428 Commits

Author SHA1 Message Date
Ian Campbell
538c8b5a7b containerd: Add a service command to cleanup stale containers on boot
This may occur if /var/lib/container happens to be on persistent storage.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-07-14 13:50:46 +01:00
Justin Cormack
28b4245b12 Move onboot startup script to runc package
As this does not use containerd at all, this means you can run very
minimal setups with just `runc` if you use no services, for example
most of our tests do not actually use services, or if you have other
similar very minimal use cases.

Move ulimit setup to `init` which makes more sense.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-14 11:04:35 +01:00
Ian Campbell
902e6182b0 Temporarily use https://github.com/containerd/containerd/pull/1141
We expect this (or something very similar) to be merged soon; it fixes #2131, so
moving ahead now.

The new alpine mirror is linuxkit/alpine:6832775a7e861ee2d7842e157688ece52d007142

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-07-13 10:42:55 +01:00
Ian Campbell
c5634c4650 Define CONTAINERD_REPO alongside CONTAINERD_COMMIT in tools/alpine
This will make it simpler to temporarily use PRs which are not yet merged (but
are expected to be soon).

Tools alpine is not rebuilt here since we are going to do just that in the next
commit.

Signed-off-by: Ian Campbell <ijc@docker.com>
2017-07-13 10:38:27 +01:00
Ian Campbell
a2d3be0e6f Update runc and containerd
pull in newer containerd v1.0.0-alpha0 via updated alpine base, update runc to
429a5387123625040bacfbb60d96b1cbd02293ab which is vendored by that version of
containerd (and also update alpine base for runc)

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-13 10:37:15 +01:00
Justin Cormack
f98a56fc2c Merge pull request #2179 from deitch/read-only-securetty
Use existing securetty
2017-07-11 23:19:43 +01:00
Justin Cormack
9b4bce1e40 Add forcetag to package build
Use this if you really need to rebuild a package, eg if you change `package.mk`

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-11 16:35:58 +01:00
Justin Cormack
ed38adbc90 Add labels for repo and commit to packages
- use image spec metadata https://github.com/opencontainers/image-spec/blob/master/annotations.md
- omit commit if dirty

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-11 14:33:59 +01:00
Avi Deitcher
5d18cba75f Use existing securetty
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2017-07-11 14:43:26 +03:00
Justin Cormack
298f4aab32 Consistently don't use quotes around image names
These are not needed, but we are inconsistent. Been waiting for a
quiet moment to fix this since I noticed while doing a presentation...

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-09 17:47:30 +01:00
Rolf Neugebauer
c3bc803445 Merge pull request #2164 from rn/meta
Allow metadata package to overwrite existing config files
2017-07-07 19:48:09 +01:00
Rolf Neugebauer
4e19cf363a Merge pull request #2119 from djs55/host-timesync-daemon
Add Docker for Mac host time sync daemon
2017-07-07 19:17:20 +01:00
Rolf Neugebauer
f021bb8aaa pkg: In the metadata package, don't error if a dir exists
Use os.MkdirAll() instead of os.Mkdir() as it does not
error if the path already exists.

This enables specifying a default config file with the image
and then overwriting it with metadata.

While at it, also update to the latest alpine base image.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-07-07 18:29:02 +01:00
David Scott
d24d0bd559 Add pkg/host-timesync-daemon
Some hypervisors (e.g. hyperkit / xhyve) don't provide a good way to keep
the VM's clock in sync with the Host's clock. NTP will usually keep the
clocks together, but after the host or VM is suspended and resumed the
clocks can be suddenly too far apart for NTP to work properly.

This simple daemon listens on an AF_VSOCK port and resynchronises the VM
clock from the virtualised hardware clock.

This is a Go conversion of original C code written by
Magnus Skjegstad <magnus@skjegstad.com>

Signed-off-by: David Scott <dave.scott@docker.com>
2017-07-07 11:35:36 +01:00
Ian Campbell
aee080f621 pkg: Reduce the number of times variables containing $(shell...) are invoked.
For DIRTY and RELEASED this means simply performing a static assignment with
`:=`. For HASH it is a little more complex since it is (and we want/need it to
be) a conditional assignment. However it is only used for defining TAG, so make
that a static assignment.

