Merge pull request #3835 from dgageot/release-workflow

Add an automated release workflow

.circleci/config.yml

@@ -1,62 +0,0 @@
-version: 2
-jobs:
-  build:
-    working_directory: /go/src/github.com/linuxkit/linuxkit
-    docker:
-      - image: circleci/golang:1.10-stretch
-    steps:
-      - checkout
-      - run: mkdir -p ./bin
-      - run:
-          name: Versions
-          command: |
-            set -x
-            go version
-            cat /etc/os-release
-      - run:
-          name: Dependencies
-          command: |
-            go get -u github.com/golang/lint/golint
-            go get -u github.com/gordonklaus/ineffassign
-      - run:
-          name: Lint
-          command: make local-check
-      - run:
-          name: Build amd64/linux
-          environment:
-            GOOS: linux
-            GOARCH: amd64
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
-      - run:
-          name: Build arm64/linux
-          environment:
-            GOOS: linux
-            GOARCH: arm64
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
-      - run:
-          name: Build s390x/linux
-          environment:
-            GOOS: linux
-            GOARCH: s390x
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
-      - run:
-          name: Build amd64/darwin
-          environment:
-            GOOS: darwin
-            GOARCH: amd64
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
-      - run:
-          name: Build amd64/windows
-          environment:
-            GOOS: windows
-            GOARCH: amd64
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH.exe local-build
-      - run:
-          name: Test
-          command: make local-test
-      - run:
-          name: Checksum
-          command: cd bin && sha256sum linuxkit-*-* > SHA256SUM
-      - store_artifacts:
-          path: ./bin
-          destination: .

.github/workflows/ci.yml

@@ -0,0 +1,381 @@
+name: LinuxKit CI
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Build & Test
+    strategy:
+      matrix:
+        target:
+          - os: linux
+            arch: amd64
+            suffix: amd64-linux
+            runner: ubuntu-latest
+          - os: linux
+            arch: arm64
+            suffix: arm64-linux
+            runner: ubuntu-latest
+          - os: linux
+            arch: s390x
+            suffix: s390x-linux
+            runner: ubuntu-latest
+          - os: darwin
+            arch: amd64
+            suffix: amd64-darwin
+            runner: macos-latest
+          - os: darwin
+            arch: arm64
+            suffix: arm64-darwin
+            runner: macos-latest
+          - os: windows
+            arch: amd64
+            suffix: amd64-windows.exe
+            runner: ubuntu-latest
+
+    runs-on: ${{ matrix.target.runner }}
+    steps:
+
+    - name: Set up Go 1.16
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.16.7
+      id: go
+
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Set path
+      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+      env:
+         GOPATH: ${{runner.workspace}}
+
+    - name: Get pre-requisites
+      run: |
+            go get -u golang.org/x/lint/golint
+            go get -u github.com/gordonklaus/ineffassign
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    # - name: Lint
+    #   run: |
+    #     make local-check
+    #   env:
+    #     GOPATH: ${{runner.workspace}}
+
+    - name: Build
+      run: |
+        make GOARCH=${{matrix.target.arch}} GOOS=${{matrix.target.os}} LOCAL_TARGET=$(pwd)/bin/linuxkit-${{matrix.target.suffix}} local-build
+        file bin/linuxkit-${{matrix.target.suffix}}
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - name: Checksum
+      run: |
+        cd bin
+        if command -v sha256sum > /dev/null; then sha256sum linuxkit-${{matrix.target.suffix}} > linuxkit-${{matrix.target.suffix}}.SHA256SUM
+        else openssl sha256 -r linuxkit-${{matrix.target.suffix}} | tr -d '*'  > linuxkit-${{matrix.target.suffix}}.SHA256SUM
+        fi
+        cat linuxkit-${{matrix.target.suffix}}.SHA256SUM
+
+    - name: Test
+      run: make local-test
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - name: Upload binary
+      uses: actions/upload-artifact@v2
+      with:
+        name: linuxkit-${{matrix.target.suffix}}
+        path: |
+          bin/linuxkit-${{matrix.target.suffix}}
+          bin/linuxkit-${{matrix.target.suffix}}.SHA256SUM
+        if-no-files-found: error
+
+  build_packages:
+    name: Build Packages
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Set up binfmt
+      # Only register arm64 as we are on amd64 already. s390x is not reliable
+      run: docker run --privileged --rm tonistiigi/binfmt --install arm64
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Cache Packages
+      uses: actions/cache@v2
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+
+    - name: Build Packages
+      # Skip s390x as emulation is unreliable
+      run: |
+        make OPTIONS="-v --skip-platforms linux/s390x" -C pkg build
+
+  test_packages:
+    name: Packages Tests
+    needs: [ build_packages, build ]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Restore Package Cache
+      uses: actions/cache@v2
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.packages
+
+  test_kernel:
+    name: Kernel Tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.kernel
+
+  test_linuxkit:
+    name: LinuxKit Build Tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.build
+
+  test_platforms:
+    name: Platform Tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.platforms
+
+  test_security:
+    name: Security Tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.security

.github/workflows/publish.yaml

@@ -0,0 +1,67 @@
+# publish changes that are merged to master
+name: Packages Push
+on:
+  workflow_run:
+    workflows: [LinuxKit CI]
+    types: [completed]
+    branches: [master, main]
+
+jobs:
+  packages:
+    env:
+      linuxkit_file: linuxkit-amd64-linux
+    name: Publish Changed Packages
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+    - name: Ensure bin/ directory
+      run: mkdir -p bin
+    - name: Download linuxkit
+      uses: actions/github-script@v3.1.0
+      with:
+        script: |
+          var artifacts = await github.actions.listWorkflowRunArtifacts({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: ${{github.event.workflow_run.id }},
+          });
+          var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+            return artifact.name == "${{ env.linuxkit_file }}"
+          })[0];
+          var download = await github.actions.downloadArtifact({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              artifact_id: matchArtifact.id,
+              archive_format: 'zip',
+          });
+          var fs = require('fs');
+          fs.writeFileSync('${{github.workspace}}/bin/${{ env.linuxkit_file }}.zip', Buffer.from(download.data));
+    - name: unzip linuxkit
+      run: cd bin && unzip ${{ env.linuxkit_file }}.zip
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/${{ env.linuxkit_file }}
+        sudo ln -s $(pwd)/bin/${{ env.linuxkit_file }} /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+    - name: Restore Package Cache
+      uses: actions/cache@v2
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+    - name: Login to Docker Hub
+      uses: docker/login-action@v2
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Publish Packages
+      # this should only push changed ones:
+      #  - unchanged: already in the registry
+      #  - changed: already built and cached, so only will push
+      # Skip s390x as emulation is unreliable
+      run: |
+        make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild"

.github/workflows/release.yml

@@ -0,0 +1,42 @@
+name: LinuxKit CI
+
+on:
+  create:
+    tags:
+      - v*
+
+jobs:
+  build:
+    name: Build all targets
+    runs-on: macos-latest
+    steps:
+
+    - name: Set up Go 1.16
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.16.7
+      id: go
+
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Set path
+      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+      env:
+         GOPATH: ${{runner.workspace}}
+
+    - name: Build
+      run: |
+        make build-all-targets
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - name: GitHub Release
+      uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        draft: true
+        files: bin/*

.gitignore

@@ -19,3 +19,4 @@ Dockerfile.media
 *-cmdline
 *-state
 artifacts/*
+tools/alpine/iid

.mailmap

@@ -1,5 +1,3 @@
-# Generate AUTHORS: scripts/generate-authors.sh
-
 # Tip for finding duplicates (besides scanning the output of AUTHORS for name
 # duplicates that aren't also email duplicates): scan the output of:
 #   git log --format='%aE - %aN' | sort -uf
@@ -7,6 +5,7 @@
 # For explanation on this file format: man git-shortlog
 
 Alice Frosi <alice@linux.vnet.ibm.com> <alice@linux.vnet.ibm.comx>
+Alice Frosi <alice@linux.vnet.ibm.com> <afrosi@de.ibm.com>
 Amir Chaudhry <amir.chaudhry@docker.com> <amirmc@gmail.com>
 Anil Madhavapeddy <anil.madhavapeddy@docker.com> <anil@recoil.org>
 Dan Finneran <dan@thebsdbox.co.uk> <dan@dev.fnnrn.me>
@@ -29,6 +28,7 @@ Ian Campbell <ian.campbell@docker.com> <ijc@lxdeb01.marist.edu>
 Isaac Rodman <isaac@eyz.us> <isaac.rodman@healthtrio.com>
 Isaac Rodman <isaac@eyz.us>
 Istvan Szukacs <l1x@users.noreply.github.com>
+James McCoy <james@mcy.email>
 Jeff Wu <jeff.wu.junfei@gmail.com> <JeffWuBJ@users.noreply.github.com>
 Jeremy Yallop <yallop@docker.com> <yallop@gmail.com>
 Justin Cormack <justin.cormack@docker.com> <justin.cormack@unikernel.com>
@@ -39,7 +39,8 @@ Magnus Skjegstad <magnus.skjegstad@docker.com> <magnus@skjegstad.com>
 Marten Cassel <marten.cassel@gmail.com> <mcpop28@hotmail.com>
 Mindy Preston <mindy.preston@docker.com> <meetup@yomimono.org>
 MinJae Kwon <mingrammer@gmail.com>
-Nathan Dautenhahn <ndd@seas.upenn.edu> <ndd@cis.upenn.edu>
+Nathan Dautenhahn <ndd@rice.edu> <ndd@seas.upenn.edu>
+Nathan Dautenhahn <ndd@rice.edu> <ndd@cis.upenn.edu>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathan.leclaire@gmail.com>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathanleclaire@gmail.com>
 Niclas Mietz <niclas@mietz.io>

ADOPTERS.md

@@ -0,0 +1,19 @@
+## LinuxKit Adopters
+
+_This list is currently under construction. Please add your use cases to this with a PR. Thanks!_
+
+# Production Users
+
+**_[Docker Desktop](https://www.docker.com/products/docker-desktop)_** - Docker Desktop for Mac and Windows uses LinuxKit to provide an embedded, invisible virtual machine in order to run Linux containers and to run Kubernetes. There are currently millions of active users.
+
+**_[TagHub](https://www.taghub.net)_** - TagHub is a SaaS product for doing asset management. We use LinuxKit to have small and secure linux nodes powering our multi-cloud infrastructure. TagHub is made by [Smart Management](http://www.smartm.no/).
+
+# Projects Using LinuxKit
+
+**_[LinuxKit Nix](https://github.com/nix-community/linuxkit-nix)_** aims to provide a Linux Nix VM for macOS.
+
+**_[cfdev](https://github.com/cloudfoundry-incubator/cfdev)_** A fast and easy local Cloud Foundry experience on native hypervisors, powered by LinuxKit with VPNKit
+
+**_[dm-linuxkit](https://github.com/dotmesh-io/dm-linuxkit)_** A dotmesh controller for LinuxKit persistent storage management.
+
+**_[Linux Foundation Edge EVE](https://github.com/lf-edge/eve)_** Edge Virtualization Engine Operating System

AUTHORS

@@ -6,19 +6,28 @@ Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
 Alan Raison <alanraison@users.noreply.github.com>
 Alex Ellis <alexellis2@gmail.com>
 Alex Johnson <hello@alex-johnson.net>
+Alex Szakaly <alex.szakaly@gmail.com>
 Alexander Slesarev <alex.slesarev@nudatasecurity.com>
 Alice Frosi <alice@linux.vnet.ibm.com>
 Amir Chaudhry <amir.chaudhry@docker.com>
 Anil Madhavapeddy <anil.madhavapeddy@docker.com>
+Arthur Lutz <arthur.lutz@logilab.fr>
+Asbjorn Enge <asbjorn@hanafjedle.net>
 Avi Deitcher <avi@deitcher.net>
+Aymen EL AMRI <aymen@eralabs.io>
+Ben Allen <bsallen@alcf.anl.gov>
 Bill Kerr <bill@generalbill.com>
+Björn Ingeson <bjorn.ingeson@gmail.com>
 Brice Figureau <brice-puppet@daysofwonder.com>
 Carlton-Semple <carlton.semple@ibm.com>
 Chanwit Kaewkasi <chanwit@gmail.com>
+Christian Wuerdig <christian.wuerdig@gmail.com>
+Clovis Durand <cd.clovel19@gmail.com>
 Craig Ingram <cingram@heroku.com>
 Damiano Donati <damiano.donati@gmail.com>
 Dan Finneran <dan@thebsdbox.co.uk>
 Daniel Caminada <daniel.caminada@ergon.ch>
+Daniel Dean <daniel@razorsecure.com>
 Daniel Hiltgen <daniel.hiltgen@docker.com>
 Daniel Nephin <dnephin@gmail.com>
 Dave Freitag <dcfreita@us.ibm.com>
@@ -30,66 +39,85 @@ David Scott <dave.scott@docker.com>
 David Sheets <david.sheets@docker.com>
 Dennis Chen <dennis.chen@arm.com>
 Dieter Reuter <dieter.reuter@me.com>
+Dominic White <singe-github@singe.za.net>
+duraki <duraki@linuxmail.org>
 Edward Vielmetti <edward.vielmetti@gmail.com>
 Emily Casey <ecasey@pivotal.io>
 Eric Briand <eric.briand@gmail.com>
 Evan Hazlett <ejhazlett@gmail.com>
+Federico Pellegatta <12744504+federico-pellegatta@users.noreply.github.com>
 French Ben <frenchben@docker.com>
+Frédéric Dalleau <frederic.dalleau@docker.com>
 functor <meehow@gmail.com>
+Gabriel Chabot <gabriel.chabot@qarnot-computing.com>
 Garth Bushell <garth.bushell@oracle.com>
 George Papanikolaou <g3orge.app@gmail.com>
+Gerben Geijteman <gerben@isset.nl>
 Gianluca Arbezzano <gianarb92@gmail.com>
 Guillaume Rose <guillaume.rose@docker.com>
 Hans van den Bogert <hansbogert@gmail.com>
+hyperized <gerben@hyperized.net>
 Ian Campbell <ian.campbell@docker.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
 Isaac Rodman <isaac@eyz.us>
 Istvan Szukacs <l1x@users.noreply.github.com>
 Ivan Markin <sw@nogoegst.net>
+James McCoy <james@mcy.email>
 Jason A. Donenfeld <Jason@zx2c4.com>
 Jeff Wu <jeff.wu.junfei@gmail.com>
 Jeffrey Hogan <jeff.hogan1@gmail.com>
 Jeremy Yallop <yallop@docker.com>
 Jes Ferrier <jes.ferrier@gmail.com>
 Jesse Adametz <jesseadametz@gmail.com>
+Johannes Würbach <johannes.wuerbach@googlemail.com>
 John Albietz <inthecloud247@gmail.com>
 Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
 Justin Barrick <jbarrick@cloudflare.com>
 Justin Cormack <justin.cormack@docker.com>
 Justin Ko <justin.ko@oracle.com>
+Justin Terry (VM) <juterry@microsoft.com>
+Karol Woźniak <wozniakk@gmail.com>
 Ken Cochrane <ken.cochrane@docker.com>
 Krister Johansen <krister.johansen@oracle.com>
+Krisztian Horvath <keyki.kk@gmail.com>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
 Liqdfire <liqdfire@gmail.com>
 Lorenzo Fontana <lo@linux.com>
+Loïc Pottier <lpottier@isi.edu>
 Luke Hodkinson <furious.luke@gmail.com>
 Madhu Venugopal <madhu@docker.com>
 Magnus Skjegstad <magnus.skjegstad@docker.com>
 Marco Mariani <marco.mariani@alterway.fr>
 Marcus van Dam <marcus@marcusvandam.nl>
+Mario Loriedo <mario.loriedo@gmail.com>
 marten <marten.cassel@gmail.com>
 Mathieu Champlon <mathieu.champlon@docker.com>
 Mathieu Pasquet <mathieu.pasquet@alterway.fr>
 Matt Bajor <matt.bajor@workday.com>
 Matt Bentley <matt.bentley@docker.com>
 Matt Johnson <matjohn2@cisco.com>
+Michael Aldridge <aldridge.mac@gmail.com>
 Michel Courtine <michel.courtine@docker.com>
 Mickaël Salaün <mic@digikod.net>
 Mindy Preston <mindy.preston@docker.com>
 MinJae Kwon <mingrammer@gmail.com>
 Natanael Copa <natanael.copa@docker.com>
-Nathan Dautenhahn <ndd@seas.upenn.edu>
+Nathan Dautenhahn <ndd@rice.edu>
 Nathan LeClaire <nathan.leclaire@docker.com>
 Nick Jones <nick@dischord.org>
 Niclas Mietz <niclas@mietz.io>
 Nico Di Rocco <dirocco.nico@gmail.com>
 Olaf Bergner <olaf.bergner@gmx.de>
 Olaf Flebbe <of@oflebbe.de>
+Omar Ramadan <omar.ramadan93@gmail.com>
 Patrik Cyvoct <patrik@ptrk.io>
+Petr Fedchenkov <giggsoff@gmail.com>
 Phil Estes <estesp@linux.vnet.ibm.com>
 Pierre Gayvallet <pierre.gayvallet@docker.com>
 Pratik Mallya <mallya@us.ibm.com>
+Preston Holmes <preston@ptone.com>
 Radu Matei <matei.radu94@gmail.com>
+Richard Connon <richard@connon.me.uk>
 Richard Mortier <mort@cantab.net>
 Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 Robb Kistler <robb.kistler@docker.com>
@@ -98,9 +126,15 @@ Rolf Neugebauer <rn@rneugeba.io>
 Roman Shaposhnik <rvs@zededa.com>
 Rui Lopes <rgl@ruilopes.com>
 Ryoga Saito <proelbtn@gmail.com>
+Sachi King <nakato@nakato.io>
+salman aljammaz <s@aljmz.com>
+schrotthaufen <schrotthaufen@invalid.invalid>
 Scott Coulton <scott.coulton@puppet.com>
 Sebastiaan van Stijn <sebastiaan.vanstijn@docker.com>
+sethp <seth.pellegrino@gmail.com>
+Simarpreet Singh <simar@linux.com>
 Simon Ferquel <simon.ferquel@docker.com>
+Simon Fridlund <simon@fridlund.email>
 Sotiris Salloumis <sotiris.salloumis@gmail.com>
 Steeve Morin <steeve.morin@gmail.com>
 Stefan Bourlon <stefan.bourlon@ca.com>
@@ -117,8 +151,11 @@ Tiejun Chen <tiejun.china@gmail.com>
 Tim Potter <tpot@hpe.com>
 Tobias Gesellchen <tobias@gesellix.de>
 Tobias Klauser <tklauser@distanz.ch>
+Tomas Knappek <tomas.knappek@gmail.com>
 Tristan Slominski <tristan.slominski@gmail.com>
 Tycho Andersen <tycho@docker.com>
 Vincent Demeester <Vincent.Demeester@docker.com>
+Yoann Ricordel <yoann.ricordel@qarnot-computing.com>
 Zachery Hostens <zacheryph@gmail.com>
+zimbatm <zimbatm@zimbatm.com>
 zlim <zlim.lnx@gmail.com>

CHANGELOG.md

@@ -3,6 +3,52 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
+## [v0.8] - 2020-05-10
+### Added
+
+- Removed dependency on external `notary` and `manifest-tool` binaries for package builds
+- Risc-V support for `binfmt`
+- Support for GPT partitions
+- `metadata` package support for Digital Ocean and Hetzner as well as loading from a file
+- Support for `/sys/fs/bpf` in `init`
+- Github Actions for CI
+
+### Changed
+- `alpine` base updated to 3.11
+- `containerd` updated to v1.3.4
+- `runc` updated to v1.0.0-rc9
+- `binfmt` updated to qemu 4.2
+- `node_exporter` updated to  v0.18.1
+- `cadvisor` updated to v0.36.0
+- WireGuard updated to 1.0.20200319
+- Improved CDROM support and fixes to GCP and Scaleway providers in the `metadata` package
+- Improved creation of `swap` files
+- Improved RPI3 build
+
+### Removed
+- Containerized `qemu`
+- Windows binary from release
+
+## [v0.7] - 2019-04-17
+### Added
+- Reproducible `linuxkit build` for some output formats
+- Support uncompressed kernels, e.g., for crosvm and firecracker.
+- Support encrypted disks via `dm-crypt`
+- New `bpftrace` package
+- Support for USB devices in `qemu`
+
+### Changed
+- Alpine base updated to 3.9
+- `containerd` updated to v1.2.6
+- WireGuard updated to 0.0.20190227
+- Updated Docker base API level
+- VirtualBox improvements (multiple drives and network adapters)
+- Fixed Windows path handling in `linuxkit`
+- GCP: Improve error checking/handling
+
+### Removed
+
+
 ## [v0.6] - 2018-07-26
 ### Added
 - `linuxkit build` now works with private repositories and registries.

MAINTAINERS

@@ -159,13 +159,24 @@ on disputes for technical matters."
 [Org]
 	[Org."Core maintainers"]
 		people = [
+			"dave-tucker",
 			"deitch",
+			"djs55",
 			"ijc",
 			"justincormack",
-			"riyazdf",
 			"rn",
 		]
 
+	[Org.Alumni]
+
+	# This list contains maintainers that are no longer active on the project.
+	# It is thanks to these people that the project has become what it is today.
+	# Thank you!
+
+		people = [
+			"riyazdf",
+		]
+
 [people]
 
 # A reference list of all people associated with the project.
@@ -173,11 +184,21 @@ on disputes for technical matters."
 # in the people section.
 
