Previously the network policy yaml had to be hard-coded in the image.
This patch allows the policy to be added via the metadata directories:
- /var/config/cni/etc/net.d/
- /var/config/kube-system.init/
Signed-off-by: David Scott <dave.scott@docker.com>
This has no kube object(s) but just arranges for the CNI configuration to be
written in the right place. The CNI bridge, loopback etc binaries are already
included since they are in the reference set.
Signed-off-by: Ian Campbell <ijc@docker.com>
KUBE_NETWORK now specifies a yml which is passed to the Moby tool, which can
introduce files into /etc/kubeadm/kube-system.init/ or do other things as it
likes.
In the case of weave this just adds the weave yaml to that directory. To avoid
too much confusion between weave.yml (Moby tool input) and `weave.yaml` (the
kubernetes `ServiceAccount`, `DeamonsSet` etc object specs) name the latter
`kube-weave.yaml`.
Signed-off-by: Ian Campbell <ijc@docker.com>
Building both BIOS and EFI variants is a waste of time in most cases, instead
just build whichever one is relevant to the platform (which currently means EFI
on Darwin and BIOS everywhere else).
At the same time make it possible to pass "KUBE_FORMATS" (a space separated
list of targets) to the build e.g. `make KUBE_FORMATS="iso-efi iso-bios"` will
preserve the behaviour prior to this patch.
Signed-off-by: Ian Campbell <ijc@docker.com>
Specifically ignore present-but-empty files entirely and ignore (but log)
failure to apply any one file.
Ignoring an empty file is useful because it means you can clobber a file which
might be referenced from an images binds without needing to override those
binds (since that generally means duplicating the whole lot which is annoying).
Ignoring any failures to apply means the rest gets applied and the rest of the
script (including untaint and the stamp file creation) still happen, resulting
in a system where the admin just has to address the failures rather than the
remaining updates. We touch a file to indicate failure generally plus one to
indicate the specific yaml which failed to apply.
Signed-off-by: Ian Campbell <ijc@docker.com>
The 'vpnkit-forwarder' packages lacked the vpnkit-expose-port which
was removed in f48a2bfe12 ("pkg: update vpnkit-forwarder").
It is not longer needed as the vpnkit-expose-port functionality
was integrated into 'linuskit run'
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
With the switch to github.com/satori/go.uuid this is no
longer needed. Strangely, it was not in vendor.conf...
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
When hyperkit is used with VPNKit we can "publish" VM ports
on localhost by using an API to the VPNKit process.
This commit adds a "-publish" flag to the hyperkit backend
exposing this functionality. "-publish" can be used multiple
times and is used the same way as for the qemu backend.
Other changes:
- Use 'github.com/google/uuid' as the 'uuid' package since
VPKNkit uses it
- use 'vpnkit' prefix instead of 'vpnKit'
- Improve logging
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Remove the grub2 patch from LinuxKit since it has already been merged
into the CoreOS grub2 mainline code.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
The type of the guest and host ports should be uint16 not int. Also
make them public member of the PublishPort structure.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This code will soon be shared by other backends.
While at it, also rename the type to PublishPort (from publishPorts)
as it is just one Port and the function from splitPublish() to
NewPublishPort() as this seems more go like.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Advantage over Travis for this usecase is the automatic artifact handling
without needing to mess with S3 or similar, making it simple to offer
downloads.
Signed-off-by: Ian Campbell <ijc@docker.com>
On Linux enable pie too.
Lastly, give the user control over the target name (e.g. to allow them to build
with a GOOS+GOARCH suffix).
Signed-off-by: Ian Campbell <ijc@docker.com>
On Linux the default is /dev/random which may block if there
is not enough entropy (and it determines lack of entropy
conservatively). /dev/urandom never blocks but is fed from
the same entropy source as /dev/random so this change should
not affect platforms which have hardware RNGs but helps to
prevent stalls on platforms, in particular some arm64 platforms,
where the hardware RNG is either not present or not enabled.
If you really care about proper entropy inside a VM do not use
'linuxkit run', it's mostly for testing and shouldn't be used
for production anyway.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
