- this needs an init as it does not respond to stop signals, so include tini
- needs CAP_SYS_ADMIN to write to kernel entropy estimate
- set kernel.random.write_wakeup_threshold so that rngd does not need sysctl write access
- build patches from Alpine, but statically linked
- remove rngd from base image, means we no longer need community repository
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
When building the base images always test signatures.
This will be the default at some point.
Add a test that content trust is working.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- statically make containerd symlinks so rootfs can be read only
- run binfmt_misc in a containerd container
- ship arm, aarch64, ppc64le qemu static versions that always "just work" as this is supported in Linux 4.8
fix#53
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Previously when the block device was resized the partition table was also
resized but the filesystem was not. For an increase from 64GiB to 128GiB
the console showed:
* Configuring host block device .../dev/vda1: clean, 62/4194304 files, 604445/16776960 blocks
Resizing disk partition: Unpartitioned space /dev/vda: 64 GiB, 68719476736 bytes, 134217728 sectors
resize2fs 1.43.3 (04-Sep-2016)
Please run 'e2fsck -f /dev/vda1' first.
/dev/vda1: clean, 62/4194304 files, 604445/16776960 blocks
This patch makes `resize2fs` happy by running `e2fsck -f` beforehand as
requested.
Signed-off-by: David Scott <dave.scott@docker.com>
So as to allow a read only root filesystem, we use the proxy
path config option to override the Docker proxy for 1.13.
This means that the iptables override needs to call this binary
not the original docker-proxy binary to allow port forwarding.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- never update root filesystem see #583
- remove tests for earlier docker versions
- only use iptables override on desktop
fix#753
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- use our own code rather than Alpine setup-disk
- remove alpine setup code as not needed
- do not create swap partitions
- create swap file on desktop editions for now (may remove)
Fix#619
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Most editions were shipping with experimental; now it is a daemon
flag this seems the best behaviour.
Only do this on recent dockerd as we are still supporting 1.12 for
a while longer.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This is not working well, and was binding over the logs, and losing
logs. We need a uniform approach on all platforms, planned to be
syslog.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- run bootmisc before sysklogd so symlinks from /var/run to
/run are created
- recreate symlinks that bootmisc created when we remount /var
until this gets moved earlier
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
If we are using vsudd to forward syslog to the host, as on osx,
we need to start it before syslog starts, and make sure it has
created its socket.
Add a pidfile to vsudd to make startup more reliable.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