 	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
+	[People.dave-tucker]
+	Name = "Dave Tucker"
+	Email = "dave@dtucker.co.uk"
+	Github = "dave-tucker"
+
 	[People.deitch]
 	Name = "Avi Deitcher"
 	Email = "avi@atomicinc.com"
 	GitHub = "deitch"
 
+	[People.djs55]
+	Name = "David Scott"
+	Email = "dave@recoil.org"
+	Github = "djs55"
+
 	[People.ijc]
 	Name = "Ian Campbell"
 	Email = "ian.campbell@docker.com"

Makefile

@@ -1,18 +1,16 @@
-VERSION="v0.6"
-GIT_COMMIT=$(shell git rev-list -1 HEAD)
+VERSION="v0.8+"
 
-GO_COMPILE=linuxkit/go-compile:e1204ce9921c1d45362a374e06be7234d3bf1184
+GO_COMPILE=linuxkit/go-compile:7b1f5a37d2a93cd4a9aa2a87db264d8145944006
 
 ifeq ($(OS),Windows_NT)
-LINUXKIT?=bin/linuxkit.exe
+LINUXKIT?=$(CURDIR)/bin/linuxkit.exe
 RTF?=bin/rtf.exe
 GOOS?=windows
 else
-LINUXKIT?=bin/linuxkit
+LINUXKIT?=$(CURDIR)/bin/linuxkit
 RTF?=bin/rtf
 GOOS?=$(shell uname -s | tr '[:upper:]' '[:lower:]')
 endif
-GOARCH?=amd64
 ifneq ($(GOOS),linux)
 CROSS+=-e GOOS=$(GOOS)
 endif
@@ -20,24 +18,28 @@ ifneq ($(GOARCH),amd64)
 CROSS+=-e GOARCH=$(GOARCH)
 endif
 
-PREFIX?=/usr/local/
+PREFIX?=/usr/local
+
+LOCAL_TARGET?=$(CURDIR)/bin/linuxkit
+
+export VERSION GO_COMPILE GOOS GOARCH LOCAL_TARGET LINUXKIT
 
 .DELETE_ON_ERROR:
 
 .PHONY: default all
-default: $(LINUXKIT) $(RTF)
+default: linuxkit $(RTF)
 all: default
 
-RTF_COMMIT=171155c375706f2616f0b9c96afe2240e15d1de1
+RTF_COMMIT=2351267f358ce6621c0c0d9a069f361268dba5fc
 RTF_CMD=github.com/linuxkit/rtf/cmd
 RTF_VERSION=0.0
 $(RTF): tmp_rtf_bin.tar | bin
-	tar xf $<
+	tar -C $(dir $(RTF)) -xf $<
 	rm $<
 	touch $@
 
 tmp_rtf_bin.tar: Makefile
-	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/linuxkit/rtf --clone https://github.com/linuxkit/rtf.git --commit $(RTF_COMMIT) --package github.com/linuxkit/rtf --ldflags "-X $(RTF_CMD).GitCommit=$(RTF_COMMIT) -X $(RTF_CMD).Version=$(RTF_VERSION)" -o $(RTF) > $@
+	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/linuxkit/rtf --clone https://github.com/linuxkit/rtf.git --commit $(RTF_COMMIT) --package github.com/linuxkit/rtf --ldflags "-X $(RTF_CMD).GitCommit=$(RTF_COMMIT) -X $(RTF_CMD).Version=$(RTF_VERSION)" -o $(notdir $(RTF)) > $@
 
 # Manifest tool for multi-arch images
 MT_COMMIT=bfbd11963b8e0eb5f6e400afaebeaf39820b4e90
@@ -50,56 +52,29 @@ bin/manifest-tool: tmp_mt_bin.tar | bin
 tmp_mt_bin.tar: Makefile
 	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/estesp/manifest-tool --clone $(MT_REPO) --commit $(MT_COMMIT) --package github.com/estesp/manifest-tool --ldflags "-X main.gitCommit=$(MT_COMMIT)" -o bin/manifest-tool > $@
 
-LINUXKIT_DEPS=$(wildcard src/cmd/linuxkit/*.go) $(wildcard src/cmd/linuxkit/*/*.go) Makefile src/cmd/linuxkit/vendor.conf
-$(LINUXKIT): tmp_linuxkit_bin.tar
-	tar xf $<
-	rm $<
-	touch $@
-
-tmp_linuxkit_bin.tar: $(LINUXKIT_DEPS)
-	tar cf - -C src/cmd/linuxkit . | docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit/src/cmd/linuxkit --ldflags "-X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.GitCommit=$(GIT_COMMIT) -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.Version=$(VERSION)" -o $(LINUXKIT) > $@
+.PHONY: linuxkit
+linuxkit: bin
+	make -C ./src/cmd/linuxkit
 
 .PHONY: test-cross
 test-cross:
-	$(MAKE) clean
-	$(MAKE) -j 3 GOOS=darwin tmp_rtf_bin.tar tmp_mt_bin.tar tmp_linuxkit_bin.tar
-	$(MAKE) clean
-	$(MAKE) -j 3 GOOS=windows tmp_rtf_bin.tar tmp_mt_bin.tar tmp_linuxkit_bin.tar
-	$(MAKE) clean
-	$(MAKE) -j 3 GOOS=linux tmp_rtf_bin.tar tmp_mt_bin.tar tmp_linuxkit_bin.tar
-	$(MAKE) clean
+	make -C ./src/cmd/linuxkit test-cross
 
-LOCAL_LDFLAGS += -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.GitCommit=$(GIT_COMMIT) -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.Version=$(VERSION)
-LOCAL_TARGET ?= $(LINUXKIT)
+.PHONY: local local-%
+local:
+	make -C ./src/cmd/linuxkit local
 
-.PHONY: local-check local-build local-test local-static-pie local-static local-dynamic local
-local-check: $(LINUXKIT_DEPS)
-	@echo gofmt... && o=$$(gofmt -s -l $(filter %.go,$(LINUXKIT_DEPS))) && if [ -n "$$o" ] ; then echo $$o ; exit 1 ; fi
-	@echo govet... && go tool vet -printf=false $(filter %.go,$(LINUXKIT_DEPS))
-	@echo golint... && set -e ; for i in $(filter %.go,$(LINUXKIT_DEPS)); do golint $$i ; done
-	@echo ineffassign... && ineffassign  $(filter %.go,$(LINUXKIT_DEPS))
-
-local-build: local-static
-
-local-static-pie: $(LINUXKIT_DEPS) | bin
-	CGO_ENABLED=0 go build -o $(LOCAL_TARGET) --buildmode pie --ldflags "-s -w -extldflags \"-static\" $(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
-
-local-static: $(LINUXKIT_DEPS) | bin
-	CGO_ENABLED=0 go build -o $(LOCAL_TARGET) --ldflags "$(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
-
-local-dynamic: $(LINUXKIT_DEPS) | bin
-	go build -o $(LOCAL_TARGET) --ldflags "$(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
-
-local-test: $(LINUXKIT_DEPS)
-	go test $(shell go list github.com/linuxkit/linuxkit/src/cmd/linuxkit/... | grep -v ^github.com/linuxkit/linuxkit/src/cmd/linuxkit/vendor/)
-
-local: local-check local-build local-test
+local-%:
+	make -C ./src/cmd/linuxkit $@
 
 bin:
 	mkdir -p $@
 
 install:
-	cp -R ./bin/* $(PREFIX)/bin
+	cp -R bin/* $(PREFIX)/bin
+
+sign:
+	codesign --entitlements linuxkit.entitlements --force -s - $(PREFIX)/bin/linuxkit
 
 .PHONY: test
 test:
@@ -130,3 +105,31 @@ ci-pr: test-cross
 .PHONY: clean
 clean:
 	rm -rf bin *.log *-kernel *-cmdline *-state *.img *.iso *.gz *.qcow2 *.vhd *.vmx *.vmdk *.tar *.raw
+
+update-package-tags:
+ifneq ($(LK_RELEASE),)
+	$(eval tags := $(shell cd pkg; make show-tag | cut -d ':' -f1))
+	$(eval image := :$(LK_RELEASE))
+else
+	$(eval tags := $(shell cd pkg; make show-tag))
+	$(eval image := )
+endif
+	for img in $(tags); do \
+		./scripts/update-component-sha.sh --image $${img}$(image); \
+	done
+
+.PHONY: build-all-targets
+build-all-targets: bin
+	$(MAKE) GOOS=darwin GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-arm64 local-build
+	file bin/linuxkit-darwin-arm64
+	$(MAKE) GOOS=darwin GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-amd64 local-build
+	file bin/linuxkit-darwin-amd64
+	$(MAKE) GOOS=linux GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-arm64 local-build
+	file bin/linuxkit-linux-arm64
+	$(MAKE) GOOS=linux GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-amd64 local-build
+	file bin/linuxkit-linux-amd64
+	$(MAKE) GOOS=linux GOARCH=s390x LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-s390x local-build
+	file bin/linuxkit-linux-s390x
+	$(MAKE) GOOS=windows GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-windows-amd64.exe local-build
+	file bin/linuxkit-windows-amd64.exe
+	cd bin && openssl sha256 -r linuxkit-* | tr -d '*' > checksums.txt

README.md

@@ -10,9 +10,10 @@ LinuxKit, a toolkit for building custom minimal, immutable Linux distributions.
 - Completely stateless, but persistent storage can be attached
 - Easy tooling, with easy iteration
 - Built with containers, for running containers
+- Designed to create [reproducible builds](./docs/reproducible-builds.md) [WIP]
 - Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
 - Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
-- Designed to be managed by external tooling, such as [Infrakit](https://github.com/docker/infrakit) or similar tools
+- Designed to be managed by external tooling, such as [Infrakit](https://github.com/docker/infrakit) (renamed to [deploykit](https://github.com/docker/deploykit) which has been archived in 2019) or similar tools
 - Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security
 
 LinuxKit currently supports the `x86_64`, `arm64`, and `s390x` architectures on a variety of platforms, both as virtual machines and baremetal (see [below](#booting-and-testing) for details).
@@ -24,6 +25,7 @@ LinuxKit currently supports the `x86_64`, `arm64`, and `s390x` architectures on
 - [linux](https://github.com/linuxkit/linux) A copy of the Linux stable tree with branches LinuxKit kernels.
 - [virtsock](https://github.com/linuxkit/virtsock) A `go` library and test utilities for `virtio` and Hyper-V sockets.
 - [rtf](https://github.com/linuxkit/rtf) A regression test framework used for the LinuxKit CI tests (and other projects).
+- [homebrew](https://github.com/linuxkit/homebrew-linuxkit) Homebrew packages for the `linuxkit` tool.
 
 ## Getting Started
 
@@ -34,7 +36,7 @@ LinuxKit uses the `linuxkit` tool for building, pushing and running VM images.
 Simple build instructions: use `make` to build. This will build the tool in `bin/`. Add this
 to your `PATH` or copy it to somewhere in your `PATH` eg `sudo cp bin/* /usr/local/bin/`. Or you can use `sudo make install`.
 
-If you already have `go` installed you can use `go get -u github.com/linuxkit/linuxkit/src/cmd/linuxkit` to install the `linuxkit` tool.
+If you already have `go` installed you can use `go install github.com/linuxkit/linuxkit/src/cmd/linuxkit@latest` to install the `linuxkit` tool.
 
 On MacOS there is a `brew tap` available. Detailed instructions are at [linuxkit/homebrew-linuxkit](https://github.com/linuxkit/homebrew-linuxkit),
 the short summary is
@@ -43,11 +45,17 @@ brew tap linuxkit/linuxkit
 brew install --HEAD linuxkit
 ```
 
-Build requirements from source:
+Build requirements from source using a container
 - GNU `make`
 - Docker
 - optionally `qemu`
 
+For a local build using `make local`
+- `go`
+- `make`
+- `go get -u golang.org/x/lint/golint`
+- `go get -u github.com/gordonklaus/ineffassign`
+
 ### Building images
 
 Once you have built the tool, use
@@ -67,6 +75,7 @@ for example VMWare.  See `linuxkit run --help`.
 
 Currently supported platforms are:
 - Local hypervisors
+  - [Virtualization.Framework (macOS)](docs/platform-virtualization-framework.md) `[x86_64, arm64]`
   - [HyperKit (macOS)](docs/platform-hyperkit.md) `[x86_64]`
   - [Hyper-V (Windows)](docs/platform-hyperv.md) `[x86_64]`
   - [qemu (macOS, Linux, Windows)](docs/platform-qemu.md) `[x86_64, arm64, s390x]`
@@ -76,6 +85,7 @@ Currently supported platforms are:
   - [Google Cloud](docs/platform-gcp.md) `[x86_64]`
   - [Microsoft Azure](docs/platform-azure.md) `[x86_64]`
   - [OpenStack](docs/platform-openstack.md) `[x86_64]`
+  - [Scaleway](docs/platform-scaleway.md) `[x86_64]`
 - Baremetal:
   - [packet.net](docs/platform-packet.md) `[x86_64, arm64]`
   - [Raspberry Pi Model 3b](docs/platform-rpi3.md)  `[arm64]`
@@ -154,7 +164,11 @@ This is an open project without fixed judgements, open to the community to set t
 
 ## Development reports
 
-There are weekly [development reports](reports/) summarizing work carried out in the week.
+There are monthly [development reports](reports/) summarising the work carried out each month.
+
+## Adopters
+
+We maintain an incomplete list of [adopters](ADOPTERS.md). Please open a PR if you are using LinuxKit in production or in your project, or both.
 
 ## FAQ
 

contrib/crosvm/Dockerfile

@@ -1,7 +1,7 @@
-FROM rust:1.25.0-stretch
+FROM rust:1.30.0-stretch
 
 ENV CROSVM_REPO=https://chromium.googlesource.com/chromiumos/platform/crosvm
-ENV CROSVM_COMMIT=7a7268faf0a43c79b6a4520f5c2f35c3e0233932
+ENV CROSVM_COMMIT=c527c1a7e8136dae1e8ae728dfd9932bf3967e7e
 ENV MINIJAIL_REPO=https://android.googlesource.com/platform/external/minijail
 ENV MINIJAIL_COMMIT=d45fc420bb8fd9d1fc9297174f3c344db8c20bbd
 

contrib/crosvm/README.md

@@ -25,56 +25,30 @@ You may also have to create an empty directory `/var/empty`.
 ## Use with LinuxKit images
 
 You can build a LinuxKit image suitable for `crosvm` with the
-`kernel+squashfs` build format. For example, using this LinuxKit
-YAML file (`minimal.yml`):
-
-```
-kernel:
-  image: linuxkit/kernel:4.9.115
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-services:
-  - name: getty
-    image: linuxkit/getty:v0.6
-    env:
-      - INSECURE=true
-trust:
-  org:
-    - linuxkit
-```
-
-run:
+`kernel+squashfs` build format. For example, using `minimal.yml` from
+the `./examples` directory, run (but also see the known issues):
 
