Merge pull request #3835 from dgageot/release-workflow

Add an automated release workflow

.circleci/config.yml

@@ -1,62 +0,0 @@
-version: 2
-jobs:
-  build:
-    working_directory: /go/src/github.com/linuxkit/linuxkit
-    docker:
-      - image: circleci/golang:1.11-stretch
-    steps:
-      - checkout
-      - run: mkdir -p ./bin
-      - run:
-          name: Versions
-          command: |
-            set -x
-            go version
-            cat /etc/os-release
-      - run:
-          name: Dependencies
-          command: |
-            go get -u golang.org/x/lint/golint
-            go get -u github.com/gordonklaus/ineffassign
-      - run:
-          name: Lint
-          command: make local-check
-      - run:
-          name: Build amd64/linux
-          environment:
-            GOOS: linux
-            GOARCH: amd64
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
-      - run:
-          name: Build arm64/linux
-          environment:
-            GOOS: linux
-            GOARCH: arm64
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
-      - run:
-          name: Build s390x/linux
-          environment:
-            GOOS: linux
-            GOARCH: s390x
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
-      - run:
-          name: Build amd64/darwin
-          environment:
-            GOOS: darwin
-            GOARCH: amd64
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
-      - run:
-          name: Build amd64/windows
-          environment:
-            GOOS: windows
-            GOARCH: amd64
-          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH.exe local-build
-      - run:
-          name: Test
-          command: make local-test
-      - run:
-          name: Checksum
-          command: cd bin && sha256sum linuxkit-*-* > SHA256SUM
-      - store_artifacts:
-          path: ./bin
-          destination: .

.github/workflows/ci.yml

@@ -0,0 +1,381 @@
+name: LinuxKit CI
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Build & Test
+    strategy:
+      matrix:
+        target:
+          - os: linux
+            arch: amd64
+            suffix: amd64-linux
+            runner: ubuntu-latest
+          - os: linux
+            arch: arm64
+            suffix: arm64-linux
+            runner: ubuntu-latest
+          - os: linux
+            arch: s390x
+            suffix: s390x-linux
+            runner: ubuntu-latest
+          - os: darwin
+            arch: amd64
+            suffix: amd64-darwin
+            runner: macos-latest
+          - os: darwin
+            arch: arm64
+            suffix: arm64-darwin
+            runner: macos-latest
+          - os: windows
+            arch: amd64
+            suffix: amd64-windows.exe
+            runner: ubuntu-latest
+
+    runs-on: ${{ matrix.target.runner }}
+    steps:
+
+    - name: Set up Go 1.16
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.16.7
+      id: go
+
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Set path
+      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+      env:
+         GOPATH: ${{runner.workspace}}
+
+    - name: Get pre-requisites
+      run: |
+            go get -u golang.org/x/lint/golint
+            go get -u github.com/gordonklaus/ineffassign
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    # - name: Lint
+    #   run: |
+    #     make local-check
+    #   env:
+    #     GOPATH: ${{runner.workspace}}
+
+    - name: Build
+      run: |
+        make GOARCH=${{matrix.target.arch}} GOOS=${{matrix.target.os}} LOCAL_TARGET=$(pwd)/bin/linuxkit-${{matrix.target.suffix}} local-build
+        file bin/linuxkit-${{matrix.target.suffix}}
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - name: Checksum
+      run: |
+        cd bin
+        if command -v sha256sum > /dev/null; then sha256sum linuxkit-${{matrix.target.suffix}} > linuxkit-${{matrix.target.suffix}}.SHA256SUM
+        else openssl sha256 -r linuxkit-${{matrix.target.suffix}} | tr -d '*'  > linuxkit-${{matrix.target.suffix}}.SHA256SUM
+        fi
+        cat linuxkit-${{matrix.target.suffix}}.SHA256SUM
+
+    - name: Test
+      run: make local-test
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - name: Upload binary
+      uses: actions/upload-artifact@v2
+      with:
+        name: linuxkit-${{matrix.target.suffix}}
+        path: |
+          bin/linuxkit-${{matrix.target.suffix}}
+          bin/linuxkit-${{matrix.target.suffix}}.SHA256SUM
+        if-no-files-found: error
+
+  build_packages:
+    name: Build Packages
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Set up binfmt
+      # Only register arm64 as we are on amd64 already. s390x is not reliable
+      run: docker run --privileged --rm tonistiigi/binfmt --install arm64
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Cache Packages
+      uses: actions/cache@v2
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+
+    - name: Build Packages
+      # Skip s390x as emulation is unreliable
+      run: |
+        make OPTIONS="-v --skip-platforms linux/s390x" -C pkg build
+
+  test_packages:
+    name: Packages Tests
+    needs: [ build_packages, build ]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Restore Package Cache
+      uses: actions/cache@v2
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.packages
+
+  test_kernel:
+    name: Kernel Tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.kernel
+
+  test_linuxkit:
+    name: LinuxKit Build Tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.build
+
+  test_platforms:
+    name: Platform Tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.platforms
+
+  test_security:
+    name: Security Tests
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v2
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v2
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Run Tests
+      run: |
+          cd test
+          rtf -l build -v run -x linuxkit.security

.github/workflows/publish.yaml

@@ -0,0 +1,67 @@
+# publish changes that are merged to master
+name: Packages Push
+on:
+  workflow_run:
+    workflows: [LinuxKit CI]
+    types: [completed]
+    branches: [master, main]
+
+jobs:
+  packages:
+    env:
+      linuxkit_file: linuxkit-amd64-linux
+    name: Publish Changed Packages
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+    - name: Ensure bin/ directory
+      run: mkdir -p bin
+    - name: Download linuxkit
+      uses: actions/github-script@v3.1.0
+      with:
+        script: |
+          var artifacts = await github.actions.listWorkflowRunArtifacts({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: ${{github.event.workflow_run.id }},
+          });
+          var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+            return artifact.name == "${{ env.linuxkit_file }}"
+          })[0];
+          var download = await github.actions.downloadArtifact({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              artifact_id: matchArtifact.id,
+              archive_format: 'zip',
+          });
+          var fs = require('fs');
+          fs.writeFileSync('${{github.workspace}}/bin/${{ env.linuxkit_file }}.zip', Buffer.from(download.data));
+    - name: unzip linuxkit
+      run: cd bin && unzip ${{ env.linuxkit_file }}.zip
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/${{ env.linuxkit_file }}
+        sudo ln -s $(pwd)/bin/${{ env.linuxkit_file }} /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+    - name: Restore Package Cache
+      uses: actions/cache@v2
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+    - name: Login to Docker Hub
+      uses: docker/login-action@v2
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Publish Packages
+      # this should only push changed ones:
+      #  - unchanged: already in the registry
+      #  - changed: already built and cached, so only will push
+      # Skip s390x as emulation is unreliable
+      run: |
+        make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild"

.github/workflows/release.yml

@@ -0,0 +1,42 @@
+name: LinuxKit CI
+
+on:
+  create:
+    tags:
+      - v*
+
+jobs:
+  build:
+    name: Build all targets
+    runs-on: macos-latest
+    steps:
+
+    - name: Set up Go 1.16
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.16.7
+      id: go
+
+    - name: Check out code
+      uses: actions/checkout@v1
+      with:
+        path: ./src/github.com/linuxkit/linuxkit
+
+    - name: Set path
+      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+      env:
+         GOPATH: ${{runner.workspace}}
+
+    - name: Build
+      run: |
+        make build-all-targets
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - name: GitHub Release
+      uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        draft: true
+        files: bin/*

.gitignore

@@ -19,3 +19,4 @@ Dockerfile.media
 *-cmdline
 *-state
 artifacts/*
+tools/alpine/iid

.mailmap

@@ -1,5 +1,3 @@
-# Generate AUTHORS: scripts/generate-authors.sh
-
 # Tip for finding duplicates (besides scanning the output of AUTHORS for name
 # duplicates that aren't also email duplicates): scan the output of:
 #   git log --format='%aE - %aN' | sort -uf
@@ -41,7 +39,8 @@ Magnus Skjegstad <magnus.skjegstad@docker.com> <magnus@skjegstad.com>
 Marten Cassel <marten.cassel@gmail.com> <mcpop28@hotmail.com>
 Mindy Preston <mindy.preston@docker.com> <meetup@yomimono.org>
 MinJae Kwon <mingrammer@gmail.com>
-Nathan Dautenhahn <ndd@seas.upenn.edu> <ndd@cis.upenn.edu>
+Nathan Dautenhahn <ndd@rice.edu> <ndd@seas.upenn.edu>
+Nathan Dautenhahn <ndd@rice.edu> <ndd@cis.upenn.edu>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathan.leclaire@gmail.com>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathanleclaire@gmail.com>
 Niclas Mietz <niclas@mietz.io>

ADOPTERS.md

@@ -16,4 +16,4 @@ _This list is currently under construction. Please add your use cases to this wi
 
 **_[dm-linuxkit](https://github.com/dotmesh-io/dm-linuxkit)_** A dotmesh controller for LinuxKit persistent storage management.
 
-**_[Zenbuild](https://github.com/zededa/zenbuild)_** Linuxkit based IoT Edge Operating System (Zenix)
+**_[Linux Foundation Edge EVE](https://github.com/lf-edge/eve)_** Edge Virtualization Engine Operating System

AUTHORS

@@ -6,22 +6,28 @@ Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
 Alan Raison <alanraison@users.noreply.github.com>
 Alex Ellis <alexellis2@gmail.com>
 Alex Johnson <hello@alex-johnson.net>
+Alex Szakaly <alex.szakaly@gmail.com>
 Alexander Slesarev <alex.slesarev@nudatasecurity.com>
 Alice Frosi <alice@linux.vnet.ibm.com>
 Amir Chaudhry <amir.chaudhry@docker.com>
 Anil Madhavapeddy <anil.madhavapeddy@docker.com>
+Arthur Lutz <arthur.lutz@logilab.fr>
 Asbjorn Enge <asbjorn@hanafjedle.net>
 Avi Deitcher <avi@deitcher.net>
+Aymen EL AMRI <aymen@eralabs.io>
 Ben Allen <bsallen@alcf.anl.gov>
 Bill Kerr <bill@generalbill.com>
+Björn Ingeson <bjorn.ingeson@gmail.com>
 Brice Figureau <brice-puppet@daysofwonder.com>
 Carlton-Semple <carlton.semple@ibm.com>
 Chanwit Kaewkasi <chanwit@gmail.com>
 Christian Wuerdig <christian.wuerdig@gmail.com>
+Clovis Durand <cd.clovel19@gmail.com>
 Craig Ingram <cingram@heroku.com>
 Damiano Donati <damiano.donati@gmail.com>
 Dan Finneran <dan@thebsdbox.co.uk>
 Daniel Caminada <daniel.caminada@ergon.ch>
+Daniel Dean <daniel@razorsecure.com>
 Daniel Hiltgen <daniel.hiltgen@docker.com>
 Daniel Nephin <dnephin@gmail.com>
 Dave Freitag <dcfreita@us.ibm.com>
@@ -33,18 +39,24 @@ David Scott <dave.scott@docker.com>
 David Sheets <david.sheets@docker.com>
 Dennis Chen <dennis.chen@arm.com>
 Dieter Reuter <dieter.reuter@me.com>
+Dominic White <singe-github@singe.za.net>
 duraki <duraki@linuxmail.org>
 Edward Vielmetti <edward.vielmetti@gmail.com>
 Emily Casey <ecasey@pivotal.io>
 Eric Briand <eric.briand@gmail.com>
 Evan Hazlett <ejhazlett@gmail.com>
+Federico Pellegatta <12744504+federico-pellegatta@users.noreply.github.com>
 French Ben <frenchben@docker.com>
+Frédéric Dalleau <frederic.dalleau@docker.com>
 functor <meehow@gmail.com>
+Gabriel Chabot <gabriel.chabot@qarnot-computing.com>
 Garth Bushell <garth.bushell@oracle.com>
 George Papanikolaou <g3orge.app@gmail.com>
+Gerben Geijteman <gerben@isset.nl>
 Gianluca Arbezzano <gianarb92@gmail.com>
 Guillaume Rose <guillaume.rose@docker.com>
 Hans van den Bogert <hansbogert@gmail.com>
+hyperized <gerben@hyperized.net>
 Ian Campbell <ian.campbell@docker.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
 Isaac Rodman <isaac@eyz.us>
@@ -63,12 +75,15 @@ Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
 Justin Barrick <jbarrick@cloudflare.com>
 Justin Cormack <justin.cormack@docker.com>
 Justin Ko <justin.ko@oracle.com>
+Justin Terry (VM) <juterry@microsoft.com>
+Karol Woźniak <wozniakk@gmail.com>
 Ken Cochrane <ken.cochrane@docker.com>
 Krister Johansen <krister.johansen@oracle.com>
 Krisztian Horvath <keyki.kk@gmail.com>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
 Liqdfire <liqdfire@gmail.com>
 Lorenzo Fontana <lo@linux.com>
+Loïc Pottier <lpottier@isi.edu>
 Luke Hodkinson <furious.luke@gmail.com>
 Madhu Venugopal <madhu@docker.com>
 Magnus Skjegstad <magnus.skjegstad@docker.com>
@@ -81,12 +96,13 @@ Mathieu Pasquet <mathieu.pasquet@alterway.fr>
 Matt Bajor <matt.bajor@workday.com>
 Matt Bentley <matt.bentley@docker.com>
 Matt Johnson <matjohn2@cisco.com>
+Michael Aldridge <aldridge.mac@gmail.com>
 Michel Courtine <michel.courtine@docker.com>
 Mickaël Salaün <mic@digikod.net>
 Mindy Preston <mindy.preston@docker.com>
 MinJae Kwon <mingrammer@gmail.com>
 Natanael Copa <natanael.copa@docker.com>
-Nathan Dautenhahn <ndd@seas.upenn.edu>
+Nathan Dautenhahn <ndd@rice.edu>
 Nathan LeClaire <nathan.leclaire@docker.com>
 Nick Jones <nick@dischord.org>
 Niclas Mietz <niclas@mietz.io>
@@ -95,10 +111,13 @@ Olaf Bergner <olaf.bergner@gmx.de>
 Olaf Flebbe <of@oflebbe.de>
 Omar Ramadan <omar.ramadan93@gmail.com>
 Patrik Cyvoct <patrik@ptrk.io>
+Petr Fedchenkov <giggsoff@gmail.com>
 Phil Estes <estesp@linux.vnet.ibm.com>
 Pierre Gayvallet <pierre.gayvallet@docker.com>
 Pratik Mallya <mallya@us.ibm.com>
+Preston Holmes <preston@ptone.com>
 Radu Matei <matei.radu94@gmail.com>
+Richard Connon <richard@connon.me.uk>
 Richard Mortier <mort@cantab.net>
 Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 Robb Kistler <robb.kistler@docker.com>
@@ -107,11 +126,15 @@ Rolf Neugebauer <rn@rneugeba.io>
 Roman Shaposhnik <rvs@zededa.com>
 Rui Lopes <rgl@ruilopes.com>
 Ryoga Saito <proelbtn@gmail.com>
+Sachi King <nakato@nakato.io>
+salman aljammaz <s@aljmz.com>
+schrotthaufen <schrotthaufen@invalid.invalid>
 Scott Coulton <scott.coulton@puppet.com>
 Sebastiaan van Stijn <sebastiaan.vanstijn@docker.com>
 sethp <seth.pellegrino@gmail.com>
 Simarpreet Singh <simar@linux.com>
 Simon Ferquel <simon.ferquel@docker.com>
+Simon Fridlund <simon@fridlund.email>
 Sotiris Salloumis <sotiris.salloumis@gmail.com>
 Steeve Morin <steeve.morin@gmail.com>
 Stefan Bourlon <stefan.bourlon@ca.com>
@@ -132,6 +155,7 @@ Tomas Knappek <tomas.knappek@gmail.com>
 Tristan Slominski <tristan.slominski@gmail.com>
 Tycho Andersen <tycho@docker.com>
 Vincent Demeester <Vincent.Demeester@docker.com>
+Yoann Ricordel <yoann.ricordel@qarnot-computing.com>
 Zachery Hostens <zacheryph@gmail.com>
 zimbatm <zimbatm@zimbatm.com>
 zlim <zlim.lnx@gmail.com>

CHANGELOG.md

@@ -3,6 +3,32 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
+## [v0.8] - 2020-05-10
+### Added
+
+- Removed dependency on external `notary` and `manifest-tool` binaries for package builds
+- Risc-V support for `binfmt`
+- Support for GPT partitions
+- `metadata` package support for Digital Ocean and Hetzner as well as loading from a file
+- Support for `/sys/fs/bpf` in `init`
+- Github Actions for CI
+
+### Changed
+- `alpine` base updated to 3.11
+- `containerd` updated to v1.3.4
+- `runc` updated to v1.0.0-rc9
+- `binfmt` updated to qemu 4.2
+- `node_exporter` updated to  v0.18.1
+- `cadvisor` updated to v0.36.0
+- WireGuard updated to 1.0.20200319
+- Improved CDROM support and fixes to GCP and Scaleway providers in the `metadata` package
+- Improved creation of `swap` files
+- Improved RPI3 build
+
+### Removed
+- Containerized `qemu`
+- Windows binary from release
+
 ## [v0.7] - 2019-04-17
 ### Added
 - Reproducible `linuxkit build` for some output formats

MAINTAINERS

@@ -159,13 +159,24 @@ on disputes for technical matters."
 [Org]
 	[Org."Core maintainers"]
 		people = [
+			"dave-tucker",
 			"deitch",
+			"djs55",
 			"ijc",
 			"justincormack",
-			"riyazdf",
 			"rn",
 		]
 
+	[Org.Alumni]
+
+	# This list contains maintainers that are no longer active on the project.
+	# It is thanks to these people that the project has become what it is today.
+	# Thank you!
+
+		people = [
+			"riyazdf",
+		]
+
 [people]
 
 # A reference list of all people associated with the project.
@@ -173,11 +184,21 @@ on disputes for technical matters."
 # in the people section.
 
