In order to support not running containers as root, allocate
each of them a uid and gid, a bit like traditional Unix system
service IDs. These can be referred to elsewhere by the name of
the container, eg if you wish to create a file owned by a
particular service.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Allow setting ambient capabilities, as a separate option to the standard
ones. If you are running as a non-root user you should use these.
Note that unless you add `CAP_DAC_OVERRIDE` and similar permissions you
need to be careful about file ownership. Added support to set ownership
in the `files` section to help out with this.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Rather than build the image and have something weird happen, let's check
that the capabilities specified are actually valid capabilities.
Signed-off-by: Tycho Andersen <tycho@docker.com>
The default is set by probing for /dev/kvm. Use of KVM can be forcibly disabled
with `-enable-kvm=false`. Note that passing `-enable-kvm=true` when `/dev/kvm` is
not present still boots but complains:
```
Could not access KVM kernel module: No such file or directory
failed to initialize KVM: No such file or directory
Back to tcg accelerator.
```
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
- this is pretty much the smallest change to split this out and it
exposes a few things that can be improved later
- no change to logging yet
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Allows routed networking, so long as you run hyperkit as root.
This has quite a few downsides, including the requirement to
run as root in order to set up the networking, but some people
really want VMs that are routable from the host.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- Use 'flags' for the subcommand FlagSet
- Use %v to print errors
- Use 'path' for the path
- Fix cases where the 'path' refers to a different directory
- Don't use CamelCase for command line options
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Based on the hyperkit runner's code.
project/kubernetes/boot.sh now works, although lack of network connectivity
between individual VMs remains an issue.
Also manually validated containerized operation with:
```
rm -rf kube-node-0-state && ../../bin/linuxkit run qemu --containerized -cpus 2 -mem 4096 -state kube-node-0-state -disk size=4G -data "foo bar" kube-node
```
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
Modelled on the Hyperkit runner, for now only used for the disk.
This is one step closer to having project/kubernetes/boot.sh work on Linux.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
In the WIP code in `moby` we now have a standard base tarball format,
that includes the kernel and cmdline as files in `/boot` so that the
entire output of the yaml file can default to a single tarball. Then
this can be split back up by LinuxKit into initrd, kernel and cmdline
as needed. This will probably become the only output of the `moby build`
stage, with a `moby package` stage dealing with output formats.
We may remove the output format specification from the yaml file as well,
and just have it in the command.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Instead, make a hard link a symlink. This isn't much better, but it allows
some cases (e.g. installing GCC on moby via alpine) to work.
Signed-off-by: Tycho Andersen <tycho@docker.com>
This does not get everything where we want it finally, see #1266
nor the optimal way of building, but it gets it out of top level.
Added instructions to build if you have a Go installation.
Not moving `vendor` yet.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
The Hyper-V backend is loosely based on the docker-machine code
as well as ./scripts/LinuxKit.ps1. It shells out to PowerShell
for most of the configuration.
Console is provided by github.com/Azure/go-ansiterm/winterm
and the code surrounding it is loosely based on the equivalent
code in containerd and moby/moby.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
commit bdf9b1f31a introduced a bug with disk size handling
where GB was not handled correctly. Fix it.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Most cloud providers allow disk size allocation in units
of GB. Make it the default for linuxkit disk "size" arguments.
Users can override the unit by appending a M to the disk size.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This makes it easier to identify where a new backend should be added.
It's also simpler to match help text and case statements.
Signed-off-by: Dave Tucker <dt@docker.com>
- no longer uses several of the `mkimage-*` tools in favour of dogfooding
with `linuxkit` and using the `mkimage` package.
- fix the qemu docker container fallbacks to work better when multiple
paths are used for disks and the image.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
azure: React to change requests
azure: Fix push and run message and update example
azure: Remove docker dependency and upload VHD
Modify %s to %v for Go errors
Signed-off-by: radu-matei <matei.radu94@gmail.com>
This changes the CLI specification for disks, as it needs to be able to
be repeated.
```
linuxkit run qemu -disk name,size=1G,format=qcow2 ...
```
Options may be omitted.
Currently other local backends may not support multiple disks, but this
can be added in future. Code for cloud backends has not changed as the
disk support is specific to the platform.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
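As an added illustration (this is example code, not LinuxKit's own), a Go parser for the `-disk` specification above, applying the size rule from the earlier disk-unit commit (a bare number is gigabytes, an `M` suffix means megabytes); the `flag.Value` wrapper that would make `-disk` repeatable is left out, and the `Disk` type and its fields are this example's own names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Disk is one parsed -disk argument; Size is in MB (names are this example's own).
type Disk struct {
	Path, Format string
	Size         int
}

// parseSize returns MB for "4", "4G", "4GB", "512M" or "512MB": bare number = GB, M suffix overrides.
func parseSize(s string) (int, error) {
	s, mult := strings.TrimSuffix(strings.ToUpper(s), "B"), 1024
	switch {
	case strings.HasSuffix(s, "M"):
		s, mult = s[:len(s)-1], 1
	case strings.HasSuffix(s, "G"):
		s = s[:len(s)-1]
	}
	n, err := strconv.Atoi(s)
	if err != nil || n <= 0 {
		return 0, fmt.Errorf("invalid disk size %q", s)
	}
	return n * mult, nil
}

// parseDisk parses "name,size=1G,format=qcow2"; any element may be omitted; unknown keys are errors.
func parseDisk(spec string) (d Disk, err error) {
	for _, el := range strings.Split(spec, ",") {
		kv := strings.SplitN(el, "=", 2)
		switch {
		case el == "": // tolerate an empty element such as a trailing comma
		case len(kv) == 1:
			d.Path = el
		case kv[0] == "size":
			if d.Size, err = parseSize(kv[1]); err != nil {
				return Disk{}, err
			}
		case kv[0] == "format":
			d.Format = kv[1]
		default:
			return Disk{}, fmt.Errorf("unknown disk option %q", kv[0])
		}
	}
	return d, nil
}
```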
Adds a new --networking option to simplify selection of networking modes
for `linuxkit run hyperkit`. The new modes are "docker-for-mac",
"vpnkit" and "none".
By default docker-for-mac will be used for networking. HyperKit will
then connect to the default VPNKit socket location used by Docker for
Mac.
In vpnkit-mode a new VPNKit instance is started and the socket
"vpnkit_eth.sock" is created in the state directory. This mode also
enables port forwarding via 9p and vsock. The vpnkit mode optionally
accepts a path to an existing VPNKit socket. This allows two or more VMs
to be connected to the same virtual network - but only the VM that
created the socket can use port forwarding.
Mode "none" disables networking.
Signed-off-by: Magnus Skjegstad <magnus@skjegstad.com>
Add a new flag to set the VPNKit ethernet socket path. Defaults to the
standard location for the socket in Docker for Mac.
This flag can be used to connect to the VPNKit instance started by
another linuxkit VM launched with `-start-vpnkit`. VMs connected to the
same VPNKit instance will be on the same virtual internal network.
Signed-off-by: Magnus Skjegstad <magnus@skjegstad.com>