This part reverts f7c50156c5 ("tools: pull linuxkit/guestfs by digest
only (not digest+tag)") as pulling by tag now seems to work and we
have content trust enabled, so pulling by digest should not be necessary.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The Windows 10 Fall Creators Update added a new 'Default
Switch' (which is a NAT switch). Use it if present and the
user has not specified a switch.
Also, handle External switches with spaces in them.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Moby is moving to using pigz instead of the the golang gzip
library (https://github.com/moby/moby/pull/35697)
Include pigz in the base for downstream projects to use.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This describes more accurately that the example exposes
containerd to the host.
Also adjust platform-hyperkit.md
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
We already had this increased above the defaults, but even larger values
seem to be recommended.
See https://blog.openai.com/scaling-kubernetes-to-2500-nodes/
"It’s common to tune this setting in HPC clusters, and is particularly
relevant in Kubernetes clusters since every pod has its own IP address
which consumes space in the ARP cache."
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
* receive: treat packet checking as irrelevant for timers
Small simplification to the state machine, as discussed with Mathias
Hall-Andersen.
* socket: check for null socket before fishing out sport
* wg-quick: ifnames have max len of 15
* tools: plug memleak in config error path
Important bug fixes.
* external-tests: add python implementation
Piotr Lizonczyk has contributed a test vector written in Python.
* poly1305: remove indirect calls
From Samuel Neves, we now are in a better position to mitigate speculative
execution attacks.
* curve25519: modularize implementation
* curve25519: import 32-bit fiat-crypto implementation
* curve25519: import 64-bit hacl-star implementation
* curve25519: resolve symbol clash between fe types
* curve25519: wire up new impls and remove donna
* tools: import new curve25519 implementations
* contrib: keygen-html: update curve25519 implementation
Two of our Curve25519 implementations now use formally verified C. Read this
mailing list post for more information:
https://lists.zx2c4.com/pipermail/wireguard/2018-January/002304.html
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
- Enable RETPOLINE by default. Note, however, this will
only be used if the compiler supports it.
- Enable sysfs interface for vulnerabilities
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.4.14 has a number of important fixes/additions:
- New support for retpolines (enabled but requires newer gcc
to take advantage of). This provides mitigation for Spectre
style attacks.
- Various KPTI fixes including fixes for EFI booting
- More eBPF fixes around out-of-bounds and overflow of
maps. These were used for variant 1 of CVE-2017-5753.
- Several KVM related to CVE-2017-5753, CVE-2017-5715,
CVE-2017-17741.
- New sysfs interface listing vulnerabilities:
/sys/devices/system/cpu/vulnerabilities
The 4.9.77 kernel also has seems to have most/all of the above
back-ported.
See https://lwn.net/SubscriberLink/744287/1fc3c18173f732e7/
for more details on the Spectre mitigation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
If the flag is set on push, then the image will have the license
set to enabled the currently experimental netsted virtualisation
feature. The flag currently also needs to be set on run to make
sure the right CPU model (at least Haswell) is selected.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