This reduces the number of times the complex DIRTY shell command in particular
is evaluated.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-06 16:33:08 +01:00
Ian Campbell
4fba9d8545 pkg: Update content trust handling.
Firstly add option to disable content trust, for the use of e.g. projects which
are pushing to the linuxkitprojects org (which has no trust setup) rather than
the main linuxkit org.

Secondly, when trust _is_ enabled then enable it globally, in particular it is
now active for the `docker build` and hence containers referenced in
Dockerfiles via "FROM" will be checked.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-06 16:20:34 +01:00
Magnus Skjegstad
ba8be57eef pkg: add acpid
Adds a new service for running `/sbin/acpid` that comes with busybox.
The VM will shut down if the power button is pressed.

Signed-off-by: Magnus Skjegstad <magnus@skjegstad.com>
2017-07-05 22:37:46 +02:00
Justin Cormack
f43e1cbf27 Move containerd init file from init package to containerd package
Otherwise it gets out of sync, and it makes little sense it being in
`init` now anyway.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-07-03 13:42:00 +01:00
Ian Campbell
fe918f8a31 pkg: Run git update-index --refresh before git diff-index.
Otherwise files which have an updated timestamp but no actual changes are
marked as changes because `git diff-index` only uses the `lstat` result and not
the actual file contents. Running `git update-index --refresh` updates the
cache.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-03 10:27:31 +01:00
Ian Campbell
7fd155b38d pkg: Do not mark user supplied HASH as dirty
If a user passes a HASH e.g. HASH=dev then assume they know what they are doing
and don't need dirty tracking.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-03 10:27:31 +01:00
Ian Campbell
bdd7e7163b pkg: Allow override of commit to calculate hash for show-tag
Useful to answer the question of what the hash was at the point of some older
commit.

$ make --no-print-directory -C pkg/init/ show-tag
linuxkit/init:36c56f0664d49c5a6adc1120d1bf5ba6ac30b389
$ make --no-print-directory -C pkg/init/ show-tag HASH_COMMIT=4699f80ef73141ee87a77d03f93065e541fab382
linuxkit/init:17693d233dd009b2a3a8d23673cb85969e1dce80

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-03 10:27:31 +01:00
Vincent Demeester
a315e0b681 Fix DIRS find command to work on more systems
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-07-03 10:27:31 +01:00
Ian Campbell
1ea64d33f0 pkg: use Jessie-era compatible git command for calculating $(HASH)
The current rune for $(HASH) returns nothing with the Jessie version of git
(2.1.4). Using `--full-tree` works correctly but requires an absolute path (else
it produces e.g. "fatal: ../init: '../init' is outside repository").

Both `ls-tree` and `diff-index` are happy with a full absolute path, which
simplifies things since we can use `$(CURDIR)` directly.

Tested with a dirty `pkg/init` on both Jessie (git 2.1.4) and Stretch (git
2.11.0) with the following command, which produces identical output in both
cases:

$ for pkg in init containerd ; do make -C pkg/$pkg --no-print-directory show-tag; ( cd pkg/$pkg && make show-tag ); done
linuxkit/init:36c56f0664d49c5a6adc1120d1bf5ba6ac30b389-dirty
linuxkit/init:36c56f0664d49c5a6adc1120d1bf5ba6ac30b389-dirty
linuxkit/containerd:1e3e8f207421de8deac8cedc26a138d6b1661a0d
linuxkit/containerd:1e3e8f207421de8deac8cedc26a138d6b1661a0d

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-03 10:27:31 +01:00
Ian Campbell
66f9cc134f pkg: Consolidate $(TAG) to be the full tag
Saves lots of repetitions of `$(ORG)/$(IMAGE):$(HASH)$(DIRTY)` throughout the
file.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-03 10:27:31 +01:00
Ian Campbell
4a3d5acb88 pkg: Only consider the package directory itself for dirty tracking.
Since this is what is used in the hash.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-03 10:27:31 +01:00
Ian Campbell
b6728a85e9 pkg: Simplify dirty handling
By setting `DIRTY` to either "-dirty" or "" directly we can simply use
`$(HASH)$(DIRTY)` and avoid make adding a space as it does with `+=`.

