David Scott
46ea02f65b
moby: device "all" will add to the cgroup whitelist
After the runc security advisory[1] the default cgroup device
whitelist was changed.
In previous versions every container had "rwm" (read, write, mknod)
for every device ("a" for all). Typically this was overridden by
container engines like Docker. In LinuxKit we left the permissive
default.
In recent `runc` versions the default allow-all rule was removed,
so a container can only access a device if it is specifically
granted access, which LinuxKit handles via a device: entry.
However it is inconvenient for pkg/format, pkg/mount, pkg/swap
to list all possible block devices up-front. Therefore we add the
ability to grant access to an entire class of device with a single
rule:
```yaml
- path: all
type: b
```
Obviously a paranoid user can still override this with a specific
major/minor number in a device: rule.
[1] https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq
Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:21 +01:00
David Scott
24db42dd68
moby: add a Devices array to the image yml
According to https://github.com/linuxkit/linuxkit/pull/3684#issuecomment-860128095
runc removed the console as a default device, so now it must be specified
explicitly in the OCI config.
See 60e21ec26e
The similar code in moby/moby is here: https://github.com/moby/moby/blob/master/oci/devices_linux.go
This patch allows packages to declare a `devices` array, which can contain `/dev/console` etc.
Signed-off-by: David Scott <dave@recoil.org>
2021-10-14 16:14:05 +01:00
David Scott
e463855425
trim-after-delete: avoid building on s390x
Signed-off-by: David Scott <dave@recoil.org>
2021-05-18 13:39:20 +01:00
Anca Iordache
d326c1b2e6
Add more event types to trigger fstrim
Signed-off-by: Anca Iordache <anca.iordache@docker.com>
2021-05-12 16:12:14 +02:00
Avi Deitcher
ef3e45ac02
pkgs: Update packages to the latest linuxkit/alpine
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2021-04-28 09:13:18 +03:00
Rolf Neugebauer
e48d5294ee
Merge pull request #3539 from djs55/trim-after-delete-container
trim-after-delete: handle containers and volumes as well as images
2021-04-05 13:21:02 +01:00
Michael Aldridge
b820b0a129
Support metaldata metadata provider
Signed-off-by: Michael Aldridge <aldridge.mac@gmail.com>
2021-01-21 23:03:49 -08:00
Petr Fedchenkov
564a4ece26
strip containerd binaries
Signed-off-by: Petr Fedchenkov <giggsoff@gmail.com>
2021-01-06 19:04:49 +03:00
Avi Deitcher
203cbd9b9f
multiple containerd options
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-10-21 11:11:48 +03:00
Avi Deitcher
54be4048f0
fix reversed equals error
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-10-19 20:54:14 +03:00
Avi Deitcher
865ed8a1ce
add containerd cli opts
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-10-19 14:49:15 +03:00
David Scott
76c7f6c1a6
trim-after-delete: also handle containers and volumes
We already run the command after an image delete but
- a container delete
- a volume delete
will also free space on the filesystem.
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: David Scott <dave@recoil.org>
2020-10-16 16:56:53 +01:00
Avi Deitcher
a1427d0b7b
Merge pull request #3558 from deitch/containerd-141
containerd 1.4.1 from latest version of lkt/alpine
2020-10-08 10:39:44 +03:00
Avi Deitcher
3143c04de9
containerd 1.4.1 from latest version of lkt/alpine
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-10-07 20:33:08 +03:00
Avi Deitcher
26d46d6c82
include openssh-client in sshd pkg
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-10-07 20:15:28 +03:00
Rolf Neugebauer
ea8ecd146d
pkgs: Update packages to the latest linuxkit/alpine
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-05-10 14:52:05 +01:00
Rolf Neugebauer
47063eee62
Merge pull request #3512 from saljam/master
metadata: add support for digitalocean
2020-05-08 11:53:50 +01:00
Justin Cormack
c01f72d556
Add Risc-V support and only ship binaries we use
Ported from https://github.com/docker/binfmt/pull/21
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2020-05-07 11:53:30 +01:00
Rolf Neugebauer
dbcf2611a0
Merge pull request #3515 from justincormack/qemu-up
Update to Qemu 4.2.0 from Debian testing
2020-05-06 23:27:53 +01:00
Ilya Dmitrichenko
86fb6ba0aa
pkg/init: Mount /sys/fs/bpf
NOTE: This will be a shared mount, due to root being turned into a
shared with `MC_REC` set: `mount("", "/", "", rec|shared, "")`.
For some reason setting `shared` when mounting `/sys/fs/bpf` doesn't
work at all, perhaps that's just a kernel feature.