 	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
+	[People.dave-tucker]
+	Name = "Dave Tucker"
+	Email = "dave@dtucker.co.uk"
+	Github = "dave-tucker"
+
 	[People.deitch]
 	Name = "Avi Deitcher"
 	Email = "avi@atomicinc.com"
 	GitHub = "deitch"
 
+	[People.djs55]
+	Name = "David Scott"
+	Email = "dave@recoil.org"
+	Github = "djs55"
+
 	[People.ijc]
 	Name = "Ian Campbell"
 	Email = "ian.campbell@docker.com"

Makefile

@@ -1,18 +1,16 @@
-VERSION="v0.7"
-GIT_COMMIT=$(shell git rev-list -1 HEAD)
+VERSION="v0.8+"
 
-GO_COMPILE=linuxkit/go-compile:8de0e27a38498389e43b3a5b520d943a2b3be5ba
+GO_COMPILE=linuxkit/go-compile:7b1f5a37d2a93cd4a9aa2a87db264d8145944006
 
 ifeq ($(OS),Windows_NT)
-LINUXKIT?=bin/linuxkit.exe
+LINUXKIT?=$(CURDIR)/bin/linuxkit.exe
 RTF?=bin/rtf.exe
 GOOS?=windows
 else
-LINUXKIT?=bin/linuxkit
+LINUXKIT?=$(CURDIR)/bin/linuxkit
 RTF?=bin/rtf
 GOOS?=$(shell uname -s | tr '[:upper:]' '[:lower:]')
 endif
-GOARCH?=amd64
 ifneq ($(GOOS),linux)
 CROSS+=-e GOOS=$(GOOS)
 endif
@@ -20,24 +18,28 @@ ifneq ($(GOARCH),amd64)
 CROSS+=-e GOARCH=$(GOARCH)
 endif
 
-PREFIX?=/usr/local/
+PREFIX?=/usr/local
+
+LOCAL_TARGET?=$(CURDIR)/bin/linuxkit
+
+export VERSION GO_COMPILE GOOS GOARCH LOCAL_TARGET LINUXKIT
 
 .DELETE_ON_ERROR:
 
 .PHONY: default all
-default: $(LINUXKIT) $(RTF)
+default: linuxkit $(RTF)
 all: default
 
-RTF_COMMIT=171155c375706f2616f0b9c96afe2240e15d1de1
+RTF_COMMIT=2351267f358ce6621c0c0d9a069f361268dba5fc
 RTF_CMD=github.com/linuxkit/rtf/cmd
 RTF_VERSION=0.0
 $(RTF): tmp_rtf_bin.tar | bin
-	tar xf $<
+	tar -C $(dir $(RTF)) -xf $<
 	rm $<
 	touch $@
 
 tmp_rtf_bin.tar: Makefile
-	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/linuxkit/rtf --clone https://github.com/linuxkit/rtf.git --commit $(RTF_COMMIT) --package github.com/linuxkit/rtf --ldflags "-X $(RTF_CMD).GitCommit=$(RTF_COMMIT) -X $(RTF_CMD).Version=$(RTF_VERSION)" -o $(RTF) > $@
+	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/linuxkit/rtf --clone https://github.com/linuxkit/rtf.git --commit $(RTF_COMMIT) --package github.com/linuxkit/rtf --ldflags "-X $(RTF_CMD).GitCommit=$(RTF_COMMIT) -X $(RTF_CMD).Version=$(RTF_VERSION)" -o $(notdir $(RTF)) > $@
 
 # Manifest tool for multi-arch images
 MT_COMMIT=bfbd11963b8e0eb5f6e400afaebeaf39820b4e90
@@ -50,56 +52,29 @@ bin/manifest-tool: tmp_mt_bin.tar | bin
 tmp_mt_bin.tar: Makefile
 	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/estesp/manifest-tool --clone $(MT_REPO) --commit $(MT_COMMIT) --package github.com/estesp/manifest-tool --ldflags "-X main.gitCommit=$(MT_COMMIT)" -o bin/manifest-tool > $@
 
-LINUXKIT_DEPS=$(wildcard src/cmd/linuxkit/*.go) $(wildcard src/cmd/linuxkit/*/*.go) Makefile src/cmd/linuxkit/vendor.conf
-$(LINUXKIT): tmp_linuxkit_bin.tar
-	tar xf $<
-	rm $<
-	touch $@
-
-tmp_linuxkit_bin.tar: $(LINUXKIT_DEPS)
-	tar cf - -C src/cmd/linuxkit . | docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit/src/cmd/linuxkit --ldflags "-X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.GitCommit=$(GIT_COMMIT) -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.Version=$(VERSION)" -o $(LINUXKIT) > $@
+.PHONY: linuxkit
+linuxkit: bin
+	make -C ./src/cmd/linuxkit
 
 .PHONY: test-cross
 test-cross:
-	$(MAKE) clean
-	$(MAKE) -j 3 GOOS=darwin tmp_rtf_bin.tar tmp_mt_bin.tar tmp_linuxkit_bin.tar
-	$(MAKE) clean
-	$(MAKE) -j 3 GOOS=windows tmp_rtf_bin.tar tmp_mt_bin.tar tmp_linuxkit_bin.tar
-	$(MAKE) clean
-	$(MAKE) -j 3 GOOS=linux tmp_rtf_bin.tar tmp_mt_bin.tar tmp_linuxkit_bin.tar
-	$(MAKE) clean
+	make -C ./src/cmd/linuxkit test-cross
 
-LOCAL_LDFLAGS += -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.GitCommit=$(GIT_COMMIT) -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.Version=$(VERSION)
-LOCAL_TARGET ?= $(LINUXKIT)
+.PHONY: local local-%
+local:
+	make -C ./src/cmd/linuxkit local
 
-.PHONY: local-check local-build local-test local-static-pie local-static local-dynamic local
-local-check: $(LINUXKIT_DEPS)
-	@echo gofmt... && o=$$(gofmt -s -l $(filter %.go,$(LINUXKIT_DEPS))) && if [ -n "$$o" ] ; then echo $$o ; exit 1 ; fi
-	@echo govet... && go tool vet -printf=false $(filter %.go,$(LINUXKIT_DEPS))
-	@echo golint... && set -e ; for i in $(filter %.go,$(LINUXKIT_DEPS)); do golint $$i ; done
-	@echo ineffassign... && ineffassign  $(filter %.go,$(LINUXKIT_DEPS))
-
-local-build: local-static
-
-local-static-pie: $(LINUXKIT_DEPS) | bin
-	CGO_ENABLED=0 go build -o $(LOCAL_TARGET) --buildmode pie --ldflags "-s -w -extldflags \"-static\" $(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
-
-local-static: $(LINUXKIT_DEPS) | bin
-	CGO_ENABLED=0 go build -o $(LOCAL_TARGET) --ldflags "$(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
-
-local-dynamic: $(LINUXKIT_DEPS) | bin
-	go build -o $(LOCAL_TARGET) --ldflags "$(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
-
-local-test: $(LINUXKIT_DEPS)
-	go test $(shell go list github.com/linuxkit/linuxkit/src/cmd/linuxkit/... | grep -v ^github.com/linuxkit/linuxkit/src/cmd/linuxkit/vendor/)
-
-local: local-check local-build local-test
+local-%:
+	make -C ./src/cmd/linuxkit $@
 
 bin:
 	mkdir -p $@
 
 install:
-	cp -R ./bin/* $(PREFIX)/bin
+	cp -R bin/* $(PREFIX)/bin
+
+sign:
+	codesign --entitlements linuxkit.entitlements --force -s - $(PREFIX)/bin/linuxkit
 
 .PHONY: test
 test:
@@ -130,3 +105,31 @@ ci-pr: test-cross
 .PHONY: clean
 clean:
 	rm -rf bin *.log *-kernel *-cmdline *-state *.img *.iso *.gz *.qcow2 *.vhd *.vmx *.vmdk *.tar *.raw
+
+update-package-tags:
+ifneq ($(LK_RELEASE),)
+	$(eval tags := $(shell cd pkg; make show-tag | cut -d ':' -f1))
+	$(eval image := :$(LK_RELEASE))
+else
+	$(eval tags := $(shell cd pkg; make show-tag))
+	$(eval image := )
+endif
+	for img in $(tags); do \
+		./scripts/update-component-sha.sh --image $${img}$(image); \
+	done
+
+.PHONY: build-all-targets
+build-all-targets: bin
+	$(MAKE) GOOS=darwin GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-arm64 local-build
+	file bin/linuxkit-darwin-arm64
+	$(MAKE) GOOS=darwin GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-amd64 local-build
+	file bin/linuxkit-darwin-amd64
+	$(MAKE) GOOS=linux GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-arm64 local-build
+	file bin/linuxkit-linux-arm64
+	$(MAKE) GOOS=linux GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-amd64 local-build
+	file bin/linuxkit-linux-amd64
+	$(MAKE) GOOS=linux GOARCH=s390x LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-s390x local-build
+	file bin/linuxkit-linux-s390x
+	$(MAKE) GOOS=windows GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-windows-amd64.exe local-build
+	file bin/linuxkit-windows-amd64.exe
+	cd bin && openssl sha256 -r linuxkit-* | tr -d '*' > checksums.txt

README.md

@@ -13,7 +13,7 @@ LinuxKit, a toolkit for building custom minimal, immutable Linux distributions.
 - Designed to create [reproducible builds](./docs/reproducible-builds.md) [WIP]
 - Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
 - Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
-- Designed to be managed by external tooling, such as [Infrakit](https://github.com/docker/infrakit) or similar tools
+- Designed to be managed by external tooling, such as [Infrakit](https://github.com/docker/infrakit) (renamed to [deploykit](https://github.com/docker/deploykit) which has been archived in 2019) or similar tools
 - Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security
 
 LinuxKit currently supports the `x86_64`, `arm64`, and `s390x` architectures on a variety of platforms, both as virtual machines and baremetal (see [below](#booting-and-testing) for details).
@@ -36,7 +36,7 @@ LinuxKit uses the `linuxkit` tool for building, pushing and running VM images.
 Simple build instructions: use `make` to build. This will build the tool in `bin/`. Add this
 to your `PATH` or copy it to somewhere in your `PATH` eg `sudo cp bin/* /usr/local/bin/`. Or you can use `sudo make install`.
 
-If you already have `go` installed you can use `go get -u github.com/linuxkit/linuxkit/src/cmd/linuxkit` to install the `linuxkit` tool.
+If you already have `go` installed you can use `go install github.com/linuxkit/linuxkit/src/cmd/linuxkit@latest` to install the `linuxkit` tool.
 
 On MacOS there is a `brew tap` available. Detailed instructions are at [linuxkit/homebrew-linuxkit](https://github.com/linuxkit/homebrew-linuxkit),
 the short summary is
@@ -45,11 +45,17 @@ brew tap linuxkit/linuxkit
 brew install --HEAD linuxkit
 ```
 
-Build requirements from source:
+Build requirements from source using a container
 - GNU `make`
 - Docker
 - optionally `qemu`
 
+For a local build using `make local`
+- `go`
+- `make`
+- `go get -u golang.org/x/lint/golint`
+- `go get -u github.com/gordonklaus/ineffassign`
+
 ### Building images
 
 Once you have built the tool, use
@@ -69,6 +75,7 @@ for example VMWare.  See `linuxkit run --help`.
 
 Currently supported platforms are:
 - Local hypervisors
+  - [Virtualization.Framework (macOS)](docs/platform-virtualization-framework.md) `[x86_64, arm64]`
   - [HyperKit (macOS)](docs/platform-hyperkit.md) `[x86_64]`
   - [Hyper-V (Windows)](docs/platform-hyperv.md) `[x86_64]`
   - [qemu (macOS, Linux, Windows)](docs/platform-qemu.md) `[x86_64, arm64, s390x]`
@@ -78,6 +85,7 @@ Currently supported platforms are:
   - [Google Cloud](docs/platform-gcp.md) `[x86_64]`
   - [Microsoft Azure](docs/platform-azure.md) `[x86_64]`
   - [OpenStack](docs/platform-openstack.md) `[x86_64]`
+  - [Scaleway](docs/platform-scaleway.md) `[x86_64]`
 - Baremetal:
   - [packet.net](docs/platform-packet.md) `[x86_64, arm64]`
   - [Raspberry Pi Model 3b](docs/platform-rpi3.md)  `[arm64]`

contrib/open-vm-tools/README.md

@@ -0,0 +1,10 @@
+# open-vm-tools
+This should allow end-users to gracefully reboot or shutdown Kubernetes nodes (incuding control planes) running on vSphere Hypervisor.
+
+Furthermore, it is also mandatory to have `open-vm-tools` installed on your Kubernetes nodes to use vSphere Cloud Provider (i.e. determinte virtual machine's FQDN).
+
+## Remarks:
+- `spec.template.spec.hostNetwork: true`: correctly report node IP address; required
+- `spec.template.spec.hostPID: true`: send the right signal to node, instead of killing the container itself; required
+- `spec.template.spec.priorityClassName: system-cluster-critical`: critical to a fully functional cluster
+- `spec.template.spec.securityContext.privileged: true`: gain more privileges than its parent process; required

contrib/open-vm-tools/open-vm-tools-ds.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: open-vm-tools
+  name: open-vm-tools
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app: open-vm-tools
+  template:
+    metadata:
+      labels:
+        app: open-vm-tools
+    spec:
+      hostNetwork: true
+      hostPID: true
+      priorityClassName: system-cluster-critical
+      tolerations:
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      containers:
+      - image: linuxkit/open-vm-tools:4c3158c7ba27f7ad0ede5d383ca25b57c5588a26
+        name: open-vm-tools
+        resources:
+          requests:
+            memory: "5Mi"
+            cpu: "100m"
+          limits:
+            memory: "25Mi"
+            cpu: "500m"
+        securityContext:
+          privileged: true
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always

docs/alpine-base-update.md

@@ -0,0 +1,232 @@
+# Updating Alpine Base
+
+This document describes the steps to update the `linuxkit/alpine` image.
+This image is at the base of all other linuxkit images.
+It is built out of the directory `tools/alpine/`.
+
+While you do not need to update every downstream image _immediately_ when you update
+this image, you do need to be aware that changes to this image will affect the
+downstream images when it is next adopted. Those downstream images should be updated
+as soon as possible after updating `linuxkit/alpine`.
+
+When you make a linuxkit release, you _must_ update all of the downstream images.
+See [releasing.md](./releasing.md) for the release process.
+
+## Pre-requisites
+
+Updating `linuxkit/alpine` can be done by any maintainer. Maintainers need to have
+access to build machines for all architectures support by LinuxKit.
+
+## Process
+
+At a high-level, we are going to do the following:
+
+1. Preparatory steps
+1. Create a new branch
+1. Make our desired changes to `tools/alpine` and commit them
+1. Build and push out our alpine changes, and commit the `versions` files
+1. Update all affected downstream changes and commit them: `tools/`, `test/pkg`, `pkg`, `test/`, `examples/`
+1. Push out all affected downstream changes: `tools/`, `test/pkg`, `pkg`, `test/`, `examples/`
+
+For each of the affected downstream changes, we could update and then push, then move to the next. However,
+since the push out can be slow and require retries, we try to make all of the changes first, and then push them out.
+
+### Preparation
+
+As a starting point you have to be on the update to date master branch
+and be in the root directory of your local git clone. You should also
+have the same setup on all build machines used.
+
+To make the steps below cut-and-pastable, define the following
+environment variables:
+
+```sh
+LK_ROOT=$(pwd)
+LK_REMOTE=origin         # or whatever your personal remote is
+LK_BRANCH=alpine-update  # or whatever the name of the branch on which you are working is
+```
+
+Note that if you are cutting a release, the `LK_BRANCH` may have a release-type name, e.g. `rel_v0.4`.
+
+Make sure that you have the latest version of the `linuxkit`
+utility in the path. Alternatively, you may wish to compile the latest version from
+master.
+
+### Create a new branch
+
+On one of the build machines (preferably the `x86_64` machine), create
+the branch:
+
+```sh
+git checkout -b $LK_BRANCH
+```
+
+### Update `linuxkit/alpine`
+
+You must perform the arch-specific image builds, pushes and updates on each
+architecture first - these can be done in parallel, if you choose. When done,
+you then copy the updated `versions.<arch>` to one place, commit them, and
+push the manifest.
+
+#### Make alpine changes
+
+Make any changes in `tools/alpine` that you desire, then commit them.
+In the below, change the commit message to something meaningful to the change you are making.
+
+```sh
+cd tools/alpine
+# make changes
+git commit -s -a -m "Update linuxkit/alpine"
+git push origin $LK_BRANCH
+```
+
+#### Build and Push Alpine Per-Architecture
+
+On each supported platform, build and update `linuxkit/alpine`, which will update the `versions.<arch>`
+file.:
+
+```sh
+git fetch
+git checkout $LK_BRANCH
+cd $LK_ROOT/tools/alpine
+make push
+```
+
+Repeat on each platform.
+
+#### Commit Changed Versions Files
+
+When all of the platforms are done, copy the changed `versions.<arch>` from each platform to one place, commit and push.
+In the below, replace `linuxkit-arch` with each build machine's name:
+
+```sh
+# one of these will not be necessary, as you will likely be executing it on one of these machines
+scp linuxkit-s390x:$LK_ROOT/tools/alpine/versions.s390x $LK_ROOT/tools/alpine/versions.s390x
+scp linuxkit-aarch64:$LK_ROOT/tools/alpine/versions.aarch64 $LK_ROOT/tools/alpine/versions.aarch64
+scp linuxkit-x86_64:$LK_ROOT/tools/alpine/versions.x86_64 $LK_ROOT/tools/alpine/versions.x86_64
+git commit -a -s -m "tools/alpine: Update to latest"
+git push $LK_REMOTE $LK_BRANCH
+```
+
+#### Update and Push Multi-Arch Index
+
+Push out the multi-arch index:
+
+```sh
+make push-manifest
+```
+
+Stash the tag of the alpine base image in an environment variable:
+
+```sh
+LK_ALPINE=$(make show-tag)
+```
+
+### Update affected downstream packages 
+
+This section describes all of the steps. Below follows a straight copyable list of steps to take,
+following which is an explanation of each one.
+
+```sh
+# Update tools packages
+cd $LK_ROOT/tools
+$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+git checkout grub/Dockerfile
+git commit -a -s -m "tools: Update to the latest linuxkit/alpine"
+
+# Update tools dependencies
+cd $LK_ROOT
+for img in $(cd tools; make show-tag); do
+    $LK_ROOT/scripts/update-component-sha.sh --image $img
+done
+git commit -a -s -m "Update use of tools to latest"
+
+# Update test packages
+cd $LK_ROOT/test/pkg
+$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+git commit -a -s -m "tests: Update packages to the latest linuxkit/alpine"
+
+# Update test packages dependencies
+cd $LK_ROOT
+for img in $(cd test/pkg; make show-tag); do
+    $LK_ROOT/scripts/update-component-sha.sh --image $img
+done
+git commit -a -s -m "Update use of test packages to latest"
+
+# Update test cases to latest linuxkit/alpine
+cd $LK_ROOT/test/cases
+$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+git commit -a -s -m "tests: Update tests cases to the latest linuxkit/alpine"
+
+# Update packages to latest linuxkit/alpine
+cd $LK_ROOT/pkg
+$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+git commit -a -s -m "pkgs: Update packages to the latest linuxkit/alpine"
+
+# update package tags - may want to include the release in it if set
+cd $LK_ROOT
+make update-package-tags
+MSG=""
+[ -n "$LK_RELEASE" ] && MSG="to $LK_RELEASE"
+git commit -a -s -m "Update package tags $MSG"
+
+git push $LK_REMOTE $LK_BRANCH
+```
+
+#### Update tools packages
+
+On your primary build machine, update the other tools packages.
+
+Note, the `git checkout` reverts the changes made by
+`update-component-sha.sh` to files which are accidentally updated.
+Important is the `git checkout` of `grub`. This is a bit old and only can be built with specific
+older versions of packages like `gcc`, and should not be updated.
+
+Then we update any dependencies of these tools.
+
+#### Update test packages
+
+Next, we update the test packages to the updated alpine base.
+
+Next, we update the use of test packages to latest.
+
+Some tests also use `linuxkit/alpine`, so we update them as well.
+
+### Update packages
+
+Next, we update the LinuxKit packages. This is really the core of the
+release. The other steps above are just there to ensure consistency
+across packages.
+
+#### External Tools
+
+Most of the packages are build from `linuxkit/alpine` and source code
+in the `linuxkit` repository, but some packages wrap external
+tools. When updating all packages, and especially during the time of a release,
+is a good opportunity to check if there have been updates. Specifically:
+
+- `pkg/cadvisor`: Check for [new releases](https://github.com/google/cadvisor/releases).
+- `pkg/firmware` and `pkg/firmware-all`: Use latest commit from [here](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git).
+- `pkg/node_exporter`: Check for [new releases](https://github.com/prometheus/node_exporter/releases).
+- Check [docker hub](https://hub.docker.com/r/library/docker/tags/) for the latest `dind` tags. and update `examples/docker.yml`, `examples/docker-for-mac.yml`, `examples/cadvisor.yml`, and `test/cases/030_security/000_docker-bench/test.yml` if necessary.
+
+This is at your discretion.
+
+### Build and push affected downstream packages
+
+<ul>Note</ul>: All of the `make push` and `make forcepush` in this section use `linuxkit pkg push`, which will build for all architectures and push
+the images out. See [Build Platforms](./packages.md#Build_Platforms).
+
+```sh
+# build and push out the tools packages
+cd $LK_ROOT/tools
+make forcepush
+
+# Build and push out test packages
+cd $LK_ROOT/test/pkg
+make push
+
+# build and push out the packages
+cd $LK_ROOT/pkg
+make push
+```

docs/developer-setup.md

@@ -0,0 +1,81 @@
+# Build Platforms
+
+This document describes how to install and maintain a LinuxKit development platform. It will grow over time.
+
+The LinuxKit team also maintains several Linux-based build platforms. These are donated by Equinix Metal (arm64) and IBM (s390x).
+
+## Platform-Specific Installation
+
+### arm64 and amd64
+
+The `amd64` and `arm64` platforms are fully supported by most OS vendors and Docker. Just upgrade to the latest OS and install the latest Docker using the
+packaging tools. As of this writing, that is:
+
+* Ubuntu/Debian with `apt`
+* RHEL/CentOS/Fedora with `yum`. For any of these, use the CentOS 7/8 packages as released by Docker.
+
+Docker does not recommend that you using the packages released by the OS vendors, as those tend to be out of date. Follow the instructions
+[from Docker](https://docs.docker.com/engine/install/).
+
+### s390x
+
+The s390x has modern versions of most OSes, including RHEL and Ubuntu, but does not have recent versions of docker, neither as
+`apt` packages for Ubuntu, nor as static downloads. In any case, these static downloads mostly are replicas.
+
+This section describes how to install modern versions of Docker on these platforms.
+
+#### RHEL
+
+RHEL 7 on s390x only has releases from Docker. Follow the instructions from Docker to install. The rpm packages for RHEL are available at
+https://download.docker.com/linux/rhel/
+
+#### Ubuntu
+
+Docker does not release packages for Ubuntu on s390x. The most recent release was for Ubuntu 18.04 Bionic, with Docker version 18.06.3.
+This is quite old, and does not support modern capabilities, e.g. buildkit.
+
+To install a more modern version:
+
+1. Upgrade any dependent apt packages `apt upgrade`
+1. Upgrade the operating system to your desired version `do-release-upgrade -d`. Note that you can set which versions to suggest via changing `/etc/update-manager/release-upgrades`
+1. Download the necessary rpms (yes, rpms) from the Docker RHEL7 site. These are available [here](https://download.docker.com/linux/rhel/7/s390x/stable/Packages/). You need the following packages:
+   * `containerd.io-*.rpm`
+   * `docker-ce-*.rpm`
+   * `docker-ce-cli-*.rpm`
+1. Install alien: `apt install alien`
+1. Convert each package to a dpkg `alien --scripts <source-rpm-file.rpm>`
+1. Install each package with `dpkg -i <source-dpkg>.dpkg`. Dependency management is not great, so we recommend installing them in order:
+   1. `containerd.io`
+   1. `docker-ce`
+   1. `docker-ce-cli`
+1. Install devmapper `apt install libdevmapper-dev`
+1. Check the missing version of libdevmapper, if any, with `ldd /usr/bin/dockerd`. In our example, it needs `libdevmapper.so.1.02`
+1. Ensure that the library can be found where needed via `cd /lib/s390x-linux-gnu/ && ln -s $(ls -1 libdevmapper.so.*) libdevmapper.so.1.02`
+1. Check again that dockerd is ok: `ldd /usr/bin/dockerd`
+1. Start docker `system ctl restart docker`
+1. Check that everything works:
+   * `docker version`
+   * `docker run --rm hello-world`
+
+## Common Notes
+
+On all platforms, if you want to run tests, you will need:
+
+* `jq`
+* `expect`
+* `qemu-kvm`
+
+These should be installed using your normal platform package installation, e.g. `apt install -y jq expect qemu-kvm`.
+
+You also will need `rtf`, which can be installed with `make bin/rtf && make install`.
+
+For pushing our kernels, you will need [manifest-tool](http://github.com/estesp/manifest-tool), which can be installed with
+`make bin/manifest-tool && make install`.
+
+Finally, to enable your regular user to run the tools, we recommend:
+
+```
+usermod -aG docker $USER
+usermod -aG kvm $USER
+usermod -aG sudo $USER
+```

docs/external-disk.md

@@ -7,7 +7,8 @@
 ## Make Disk Available
 In order to make the disk available, you need to tell `linuxkit` where the disk file or block device is.
 
-All local `linuxkit run` methods (currently `hyperkit`, `qemu`, and `vmware`) take a `-disk` argument:
+All local `linuxkit run` methods (currently `hyperkit`, `qemu`, `virtualization.framework` and `vmware`)
+take a `-disk` argument:
 
 * `-disk path,size=100M,format=qcow2`. For size the default is in GB but an `M` can be appended to specify sizes in MB. The format can be omitted for the platform default, and is only useful on `qemu` at present.
 
@@ -52,9 +53,17 @@ onboot:
     command: ["/usr/bin/format", "-force", "-type", "xfs", "-label", "DATA", "-verbose", "/dev/vda"]
 ```
 
