Use a file (that we can drop easily into the rootfs) instead of passing the full
command on the CLI (as config.json needs to be edited otherwise).
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
The inotify bindings that we are using is a bit sensitive to init
conditions, and it seems to not like being run inside in a container.
See https://github.com/samoht/irmin-watcher/issues/10
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
For now, use jbuilder to build the calf as well, this gives us a bit
more control than the mirage tool. We will switch back to the mirage
tool later on if we want to use more fancy backends (such as KVM).
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
mkfs.vfat prints output (even without the -v option) which ends up
in front of the ISO, which is cat'ed to stdout. This made the generated
ISO unbootable. Redirect stdout of mkfs.vfat to /dev/null.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Some users seem to have Docker for Mac/hyperkit in a non-standard
path. Allow them to specify the path to the hyperkit executable.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
In the same vein as [1], let's start talking about security events. I
suppose we want to talk about security events as well as non-events,
though, to give a little discussion about post moretem. But we can rename
this to security-non-events if we want.
[1]: https://github.com/docker/docker.github.io/blob/master/engine/security/non-events.md
Signed-off-by: Tycho Andersen <tycho@docker.com>
This is the default NIC provided by virt-install, I think it is also pretty
common on other virtualisation platforms since both the drivers and the
emulation are pretty widespread (IIRC Xen HVM guests used to get this by
default, and may still do).
Personally I'd probably try and remember to switch to virtio (or even e1000) in
preference, but that's one more thing to do.
Bump the image number.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
... and accept the defaults. Doing so enables some hw monitoring on Intel
(which enables some I2C thing) and explicitly disables a few Mellanox options.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
- Move HyperKit code into a separate file. It should be compilable
on all supported OSes now.
- Add a (optional) subcommand to "moby run" to select a backend
i.e., "moby run hyperkit [options] [prefix]"
- On macOS the default is "hyperkit" so that:
"moby run [options] [prefix]"
just works
- Add enough command line parsing to make it easy to add new
backends to the run command
Update help messages.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Since Makefile contains the hashes we need a dependency otherwise changing the
hashes does not necessarily result in the binaries getting updated.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
The protocol allows the client to send concurrent RPCs to the server.
The server replies by keeping the client ID, and the client keeps a
dispatch table of queries to route the retries. By doing things like
that, the server has a strong control over resource allocation, so
a bad client cannot exhaust all the server memory.
Also add some simple tests for the serialization + wire protocol which
are all passing. Proper concurrency/resource exhaustion usage will be
added later.
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
Previously, the control plane was using HTTP client/server, that various people
found way too complex to run in a privileged container (for very good reasons).
So switching to a simpler binary protocol, using c-like structures. Will
probably switch to an other serialization protocol later (eg. protobuf
or cap-n-proto).
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
On some hv_sock workloads which quickly open/close many connections
occasionally, channel IDs would get re-used while still having work
pending. This can cause a kernel crash on a NULL pointer exception.
The three patches added to the 4.9.x and 4.10.x kernels fixes
these bugs. The patches are being prepared to be upstreamed, but for
now we cherry-picked them from the developers tree.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
It's useful for cherry-picked patches to know which tree
they got patched from. Include a "Origin:" line.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.9.19/4.10.7 kernels include the fix for the VMBus
memory leak, so we don't need to carry these patches anymore.
The patches against 4.9.x/4.10.x now also all have added a
"Origin" line pointing to the git tree the patches were cherry
picked from.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Instead, make a hard link a symlink. This isn't much better, but it allows
some cases (e.g. installing GCC on moby via alpine) to work.
Signed-off-by: Tycho Andersen <tycho@docker.com>
The ebpf packages were somewhat neglected during the restructuring of the
the repository and currently do not build. They were also a little awkward
to use. So move them to ./projects for now until it matures.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