 ```sh
-linuxkit build -output kernel+squashfs minimal.yml
+linuxkit build -format kernel+squashfs -decompress-kernel minimal.yml
 ```
 
-The kernel this produces (`minimal-kernel`) needs to be converted as
-`crosvm` does not grok `bzImage`s. You can convert the LinuxKit kernel
-image with
-[extract-vmlinux](https://raw.githubusercontent.com/torvalds/linux/master/scripts/extract-vmlinux):
-
-```sh
-extract-vmlinux minimal-kernel > minimal-vmlinux
-```
+The `-vmlinux` switch is needed since `crosvm` does not grok
+compressed linux kernel images.
 
 Then you can run `crosvm`:
 ```sh
-./crosvm run --seccomp-policy-dir=./seccomp/x86_64 \
+crosvm run --disable-sandbox \
     --root ./minimal-squashfs.img \
     --mem 2048 \
-    --multiprocess \
     --socket ./linuxkit-socket \
-    minimal-vmlinux
+    minimal-kernel
 ```
 
 ## Known issues
 
 - With 4.14.x, a `BUG_ON()` is hit in `drivers/base/driver.c`. 4.9.x
   kernels seem to work.
+- With the latest version, I don't seem to get a interactive console.
 - Networking does not yet work, so don't include a `onboot` `dhcpd` service.
 - `poweroff` from the command line does not work (crosvm does not seem
   to support ACPI). So to stop a VM you can use the control socket

contrib/open-vm-tools/README.md

@@ -0,0 +1,10 @@
+# open-vm-tools
+This should allow end-users to gracefully reboot or shutdown Kubernetes nodes (incuding control planes) running on vSphere Hypervisor.
+
+Furthermore, it is also mandatory to have `open-vm-tools` installed on your Kubernetes nodes to use vSphere Cloud Provider (i.e. determinte virtual machine's FQDN).
+
+## Remarks:
+- `spec.template.spec.hostNetwork: true`: correctly report node IP address; required
+- `spec.template.spec.hostPID: true`: send the right signal to node, instead of killing the container itself; required
+- `spec.template.spec.priorityClassName: system-cluster-critical`: critical to a fully functional cluster
+- `spec.template.spec.securityContext.privileged: true`: gain more privileges than its parent process; required

contrib/open-vm-tools/open-vm-tools-ds.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: open-vm-tools
+  name: open-vm-tools
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app: open-vm-tools
+  template:
+    metadata:
+      labels:
+        app: open-vm-tools
+    spec:
+      hostNetwork: true
+      hostPID: true
+      priorityClassName: system-cluster-critical
+      tolerations:
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      containers:
+      - image: linuxkit/open-vm-tools:4c3158c7ba27f7ad0ede5d383ca25b57c5588a26
+        name: open-vm-tools
+        resources:
+          requests:
+            memory: "5Mi"
+            cpu: "100m"
+          limits:
+            memory: "25Mi"
+            cpu: "500m"
+        securityContext:
+          privileged: true
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always

docs/alpine-base-update.md

@@ -0,0 +1,232 @@
+# Updating Alpine Base
+
+This document describes the steps to update the `linuxkit/alpine` image.
+This image is at the base of all other linuxkit images.
+It is built out of the directory `tools/alpine/`.
+
+While you do not need to update every downstream image _immediately_ when you update
+this image, you do need to be aware that changes to this image will affect the
+downstream images when it is next adopted. Those downstream images should be updated
+as soon as possible after updating `linuxkit/alpine`.
+
+When you make a linuxkit release, you _must_ update all of the downstream images.
+See [releasing.md](./releasing.md) for the release process.
+
+## Pre-requisites
+
+Updating `linuxkit/alpine` can be done by any maintainer. Maintainers need to have
+access to build machines for all architectures support by LinuxKit.
+
+## Process
+
+At a high-level, we are going to do the following:
+
+1. Preparatory steps
+1. Create a new branch
+1. Make our desired changes to `tools/alpine` and commit them
+1. Build and push out our alpine changes, and commit the `versions` files
+1. Update all affected downstream changes and commit them: `tools/`, `test/pkg`, `pkg`, `test/`, `examples/`
+1. Push out all affected downstream changes: `tools/`, `test/pkg`, `pkg`, `test/`, `examples/`
+
+For each of the affected downstream changes, we could update and then push, then move to the next. However,
+since the push out can be slow and require retries, we try to make all of the changes first, and then push them out.
+
+### Preparation
+
+As a starting point you have to be on the update to date master branch
+and be in the root directory of your local git clone. You should also
+have the same setup on all build machines used.
+
+To make the steps below cut-and-pastable, define the following
+environment variables:
+
+```sh
+LK_ROOT=$(pwd)
+LK_REMOTE=origin         # or whatever your personal remote is
+LK_BRANCH=alpine-update  # or whatever the name of the branch on which you are working is
+```
+
+Note that if you are cutting a release, the `LK_BRANCH` may have a release-type name, e.g. `rel_v0.4`.
+
+Make sure that you have the latest version of the `linuxkit`
+utility in the path. Alternatively, you may wish to compile the latest version from
+master.
+
+### Create a new branch
+
+On one of the build machines (preferably the `x86_64` machine), create
+the branch:
+
+```sh
+git checkout -b $LK_BRANCH
+```
+
+### Update `linuxkit/alpine`
+
+You must perform the arch-specific image builds, pushes and updates on each
+architecture first - these can be done in parallel, if you choose. When done,
+you then copy the updated `versions.<arch>` to one place, commit them, and
+push the manifest.
+
+#### Make alpine changes
+
+Make any changes in `tools/alpine` that you desire, then commit them.
+In the below, change the commit message to something meaningful to the change you are making.
+
+```sh
+cd tools/alpine
+# make changes
+git commit -s -a -m "Update linuxkit/alpine"
+git push origin $LK_BRANCH
+```
+
+#### Build and Push Alpine Per-Architecture
+
+On each supported platform, build and update `linuxkit/alpine`, which will update the `versions.<arch>`
+file.:
+
+```sh
+git fetch
+git checkout $LK_BRANCH
+cd $LK_ROOT/tools/alpine
+make push
+```
+
+Repeat on each platform.
+
+#### Commit Changed Versions Files
+
+When all of the platforms are done, copy the changed `versions.<arch>` from each platform to one place, commit and push.
+In the below, replace `linuxkit-arch` with each build machine's name:
+
+```sh
+# one of these will not be necessary, as you will likely be executing it on one of these machines
+scp linuxkit-s390x:$LK_ROOT/tools/alpine/versions.s390x $LK_ROOT/tools/alpine/versions.s390x
+scp linuxkit-aarch64:$LK_ROOT/tools/alpine/versions.aarch64 $LK_ROOT/tools/alpine/versions.aarch64
+scp linuxkit-x86_64:$LK_ROOT/tools/alpine/versions.x86_64 $LK_ROOT/tools/alpine/versions.x86_64
+git commit -a -s -m "tools/alpine: Update to latest"
+git push $LK_REMOTE $LK_BRANCH
+```
+
+#### Update and Push Multi-Arch Index
+
+Push out the multi-arch index:
+
+```sh
+make push-manifest
+```
+
+Stash the tag of the alpine base image in an environment variable:
+
+```sh
+LK_ALPINE=$(make show-tag)
+```
+
+### Update affected downstream packages 
+
+This section describes all of the steps. Below follows a straight copyable list of steps to take,
+following which is an explanation of each one.
+
+```sh
+# Update tools packages
+cd $LK_ROOT/tools
+$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+git checkout grub/Dockerfile
+git commit -a -s -m "tools: Update to the latest linuxkit/alpine"
+
+# Update tools dependencies
+cd $LK_ROOT
+for img in $(cd tools; make show-tag); do
+    $LK_ROOT/scripts/update-component-sha.sh --image $img
+done
+git commit -a -s -m "Update use of tools to latest"
+
+# Update test packages
+cd $LK_ROOT/test/pkg
+$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+git commit -a -s -m "tests: Update packages to the latest linuxkit/alpine"
+
+# Update test packages dependencies
+cd $LK_ROOT
+for img in $(cd test/pkg; make show-tag); do
+    $LK_ROOT/scripts/update-component-sha.sh --image $img
+done
+git commit -a -s -m "Update use of test packages to latest"
+
+# Update test cases to latest linuxkit/alpine
+cd $LK_ROOT/test/cases
+$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+git commit -a -s -m "tests: Update tests cases to the latest linuxkit/alpine"
+
+# Update packages to latest linuxkit/alpine
+cd $LK_ROOT/pkg
+$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+git commit -a -s -m "pkgs: Update packages to the latest linuxkit/alpine"
+
+# update package tags - may want to include the release in it if set
+cd $LK_ROOT
+make update-package-tags
+MSG=""
+[ -n "$LK_RELEASE" ] && MSG="to $LK_RELEASE"
+git commit -a -s -m "Update package tags $MSG"
+
+git push $LK_REMOTE $LK_BRANCH
+```
+
+#### Update tools packages
+
+On your primary build machine, update the other tools packages.
+
+Note, the `git checkout` reverts the changes made by
+`update-component-sha.sh` to files which are accidentally updated.
+Important is the `git checkout` of `grub`. This is a bit old and only can be built with specific
+older versions of packages like `gcc`, and should not be updated.
+
+Then we update any dependencies of these tools.
+
+#### Update test packages
+
+Next, we update the test packages to the updated alpine base.
+
+Next, we update the use of test packages to latest.
+
+Some tests also use `linuxkit/alpine`, so we update them as well.
+
+### Update packages
+
+Next, we update the LinuxKit packages. This is really the core of the
+release. The other steps above are just there to ensure consistency
+across packages.
+
+#### External Tools
+
+Most of the packages are build from `linuxkit/alpine` and source code
+in the `linuxkit` repository, but some packages wrap external
+tools. When updating all packages, and especially during the time of a release,
+is a good opportunity to check if there have been updates. Specifically:
+
+- `pkg/cadvisor`: Check for [new releases](https://github.com/google/cadvisor/releases).
+- `pkg/firmware` and `pkg/firmware-all`: Use latest commit from [here](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git).
+- `pkg/node_exporter`: Check for [new releases](https://github.com/prometheus/node_exporter/releases).
+- Check [docker hub](https://hub.docker.com/r/library/docker/tags/) for the latest `dind` tags. and update `examples/docker.yml`, `examples/docker-for-mac.yml`, `examples/cadvisor.yml`, and `test/cases/030_security/000_docker-bench/test.yml` if necessary.
+
+This is at your discretion.
+
+### Build and push affected downstream packages
+
+<ul>Note</ul>: All of the `make push` and `make forcepush` in this section use `linuxkit pkg push`, which will build for all architectures and push
+the images out. See [Build Platforms](./packages.md#Build_Platforms).
+
+```sh
+# build and push out the tools packages
+cd $LK_ROOT/tools
+make forcepush
+
+# Build and push out test packages
+cd $LK_ROOT/test/pkg
+make push
+
+# build and push out the packages
+cd $LK_ROOT/pkg
+make push
+```

docs/developer-setup.md

@@ -0,0 +1,81 @@
+# Build Platforms
+
+This document describes how to install and maintain a LinuxKit development platform. It will grow over time.
+
+The LinuxKit team also maintains several Linux-based build platforms. These are donated by Equinix Metal (arm64) and IBM (s390x).
+
+## Platform-Specific Installation
+
+### arm64 and amd64
+
+The `amd64` and `arm64` platforms are fully supported by most OS vendors and Docker. Just upgrade to the latest OS and install the latest Docker using the
+packaging tools. As of this writing, that is:
+
+* Ubuntu/Debian with `apt`
+* RHEL/CentOS/Fedora with `yum`. For any of these, use the CentOS 7/8 packages as released by Docker.
+
+Docker does not recommend that you using the packages released by the OS vendors, as those tend to be out of date. Follow the instructions
+[from Docker](https://docs.docker.com/engine/install/).
+
+### s390x
+
+The s390x has modern versions of most OSes, including RHEL and Ubuntu, but does not have recent versions of docker, neither as
+`apt` packages for Ubuntu, nor as static downloads. In any case, these static downloads mostly are replicas.
+
+This section describes how to install modern versions of Docker on these platforms.
+
+#### RHEL
+
+RHEL 7 on s390x only has releases from Docker. Follow the instructions from Docker to install. The rpm packages for RHEL are available at
+https://download.docker.com/linux/rhel/
+
+#### Ubuntu
+
+Docker does not release packages for Ubuntu on s390x. The most recent release was for Ubuntu 18.04 Bionic, with Docker version 18.06.3.
+This is quite old, and does not support modern capabilities, e.g. buildkit.
+
+To install a more modern version:
+
+1. Upgrade any dependent apt packages `apt upgrade`
+1. Upgrade the operating system to your desired version `do-release-upgrade -d`. Note that you can set which versions to suggest via changing `/etc/update-manager/release-upgrades`
+1. Download the necessary rpms (yes, rpms) from the Docker RHEL7 site. These are available [here](https://download.docker.com/linux/rhel/7/s390x/stable/Packages/). You need the following packages:
+   * `containerd.io-*.rpm`
+   * `docker-ce-*.rpm`
+   * `docker-ce-cli-*.rpm`
+1. Install alien: `apt install alien`
+1. Convert each package to a dpkg `alien --scripts <source-rpm-file.rpm>`
+1. Install each package with `dpkg -i <source-dpkg>.dpkg`. Dependency management is not great, so we recommend installing them in order:
+   1. `containerd.io`
+   1. `docker-ce`
+   1. `docker-ce-cli`
+1. Install devmapper `apt install libdevmapper-dev`
+1. Check the missing version of libdevmapper, if any, with `ldd /usr/bin/dockerd`. In our example, it needs `libdevmapper.so.1.02`
+1. Ensure that the library can be found where needed via `cd /lib/s390x-linux-gnu/ && ln -s $(ls -1 libdevmapper.so.*) libdevmapper.so.1.02`
+1. Check again that dockerd is ok: `ldd /usr/bin/dockerd`
+1. Start docker `system ctl restart docker`
+1. Check that everything works:
+   * `docker version`
+   * `docker run --rm hello-world`
+
+## Common Notes
+
+On all platforms, if you want to run tests, you will need:
+
+* `jq`
+* `expect`
+* `qemu-kvm`
+
+These should be installed using your normal platform package installation, e.g. `apt install -y jq expect qemu-kvm`.
+
+You also will need `rtf`, which can be installed with `make bin/rtf && make install`.
+
+For pushing our kernels, you will need [manifest-tool](http://github.com/estesp/manifest-tool), which can be installed with
+`make bin/manifest-tool && make install`.
+
+Finally, to enable your regular user to run the tools, we recommend:
+
+```
+usermod -aG docker $USER
+usermod -aG kvm $USER
+usermod -aG sudo $USER
+```

docs/encrypted-disk.md

@@ -0,0 +1,86 @@
+# Device encryption with dm-crypt
+
+In the packages section you can find an image to setup dm-crypt encrypted devices in [linuxkit](https://github.com/linuxkit/linuxkit)-generated images.
+
+## Usage
+
+The setup is a one time step during boot:
+
+```yaml
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:<hash>
+    command: ["/usr/bin/crypto", "dm_crypt_name", "/dev/sda1"]
+  - name: mount
+    image: linuxkit/mount:<hash>
+    command: ["/usr/bin/mountie", "/dev/mapper/dm_crypt_name", "/var/secure_storage"]
+files:
+  - path: etc/dm-crypt/key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+```
+
+The above will map `/dev/sda1` as an encrypted device under `/dev/mapper/dm_crypt_name` and mount it under `/var/secure_storage`
+
+The `dm-crypt` container by default bind-mounts `/dev:/dev` and `/etc/dm-crypt:/etc/dm-crypt`. It expects the encryption key to be present in the file `/etc/dm-crypt/key`. You can pass an alternative location as encryption key which can be either a file path relative to `/etc/dm-crypt` or an absolute path.
+
+Providing an alternative encryption key file name:
+
+```yaml
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:<hash>
+    command: ["/usr/bin/crypto", "-k", "some_other_key", "dm_crypt_name", "/dev/sda1"]
+  - name: mount
+    image: linuxkit/mount:<hash>
+    command: ["/usr/bin/mountie", "/dev/mapper/dm_crypt_name", "/var/secure_storage"]
+files:
+  - path: etc/dm-crypt/some_other_key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+```
+
+Providing an alternative encryption key file name as absolute path:
+
+```yaml
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:<hash>
+    command: ["/usr/bin/crypto", "-k", "/some/other/key", "dm_crypt_name", "/dev/sda1"]
+    binds:
+      - /dev:/dev
+      - /etc/dm-crypt/some_other_key:/some/other/key
+  - name: mount
+    image: linuxkit/mount:<hash>
+    command: ["/usr/bin/mountie", "/dev/mapper/dm_crypt_name", "/var/secure_storage"]
+files:
+  - path: etc/dm-crypt/some_other_key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+```
+
+Note that you have to also map `/dev:/dev` explicitly if you override the default bind-mounts.
+
+The `dm-crypt` container
+
+* Will create an `ext4` file system on the encrypted device if none is present.
+  * It will also initialize the encrypted device by filling it from `/dev/zero` prior to creating the filesystem. Which means if the device is being setup for the first time it might take a bit longer.
+* Uses the `aes-cbc-essiv:sha256` cipher (it's explicitly specified in case the default ever changes)
+  * Consequently the encryption key is expected to be 32 bytes long, a random one can be created via
+    ```shell
+    dd if=/dev/urandom of=dm-crypt.key bs=32 count=1
+    ```
+    If you see the error `Cannot read requested amount of data.` next to the log message `Creating dm-crypt mapping for ...` then this means your keyfile doesn't contain enough data.
+
+### Examples
+
+There are two examples in the `examples/` folder:
+
+1. `dm-crypt.yml` - formats an external disk and mounts it encrypted.
+2. `dm-crypt-loop.yml` - mounts an encrypted loop device backed by a regular file sitting on an external disk
+
+### Options
+
+|Option|Default|Required|Notes|
+|---|---|---|---|
+|`-k` or `--key`|`key`|No|Encryption key file name. Must be either relative to `/etc/dm-crypt` or an absolute file path.|
+|`-l` or `--luks`||No|Use LUKS format for encryption|
+|`<dm_name>`||**Yes**|The device-mapper device name to use. The device will be mapped under `/dev/mapper/<dm_name>`|
+|`<device>`||**Yes**|Device to encrypt.|

docs/external-disk.md

@@ -7,7 +7,8 @@
 ## Make Disk Available
 In order to make the disk available, you need to tell `linuxkit` where the disk file or block device is.
 
-All local `linuxkit run` methods (currently `hyperkit`, `qemu`, and `vmware`) take a `-disk` argument:
+All local `linuxkit run` methods (currently `hyperkit`, `qemu`, `virtualization.framework` and `vmware`)
+take a `-disk` argument:
 
 * `-disk path,size=100M,format=qcow2`. For size the default is in GB but an `M` can be appended to specify sizes in MB. The format can be omitted for the platform default, and is only useful on `qemu` at present.
 
@@ -52,9 +53,17 @@ onboot:
     command: ["/usr/bin/format", "-force", "-type", "xfs", "-label", "DATA", "-verbose", "/dev/vda"]
 ```
 
+```
+onboot:
+  - name: format
+    image: linuxkit/format:<hash>
+    command: ["/usr/bin/format", "-type", "ext4", "-partition", "gpt", "/dev/vda"]
+```
+
 - `-force` can be used to force the partition to be cleared and recreated (if applicable), and the recreated partition formatted. This option would be used to re-init the partition on every boot, rather than persisting the partition between boots.
 - `-label` can be used to give the disk a label
 - `-type` can be used to specify the type. This is `ext4` by default but `btrfs` and `xfs` are also supported
+- `-partition` can be used to specify the partition table type. This is `dos` by default but `gpt` is also supported
 - `-verbose` enables verbose logging, which can be used to troubleshoot device auto-detection and (re-)partitioning
 - The final (optional) argument specifies the device name
 

docs/faq.md

@@ -6,7 +6,7 @@ Please open an issue if you want to add a question here.
 
 LinuxKit does not require being installed on a disk, it is often run from an ISO, PXE or other
 such means, so it does not require an on disk upgrade method such as the ChromeOS code that
-is often used. It would definitely be possible to use that type of upgrade method if the 
+is often used. It would definitely be possible to use that type of upgrade method if the
 system is installed, and it would be useful to support this for that use case, and an
 updater container to control this for people who want to use this.
 
@@ -37,6 +37,52 @@ If you're not seeing `containerd` logs in the console during boot, make sure tha
 
 `init` and other processes like `containerd` will use the last defined console in the kernel `cmdline`. When using `qemu`, to see the console you need to list `ttyS0` as the last console to properly see the output.
 
+## Enabling and controlling containerd logs
+
+On startup, linuxkit looks for and parses a file `/etc/containerd/runtime-config.toml`. If it exists, the content is used to configure containerd runtime.
+
+Sample config is below:
+
+```toml
+cliopts="--log-level debug"
+stderr="/var/log/containerd.out.log"
+stdout="stdout"
+```
+
+The options are as follows:
+
+* `cliopts`: options to pass to the containerd command-line as is.
+* `stderr`: where to send stderr from containerd. If blank, it sends it to the default stderr, which is the console.
+* `stdout`: where to send stdout from containerd. If blank, it sends it to the default stdout, which is the console. containerd normally does not have any stdout.
+
+The `stderr` and `stdout` options can take exactly one of the following options:
+
+* `stderr` - send to stderr
+* `stdout` - send to stdout
+* any absolute path (beginning with `/`) - send to that file. If the file exists, append to it; if not, create it and append to it.
+
+Thus, to enable
+a higher log level, for example `debug`, create a file whose contents are `--log-level debug` and place it on the image:
+
+```yml
+files:
+  - path: /etc/containerd/runtime-config.toml
+    source: "/path/to/runtime-config.toml"
+    mode: "0644"
+```
+
+Note that the package that parses the `cliopts` splits on _all_ whitespace. It does not, as of this writing, support shell-like parsing, so the following will work:
+
+```
+--log-level debug --arg abcd
+```
+
+while the following will not:
+
+```
+--log-level debug --arg 'abcd def'
+```
+
 ## Troubleshooting containers
 
 Linuxkit runs all services in a specific `containerd` namespace called `services.linuxkit`. To list all the defined containers:

docs/image-cache.md

@@ -0,0 +1,61 @@
+# Image Caching
+
+linuxkit builds each runtime OS image from a combination of Docker images.
+These images are pulled from a registry and cached locally.
+
+linuxkit does not use the docker image cache to store these images. This is
+for two key reasons.
+
+First, docker does not provide support for different architecture versions. For
+example, if you want to pull down `docker.io/library/alpine:3.13` by manifest,
+with its signature, but get the `arm64` version while you are on an `amd64` device,
+it is not supported.
+
+Second, and more importantly, this requires a running docker daemon. Since the
+very essence of linuxkit is removing daemons and operating systems where unnecessary,
+just laying down bits in a file, removing docker from the image build process
+is valuable. It also simplifies many use cases, like CI, where a docker daemon
+may be unavailable.
+
+## How LinuxKit Caches Images
+
+LinuxKit pulls images down from a registry and stores them in a local cache.
+It stores the root manifest or index of the image, the manifest, and all of the layers
+for the requested architecture. It does not pull down layers, manifest or config
+for all available architectures, only the requested one. If none is requested, it
+defaults to the architecture on which you are running.
+
+By default, LinuxKit caches images in `~/.linuxkit/cache/`. It can be changed
+via a command-line option. The structure of the cache directory matches the
+[OCI spec for image layout](http://github.com/opencontainers/image-spec/blob/master/image-layout.md).
+
+Image names are kept in `index.json` in the [annotation](https://github.com/opencontainers/image-spec/blob/master/annotations.md) `org.opencontainers.image.ref.name`. For example"
+
+```json
+{
+  "schemaVersion": 2,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+      "size": 1638,
+      "digest": "sha256:9a839e63dad54c3a6d1834e29692c8492d93f90c59c978c1ed79109ea4fb9a54",
+      "annotations": {
+        "org.opencontainers.image.ref.name": "docker.io/library/alpine:3.13"
+      }
+    }
+  ]
+}
+```
+
+## How LinuxKit Uses the Cache and Registry
+
+For each image that linuxkit needs to read, it does the following. Note that if the `--pull` option
+is provided, it always will pull, independent of what is in the cache.
+
+1. Check in the cache for the image name in the cache `index.json`. If it does not find it, pull it down and store it in cache.
+1. Read the root hash from `index.json`.
+1. Find the root blob in the `blobs/` directory via the hash and read it.
+1. Proceed to read the manifest, config and layers.
+
+The read process is smart enough to check each blob in the local cache before downloading
+it from a registry.

docs/kernel-bcc.md

@@ -0,0 +1,31 @@
+# Using the bcc utility with LinuxKit
+
+The `bcc` utility is a standard Linux tool to access performance
+counters, trace events and access various other kernel internals for
+performance analysis.
+
+The `bcc` utility needs to matched be with the kernel. For recent
+kernel build, LinuxKit provides a `linuxkit/kernel-bcc` package with
+a matching tag for each kernel under `linuxkit/kernel`.
+
+The preferred way of using the `linuxkit/kernel-bcc` package is to
+add it to the `init` section. This adds `/usr/share/bcc` to the
+  systems' root filesystem. From there it can be
+  - bind mounted into your container
+  - accessed via `/proc/1/root/usr/share/bcc/tools` from with in the `getty`
+    or `ssh` container.
+  - accessed via a nsenter of `/bin/ash` of proc 1.
+
+If you want to use `bcc` you may also want to remove the `sysctl`
+container, or alternatively, disable the kernel pointer restriction it
+enables by default:
+
+```
+echo 0 > /proc/sys/kernel/kptr_restrict
+```
+
+Now, `bcc` is ready to use. The LinuxKit `bcc` package contains
+the `bcc` binary, example and tool scripts, and kernel headers for the
+associated kernel build.
+
+

docs/kernels.md

@@ -45,22 +45,36 @@ Most kernel modules are autoloaded with `mdev` but if you need to `modprobe` a m
 ## Compiling external kernel modules
 
 This section describes how to build external (out-of-tree) kernel
-modules. It is assumed you have the source available to those modules,
-and require the correct kernel version headers and compile tools.
+modules. You need the following to build external modules. All of
+these are to be built for a specific version of the kernel. For
+the examples, we will assume 5.10.104; replace with your desired
+version.
 
-The LinuxKit kernel packages include `kernel-dev.tar` which contains
+* source available to your modules - you need to get those on your own
+* kernel development headers - available in the `linuxkit/kernel` image as `kernel-dev.tar`, e.g. `linuxkit/kernel:5.10.104`
+* OS with sources and compiler - this **must** be the exact same version as that used to compile the kernel
+
+As described above, the `linuxkit/kernel` images include `kernel-dev.tar` which contains
 the headers and other files required to compile kernel modules against
 the specific version of the kernel. Currently, the headers are not
 included in the initial RAM disk, but it is possible to compile custom
 modules offline and then include the modules in the initial RAM disk.
 
-There is a [example](../test/cases/020_kernel/010_kmod_4.9.x), but
+The source is available as the same name as the `linuxkit/kernel` image, with the addition of `-builder` on the tag.
+For example:
+
+* `linuxkit/kernel:5.10.92` has builder `linuxkit/kernel:5.10.92-builder`
+* `linuxkit/kernel:5.15.15` has builder `linuxkit/kernel:5.15.15-builder`
+
+With the above in hand, you can create a multi-stage `Dockerfile` build to compile your modules.
+There is an [example](../test/cases/020_kernel/011_kmod_4.9.x), but
 basically one can use a multi-stage build to compile the kernel
 modules:
 
-```
-FROM linuxkit/kernel:4.9.33 AS ksrc
-FROM linuxkit/alpine:<hash> AS build
+```dockerfile
+FROM linuxkit/kernel:5.10.104 AS ksrc
+FROM linuxkit/kernel:5.10.104-builder AS build
+
 RUN apk add build-base
 
 COPY --from=ksrc /kernel-dev.tar /
@@ -76,6 +90,36 @@ package to the `onboot` section in your YAML
 file. [kmod.yml](../test/cases/020_kernel/010_kmod_4.9.x/kmod.yml)
 contains an example for the configuration.
 