+```
+onboot:
+  - name: format
+    image: linuxkit/format:<hash>
+    command: ["/usr/bin/format", "-type", "ext4", "-partition", "gpt", "/dev/vda"]
+```
+
 - `-force` can be used to force the partition to be cleared and recreated (if applicable), and the recreated partition formatted. This option would be used to re-init the partition on every boot, rather than persisting the partition between boots.
 - `-label` can be used to give the disk a label
 - `-type` can be used to specify the type. This is `ext4` by default but `btrfs` and `xfs` are also supported
+- `-partition` can be used to specify the partition table type. This is `dos` by default but `gpt` is also supported
 - `-verbose` enables verbose logging, which can be used to troubleshoot device auto-detection and (re-)partitioning
 - The final (optional) argument specifies the device name
 

docs/faq.md

@@ -6,7 +6,7 @@ Please open an issue if you want to add a question here.
 
 LinuxKit does not require being installed on a disk, it is often run from an ISO, PXE or other
 such means, so it does not require an on disk upgrade method such as the ChromeOS code that
-is often used. It would definitely be possible to use that type of upgrade method if the 
+is often used. It would definitely be possible to use that type of upgrade method if the
 system is installed, and it would be useful to support this for that use case, and an
 updater container to control this for people who want to use this.
 
@@ -37,6 +37,52 @@ If you're not seeing `containerd` logs in the console during boot, make sure tha
 
 `init` and other processes like `containerd` will use the last defined console in the kernel `cmdline`. When using `qemu`, to see the console you need to list `ttyS0` as the last console to properly see the output.
 
+## Enabling and controlling containerd logs
+
+On startup, linuxkit looks for and parses a file `/etc/containerd/runtime-config.toml`. If it exists, the content is used to configure containerd runtime.
+
+Sample config is below:
+
+```toml
+cliopts="--log-level debug"
+stderr="/var/log/containerd.out.log"
+stdout="stdout"
+```
+
+The options are as follows:
+
+* `cliopts`: options to pass to the containerd command-line as is.
+* `stderr`: where to send stderr from containerd. If blank, it sends it to the default stderr, which is the console.
+* `stdout`: where to send stdout from containerd. If blank, it sends it to the default stdout, which is the console. containerd normally does not have any stdout.
+
+The `stderr` and `stdout` options can take exactly one of the following options:
+
+* `stderr` - send to stderr
+* `stdout` - send to stdout
+* any absolute path (beginning with `/`) - send to that file. If the file exists, append to it; if not, create it and append to it.
+
+Thus, to enable
+a higher log level, for example `debug`, create a file whose contents are `--log-level debug` and place it on the image:
+
+```yml
+files:
+  - path: /etc/containerd/runtime-config.toml
+    source: "/path/to/runtime-config.toml"
+    mode: "0644"
+```
+
+Note that the package that parses the `cliopts` splits on _all_ whitespace. It does not, as of this writing, support shell-like parsing, so the following will work:
+
+```
+--log-level debug --arg abcd
+```
+
+while the following will not:
+
+```
+--log-level debug --arg 'abcd def'
+```
+
 ## Troubleshooting containers
 
 Linuxkit runs all services in a specific `containerd` namespace called `services.linuxkit`. To list all the defined containers:

docs/image-cache.md

@@ -0,0 +1,61 @@
+# Image Caching
+
+linuxkit builds each runtime OS image from a combination of Docker images.
+These images are pulled from a registry and cached locally.
+
+linuxkit does not use the docker image cache to store these images. This is
+for two key reasons.
+
+First, docker does not provide support for different architecture versions. For
+example, if you want to pull down `docker.io/library/alpine:3.13` by manifest,
+with its signature, but get the `arm64` version while you are on an `amd64` device,
+it is not supported.
+
+Second, and more importantly, this requires a running docker daemon. Since the
+very essence of linuxkit is removing daemons and operating systems where unnecessary,
+just laying down bits in a file, removing docker from the image build process
+is valuable. It also simplifies many use cases, like CI, where a docker daemon
+may be unavailable.
+
+## How LinuxKit Caches Images
+
+LinuxKit pulls images down from a registry and stores them in a local cache.
+It stores the root manifest or index of the image, the manifest, and all of the layers
+for the requested architecture. It does not pull down layers, manifest or config
+for all available architectures, only the requested one. If none is requested, it
+defaults to the architecture on which you are running.
+
+By default, LinuxKit caches images in `~/.linuxkit/cache/`. It can be changed
+via a command-line option. The structure of the cache directory matches the
+[OCI spec for image layout](http://github.com/opencontainers/image-spec/blob/master/image-layout.md).
+
+Image names are kept in `index.json` in the [annotation](https://github.com/opencontainers/image-spec/blob/master/annotations.md) `org.opencontainers.image.ref.name`. For example"
+
+```json
+{
+  "schemaVersion": 2,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+      "size": 1638,
+      "digest": "sha256:9a839e63dad54c3a6d1834e29692c8492d93f90c59c978c1ed79109ea4fb9a54",
+      "annotations": {
+        "org.opencontainers.image.ref.name": "docker.io/library/alpine:3.13"
+      }
+    }
+  ]
+}
+```
+
+## How LinuxKit Uses the Cache and Registry
+
+For each image that linuxkit needs to read, it does the following. Note that if the `--pull` option
+is provided, it always will pull, independent of what is in the cache.
+
+1. Check in the cache for the image name in the cache `index.json`. If it does not find it, pull it down and store it in cache.
+1. Read the root hash from `index.json`.
+1. Find the root blob in the `blobs/` directory via the hash and read it.
+1. Proceed to read the manifest, config and layers.
+
+The read process is smart enough to check each blob in the local cache before downloading
+it from a registry.

docs/kernels.md

@@ -45,22 +45,36 @@ Most kernel modules are autoloaded with `mdev` but if you need to `modprobe` a m
 ## Compiling external kernel modules
 
 This section describes how to build external (out-of-tree) kernel
-modules. It is assumed you have the source available to those modules,
-and require the correct kernel version headers and compile tools.
+modules. You need the following to build external modules. All of
+these are to be built for a specific version of the kernel. For
+the examples, we will assume 5.10.104; replace with your desired
+version.
 
-The LinuxKit kernel packages include `kernel-dev.tar` which contains
+* source available to your modules - you need to get those on your own
+* kernel development headers - available in the `linuxkit/kernel` image as `kernel-dev.tar`, e.g. `linuxkit/kernel:5.10.104`
+* OS with sources and compiler - this **must** be the exact same version as that used to compile the kernel
+
+As described above, the `linuxkit/kernel` images include `kernel-dev.tar` which contains
 the headers and other files required to compile kernel modules against
 the specific version of the kernel. Currently, the headers are not
 included in the initial RAM disk, but it is possible to compile custom
 modules offline and then include the modules in the initial RAM disk.
 
-There is a [example](../test/cases/020_kernel/011_kmod_4.9.x), but
+The source is available as the same name as the `linuxkit/kernel` image, with the addition of `-builder` on the tag.
+For example:
+
+* `linuxkit/kernel:5.10.92` has builder `linuxkit/kernel:5.10.92-builder`
+* `linuxkit/kernel:5.15.15` has builder `linuxkit/kernel:5.15.15-builder`
+
+With the above in hand, you can create a multi-stage `Dockerfile` build to compile your modules.
+There is an [example](../test/cases/020_kernel/011_kmod_4.9.x), but
 basically one can use a multi-stage build to compile the kernel
 modules:
 
-```
-FROM linuxkit/kernel:4.9.33 AS ksrc
-FROM linuxkit/alpine:<hash> AS build
+```dockerfile
+FROM linuxkit/kernel:5.10.104 AS ksrc
+FROM linuxkit/kernel:5.10.104-builder AS build
+
 RUN apk add build-base
 
 COPY --from=ksrc /kernel-dev.tar /
@@ -76,6 +90,36 @@ package to the `onboot` section in your YAML
 file. [kmod.yml](../test/cases/020_kernel/010_kmod_4.9.x/kmod.yml)
 contains an example for the configuration.
 
+### Builder Backups
+
+As described above, the OS builder is referenced via `<kernel-image>-builder`, e.g.
+`linuxkit/kernel:5.15.15-builder`.
+
+As a fallback, in case the `-builder` image is not available or you cannot access it from your development environment,
+you have 3 total places to determine the correct version of the OS image with sources and compiler:
+
+* `-builder` tag added to the kernel version, e.g. `linuxkit/kernel:5.10.104-builder`
+* labels on the kernel image, e.g. `docker inspect linuxkit/kernel:5.10.104 | jq -r '.[].Config.Labels["org.mobyproject.linuxkit.kernel.buildimage"]'`
+* `/kernel-builder` file in the kernel image
+
+You **should** use `-builder` tag as the `AS build` in your `Dockerfile`, but you **can** use
+the direct source, extracted from the labels or `/kernel-builder` file in the kernel image, in the `AS build`.
+
+For example, in the case of `5.10.104`, the label and `/kernel-builder` file show `linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba`,
+so you can use either `linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba` or
+`linuxkit/kernel:5.10.104-builder` to build the modules.
+
+Thus, the following are equivalent:
+
+```dockerfile
+FROM linuxkit/kernel:5.10.104 AS ksrc
+FROM linuxkit/kernel:5.10.104-builder AS build
+```
+
+```dockerfile
+FROM linuxkit/kernel:5.10.104 AS ksrc
+FROM linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba AS build
+```
 
 ## Modifying the kernel config
 
@@ -149,7 +193,7 @@ appended. Then you can also override the Hub organisation to use the
 image elsewhere with (and also disable image signing):
 
 ```sh
-make ORG=<your hub org> NOTRUST=1
+make ORG=<your hub org>
 ```
 
 The image will be uploaded to Hub and can be use in a YAML file as
@@ -322,7 +366,7 @@ yourself:
 
 ```sh
 cd kernel
-make ORG=<foo> NOTRUST=1 push_zfs_4.9.x # or different kernel version
+make ORG=<foo> push_zfs_4.9.x # or different kernel version
 ```
 
 will build and push a `zfs-kmod-4.9.<version>` image to Docker Hub

docs/metadata.md

@@ -101,9 +101,23 @@ hostname and populate the `/run/config/ssh/authorized_keys` from metadata.
 AWS userdata is extracted from `http://169.254.169.254/latest/user-data` and
 and made available in `/run/config/userdata`.
 
+## Hetzner
+
+Hetzner metadata is reached via the following URL
+(`http://169.254.169.254/latest/meta-data/`) and currently we extract the
+hostname and populate the `/run/config/ssh/authorized_keys` from metadata.
+
+Hetzner userdata is extracted from `http://169.254.169.254/latest/user-data` and
+and made available in `/run/config/userdata`.
 
 ## HyperKit
 
 HyperKit does not distinguish metadata and userdata, it's simply
 refered to as data, which is passed to the VM as a disk image
 in ISO9660 format.
+
+## Virtualization.Framework
+
+Virtualization.Framework does not distinguish metadata and userdata, it's simply
+refered to as data, which is passed to the VM as a disk image
+in ISO9660 format.

docs/packages.md

@@ -7,23 +7,37 @@ packages, as it's very easy. Packages are the unit of customisation
 in a LinuxKit-based project, if you know how to build a container,
 you should be able to build a LinuxKit package.
 
-All LinuxKit packages are:
-- Signed with Docker Content Trust.
-- Enabled with multi-arch manifests to work on multiple architectures.
-- Derived from well-known (and signed) sources for repeatable builds.
+All official LinuxKit packages are:
+- Enabled with multi-arch indexes to work on multiple architectures.
+- Derived from well-known sources for repeatable builds.
 - Built with multi-stage builds to minimise their size.
 
 
 ## CI and Package Builds
+
 When building and merging packages, it is important to note that our CI process builds packages. The targets `make ci` and `make ci-pr` execute `make -C pkg build`. These in turn execute `linuxkit pkg build` for each package under `pkg/`. This in turn will try to pull the image whose tag matches the tree hash or, failing that, to build it.
 
-We do not want the builds to happen with each CI run for two reasons:
+Any released image, i.e. any package under `pkg/` that has _not_ changed as
+part of a pull request,
+already will be released to Docker Hub. This will cause it to download that image, rather
+than try to build it.
+
+Any non-releaed image, i.e. any package under `pkg/` that _has_ changed as part of
+a pull request, will not be in Docker Hub until the PR has merged.
+This will cause the download to fail, leading `linuxkit pkg build` to try and build the
+image and save it in the cache.
+
+This does have two downsides:
 
 1. It is slower to do a package build than to just pull the latest image.
 2. If any of the steps of the build fails, e.g. a `curl` download that depends on an intermittent target, it can cause all of CI to fail.
 
-Thus, if, as a maintainer, you merge any commits into a `pkg/`, even if the change is documentation alone, please do a `linuxkit package push`.
+In the past, each PR required a maintainer to build, and push to Docker Hub, every
+changed package in `pkg/`. This placed the maintainer in the PR cycle, with the
+following downsides:
 
+1. A maintainer had to be involved in every PR, not just reviewing but actually building and pushing. This reduces the ability for others to contribute.
+1. The actual package is pushed out by a person, violating good supply-chain practice.
 
