Previously we would pass the path `/var/log/service.log` for both
stdout and stderr to containerd. containerd would construct a dict
with the paths as keys[1] and, due to the duplicate key, would only
open one of the files and start one `io.Copy` instance. Writes to
the other stream would be buffered by the pipe connected to
containerd-shim and would eventually block.
If we modified containerd to open the file twice and start 2
`io.Copy` instances, we would end up with the two streams interleaved
together. It seems cleaner to keep the streams separate; therefore
this patch logs stdout to `/var/log/service.out.log` and stderr to
`/var/log/service.err.log`.
[1]
49437711c3/linux/shim/io.go (L51)
Signed-off-by: David Scott <dave.scott@docker.com>
This removes all the code that had knowledge of how to do read only
and read write container mounts, and just uses the runtime config.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
The metadata package has binds
- /dev
- /var
- /sys
- /etc/resolv.conf
- /etc/ssl/certs
but unfortunately `/etc/ssl/certs` doesn't exist and this causes the
following commands:
cd blueprints/docker-for-mac # easy example
moby build -name docker-for-mac base.yml docker-17.06-ce.yml
linuxkit run hyperkit -networking=vpnkit -vsock-ports=2376 -disk size=500M docker-for-mac
to produce the following error on the VM console:
container_linux.go:265: starting container process caused "process_linux.go:348: container init caused \"rootfs_linux.go:57: mounting \\\"/etc/ssl/certs\\\" to rootfs \\\"/containers/onboot/000-metadata/rootfs\\\" at \\\"/etc/ssl/certs\\\" caused \\\"stat /etc/ssl/certs: no such file or directory\\\"\""
2017/08/21 16:39:40 Error creating 000-metadata: exit status 1
This patch creates /etc/ssl/certs in the `init` package. The metadata package
will now say things like
2017/08/21 16:44:39 No metadata/userdata found. Bye
Signed-off-by: David Scott <dave.scott@docker.com>
As discussed before, as we use this in three places, cloning in
base makes more sense.
Update base image.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Use the packet metadata to set up bonding, also get ssh keys and hostname.
This does not yet do anything with disk metadata.
Userdata is not used if it has been used for ipxe, but is otherwise available.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This contans the upstream (non busybox) version of `ip` and also the
Wireguard tools as these aere not yet integrated into `ip`. It is designed
to be used for network configuration.
For example a Wireguard interface can be setup with something like:
```
- name: wg
image: linuxkit/ip
net: new
binds:
- /etc/wireguard:/etc/wireguard
command: ["sh", "-c", "ip link set dev wg0 up; ip address add dev wg0 192.168.2.1 peer 192.168.2.2; wg setconf wg0 /etc/wireguard/wg0.conf; wg show wg0"]
runtime:
interfaces:
- name: wg0
add: wireguard
createInRoot: true
bindNS:
net: /run/netns/wg
```
This binds the net namespace so other containers can use it later.
Note that `ip` supports batch scripts with `ip -b file` which is quite convenient for
this use case.
Alas `wg-quick` requires `bash` so this is currently a bit bloated, maybe @zx2c4
might be persuaded to rewrite it without bashisms...
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This adds support for a runtime configuration file that can do:
- `mkdir` to make a directory at runtime, eg in `/var` or `/tmp`, to avoid workarounds
- `interface` that can create network interfaces in a container or move them
- `bindNS` that can bind mount namespaces of an `onboot` container to a file so a service can be started in that namespace.
It merges the `service` and `onboot` tools (in `init`) to avoid duplication. This also saves some size for
eg LCOW which did not use the `onboot` code in `runc`.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
During development I tend to do:
make -C pkg/foo tag HASH=dev ORG=ijc
and I expect to get an image `ijc/foo:dev` and not `ijc/foo:dev-amd64`. In
general I think if the HASH has been explicitly provided the build should
just honour that.
To compensate and avoid mistaken pushes adjust the check for dirtiness to also
insist on a non-empty suffix.
Signed-off-by: Ian Campbell <ijc@docker.com>
At least when running under Docker this seems to cause some issues,
possibly also explains some other oddnesses.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This has a number of fixes/improvements
- console resize
- better error handling (pass stacktrace/errors back to docker
- fix for container images which have a resolve.conf file
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Chown clears suid bits even for root on Linux.
Also move a few functions to x/sys/unix from syscall, to be
more arm64 friendly.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Runc is master as of this morning, slightly newer than what is vendored into
containerd v1.0.0-alpha3 but the differences[0] seemed benign and/or good to have.
Signed-off-by: Ian Campbell <ijc@docker.com>
[0] 429a538712...45bde006ca
This requires that users have `CAP_SYSLOG` in order to access `dmesg`.
This means that containers by default have no access to `dmesg` (which
can leak information about the host or other containers) unless they
have this capability added.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
They either won't work or the packages are specific
to x86_64 like the DfM or VMware packages.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
A package makefile can specify a list of architectures ('ARCHES')
it supports. If build on a unsupported architecture, a message is
printed and make exits without an error.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This checks if any CDROM in the system has metadata. Useful if
you boot off CDROM and also have a metadata CDROM.
Also switch the metadata container to read only, as it is only
writing to bind mounted in directories, and /tmp.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Epoll in `syscall` package does not work on arm64. We do not have
arm64 yet here, but we will when we add tpm support etc.
Signed-off-by: Justin Cormack <justin@specialbusservice.com>