For the push check we now block pushing if `$(DIRTY)` is non-empty.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-03 10:27:31 +01:00
Ian Campbell
55f537631a pkg: add target to print the tag
$ make --no-print-directory -C pkg/init/ show-tag
linuxkit/init:36c56f0664d49c5a6adc1120d1bf5ba6ac30b389

Useful for scripting etc.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-07-03 10:27:31 +01:00
Rolf Neugebauer
a148a8aa45 pkg: Fix docker-ce package
As of commit b2439251dd ("blueprints: update docker-for-mac.yml
to latest vpnkit packages") the docker-ce package does not need
the vpnkit-expose-port binary anymore. It was also removed from
the linuxkit/vpnkit-forwarder forwarder package with commit
f48a2bfe12 ("pkg: update vpnkit-forwarder") causing the docker-ce
package build to fail.

This commit fixes this by removing the linuxkit/vpnkit-forwarder
package from the docker-ce package build.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-07-01 19:24:16 +01:00
Rolf Neugebauer
4c1a45957e pkg: Add NETWORK to audit and rngd packages
This fixes a regression introduced in:
5a225b9d ("Makefile: Fix bug where network was not disabled")

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-07-01 18:11:45 +01:00
Rolf Neugebauer
699a864302 pkg: Update to new Alpine base
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-07-01 18:11:45 +01:00
Magnus Skjegstad
f48a2bfe12 pkg: update vpnkit-forwarder
Update to latest commit and don't include the binaries that are now in
vpnkit-expose-port.

Signed-off-by: Magnus Skjegstad <magnus@skjegstad.com>
2017-06-30 19:26:47 +02:00
Magnus Skjegstad
6c83b98a40 pkg: add vpnkit-expose-port
This package contains vpnkit binaries needed inside the dockerd
container that can be either copied into the container with a multistage
build or used as an init-container and bind-mounted to the right
locations.

vpnkit-expose-port is a userland proxy that interacts with vpnkit and
the vpnkit-forwarder service to open ports on the host.

vpnkit-iptables-wrapper wraps iptables to launch
vpnkit-expose-port automatically when ports are opened to a swarm
service.

Signed-off-by: Magnus Skjegstad <magnus@skjegstad.com>
2017-06-30 19:26:02 +02:00
Dave Tucker
5a225b9dc5 Makefile: Fix bug where network was not disabled
This commit moves the include statement to the bottom of the file to
ensure that all variables are set before conditionals are evaluated.

I also changed the ifndef NETWORK to ifdef NETWORK as the former was
incorrect. We want `NET_OPTS="--network=none"` in cases where NETWORK is
not defined.

Fixes: #2134

Signed-off-by: Dave Tucker <dt@docker.com>
2017-06-30 11:55:08 +01:00
Rolf Neugebauer
736713dc8f Merge pull request #2120 from dave-tucker/getty
Make it more obvious that getty/sshd are namespaced
2017-06-29 23:30:17 +01:00
Justin Cormack
fed24c4110 Update to Docker 17.06.0-ce
Note that the location of the static binaries changed.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-06-29 15:27:34 +01:00
Dave Tucker
5fb025824f getty: Make namespacing more obvious
Warn the user in the MOTD
Add "(ns: getty)" or "(ns: sshd)" to the PS1
Use `agetty` and `-a root` to ensure we get a login shell when insecure

Signed-off-by: Dave Tucker <dt@docker.com>
2017-06-29 14:58:44 +01:00
Tycho Andersen
740b97cc90 auditd: update image hash
Riyaz has actually pushed this hash, so let's use it.

Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-06-28 16:44:54 -06:00
Tycho Andersen
b95e28f466 auditd: add missing build.sh file
Whoops :)

Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-06-28 16:25:46 -06:00
Tycho Andersen
44cbd38650 add an auditd container
Two things to note here: we unfortunately can't just exec audit, because
something needs to load the rules in beforehand.

Second, it also dies if it can't re-nice itself, so we have to give it
CAP_SYS_NICE as well as the audit caps.