 ## Package source
 
@@ -40,8 +54,8 @@ A package source consists of a directory containing at least two files:
 - `extra-sources` _(list of strings)_: Additional sources for the package outside the package directory. The format is `src:dst`, where `src` can be relative to the package directory and `dst` is the destination in the build context. This is useful for sharing files, such as vendored go code, between packages.
 - `gitrepo` _(string)_: The git repository where the package source is kept.
 - `network` _(bool)_: Allow network access during the package build (default: no)
-- `disable-content-trust` _(bool)_: Disable Docker content trust for this package (default: no)
 - `disable-cache` _(bool)_: Disable build cache for this package (default: no)
+- `buildArgs` will forward a list of build arguments down to docker. As if `--build-arg` was specified during `docker build`
 - `config`: _(struct `github.com/moby/tool/src/moby.ImageConfig`)_: Image configuration, marshalled to JSON and added as `org.mobyproject.config` label on image (default: no label)
 - `depends`: Contains information on prerequisites which must be satisfied in order to build the package. Has subfields:
     - `docker-images`: Docker images to be made available (as `tar` files via `docker image save`) within the package build context. Contains the following nested fields:
@@ -53,9 +67,9 @@ A package source consists of a directory containing at least two files:
 ### Prerequisites
 
 Before you can build packages you need:
-- Docker version 17.06 or newer. If you are on a Mac you also need
-  `docker-credential-osxkeychain.bin`, which comes with Docker for Mac.
-- `make`, `notary`, `base64`, `jq`, and `expect`
+- Docker version 19.03 or newer.
+- If you are on a Mac you also need `docker-credential-osxkeychain.bin`, which comes with Docker for Mac.
+- `make`, `base64`, `jq`, and `expect`
 - A *recent* version of `manifest-tool` which you can build with `make
   bin/manifest-tool`, or `go get github.com:estesp/manifest-tool`, or
   via the LinuxKit homebrew tap with `brew install --HEAD
@@ -66,68 +80,239 @@ Further, when building packages you need to be logged into hub with
 `docker login` as some of the tooling extracts your hub credentials
 during the build.
 
+### Build Targets
+
+LinuxKit builds packages as docker images. It deposits the built package as a docker image in one or both of two targets:
+
+* the linuxkit cache, which is at `~/.linuxkit/cache/` (configurable)
+* the docker image cache (optional)
+
+The package _always_ is built and saved in the linuxkit cache. However, you _also_ can load the package for the current
+architecture, if available, into the docker image cache.
+
+If you want to build images and test and run them _in a standalone_ fashion locally, then you should add the docker image cache.
+Otherwise, you don't need anything more than the default linuxkit cache. LinuxKit defaults to building OS images using docker
+images from this cache, only looking in the docker cache if instructed to via `linuxkit build --docker`.
+
+In the linuxkit cache, it creates all of the layers, the manifest that can be uploaded
+to a registry, and the multi-architecture index. If an image already exists for a different architecture in the cache,
+it updates the index to include additional manifests created.
+
+The order of building is as follows:
+
+1. Build the image to the linuxkit cache
+1. If `--docker` is provided, load the image into the docker image cache
+
+For example:
+
+```bash
+linuxkit pkg build pkg/foo           # builds pkg/foo and places it in the linuxkit cache
+linuxkit pkg build pkg/foo --docker  # builds pkg/foo and places it in the linuxkit cache and also loads it into docker
+```
+
+#### Build Platforms
+
+By default, `linuxkit pkg build` builds for all supported platforms in the package's `build.yml`, whose syntax is available
+[here][Package source]. If no platforms are provided in the `build.yml`, it builds for all platforms that linuxkit supports.
+As of this writing, those are:
+
+* `linux/amd64`
+* `linux/arm64`
+* `linux/s390x`
+
+You can choose to skip one of the platforms from `build.yml` or those selected
+by default using the `--skip-platforms` flag.
+
+For example:
+
+```
+linuxkit pkg build --skip-platforms linux/s390x ...
+```
+
+You can override the target build platform by passing it the `--platforms` option:
+
+```
+linuxkit pkg build --platforms <platform1,platform2,...platformN>
+```
+
+The options for `--platforms` are identical to those for [docker build](https://docs.docker.com/engine/reference/commandline/build/).
+An example is available in the official [buildx documentation](https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images).
+
+Given that this is linuxkit, i.e. all builds are for linux, the `OS` part would seem redundant, and it should be sufficient to pass `--platform arm64`. However, for complete consistency, the _entire_ platform, e.g. `--platforms linux/amd64,linux/arm64`, must be provided.
+
+#### Where it builds
+
+You are running the `linuxkit pkg build` command on a single platform, e.g. your local linux cloud instance running on `amd64`, or
+a MacBook with Apple Silicon running on `arm64`.
+
+How does linuxkit determine where to build the target images?
+
+linuxkit uses [buildkit](https://github.com/moby/buildkit) directly to build all images.
+It uses docker contexts to determine _where_ to run those buildkit containers, based on the target
+architecture.
+
+When running a package build, linuxkit looks for a container named `linuxkit-builder`, running the appropriate
+version of buildkit. If it cannot find a container with that name, it creates it.
+If the container already exists but is not running buildkit, or if the version is incorrect, linuxkit stops and removes
+the existing `linuxkit-builder` container and creates one running the correct version of buildkit.
+
+When linuxkit needs to build a package for a particular architecture:
+
+1. If a context for that architecture was provided, use that context, looking for and/or starting a buildkit container named `linuxkit-builder`.
+1. If no context for that architecture was provided, use the `default` context.
+
+The actual building then will be one of:
+
+1. native, if the provided context has the same architecture as the target build architecture; else
+1. cross-build, if the provided context has a different architecture, but the package's `Dockerfile` supports cross-building; else
+1. emulated build, using docker's qemu binfmt capabilities
+
+Cross-building, i.e. building on one platform using that platform's binaries to create outputs for a different platform,
+depends on the package's `Dockerfile`. Details are available in the
+[official Docker buildx docs](https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images).
+
+* if the image is just `FROM something`, then it runs it under qemu using binfmt
+* if the image is `FROM --platform=$BUILDPLATFORM something`, then it runs it using the local architecture, invoking cross-builders
+
+Read the official docs to learn more how to leverage cross-building with buildx.
+
+**Important:** When building, if the local architecture is not one of those being build,
+selecting `--docker` to load the images into the docker image cache will result in an error.
+You _must_ be building for the local architecture - optionally for others as well - in order to
+pass the `--docker` option.
+
+#### Providing native builder nodes
+
+linuxkit is capable of using native build nodes to do the build, even remotely. To do so, you must:
+
+1. Create a [docker context](https://docs.docker.com/engine/context/working-with-contexts/) that references the build node
+1. Tell linuxkit to use that context for that architecture
+
+linuxkit will then use that provided context to look for and/or start a container in which to run buildkit for that architecture.
+
+linuxkit looks for contexts in the following descending order of priority:
+
+1. CLI option `--builders <platform>=<context>,<platform>=<context>`, e.g. `--builders linux/arm64=linuxkit-arm64,linux/amd64=default`
+1. Environment variable `LINUXKIT_BUILDERS=<platform>=<context>,<platform>=<context>`, e.g. `LINUXKIT_BUILDERS=linux/arm64=linuxkit-arm64,linux/amd64=default`
+1. Existing context named `linuxkit-<platform>`, e.g. `linuxkit-linux-arm64` or `linuxkit-linux-s390x`, with "/" replaced by "-", as "/" is an invalid character.
+1. Default context
+
+If a builder name is provided for a specific platform, and it doesn't exist, it will be treated as a fatal error.
+
+#### Examples
+
+##### Simple build
+
+There are no contexts starting with `linuxkit-`, no environment variable `LINUXKIT_BUILDERS`, no command-line argument `--builders`.
+
+linuxkit will build any requested packages using `default` context on the local platform, with a container (created, if necessary) named `linuxkit-builder`.
+Builds for the same architecture will be native, builds for other platforms will use either qemu or cross-building.
+
+##### Specified target
+
+You create a context named `my-remote-arm64` and then run:
+
+```bash
+linuxkit pkg build --platforms=linux/arm64,linux/amd64 --builders linux/arm64=my-remote-arm64
+```
+
+linuxkit will build:
+
+* for arm64 using the context `my-remote-arm64`, since you specified in `--builders` to use `my-remote-arm64` for `linux/arm64`
+* for amd64 using the context `default`, as that is the default fallback
+
+The same would happen if you used `LINUXKIT_BUILDERS=linux/arm64=my-remote-arm64` instead of the `--builders` flag.
+
+In both cases - the remote context `my-remote-arm64` and the local `default` context - it will do the build inside
+a container named `linuxkit-builder`.
+
+##### Named context
+
+You create a context named `linuxkit-linux-arm64` and then run:
+
+```bash
+linuxkit pkg build --platforms=linux/arm64,linux/amd64
+```
+
+linuxkit will build:
+
+* for arm64 using the context `linuxkit-linux-arm64`, since there is a context with the name `linuxkit-<platform>`, and you did not override it using `--builders` or the environment variable `LINUXKIT_BUILDERS`
+* for amd64 using the context `default` and the `linuxkit` builder, as that is the default fallback
+
+##### Combination
+
+You create a context named `linuxkit-linux-arm64`, and another named `my-remote-builder-amd64` and then run:
+
+```bash
+linuxkit pkg build --platforms=linux/arm64,linux/amd64 --builders linux/amd64=my-remote-builder-amd64
+```
+
+linuxkit will build:
+
+* for arm64 using the context `linuxkit-linux-arm64`, since there is a context with the name `linuxkit-<platform>`, and you did not override that particular architecture using `--builders` or the environment variable `LINUXKIT_BUILDERS`
+* for amd64 using the context `my-remote-builder-amd64`, since you specified for that architecture using `--builders`
+
+The same would happen if you used `LINUXKIT_BUILDERS=linux/arm64=my-remote-builder-amd64` instead of the `--builders` flag.
+
+##### Missing context
+
+You do not have a context named `my-remote-arm64`, and run:
+
+```bash
+linuxkit pkg build --platforms=linux/arm64 --builders linux/arm64=my-remote-arm64
+```
+
+linuxkit will try to build for `linux/arm64` using the context `my-remote-arm64`. Since that context does not exist, you will get an error.
+
 ### Build packages as a maintainer
 
-If you have write access to the `linuxkit` organisation on hub, you
-should also be set up with signing keys for packages and your signing
-key should have a passphrase, which we call `<passphrase>` throughout.
-
 All official LinuxKit packages are multi-arch manifests and most of
-them are available for `amd64`, `arm64`, and `s390x`. Official images
-*must* be build on both architectures and they must be build *in
-sequence*, i.e., they can't be build in parallel.
+them are available for the following platforms:
 
-To build a package on an architecture:
+* `linux/amd64`
+* `linux/arm64`
+* `linux/s390x`
 
-```
-DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="<passphrase>" linuxkit pkg push «path-to-package»
-```
+Official images *must* be built for all architectures for which they are available.
 
-`«path-to-package»` is the path to the package's source directory
+Pushing out a package as a maintainer involves two stages:
+
+1. Building and pushing out the platform-specific images
+1. Creating and pushing out the multi-arch manifest, a.k.a. OCI image index
+
+The `linuxkit pkg` command contains automation which performs all of the steps.
+Note that `«path-to-package»` is the path to the package's source directory
 (containing at least `build.yml` and `Dockerfile`). It can be `.` if
 the package is in the current directory.
 
-**Note:** You *must* be logged into hub (`docker login`) and the
-passphrase for the key *must* be supplied as an environment
-variable. The build process has to resort to using `expect` to drive
-`notary` so none of the credentials can be entered interactively.
-
-This will:
-- Build a local images as `linuxkit/<image>:<hash>-<arch>`
-- Push it to hub
-- Sign it with your key
-- Create a manifest called `linuxkit/<image>:<hash>` (note no `-<arch>`)
-- Push the manifest to hub
-- Sign the manifest
-
-If you repeat the same on another architecture, a new manifest will be
-pushed and signed containing the previous and the new
-architecture. The YAML files should consume the package as:
-`linuxkit/<image>:<hash>`.
-
-
-Since it is not very good to have your passphrase in the clear (or
-even stashed in your shell history), we recommend using a password
-manager with a CLI interface, such as LastPass or `pass`. You can then
-invoke the build like this (for LastPass):
-
 ```
-DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$(lpass show <key> --password) linuxkit pkg push «path-to-package»
-```
-or alternatively you may add the command to `~/.moby/linuxkit/config.yml` e.g.:
-```
-pkg:
-  content-trust-passphrase-command: "lpass show <key> --password"
+linuxkit pkg push «path-to-package»
 ```
 
+This will do the following:
+
+1. Determine the name and tag for the image as follows:
+   * The tag is from the hash of the git tree for that package. You can see it by doing `linuxkit pkg show-tag «path-to-package»`.
+   * The name for the image is from `«path-to-package»/build.yml`
+   * The organization for the package is given on the command-line, default to `linuxkit`.
+1. Build the package in the given path using your local docker instance for all the platforms in `«path-to-package»/build.yml`
+1. Save the built image in the linuxkit cache
+1. Tag each built image as `«image-name»:«hash»-«arch»`
+1. Create a multi-arch manifest called `«image-name»:«hash»` (note no `-«arch»`)
+1. Push the manifest and all of the images to the hub
+
+Note that for actual release images, these steps normally are performed as part
+of CI, by the merge-to-master process.
+
+#### Prerequisites
+
+* For all of the steps, you *must* be logged into hub (`docker login`).
+
 ### Build packages as a developer
 
-If you want to develop packages or test them locally, it is best to
-override the hub organisation used. You may also want to disable
-signing while developing. A typical example would be:
 
 ```
-linuxkit pkg build -org=wombat -disable-content-trust «path-to-package»
+linuxkit pkg build -org=wombat «path-to-package»
 ```
 
 This will create a local image: `wombat/<image>:<hash>-<arch>` which
@@ -136,7 +321,7 @@ on other systems you can push the image to your hub account and pull
 from a different system by issuing:
 
 ```
-linuxkit pkg build -org=wombat -disable-content-trust push
+linuxkit pkg build -org=wombat push
 ```
 
 This will push both `wombat/<image>:<hash>-<arch>` and
@@ -146,8 +331,32 @@ Finally, if you are tired of the long hashes you can override the hash
 with:
 
 ```
-linuxkit pkg build -org=wombat -disable-content-trust -hash=foo push
+linuxkit pkg build -org=wombat -hash=foo push
 ```
 
 and this will create `wombat/<image>:foo-<arch>` and
 `wombat/<image>:foo` for use in your YAML files.
+
+### Proxies
+
+If you are building packages from behind a proxy, `linuxkit pkg build` respects
+the following environment variables, and will set them as `--build-arg` to
+`docker build` when building a package.
+
+* `http_proxy` / `HTTP_PROXY`
+* `https_proxy` / `HTTPS_PROXY`
+* `ftp_proxy` / `FTP_PROXY`
+* `no_proxy` / `NO_PROXY`
+* `all_proxy` / `ALL_PROXY`
+
+Note that the first four of these are the standard built-in `build-arg` options available
+for `docker build`; see the [docker build documentation](https://docs.docker.com/v17.09/engine/reference/builder/#arg).
+The last, `all_proxy`, is a standard var used for socks proxying. Since it is not built into `docker build`,
+if you want to use it, you will need to add the following line to the dockerfile:
+
+```dockerfile
+ARG all_proxy
+```
+
+LinuxKit does not judge between lower-cased or upper-cased variants of these options, e.g. `http_proxy` vs `HTTP_PROXY`,
+as `docker build` does not either. It just passes them through "as-is".

docs/platform-aws.md

@@ -35,7 +35,7 @@ specified bucket, and create a bootable image from the stored image.
 
 Alternatively, you can use the `AWS_BUCKET` environment variable to specify the bucket name.
 
-**Note:** If the push times out before it finishes, you can use the `-timeout` flag to extend the timeout.
+**Note:** If the push times out before it finishes, you can use the `-timeout` flag to extend the timeout. You may also want to consider passing `-ena` to enable enhanced networking in the AMI.
 
 ```
 linuxkit push aws -bucket bucketname -timeout 1200 aws.raw
@@ -47,7 +47,7 @@ With the image created, we can now create an instance.
 You won't be able to see the serial console output until after it has terminated.
 
 ```
-linuxkit run aws aws
+linuxkit run aws -security-group "<security_group_id>" aws
 ```
 
 You can edit the AWS example to allow you to SSH to your instance in order to use it.

docs/platform-openstack.md

@@ -11,17 +11,7 @@ Supported (tested) versions of the relevant OpenStack APIs are:
 
 ## Authentication
 
-LinuxKit's support for OpenStack handles two ways of providing the endpoint and authentication details.  You can either set the standard set of environment variables and the commands detailed below will inherit those, or you can explicitly provide them on the command-line as options to `push` and `run`.  The examples below use the latter, but if you prefer the former then you'll need to set the following:
-
-```shell
-OS_USERNAME="admin"
-OS_PASSWORD="xxx"
-OS_TENANT_NAME="linuxkit"
-OS_AUTH_URL="https://keystone.com:5000/v3"
-OS_USER_DOMAIN_NAME=default
-OS_CACERT=/path/to/cacert.pem
-OS_INSECURE=false
-```
+LinuxKit's support for OpenStack includes configuring access to your cloud as detailed in the official [os-client-config](https://docs.openstack.org/os-client-config/latest/user/configuration.html) documentation.
 
 ## Push
 
@@ -40,32 +30,17 @@ Images generated with Moby can be uploaded into OpenStack's image service with `
 
 ```shell
 ./linuxkit push openstack \
-  -authurl=https://keystone.example.com:5000/v3 \
-  -username=admin \
-  -password=XXXXXXXXXXX \
-  -project=linuxkit \
   -img-name=LinuxKitTest
   ./linuxkit.iso
 ```
 
-If successful, this will return the image's UUID.  If you've set your environment variables up as described above, this command can then be simplified:
-
-```shell
-./linuxkit push openstack \
-  -img-name "LinuxKitTest" \
-  ~/Desktop/linuxkitmage.qcow2
-```
-
 ## Run
 
 Virtual machines can be launched using `linuxkit run openstack`.  As an example:
 