+### Builder Backups
+
+As described above, the OS builder is referenced via `<kernel-image>-builder`, e.g.
+`linuxkit/kernel:5.15.15-builder`.
+
+As a fallback, in case the `-builder` image is not available or you cannot access it from your development environment,
+you have 3 total places to determine the correct version of the OS image with sources and compiler:
+
+* `-builder` tag added to the kernel version, e.g. `linuxkit/kernel:5.10.104-builder`
+* labels on the kernel image, e.g. `docker inspect linuxkit/kernel:5.10.104 | jq -r '.[].Config.Labels["org.mobyproject.linuxkit.kernel.buildimage"]'`
+* `/kernel-builder` file in the kernel image
+
+You **should** use `-builder` tag as the `AS build` in your `Dockerfile`, but you **can** use
+the direct source, extracted from the labels or `/kernel-builder` file in the kernel image, in the `AS build`.
+
+For example, in the case of `5.10.104`, the label and `/kernel-builder` file show `linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba`,
+so you can use either `linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba` or
+`linuxkit/kernel:5.10.104-builder` to build the modules.
+
+Thus, the following are equivalent:
+
+```dockerfile
+FROM linuxkit/kernel:5.10.104 AS ksrc
+FROM linuxkit/kernel:5.10.104-builder AS build
+```
+
+```dockerfile
+FROM linuxkit/kernel:5.10.104 AS ksrc
+FROM linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba AS build
+```
 
 ## Modifying the kernel config
 
@@ -149,7 +193,7 @@ appended. Then you can also override the Hub organisation to use the
 image elsewhere with (and also disable image signing):
 
 ```sh
-make ORG=<your hub org> NOTRUST=1
+make ORG=<your hub org>
 ```
 
 The image will be uploaded to Hub and can be use in a YAML file as
@@ -322,7 +366,7 @@ yourself:
 
 ```sh
 cd kernel
-make ORG=<foo> NOTRUST=1 push_zfs_4.9.x # or different kernel version
+make ORG=<foo> push_zfs_4.9.x # or different kernel version
 ```
 
 will build and push a `zfs-kmod-4.9.<version>` image to Docker Hub

docs/losetup.md

@@ -0,0 +1,27 @@
+# LinuxKit losetup
+
+Image to setup a loop device backed by a regular file in a [linuxkit](https://github.com/linuxkit/linuxkit)-generated image. The typical use case is to have a portable storage location which can be used to persist settings or other files. Can be combined with the `linuxkit/dm-crypt` package for protection.
+
+## Usage
+
+The setup is a one time step during boot:
+
+```yaml
+onboot:
+  - name: losetup
+    image: linuxkit/losetup:<hash>
+    command: ["/usr/bin/loopy", "-c", "/var/test.img"]
+```
+
+The above will associate the file `/var/test.img` with `/dev/loop0` and will also create it if it's not present.
+
+The container by default bind-mounts `/var:/var` and `/dev:/dev`. Usually the loop-file will reside on external storage which should be typically mounted under `/var` hence the choice of the defaults. If the loop-file is located somewhere else and you need a different bind-mount for it then do not forget to explicitly bind-mount `/dev:/dev` as well or else `losetup` will fail.
+
+### Options
+
+|Option|Default|Required|Notes|
+|---|---|---|---|
+|`-c` or `--create`||No|Creates the file if not present. If `--create` is not specified and the file is missing then the loop setup will obviously fail.|
+|`-s` or `--size`|10|No|If `--create` was specified and the file is not present then this sets the size in MiB of the created file. The file will be filled from `/dev/zero`.|
+|`-d` or `--dev`|`/dev/loop0`|No|Loop device which should be associated with the file.|
+|`<file>`||**Yes**|The file to use as backing storage.|

docs/metadata.md

@@ -101,9 +101,23 @@ hostname and populate the `/run/config/ssh/authorized_keys` from metadata.
 AWS userdata is extracted from `http://169.254.169.254/latest/user-data` and
 and made available in `/run/config/userdata`.
 
+## Hetzner
+
+Hetzner metadata is reached via the following URL
+(`http://169.254.169.254/latest/meta-data/`) and currently we extract the
+hostname and populate the `/run/config/ssh/authorized_keys` from metadata.
+
+Hetzner userdata is extracted from `http://169.254.169.254/latest/user-data` and
+and made available in `/run/config/userdata`.
 
 ## HyperKit
 
 HyperKit does not distinguish metadata and userdata, it's simply
 refered to as data, which is passed to the VM as a disk image
 in ISO9660 format.
+
+## Virtualization.Framework
+
+Virtualization.Framework does not distinguish metadata and userdata, it's simply
+refered to as data, which is passed to the VM as a disk image
+in ISO9660 format.

docs/packages.md

@@ -7,23 +7,37 @@ packages, as it's very easy. Packages are the unit of customisation
 in a LinuxKit-based project, if you know how to build a container,
 you should be able to build a LinuxKit package.
 
-All LinuxKit packages are:
-- Signed with Docker Content Trust.
-- Enabled with multi-arch manifests to work on multiple architectures.
-- Derived from well-known (and signed) sources for repeatable builds.
+All official LinuxKit packages are:
+- Enabled with multi-arch indexes to work on multiple architectures.
+- Derived from well-known sources for repeatable builds.
 - Built with multi-stage builds to minimise their size.
 
 
 ## CI and Package Builds
+
 When building and merging packages, it is important to note that our CI process builds packages. The targets `make ci` and `make ci-pr` execute `make -C pkg build`. These in turn execute `linuxkit pkg build` for each package under `pkg/`. This in turn will try to pull the image whose tag matches the tree hash or, failing that, to build it.
 
-We do not want the builds to happen with each CI run for two reasons:
+Any released image, i.e. any package under `pkg/` that has _not_ changed as
+part of a pull request,
+already will be released to Docker Hub. This will cause it to download that image, rather
+than try to build it.
+
+Any non-releaed image, i.e. any package under `pkg/` that _has_ changed as part of
+a pull request, will not be in Docker Hub until the PR has merged.
+This will cause the download to fail, leading `linuxkit pkg build` to try and build the
+image and save it in the cache.
+
+This does have two downsides:
 
 1. It is slower to do a package build than to just pull the latest image.
 2. If any of the steps of the build fails, e.g. a `curl` download that depends on an intermittent target, it can cause all of CI to fail.
 
-Thus, if, as a maintainer, you merge any commits into a `pkg/`, even if the change is documentation alone, please do a `linuxkit package push`.
+In the past, each PR required a maintainer to build, and push to Docker Hub, every
+changed package in `pkg/`. This placed the maintainer in the PR cycle, with the
+following downsides:
 
+1. A maintainer had to be involved in every PR, not just reviewing but actually building and pushing. This reduces the ability for others to contribute.
+1. The actual package is pushed out by a person, violating good supply-chain practice.
 
 ## Package source
 
@@ -40,8 +54,8 @@ A package source consists of a directory containing at least two files:
 - `extra-sources` _(list of strings)_: Additional sources for the package outside the package directory. The format is `src:dst`, where `src` can be relative to the package directory and `dst` is the destination in the build context. This is useful for sharing files, such as vendored go code, between packages.
 - `gitrepo` _(string)_: The git repository where the package source is kept.
 - `network` _(bool)_: Allow network access during the package build (default: no)
-- `disable-content-trust` _(bool)_: Disable Docker content trust for this package (default: no)
 - `disable-cache` _(bool)_: Disable build cache for this package (default: no)
+- `buildArgs` will forward a list of build arguments down to docker. As if `--build-arg` was specified during `docker build`
 - `config`: _(struct `github.com/moby/tool/src/moby.ImageConfig`)_: Image configuration, marshalled to JSON and added as `org.mobyproject.config` label on image (default: no label)
 - `depends`: Contains information on prerequisites which must be satisfied in order to build the package. Has subfields:
     - `docker-images`: Docker images to be made available (as `tar` files via `docker image save`) within the package build context. Contains the following nested fields:
@@ -53,9 +67,9 @@ A package source consists of a directory containing at least two files:
 ### Prerequisites
 
 Before you can build packages you need:
-- Docker version 17.06 or newer. If you are on a Mac you also need
-  `docker-credential-osxkeychain.bin`, which comes with Docker for Mac.
-- `make`, `notary`, `base64`, `jq`, and `expect`
+- Docker version 19.03 or newer.
+- If you are on a Mac you also need `docker-credential-osxkeychain.bin`, which comes with Docker for Mac.
+- `make`, `base64`, `jq`, and `expect`
 - A *recent* version of `manifest-tool` which you can build with `make
   bin/manifest-tool`, or `go get github.com:estesp/manifest-tool`, or
   via the LinuxKit homebrew tap with `brew install --HEAD
@@ -66,68 +80,239 @@ Further, when building packages you need to be logged into hub with
 `docker login` as some of the tooling extracts your hub credentials
 during the build.
 
+### Build Targets
+
+LinuxKit builds packages as docker images. It deposits the built package as a docker image in one or both of two targets:
+
+* the linuxkit cache, which is at `~/.linuxkit/cache/` (configurable)
+* the docker image cache (optional)
+
+The package _always_ is built and saved in the linuxkit cache. However, you _also_ can load the package for the current
+architecture, if available, into the docker image cache.
+
+If you want to build images and test and run them _in a standalone_ fashion locally, then you should add the docker image cache.
+Otherwise, you don't need anything more than the default linuxkit cache. LinuxKit defaults to building OS images using docker
+images from this cache, only looking in the docker cache if instructed to via `linuxkit build --docker`.
+
+In the linuxkit cache, it creates all of the layers, the manifest that can be uploaded
+to a registry, and the multi-architecture index. If an image already exists for a different architecture in the cache,
+it updates the index to include additional manifests created.
+
+The order of building is as follows:
+
+1. Build the image to the linuxkit cache
+1. If `--docker` is provided, load the image into the docker image cache
+
+For example:
+
+```bash
+linuxkit pkg build pkg/foo           # builds pkg/foo and places it in the linuxkit cache
+linuxkit pkg build pkg/foo --docker  # builds pkg/foo and places it in the linuxkit cache and also loads it into docker
+```
+
+#### Build Platforms
+
+By default, `linuxkit pkg build` builds for all supported platforms in the package's `build.yml`, whose syntax is available
+[here][Package source]. If no platforms are provided in the `build.yml`, it builds for all platforms that linuxkit supports.
+As of this writing, those are:
+
+* `linux/amd64`
+* `linux/arm64`
+* `linux/s390x`
+
+You can choose to skip one of the platforms from `build.yml` or those selected
+by default using the `--skip-platforms` flag.
+
+For example:
+
+```
+linuxkit pkg build --skip-platforms linux/s390x ...
+```
+
+You can override the target build platform by passing it the `--platforms` option:
+
+```
+linuxkit pkg build --platforms <platform1,platform2,...platformN>
+```
+
+The options for `--platforms` are identical to those for [docker build](https://docs.docker.com/engine/reference/commandline/build/).
+An example is available in the official [buildx documentation](https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images).
+
+Given that this is linuxkit, i.e. all builds are for linux, the `OS` part would seem redundant, and it should be sufficient to pass `--platform arm64`. However, for complete consistency, the _entire_ platform, e.g. `--platforms linux/amd64,linux/arm64`, must be provided.
+
+#### Where it builds
+
+You are running the `linuxkit pkg build` command on a single platform, e.g. your local linux cloud instance running on `amd64`, or
+a MacBook with Apple Silicon running on `arm64`.
+
+How does linuxkit determine where to build the target images?
+
+linuxkit uses [buildkit](https://github.com/moby/buildkit) directly to build all images.
+It uses docker contexts to determine _where_ to run those buildkit containers, based on the target
+architecture.
+
+When running a package build, linuxkit looks for a container named `linuxkit-builder`, running the appropriate
+version of buildkit. If it cannot find a container with that name, it creates it.
+If the container already exists but is not running buildkit, or if the version is incorrect, linuxkit stops and removes
+the existing `linuxkit-builder` container and creates one running the correct version of buildkit.
+
+When linuxkit needs to build a package for a particular architecture:
+
+1. If a context for that architecture was provided, use that context, looking for and/or starting a buildkit container named `linuxkit-builder`.
+1. If no context for that architecture was provided, use the `default` context.
+
+The actual building then will be one of:
+
+1. native, if the provided context has the same architecture as the target build architecture; else
+1. cross-build, if the provided context has a different architecture, but the package's `Dockerfile` supports cross-building; else
+1. emulated build, using docker's qemu binfmt capabilities
+
+Cross-building, i.e. building on one platform using that platform's binaries to create outputs for a different platform,
+depends on the package's `Dockerfile`. Details are available in the
+[official Docker buildx docs](https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images).
+
+* if the image is just `FROM something`, then it runs it under qemu using binfmt
+* if the image is `FROM --platform=$BUILDPLATFORM something`, then it runs it using the local architecture, invoking cross-builders
+
+Read the official docs to learn more how to leverage cross-building with buildx.
+
+**Important:** When building, if the local architecture is not one of those being build,
+selecting `--docker` to load the images into the docker image cache will result in an error.
+You _must_ be building for the local architecture - optionally for others as well - in order to
+pass the `--docker` option.
+
+#### Providing native builder nodes
+
+linuxkit is capable of using native build nodes to do the build, even remotely. To do so, you must:
+
+1. Create a [docker context](https://docs.docker.com/engine/context/working-with-contexts/) that references the build node
+1. Tell linuxkit to use that context for that architecture
+
+linuxkit will then use that provided context to look for and/or start a container in which to run buildkit for that architecture.
+
+linuxkit looks for contexts in the following descending order of priority:
+
+1. CLI option `--builders <platform>=<context>,<platform>=<context>`, e.g. `--builders linux/arm64=linuxkit-arm64,linux/amd64=default`
+1. Environment variable `LINUXKIT_BUILDERS=<platform>=<context>,<platform>=<context>`, e.g. `LINUXKIT_BUILDERS=linux/arm64=linuxkit-arm64,linux/amd64=default`
+1. Existing context named `linuxkit-<platform>`, e.g. `linuxkit-linux-arm64` or `linuxkit-linux-s390x`, with "/" replaced by "-", as "/" is an invalid character.
+1. Default context
+
+If a builder name is provided for a specific platform, and it doesn't exist, it will be treated as a fatal error.
+
+#### Examples
+
+##### Simple build
+
+There are no contexts starting with `linuxkit-`, no environment variable `LINUXKIT_BUILDERS`, no command-line argument `--builders`.
+
+linuxkit will build any requested packages using `default` context on the local platform, with a container (created, if necessary) named `linuxkit-builder`.
+Builds for the same architecture will be native, builds for other platforms will use either qemu or cross-building.
+
+##### Specified target
+
+You create a context named `my-remote-arm64` and then run:
+
+```bash
+linuxkit pkg build --platforms=linux/arm64,linux/amd64 --builders linux/arm64=my-remote-arm64
+```
+
+linuxkit will build:
+
+* for arm64 using the context `my-remote-arm64`, since you specified in `--builders` to use `my-remote-arm64` for `linux/arm64`
+* for amd64 using the context `default`, as that is the default fallback
+
+The same would happen if you used `LINUXKIT_BUILDERS=linux/arm64=my-remote-arm64` instead of the `--builders` flag.
+
+In both cases - the remote context `my-remote-arm64` and the local `default` context - it will do the build inside
+a container named `linuxkit-builder`.
+
+##### Named context
+
+You create a context named `linuxkit-linux-arm64` and then run:
+
+```bash
+linuxkit pkg build --platforms=linux/arm64,linux/amd64
+```
+
+linuxkit will build:
+
+* for arm64 using the context `linuxkit-linux-arm64`, since there is a context with the name `linuxkit-<platform>`, and you did not override it using `--builders` or the environment variable `LINUXKIT_BUILDERS`
+* for amd64 using the context `default` and the `linuxkit` builder, as that is the default fallback
+
+##### Combination
+
+You create a context named `linuxkit-linux-arm64`, and another named `my-remote-builder-amd64` and then run:
+
+```bash
+linuxkit pkg build --platforms=linux/arm64,linux/amd64 --builders linux/amd64=my-remote-builder-amd64
+```
+
+linuxkit will build:
+
+* for arm64 using the context `linuxkit-linux-arm64`, since there is a context with the name `linuxkit-<platform>`, and you did not override that particular architecture using `--builders` or the environment variable `LINUXKIT_BUILDERS`
+* for amd64 using the context `my-remote-builder-amd64`, since you specified for that architecture using `--builders`
+
+The same would happen if you used `LINUXKIT_BUILDERS=linux/arm64=my-remote-builder-amd64` instead of the `--builders` flag.
+
+##### Missing context
+
+You do not have a context named `my-remote-arm64`, and run:
+
+```bash
+linuxkit pkg build --platforms=linux/arm64 --builders linux/arm64=my-remote-arm64
+```
+
+linuxkit will try to build for `linux/arm64` using the context `my-remote-arm64`. Since that context does not exist, you will get an error.
+
 ### Build packages as a maintainer
 
-If you have write access to the `linuxkit` organisation on hub, you
-should also be set up with signing keys for packages and your signing
-key should have a passphrase, which we call `<passphrase>` throughout.
-
 All official LinuxKit packages are multi-arch manifests and most of
-them are available for `amd64`, `arm64`, and `s390x`. Official images
-*must* be build on both architectures and they must be build *in
-sequence*, i.e., they can't be build in parallel.
+them are available for the following platforms:
 
-To build a package on an architecture:
+* `linux/amd64`
+* `linux/arm64`
+* `linux/s390x`
 
-```
-DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="<passphrase>" linuxkit pkg push «path-to-package»
-```
+Official images *must* be built for all architectures for which they are available.
 
-`«path-to-package»` is the path to the package's source directory
+Pushing out a package as a maintainer involves two stages:
+
+1. Building and pushing out the platform-specific images
+1. Creating and pushing out the multi-arch manifest, a.k.a. OCI image index
+
+The `linuxkit pkg` command contains automation which performs all of the steps.
+Note that `«path-to-package»` is the path to the package's source directory
 (containing at least `build.yml` and `Dockerfile`). It can be `.` if
 the package is in the current directory.
 
-**Note:** You *must* be logged into hub (`docker login`) and the
-passphrase for the key *must* be supplied as an environment
-variable. The build process has to resort to using `expect` to drive
-`notary` so none of the credentials can be entered interactively.
-
-This will:
-- Build a local images as `linuxkit/<image>:<hash>-<arch>`
-- Push it to hub
-- Sign it with your key
-- Create a manifest called `linuxkit/<image>:<hash>` (note no `-<arch>`)
-- Push the manifest to hub
-- Sign the manifest
-
-If you repeat the same on another architecture, a new manifest will be
-pushed and signed containing the previous and the new
-architecture. The YAML files should consume the package as:
-`linuxkit/<image>:<hash>`.
-
-
-Since it is not very good to have your passphrase in the clear (or
-even stashed in your shell history), we recommend using a password
-manager with a CLI interface, such as LastPass or `pass`. You can then
-invoke the build like this (for LastPass):
-
 ```
-DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$(lpass show <key> --password) linuxkit pkg push «path-to-package»
-```
-or alternatively you may add the command to `~/.moby/linuxkit/config.yml` e.g.:
-```
-pkg:
-  content-trust-passphrase-command: "lpass show <key> --password"
+linuxkit pkg push «path-to-package»
 ```
 
+This will do the following:
+
+1. Determine the name and tag for the image as follows:
+   * The tag is from the hash of the git tree for that package. You can see it by doing `linuxkit pkg show-tag «path-to-package»`.
+   * The name for the image is from `«path-to-package»/build.yml`
+   * The organization for the package is given on the command-line, default to `linuxkit`.
+1. Build the package in the given path using your local docker instance for all the platforms in `«path-to-package»/build.yml`
+1. Save the built image in the linuxkit cache
+1. Tag each built image as `«image-name»:«hash»-«arch»`
+1. Create a multi-arch manifest called `«image-name»:«hash»` (note no `-«arch»`)
+1. Push the manifest and all of the images to the hub
+
+Note that for actual release images, these steps normally are performed as part
+of CI, by the merge-to-master process.
+
+#### Prerequisites
+
+* For all of the steps, you *must* be logged into hub (`docker login`).
+
 ### Build packages as a developer
 
-If you want to develop packages or test them locally, it is best to
-override the hub organisation used. You may also want to disable
-signing while developing. A typical example would be:
 
 ```
-linuxkit pkg build -org=wombat -disable-content-trust «path-to-package»
+linuxkit pkg build -org=wombat «path-to-package»
 ```
 
 This will create a local image: `wombat/<image>:<hash>-<arch>` which
@@ -136,7 +321,7 @@ on other systems you can push the image to your hub account and pull
 from a different system by issuing:
 
 ```
-linuxkit pkg build -org=wombat -disable-content-trust push
+linuxkit pkg build -org=wombat push
 ```
 
 This will push both `wombat/<image>:<hash>-<arch>` and
@@ -146,8 +331,32 @@ Finally, if you are tired of the long hashes you can override the hash
 with:
 
 ```
-linuxkit pkg build -org=wombat -disable-content-trust -hash=foo push
+linuxkit pkg build -org=wombat -hash=foo push
 ```
 
 and this will create `wombat/<image>:foo-<arch>` and
 `wombat/<image>:foo` for use in your YAML files.
+
+### Proxies
+
+If you are building packages from behind a proxy, `linuxkit pkg build` respects
+the following environment variables, and will set them as `--build-arg` to
+`docker build` when building a package.
+
+* `http_proxy` / `HTTP_PROXY`
+* `https_proxy` / `HTTPS_PROXY`
+* `ftp_proxy` / `FTP_PROXY`
+* `no_proxy` / `NO_PROXY`
+* `all_proxy` / `ALL_PROXY`
+
+Note that the first four of these are the standard built-in `build-arg` options available
+for `docker build`; see the [docker build documentation](https://docs.docker.com/v17.09/engine/reference/builder/#arg).
+The last, `all_proxy`, is a standard var used for socks proxying. Since it is not built into `docker build`,
+if you want to use it, you will need to add the following line to the dockerfile:
+
+```dockerfile
+ARG all_proxy
+```
+
+LinuxKit does not judge between lower-cased or upper-cased variants of these options, e.g. `http_proxy` vs `HTTP_PROXY`,
+as `docker build` does not either. It just passes them through "as-is".

docs/platform-aws.md

@@ -35,7 +35,7 @@ specified bucket, and create a bootable image from the stored image.
 
