The scheme we currently have seems relatively usable and
this project has not been maintained for a while.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The scripts used to scrape the various repositories to build
and push package for all foreign kernels. They were designed
to be run periodically and provide "official" foreign kernel
packages. Needless to say we did not run them periodically
and the linuxkit packages became out-dated quickly.
Now, we just provide users who are interested in using foreign
kernels the means to build their own package from specific
vendor kernels.
Each script uses slightly different command line arguments
as the location and naming of the kernel packages differ
wildly. The help message provide a working example which
has been tested with a minimal LinuxKit YAML file.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Support for this has stalled in the swarmkit project due to lack of maintainer
time to review and support and the existing code no longer works with the
version of containerd used in linuxkit.
Signed-off-by: Ian Campbell <ijc@docker.com>
Use unix.Reboot from golang.org/x/sys/unix for poweroff and reboot
instead of relying on external commands.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
This is the new Lernel Page Table Isolation (KPTI,
formerly KAISER) introduced with 4.14.11 (and in
4.15.rcX).
KPTI runs the kernel and userspace off separate
pagetables (and uses PCID on more recent processors
to minimise the TLB flush penalty). It comes with
a performance hit but is enabled by default as a
workaround around some serious, not yet disclosed,
bug in Intel processors.
When enabled in the kernel config, KPTI will be
be dynamically enabled at boot time deping on the
CPU it is executing (currently all Intel x86 CPUs).
Depending on the environment, you may choose to
disable it using 'pti=off' on the kernel commandline.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Previously, KV lines which were commented would attempt to be set. Now any commented KV lines will also be ignored.
- Comments can start with a hash or semicolon
- Splitting KV on both period and forward slash
- Some kernels may not have certain features enabled (such as IPv6) in the default etc/sysctl.d/*.conf, and thus pkg/sysctl would only set the KV until the first failure, and then silently skip the rest of the KVs. Now any failure is logged as a WARN, and those lines can now be commented per the above change, as they will be identified.
Signed-off-by: Isaac Rodman <isaac@eyz.us>
This contains the fixes to the eBPF verifier which allowed
privilege escalation in 4.9 and 4.14 kernels.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
On 4.9.x and 4.14.x kernels ebpf verifier bugs allow ebpf
programs to access (read/write) random memory. Setting
kernel.unprivileged_bpf_disabled=1 mitigates this somewhat
until it is fixed upstream.
See:
- https://lwn.net/Articles/742170
- https://lwn.net/Articles/742169
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