 ```shell
 linuxkit run openstack \
-  -authurl https://keystone.example.com:5000/v3 \
-  -username=admin \
-  -password=xxx \
-  -project=linuxkit \
+  -flavor=hotdog
   -keyname=deadline_ed25519 \
   -sec-groups=allow_ssh,nginx \
   -network c5d02c5f-c625-4539-8aed-1dab3aa85a0a \

docs/platform-rpi3.md

@@ -70,4 +70,11 @@ LinuxKit YAML file:
     command: ["modprobe", "smsc95xx"]
 ```
 
+For Raspberry Pi 3b+ use:
+```
+  - name: netdev
+    image: linuxkit/modprobe:<hash>
+    command: ["modprobe", "lan78xx"]
+```
+
 **TODO:** Figure out why mdev is not loading the driver.

docs/platform-scaleway.md

@@ -3,14 +3,14 @@
 This is a quick guide to run LinuxKit on Scaleway (only VPS x86_64 for now)
 
 ## Setup
-Before you proceed it's recommanded that you set up the [Scaleway CLI](https://github.com/scaleway/scaleway-cli/)
-and perform an `scw login`. This will create a `$HOME/.scwrc` file containing the required API token.
 
-You can also use the `SCW_TOKEN` environment variable to set a Scaleway token. 
-The `-token` flag of the `linuxkit push scaleway` and `linuxkit run scaleway` can also be used.
+You must create a Scaleway API Token (combination of Access and Secret Key), available at [Scaleway Console](https://console.scaleway.com/account/credentials), first.
+Then you can use it either with the `SCW_ACCESS_KEY` and `SCW_SECRET_KEY` environment variables or the `-access-key` and `-secret-key` flags
+of the `linuxkit push scaleway` and `linuxkit run scaleway` commands.
 
-The environment variable `SCW_TARGET_REGION` is used to set the region (there is also the `-region` flag)
+In addition, Organization ID value has to be set, either with the `SCW_DEFAULT_ORGANIZATION_ID` environment variable or the `-organization-id` command line flag.
 
+The environment variable `SCW_DEFAULT_ZONE` is used to set the zone (there is also the `-zone` flag)
 
 ## Build an image
 
@@ -28,18 +28,18 @@ $ linuxkit build -format iso-efi examples/scaleway.yml
 ## Push image
 
 You have to do `linuxkit push scaleway scaleway.iso` to upload it to your Scaleway images.
-By default the image name is the name of the ISO file without the extension. 
+By default the image name is the name of the ISO file without the extension.
 It can be overidden with the `-img-name` flag or the `SCW_IMAGE_NAME` environment variable.
 
 **Note 1:** If an image (and snapshot) of the same name exists, it will be replaced.
 
-**Note 2:** The image is region specific: if you create an image in `par1` you can't use is in `ams1`.
+**Note 2:** The image is zone specific: if you create an image in `par1` you can't use is in `ams1`.
 
 ### Push process
 
 Building a Scaleway image have a special process. Basically:
 
-* Create an `image-builder` instance with an additional volume, based on Ubuntu Xenial (only x86_64 for now)
+* Create an `image-builder` instance with an additional volume, based on Ubuntu Bionic (only x86_64 for now)
 * Copy the ISO image on this instance
 * Use `dd` to write the image on the additional volume (`/dev/vdb` by default)
 * Terminate the instance, create a snapshot, and create an image from the snapshot

docs/platform-virtualization-framework.md

@@ -0,0 +1,205 @@
+# LinuxKit with Virtualization.Framework (macOS)
+
+We recommend using LinuxKit in conjunction with
+[Docker for Mac](https://docs.docker.com/docker-for-mac/install/). For
+the time being it's best to be on the latest edge release. `linuxkit
+run` uses [Virtualization.Framework](https://developer.apple.com/documentation/virtualization) and
+[VPNKit](https://github.com/moby/vpnkit) and the edge release ships
+with updated versions of both.
+
+Alternatively, you can install Virtualization.Framework and VPNKit standalone and use it without Docker for Mac.
+
+Virtualization.Framework is enabled on macOS only when built with CGO enabled.
+
+## Boot
+
+The Virtualization.Framework backend currently supports booting:
+- `kernel+initrd` output from `linuxkit build`.
+- `kernel+squashfs` output from `linuxkit build`.
+- EFI ISOs using the EFI firmware.
+
+You need to select the boot method manually using the command line
+options. The default is `kernel+initrd`. `kernel+squashfs` can be
+selected using `-squashfs` and to boot a ISO with EFI you have to
+specify `-iso -uefi`.
+
+The `kernel+initrd` uses a RAM disk for the root filesystem. If you
+have RAM constraints or large images we recommend using either the
+`kernel+squashfs` or the EFI ISO boot.
+
+## Console
+
+With `linuxkit run` on Virtualization.Framework the serial console is redirected to
+stdio, providing interactive access to the VM. The output of the VM
+can be re-directed to a file or pipe, but then stdin is not available.
+Virtualization.Framework does not provide a console device.
+
+
+## Disks
+
+The Virtualization.Framework backend support configuring a persistent disk using the
+standard `linuxkit` `-disk` syntax.  Multiple disks are
+supported and the disks are in raw format.
+
+## Power management
+
+Virtualization.Framework sends an ACPI power event when it receives SIGTERM to allow the VM to
+shut down properly. The VM has to be able to receive ACPI events to initiate the
+shutdown.  This is provided by the [`acpid` package](../pkg/acpid). An example
+is available in the [Docker for Mac example](../examples/docker-for-mac.yml).
+
+## Networking
+
+By default, `linuxkit run` creates a VM with a single network
+interface which, logically, is attached to a L2 bridge. The bridge
+also has the VM used by Docker for Mac attached to it. This means that
+the LinuxKit VMs, created with `linuxkit run`, can be accessed from
+containers running on Docker for Mac.
+
+The LinuxKit VMs have IP addresses on the `192.168.65.0/24` subnet
+assigned by a DHCP server part of VPNKit. `192.168.65.1` is reserved
+for VPNKit as the default gateway and `192.168.65.2` is used by the
+Docker for Mac VM.
+
+By default, LinuxKit VMs get incrementally increasing IP addresses,
+but you can assign a fixed IP address with `linuxkit run -ip`. It's
+best to choose an IP address from the DHCP address range above, but
+care must be taken to avoid clashes of IP address.
+
+*NOTE:* The LinuxKit VMs can *not* be directly accessed by IP address
+from the host.  Enabling this would require use of the macOS `vmnet`
+framework, which requires the VMs to run as `root`.  We don't consider
+this option palatable, and provide alternative options to access the
+VMs over the network below.
+
+
+### Accessing network services
+
+Virtualization.Framework offers a number of ways for accessing network services
+running inside the LinuxKit VM from the host. These depend on the
+networking mode selected via `-networking`. The default mode is
+`vmnet`, where it sets up a network bridge. We intend to add support for
+`docker-for-mac`, where the same VPNkit instance is shared between
+LinuxKit VMs and the VM running as part of Docker for Mac, in the future.
+
+#### Access from the Docker for Mac VM (`-networking docker-for-mac`)
+
+The simplest way to access networking services exposed by a LinuxKit
+VM is to use a Docker for Mac container. For example, to access an ssh
+server in a LinuxKit VM, create a ssh client container from:
+
+```
+FROM alpine:edge
+RUN apk add --no-cache openssh-client
+```
+
+and then run
+
+```
+docker build -t ssh .
+docker run --rm -ti -v ~/.ssh:/root/.ssh  ssh ssh <IP address of VM>
+```
+
+#### Forwarding ports with `socat`  (`-networking docker-for-mac`)
+
+A `socat` container on Docker for Mac can be used to proxy between the
+LinuxKit VM's ports and localhost.  For example, to expose the redis
+port from the [RedisOS example](../examples/redis-os.yml), use this
+Dockerfile:
+
+```
+FROM alpine:edge
+RUN apk add --no-cache socat
+ENTRYPOINT [ "/usr/bin/socat" ]
+```
+and then:
+```
+docker build -t socat .
+docker run --rm -t -d -p 6379:6379 socat tcp-listen:6379,reuseaddr,fork tcp:<IP address of VM>:6379
+```
+
+#### Port forwarding with VPNKit (`-networking docker-for-mac`)
+
+There is **experimental** support for exposing selected ports of the
+guest on `localhost` using the `-publish` command line option. For
+example, using `-publish 2222:22/tcp` exposes the guest TCP port 22 on
+localhost on port 2222. Multiple `-publish` options can be
+specified. For example, the image build from the [`sshd
+example`](../examples/sshd.yml) can be started with:
+
+```
+linuxkit run -publish 2222:22/tcp sshd
+```
+
+and then you can log into the LinuxKit VM with `ssh -p 2222
+root@localhost`.
+
+Note, this mode is **experimental** and may cause the VPNKit instance
+shared with Docker for Mac being confused about which ports are
+currently in use, in particular if the LinuxKit VM does not exit
+gracefully. This can typically be fixed by restarting Docker for Mac.
+
+
+#### Port forwarding with VPNKit (`-networking vpnkit`)
+
+An alternative to the previous method is to start your own copy of
+`vpnkit` (or connect to an already running instance). This can be done
+using the `-networking vpnkit` command line option.
+
+VPNKit uses a 9P mount in `/port` for coordination between
+components. The first VM on a VPNKit instance currently needs mount
+the 9P filesystem and also needs to run the `vpnkit-forwarder` service
+to enable port forwarding to localhost.  A full example with `vpnkit`
+forwarding of `sshd` is available in
+[examples/vpnkit-forwarder.yml](/examples/vpnkit-forwarder.yml).
+
+To run this example with its own instance of VPNKit, use:
+
+```
+linuxkit run -networking vpnkit -publish 2222:22/tcp vpnkit-forwarder
+```
+
+You can then access it via:
+
+```
+ssh -p 2222 root@localhost
+```
+
+More details about the VPNKit forwarding mechanism is available in the
+[VPNKit
+documentation](https://github.com/moby/vpnkit/blob/master/docs/ports.md#signalling-from-the-vm-to-the-host).
+
+
+## Integration services and Metadata
+
+There are no special integration services available for Virtualization.Framework, but
+there are a number of packages, such as `vsudd`, which enable
+tighter integration of the VM with the host (see below).
+
+The Virtualization.Framework backend also allows passing custom userdata into the
+[metadata package](./metadata.md) using either the `-data` or `-data-file` command-line
+option. This attaches a CD device with the data on.
+
+
+### `vsudd` unix domain socket forwarding
+
+The [`vsudd` package](/pkg/vsudd) provides a daemon that exposes unix
+domain socket inside the VM to the host via virtio or Hyper-V sockets.
+With Virtualization.Framework, the virtio sockets can be exposed as unix domain
+sockets on the host, enabling access to other daemons, like
+`containerd` and `dockerd`, from the host.  An example configuration
+file is available in [examples/vsudd-containerd.yml](/examples/vsudd-containerd.yml).
+
+After building the example, run it with `linuxkit run virtualization.framework
+-vsock-ports 2374 vsudd`. This will create a unix domain socket in the state directory that maps to the `containerd` control socket. The socket is called `guest.00000946`.
+
+If you install the `ctr` tool on the host you should be able to access the
+`containerd` running in the VM:
+
+```
+$ go get -u -ldflags -s github.com/containerd/containerd/cmd/ctr
+...
+$ ctr -a vsudd-state/guest.00000946 list
+ID        IMAGE     PID       STATUS
+vsudd               466       RUNNING
+```

docs/releasing.md

@@ -37,207 +37,18 @@ As a starting point you have to be on the update to date master branch
 and be in the root directory of your local git clone. You should also
 have the same setup on all build machines used.
 
-To make the release steps below cut-and-pastable, define the following
-environment variables:
-
-```sh
-LK_RELEASE=v0.4
-LK_ROOT=$(pwd)
-LK_REMOTE=origin
-```
-
-On one of the build machines (preferably the `x86_64` machine), create
-the release branch:
-
-```sh
-git checkout -b rel_$LK_RELEASE
-```
-
-Also make sure that you have a recent version of the `linuxkit`
-utility in the path. Either a previous release or compiled from
-master.
-
-
 ### Update `linuxkit/alpine`
 
 This step is not necessarily required if the alpine base image has
 recently been updated, but it is good to pick up any recent bug
-fixes. Updating the alpine base image is different to other packages
-and it must be performed on `x86_64` first:
+fixes. Follow the process in [alpine-base-update.md](./alpine-base-update.md)
 
-```sh
-cd $LK_ROOT/tools/alpine
-make push
-```
+There are several important notes to consider when updating alpine base:
 
-This will update `linuxkit/alpine` and change the `versions.x86_64`
-file. Check it in and push to GitHub:
-
-```sh
-git commit -a -s -m "tools/alpine: Update to latest"
-git push $LK_REMOTE rel_$LK_RELEASE
-```
-
-Now, on each build machine for the other supported architectures, in turn:
-
-```sh
-git fetch
-git checkout rel_$LK_RELEASE
-cd $LK_ROOT/tools/alpine
-make push
-git commit -a --amend
-git push --force $LK_REMOTE rel_$LK_RELEASE
-```
-
-With all supported architectures updated, head back to the `x86_64`
-machine and update the release branch:
-
-```sh
-git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
-```
-
-Stash the tag of the alpine base image in an environment variable:
-
-```sh
-LK_ALPINE=$(head -1 alpine/versions.x86_64 | sed 's,[#| ]*,,' | sed 's,\-.*$,,' | cut -d':' -f2)
-```
-
-
-### Update tools packages
-
-On the `x86_64` machine, get the `linuxkit/alpine` tag and update the
-other packages:
-
-```sh
-cd $LK_ROOT/tools
-../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
-git checkout alpine/versions.aarch64 alpine/versions.s390x
-
-git commit -a -s -m "tools: Update to the latest linuxkit/alpine"
-git push $LK_REMOTE rel_$LK_RELEASE
-
-make forcepush
-```
-
-Note, the `git checkout` reverts the changes made by
-`update-component-sha.sh` to files which are accidentally updated and
-the `make forcepush` will skip building the alpine base.
-
-Then, on the other build machines in turn:
-
-```sh
-cd $LK_ROOT/tools
-git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
-make forcepush
-```
-
-Back on the `x86_64` machine:
-
-```sh
-cd $LK_ROOT
-for img in $(cd tools; make show-tag); do
-    ./scripts/update-component-sha.sh --image $img
-done
-
-git commit -a -s -m "Update use of tools to latest"
-```
-
-
-### Update test packages
-
-Next, we update the test packages to the updated alpine base on the `x86_64` system:
-
-```sh
-cd $LK_ROOT/test/pkg
-../../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
-
-git commit -a -s -m "tests: Update packages to the latest linuxkit/alpine"
-git push $LK_REMOTE rel_$LK_RELEASE
-
-make push
-```
-
-Then, on the other build machines in turn:
-
-```sh
-cd $LK_ROOT/test/pkg
-git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
-make push
-```
-
-Back on the `x86_64` machine:
-
-```sh
-cd $LK_ROOT
-for img in $(cd test/pkg; make show-tag); do
-    ./scripts/update-component-sha.sh --image $img
-done
-
-git commit -a -s -m "Update use of test packages to latest"
-```
-
-Some tests also use `linuxkit/alpine`. Update them as well:
-
-```sh
-cd $LK_ROOT/test/cases
-../../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
-
-git commit -a -s -m "tests: Update tests cases to the latest linuxkit/alpine"
-```
-
-### Update packages
-
-Next, we update the LinuxKit packages. This is really the core of the
-release. The other steps above are just there to ensure consistency
-across packages.
-
-
-```sh
-cd $LK_ROOT/pkg
-../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
-
-git commit -a -s -m "pkgs: Update packages to the latest linuxkit/alpine"
-git push $LK_REMOTE rel_$LK_RELEASE
-```
-
-Most of the packages are build from `linuxkit/alpine` and source code
-in the `linuxkit` repository, but some packages wrap external
-tools. The time of a release is a good opportunity to check if there
-have been updates. Specifically:
-
-- `pkg/cadvisor`: Check for [new releases](https://github.com/google/cadvisor/releases).
-- `pkg/firmware` and `pkg/firmware-all`: Use latest commit from [here](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git).
-- `pkg/node_exporter`: Check for [new releases](https://github.com/prometheus/node_exporter/releases).
-- Check [docker hub](https://hub.docker.com/r/library/docker/tags/) for the latest `dind` tags. and update `examples/docker.yml`, `examples/docker-for-mac.yml`, `examples/cadvisor.yml`, and `test/cases/030_security/000_docker-bench/test.yml` if necessary.
-
-The build/push the packages:
-
-```sh
-cd $LK_ROOT/pkg
-make OPTIONS="-release $LK_RELEASE" push
-```
-
-Note, the `OPTIONS` argument. This adds the release tag to the
-packages.
-
-Then, on the other build machines in turn:
-
-```sh
-cd $LK_ROOT/pkg
-git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
-make OPTIONS="-release $LK_RELEASE" push
-```
-
-Update the package tags in the YAML files:
-
-```sh
-cd $LK_ROOT
-for img in $(cd pkg; make show-tag | cut -d ':' -f1); do
-    ./scripts/update-component-sha.sh --image $img:$LK_RELEASE
-done
-
-git commit -a -s -m "Update package tags to $LK_RELEASE"
-```
+* `LK_BRANCH` is set to `rel_$LK_RELEASE`, when cutting a release, for e.g. `LK_BRANCH=rel_v0.9`
+* It not necessarily required to update the alpine base image if it has recently been updated, but it is good to pick up any recent bug
+fixes. However, you do need to update the tools, packages and tests.
+* Releases are a particularly good time to check for updates in wrapped external dependencies, as highlighted in [alpine-base-update.md#External Tools](./alpine-base-update.md#External_Tools)
 
 ### Final preparation steps
 
@@ -275,5 +86,3 @@ This completes the release, but you are not done, one more step is required.
 Create a PR which bumps the version number in the top-level `Makefile`
 to `$LK_RELEASE+` to make sure that the version reported by `linuxkit
 version` gets updated.
-
-

docs/security.md

@@ -50,8 +50,6 @@ and namespaced separately from the host as appropriate.
 LinuxKit's build process heavily leverages Docker images for packaging. Of note, all intermediate build images
 are referenced by digest to ensures reproducibility across LinuxKit builds. Tags are mutable, and thus subject to override
 (intentionally or maliciously) - referencing by digest mitigates classes of registry poisoning attacks in LinuxKit's buildchain.
-Certain images, such as the kernel image, will be signed by LinuxKit maintainers using [Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/),
-which guarantees authenticity, integrity, and freshness of the image.
 
 Moreover, LinuxKit's build process leverages [Alpine Linux's](https://alpinelinux.org/) hardened userspace tools such as
 Musl libc, and compiler options that include `-fstack-protector` and position-independent executable output. Go binaries

docs/signing.md

@@ -1,49 +0,0 @@
-# Signing LinuxKit Hub Images
-
-We sign and verify LinuxKit component images, such as `linuxkit/kernel`, using [Notary](https://github.com/docker/notary).
-
-This document details the process for setting this up, intended for maintainers.
-
-## Initialize a New Repository
-
-Let's say we're publishing a new `linuxkit/foo` image that we want to sign and verify in LinuxKit.
-We first need to initialize the Notary repository:
-
-```
-notary -s https://notary.docker.io -d ~/.docker/trust init -p docker.io/linuxkit/foo
-```
-
-This command will generate some private keys in `~/.docker/trust` and ask you for passphrases such that they are encrypted at rest.
-All linuxkit repositories are currently using the same root key so we can pin trust on key ID `1908a0cf4f55710138e63f65ab2a97e8fa3948e5ca3b8857a29f235a3b61ea1b`.
-
-We'll also let the notary server take control of the snapshot key, for easier delegation collaboration:
-```
-notary -s https://notary.docker.io -d ~/.docker/trust key rotate docker.io/linuxkit/foo snapshot -r
-```
-
-## Add maintainers to delegation roles:
-
-Maintainers are to sign with `delegation` keys, which are adminstered by a non-root key.
-Thusly, they are easily rotated without having to bring the root key online.
-Additionally, maintainers can be added to separate roles for auditing purposes: the current setup is to add maintainers to both the `targets/releases` role that is intended
-for release consumption, as well as an individual `targets/<maintainer_name>` role for auditing.
-Docker will automatically sign into both roles when pushing with Docker Content Trust.
-
-Here's what the command looks like to add all maintainers to the `targets/releases` role:
-```
-notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io/linuxkit/foo targets/releases alice.crt bob.crt charlie.crt --all-paths
-```
-
-Here's what the commands look like to add all maintainers to their individually named roles:
-```
-notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io/linuxkit/foo targets/alice alice.crt --all-paths
-notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io/linuxkit/foo targets/bob bob.crt --all-paths
-notary -s https://notary.docker.io -d ~/.docker/trust delegation add -p docker.io/linuxkit/foo targets/charlie charlie.crt --all-paths
-```
-
-## Maintainers import their private keys
-
-It's important that each maintainer imports their private key into Docker's key storage, so Docker can use it to sign:
-```
-notary -d ~/.docker/trust key import alice.key -r user
-```

docs/testing.md

@@ -50,7 +50,7 @@ You must copy an existing `group.sh` in to this folder and adjust as required or
 [example](https://github.com/linuxkit/rtf/tree/master/etc/templates/group.sh)
 
 To write your test, create a folder within the group using the `000_name` format as described above.
-You should then copy an existing `test.sh` in to this directory and amdend it,
+You should then copy an existing `test.sh` in to this directory and amend it,
 or start from an [example](http://github.com/linuxkit/rtf/tree/master/etc/templates/test.sh)
 
 If your test can only be run when certain conditions are met, you should consider adding a label to

docs/vendoring.md

@@ -2,16 +2,24 @@ Vendoring
 =========
 
 The Go code in this repo depends on a number of Go libraries.
-These are vendored in to the `src/cmd/linuxkit/vendor` directory using [`vndr`](https://github.com/lk4d4/vndr)
-The `vendor.conf` file contains a list of the repositories and the git SHA or branch name that should be vendored
+These are vendored in to the `src/cmd/linuxkit/vendor` directory using [go modules](https://golang.org/ref/mod)
 
 ## Updating dependencies
 
-Update `src/cmd/linuxkit/vendor.conf` with the dependency that you would like to add.
-Details of usage of the `vndr` tool and the format of `vendor.conf` can be found [here](https://github.com/LK4D4/vndr/blob/master/README.md)
+Go modules should install any required dependencies to `go.mod` and `go.sum` when running normal go commands such as `go build`,
+`go vet`, etc. To install specific versions, use `go get <dependency>@<reference>`.
 
-Once done, you must run the `vndr` tool to add the necessary files to the `vendor` directory.
-The easiest way to do this is in a container.
+See the [go modules](https://golang.org/ref/mod) documentation for more information.
+
+LinuxKit vendors all dependencies to make it completely self-contained. Once `go.mod` is up to date,
+you must update the dependencies, either using your local go toolchain or in a container.
+
+## Updating locally
+
+To vendor all dependencies:
+
+1. `cd src/cmd/linuxkit`
+1. Run `go mod vendor`
 
 ## Updating in a container
 
@@ -21,39 +29,7 @@ To update all dependencies:
 docker run -it --rm \
 -v $(pwd):/go/src/github.com/linuxkit/linuxkit \
 -w /go/src/github.com/linuxkit/linuxkit/src/cmd/linuxkit \
---entrypoint /go/bin/vndr \
-linuxkit/go-compile:8de0e27a38498389e43b3a5b520d943a2b3be5ba
-```
-
-To update a single dependency:
-
-```
-docker run -it --rm \
--v $(pwd):/go/src/github.com/linuxkit/linuxkit \
--w /go/src/github.com/linuxkit/linuxkit/src/cmd/linuxkit \
---entrypoint /go/bin/vndr \
-linuxkit/go-compile:8de0e27a38498389e43b3a5b520d943a2b3be5ba
-github.com/docker/docker
-```
-
-## Updating locally
-
-First you must install `vndr` and ensure that `$GOPATH/bin` is on your `$PATH`
-
-```
-go get -u github.com/LK4D4/vndr
-```
-
-To update all dependencies:
-
-```
-cd src/cmd/linuxkit
-vndr
-```
-
-To update a single dependency:
-
-```
-cd /src/cmd/linuxkit
-vndr github.com/docker/docker
+--entrypoint=go
+linuxkit/go-compile:7b1f5a37d2a93cd4a9aa2a87db264d8145944006
+mod vendor
 ```