 Alternatively, you can use the `AWS_BUCKET` environment variable to specify the bucket name.
 
-**Note:** If the push times out before it finishes, you can use the `-timeout` flag to extend the timeout.
+**Note:** If the push times out before it finishes, you can use the `-timeout` flag to extend the timeout. You may also want to consider passing `-ena` to enable enhanced networking in the AMI.
 
 ```
 linuxkit push aws -bucket bucketname -timeout 1200 aws.raw
@@ -47,7 +47,7 @@ With the image created, we can now create an instance.
 You won't be able to see the serial console output until after it has terminated.
 
 ```
-linuxkit run aws aws
+linuxkit run aws -security-group "<security_group_id>" aws
 ```
 
 You can edit the AWS example to allow you to SSH to your instance in order to use it.

docs/platform-openstack.md

@@ -11,17 +11,7 @@ Supported (tested) versions of the relevant OpenStack APIs are:
 
 ## Authentication
 
-LinuxKit's support for OpenStack handles two ways of providing the endpoint and authentication details.  You can either set the standard set of environment variables and the commands detailed below will inherit those, or you can explicitly provide them on the command-line as options to `push` and `run`.  The examples below use the latter, but if you prefer the former then you'll need to set the following:
-
-```shell
-OS_USERNAME="admin"
-OS_PASSWORD="xxx"
-OS_TENANT_NAME="linuxkit"
-OS_AUTH_URL="https://keystone.com:5000/v3"
-OS_USER_DOMAIN_NAME=default
-OS_CACERT=/path/to/cacert.pem
-OS_INSECURE=false
-```
+LinuxKit's support for OpenStack includes configuring access to your cloud as detailed in the official [os-client-config](https://docs.openstack.org/os-client-config/latest/user/configuration.html) documentation.
 
 ## Push
 
@@ -40,32 +30,17 @@ Images generated with Moby can be uploaded into OpenStack's image service with `
 
 ```shell
 ./linuxkit push openstack \
-  -authurl=https://keystone.example.com:5000/v3 \
-  -username=admin \
-  -password=XXXXXXXXXXX \
-  -project=linuxkit \
   -img-name=LinuxKitTest
   ./linuxkit.iso
 ```
 
-If successful, this will return the image's UUID.  If you've set your environment variables up as described above, this command can then be simplified:
-
-```shell
-./linuxkit push openstack \
-  -img-name "LinuxKitTest" \
-  ~/Desktop/linuxkitmage.qcow2
-```
-
 ## Run
 
 Virtual machines can be launched using `linuxkit run openstack`.  As an example:
 
 ```shell
 linuxkit run openstack \
-  -authurl https://keystone.example.com:5000/v3 \
-  -username=admin \
-  -password=xxx \
-  -project=linuxkit \
+  -flavor=hotdog
   -keyname=deadline_ed25519 \
   -sec-groups=allow_ssh,nginx \
   -network c5d02c5f-c625-4539-8aed-1dab3aa85a0a \

docs/platform-rpi3.md

@@ -70,4 +70,11 @@ LinuxKit YAML file:
     command: ["modprobe", "smsc95xx"]
 ```
 
+For Raspberry Pi 3b+ use:
+```
+  - name: netdev
+    image: linuxkit/modprobe:<hash>
+    command: ["modprobe", "lan78xx"]
+```
+
 **TODO:** Figure out why mdev is not loading the driver.

docs/platform-scaleway.md

@@ -3,14 +3,14 @@
 This is a quick guide to run LinuxKit on Scaleway (only VPS x86_64 for now)
 
 ## Setup
-Before you proceed it's recommanded that you set up the [Scaleway CLI](https://github.com/scaleway/scaleway-cli/)
-and perform an `scw login`. This will create a `$HOME/.scwrc` file containing the required API token.
 
-You can also use the `SCW_TOKEN` environment variable to set a Scaleway token. 
-The `-token` flag of the `linuxkit push scaleway` and `linuxkit run scaleway` can also be used.
+You must create a Scaleway API Token (combination of Access and Secret Key), available at [Scaleway Console](https://console.scaleway.com/account/credentials), first.
+Then you can use it either with the `SCW_ACCESS_KEY` and `SCW_SECRET_KEY` environment variables or the `-access-key` and `-secret-key` flags
+of the `linuxkit push scaleway` and `linuxkit run scaleway` commands.
 
-The environment variable `SCW_TARGET_REGION` is used to set the region (there is also the `-region` flag)
+In addition, Organization ID value has to be set, either with the `SCW_DEFAULT_ORGANIZATION_ID` environment variable or the `-organization-id` command line flag.
 
+The environment variable `SCW_DEFAULT_ZONE` is used to set the zone (there is also the `-zone` flag)
 
 ## Build an image
 
@@ -28,18 +28,18 @@ $ linuxkit build -format iso-efi examples/scaleway.yml
 ## Push image
 
 You have to do `linuxkit push scaleway scaleway.iso` to upload it to your Scaleway images.
-By default the image name is the name of the ISO file without the extension. 
+By default the image name is the name of the ISO file without the extension.
 It can be overidden with the `-img-name` flag or the `SCW_IMAGE_NAME` environment variable.
 
 **Note 1:** If an image (and snapshot) of the same name exists, it will be replaced.
 
-**Note 2:** The image is region specific: if you create an image in `par1` you can't use is in `ams1`.
+**Note 2:** The image is zone specific: if you create an image in `par1` you can't use is in `ams1`.
 
 ### Push process
 
 Building a Scaleway image have a special process. Basically:
 
-* Create an `image-builder` instance with an additional volume, based on Ubuntu Xenial (only x86_64 for now)
+* Create an `image-builder` instance with an additional volume, based on Ubuntu Bionic (only x86_64 for now)
 * Copy the ISO image on this instance
 * Use `dd` to write the image on the additional volume (`/dev/vdb` by default)
 * Terminate the instance, create a snapshot, and create an image from the snapshot

docs/platform-vbox.md

@@ -20,11 +20,20 @@ stdio, providing interactive access to the VM.
 ## Disks
 
 The Virtualbox backend support configuring a persistent disk using the
-standard `linuxkit` `-disk` syntax.  Multiple disks are
+standard `linuxkit` `-disk` syntax. Multiple disks are
 supported and can be created in `raw` format; other formats that VirtualBox
-supports can be attached
+supports can be attached. Note that additional drives are attached to the
+SATA Controller, unlike the VM disk which is on the IDE Controller.
 
 ## Networking
 
-You can select the networking mode, which defaults to the standard `nat`, but
-some networking modes may require additional configuration.
+You can select the networking mode, which defaults to the standard `nat`, by using the
+`-networking` command-line option. Some networking modes (`hostonly`, `bridge`) will require 
+the additional `adapter` parameter to the `-networking` option:
+
+~~~
+-networking hostonly,adapter=vboxnet0
+~~~
+
+You can specify more than one `-networking` option to setup multiple adapters. It is
+recommended to setup the first adapter as `nat`.

docs/platform-virtualization-framework.md

@@ -0,0 +1,205 @@
+# LinuxKit with Virtualization.Framework (macOS)
+
+We recommend using LinuxKit in conjunction with
+[Docker for Mac](https://docs.docker.com/docker-for-mac/install/). For
+the time being it's best to be on the latest edge release. `linuxkit
+run` uses [Virtualization.Framework](https://developer.apple.com/documentation/virtualization) and
+[VPNKit](https://github.com/moby/vpnkit) and the edge release ships
+with updated versions of both.
+
+Alternatively, you can install Virtualization.Framework and VPNKit standalone and use it without Docker for Mac.
+
+Virtualization.Framework is enabled on macOS only when built with CGO enabled.
+
+## Boot
+
+The Virtualization.Framework backend currently supports booting:
+- `kernel+initrd` output from `linuxkit build`.
+- `kernel+squashfs` output from `linuxkit build`.
+- EFI ISOs using the EFI firmware.
+
+You need to select the boot method manually using the command line
+options. The default is `kernel+initrd`. `kernel+squashfs` can be
+selected using `-squashfs` and to boot a ISO with EFI you have to
+specify `-iso -uefi`.
+
+The `kernel+initrd` uses a RAM disk for the root filesystem. If you
+have RAM constraints or large images we recommend using either the
+`kernel+squashfs` or the EFI ISO boot.
+
+## Console
+
+With `linuxkit run` on Virtualization.Framework the serial console is redirected to
+stdio, providing interactive access to the VM. The output of the VM
+can be re-directed to a file or pipe, but then stdin is not available.
+Virtualization.Framework does not provide a console device.
+
+
+## Disks
+
+The Virtualization.Framework backend support configuring a persistent disk using the
+standard `linuxkit` `-disk` syntax.  Multiple disks are
+supported and the disks are in raw format.
+
+## Power management
+
+Virtualization.Framework sends an ACPI power event when it receives SIGTERM to allow the VM to
+shut down properly. The VM has to be able to receive ACPI events to initiate the
+shutdown.  This is provided by the [`acpid` package](../pkg/acpid). An example
+is available in the [Docker for Mac example](../examples/docker-for-mac.yml).
+
+## Networking
+
+By default, `linuxkit run` creates a VM with a single network
+interface which, logically, is attached to a L2 bridge. The bridge
+also has the VM used by Docker for Mac attached to it. This means that
+the LinuxKit VMs, created with `linuxkit run`, can be accessed from
+containers running on Docker for Mac.
+
+The LinuxKit VMs have IP addresses on the `192.168.65.0/24` subnet
+assigned by a DHCP server part of VPNKit. `192.168.65.1` is reserved
+for VPNKit as the default gateway and `192.168.65.2` is used by the
+Docker for Mac VM.
+
+By default, LinuxKit VMs get incrementally increasing IP addresses,
+but you can assign a fixed IP address with `linuxkit run -ip`. It's
+best to choose an IP address from the DHCP address range above, but
+care must be taken to avoid clashes of IP address.
+
+*NOTE:* The LinuxKit VMs can *not* be directly accessed by IP address
+from the host.  Enabling this would require use of the macOS `vmnet`
+framework, which requires the VMs to run as `root`.  We don't consider
+this option palatable, and provide alternative options to access the
+VMs over the network below.
+
+
+### Accessing network services
+
+Virtualization.Framework offers a number of ways for accessing network services
+running inside the LinuxKit VM from the host. These depend on the
+networking mode selected via `-networking`. The default mode is
+`vmnet`, where it sets up a network bridge. We intend to add support for
+`docker-for-mac`, where the same VPNkit instance is shared between
+LinuxKit VMs and the VM running as part of Docker for Mac, in the future.
+
+#### Access from the Docker for Mac VM (`-networking docker-for-mac`)
+
+The simplest way to access networking services exposed by a LinuxKit
+VM is to use a Docker for Mac container. For example, to access an ssh
+server in a LinuxKit VM, create a ssh client container from:
+
+```
+FROM alpine:edge
+RUN apk add --no-cache openssh-client
+```
+
+and then run
+
+```
+docker build -t ssh .
+docker run --rm -ti -v ~/.ssh:/root/.ssh  ssh ssh <IP address of VM>
+```
+
+#### Forwarding ports with `socat`  (`-networking docker-for-mac`)
+
+A `socat` container on Docker for Mac can be used to proxy between the
+LinuxKit VM's ports and localhost.  For example, to expose the redis
+port from the [RedisOS example](../examples/redis-os.yml), use this
+Dockerfile:
+
+```
+FROM alpine:edge
+RUN apk add --no-cache socat
+ENTRYPOINT [ "/usr/bin/socat" ]
+```
+and then:
+```
+docker build -t socat .
+docker run --rm -t -d -p 6379:6379 socat tcp-listen:6379,reuseaddr,fork tcp:<IP address of VM>:6379
+```
+
+#### Port forwarding with VPNKit (`-networking docker-for-mac`)
+
+There is **experimental** support for exposing selected ports of the
+guest on `localhost` using the `-publish` command line option. For
+example, using `-publish 2222:22/tcp` exposes the guest TCP port 22 on
+localhost on port 2222. Multiple `-publish` options can be
+specified. For example, the image build from the [`sshd
+example`](../examples/sshd.yml) can be started with:
+
+```
+linuxkit run -publish 2222:22/tcp sshd
+```
+
+and then you can log into the LinuxKit VM with `ssh -p 2222
+root@localhost`.
+
+Note, this mode is **experimental** and may cause the VPNKit instance
+shared with Docker for Mac being confused about which ports are
+currently in use, in particular if the LinuxKit VM does not exit
+gracefully. This can typically be fixed by restarting Docker for Mac.
+
+
+#### Port forwarding with VPNKit (`-networking vpnkit`)
+
+An alternative to the previous method is to start your own copy of
+`vpnkit` (or connect to an already running instance). This can be done
+using the `-networking vpnkit` command line option.
+
+VPNKit uses a 9P mount in `/port` for coordination between
+components. The first VM on a VPNKit instance currently needs mount
+the 9P filesystem and also needs to run the `vpnkit-forwarder` service
+to enable port forwarding to localhost.  A full example with `vpnkit`
+forwarding of `sshd` is available in
+[examples/vpnkit-forwarder.yml](/examples/vpnkit-forwarder.yml).
+
+To run this example with its own instance of VPNKit, use:
+
+```
+linuxkit run -networking vpnkit -publish 2222:22/tcp vpnkit-forwarder
+```
+
+You can then access it via:
+
+```
+ssh -p 2222 root@localhost
+```
+
+More details about the VPNKit forwarding mechanism is available in the
+[VPNKit
+documentation](https://github.com/moby/vpnkit/blob/master/docs/ports.md#signalling-from-the-vm-to-the-host).
+
+
+## Integration services and Metadata
+
+There are no special integration services available for Virtualization.Framework, but
+there are a number of packages, such as `vsudd`, which enable
+tighter integration of the VM with the host (see below).
+
+The Virtualization.Framework backend also allows passing custom userdata into the
+[metadata package](./metadata.md) using either the `-data` or `-data-file` command-line
+option. This attaches a CD device with the data on.
+
+
+### `vsudd` unix domain socket forwarding
+
+The [`vsudd` package](/pkg/vsudd) provides a daemon that exposes unix
+domain socket inside the VM to the host via virtio or Hyper-V sockets.
+With Virtualization.Framework, the virtio sockets can be exposed as unix domain
+sockets on the host, enabling access to other daemons, like
+`containerd` and `dockerd`, from the host.  An example configuration
+file is available in [examples/vsudd-containerd.yml](/examples/vsudd-containerd.yml).
+
+After building the example, run it with `linuxkit run virtualization.framework
+-vsock-ports 2374 vsudd`. This will create a unix domain socket in the state directory that maps to the `containerd` control socket. The socket is called `guest.00000946`.
+
+If you install the `ctr` tool on the host you should be able to access the
+`containerd` running in the VM:
+
+```
+$ go get -u -ldflags -s github.com/containerd/containerd/cmd/ctr
+...
+$ ctr -a vsudd-state/guest.00000946 list
+ID        IMAGE     PID       STATUS
+vsudd               466       RUNNING
+```

docs/releasing.md

@@ -37,207 +37,18 @@ As a starting point you have to be on the update to date master branch
 and be in the root directory of your local git clone. You should also
 have the same setup on all build machines used.
 
-To make the release steps below cut-and-pastable, define the following
-environment variables:
-
-```sh
-LK_RELEASE=v0.4
-LK_ROOT=$(pwd)
-LK_REMOTE=origin
-```
-
-On one of the build machines (preferably the `x86_64` machine), create
-the release branch:
-
-```sh
-git checkout -b rel_$LK_RELEASE
-```
-
-Also make sure that you have a recent version of the `linuxkit`
-utility in the path. Either a previous release or compiled from
-master.
-
-
 ### Update `linuxkit/alpine`
 
 This step is not necessarily required if the alpine base image has
 recently been updated, but it is good to pick up any recent bug
-fixes. Updating the alpine base image is different to other packages
-and it must be performed on `x86_64` first:
+fixes. Follow the process in [alpine-base-update.md](./alpine-base-update.md)
 
-```sh
-cd $LK_ROOT/tools/alpine
-make push
-```
+There are several important notes to consider when updating alpine base:
 
-This will update `linuxkit/alpine` and change the `versions.x86_64`
-file. Check it in and push to GitHub:
-
-```sh
-git commit -a -s -m "tools/alpine: Update to latest"
-git push $LK_REMOTE rel_$LK_RELEASE
-```
-
-Now, on each build machine for the other supported architectures, in turn:
-
-```sh
-git fetch
-git checkout rel_$LK_RELEASE
-cd $LK_ROOT/tools/alpine
-make push
-git commit -a --amend
-git push --force $LK_REMOTE rel_$LK_RELEASE
-```
-
-With all supported architectures updated, head back to the `x86_64`
-machine and update the release branch:
-
-```sh
-git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
-```
-
-Stash the tag of the alpine base image in an environment variable:
-
-```sh
-LK_ALPINE=$(head -1 alpine/versions.x86_64 | sed 's,[#| ]*,,' | sed 's,\-.*$,,' | cut -d':' -f2)
-```
-
-
-### Update tools packages
-
-On the `x86_64` machine, get the `linuxkit/alpine` tag and update the
-other packages:
-
-```sh
-cd $LK_ROOT/tools
-../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
-git checkout alpine/versions.aarch64 alpine/versions.s390x
-
-git commit -a -s -m "tools: Update to the latest linuxkit/alpine"
-git push $LK_REMOTE rel_$LK_RELEASE
-
-make forcepush
-```
-
-Note, the `git checkout` reverts the changes made by
-`update-component-sha.sh` to files which are accidentally updated and
-the `make forcepush` will skip building the alpine base.
-
-Then, on the other build machines in turn:
-
-```sh
-cd $LK_ROOT/tools
-git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
-make forcepush
-```
-
-Back on the `x86_64` machine:
-
-```sh
-cd $LK_ROOT
-for img in $(cd tools; make show-tag); do
-    ./scripts/update-component-sha.sh --image $img
-done
-
-git commit -a -s -m "Update use of tools to latest"
-```
-
-
-### Update test packages
-
-Next, we update the test packages to the updated alpine base on the `x86_64` system:
-
-```sh
-cd $LK_ROOT/test/pkg
-../../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
-
-git commit -a -s -m "tests: Update packages to the latest linuxkit/alpine"
-git push $LK_REMOTE rel_$LK_RELEASE
-
-make push
-```
-
-Then, on the other build machines in turn:
-
-```sh
-cd $LK_ROOT/test/pkg
-git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
-make push
-```
-
-Back on the `x86_64` machine:
-
-```sh
-cd $LK_ROOT
-for img in $(cd test/pkg; make show-tag); do
-    ./scripts/update-component-sha.sh --image $img
-done
-
-git commit -a -s -m "Update use of test packages to latest"
-```
-
-Some tests also use `linuxkit/alpine`. Update them as well:
-
-```sh
-cd $LK_ROOT/test/cases
-../../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
-
-git commit -a -s -m "tests: Update tests cases to the latest linuxkit/alpine"
-```
-
-### Update packages
-
-Next, we update the LinuxKit packages. This is really the core of the
-release. The other steps above are just there to ensure consistency
-across packages.
-
-
-```sh
-cd $LK_ROOT/pkg
-../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
-
-git commit -a -s -m "pkgs: Update packages to the latest linuxkit/alpine"
-git push $LK_REMOTE rel_$LK_RELEASE
-```
-
-Most of the packages are build from `linuxkit/alpine` and source code
-in the `linuxkit` repository, but some packages wrap external
-tools. The time of a release is a good opportunity to check if there
-have been updates. Specifically:
-
-- `pkg/cadvisor`: Check for [new releases](https://github.com/google/cadvisor/releases).
-- `pkg/firmware` and `pkg/firmware-all`: Use latest commit from [here](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git).
-- `pkg/node_exporter`: Check for [new releases](https://github.com/prometheus/node_exporter/releases).
-- `example/docker.yml`: Check [docker hub](https://hub.docker.com/r/library/docker/tags/) for the latest `dind` tags.
-
-The build/push the packages:
-
-```sh
-cd $LK_ROOT/pkg
-make OPTIONS="-release $LK_RELEASE" push
-```
-
-Note, the `OPTIONS` argument. This adds the release tag to the
-packages.
-
-Then, on the other build machines in turn:
-
-```sh
-cd $LK_ROOT/pkg
-git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
-make OPTIONS="-release $LK_RELEASE" push
-```
-
-Update the package tags in the YAML files:
-
-```sh
-cd $LK_ROOT
-for img in $(cd pkg; make show-tag | cut -d ':' -f1); do
-    ./scripts/update-component-sha.sh --image $img:$LK_RELEASE
-done
-
-git commit -a -s -m "Update package tags to $LK_RELEASE"
-```
+* `LK_BRANCH` is set to `rel_$LK_RELEASE`, when cutting a release, for e.g. `LK_BRANCH=rel_v0.9`
+* It not necessarily required to update the alpine base image if it has recently been updated, but it is good to pick up any recent bug
+fixes. However, you do need to update the tools, packages and tests.
+* Releases are a particularly good time to check for updates in wrapped external dependencies, as highlighted in [alpine-base-update.md#External Tools](./alpine-base-update.md#External_Tools)
 
 ### Final preparation steps
 
@@ -275,5 +86,3 @@ This completes the release, but you are not done, one more step is required.
 Create a PR which bumps the version number in the top-level `Makefile`
 to `$LK_RELEASE+` to make sure that the version reported by `linuxkit
 version` gets updated.
-
-

docs/reproducible-builds.md

@@ -0,0 +1,71 @@
+# Reproducible builds
+
+We aim to make the outputs of `linuxkit build` reproducible, i.e. the
+build artefacts should be bit-by-bit identical copies if invoked with
+the same inputs and run with the same version of the `linuxkit`
+command. See [this
+document](https://reproducible-builds.org/docs/buy-in/) on why this
+matters.
+
+_Note, we do not (yet) aim to make `linuxkit pkg build` builds
+reproducible._
+
+
+## Current status
+
+Currently, the following output formats provide reproducible builds:
+- `tar` (Tested as part of the CI)
+- `tar-kernel-initrd`
+- `docker`
+- `kernel+initrd` (Tested as part of the CI)
+
+
+## Details
+
+In general, `linuxkit build` lends itself for reproducible
+builds. LinuxKit packages, used during `linuxkit build`, are (signed)
+docker images. Packages are tagged with the content hash of the source
+code (and optionally release version) and are typically only updated
+if the source of the package changed (in which case the tag
+changes). For all intents and purposes, when pulled by tag, the
+contents of a packages should be bit-by-bit identical. Alternatively,
+the digest of the package, in which case, the pulled image will always
+be the same.
+
+The first phase of the `linuxkit build` mostly untars and retars the
+images of the packages to produce an tar file of the root filesystem.
+This then serves as input for other output formats. During this first
+phase, there are a number of things to watch out for to generate
+reproducible builds:
+
+- Timestamps of generated files. The `docker export` command, as well
+  as `linuxkit build` itself, creates a small number of files. The
+  `ModTime` for these files needs to be clamped to a fixed date
+  (otherwise the current time is used). Use the `defaultModTime`
+  variable to set the `ModTime` of created files to a specific time.
+- Generated JSON files. `linuxkit build` generates a number of JSON
+  files by marshalling Go `struct` variables. Examples are the OCI
+  specification `config.json` and `runtime.json` files for
+  containers. The default Go `json.Marshal()` function seems to do a
+  reasonable good job in generating reproducible output from internal
+  structures, including for JSON objects. However, during `linuxkit
+  build` some of the OCI runtime spec fields are generated/modified
+  and care must be taken to ensure consistent ordering. For JSON
+  arrays (Go slices) it is best to sort them before Marshalling them.
+
+Reproducible builds for the first phase of `linuxkit build` can be
+tested using `-output tar` and comparing the output of subsequent
+builds with tools like `diff` or the excellent
+[`diffoscope`](https://diffoscope.org/).
+
+The second phase of `linuxkit build` converts the intermediary `tar`
+format into the desired output format. Making this phase reproducible
+depends on the tools used to generate the output.
+
+Builds, which produce ISO formats should probably be converted to use
+[`go-diskfs`](https://github.com/diskfs/go-diskfs) before attempting
+to make them reproducible.
+
+For ideas on how to make the builds for other output formats
+reproducible, see [this
+page](https://reproducible-builds.org/docs/system-images/).

docs/security.md

@@ -50,8 +50,6 @@ and namespaced separately from the host as appropriate.
 LinuxKit's build process heavily leverages Docker images for packaging. Of note, all intermediate build images
 are referenced by digest to ensures reproducibility across LinuxKit builds. Tags are mutable, and thus subject to override
 (intentionally or maliciously) - referencing by digest mitigates classes of registry poisoning attacks in LinuxKit's buildchain.
-Certain images, such as the kernel image, will be signed by LinuxKit maintainers using [Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/),
-which guarantees authenticity, integrity, and freshness of the image.
 
 Moreover, LinuxKit's build process leverages [Alpine Linux's](https://alpinelinux.org/) hardened userspace tools such as
 Musl libc, and compiler options that include `-fstack-protector` and position-independent executable output. Go binaries

docs/signing.md

@@ -1,49 +0,0 @@
-# Signing LinuxKit Hub Images
-
-We sign and verify LinuxKit component images, such as `linuxkit/kernel`, using [Notary](https://github.com/docker/notary).
-
-This document details the process for setting this up, intended for maintainers.
-
-## Initialize a New Repository
-
-Let's say we're publishing a new `linuxkit/foo` image that we want to sign and verify in LinuxKit.
-We first need to initialize the Notary repository:
-
-```
-notary -s https://notary.docker.io -d ~/.docker/trust init -p docker.io/linuxkit/foo
-```
-
-This command will generate some private keys in `~/.docker/trust` and ask you for passphrases such that they are encrypted at rest.
-All linuxkit repositories are currently using the same root key so we can pin trust on key ID `1908a0cf4f55710138e63f65ab2a97e8fa3948e5ca3b8857a29f235a3b61ea1b`.
-
-We'll also let the notary server take control of the snapshot key, for easier delegation collaboration:
-```
-notary -s https://notary.docker.io -d ~/.docker/trust key rotate docker.io/linuxkit/foo snapshot -r
-```
-
-## Add maintainers to delegation roles:
-
-Maintainers are to sign with `delegation` keys, which are adminstered by a non-root key.
-Thusly, they are easily rotated without having to bring the root key online.
-Additionally, maintainers can be added to separate roles for auditing purposes: the current setup is to add maintainers to both the `targets/releases` role that is intended
-for release consumption, as well as an individual `targets/<maintainer_name>` role for auditing.
-Docker will automatically sign into both roles when pushing with Docker Content Trust.
-
-Here's what the command looks like to add all maintainers to the `targets/releases` role:
-```
-notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io/linuxkit/foo targets/releases alice.crt bob.crt charlie.crt --all-paths
-```
-
-Here's what the commands look like to add all maintainers to their individually named roles:
-```
-notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io/linuxkit/foo targets/alice alice.crt --all-paths
-notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io/linuxkit/foo targets/bob bob.crt --all-paths
-notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io/linuxkit/foo targets/charlie charlie.crt --all-paths
-```
-
-## Maintainers import their private keys
-
-It's important that each maintainer imports their private key into Docker's key storage, so Docker can use it to sign:
-```
-notary -d ~/.docker/trust key import alice.key -r user
-```

docs/testing.md

@@ -50,7 +50,7 @@ You must copy an existing `group.sh` in to this folder and adjust as required or
 [example](https://github.com/linuxkit/rtf/tree/master/etc/templates/group.sh)
 
 To write your test, create a folder within the group using the `000_name` format as described above.
-You should then copy an existing `test.sh` in to this directory and amdend it,
+You should then copy an existing `test.sh` in to this directory and amend it,
 or start from an [example](http://github.com/linuxkit/rtf/tree/master/etc/templates/test.sh)
 
 If your test can only be run when certain conditions are met, you should consider adding a label to

docs/vendoring.md

@@ -2,16 +2,24 @@ Vendoring
 =========
 
 The Go code in this repo depends on a number of Go libraries.
-These are vendored in to the `src/cmd/linuxkit/vendor` directory using [`vndr`](https://github.com/lk4d4/vndr)
-The `vendor.conf` file contains a list of the repositories and the git SHA or branch name that should be vendored
+These are vendored in to the `src/cmd/linuxkit/vendor` directory using [go modules](https://golang.org/ref/mod)
 
 ## Updating dependencies
 
-Update `src/cmd/linuxkit/vendor.conf` with the dependency that you would like to add.
-Details of usage of the `vndr` tool and the format of `vendor.conf` can be found [here](https://github.com/LK4D4/vndr/blob/master/README.md)
+Go modules should install any required dependencies to `go.mod` and `go.sum` when running normal go commands such as `go build`,
+`go vet`, etc. To install specific versions, use `go get <dependency>@<reference>`.
 
-Once done, you must run the `vndr` tool to add the necessary files to the `vendor` directory.
-The easiest way to do this is in a container.
+See the [go modules](https://golang.org/ref/mod) documentation for more information.
+
+LinuxKit vendors all dependencies to make it completely self-contained. Once `go.mod` is up to date,
+you must update the dependencies, either using your local go toolchain or in a container.
+
+## Updating locally
+
+To vendor all dependencies:
+
+1. `cd src/cmd/linuxkit`
+1. Run `go mod vendor`
 
 ## Updating in a container
 
@@ -21,39 +29,7 @@ To update all dependencies:
 docker run -it --rm \
 -v $(pwd):/go/src/github.com/linuxkit/linuxkit \
 -w /go/src/github.com/linuxkit/linuxkit/src/cmd/linuxkit \
---entrypoint /go/bin/vndr \
-linuxkit/go-compile:e1204ce9921c1d45362a374e06be7234d3bf1184
-```
-
-To update a single dependency:
-
-```
-docker run -it --rm \
--v $(pwd):/go/src/github.com/linuxkit/linuxkit \
--w /go/src/github.com/linuxkit/linuxkit/src/cmd/linuxkit \
---entrypoint /go/bin/vndr \
-linuxkit/go-compile:e1204ce9921c1d45362a374e06be7234d3bf1184
-github.com/docker/docker
-```
-
-## Updating locally
-
-First you must install `vndr` and ensure that `$GOPATH/bin` is on your `$PATH`
-
-```
-go get -u github.com/LK4D4/vndr
-```
-
-To update all dependencies:
-
-```
-cd src/cmd/linuxkit
-vndr
-```
-
-To update a single dependency:
-
-```
-cd /src/cmd/linuxkit
-vndr github.com/docker/docker
+--entrypoint=go
+linuxkit/go-compile:7b1f5a37d2a93cd4a9aa2a87db264d8145944006
+mod vendor
 ```

