This is the new Lernel Page Table Isolation (KPTI,
formerly KAISER) introduced with 4.14.11 (and in
4.15.rcX).
KPTI runs the kernel and userspace off separate
pagetables (and uses PCID on more recent processors
to minimise the TLB flush penalty). It comes with
a performance hit but is enabled by default as a
workaround around some serious, not yet disclosed,
bug in Intel processors.
When enabled in the kernel config, KPTI will be
be dynamically enabled at boot time deping on the
CPU it is executing (currently all Intel x86 CPUs).
Depending on the environment, you may choose to
disable it using 'pti=off' on the kernel commandline.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Previously, KV lines which were commented would attempt to be set. Now any commented KV lines will also be ignored.
- Comments can start with a hash or semicolon
- Splitting KV on both period and forward slash
- Some kernels may not have certain features enabled (such as IPv6) in the default etc/sysctl.d/*.conf, and thus pkg/sysctl would only set the KV until the first failure, and then silently skip the rest of the KVs. Now any failure is logged as a WARN, and those lines can now be commented per the above change, as they will be identified.
Signed-off-by: Isaac Rodman <isaac@eyz.us>
This contains the fixes to the eBPF verifier which allowed
privilege escalation in 4.9 and 4.14 kernels.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
On 4.9.x and 4.14.x kernels ebpf verifier bugs allow ebpf
programs to access (read/write) random memory. Setting
kernel.unprivileged_bpf_disabled=1 mitigates this somewhat
until it is fixed upstream.
See:
- https://lwn.net/Articles/742170
- https://lwn.net/Articles/742169
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This was added to alpine since our package was created. Now we have upgraded we
can just use the binary.
The package contains an auditd.conf but we have a tweak local copy which writes
to stdio (which goes to /var/log/auditd.*.log already). The package doesn't
have an audit.rules so keep that here too.
Signed-off-by: Ian Campbell <ijc@docker.com>
656bd87fd2...d9d2a91780d9d2a91 Merge pull request #193 from ijc/bugfix-191
307f13b Defer dockerRm until we are finished with the contents
ebd7228 Merge pull request #191 from ijc/reduce-memory-via-tempfiles
3045a80 Stream `docker export` directly to consumer
9f44acf Generate intermediate image into a temp file
9558740 Add cpu and mem profiling options
Reduces the memory usage substantially.
While here make some notes about the need to update src/cmd/linuxkit/build.go
where people might see them.
Signed-off-by: Ian Campbell <ijc@docker.com>
- Enable console for arm64 for all tests
- linuxkit.packages.binfmt is x86_64 only for now
- linuxkit.packages.format_mount.by_name seems to hang with no output.
needs investigating...
- linuxkit.packages.getty-containerd is x86_64 specific
- linuxkit.packages.mkimage is x86_64 specific
- linuxkit.packages.wireguard: Use the non-alpine variant as it is
available as a multiarch for arm64. Use a specific version/tag (1.13.7)
as currently 'latest' seem to have issues.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Disable kernel config tests on arm64 as some are x86_64
specific: https://github.com/linuxkit/linuxkit/issues/2807
- Add arm64 console to tests
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Disable tests which use unsupported formats
- Enable serial arm64 console for kernel+initrd test
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Currently there is a Content Trust issue with 4.0-alpine
as well as 4-alpine on arm64. 4.0.5-alpine works, so use
it for the example.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
It is not needed and the 'nginx:alpine' variant is not
yet multi-arch so it won't work on arm64.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- docker: Disabled because we don't have arm64 dind images
- tpm: The tss package is not compiled for arm64
- wireguard: This uses nginx:alpine which is not yet multi-arch
- docker_for_mac: Is x86 specific
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 'linuxkit build' command line option was renamed from
'-output' to '-format' a while back. Rename the test group
to reflect the change.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