docs/yaml.md

@@ -11,9 +11,10 @@ are downloaded at build time to create an image. The image is self-contained and
 so it can be tested reliably for continuous delivery.
 
 Components are specified as Docker images which are pulled from a registry during build if they
-are not available locally. The Docker images are optionally verified with Docker Content Trust.
+are not available locally. See [image-cache](./image-cache.md) for more details on local caching.
+The Docker images are optionally verified with Docker Content Trust.
 For private registries or private repositories on a registry credentials provided via
-`docker login` are re-used. 
+`docker login` are re-used.
 
 The configuration file is processed in the order `kernel`, `init`, `onboot`, `onshutdown`,
 `services`, `files`. Each section adds files to the root file system. Sections may be omitted.
@@ -124,19 +125,6 @@ file:
 
 Because a `tmpfs` is mounted onto `/var`, `/run`, and `/tmp` by default, the `tmpfs` mounts will shadow anything specified in `files` section for those directories.
 
-## `trust`
-
-The `trust` section specifies which build components are to be cryptographically verified with
-[Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) prior to pulling.
-Trust is a central concern in any build system, and LinuxKit's is no exception: Docker Content Trust provides authenticity,
-integrity, and freshness guarantees for the components it verifies.  The LinuxKit maintainers are responsible for signing
-`linuxkit` components, though collaborators can sign their own images with Docker Content Trust or [Notary](https://github.com/docker/notary).
-
-- `image` lists which individual images to enforce pulling with Docker Content Trust.
-The image name may include tag or digest, but the matching also succeeds if the base image name is the same.
-- `org` lists which organizations for which Docker Content Trust is to be enforced across all images,
-for example `linuxkit` is the org for `linuxkit/kernel`
-
 ## Image specification
 
 Entries in the `onboot` and `services` sections specify an OCI image and
@@ -144,7 +132,9 @@ options. Default values may be specified using the `org.mobyproject.config` imag
 For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md).
 
 If the `org.mobylinux.config` label is set in the image, that specifies default values for these fields if they
-are not set in the yaml file. You can override the label by setting the value, or setting it to be empty to remove
+are not set in the yaml file. While most fields are _replaced_ if they are specified in the yaml file,
+some support _add_ via the format `<field>.add`; see below.
+You can override the label entirely by setting the value, or setting it to be empty to remove
 the specification for that value in the label.
 