docs/yaml.md

@@ -11,9 +11,10 @@ are downloaded at build time to create an image. The image is self-contained and
 so it can be tested reliably for continuous delivery.
 
 Components are specified as Docker images which are pulled from a registry during build if they
-are not available locally. The Docker images are optionally verified with Docker Content Trust.
+are not available locally. See [image-cache](./image-cache.md) for more details on local caching.
+The Docker images are optionally verified with Docker Content Trust.
 For private registries or private repositories on a registry credentials provided via
-`docker login` are re-used. 
+`docker login` are re-used.
 
 The configuration file is processed in the order `kernel`, `init`, `onboot`, `onshutdown`,
 `services`, `files`. Each section adds files to the root file system. Sections may be omitted.
@@ -124,19 +125,6 @@ file:
 
 Because a `tmpfs` is mounted onto `/var`, `/run`, and `/tmp` by default, the `tmpfs` mounts will shadow anything specified in `files` section for those directories.
 
-## `trust`
-
-The `trust` section specifies which build components are to be cryptographically verified with
-[Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) prior to pulling.
-Trust is a central concern in any build system, and LinuxKit's is no exception: Docker Content Trust provides authenticity,
-integrity, and freshness guarantees for the components it verifies.  The LinuxKit maintainers are responsible for signing
-`linuxkit` components, though collaborators can sign their own images with Docker Content Trust or [Notary](https://github.com/docker/notary).
-
-- `image` lists which individual images to enforce pulling with Docker Content Trust.
-The image name may include tag or digest, but the matching also succeeds if the base image name is the same.
-- `org` lists which organizations for which Docker Content Trust is to be enforced across all images,
-for example `linuxkit` is the org for `linuxkit/kernel`
-
 ## Image specification
 
 Entries in the `onboot` and `services` sections specify an OCI image and
@@ -144,7 +132,9 @@ options. Default values may be specified using the `org.mobyproject.config` imag
 For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md).
 
 If the `org.mobylinux.config` label is set in the image, that specifies default values for these fields if they
-are not set in the yaml file. You can override the label by setting the value, or setting it to be empty to remove
+are not set in the yaml file. While most fields are _replaced_ if they are specified in the yaml file,
+some support _add_ via the format `<field>.add`; see below.
+You can override the label entirely by setting the value, or setting it to be empty to remove
 the specification for that value in the label.
 
 If you need an OCI option that is not specified here please open an issue or pull request as the list is not yet
@@ -159,6 +149,7 @@ bind mounted into a container.
   extracted from this so they need not be filled in.
 - `capabilities` the Linux capabilities required, for example `CAP_SYS_ADMIN`. If there is a single
   capability `all` then all capabilities are added.
+- `capabilities.add` the Linux capabilities required, but these are added to the defaults, rather than overriding them.
 - `ambient` the Linux ambient capabilities (capabilities passed to non root users) that are required.
 - `mounts` is the full form for specifying a mount, which requires `type`, `source`, `destination`
   and a list of `options`. If any fields are omitted, sensible defaults are used if possible, for example
@@ -166,6 +157,7 @@ bind mounted into a container.
   can be replaced by specifying a mount with new options here at the same mount point.
 - `binds` is a simpler interface to specify bind mounts, accepting a string like `/src:/dest:opt1,opt2`
   similar to the `-v` option for bind mounts in Docker.
+- `binds.add` is a simpler interface to specify bind mounts, but these are added to the defaults, rather than overriding them.
 - `tmpfs` is a simpler interface to mount a `tmpfs`, like `--tmpfs` in Docker, taking `/dest:opt1,opt2`.
 - `command` will override the command and entrypoint in the image with a new list of commands.
 - `env` will override the environment in the image with a new environment list. Specify variables as `VAR=value`.
@@ -240,6 +232,31 @@ services:
      - CAP_DAC_OVERRIDE
 ```
 
+## `devices`
+
+To access the console, it's necessary to explicitly add a "device" definition, for example:
+
+```
+devices:
+- path: "/dev/console"
+  type: c
+  major: 5
+  minor: 1
+  mode: 0666
+```
+
+See the [getty package](../pkg/getty/build.yml) for a more complete example
+and see [runc](https://github.com/opencontainers/runc/commit/60e21ec26e15945259d4b1e790e8fd119ee86467) for context.
+
+To grant access to all block devices use:
+
+```
+devices:
+- path: all
+  type: b
+```
+
+See the [format package](../pkg/format/build.yml) for an example.
 
 ### Mount Options
 When mounting filesystem paths into a container - whether as part of `onboot` or `services` - there are several options of which you need to be aware. Using them properly is necessary for your containers to function properly.

examples/addbinds.yml

@@ -0,0 +1,26 @@
+kernel:
+  image: linuxkit/kernel:5.4.30
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    binds.add:
+      # this will keep all of the existing ones as well
+      - /var/tmp:/var/tmp
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+files:
+  - path: etc/getty.shadow
+    # sample sets password for root to "abcdefgh" (without quotes)
+    contents: 'root:$6$6tPd2uhHrecCEKug$8mKfcgfwguP7f.BLdZsT1Wz7WIIJOBY1oUFHzIv9/O71M2J0EPdtFqFGTxB1UK5ejqQxRFQ.ZSG9YXR0SNsc11:17322:0:::::'

examples/aws.yml

@@ -1,37 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.14.58
-  cmdline: "console=ttyS0"
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.6
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.6
-services:
-  - name: rngd
-    image: linuxkit/rngd:v0.6
-  - name: sshd
-    image: linuxkit/sshd:v0.6
-    binds:
-     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/azure.yml

@@ -1,26 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.14.58
-  cmdline: "console=ttyS0"
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.6
-services:
-  - name: rngd
-    image: linuxkit/rngd:v0.6
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
-  - name: sshd
-    image: linuxkit/sshd:v0.6
-files:
-  - path: root/.ssh/authorized_keys
-    source: ~/.ssh/id_rsa.pub
-    mode: "0600"
-    optional: true
-trust:
-  org:
-    - linuxkit

examples/cadvisor.yml

@@ -1,37 +1,37 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: sysfs
-    image: linuxkit/sysfs:v0.6
+    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
   - name: format
-    image: linuxkit/format:v0.6
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
   - name: mount
-    image: linuxkit/mount:v0.6
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
       - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: ntpd
-    image: linuxkit/openntpd:v0.6
+    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
 
   - name: docker
-    image: docker:17.10.0-ce-dind
+    image: docker:20.10.6-dind
     capabilities:
       - all
     net: host
@@ -46,14 +46,10 @@ services:
       - /etc/docker/daemon.json:/etc/docker/daemon.json
     command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
   - name: cadvisor
-    image: linuxkit/cadvisor:v0.6
+    image: linuxkit/cadvisor:38174e03a9495a2ba8a8a049458f585a8b8e4a59
 files:
   - path: var/lib/docker
     directory: true
   - path: etc/docker/daemon.json
     contents: '{"debug": true, "hosts": ["unix:///var/run/docker.sock"]}'
     mode: "0644"
-trust:
-  org:
-    - linuxkit
-    - library

examples/dm-crypt-loop.yml

@@ -0,0 +1,46 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=tty0 console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: format
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
+    command: ["/usr/bin/format", "/dev/sda"]
+  - name: mount
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    command: ["/usr/bin/mountie", "/dev/sda1", "/var/external"]
+  - name: loop
+    image: linuxkit/losetup:43e40be0c82cbccf171ebd2a8065246e2e84f66e
+    command: ["/usr/bin/loopy", "--create", "/var/external/storage_file"]
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:908d3a270650aff7388092a307673c44d86e1ed0
+    command: ["/usr/bin/crypto", "crypt_loop_dev", "/dev/loop0"]
+  - name: mount
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    command: ["/usr/bin/mountie", "/dev/mapper/crypt_loop_dev", "/var/secure_storage"]
+  - name: bbox
+    image: busybox
+    command: ["sh", "-c", "echo 'secret things' >/var/secure_storage/secrets"]
+    binds:
+      - /var:/var
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+files:
+  - path: etc/dm-crypt/key
+    # the below key is just to keep the example self-contained
+    # !!! provide a proper key for production use here !!!
+    contents: "abcdefghijklmnopqrstuvwxyz123456"

examples/dm-crypt.yml

@@ -0,0 +1,40 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=tty0 console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: format
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
+    command: ["/usr/bin/format", "/dev/sda"]
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:908d3a270650aff7388092a307673c44d86e1ed0
+    command: ["/usr/bin/crypto", "crypt_dev", "/dev/sda1"]
+  - name: mount
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    command: ["/usr/bin/mountie", "/dev/mapper/crypt_dev", "/var/secure_storage"]
+  - name: bbox
+    image: busybox
+    command: ["sh", "-c", "echo 'secret things' >/var/secure_storage/secrets"]
+    binds:
+      - /var:/var
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+files:
+  - path: etc/dm-crypt/key
+    # the below key is just to keep the example self-contained
+    # !!! provide a proper key for production use here !!!
+    contents: "abcdefghijklmnopqrstuvwxyz123456"

examples/docker-for-mac.md

@@ -10,13 +10,13 @@ moment is to install a recent version of Docker for Mac.
 To build it with the latest Docker CE:
 
 ```
-$ linuxkit build docker-for-mac.yml
+$ linuxkit build -format iso-efi docker-for-mac.yml
 ```
 
 To run the VM with a 4G disk:
 
 ```
-linuxkit run hyperkit -networking=vpnkit -vsock-ports=2376 -disk size=4096M -data-file ./metadata.json docker-for-mac
+linuxkit run hyperkit -networking=vpnkit -vsock-ports=2376 -disk size=4096M -data-file ./metadata.json -iso -uefi docker-for-mac-efi
 ```
 
 Where the file `./metadata.json` should contain the desired docker daemon
@@ -35,10 +35,10 @@ configuration, for example:
 ```
 
 In another terminal you should now be able to access docker via the
-socket `guest.00000947` in the state directory
-(`docker-for-mac-state/` by default):
+socket `guest.00000948` in the state directory
+(`docker-for-mac-efi-state/` by default):
 
 ```
-$ docker -H unix://docker-for-mac-state/guest.00000948 ps
+$ docker -H unix://docker-for-mac-efi-state/guest.00000948 ps
 CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
 ```

examples/docker-for-mac.yml

@@ -1,36 +1,36 @@
 # This is an example for building the open source components of Docker for Mac
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/vpnkit-expose-port:v0.6 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/vpnkit-expose-port:87ac61469247b2a0483cbd1fd2915f220e078b78 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   # support metadata for optional config in /run/config
   - name: metadata
-    image: linuxkit/metadata:v0.6
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: sysfs
-    image: linuxkit/sysfs:v0.6
+    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
   - name: binfmt
-    image: linuxkit/binfmt:v0.6
+    image: linuxkit/binfmt:a17941b47f5cb262638cfb49ffc59ac5ac2bf334
   # Format and mount the disk image in /var/lib/docker
   - name: format
-    image: linuxkit/format:v0.6
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
   - name: mount
-    image: linuxkit/mount:v0.6
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/var/lib"]
   # make a swap file on the mounted disk
   - name: swap
-    image: linuxkit/swap:v0.6
+    image: linuxkit/swap:77305236719ed7ab4be0f3bccc179c583fe7f5ff
     command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"]
   # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding
   - name: mount-vpnkit
-    image: alpine:3.8
+    image: alpine:3.13
     binds:
         - /var/:/host_var:rbind,rshared
     capabilities:
@@ -39,51 +39,51 @@ onboot:
     command: ["sh", "-c", "mkdir -p /host_var/vpnkit/port && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
   # move logs to the mounted disk (this is a temporary fix until we can limit the log sizes)
   - name: move-logs
-    image: alpine:3.8
+    image: alpine:3.13
     binds:
         - /var:/host_var
     command: ["sh", "-c", "mv -v /host_var/log /host_var/lib && ln -vs /var/lib/log /host_var/log"]
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   # Enable acpi to shutdown on power events
   - name: acpid
-    image: linuxkit/acpid:v0.6
+    image: linuxkit/acpid:c05a368754f6436b326945dc16135ba547568d8d
   # Enable getty for easier debugging
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
         - INSECURE=true
   # Run ntpd to keep time synchronised in the VM
   - name: ntpd
-    image: linuxkit/openntpd:v0.6
+    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
   # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock
   # to a socket on the host.
   - name: vsudd
-    image: linuxkit/vsudd:v0.6
+    image: linuxkit/vsudd:89980cd551d3174b6d8528f39fbd7fd1ca049161
     binds:
         - /var/run:/var/run
     command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"]
   # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373. 
   # It needs access to the vpnkit 9P coordination share 
   - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:v0.6
+    image: linuxkit/vpnkit-forwarder:ea4dded7386b09dd647e854664b029be0a4f420f
     binds:
         - /var/vpnkit:/port
     net: host
     command: ["/vpnkit-forwarder", "-vsockPort", "62373"]
   # Monitor for image deletes and invoke a TRIM on the container filesystem
   - name: trim-after-delete
-    image: linuxkit/trim-after-delete:v0.6
+    image: linuxkit/trim-after-delete:533ed712cf5cede1d5aec121c3f8afc1f471f723
   # When the host resumes from sleep, force a clock resync
   - name: host-timesync-daemon
-    image: linuxkit/host-timesync-daemon:v0.6
+    image: linuxkit/host-timesync-daemon:cc7c2f88c0e585c292624b9665412c9aca615d55
   # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container.
   # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
   # for vpnkit coordination and /run/config/docker for the configuration file.
   - name: docker-dfm
-    image: docker:17.07.0-ce-dind
+    image: docker:20.10.6-dind
     capabilities:
      - all
     net: host
@@ -106,8 +106,3 @@ services:
             "--storage-driver", "overlay2" ]
     runtime:
       mkdir: ["/var/lib/docker"]
-
-trust:
-    org:
-        - linuxkit
-        - library

examples/docker.yml

@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: sysfs
-    image: linuxkit/sysfs:v0.6
+    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
   - name: format
-    image: linuxkit/format:v0.6
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
   - name: mount
-    image: linuxkit/mount:v0.6
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
   - name: ntpd
-    image: linuxkit/openntpd:v0.6
+    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
   - name: docker
-    image: docker:18.06.0-ce-dind
+    image: docker:20.10.6-dind
     capabilities:
      - all
     net: host
@@ -46,7 +46,3 @@ files:
     directory: true
   - path: etc/docker/daemon.json
     contents: '{"debug": true}'
-trust:
-  org:
-    - linuxkit
-    - library

examples/gcp.yml

@@ -1,41 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.14.58
-  cmdline: "console=ttyS0"
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.6
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.6
-services:
-  - name: getty
-    image: linuxkit/getty:v0.6
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.6
-  - name: sshd
-    image: linuxkit/sshd:v0.6
-    binds:
-     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/getty.yml

