Commit Graph

5432 Commits

Author SHA1 Message Date
Rolf Neugebauer
932b9f1c10
Merge pull request #2731 from arm64b/kernel-makefile-fixing
kernel: Fixing kernel_perf and kernel_zfs build issue
2017-11-23 22:56:32 +00:00
Dennis Chen
b0cbfe1988 kernel: Fixing kernel_perf and kernel_zfs build issue
For 'build_perf_' and 'build_zfs_' targets in the Makefile,
since both of them are dependends on the build_$(2)$(3) target,
So, we pull the image with DCT as part of the dependency on build_$(2)$(3)
and then build with DOCKER_CONTENT_TRUST explicitly set to 0.

Signed-off-by: Dennis Chen <dennis.chen@arm.com>
2017-11-23 10:34:54 +00:00
Rolf Neugebauer
bc185996f9 example: Update kernel in examples/cadvisor
The PR adding cadvisor overlapped with the kernel updates. This
brings the example back in line.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-22 19:36:57 +00:00
Rolf Neugebauer
ddcc98c3fe
Merge pull request #2736 from Wolphin-project/cadvisor
cAdvisor
2017-11-22 19:35:30 +00:00
Rolf Neugebauer
bf64d238db
Merge pull request #2768 from rn/circle
Minor tweaks to CircleCI config
2017-11-22 10:59:54 +00:00
Rolf Neugebauer
61ce897d72
Merge pull request #2767 from rn/kern-up
Update kernels (multiple times) and add security related configs
2017-11-22 10:48:08 +00:00
Rolf Neugebauer
6af06e5c25
Merge pull request #2765 from RobbKistler/docs-fix
docs: minor fixes for use of `-data`
2017-11-22 00:24:31 +00:00
Rolf Neugebauer
763e5e317f circle: use .exe as extension for Windows binary
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 19:56:57 +00:00
Rolf Neugebauer
592d0fd7c5 circle: Add batch to README.md
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 19:56:56 +00:00
Rolf Neugebauer
464a46d74a Update YAML files to latest kernels.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 17:19:42 +00:00
Rolf Neugebauer
06689b5d68 tests: Add kernel module tests for all supported kernels
Also add libelf-dev as this is needed for ORC_UNWINDER. While this is only
a feature of 4.14.x we added it to all Dockerfiles to keep things in synch.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 17:14:19 +00:00
Rolf Neugebauer
6ede240737 kernel: Update to 4.14.1/4.13.15/4.9.64/4.4.100
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 17:05:35 +00:00
Rolf Neugebauer
57226034e6 kernel: Move KEYS_COMPAT
Commit 31c8c4942820 ("security/keys: add CONFIG_KEYS_COMPAT
to Kconfig") moved the KEYS_COMPAT config option to a different
section. Adjust config file.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 15:55:47 +00:00
Rolf Neugebauer
f5e970b7fb kernel: Update to 4.13.14/4.9.63/4.4.99
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 15:54:15 +00:00
Rolf Neugebauer
717829ea89 kernel: Don't build a debug kernel for 4.13
We already have too many kernels to build and 4.13 will be EOLed soon

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 15:53:34 +00:00
Rolf Neugebauer
f79c392ce3 kernel: Enable REFCOUNT_FULL on kernels supporting it
REFCOUNT_FULL enables full reference count validation. There is a
potential slow down but ti protects against certain use-after-free
attacks.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 14:02:33 +00:00
Rolf Neugebauer
66342d0646 kernel: Enable GCC_PLUGIN_RANDSTRUCT on kernels supporting it
On 4.13 and 4.14 kernels GCC_PLUGIN_RANDSTRUCT can be use to randomise
some kernel data structures such as structs with function pointers.

We also select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE which
tries harder to restrict randomisation to cache-lines in order to reduce
performance impact.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 14:02:33 +00:00
Rolf Neugebauer
8d16426644 kernel: Enable GCC_PLUGIN_STRUCTLEAK on kernels supporting it
The 4.13 and 4.14 kernels support GCC_PLUGIN_STRUCTLEAK, a GCC plugin
to zero initialise any structures with the __user attribute to prevent
information exposure.

On 4.14 kernels also enable GCC_PLUGIN_STRUCTLEAK_BYREF_ALL which is
an extension of the above

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 14:02:33 +00:00
Rolf Neugebauer
b0db43567e kernel: Enable GCC_PLUGIN on kernels supporting it
Subsequent commits will enable selected sub options.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 14:02:33 +00:00
Rolf Neugebauer
2c1fdc7b47 kernel: Use latest linuxkit/alpine and install mpc1-dev/mpfr-dev
The GCC_PLUGINS config options enabled in the next commits
require mpc1-dev/mpfr-dev

