After the runc security advisory[1] the default cgroup device
whitelist was changed.
In previous versions every container had "rwm" (read, write, mknod)
for every device ("a" for all). Typically this was overridden by
container engines like Docker. In LinuxKit we left the permissive
default.
In recent `runc` versions the default allow-all rule was removed,
so a container can only access a device if it is specifically
granted access, which LinuxKit handles via a device: entry.
However it is inconvenient for pkg/format, pkg/mount, pkg/swap
to list all possible block devices up-front. Therefore we add the
ability to grant access to an entire class of device with a single
rule:
```
- path: all
type: b
```
Obviously a paranoid user can still override this with a specific
major/minor number in a device: rule.
[1] https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq
Signed-off-by: David Scott <dave@recoil.org>
With 561ce6f4be ("Remove Notary and Content Trust") we
removed support for content trust. No need to have it
in the YAMLs either.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
oprofile kernel support was dropped with 5.12.x with:
f8408264c77a ("drivers: Remove CONFIG_OPROFILE support")
However the commit stated that the userspace oprofile tools
had stopped using the kernel interface for a log time. So
drop the check.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
CONFIG_BPFILTER is aimed to provide a replacement for netfilter.
When CONFIG_BPFILTER is enabled, the kernel tries to contact a user mode helper
for each iptable rule update. However the implementation of this helper has not
been upstreamed yet. The communication thus fails and the kernel then falls back
to netfilter.
As a result, the rule update takes more than ten times the duration of the
netfilter implementation alone.
This has been reported by Docker Desktop users for whom it can take minutes to
start a container sharing a few hundred ports. https://github.com/for-mac/issues/5668
More details on the situation is described in https://lwn.net/Articles/822744/.
Signed-off-by: Frederic Dalleau <frederic.dalleau@docker.com>
The bcc portion of the build had been disabled because it wasn't
building. Now that bcc is building again, add it back to the list of
default targets in the kernel build.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
This moves up to bcc 0.20.0 and builds on the latest 3.13 Alpine base
image. It uses libelf from Alpine, which allows us to drop a number of
the patches we were carrying and reduce the number of steps taken in the
bcc build.
This builds for me on a branch of tip against 5.11.x, 5.10.x,
5.10.x-dbg, and 5.4.x on x86_65. I have not had a chance to attempt
this on other platforms due to lack of hardware.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
Some kernels are only build for some architectures. The
test assumed that all kernels were build for all architectures.
Now, get a list of architectures for which we have a given
kernel image and then make sure the builder images pointed
to by the label and the builder image tagged by convention
exist and point to the same thing.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