@@ -1,29 +1,26 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     # to make insecure with passwordless root login, uncomment following lines
     #env:
     # - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)
     contents: 'root:$6$6tPd2uhHrecCEKug$8mKfcgfwguP7f.BLdZsT1Wz7WIIJOBY1oUFHzIv9/O71M2J0EPdtFqFGTxB1UK5ejqQxRFQ.ZSG9YXR0SNsc11:17322:0:::::'
-trust:
-  org:
-    - linuxkit

examples/hostmount-writeable-overlay.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
   - name: shutdown
@@ -18,7 +18,7 @@ onshutdown:
     command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
     runtime:
@@ -30,7 +30,7 @@ services:
           destination: writeable-host-etc
           options: ["rw", "lowerdir=/etc", "upperdir=/run/hostetc/upper", "workdir=/run/hostetc/work"]
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: nginx
     image: nginx:1.13.8-alpine
     capabilities:
@@ -41,7 +41,3 @@ services:
      - CAP_DAC_OVERRIDE
     binds:
      - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/influxdb-os.yml

@@ -1,48 +1,44 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: influxdb
-    image: influxdb:1.4
+    image: influxdb:1.7
     net: host
     capabilities:
       - CAP_NET_BIND_SERVICE
       - CAP_DAC_OVERRIDE
   - name: kapacitor
-    image: kapacitor:1.4
+    image: kapacitor:1.5
     net: host
     capabilities:
       - all
     env:
       - KAPACITOR_INFLUXDB_0_URLS_0=http://influxdb:8086
   - name: telegraf
-    image: telegraf:1.4
+    image: telegraf:1.9
     net: host
     capabilities:
       - all
   - name: chronograf
-    image: chronograf:1.4
+    image: chronograf:1.7
     net: host
     capabilities:
       - CAP_NET_BIND_SERVICE
       - CAP_DAC_OVERRIDE
     env:
-      - INFLUXDB_URL=http://localhost:8086
-      - KAPACITOR_URL=http://localhost:9092
-trust:
-  org:
-    - linuxkit
-    - library
+      - INFLUXDB_URL=http://127.0.0.1:8086
+      - KAPACITOR_URL=http://127.0.0.1:9092

examples/logging.yml

@@ -1,34 +1,30 @@
 # Simple example of using an external logging service
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-  - linuxkit/memlogd:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/memlogd:014f86dce2ea4bb2ec13e92ae5c1e854bcefec40
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
 # Inside the getty type `/proc/1/root/usr/bin/logread -F` to follow the log
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
 # A service which generates log messages for testing
   - name: write-to-the-logs
-    image: alpine:3.8
+    image: alpine:3.13
     command: ["/bin/sh", "-c", "while /bin/true; do echo hello $(date); sleep 1; done" ]
   - name: write-and-rotate-logs
-    image: linuxkit/logwrite:v0.6
+    image: linuxkit/logwrite:4d8aa07d4a7130239fc62b09f33e3401ecf62a38
   - name: kmsg
-    image: linuxkit/kmsg:v0.6
-trust:
-  org:
-    - linuxkit
-    - library
+    image: linuxkit/kmsg:b2f6cd4ce9041120e30a4b5ab36bb8db4f5eb458

examples/minimal.yml

@@ -1,19 +1,16 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
-trust:
-  org:
-    - linuxkit

examples/node_exporter.yml

@@ -1,21 +1,18 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
   - name: node_exporter
-    image: linuxkit/node_exporter:v0.6
-trust:
-  org:
-    - linuxkit
+    image: linuxkit/node_exporter:bd11bc62e0cdf7a600556c0cb9f6582bf055f245

examples/openstack.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:v0.6
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
     command: ["/usr/bin/metadata", "openstack"]
 services:
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: sshd
-    image: linuxkit/sshd:v0.6
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
     binds:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx
@@ -32,7 +32,3 @@ services:
      - CAP_DAC_OVERRIDE
     binds:
      - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/packet.arm64.yml

@@ -1,14 +0,0 @@
-# This YAML snippet is to be used in conjunction with packet.yml to
-# build a arm64 image for packet.net. It adds a modprobe of the NIC
-# driver and overrides the kernel section to disable prepending the
-# Intel CPU microcode to the initrd. If writing a YAML specifically
-# for arm64 then the 'ucode' line in the kernel section can be left
-# out.
-kernel:
-  image: linuxkit/kernel:4.14.58
-  cmdline: "console=ttyAMA0"
-  ucode: ""
-onboot:
-  - name: modprobe
-    image: linuxkit/modprobe:v0.6
-    command: ["modprobe", "nicvf"]

examples/packet.yml

@@ -1,39 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.14.58
-  cmdline: console=ttyS1
-  ucode: intel-ucode.cpio
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-  - linuxkit/firmware:v0.6
-onboot:
-  - name: rngd1
-    image: linuxkit/rngd:v0.6
-    command: ["/sbin/rngd", "-1"]
-  - name: sysctl
-    image: linuxkit/sysctl:v0.6
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.6
-    command: ["/usr/bin/metadata", "packet"]
-services:
-  - name: rngd
-    image: linuxkit/rngd:v0.6
-  - name: getty
-    image: linuxkit/getty:v0.6
-    env:
-     - INSECURE=true
-  - name: sshd
-    image: linuxkit/sshd:v0.6
-files:
-  - path: root/.ssh/authorized_keys
-    source: ~/.ssh/id_rsa.pub
-    mode: "0600"
-    optional: true
-trust:
-  org:
-    - linuxkit

examples/platform-aws.yml

@@ -0,0 +1,33 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+services:
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    binds:
+     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/platform-azure.yml

@@ -0,0 +1,23 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+services:
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+files:
+  - path: root/.ssh/authorized_keys
+    source: ~/.ssh/id_rsa.pub
+    mode: "0600"
+    optional: true

examples/platform-gcp.yml

@@ -0,0 +1,37 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    binds:
+     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/platform-hetzner.yml

@@ -0,0 +1,36 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: console=ttyS1
+  ucode: intel-ucode.cpio
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/firmware:8f89601312327c78999a880ee104ceae9a25d20e
+onboot:
+  - name: rngd1
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    command: ["/sbin/rngd", "-1"]
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    command: ["/usr/bin/metadata", "hetzner"]
+services:
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+files:
+  - path: root/.ssh/authorized_keys
+    source: ~/.ssh/id_rsa.pub
+    mode: "0600"
+    optional: true

examples/platform-packet.arm64.yml

@@ -0,0 +1,14 @@
+# This YAML snippet is to be used in conjunction with packet.yml to
+# build a arm64 image for packet.net. It adds a modprobe of the NIC
+# driver and overrides the kernel section to disable prepending the
+# Intel CPU microcode to the initrd. If writing a YAML specifically
+# for arm64 then the 'ucode' line in the kernel section can be left
+# out.
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyAMA0"
+  ucode: ""
+onboot:
+  - name: modprobe
+    image: linuxkit/modprobe:1b59b4f2ebb877085ea0d8d3a41cf06f64c09a15
+    command: ["modprobe", "nicvf"]

examples/platform-packet.yml

@@ -0,0 +1,36 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: console=ttyS1
+  ucode: intel-ucode.cpio
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/firmware:8f89601312327c78999a880ee104ceae9a25d20e
+onboot:
+  - name: rngd1
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    command: ["/sbin/rngd", "-1"]
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    command: ["/usr/bin/metadata", "packet"]
+services:
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+files:
+  - path: root/.ssh/authorized_keys
+    source: ~/.ssh/id_rsa.pub
+    mode: "0600"
+    optional: true

examples/platform-rt-for-vmware.yml

@@ -0,0 +1,32 @@
+kernel:
+  image: linuxkit/kernel:5.11.4-rt
+  cmdline: "console=tty0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+  - name: open-vm-tools
+    image: linuxkit/open-vm-tools:4c3158c7ba27f7ad0ede5d383ca25b57c5588a26
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/platform-scaleway.yml

@@ -0,0 +1,26 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: rngd1
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    command: ["/sbin/rngd", "-1"]
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a

examples/platform-vmware.yml

@@ -0,0 +1,30 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=tty0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/platform-vultr.yml

@@ -0,0 +1,38 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    command: ["/usr/bin/metadata", "vultr"]
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    binds:
+     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/redis-os.yml

@@ -1,19 +1,19 @@
 # Minimal YAML to run a redis server (used at DockerCon'17)
 # connect: nc localhost 6379
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   # Currently redis:4.0.6-alpine has trust issue with multi-arch
@@ -27,7 +27,3 @@ services:
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
     net: host
-trust:
-  org:
-    - linuxkit
-    - library

examples/rt-for-vmware.yml

@@ -1,36 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.14.58-rt
-  cmdline: "console=tty0"
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.6
-services:
-  - name: getty
-    image: linuxkit/getty:v0.6
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.6
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
-  - name: open-vm-tools
-    image: linuxkit/open-vm-tools:v0.6
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/scaleway.yml

@@ -1,29 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.14.58
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.6
-  - name: rngd1
-    image: linuxkit/rngd:v0.6
-    command: ["/sbin/rngd", "-1"]
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.6
-services:
-  - name: getty
-    image: linuxkit/getty:v0.6
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.6
-trust:
-  org:
-    - linuxkit

examples/sshd.yml

@@ -1,33 +1,30 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: rngd1
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
     command: ["/sbin/rngd", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
   - name: sshd
-    image: linuxkit/sshd:v0.6
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
 files:
   - path: root/.ssh/authorized_keys
     source: ~/.ssh/id_rsa.pub
     mode: "0600"
     optional: true
-trust:
-  org:
-    - linuxkit

examples/static-ip.yml

@@ -0,0 +1,29 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+onboot:
+  - name: ip
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
+    binds:
+     - /etc/ip:/etc/ip
+    command: ["ip", "-b", "/etc/ip/eth0.conf"]
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+files:     
+  - path: etc/ip/eth0.conf
+    contents: |
+      address add 10.10.1.225/24 dev eth0
+      link set eth0 up
+      route add default via 10.10.1.100 dev eth0
+  - path: etc/resolv.conf
+    contents: |
+#      domain test.local
+      nameserver 10.10.1.101
+      nameserver 10.10.1.100     

examples/swap.yml

@@ -1,35 +1,31 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:v0.6
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
   - name: mount
-    image: linuxkit/mount:v0.6
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/var/external"]
   - name: swap
-    image: linuxkit/swap:v0.6
+    image: linuxkit/swap:77305236719ed7ab4be0f3bccc179c583fe7f5ff
     # to use unencrypted swap, use:
     # command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
     command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.6
-trust:
-  org:
-    - linuxkit
-    - library
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a

examples/tpm.yml

@@ -1,30 +1,27 @@
 kernel:
-  image: linuxkit/kernel:4.9.38
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: tss
-    image: linuxkit/tss:v0.6
+    image: linuxkit/tss:9cfa8c15f2120415aab35efcfdede5b3b5fe5b4c
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)
     contents: 'root:$6$6tPd2uhHrecCEKug$8mKfcgfwguP7f.BLdZsT1Wz7WIIJOBY1oUFHzIv9/O71M2J0EPdtFqFGTxB1UK5ejqQxRFQ.ZSG9YXR0SNsc11:17322:0:::::'
-trust:
-  org:
-    - linuxkit

examples/vmware.yml

@@ -1,34 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.14.58
-  cmdline: "console=tty0"
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.6
-services:
-  - name: getty
-    image: linuxkit/getty:v0.6
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.6
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/vpnkit-forwarder.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: mount-vpnkit
-    image: alpine:3.8
+    image: alpine:3.13
     binds:
         - /var/:/host_var:rbind,rshared
     capabilities:
@@ -19,9 +19,9 @@ onboot:
     command: ["sh", "-c", "mkdir /host_var/vpnkit && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
 services:
   - name: sshd
-    image: linuxkit/sshd:v0.6
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
   - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:v0.6
+    image: linuxkit/vpnkit-forwarder:ea4dded7386b09dd647e854664b029be0a4f420f
     binds:
         - /var/vpnkit:/port
     net: host
@@ -32,7 +32,3 @@ files:
     source: ~/.ssh/id_rsa.pub
     mode: "0600"
     optional: true
-
-trust:
-  org:
-    - linuxkit

examples/vsudd-containerd.yml

@@ -1,22 +1,18 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: vsudd
-    image: linuxkit/vsudd:v0.6
+    image: linuxkit/vsudd:89980cd551d3174b6d8528f39fbd7fd1ca049161
     binds:
         - /run/containerd/containerd.sock:/run/containerd/containerd.sock
     command: ["/vsudd",
         "-inport", "2374:unix:/run/containerd/containerd.sock"]
-
-trust:
-  org:
-    - linuxkit

examples/vultr.yml

@@ -1,41 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.14.58
-  cmdline: "console=ttyS0"
-init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.6
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.6
-services:
-  - name: getty
-    image: linuxkit/getty:v0.6
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.6
-  - name: sshd
-    image: linuxkit/sshd:v0.6
-    binds:
-     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/wireguard.yml

@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:4.14.58
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.6
-  - linuxkit/runc:v0.6
-  - linuxkit/containerd:v0.6
-  - linuxkit/ca-certificates:v0.6
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.6
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.6
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: wg0
-    image: linuxkit/ip:v0.6
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     net: new
     binds:
       - /etc/wireguard:/etc/wireguard
@@ -26,7 +26,7 @@ onboot:
       bindNS:
           net: /run/netns/wg0
   - name: wg1
-    image: linuxkit/ip:v0.6
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     net: new
     binds:
       - /etc/wireguard:/etc/wireguard
@@ -40,12 +40,12 @@ onboot:
           net: /run/netns/wg1
 services:
   - name: getty
-    image: linuxkit/getty:v0.6
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
     net: /run/netns/wg1
   - name: rngd
-    image: linuxkit/rngd:v0.6
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: nginx
     image: nginx:1.13.8-alpine
     net: /run/netns/wg0
@@ -77,7 +77,3 @@ files:
       PublicKey = AcS5t3PC5nL/oj0sYhc3yFpDlRaXoJ0mfEq6iq0rFF4=
       AllowedIPs = 0.0.0.0/0
       Endpoint = 127.0.0.1:51820
-trust:
-  org:
-    - linuxkit
-    - library

kernel/Dockerfile

@@ -1,4 +1,6 @@
-FROM linuxkit/alpine:6264e5b39af8eb1da7ffa4c05a7ccc597da01197 AS kernel-build
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE} AS kernel-build
+ARG BUILD_IMAGE
 RUN apk add \
     argp-standalone \
     automake \
@@ -15,14 +17,16 @@ RUN apk add \
     gnupg \
     installkernel \
     kmod \
-    libelf-dev \
-    libressl \
-    libressl-dev \
+    elfutils-dev \
+    libunwind-dev \
     linux-headers \
     mpc1-dev \
     mpfr-dev \
     ncurses-dev \
+    openssl \
+    openssl-dev \
     patch \
+    rsync \
     sed \
     squashfs-tools \
     tar \
@@ -30,30 +34,26 @@ RUN apk add \
     xz-dev \
     zlib-dev
 
-# libunwind-dev pkg is missed from arm64 now, below statement will be removed if the pkg is available.
-RUN [ $(uname -m) == x86_64 ] && apk add libunwind-dev || true
-
 ARG KERNEL_VERSION
 ARG KERNEL_SERIES
 ARG EXTRA
 ARG DEBUG
 
-ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
-ENV KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
-ENV KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.sign
-
-ENV WIREGUARD_VERSION=0.0.20180718
-ENV WIREGUARD_SHA256="083c093a6948c8d38f92e7ea5533f9ff926019f24dc2612ea974851ed3e24705"
-ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz
-
 # We copy the entire directory. This copies some unneeded files, but
 # allows us to check for the existence /patches-${KERNEL_SERIES} to
 # build kernels without patches.
 COPY / /
 
+RUN mkdir -p /out/src
+
 # Download and verify kernel
 # PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org) & 00411886 (torvalds@linux-foundation.org)
-RUN curl -fsSLO ${KERNEL_SHA256_SUMS} && \
+RUN KERNEL_MAJOR=$(echo ${KERNEL_VERSION} | cut -d . -f 1) && \
+    KERNEL_MAJOR=v${KERNEL_MAJOR}.x && \
+    KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.xz && \
+    KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/sha256sums.asc && \
+    KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.sign && \
+    curl -fsSLO ${KERNEL_SHA256_SUMS} && \
     gpg2 -q --import keys.asc && \
     gpg2 --verify sha256sums.asc && \
     KERNEL_SHA256=$(grep linux-${KERNEL_VERSION}.tar.xz sha256sums.asc | cut -d ' ' -f 1) && \
@@ -62,7 +62,25 @@ RUN curl -fsSLO ${KERNEL_SHA256_SUMS} && \
     xz -d linux-${KERNEL_VERSION}.tar.xz && \
     curl -fsSLO ${KERNEL_PGP2_SIGN} && \
     gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
-    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux
+    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux && \
+    printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
+
+WORKDIR /tmp
+# Download Intel ucode, create a CPIO archive for it, and keep it in the build context
+# so the firmware can also be referenced with CONFIG_EXTRA_FIRMWARE
+ENV UCODE_REPO=https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
+ENV UCODE_COMMIT=microcode-20210608
+RUN set -e && \
+    if [ $(uname -m) == x86_64 ]; then \
+        git clone ${UCODE_REPO} ucode && \
+        cd ucode && \
+        git checkout ${UCODE_COMMIT} && \
+        iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \
+        cp license /out/intel-ucode-license.txt && \
+        mkdir -p /lib/firmware && \
+        cp -rav ./intel-ucode /lib/firmware; \
+    fi
+
 
 WORKDIR /linux
 # Apply local specific patches if present
@@ -84,8 +102,6 @@ RUN set -e && \
         done; \
     fi
 
-RUN mkdir -p /out/src
-
 # Save kernel source
 RUN tar cJf /out/src/linux.tar.xz /linux
 
@@ -97,9 +113,6 @@ RUN case $(uname -m) in \
     aarch64) \
         KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
         ;; \
-    s390x) \
-        KERNEL_DEF_CONF=/linux/arch/s390/defconfig; \
-        ;; \
     esac  && \
     cp /config-${KERNEL_SERIES}-$(uname -m) ${KERNEL_DEF_CONF}; \
     if [ -n "${EXTRA}" ] && [ -f "/config-${KERNEL_SERIES}-$(uname -m)${EXTRA}" ]; then \
@@ -112,7 +125,7 @@ RUN case $(uname -m) in \
     fi && \
     make defconfig && \
     make oldconfig && \
-    if [ -z "${EXTRA}" ] && [ -z "${DEBUG}" ]; then diff .config ${KERNEL_DEF_CONF}; fi
+    if [ -z "${EXTRA}" ] && [ -z "${DEBUG}" ]; then diff -u .config ${KERNEL_DEF_CONF}; fi
 
 
 # Kernel
@@ -124,23 +137,12 @@ RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
     aarch64) \
         cp arch/arm64/boot/Image.gz /out/kernel; \
         ;; \
-    s390x) \
-        cp arch/s390/boot/bzImage /out/kernel; \
-        ;; \
     esac && \
     cp System.map /out && \
     ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
 
