This way it runs as root so files always owned by root.
Fix#887
This is the simplest fix for 1.13, we can also use this for
creating the main system initrd, but that needs more changes
so leaving for 1.14.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Default config is restricted ptrace, processes can only ptrace
related processes, such as child processes, rather than any process
with the same uid.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This seems the best option, although none are great
- build with `make AUFS=1` to build with AUFS support, currently with 4.8 kernel
- default is to build without AUFS support, with 4.9 kernel
This recognises that AUFS supprot is temporary #620 and only there until
we can phase it out on desktop editions, and allow the other editions that
never shipped with AUFS to ship something very close to mainline.
However we do still apply the patches so that the non AUFS branch runs fine on
all platforms, so it can be tested elsewhere.
We may be able to move the kernel versions back in line when 4.9 aufs support is out.
Plan is to shift CI to build both sets of images, and get the Desktop editions to
pick up the aufs set automatically, once this is merged.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
See #875
This will only happen if there has been some sort of error
before, but lets not make it worse.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- this is a raw 1GB filesystem image with syslinux for booting
- built with libguestfs so does not need any privileges
- need not be built on GCE
- there is a target that runs the image in qemu for local tests
Does not yet have a script to upload the image to cloud storage or create image from it.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Sometimes Debian just wants to ask you questions on an install,
this is really not a useful behaviour when there is no one
attached to the process.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- make quiet
- force, so some adjustments are not checked see https://github.com/docker/pinata/issues/6198
- set resize_inode as we do resize partitions on cloud and they could have very few inodes otherwise
- inline all the default options and remove the config file, so script is more standalone
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- The scanning process was not ignoring the kernel extraversion before,
so was only sometimes picking up issues.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Includes fix for CVE-2016-8655 Linux af_packet.c race condition.
This gives a container escape with default container capabilities.
This now has the slow network namespace patch backported, so this
is removed.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- run test suite under containerd
- in future this should be converted to Go not shell see #860
- test suite is now in its own initrd, can be run on any platform not just qemu
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Regenerated the kernel config from container, which bumped the kernel
version and included some other fixes. Also bumps the check-config
container to check for VSYSCALL_NATIVE
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This is a minimal standalone statically linked shell for use
for now in converting images to containers.
Plan to phase it out and replace with actual programs later.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Previously we only ran `fstrim` on Windows. Docker for Mac now supports
TRIM so we should run `fstrim` there too.
Note it's possible to turn off TRIM on the Mac at the virtual hardware
level via the database, but this should be harmless -- the `fstrim`
fails immediately with an obvious error if the device doesn't support it:
`fstrim: ioctl 0xc0185879 failed: Not supported`.
Signed-off-by: David Scott <dave.scott@docker.com>
