This commit removes Notary and Content Trust.
Notary v1 is due to be replaced with Notary v2 soon.
There is no clean migration path from one to the other.
For now, this removes all signing from LinuxKit.
We will look to add this back once a new Notary alternative
becomes available.
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
On Linux a key in `~/.docker/config.json` indicates if a credentials helper is
in use (and which), if one is then the method is identical to the Darwin case
so refactor to support that.
Signed-off-by: Ian Campbell <ijc@docker.com>
src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go embeds a yaml
fragment with some hashes in it, so avoid updating that since that would make
the vendoring unclean.
Signed-off-by: Ian Campbell <ijc@docker.com>
This updates to support updating things like `linuxkit/runc:v0.3` to a new hash
(or tag).
Running:
./scripts/update-component-sha.sh --image linuxkit/runc 100d0d046c
Still DTRT and updates runc to that (bogus) sha.
Furthermore, running:
./scripts/update-component-sha.sh --image linuxkit/runc v0.4
Updates runc to that (bogus) release (this worked before) but now running:
./scripts/update-component-sha.sh --image linuxkit/runc acba8886e4
Inverts things and puts them back.
(this is not quite a nop because
src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go has a
different sha in it which is not put back)
Signed-off-by: Ian Campbell <ijc@docker.com>
Right now the difference is rather minor, but I'm about to make this case more
complicated.
Running:
./scripts/update-component-sha.sh --image linuxkit/runc 100d0d046c
Still DTRT and updates runc to that (bogus) sha.
Signed-off-by: Ian Campbell <ijc@docker.com>
I think the intention was to use "" for bits with substitutions and '' for bits
without, but that makes it hard to read and the bits in '' are safe in the ""
context anyway.
Running:
./scripts/update-component-sha.sh --image linuxkit/runc 100d0d046c
Still DTRT and updates runc to that (bogus) sha.
Signed-off-by: Ian Campbell <ijc@docker.com>
Prior to notary 0.6.0, notary expected a terminal and only accepted
username/password interactively. With notary 0.6.0 this can now be
passed as an environment variable 'NOTARY_AUTH' in the form of
a base64 encoded 'username:password'.
This commit removes the ugly 'expect' hack in favour of the much
cleaner use of an environment variable.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
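The two commit messages above (reading the credential helper name from `~/.docker/config.json`, and passing credentials to notary 0.6.0 via `NOTARY_AUTH`) describe a small procedure. The script below is an added example, not LinuxKit's own `push-manifest.sh` or `linuxkit/alpine` script: it shows how the helper name is found, how a docker credential helper is queried (server URL on stdin, JSON with `Username` and `Secret` on stdout), and how the `NOTARY_AUTH` value is encoded. The function names, the constructed config file and the sample credentials are assumptions made for the example; `https://index.docker.io/v1/` is the key docker uses for Hub credentials.

```shell
#!/bin/sh
# Added example (not LinuxKit's own script): derive NOTARY_AUTH from the
# credentials a docker credential helper holds, as the commit messages describe.
set -eu

# Extract the "credsStore" value from a docker config file (path in $1).
# Prints nothing if no helper is configured. Assumes the key sits on one
# line, which is how docker writes it.
creds_helper_from_config() {
    sed -n 's/.*"credsStore"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Ask a credential helper for the credentials of one registry. Docker
# credential helpers read the server URL on stdin and print JSON such as
# {"ServerURL":"...","Username":"...","Secret":"..."}.
# Output: two lines, username then secret. Needs docker-credential-<helper>
# on PATH, so it is not exercised by the demo below.
creds_from_helper() {
    helper="$1"; server="$2"
    json=$(printf '%s' "$server" | "docker-credential-$helper" get)
    printf '%s\n' "$json" | sed -n 's/.*"Username"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
    printf '%s\n' "$json" | sed -n 's/.*"Secret"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Encode "username:password" the way notary >= 0.6.0 expects in NOTARY_AUTH.
# tr strips the line wrapping GNU base64 adds for long input.
notary_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Demo on a constructed config (no docker needed): helper lookup and encoding.
# A real run would instead do:
#   set -- $(creds_from_helper "$(creds_helper_from_config ~/.docker/config.json)" \
#            https://index.docker.io/v1/)
#   NOTARY_AUTH=$(notary_auth_value "$1" "$2") notary ...
demo_config=$(mktemp)
printf '{\n  "auths": {},\n  "credsStore": "osxkeychain"\n}\n' > "$demo_config"
echo "helper: $(creds_helper_from_config "$demo_config")"
echo "NOTARY_AUTH=$(notary_auth_value alice secret)"   # YWxpY2U6c2VjcmV0
rm -f "$demo_config"
```

Because every child process inherits the environment, and on Linux the environment of a running process is readable by the same user, the value is best set only on the `notary` command line (`NOTARY_AUTH=... notary ...`) rather than exported from a profile, and never written into shell history.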
The scripts used to scrape the various repositories to build
and push packages for all foreign kernels. They were designed
to be run periodically and provide "official" foreign kernel
packages. Needless to say we did not run them periodically
and the linuxkit packages became outdated quickly.
Now, we just provide users who are interested in using foreign
kernels the means to build their own package from specific
vendor kernels.
Each script uses slightly different command line arguments
as the location and naming of the kernel packages differ
wildly. The help message provides a working example which
has been tested with a minimal LinuxKit YAML file.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This script is slightly modified from the ChromiumOS splitconfig.
It takes a number of kernel config files and prints the common
and specific kernel config options to separate files.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Also adjust the 'linuxkit/alpine' script to follow the
same pattern.
The new version of the script extracts username/password from
the credential helper (or docker) and builds an 'expect'
script to feed the info to 'notary'.
They can be invoked by:
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="phrase" ./push-manifest.sh ...
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Remove the image and the intermediate images. Otherwise, especially
for the initial runs, the disk fills up quickly.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
No actual source change, just make it easier to enable
kernel headers should they be needed.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Doing a "docker pull" to check if an image exists on Hub
takes a long time for the number of images, in particular
in the linuxkit/kernel-mainline repo.
Instead, get a list of tags on Hub and check that way. This
does not check if the image was signed, but should be good
enough.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
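The check described above (list the repository's tags once, then test membership, instead of pulling every candidate image) is shown below as an added example; it is not the LinuxKit script the commit changed. The Docker Hub v2 tags endpoint, its `"next"` pagination link and the `"name":"..."` field layout are assumptions of this example, and the JSON response used by the demo is constructed inline.

```shell
#!/bin/sh
# Added example, not LinuxKit's own script: decide whether an image tag already
# exists by listing the repository's tags rather than pulling each image.
set -eu

# Pull tag names out of a Hub tags response read from stdin. Splitting on the
# JSON punctuation leaves one "key":value token per line, so no jq is needed.
tag_names_from_json() {
    tr ',{}[]' '\n\n\n\n\n' \
      | sed -n 's/^[[:space:]]*"name":[[:space:]]*"\([^"]*\)"[[:space:]]*$/\1/p'
}

# Fetch every page of tags for a repository such as linuxkit/kernel-mainline.
# Assumed endpoint: https://hub.docker.com/v2/repositories/<repo>/tags/ with
# a "next" URL per page (null on the last page). Needs network, so the demo
# below does not call it.
hub_tag_names() {
    url="https://hub.docker.com/v2/repositories/$1/tags/?page_size=100"
    while [ -n "$url" ]; do
        page=$(curl -fsSL "$url")
        printf '%s\n' "$page" | tag_names_from_json
        # "next":null yields no match and ends the loop.
        url=$(printf '%s\n' "$page" | tr ',{}' '\n\n\n' \
              | sed -n 's/^[[:space:]]*"next":[[:space:]]*"\([^"]*\)"[[:space:]]*$/\1/p')
    done
}

# Exact, whole-line match of one tag against the list on stdin (exit 0/1).
has_tag() {
    grep -qx -- "$1"
}

# Demo on a constructed response. The live equivalent is:
#   hub_tag_names linuxkit/kernel-mainline | has_tag 4.14.1 && echo "already pushed"
sample='{"count":2,"next":null,"results":[{"name":"v4.14.1","full_size":1},{"name":"latest","full_size":2}]}'
for t in latest v4.99; do
    if printf '%s\n' "$sample" | tag_names_from_json | has_tag "$t"; then
        echo "$t: present, skip push"
    else
        echo "$t: absent, needs building"
    fi
done
```

As the commit message notes, a tag's presence says nothing about whether the content behind it was signed; when content trust is in use, `docker trust inspect` on the image is the check that actually verifies signatures.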
This only covers the 4.x Ubuntu kernels and for now does
not include the headers to build modules against.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>