I didn't add this to the default linuxkit.yml because the linuxkit/audit
repo doesn't exist yet, but we should probably (?) do that. Additionally,
we should provide the kernel parameter audit=1, otherwise according to
auditd's man pages, we can't audit some early tasks.

Closes #52

Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-06-28 09:15:51 -06:00
Riyaz Faizullabhoy
ec7f1df1b4 Merge pull request #2112 from djs55/trim-after-delete2
RFC: add "trim after image delete" to the Docker for Mac blueprint
2017-06-27 14:12:00 -07:00
Rolf Neugebauer
093dae22d5 Update YAML files
- Use the new style kernel tags with the full kernel version
- Update packages with new alpine base and new/simplified Makefiles.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-06-27 19:56:08 +01:00
Rolf Neugebauer
2fb65e8f1e doc: Remove explicit hashes from documentation in ./pkg
People typically update hashes in YAML files with
'git grep ... | sed ...'; this will change the README.md files
in the ./pkg directory and thus change the git tree hash.

Remove the use of explicit hashes from those files to avoid
the obvious chicken and egg problem.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-06-27 18:01:48 +01:00
David Scott
38787b1ddd Add pkg/trim-after-delete
This adds a helper which monitors the Docker event stream and, when it
receives an image delete event, queues a call to `fstrim /var/lib/docker`
to trigger a space reclamation. Previously we would rely on a cron job
running every 15 minutes.

Signed-off-by: David Scott <dave.scott@docker.com>
2017-06-27 17:55:42 +01:00
Rolf Neugebauer
56d94318d9 pkg: Use curl instead of ADD to fetch rng-tools
There seems to be a change in docker 17.06-rc5 on how remote
URLs and tar archives work with ADD. Use curl instead.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-06-27 17:43:58 +01:00
Rolf Neugebauer
cab27698f4 pkg: Update all packages to the new alpine base
In a subsequent commit, all YAML files will be updated with
new package hashes since all packages needed rebuild due to
build system changes in commit adae27b8d1 ("Simplify
Makefiles for Packages"). So, we might as well bring all
packages up to the latest alpine base package.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-06-27 17:43:57 +01:00
Rolf Neugebauer
da24542d78 pkg: Improve package build
- Only build if the hash has changed. Previously
  we'd unconditionally build and not push if the tag existed.
- Add '.m' to the hash if the repository is dirty.
  This allows developers to build locally without committing
  but makes it clear that the hash is from a modified repository.
- Don't push to hub if the repository is dirty
- If the current commit has a tag, also push this to hub.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
2017-06-27 17:43:57 +01:00
Riyaz Faizullabhoy
ac80cd2574 Merge pull request #2101 from furious-luke/master
Add a metadata provider for Vultr
2017-06-26 14:59:21 -07:00
Ian Campbell
bbbbf3cb5d sshd: sync bind mounts with getty container
This adds all the binds from pkg/getty/Dockerfile to pkg/sshd/Dockerfile and
retains the existing /root/.ssh and /etc/resolv.conf binds.

With this, `dist` and `ctr` function in an ssh session.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-06-26 11:52:41 +01:00
Ian Campbell
2864f467b9 getty,sshd: Include ca-certificates.
Otherwise:

    dist pull docker.io/library/redis:alpine
    dist: failed to do request: Head https://registry-1.docker.io/v2/library/redis/manifests/alpine: x509: failed to load system roots and no roots provided

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-06-26 11:52:41 +01:00
Ian Campbell
34fbe42615 getty,sshd: Mount host /tmp into containers.
ctr (which runs in the getty or ssh container) relies on sharing files in /tmp
with containerd (which runs in the host mount namespace). Specifically it
currently uses paths under /tmp/containerd for the stdio FIFOs of containers, resulting in:

    # ctr run -t docker.io/library/redis:alpine test
    ctr: rpc error: code = Unknown desc = runtime create failed: runc create failed: container with id exists: test

Currently it is not possible to specify a non-existent source directory for a
bind mount, so we cannot easily bind just /tmp/containerd. Sharing all of /tmp
doesn't sound like a terrible idea anyway.

Deferring updating the sha in *.yml until after some further changes to these packages.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
2017-06-26 11:52:41 +01:00