 If you need an OCI option that is not specified here please open an issue or pull request as the list is not yet
@@ -159,6 +149,7 @@ bind mounted into a container.
   extracted from this so they need not be filled in.
 - `capabilities` the Linux capabilities required, for example `CAP_SYS_ADMIN`. If there is a single
   capability `all` then all capabilities are added.
+- `capabilities.add` the Linux capabilities required, but these are added to the defaults, rather than overriding them.
 - `ambient` the Linux ambient capabilities (capabilities passed to non root users) that are required.
 - `mounts` is the full form for specifying a mount, which requires `type`, `source`, `destination`
   and a list of `options`. If any fields are omitted, sensible defaults are used if possible, for example
@@ -166,6 +157,7 @@ bind mounted into a container.
   can be replaced by specifying a mount with new options here at the same mount point.
 - `binds` is a simpler interface to specify bind mounts, accepting a string like `/src:/dest:opt1,opt2`
   similar to the `-v` option for bind mounts in Docker.
+- `binds.add` is a simpler interface to specify bind mounts, but these are added to the defaults, rather than overriding them.
 - `tmpfs` is a simpler interface to mount a `tmpfs`, like `--tmpfs` in Docker, taking `/dest:opt1,opt2`.
 - `command` will override the command and entrypoint in the image with a new list of commands.
 - `env` will override the environment in the image with a new environment list. Specify variables as `VAR=value`.
@@ -240,6 +232,31 @@ services:
      - CAP_DAC_OVERRIDE
 ```
 
+## `devices`
+
+To access the console, it's necessary to explicitly add a "device" definition, for example:
+
+```
+devices:
+- path: "/dev/console"
+  type: c
+  major: 5
+  minor: 1
+  mode: 0666
+```
+
+See the [getty package](../pkg/getty/build.yml) for a more complete example
+and see [runc](https://github.com/opencontainers/runc/commit/60e21ec26e15945259d4b1e790e8fd119ee86467) for context.
+
+To grant access to all block devices use:
+
+```
+devices:
+- path: all
+  type: b
+```
+
+See the [format package](../pkg/format/build.yml) for an example.
 
 ### Mount Options
 When mounting filesystem paths into a container - whether as part of `onboot` or `services` - there are several options of which you need to be aware. Using them properly is necessary for your containers to function properly.

examples/addbinds.yml

@@ -0,0 +1,26 @@
+kernel:
+  image: linuxkit/kernel:5.4.30
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    binds.add:
+      # this will keep all of the existing ones as well
+      - /var/tmp:/var/tmp
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+files:
+  - path: etc/getty.shadow
+    # sample sets password for root to "abcdefgh" (without quotes)
+    contents: 'root:$6$6tPd2uhHrecCEKug$8mKfcgfwguP7f.BLdZsT1Wz7WIIJOBY1oUFHzIv9/O71M2J0EPdtFqFGTxB1UK5ejqQxRFQ.ZSG9YXR0SNsc11:17322:0:::::'

examples/aws.yml

@@ -1,37 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.19.34
-  cmdline: "console=ttyS0"
-init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.7
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.7
-services:
-  - name: rngd
-    image: linuxkit/rngd:v0.7
-  - name: sshd
-    image: linuxkit/sshd:v0.7
-    binds:
-     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/azure.yml

@@ -1,26 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.19.34
-  cmdline: "console=ttyS0"
-init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.7
-services:
-  - name: rngd
-    image: linuxkit/rngd:v0.7
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
-  - name: sshd
-    image: linuxkit/sshd:v0.7
-files:
-  - path: root/.ssh/authorized_keys
-    source: ~/.ssh/id_rsa.pub
-    mode: "0600"
-    optional: true
-trust:
-  org:
-    - linuxkit

examples/cadvisor.yml

@@ -1,37 +1,37 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: sysfs
-    image: linuxkit/sysfs:v0.7
+    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
   - name: format
-    image: linuxkit/format:v0.7
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
   - name: mount
-    image: linuxkit/mount:v0.7
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
       - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: ntpd
-    image: linuxkit/openntpd:v0.7
+    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
 
   - name: docker
-    image: docker:18.06.0-ce-dind
+    image: docker:20.10.6-dind
     capabilities:
       - all
     net: host
@@ -46,14 +46,10 @@ services:
       - /etc/docker/daemon.json:/etc/docker/daemon.json
     command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
   - name: cadvisor
-    image: linuxkit/cadvisor:v0.7
+    image: linuxkit/cadvisor:38174e03a9495a2ba8a8a049458f585a8b8e4a59
 files:
   - path: var/lib/docker
     directory: true
   - path: etc/docker/daemon.json
     contents: '{"debug": true, "hosts": ["unix:///var/run/docker.sock"]}'
     mode: "0644"
-trust:
-  org:
-    - linuxkit
-    - library

examples/dm-crypt-loop.yml

@@ -1,31 +1,31 @@
 kernel:
-  image: linuxkit/kernel:4.14.88
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:v0.7
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
     command: ["/usr/bin/format", "/dev/sda"]
   - name: mount
-    image: linuxkit/mount:v0.7
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/dev/sda1", "/var/external"]
   - name: loop
-    image: linuxkit/losetup:v0.7
+    image: linuxkit/losetup:43e40be0c82cbccf171ebd2a8065246e2e84f66e
     command: ["/usr/bin/loopy", "--create", "/var/external/storage_file"]
   - name: dm-crypt
-    image: linuxkit/dm-crypt:v0.7
+    image: linuxkit/dm-crypt:908d3a270650aff7388092a307673c44d86e1ed0
     command: ["/usr/bin/crypto", "crypt_loop_dev", "/dev/loop0"]
   - name: mount
-    image: linuxkit/mount:v0.7
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/dev/mapper/crypt_loop_dev", "/var/secure_storage"]
   - name: bbox
     image: busybox
@@ -34,16 +34,13 @@ onboot:
       - /var:/var
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
 files:
   - path: etc/dm-crypt/key
     # the below key is just to keep the example self-contained
     # !!! provide a proper key for production use here !!!
     contents: "abcdefghijklmnopqrstuvwxyz123456"
-trust:
-  org:
-    - linuxkit

examples/dm-crypt.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:4.14.88
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:v0.7
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
     command: ["/usr/bin/format", "/dev/sda"]
   - name: dm-crypt
-    image: linuxkit/dm-crypt:v0.7
+    image: linuxkit/dm-crypt:908d3a270650aff7388092a307673c44d86e1ed0
     command: ["/usr/bin/crypto", "crypt_dev", "/dev/sda1"]
   - name: mount
-    image: linuxkit/mount:v0.7
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/dev/mapper/crypt_dev", "/var/secure_storage"]
   - name: bbox
     image: busybox
@@ -28,16 +28,13 @@ onboot:
       - /var:/var
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
 files:
   - path: etc/dm-crypt/key
     # the below key is just to keep the example self-contained
     # !!! provide a proper key for production use here !!!
     contents: "abcdefghijklmnopqrstuvwxyz123456"
-trust:
-  org:
-    - linuxkit

examples/docker-for-mac.yml

@@ -1,36 +1,36 @@
 # This is an example for building the open source components of Docker for Mac
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/vpnkit-expose-port:v0.7 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/vpnkit-expose-port:87ac61469247b2a0483cbd1fd2915f220e078b78 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   # support metadata for optional config in /run/config
   - name: metadata
-    image: linuxkit/metadata:v0.7
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: sysfs
-    image: linuxkit/sysfs:v0.7
+    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
   - name: binfmt
-    image: linuxkit/binfmt:v0.7
+    image: linuxkit/binfmt:a17941b47f5cb262638cfb49ffc59ac5ac2bf334
   # Format and mount the disk image in /var/lib/docker
   - name: format
-    image: linuxkit/format:v0.7
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
   - name: mount
-    image: linuxkit/mount:v0.7
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/var/lib"]
   # make a swap file on the mounted disk
   - name: swap
-    image: linuxkit/swap:v0.7
+    image: linuxkit/swap:77305236719ed7ab4be0f3bccc179c583fe7f5ff
     command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"]
   # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding
   - name: mount-vpnkit
-    image: alpine:3.9
+    image: alpine:3.13
     binds:
         - /var/:/host_var:rbind,rshared
     capabilities:
@@ -39,51 +39,51 @@ onboot:
     command: ["sh", "-c", "mkdir -p /host_var/vpnkit/port && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
   # move logs to the mounted disk (this is a temporary fix until we can limit the log sizes)
   - name: move-logs
-    image: alpine:3.9
+    image: alpine:3.13
     binds:
         - /var:/host_var
     command: ["sh", "-c", "mv -v /host_var/log /host_var/lib && ln -vs /var/lib/log /host_var/log"]
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   # Enable acpi to shutdown on power events
   - name: acpid
-    image: linuxkit/acpid:v0.7
+    image: linuxkit/acpid:c05a368754f6436b326945dc16135ba547568d8d
   # Enable getty for easier debugging
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
         - INSECURE=true
   # Run ntpd to keep time synchronised in the VM
   - name: ntpd
-    image: linuxkit/openntpd:v0.7
+    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
   # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock
   # to a socket on the host.
   - name: vsudd
-    image: linuxkit/vsudd:v0.7
+    image: linuxkit/vsudd:89980cd551d3174b6d8528f39fbd7fd1ca049161
     binds:
         - /var/run:/var/run
     command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"]
   # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373. 
   # It needs access to the vpnkit 9P coordination share 
   - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:v0.7
+    image: linuxkit/vpnkit-forwarder:ea4dded7386b09dd647e854664b029be0a4f420f
     binds:
         - /var/vpnkit:/port
     net: host
     command: ["/vpnkit-forwarder", "-vsockPort", "62373"]
   # Monitor for image deletes and invoke a TRIM on the container filesystem
   - name: trim-after-delete
-    image: linuxkit/trim-after-delete:v0.7
+    image: linuxkit/trim-after-delete:533ed712cf5cede1d5aec121c3f8afc1f471f723
   # When the host resumes from sleep, force a clock resync
   - name: host-timesync-daemon
-    image: linuxkit/host-timesync-daemon:v0.7
+    image: linuxkit/host-timesync-daemon:cc7c2f88c0e585c292624b9665412c9aca615d55
   # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container.
   # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
   # for vpnkit coordination and /run/config/docker for the configuration file.
   - name: docker-dfm
-    image: docker:18.06.0-ce-dind
+    image: docker:20.10.6-dind
     capabilities:
      - all
     net: host
@@ -106,8 +106,3 @@ services:
             "--storage-driver", "overlay2" ]
     runtime:
       mkdir: ["/var/lib/docker"]
-
-trust:
-    org:
-        - linuxkit
-        - library

examples/docker.yml

@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: sysfs
-    image: linuxkit/sysfs:v0.7
+    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
   - name: format
-    image: linuxkit/format:v0.7
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
   - name: mount
-    image: linuxkit/mount:v0.7
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
   - name: ntpd
-    image: linuxkit/openntpd:v0.7
+    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
   - name: docker
-    image: docker:18.06.0-ce-dind
+    image: docker:20.10.6-dind
     capabilities:
      - all
     net: host
@@ -46,7 +46,3 @@ files:
     directory: true
   - path: etc/docker/daemon.json
     contents: '{"debug": true}'
-trust:
-  org:
-    - linuxkit
-    - library

examples/gcp.yml

@@ -1,41 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.19.34
-  cmdline: "console=ttyS0"
-init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.7
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.7
-services:
-  - name: getty
-    image: linuxkit/getty:v0.7
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.7
-  - name: sshd
-    image: linuxkit/sshd:v0.7
-    binds:
-     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/getty.yml

@@ -1,29 +1,26 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     # to make insecure with passwordless root login, uncomment following lines
     #env:
     # - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)
     contents: 'root:$6$6tPd2uhHrecCEKug$8mKfcgfwguP7f.BLdZsT1Wz7WIIJOBY1oUFHzIv9/O71M2J0EPdtFqFGTxB1UK5ejqQxRFQ.ZSG9YXR0SNsc11:17322:0:::::'
-trust:
-  org:
-    - linuxkit

examples/hostmount-writeable-overlay.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
   - name: shutdown
@@ -18,7 +18,7 @@ onshutdown:
     command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
     runtime:
@@ -30,7 +30,7 @@ services:
           destination: writeable-host-etc
           options: ["rw", "lowerdir=/etc", "upperdir=/run/hostetc/upper", "workdir=/run/hostetc/work"]
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: nginx
     image: nginx:1.13.8-alpine
     capabilities:
@@ -41,7 +41,3 @@ services:
      - CAP_DAC_OVERRIDE
     binds:
      - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/influxdb-os.yml

@@ -1,18 +1,18 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: influxdb
@@ -42,7 +42,3 @@ services:
     env:
       - INFLUXDB_URL=http://127.0.0.1:8086
       - KAPACITOR_URL=http://127.0.0.1:9092
-trust:
-  org:
-    - linuxkit
-    - library

examples/logging.yml

@@ -1,34 +1,30 @@
 # Simple example of using an external logging service
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-  - linuxkit/memlogd:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/memlogd:014f86dce2ea4bb2ec13e92ae5c1e854bcefec40
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
 # Inside the getty type `/proc/1/root/usr/bin/logread -F` to follow the log
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
 # A service which generates log messages for testing
   - name: write-to-the-logs
-    image: alpine:3.9
+    image: alpine:3.13
     command: ["/bin/sh", "-c", "while /bin/true; do echo hello $(date); sleep 1; done" ]
   - name: write-and-rotate-logs
-    image: linuxkit/logwrite:v0.7
+    image: linuxkit/logwrite:4d8aa07d4a7130239fc62b09f33e3401ecf62a38
   - name: kmsg
-    image: linuxkit/kmsg:v0.7
-trust:
-  org:
-    - linuxkit
-    - library
+    image: linuxkit/kmsg:b2f6cd4ce9041120e30a4b5ab36bb8db4f5eb458

examples/minimal.yml

@@ -1,19 +1,16 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
-trust:
-  org:
-    - linuxkit

examples/node_exporter.yml

@@ -1,21 +1,18 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
   - name: node_exporter
-    image: linuxkit/node_exporter:v0.7
-trust:
-  org:
-    - linuxkit
+    image: linuxkit/node_exporter:bd11bc62e0cdf7a600556c0cb9f6582bf055f245

examples/openstack.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:v0.7
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
     command: ["/usr/bin/metadata", "openstack"]
 services:
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: sshd
-    image: linuxkit/sshd:v0.7
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
     binds:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx
@@ -32,7 +32,3 @@ services:
      - CAP_DAC_OVERRIDE
     binds:
      - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/packet.arm64.yml

@@ -1,14 +0,0 @@
-# This YAML snippet is to be used in conjunction with packet.yml to
-# build a arm64 image for packet.net. It adds a modprobe of the NIC
-# driver and overrides the kernel section to disable prepending the
-# Intel CPU microcode to the initrd. If writing a YAML specifically
-# for arm64 then the 'ucode' line in the kernel section can be left
-# out.
-kernel:
-  image: linuxkit/kernel:4.19.34
-  cmdline: "console=ttyAMA0"
-  ucode: ""
-onboot:
-  - name: modprobe
-    image: linuxkit/modprobe:v0.7
-    command: ["modprobe", "nicvf"]

examples/packet.yml

@@ -1,39 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.19.34
-  cmdline: console=ttyS1
-  ucode: intel-ucode.cpio
-init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-  - linuxkit/firmware:v0.7
-onboot:
-  - name: rngd1
-    image: linuxkit/rngd:v0.7
-    command: ["/sbin/rngd", "-1"]
-  - name: sysctl
-    image: linuxkit/sysctl:v0.7
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.7
-    command: ["/usr/bin/metadata", "packet"]
-services:
-  - name: rngd
-    image: linuxkit/rngd:v0.7
-  - name: getty
-    image: linuxkit/getty:v0.7
-    env:
-     - INSECURE=true
-  - name: sshd
-    image: linuxkit/sshd:v0.7
-files:
-  - path: root/.ssh/authorized_keys
-    source: ~/.ssh/id_rsa.pub
-    mode: "0600"
-    optional: true
-trust:
-  org:
-    - linuxkit

examples/platform-aws.yml

@@ -0,0 +1,33 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+services:
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    binds:
+     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/platform-azure.yml

@@ -0,0 +1,23 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+services:
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+files:
+  - path: root/.ssh/authorized_keys
+    source: ~/.ssh/id_rsa.pub
+    mode: "0600"
+    optional: true

examples/platform-gcp.yml

@@ -0,0 +1,37 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    binds:
+     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/platform-hetzner.yml

@@ -0,0 +1,36 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: console=ttyS1
+  ucode: intel-ucode.cpio
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/firmware:8f89601312327c78999a880ee104ceae9a25d20e
+onboot:
+  - name: rngd1
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    command: ["/sbin/rngd", "-1"]
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    command: ["/usr/bin/metadata", "hetzner"]
+services:
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+files:
+  - path: root/.ssh/authorized_keys
+    source: ~/.ssh/id_rsa.pub
+    mode: "0600"
+    optional: true

examples/platform-packet.arm64.yml

@@ -0,0 +1,14 @@
+# This YAML snippet is to be used in conjunction with packet.yml to
+# build a arm64 image for packet.net. It adds a modprobe of the NIC
+# driver and overrides the kernel section to disable prepending the
+# Intel CPU microcode to the initrd. If writing a YAML specifically
+# for arm64 then the 'ucode' line in the kernel section can be left
+# out.
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyAMA0"
+  ucode: ""
+onboot:
+  - name: modprobe
+    image: linuxkit/modprobe:1b59b4f2ebb877085ea0d8d3a41cf06f64c09a15
+    command: ["modprobe", "nicvf"]

examples/platform-packet.yml

@@ -0,0 +1,36 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: console=ttyS1
+  ucode: intel-ucode.cpio
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/firmware:8f89601312327c78999a880ee104ceae9a25d20e
+onboot:
+  - name: rngd1
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    command: ["/sbin/rngd", "-1"]
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    command: ["/usr/bin/metadata", "packet"]
+services:
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+files:
+  - path: root/.ssh/authorized_keys
+    source: ~/.ssh/id_rsa.pub
+    mode: "0600"
+    optional: true

examples/platform-rt-for-vmware.yml

@@ -0,0 +1,32 @@
+kernel:
+  image: linuxkit/kernel:5.11.4-rt
+  cmdline: "console=tty0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+  - name: open-vm-tools
+    image: linuxkit/open-vm-tools:4c3158c7ba27f7ad0ede5d383ca25b57c5588a26
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/platform-scaleway.yml

@@ -0,0 +1,26 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: rngd1
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    command: ["/sbin/rngd", "-1"]
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a

examples/platform-vmware.yml

@@ -0,0 +1,30 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=tty0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/platform-vultr.yml

@@ -0,0 +1,38 @@
+kernel:
+  image: linuxkit/kernel:5.10.104
+  cmdline: "console=ttyS0"
+init:
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    command: ["/usr/bin/metadata", "vultr"]
+services:
+  - name: getty
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    binds:
+     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf

examples/redis-os.yml

@@ -1,19 +1,19 @@
 # Minimal YAML to run a redis server (used at DockerCon'17)
 # connect: nc localhost 6379
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   # Currently redis:4.0.6-alpine has trust issue with multi-arch
@@ -27,7 +27,3 @@ services:
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
     net: host
-trust:
-  org:
-    - linuxkit
-    - library

examples/rt-for-vmware.yml

@@ -1,36 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.19.25-rt
-  cmdline: "console=tty0"
-init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.7
-services:
-  - name: getty
-    image: linuxkit/getty:v0.7
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.7
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
-  - name: open-vm-tools
-    image: linuxkit/open-vm-tools:v0.7
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/scaleway.yml

@@ -1,29 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.19.34
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
-init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.7
-  - name: rngd1
-    image: linuxkit/rngd:v0.7
-    command: ["/sbin/rngd", "-1"]
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.7
-services:
-  - name: getty
-    image: linuxkit/getty:v0.7
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.7
-trust:
-  org:
-    - linuxkit

examples/sshd.yml

@@ -1,33 +1,30 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: rngd1
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
     command: ["/sbin/rngd", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
   - name: sshd
-    image: linuxkit/sshd:v0.7
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
 files:
   - path: root/.ssh/authorized_keys
     source: ~/.ssh/id_rsa.pub
     mode: "0600"
     optional: true
-trust:
-  org:
-    - linuxkit

examples/static-ip.yml

@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: ip
-    image: linuxkit/ip:v0.7
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     binds:
      - /etc/ip:/etc/ip
     command: ["ip", "-b", "/etc/ip/eth0.conf"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
 files:     
@@ -27,6 +27,3 @@ files:
 #      domain test.local
       nameserver 10.10.1.101
       nameserver 10.10.1.100     
-trust:
-  org:
-    - linuxkit

examples/swap.yml

@@ -1,35 +1,31 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:v0.7
+    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
   - name: mount
-    image: linuxkit/mount:v0.7
+    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
     command: ["/usr/bin/mountie", "/var/external"]
   - name: swap
-    image: linuxkit/swap:v0.7
+    image: linuxkit/swap:77305236719ed7ab4be0f3bccc179c583fe7f5ff
     # to use unencrypted swap, use:
     # command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
     command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:v0.7
-trust:
-  org:
-    - linuxkit
-    - library
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a

examples/tpm.yml

@@ -1,30 +1,27 @@
 kernel:
-  image: linuxkit/kernel:4.9.38
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
   - name: tss
-    image: linuxkit/tss:v0.7
+    image: linuxkit/tss:9cfa8c15f2120415aab35efcfdede5b3b5fe5b4c
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)
     contents: 'root:$6$6tPd2uhHrecCEKug$8mKfcgfwguP7f.BLdZsT1Wz7WIIJOBY1oUFHzIv9/O71M2J0EPdtFqFGTxB1UK5ejqQxRFQ.ZSG9YXR0SNsc11:17322:0:::::'
-trust:
-  org:
-    - linuxkit

examples/vmware.yml

@@ -1,34 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.19.34
-  cmdline: "console=tty0"
-init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.7
-services:
-  - name: getty
-    image: linuxkit/getty:v0.7
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.7
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/vpnkit-forwarder.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: mount-vpnkit
-    image: alpine:3.9
+    image: alpine:3.13
     binds:
         - /var/:/host_var:rbind,rshared
     capabilities:
@@ -19,9 +19,9 @@ onboot:
     command: ["sh", "-c", "mkdir /host_var/vpnkit && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
 services:
   - name: sshd
-    image: linuxkit/sshd:v0.7
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
   - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:v0.7
+    image: linuxkit/vpnkit-forwarder:ea4dded7386b09dd647e854664b029be0a4f420f
     binds:
         - /var/vpnkit:/port
     net: host
@@ -32,7 +32,3 @@ files:
     source: ~/.ssh/id_rsa.pub
     mode: "0600"
     optional: true
-
-trust:
-  org:
-    - linuxkit

examples/vsudd-containerd.yml

@@ -1,22 +1,18 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: vsudd
-    image: linuxkit/vsudd:v0.7
+    image: linuxkit/vsudd:89980cd551d3174b6d8528f39fbd7fd1ca049161
     binds:
         - /run/containerd/containerd.sock:/run/containerd/containerd.sock
     command: ["/vsudd",
         "-inport", "2374:unix:/run/containerd/containerd.sock"]
-
-trust:
-  org:
-    - linuxkit

examples/vultr.yml

@@ -1,41 +0,0 @@
-kernel:
-  image: linuxkit/kernel:4.19.34
-  cmdline: "console=ttyS0"
-init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:v0.7
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:v0.7
-services:
-  - name: getty
-    image: linuxkit/getty:v0.7
-    env:
-     - INSECURE=true
-  - name: rngd
-    image: linuxkit/rngd:v0.7
-  - name: sshd
-    image: linuxkit/sshd:v0.7
-    binds:
-     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
-  - name: nginx
-    image: nginx:1.13.8-alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-    binds:
-     - /etc/resolv.conf:/etc/resolv.conf
-trust:
-  org:
-    - linuxkit
-    - library

examples/wireguard.yml

@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:4.19.34
+  image: linuxkit/kernel:5.10.104
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.7
-  - linuxkit/runc:v0.7
