This contains the fixes to the eBPF verifier which allowed
privilege escalation in 4.9 and 4.14 kernels.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
On 4.9.x and 4.14.x kernels, eBPF verifier bugs allow eBPF
programs to access (read/write) random memory. Setting
kernel.unprivileged_bpf_disabled=1 mitigates this somewhat
until it is fixed upstream.
See:
- https://lwn.net/Articles/742170
- https://lwn.net/Articles/742169
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This was added to Alpine since our package was created. Now that we have upgraded, we
can just use the binary.
The package contains an auditd.conf but we have a tweaked local copy which writes
to stdio (which goes to /var/log/auditd.*.log already). The package doesn't
have an audit.rules so keep that here too.
Signed-off-by: Ian Campbell <ijc@docker.com>
656bd87fd2...d9d2a91780
d9d2a91 Merge pull request #193 from ijc/bugfix-191
307f13b Defer dockerRm until we are finished with the contents
ebd7228 Merge pull request #191 from ijc/reduce-memory-via-tempfiles
3045a80 Stream `docker export` directly to consumer
9f44acf Generate intermediate image into a temp file
9558740 Add cpu and mem profiling options
Reduces the memory usage substantially.
While here make some notes about the need to update src/cmd/linuxkit/build.go
where people might see them.
Signed-off-by: Ian Campbell <ijc@docker.com>
- Enable console for arm64 for all tests
- linuxkit.packages.binfmt is x86_64 only for now
- linuxkit.packages.format_mount.by_name seems to hang with no output.
needs investigating...
- linuxkit.packages.getty-containerd is x86_64 specific
- linuxkit.packages.mkimage is x86_64 specific
- linuxkit.packages.wireguard: Use the non-alpine variant as it is
available as a multiarch for arm64. Use a specific version/tag (1.13.7)
as currently 'latest' seems to have issues.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Disable kernel config tests on arm64 as some are x86_64
specific: https://github.com/linuxkit/linuxkit/issues/2807
- Add arm64 console to tests
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Disable tests which use unsupported formats
- Enable serial arm64 console for kernel+initrd test
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Currently there is a Content Trust issue with 4.0-alpine
as well as 4-alpine on arm64. 4.0.5-alpine works, so use
it for the example.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
It is not needed and the 'nginx:alpine' variant is not
yet multi-arch so it won't work on arm64.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- docker: Disabled because we don't have arm64 dind images
- tpm: The tss package is not compiled for arm64
- wireguard: This uses nginx:alpine which is not yet multi-arch
- docker_for_mac: Is x86 specific
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 'linuxkit build' command line option was renamed from
'-output' to '-format' a while back. Rename the test group
to reflect the change.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
*-bios and various cloud output image types are not
supported on arm64. Use the automatic 'amd64' label
to disable them for arm64.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Some tests explicitly use alpine:3.6 and alpine:3.5 to run
some shell scripts. Switch them to alpine:3.7 like the
rest of the packages and tools.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Commit 340d45d70850 ("locking/refcounts, x86/asm: Enable
CONFIG_ARCH_HAS_REFCOUNT") re-enabled the ARCH_HAS_REFCOUNT
again as default. Pick it up in our kernel config.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>