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
2020-05-06 11:06:54 +01:00
Justin Cormack
d2f55af35c
Update to Qemu 4.2.0 from Debian testing
This has fixed a lot of outstanding emulation issues, see comments
in https://github.com/docker/binfmt/pull/24
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2020-05-04 16:22:52 +01:00
salman aljammaz
35ae4e028c
metadata: add support for digitalocean
This adds support for fetching metadata and user data from the
DigitalOcean metadata service.
https://www.digitalocean.com/docs/droplets/resources/metadata/
Signed-off-by: salman aljammaz <s@aljmz.com>
2020-05-02 11:24:11 -04:00
Avi Deitcher
3678adeca8
find cloud-init on cdrom by label
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-04-27 17:00:42 +03:00
Rolf Neugebauer
2427145dfc
pkg/init: Revert "workaround bad containerd bug"
This reverts commit 6653c3387e.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-26 22:49:48 +01:00
Rolf Neugebauer
1b8cb8b235
pkg/runc: Update to v1.0.0-rc10
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-26 22:47:48 +01:00
Rolf Neugebauer
db1f9c8dc8
pkgs: Update containerd to v1.3.4
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-26 22:47:48 +01:00
Federico Pellegatta
6133c561fd
Add GUID Partition Table (GPT) support to extend and mount packages
Signed-off-by: Federico Pellegatta <12744504+federico-pellegatta@users.noreply.github.com>
2020-04-24 12:54:48 +02:00
Federico Pellegatta
5fc196c289
Add partition table type selector (defaulted to DOS/MBR) to format package
Signed-off-by: Federico Pellegatta <12744504+federico-pellegatta@users.noreply.github.com>
2020-04-23 10:16:36 +02:00
Avi Deitcher
59697ffc62
read cdrom userdata from spec location
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-04-20 10:03:17 +03:00
Rolf Neugebauer
463216acda
pkg: Add gcc for all packages built for arm64
This is a workaround for https://github.com/linuxkit/linuxkit/issues/3496
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
5301dbf352
pkg/firmware: Disable firmware packages for s390x
Reduce the number of packages to build for s390x. Firmware
is only used for physical devices, so disable it for s390x
where we mostly run in virtual machines.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
cd92ad3f16
pkg/firmware: Fix firmware extraction
Some drivers offer multiple firmwares with the WHENCE file
defining the default. Use the cope-firmware.sh script to
create a copy of the firmware repository with the defaults
copied in to the right place.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
384b439d05
pkg/firmware: Use kernel v5.4.x as the base
This determines which firmware packages are included.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
bd5fb29ba1
pkg/firmware: update to latest
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
0b750af7cd
pkg/node_exporter: Fix build
Add curla and gcc
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
facc612603
pkg/node_exporter: Bump to v0.18.1
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
5c190c96e1
pkg/cadvisor: Bump to v0.36.0
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Rolf Neugebauer
2f4034d36c
pkgs: Update packages to the latest linuxkit/alpine
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-04-17 10:36:03 +01:00
Avi Deitcher
6653c3387e
workaround bad containerd bug
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2020-03-23 12:18:14 +02:00
Rolf Neugebauer
7bcd19058b
pkg/runc: Update to v1.0.0-rc9
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-01-21 23:17:17 +00:00
Rolf Neugebauer
11d9acf35b
pkg/containerd: Add containerd-shim-runc-v2
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-01-21 23:17:17 +00:00
Rolf Neugebauer
f14ad3af82
pkgs: Update to containerd v1.3.2
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-01-21 23:17:17 +00:00
Rolf Neugebauer
bbf174d374
pkg/ip: Pick up the new version of wireguard-tools
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2020-01-03 00:15:43 +00:00
Simon Ferquel
3f56669576
Metadata: add support for loading from a file
This adds a new configuration provider that just reads a file.
This is needed for Docker Desktop, where we will run a LinuxKit distro in an isolated namespace within WSL 2.
In this scenario, the config will be accessible through the WSL2 built-in 9p mount of the Windows filesystem.
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2019-12-20 11:21:20 +01:00
Rolf Neugebauer
a09b86a8e1
Merge pull request #3371 from guillaumerose/error
Skip disk resize for dos partition if no free space is available
2019-12-19 19:31:58 +00:00
Rolf Neugebauer
547521d146
Merge pull request #3349 from ptone/gcp-fixes
Update GCP metadata provider
2019-12-19 18:00:47 +00:00
Rolf Neugebauer
f0ac623b11
Merge pull request #3430 from Sh4d1/fix_scaleway_metadata
remove sendBootSignal in scaleway metadata package
2019-12-19 17:41:51 +00:00
Rolf Neugebauer
80f0765097
Merge pull request #3429 from zimme/metadata-fix-provider-scaleway
Fix the Scaleway provider in the metadata package
2019-12-19 17:41:10 +00:00
Rolf Neugebauer
725dc47a37
Merge pull request #3431 from zimme/metadata-fix-provider-hetzner
Fix the Hetzner provider in the metadata package
2019-12-19 17:39:45 +00:00
Simon Fridlund
4005082664
Fix the Hetzner provider in the metadata package
There were some mistakes made in the initial code where writes didn't work, this commit fixes that.
Signed-off-by: Simon Fridlund <simon@fridlund.email>
2019-12-04 23:01:40 +01:00