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 14:02:33 +00:00
Rolf Neugebauer
eb9a5604a8 tools/alpine: Add mpc1-dev/mpfr-dev
These are needed to enable GCC_PLUGINS for the Linux kernel build.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 14:02:33 +00:00
Rolf Neugebauer
5995d9a10d kernel: Fix Dockerfile.kbuild
Patches were not applied and this fixes it as well as tidying
up the error handling.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-11-21 14:02:33 +00:00
Marco Mariani
e871cd693e examples/cadvisor.yml
Signed-off-by: Marco Mariani <marco.mariani@alterway.fr>
2017-11-21 13:49:19 +01:00
Marco Mariani
959b6dd96d pkg/cadvisor
Signed-off-by: Marco Mariani <marco.mariani@alterway.fr>
2017-11-21 13:46:42 +01:00
Rolf Neugebauer
3184572403
Merge pull request #2764 from riyazdf/signing-init-script
signing: add init script and public certificate fixtures
2017-11-21 12:27:12 +00:00
Justin Cormack
83522d81fd
Merge pull request #2761 from justincormack/restore-build
Restore linuxkit build
2017-11-21 10:21:39 +00:00
Robb Kistler
4f542ad46a docs: replace --data with -data
Signed-off-by: Robb Kistler <robb.kistler@docker.com>
2017-11-20 18:21:10 -08:00
Justin Cormack
b2a67710fa Remove bits that build moby tool from Makefile
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-11-20 23:49:27 +00:00
Justin Cormack
934450c697 Update docs to only say install linuxkit tool.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-11-20 23:49:17 +00:00
Riyaz Faizullabhoy
057e59d0dc signing: add init script and public certificate fixtures
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2017-11-20 15:06:28 -08:00
Rolf Neugebauer
ebe6fd8b4a
Merge pull request #2762 from ijc/handle-empty-metadata
Handle empty metadata file better (by ignoring)
2017-11-20 22:12:38 +00:00
Rolf Neugebauer
e3606477b2
Merge pull request #2754 from Wolphin-project/node-exporter
Node exporter
2017-11-20 22:10:39 +00:00
Justin Cormack
f8e352d375 Replace moby build with linuxkit build throughout
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-11-20 17:06:54 +00:00
Justin Cormack
ca0b1309b0 Update vendoring for moby/tool
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-11-20 17:06:47 +00:00
Ian Campbell
cef9d11f58 Only create metadata if file is non-zero sized
The recent iso9660wrap vendoring bump means this does now work, but it seems
pointless in this case so skip.

Relates to https://github.com/linuxkit/kubernetes/issues/4

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-11-20 15:26:51 +00:00
Ian Campbell
a5e5d42368 Move metadata ISO creation to common code
This code was identical in the QEMU and HyperKit cases. Move it to util.go and
wrap it in a function, with minimal changes for returning an error.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-11-20 15:22:02 +00:00
Ian Campbell
db9a783821 Bump iso9660wrap to baf8d62ad315
Reduces the linuxkit binary by 12k by removing The Raven. Also allows zero
sized files to be created, see https://github.com/linuxkit/kubernetes/issues/4

4606f848a0...baf8d62ad3

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-11-20 15:17:57 +00:00
Justin Cormack
eef8ab7757 Add linuxkit build, using vendored moby/tool as a library
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-11-20 14:48:48 +00:00
Justin Cormack
c928acf73e
Merge pull request #2757 from errordeveloper/patch-1
docs: Improve intro in packages.md
2017-11-20 14:48:33 +00:00
Ilya Dmitrichenko
490a4d4cd8
docs: Improve intro in packages.md
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
2017-11-20 13:05:12 +00:00
Justin Cormack
98ba4f3b02
Merge pull request #2759 from damdo/fix-some-reports-typos
Fix some typos and no-break char in reports markd
2017-11-20 11:48:27 +00:00
Marco Mariani
7f2ed70b89 updated examples/node_exporter.yml (built from sources)
Signed-off-by: Marco Mariani <marco.mariani@alterway.fr>
2017-11-20 12:13:26 +01:00
Marco Mariani
01d0a1835c pkg/node_exporter from sources
Signed-off-by: Marco Mariani <marco.mariani@alterway.fr>
2017-11-20 12:13:26 +01:00
Rolf Neugebauer
41a4c2df10
Merge pull request #2760 from zlim/patch-2
kernel: update README.md
2017-11-20 08:40:18 +00:00
zlim
8e5006f8f9
kernel: update README.md
Update description to reflect link to ../doc/kernels.md.

Signed-off-by: Zi Shen Lim <zlim.lnx@gmail.com>
2017-11-19 22:19:49 -08:00
Damiano Donati
6daa911fa6 Fix some typos and no-break char in reports markd
Signed-off-by: Damiano Donati <damiano.donati@gmail.com>
2017-11-17 20:31:39 +01:00
Rolf Neugebauer
29f711be94
Merge pull request #2728 from arm64b/rm-content-trust-build-wr
alpine: Remove the 'content trust build' workaround
2017-11-17 18:27:53 +00:00
Rolf Neugebauer
0a2db0ac83
Merge pull request #2758 from rn/no-lcow
Remove LCOW
2017-11-17 17:23:34 +00:00
Justin Cormack
cad6527033
Merge pull request #2755 from justincormack/runtime-cgroups
Add support for creating cgroups in runtime section
2017-11-17 17:01:27 +00:00
Justin Cormack
d3533febe7
Merge pull request #2756 from justincormack/no-logos
Improve language detection
2017-11-17 16:26:15 +00:00