This is a `moby.ImageConfig` struct which is marshalled into JSON and added as
the `org.mobyproject.config` label on the built image.
Convert `pkg/sysctl` as PoC.
Signed-off-by: Ian Campbell <ijc@docker.com>
The update in 6ede240737 ("kernel: Update to
4.14.1/4.13.15/4.9.64/4.4.100") failed to build on aarch64.
This fixes it.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
If doing the build separately from pushing (as I am intending in
https://github.com/linuxkit/kubernetes/pull/8/) it is desirable to avoid a
second build when pushing.
Signed-off-by: Ian Campbell <ijc@docker.com>
For 'build_perf_' and 'build_zfs_' targets in the Makefile,
since both of them are dependends on the build_$(2)$(3) target,
So, we pull the image with DCT as part of the dependency on build_$(2)$(3)
and then build with DOCKER_CONTENT_TRUST explicitly set to 0.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
The PR adding cadvisor overlapped with the kernel updates. This
brings the example back in line.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Also add libelf-dev as this is needed for ORC_UNWINDER. While this is only
a feature of 4.14.x we added it to all Dockerfiles to keep things in synch.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Commit 31c8c4942820 ("security/keys: add CONFIG_KEYS_COMPAT
to Kconfig") moved the KEYS_COMPAT config option to a different
section. Adjust config file.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
REFCOUNT_FULL enables full reference count validation. There is a
potential slow down but ti protects against certain use-after-free
attacks.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
On 4.13 and 4.14 kernels GCC_PLUGIN_RANDSTRUCT can be use to randomise
some kernel data structures such as structs with function pointers.
We also select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE which
tries harder to restrict randomisation to cache-lines in order to reduce
performance impact.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.13 and 4.14 kernels support GCC_PLUGIN_STRUCTLEAK, a GCC plugin
to zero initialise any structures with the __user attribute to prevent
information exposure.
On 4.14 kernels also enable GCC_PLUGIN_STRUCTLEAK_BYREF_ALL which is
an extension of the above
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The recent iso9660wrap vendoring bump means this does now work, but it seems
pointless in this case so skip.
Relates to https://github.com/linuxkit/kubernetes/issues/4
Signed-off-by: Ian Campbell <ijc@docker.com>
This code was identical in the QEMU and HyperKit cases. Move it to util.go and
wrap it in a function, with minimal changes for returning an error.
Signed-off-by: Ian Campbell <ijc@docker.com>