-# WireGuard
-RUN curl -fsSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
-    echo "${WIREGUARD_SHA256}  /wireguard.tar.xz" | sha256sum -c - && \
-    cp /wireguard.tar.xz /out/src/ && \
-    tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "WireGuard-${WIREGUARD_VERSION}/src" && \
-    make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules
-
 # Modules and Device Tree binaries
 RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
-    make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
     ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
       cd /tmp/kernel-modules/lib/modules/$DVER && \
       rm build source && \
@@ -172,30 +174,7 @@ RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdept
          tar cf - -T - | (cd $dir; tar xf -) && \
     ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
 
-RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
-
-# perf
-# Skip for 4.4.x (the compile is broken and tedious to fix) and 4.9.x (the
-# compile broke with 4.9.93)
-RUN if [ "${KERNEL_SERIES}" != "4.4.x" ] && [ "${KERNEL_SERIES}" != "4.9.x" ]; then \
-       mkdir -p /build/perf && \
-       make -C tools/perf LDFLAGS=-static O=/build/perf && \
-       strip /build/perf/perf && \
-       cp /build/perf/perf /out; \
-     fi
-
-# Download Intel ucode and create a CPIO archive for it
-ENV UCODE_URL=https://downloadmirror.intel.com/27776/eng/microcode-20180425.tgz
-RUN set -e && \
-    if [ $(uname -m) == x86_64 ]; then \
-        cd /ucode && \
-        curl -fsSL -o microcode.tar.gz ${UCODE_URL} && \
-        md5sum -c intel-ucode-md5sums && \
-        tar xf microcode.tar.gz && \
-        rm -f intel-ucode/list && \
-        iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \
-        cp intel-ucode-license.txt /out; \
-    fi
+RUN printf "${BUILD_IMAGE}" > /out/kernel-builder
 
 FROM scratch
 ENTRYPOINT []

kernel/Dockerfile.bcc

@@ -0,0 +1,95 @@
+ARG IMAGE
+ARG BUILD_IMAGE
+
+FROM ${IMAGE} as ksrc
+
+FROM ${BUILD_IMAGE} AS build
+RUN apk update && apk upgrade -a && \
+  apk add --no-cache \
+  argp-standalone \
+  autoconf \
+  automake \
+  bison \
+  build-base \
+  clang \
+  clang-dev \
+  clang-static \
+  cmake \
+  curl \
+  elfutils-dev \
+  flex-dev \
+  fts-dev \
+  gettext-dev \
+  git \
+  iperf3 \
+  libedit-dev \
+  libtool \
+  llvm \
+  llvm-dev \
+  llvm-static \
+  luajit-dev \
+  m4 \
+  python3 \
+  zlib-dev \
+  && true
+
+RUN ln -s /usr/lib/cmake/llvm10/ /usr/lib/cmake/llvm && \
+    ln -s /usr/include/llvm10/llvm-c/ /usr/include/llvm-c && \
+    ln -s /usr/include/llvm10/llvm/ /usr/include/llvm
+
+WORKDIR /build
+
+ENV BCC_COMMIT=14278bf1a52dd76ff66eed02cc9db7c7ec240da6
+RUN git clone https://github.com/iovisor/bcc.git && \
+    cd bcc && \
+    git checkout $BCC_COMMIT && \
+    sed -i 's/<error.h>/<errno.h>/' examples/cpp/KModRetExample.cc
+
+COPY --from=ksrc /kernel-headers.tar /build
+COPY --from=ksrc /kernel-dev.tar /build
+COPY --from=ksrc /kernel.tar /build
+RUN tar xf /build/kernel-headers.tar && \
+    tar xf /build/kernel-dev.tar && \
+    tar xf /build/kernel.tar
+
+RUN mkdir -p bcc/build && cd bcc/build && \
+    cmake .. -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON \
+             -DCMAKE_C_FLAGS="-I/build/usr/include" \
+             -DPYTHON_CMD=python3 \
+             -DCMAKE_CXX_FLAGS="-I/build/usr/include" \
+             -DCMAKE_INSTALL_PREFIX=/usr && \
+    make && \
+    make install
+
+RUN mkdir -p /out/usr/ && \
+    cp -a /build/usr/src /out/usr/ && \
+    cp -a /build/usr/include /out/usr
+RUN mkdir -p /out/usr/lib && \
+    cp -a /usr/lib/libelf* /out/usr/lib/ && \
+    cp -a /usr/lib/libstdc* /out/usr/lib/ && \
+    cp -a /usr/lib/libintl* /out/usr/lib/ && \
+    cp -a /usr/lib64/* /out/usr/lib/
+RUN mkdir -p /out/usr/lib/python3.8 && \
+    cp -a /usr/lib/python3.8/site-packages /out/usr/lib/python3.8/
+RUN mkdir -p /out/usr/share && \
+    cp -a /usr/share/bcc /out/usr/share/
+RUN mkdir -p /out/usr/bin && \
+    cp -a /usr/bin/bcc-lua /out/usr/bin/
+
+FROM ${BUILD_IMAGE} as mirror
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk update && apk upgrade -a && \
+  apk add --no-cache --initdb -p /out \
+  busybox \
+  luajit \
+  python3 \
+  zlib \
+  && true
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+ENV LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/lib64
+COPY --from=mirror /out /
+COPY --from=build /out /

kernel/Dockerfile.kconfig

@@ -1,4 +1,8 @@
-FROM linuxkit/alpine:6264e5b39af8eb1da7ffa4c05a7ccc597da01197 AS kernel-build
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE} AS kernel-build
+
+ARG KERNEL_VERSIONS
+
 RUN apk add \
     argp-standalone \
     bison \
@@ -6,21 +10,24 @@ RUN apk add \
     curl \
     diffutils \
     flex \
+    gmp-dev \
     libarchive-tools \
+    mpc1-dev \
+    mpfr-dev \
     ncurses-dev \
     patch \
     xz
 
-ARG KERNEL_VERSIONS
-
 COPY / /
 
 # Unpack kernels (download if not present)
 RUN set -e && \
     for VERSION in ${KERNEL_VERSIONS}; do \
+        MAJOR=$(echo ${VERSION} | cut -d . -f 1) && \
+        MAJOR=v${MAJOR}.x && \
         echo "Downloading/Unpacking $VERSION" && \
-        KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${VERSION}.tar.xz && \
-        [ -f sources/linux-${VERSION}.tar.xz ] || curl -fSLo sources/linux-${VERSION}.tar.xz ${KERNEL_SOURCE} && \
+        KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/${MAJOR}/linux-${VERSION}.tar.xz && \
+        [ -f sources/linux-${VERSION}.tar.xz ] || curl -fSLo sources/linux-${VERSION}.tar.xz --create-dirs ${KERNEL_SOURCE} && \
         bsdtar xf sources/linux-${VERSION}.tar.xz; \
     done
 
@@ -38,7 +45,6 @@ RUN set -e && \
         fi && \
         [ ! -f /config-${SERIES}-x86_64 ] || mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig && \
         [ ! -f /config-${SERIES}-aarch64 ] || mv /config-${SERIES}-aarch64 arch/arm64/configs/defconfig ; \
-        [ ! -f /config-${SERIES}-s390x ] || mv /config-${SERIES}-s390x arch/s390/defconfig; \
     done
 
 ENTRYPOINT ["/bin/sh"]

kernel/Dockerfile.perf

@@ -1,10 +1,49 @@
-# This Dockerfile extracts the perf utility from a kernel package and
-# places it into a scratch image
+# This Dockerfile extracts the source code and headers from a kernel package,
+# builds the perf utility, and places it into a scratch image
 ARG IMAGE
-FROM ${IMAGE} AS kernel
+ARG BUILD_IMAGE
+
+FROM ${IMAGE} AS ksrc
+
+FROM ${BUILD_IMAGE} AS build
+RUN apk add \
+    argp-standalone \
+    bash \
+    bc \
+    binutils-dev \
+    bison \
+    build-base \
+    diffutils \
+    flex \
+    gmp-dev \
+    installkernel \
+    kmod \
+    elfutils-dev \
+    findutils \
+    libelf-static \
+    mpc1-dev \
+    mpfr-dev \
+    python3 \
+    sed \
+    tar \
+    xz \
+    xz-dev \
+    zlib-dev \
+    zlib-static
+
+COPY --from=ksrc /linux.tar.xz /kernel-headers.tar /
+RUN tar xf linux.tar.xz && \
+    tar xf kernel-headers.tar
+
+WORKDIR /linux
+
+RUN mkdir -p /out && \
+    make -C tools/perf LDFLAGS=-static V=1 && \
+    strip tools/perf/perf && \
+    cp tools/perf/perf /out
 
 FROM scratch
 ENTRYPOINT []
 CMD []
 WORKDIR /
-COPY --from=kernel /perf /usr/bin/perf
+COPY --from=build /out/perf /usr/bin/perf

kernel/Dockerfile.zfs

@@ -1,6 +1,9 @@
 ARG IMAGE
+ARG BUILD_IMAGE
+
 FROM ${IMAGE} AS ksrc
-FROM linuxkit/alpine:6264e5b39af8eb1da7ffa4c05a7ccc597da01197 AS build
+
+FROM ${BUILD_IMAGE} AS build
 RUN apk add \
     attr-dev \
     autoconf \
@@ -12,6 +15,7 @@ RUN apk add \
     libtool \
     mpc1-dev \
     mpfr-dev \
+    openssl-dev \
     util-linux-dev \
     zlib-dev
 
@@ -22,17 +26,8 @@ RUN tar xf kernel-dev.tar
 COPY --from=ksrc /kernel.tar /
 RUN tar xf kernel.tar
 
-# Note: ZFS and SPL commits must match. It's unclear how much the user
-# space tools must match the kernel module version. The current zfs
-# package on Alpine is 0.6.5.9. We pick 0.6.5.10 because it has
-# support for 4.12 based kernels.
-ENV VERSION=0.6.5.10
-
-ENV SPL_REPO=https://github.com/zfsonlinux/spl.git
-ENV SPL_COMMIT=spl-${VERSION}
-RUN git clone ${SPL_REPO} && \
-    cd spl && \
-    git checkout ${SPL_COMMIT}
+# SPL is part of the ZFS repo since 0.8.0 (https://github.com/zfsonlinux/zfs/releases/tag/zfs-0.8.0)
+ENV VERSION=0.8.1
 
 ENV ZFS_REPO=https://github.com/zfsonlinux/zfs.git
 ENV ZFS_COMMIT=zfs-${VERSION}
@@ -40,23 +35,17 @@ RUN git clone ${ZFS_REPO} && \
     cd zfs && \
     git checkout ${ZFS_COMMIT}
 
-WORKDIR /spl
-RUN ./autogen.sh && \
-    ./configure && \
-    cd module && \
-    make && \
-    make install
-
 WORKDIR /zfs
 RUN ./autogen.sh && \
-    ./configure --with-spl=/spl && \
+    ./configure && \
+    ./scripts/make_gitrev.sh && \
     cd module && \
     make -j "$(getconf _NPROCESSORS_ONLN)" && \
     make install
 
 # Run depmod against the new module directory.
 RUN cd /lib/modules && \
-    depmod -ae * 
+    depmod -ae *
 
 FROM scratch
 ENTRYPOINT []

kernel/Makefile

@@ -15,8 +15,10 @@
 # Name and Org on Hub
 ORG?=linuxkit
 IMAGE:=kernel
+IMAGE_BCC:=kernel-bcc
 IMAGE_PERF:=kernel-perf
 IMAGE_ZFS:=zfs-kmod
+IMAGE_BUILDER=linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba
 
 # You can specify an extra options for the Makefile. This will:
 # - append a config$(EXTRA) to the kernel config for your kernel/arch
@@ -44,15 +46,14 @@ ARCH := $(shell uname -m)
 ifeq ($(ARCH),x86_64)
 SUFFIX=-amd64
 endif
-ifeq ($(ARCH),aarch64)
+ifeq ($(ARCH),$(filter $(ARCH),aarch64 arm64))
 SUFFIX=-arm64
 endif
-ifeq ($(ARCH),s390x)
-SUFFIX=-s390x
-endif
 
 TAG=$(HASH)$(DIRTY)
 
+BUILD_LABEL=--label org.mobyproject.linuxkit.kernel.buildimage=$(IMAGE_BUILDER)
+
 REPO?=https://github.com/linuxkit/linuxkit
 ifneq ($(REPO),)
 REPO_LABEL=--label org.opencontainers.image.source=$(REPO)
@@ -61,27 +62,22 @@ ifeq ($(DIRTY),)
 REPO_COMMIT=$(shell git rev-parse HEAD)
 COMMIT_LABEL=--label org.opencontainers.image.revision=$(REPO_COMMIT)
 endif
-LABELS=$(REPO_LABEL) $(COMMIT_LABEL)
 
-ifeq ($(DOCKER_CONTENT_TRUST),)
-ifndef NOTRUST
-export DOCKER_CONTENT_TRUST=1
-endif
-endif
+LABELS=$(REPO_LABEL) $(COMMIT_LABEL) $(BUILD_LABEL)
 
 KERNEL_VERSIONS=
 
-.PHONY: fetch build push
+.PHONY: build push
 # Targets:
-# fetch: Downloads the kernel sources into ./sources
 # build: Builds all kernels
 # push:  Pushes and sign all tagged kernel images to hub
-fetch:
 build:
 push:
 
-sources:
-	mkdir -p $@
+.PHONY: notdirty
+notdirty:
+	@if [ x"$(DIRTY)" !=  x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+
 
 # A template for defining kernel build
 # Arguments:
@@ -99,116 +95,158 @@ sources:
 define kernel
 
 ifeq ($(4),)
-sources/linux-$(1).tar.xz: Makefile | sources
-	curl -fsSLo sources/linux-$(1).tar.xz https://www.kernel.org/pub/linux/kernel/v4.x/linux-$(1).tar.xz 
 KERNEL_VERSIONS+=$(1)
 endif
 
-build_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg | sources
+build_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg
 	docker pull $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		docker build \
 			--build-arg KERNEL_VERSION=$(1) \
 			--build-arg KERNEL_SERIES=$(2) \
 			--build-arg EXTRA=$(3) \
 			--build-arg DEBUG=$(4) \
+			--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 			$(LABELS) \
 			--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
-forcebuild_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg | sources
+
+forcebuild_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg
 	docker build \
 		--build-arg KERNEL_VERSION=$(1) \
 		--build-arg KERNEL_SERIES=$(2) \
 		--build-arg EXTRA=$(3) \
 		--build-arg DEBUG=$(4) \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 		$(LABELS) \
 		--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
-push_$(2)$(3)$(4): build_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" !=  x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+push_$(2)$(3)$(4): notdirty build_$(2)$(3)$(4)
 	docker pull $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		(docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 		 docker tag $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
 		 docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST))
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4))
 
-forcepush_$(2)$(3)$(4): forcebuild_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" !=  x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+forcepush_$(2)$(3)$(4): notdirty forcebuild_$(2)$(3)$(4)
 	docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 	 docker tag $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
 	 docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
-	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST)
+	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) && \
+	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)
+
+# tag the builder and create the manifest
+tagbuilder_$(2)$(3)$(4): notdirty
+	docker tag $(IMAGE_BUILDER) $(ORG)/$(IMAGE):$(1)$(3)$(4)-builder$(SUFFIX) && \
+	docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)-builder$(SUFFIX) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-builder
+
 
 show-tag_$(2)$(3)$(4):
 	@echo $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)
 
 build: build_$(2)$(3)$(4)
 forcebuild: forcebuild_$(2)$(3)$(4)
-push: push_$(2)$(3)$(4)
-forcepush: forcepush_$(2)$(3)$(4)
+push: push_image tagbuilder
+push_image: push_$(2)$(3)$(4)
+forcepush: forcepush_image tagbuilder
+forcepush_image: forcepush_$(2)$(3)$(4)
+tagbuilder: tagbuilder_$(2)$(3)$(4)
 show-tags: show-tag_$(2)$(3)$(4)
-fetch: sources/linux-$(1).tar.xz
 
-# 'docker build' with the FROM image supplied as --build-arg
-# *and* with DOCKER_CONTENT_TRUST=1 currently does not work
-# (https://github.com/moby/moby/issues/34199). So, we pull the image
-# with DCT as part of the dependency on build_$(2)$(3)$(4) and then build
-# with DOCKER_CONTENT_TRUST explicitly set to 0
-
-ifneq ($(2), $(filter $(2),4.4.x 4.9.x))
-# perf does not build out of the box for 4.4.x and 4.9.x
+# Only build perf only on x86 and recent LTS and latest stable kernels
+ifeq ($(ARCH),x86_64)
+ifeq ($(2), $(filter $(2),5.15.x 5.10.x 5.4.x))
 build_perf_$(2)$(3)$(4): build_$(2)$(3)$(4)
 	docker pull $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
-		 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.perf \
+		 docker build -f Dockerfile.perf \
 			--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+			--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 			--no-cache --network=none $(LABEL) -t $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
 forcebuild_perf_$(2)$(3)$(4): build_$(2)$(3)$(4)
-	 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.perf \
+	docker build -f Dockerfile.perf \
 		--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 		--no-cache --network=none $(LABEL) -t $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
-push_perf_$(2)$(3)$(4): build_perf_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+push_perf_$(2)$(3)$(4): notdirty build_perf_$(2)$(3)$(4)
 	docker pull $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		(docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 		 docker tag $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
 		 docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST))
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4))
 
-forcepush_perf_$(2)$(3)$(4): forcebuild_perf_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+forcepush_perf_$(2)$(3)$(4): notdirty forcebuild_perf_$(2)$(3)$(4)
 	docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 	docker tag $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
 	docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
-	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST)
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)
 
 build: build_perf_$(2)$(3)$(4)
 forcebuild: forcebuild_perf_$(2)$(3)$(4)
 push: push_perf_$(2)$(3)$(4)
 forcepush: forcepush_perf_$(2)$(3)$(4)
 endif
+endif
+
+# Only build bcc only on x86 and recent LTS and latest stable kernels
+ifeq ($(ARCH),x86_64)
+ifeq ($(2), $(filter $(2),5.15.x 5.10.x 5.4.x))
+build_bcc_$(2)$(3)$(4): build_$(2)$(3)$(4)
+	docker pull $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
+		docker build -f Dockerfile.bcc \
+			--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+			--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
+			--no-cache $(LABEL) -t $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
+
+forcebuild_bcc_$(2)$(3)$(4): build_$(2)$(3)$(4)
+	 docker build -f Dockerfile.bcc \
+		--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
+		--no-cache $(LABEL) -t $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
+
+push_bcc_$(2)$(3)$(4): notdirty build_bcc_$(2)$(3)$(4)
+	docker pull $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
+		(docker push $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
+		 docker tag $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)$(SUFFIX) && \
+		 docker push $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)$(SUFFIX) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4))
+
+forcepush_bcc_$(2)$(3)$(4): notdirty forcebuild_bcc_$(2)$(3)$(4)
+	docker push $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
+	docker tag $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)$(SUFFIX) && \
+	docker push $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)$(SUFFIX) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)
+
+build: build_bcc_$(2)$(3)$(4)
+forcebuild: forcebuild_bcc_$(2)$(3)$(4)
+push: push_bcc_$(2)$(3)$(4)
+forcepush: forcepush_bcc_$(2)$(3)$(4)
+endif
+endif
 
 ifeq ($(4),)
 # ZFS does not compile against -dbg kernels because CONFIG_DEBUG_LOCK_ALLOC
 # is incompatible with CDDL, apparently (this is ./configure check)
 build_zfs_$(2)$(3): build_$(2)$(3)
 	docker pull $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) || \
-		 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.zfs \
+		docker build -f Dockerfile.zfs \
 			--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) \
+			--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 			--no-cache $(LABEL) -t $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) .
 
-push_zfs_$(2)$(3): build_zfs_$(2)$(3)
-	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+push_zfs_$(2)$(3): notdirty build_zfs_$(2)$(3)
 	docker pull $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) || \
 		(docker push $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) && \
 		 docker tag $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_ZFS):$(1)$(3)$(SUFFIX) && \
 		 docker push $(ORG)/$(IMAGE_ZFS):$(1)$(3)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_ZFS):$(1)$(3) $(DOCKER_CONTENT_TRUST))
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_ZFS):$(1)$(3))
 endif
 
 endef
@@ -218,25 +256,29 @@ endef
 # Debug targets only for latest stable and LTS stable
 #
 ifeq ($(ARCH),x86_64)
-$(eval $(call kernel,4.17.10,4.17.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.14.58,4.14.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.14.58,4.14.x,,-dbg))
-$(eval $(call kernel,4.14.53,4.14.x,-rt,))
-$(eval $(call kernel,4.9.115,4.9.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.4.144,4.4.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.15.27,5.15.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.15.27,5.15.x,,-dbg))
+$(eval $(call kernel,5.10.104,5.10.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.4.172,5.4.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.11.4,5.11.x,-rt,))
 
-else ifeq ($(ARCH),aarch64)
-$(eval $(call kernel,4.17.10,4.17.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.14.58,4.14.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.14.53,4.14.x,-rt,))
+else ifeq ($(ARCH),$(filter $(ARCH),aarch64 arm64))
+$(eval $(call kernel,5.15.27,5.15.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.10.104,5.10.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.11.4,5.11.x,-rt,))
 
-else ifeq ($(ARCH),s390x)
-$(eval $(call kernel,4.17.10,4.17.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.14.58,4.14.x,$(EXTRA),$(DEBUG)))
 endif
 
 # Target for kernel config
-kconfig: | sources
+kconfig:
+ifeq (${KCONFIG_TAG},)
 	docker build --no-cache -f Dockerfile.kconfig \
 		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 		-t linuxkit/kconfig  .
+else
+	docker build --no-cache -f Dockerfile.kconfig \
+		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
+		-t linuxkit/kconfig:${KCONFIG_TAG}  .
+endif