-  - linuxkit/containerd:v0.7
-  - linuxkit/ca-certificates:v0.7
+  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
+  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
+  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:v0.7
+    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
   - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.7
+    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: wg0
-    image: linuxkit/ip:v0.7
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     net: new
     binds:
       - /etc/wireguard:/etc/wireguard
@@ -26,7 +26,7 @@ onboot:
       bindNS:
           net: /run/netns/wg0
   - name: wg1
-    image: linuxkit/ip:v0.7
+    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
     net: new
     binds:
       - /etc/wireguard:/etc/wireguard
@@ -40,12 +40,12 @@ onboot:
           net: /run/netns/wg1
 services:
   - name: getty
-    image: linuxkit/getty:v0.7
+    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
     env:
      - INSECURE=true
     net: /run/netns/wg1
   - name: rngd
-    image: linuxkit/rngd:v0.7
+    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
   - name: nginx
     image: nginx:1.13.8-alpine
     net: /run/netns/wg0
@@ -77,7 +77,3 @@ files:
       PublicKey = AcS5t3PC5nL/oj0sYhc3yFpDlRaXoJ0mfEq6iq0rFF4=
       AllowedIPs = 0.0.0.0/0
       Endpoint = 127.0.0.1:51820
-trust:
-  org:
-    - linuxkit
-    - library

kernel/Dockerfile

@@ -1,4 +1,6 @@
-FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec AS kernel-build
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE} AS kernel-build
+ARG BUILD_IMAGE
 RUN apk add \
     argp-standalone \
     automake \
@@ -16,11 +18,15 @@ RUN apk add \
     installkernel \
     kmod \
     elfutils-dev \
+    libunwind-dev \
     linux-headers \
     mpc1-dev \
     mpfr-dev \
     ncurses-dev \
+    openssl \
+    openssl-dev \
     patch \
+    rsync \
     sed \
     squashfs-tools \
     tar \
@@ -28,23 +34,18 @@ RUN apk add \
     xz-dev \
     zlib-dev
 
-# libunwind-dev pkg is missed from arm64 now, below statement will be removed if the pkg is available.
-RUN [ $(uname -m) == x86_64 ] && apk add libunwind-dev || true
-
 ARG KERNEL_VERSION
 ARG KERNEL_SERIES
 ARG EXTRA
 ARG DEBUG
 
-ENV WIREGUARD_VERSION=0.0.20190227
-ENV WIREGUARD_SHA256="fcdb26fd2692d9e1dee54d14418603c38fbb973a06ce89d08fbe45292ff37f79"
-ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz
-
 # We copy the entire directory. This copies some unneeded files, but
 # allows us to check for the existence /patches-${KERNEL_SERIES} to
 # build kernels without patches.
 COPY / /
 
+RUN mkdir -p /out/src
+
 # Download and verify kernel
 # PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org) & 00411886 (torvalds@linux-foundation.org)
 RUN KERNEL_MAJOR=$(echo ${KERNEL_VERSION} | cut -d . -f 1) && \
@@ -61,7 +62,25 @@ RUN KERNEL_MAJOR=$(echo ${KERNEL_VERSION} | cut -d . -f 1) && \
     xz -d linux-${KERNEL_VERSION}.tar.xz && \
     curl -fsSLO ${KERNEL_PGP2_SIGN} && \
     gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
-    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux
+    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux && \
+    printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
+
+WORKDIR /tmp
+# Download Intel ucode, create a CPIO archive for it, and keep it in the build context
+# so the firmware can also be referenced with CONFIG_EXTRA_FIRMWARE
+ENV UCODE_REPO=https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
+ENV UCODE_COMMIT=microcode-20210608
+RUN set -e && \
+    if [ $(uname -m) == x86_64 ]; then \
+        git clone ${UCODE_REPO} ucode && \
+        cd ucode && \
+        git checkout ${UCODE_COMMIT} && \
+        iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \
+        cp license /out/intel-ucode-license.txt && \
+        mkdir -p /lib/firmware && \
+        cp -rav ./intel-ucode /lib/firmware; \
+    fi
+
 
 WORKDIR /linux
 # Apply local specific patches if present
@@ -83,8 +102,6 @@ RUN set -e && \
         done; \
     fi
 
-RUN mkdir -p /out/src
-
 # Save kernel source
 RUN tar cJf /out/src/linux.tar.xz /linux
 
@@ -96,9 +113,6 @@ RUN case $(uname -m) in \
     aarch64) \
         KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
         ;; \
-    s390x) \
-        KERNEL_DEF_CONF=/linux/arch/s390/defconfig; \
-        ;; \
     esac  && \
     cp /config-${KERNEL_SERIES}-$(uname -m) ${KERNEL_DEF_CONF}; \
     if [ -n "${EXTRA}" ] && [ -f "/config-${KERNEL_SERIES}-$(uname -m)${EXTRA}" ]; then \
@@ -123,23 +137,12 @@ RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
     aarch64) \
         cp arch/arm64/boot/Image.gz /out/kernel; \
         ;; \
-    s390x) \
-        cp arch/s390/boot/bzImage /out/kernel; \
-        ;; \
     esac && \
     cp System.map /out && \
     ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
 
-# WireGuard
-RUN curl -fsSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
-    echo "${WIREGUARD_SHA256}  /wireguard.tar.xz" | sha256sum -c - && \
-    cp /wireguard.tar.xz /out/src/ && \
-    tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "WireGuard-${WIREGUARD_VERSION}/src" && \
-    make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules
-
 # Modules and Device Tree binaries
 RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
-    make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
     ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
       cd /tmp/kernel-modules/lib/modules/$DVER && \
       rm build source && \
@@ -171,20 +174,7 @@ RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdept
          tar cf - -T - | (cd $dir; tar xf -) && \
     ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
 
-RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
-
-# Download Intel ucode and create a CPIO archive for it
-ENV UCODE_URL=https://downloadmirror.intel.com/28087/eng/microcode-20180807a.tgz
-RUN set -e && \
-    if [ $(uname -m) == x86_64 ]; then \
-        cd /ucode && \
-        curl -fsSL -o microcode.tar.gz ${UCODE_URL} && \
-        md5sum -c intel-ucode-md5sums && \
-        tar xf microcode.tar.gz && \
-        rm -f intel-ucode/list && \
-        iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \
-        cp intel-ucode-license.txt /out; \
-    fi
+RUN printf "${BUILD_IMAGE}" > /out/kernel-builder
 
 FROM scratch
 ENTRYPOINT []

kernel/Dockerfile.bcc

@@ -1,7 +1,9 @@
 ARG IMAGE
+ARG BUILD_IMAGE
+
 FROM ${IMAGE} as ksrc
 
-FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec AS build
+FROM ${BUILD_IMAGE} AS build
 RUN apk update && apk upgrade -a && \
   apk add --no-cache \
   argp-standalone \
@@ -14,6 +16,7 @@ RUN apk update && apk upgrade -a && \
   clang-static \
   cmake \
   curl \
+  elfutils-dev \
   flex-dev \
   fts-dev \
   gettext-dev \
@@ -26,40 +29,21 @@ RUN apk update && apk upgrade -a && \
   llvm-static \
   luajit-dev \
   m4 \
-  python \
+  python3 \
   zlib-dev \
   && true
 
-RUN ln -s /usr/lib/cmake/llvm5/ /usr/lib/cmake/llvm && \
-    ln -s /usr/include/llvm5/llvm-c/ /usr/include/llvm-c && \
-    ln -s /usr/include/llvm5/llvm/ /usr/include/llvm
+RUN ln -s /usr/lib/cmake/llvm10/ /usr/lib/cmake/llvm && \
+    ln -s /usr/include/llvm10/llvm-c/ /usr/include/llvm-c && \
+    ln -s /usr/include/llvm10/llvm/ /usr/include/llvm
 
 WORKDIR /build
 
-COPY ./bcc.patches/ ./
-RUN mv error.h /usr/include/ && \
-    mv cdefs.h /usr/include/sys/
-
-ENV ELFUTILS_VERSION=0.165
-ENV ELFUTILS_SHA256="a7fc9277192caaa5f30b47e8c0518dbcfd8c4a19c6493a63d511d804290ce972"
-RUN curl -sSL -O https://fedorahosted.org/releases/e/l/elfutils/0.165/elfutils-$ELFUTILS_VERSION.tar.bz2 && \
-    echo "${ELFUTILS_SHA256}  /build/elfutils-$ELFUTILS_VERSION.tar.bz2" | sha256sum -c - && \
-    tar xjf elfutils-$ELFUTILS_VERSION.tar.bz2 && \
-    cd elfutils-$ELFUTILS_VERSION && \
-    patch -p1 < ../100-musl-compat.patch && \
-    patch -p0 < ../decl.patch && \
-    patch -p0 < ../intl.patch
-
-ENV BCC_COMMIT=6972806729da00ecda0235abac61d66c8fad7fad
+ENV BCC_COMMIT=14278bf1a52dd76ff66eed02cc9db7c7ec240da6
 RUN git clone https://github.com/iovisor/bcc.git && \
     cd bcc && \
     git checkout $BCC_COMMIT && \
-    patch -p0 < ../bcc-gnuism.patch && patch -p0 < ../bcc-lua.patch
-
-ENV LJSYSCALL_COMMIT=e587f8c55aad3955dddab3a4fa6c1968037b5c6e
-RUN git clone https://github.com/justincormack/ljsyscall.git && \
-    cd ljsyscall && \
-    git checkout $LJSYSCALL_COMMIT
+    sed -i 's/<error.h>/<errno.h>/' examples/cpp/KModRetExample.cc
 
 COPY --from=ksrc /kernel-headers.tar /build
 COPY --from=ksrc /kernel-dev.tar /build
@@ -68,24 +52,15 @@ RUN tar xf /build/kernel-headers.tar && \
     tar xf /build/kernel-dev.tar && \
     tar xf /build/kernel.tar
 
-RUN cd elfutils-$ELFUTILS_VERSION && \
-    aclocal && \
-    automake && \
-    ./configure --prefix=/usr CFLAGS=-Wno-strict-aliasing && \
-    make -C libelf && make -C libelf install
-
 RUN mkdir -p bcc/build && cd bcc/build && \
     cmake .. -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON \
              -DCMAKE_C_FLAGS="-I/build/usr/include" \
+             -DPYTHON_CMD=python3 \
              -DCMAKE_CXX_FLAGS="-I/build/usr/include" \
-             -DCMAKE_INSTALL_PREFIX=/usr \
-             -DLUAJIT_INCLUDE_DIR=/usr/include/luajit-2.1 && \
+             -DCMAKE_INSTALL_PREFIX=/usr && \
     make && \
     make install
 
-RUN mkdir -p /usr/local/share/lua/5.1/ && \
-    cd ljsyscall && \
-    cp -a *.lua syscall /usr/local/share/lua/5.1/
 RUN mkdir -p /out/usr/ && \
     cp -a /build/usr/src /out/usr/ && \
     cp -a /build/usr/include /out/usr
@@ -94,22 +69,20 @@ RUN mkdir -p /out/usr/lib && \
     cp -a /usr/lib/libstdc* /out/usr/lib/ && \
     cp -a /usr/lib/libintl* /out/usr/lib/ && \
     cp -a /usr/lib64/* /out/usr/lib/
-RUN mkdir -p /out/usr/lib/python2.7 && \
-    cp -a /usr/lib/python2.7/site-packages /out/usr/lib/python2.7/
+RUN mkdir -p /out/usr/lib/python3.8 && \
+    cp -a /usr/lib/python3.8/site-packages /out/usr/lib/python3.8/
 RUN mkdir -p /out/usr/share && \
     cp -a /usr/share/bcc /out/usr/share/
 RUN mkdir -p /out/usr/bin && \
     cp -a /usr/bin/bcc-lua /out/usr/bin/
-RUN mkdir -p /out/usr/local/share/ && \
-    cp -a /usr/local/share/lua /out/usr/local/share/
 
-FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec as mirror
+FROM ${BUILD_IMAGE} as mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk update && apk upgrade -a && \
   apk add --no-cache --initdb -p /out \
   busybox \
   luajit \
-  python \
+  python3 \
   zlib \
   && true
 

kernel/Dockerfile.kconfig

@@ -1,4 +1,8 @@
-FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec AS kernel-build
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE} AS kernel-build
+
+ARG KERNEL_VERSIONS
+
 RUN apk add \
     argp-standalone \
     bison \
@@ -14,8 +18,6 @@ RUN apk add \
     patch \
     xz
 
-ARG KERNEL_VERSIONS
-
 COPY / /
 
 # Unpack kernels (download if not present)
@@ -25,7 +27,7 @@ RUN set -e && \
         MAJOR=v${MAJOR}.x && \
         echo "Downloading/Unpacking $VERSION" && \
         KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/${MAJOR}/linux-${VERSION}.tar.xz && \
-        [ -f sources/linux-${VERSION}.tar.xz ] || curl -fSLo sources/linux-${VERSION}.tar.xz ${KERNEL_SOURCE} && \
+        [ -f sources/linux-${VERSION}.tar.xz ] || curl -fSLo sources/linux-${VERSION}.tar.xz --create-dirs ${KERNEL_SOURCE} && \
         bsdtar xf sources/linux-${VERSION}.tar.xz; \
     done
 
@@ -43,7 +45,6 @@ RUN set -e && \
         fi && \
         [ ! -f /config-${SERIES}-x86_64 ] || mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig && \
         [ ! -f /config-${SERIES}-aarch64 ] || mv /config-${SERIES}-aarch64 arch/arm64/configs/defconfig ; \
-        [ ! -f /config-${SERIES}-s390x ] || mv /config-${SERIES}-s390x arch/s390/defconfig; \
     done
 
 ENTRYPOINT ["/bin/sh"]

kernel/Dockerfile.perf

@@ -1,9 +1,11 @@
 # This Dockerfile extracts the source code and headers from a kernel package,
 # builds the perf utility, and places it into a scratch image
 ARG IMAGE
+ARG BUILD_IMAGE
+
 FROM ${IMAGE} AS ksrc
 
-FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec AS build
+FROM ${BUILD_IMAGE} AS build
 RUN apk add \
     argp-standalone \
     bash \
@@ -17,13 +19,17 @@ RUN apk add \
     installkernel \
     kmod \
     elfutils-dev \
+    findutils \
+    libelf-static \
     mpc1-dev \
     mpfr-dev \
+    python3 \
     sed \
     tar \
     xz \
     xz-dev \
-    zlib-dev
+    zlib-dev \
+    zlib-static
 
 COPY --from=ksrc /linux.tar.xz /kernel-headers.tar /
 RUN tar xf linux.tar.xz && \
@@ -32,7 +38,7 @@ RUN tar xf linux.tar.xz && \
 WORKDIR /linux
 
 RUN mkdir -p /out && \
-    make -C tools/perf LDFLAGS=-static && \
+    make -C tools/perf LDFLAGS=-static V=1 && \
     strip tools/perf/perf && \
     cp tools/perf/perf /out
 

kernel/Dockerfile.zfs

@@ -1,6 +1,9 @@
 ARG IMAGE
+ARG BUILD_IMAGE
+
 FROM ${IMAGE} AS ksrc
-FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec AS build
+
+FROM ${BUILD_IMAGE} AS build
 RUN apk add \
     attr-dev \
     autoconf \
@@ -12,6 +15,7 @@ RUN apk add \
     libtool \
     mpc1-dev \
     mpfr-dev \
+    openssl-dev \
     util-linux-dev \
     zlib-dev
 
@@ -22,17 +26,8 @@ RUN tar xf kernel-dev.tar
 COPY --from=ksrc /kernel.tar /
 RUN tar xf kernel.tar
 
-# Note: ZFS and SPL commits must match. It's unclear how much the user
-# space tools must match the kernel module version.
-# package on Alpine is 0.6.5.9. We pick the version that compiles with
-# latest kernel we support.
-ENV VERSION=0.7.12
-
-ENV SPL_REPO=https://github.com/zfsonlinux/spl.git
-ENV SPL_COMMIT=spl-${VERSION}
-RUN git clone ${SPL_REPO} && \
-    cd spl && \
-    git checkout ${SPL_COMMIT}
+# SPL is part of the ZFS repo since 0.8.0 (https://github.com/zfsonlinux/zfs/releases/tag/zfs-0.8.0)
+ENV VERSION=0.8.1
 
 ENV ZFS_REPO=https://github.com/zfsonlinux/zfs.git
 ENV ZFS_COMMIT=zfs-${VERSION}
@@ -40,23 +35,17 @@ RUN git clone ${ZFS_REPO} && \
     cd zfs && \
     git checkout ${ZFS_COMMIT}
 
-WORKDIR /spl
-RUN ./autogen.sh && \
-    ./configure && \
-    cd module && \
-    make && \
-    make install
-
 WORKDIR /zfs
 RUN ./autogen.sh && \
-    ./configure --with-spl=/spl && \
+    ./configure && \
+    ./scripts/make_gitrev.sh && \
     cd module && \
     make -j "$(getconf _NPROCESSORS_ONLN)" && \
     make install
 
 # Run depmod against the new module directory.
 RUN cd /lib/modules && \
-    depmod -ae * 
+    depmod -ae *
 
 FROM scratch
 ENTRYPOINT []

kernel/Makefile

@@ -18,6 +18,7 @@ IMAGE:=kernel
 IMAGE_BCC:=kernel-bcc
 IMAGE_PERF:=kernel-perf
 IMAGE_ZFS:=zfs-kmod
+IMAGE_BUILDER=linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba
 
 # You can specify an extra options for the Makefile. This will:
 # - append a config$(EXTRA) to the kernel config for your kernel/arch
@@ -45,15 +46,14 @@ ARCH := $(shell uname -m)
 ifeq ($(ARCH),x86_64)
 SUFFIX=-amd64
 endif
-ifeq ($(ARCH),aarch64)
+ifeq ($(ARCH),$(filter $(ARCH),aarch64 arm64))
 SUFFIX=-arm64
 endif
-ifeq ($(ARCH),s390x)
-SUFFIX=-s390x
-endif
 
 TAG=$(HASH)$(DIRTY)
 
+BUILD_LABEL=--label org.mobyproject.linuxkit.kernel.buildimage=$(IMAGE_BUILDER)
+
 REPO?=https://github.com/linuxkit/linuxkit
 ifneq ($(REPO),)
 REPO_LABEL=--label org.opencontainers.image.source=$(REPO)
@@ -62,13 +62,8 @@ ifeq ($(DIRTY),)
 REPO_COMMIT=$(shell git rev-parse HEAD)
 COMMIT_LABEL=--label org.opencontainers.image.revision=$(REPO_COMMIT)
 endif
-LABELS=$(REPO_LABEL) $(COMMIT_LABEL)
 
-ifeq ($(DOCKER_CONTENT_TRUST),)
-ifndef NOTRUST
-export DOCKER_CONTENT_TRUST=1
-endif
-endif
+LABELS=$(REPO_LABEL) $(COMMIT_LABEL) $(BUILD_LABEL)
 
 KERNEL_VERSIONS=
 
@@ -79,6 +74,11 @@ KERNEL_VERSIONS=
 build:
 push:
 
+.PHONY: notdirty
+notdirty:
+	@if [ x"$(DIRTY)" !=  x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+
+
 # A template for defining kernel build
 # Arguments:
 # $1: Full kernel version, e.g., 4.9.22
@@ -98,125 +98,130 @@ ifeq ($(4),)
 KERNEL_VERSIONS+=$(1)
 endif
 
-build_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg | sources
+build_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg
 	docker pull $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		docker build \
 			--build-arg KERNEL_VERSION=$(1) \
 			--build-arg KERNEL_SERIES=$(2) \
 			--build-arg EXTRA=$(3) \
 			--build-arg DEBUG=$(4) \
+			--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 			$(LABELS) \
 			--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
-forcebuild_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg | sources
+
+forcebuild_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg
 	docker build \
 		--build-arg KERNEL_VERSION=$(1) \
 		--build-arg KERNEL_SERIES=$(2) \
 		--build-arg EXTRA=$(3) \
 		--build-arg DEBUG=$(4) \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 		$(LABELS) \
 		--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
-push_$(2)$(3)$(4): build_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" !=  x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+push_$(2)$(3)$(4): notdirty build_$(2)$(3)$(4)
 	docker pull $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		(docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 		 docker tag $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
 		 docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST))
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4))
 
-forcepush_$(2)$(3)$(4): forcebuild_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" !=  x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+forcepush_$(2)$(3)$(4): notdirty forcebuild_$(2)$(3)$(4)
 	docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 	 docker tag $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
 	 docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
-	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST)
+	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) && \
+	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)
+
+# tag the builder and create the manifest
+tagbuilder_$(2)$(3)$(4): notdirty
+	docker tag $(IMAGE_BUILDER) $(ORG)/$(IMAGE):$(1)$(3)$(4)-builder$(SUFFIX) && \
+	docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)-builder$(SUFFIX) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-builder
+
 
 show-tag_$(2)$(3)$(4):
 	@echo $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)
 
 build: build_$(2)$(3)$(4)
 forcebuild: forcebuild_$(2)$(3)$(4)
-push: push_$(2)$(3)$(4)
-forcepush: forcepush_$(2)$(3)$(4)
+push: push_image tagbuilder
+push_image: push_$(2)$(3)$(4)
+forcepush: forcepush_image tagbuilder
+forcepush_image: forcepush_$(2)$(3)$(4)
+tagbuilder: tagbuilder_$(2)$(3)$(4)
 show-tags: show-tag_$(2)$(3)$(4)
 
-# 'docker build' with the FROM image supplied as --build-arg
-# *and* with DOCKER_CONTENT_TRUST=1 currently does not work
-# (https://github.com/moby/moby/issues/34199). So, we pull the image
-# with DCT as part of the dependency on build_$(2)$(3)$(4) and then build
-# with DOCKER_CONTENT_TRUST explicitly set to 0
-
-# Skip perf build for now. See:
-# https://github.com/linuxkit/linuxkit/issues/3299
-ifeq ($(ARCH),SKIP)
+# Only build perf only on x86 and recent LTS and latest stable kernels
+ifeq ($(ARCH),x86_64)
+ifeq ($(2), $(filter $(2),5.15.x 5.10.x 5.4.x))
 build_perf_$(2)$(3)$(4): build_$(2)$(3)$(4)
 	docker pull $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
-		 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.perf \
+		 docker build -f Dockerfile.perf \
 			--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+			--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 			--no-cache --network=none $(LABEL) -t $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
 forcebuild_perf_$(2)$(3)$(4): build_$(2)$(3)$(4)
-	 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.perf \
+	docker build -f Dockerfile.perf \
 		--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 		--no-cache --network=none $(LABEL) -t $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
-push_perf_$(2)$(3)$(4): build_perf_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+push_perf_$(2)$(3)$(4): notdirty build_perf_$(2)$(3)$(4)
 	docker pull $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		(docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 		 docker tag $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
 		 docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST))
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4))
 
-forcepush_perf_$(2)$(3)$(4): forcebuild_perf_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+forcepush_perf_$(2)$(3)$(4): notdirty forcebuild_perf_$(2)$(3)$(4)
 	docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 	docker tag $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
 	docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
-	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST)
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)
 
 build: build_perf_$(2)$(3)$(4)
 forcebuild: forcebuild_perf_$(2)$(3)$(4)
 push: push_perf_$(2)$(3)$(4)
 forcepush: forcepush_perf_$(2)$(3)$(4)
 endif
+endif
 
-# Only build BCC on x86 and only on latest LTS and latest stable kernels.
+# Only build bcc only on x86 and recent LTS and latest stable kernels
 ifeq ($(ARCH),x86_64)
-ifneq ($(2), $(filter $(2),4.9.x))
+ifeq ($(2), $(filter $(2),5.15.x 5.10.x 5.4.x))
 build_bcc_$(2)$(3)$(4): build_$(2)$(3)$(4)
 	docker pull $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
-		 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.bcc \
+		docker build -f Dockerfile.bcc \
 			--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+			--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 			--no-cache $(LABEL) -t $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
 forcebuild_bcc_$(2)$(3)$(4): build_$(2)$(3)$(4)
-	 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.bcc \
+	 docker build -f Dockerfile.bcc \
 		--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 		--no-cache $(LABEL) -t $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .
 
-push_bcc_$(2)$(3)$(4): build_bcc_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+push_bcc_$(2)$(3)$(4): notdirty build_bcc_$(2)$(3)$(4)
 	docker pull $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		(docker push $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 		 docker tag $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)$(SUFFIX) && \
 		 docker push $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST))
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4))
 
-forcepush_bcc_$(2)$(3)$(4): forcebuild_bcc_$(2)$(3)$(4)
-	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+forcepush_bcc_$(2)$(3)$(4): notdirty forcebuild_bcc_$(2)$(3)$(4)
 	docker push $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
 	docker tag $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)$(SUFFIX) && \
 	docker push $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)$(SUFFIX) && \
-	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST)
-
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)-$(TAG) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_BCC):$(1)$(3)$(4)
 
 build: build_bcc_$(2)$(3)$(4)
 forcebuild: forcebuild_bcc_$(2)$(3)$(4)
@@ -230,18 +235,18 @@ ifeq ($(4),)
 # is incompatible with CDDL, apparently (this is ./configure check)
 build_zfs_$(2)$(3): build_$(2)$(3)
 	docker pull $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) || \
-		 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.zfs \
+		docker build -f Dockerfile.zfs \
 			--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) \
+			--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 			--no-cache $(LABEL) -t $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) .
 
-push_zfs_$(2)$(3): build_zfs_$(2)$(3)
-	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
+push_zfs_$(2)$(3): notdirty build_zfs_$(2)$(3)
 	docker pull $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) || \
 		(docker push $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) && \
 		 docker tag $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_ZFS):$(1)$(3)$(SUFFIX) && \
 		 docker push $(ORG)/$(IMAGE_ZFS):$(1)$(3)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_ZFS):$(1)$(3) $(DOCKER_CONTENT_TRUST))
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_ZFS):$(1)$(3)-$(TAG) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_ZFS):$(1)$(3))
 endif
 
 endef
@@ -251,25 +256,29 @@ endef
 # Debug targets only for latest stable and LTS stable
 #
 ifeq ($(ARCH),x86_64)
-$(eval $(call kernel,5.0.7,5.0.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.19.34,4.19.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.19.34,4.19.x,,-dbg))
-$(eval $(call kernel,4.19.25,4.19.x,-rt,))
-$(eval $(call kernel,4.14.111,4.14.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.9.168,4.9.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.15.27,5.15.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.15.27,5.15.x,,-dbg))
+$(eval $(call kernel,5.10.104,5.10.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.4.172,5.4.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.11.4,5.11.x,-rt,))
 
-else ifeq ($(ARCH),aarch64)
-$(eval $(call kernel,5.0.7,5.0.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.19.34,4.19.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.19.25,4.19.x,-rt,))
+else ifeq ($(ARCH),$(filter $(ARCH),aarch64 arm64))
+$(eval $(call kernel,5.15.27,5.15.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.10.104,5.10.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,5.11.4,5.11.x,-rt,))
 
-else ifeq ($(ARCH),s390x)
-$(eval $(call kernel,5.0.7,5.0.x,$(EXTRA),$(DEBUG)))
-$(eval $(call kernel,4.19.34,4.19.x,$(EXTRA),$(DEBUG)))
 endif
 
 # Target for kernel config
-kconfig: | sources
+kconfig:
+ifeq (${KCONFIG_TAG},)
 	docker build --no-cache -f Dockerfile.kconfig \
 		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
 		-t linuxkit/kconfig  .
+else
+	docker build --no-cache -f Dockerfile.kconfig \
+		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
+		-t linuxkit/kconfig:${KCONFIG_TAG}  .
+endif

kernel/bcc.patches/100-musl-compat.patch

@@ -1,788 +0,0 @@
---- a/lib/system.h
-+++ b/lib/system.h
-@@ -68,6 +68,16 @@ extern int crc32_file (int fd, uint32_t
- 
- #define gettext_noop(Str) Str
- 
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+  (__extension__							      \
-+    ({ long int __result;						      \
-+       do __result = (long int) (expression);				      \
-+       while (__result == -1L && errno == EINTR);			      \
-+       __result; }))
-+#endif
-+
-+#define error(status, errno, ...) err(status, __VA_ARGS__)
- 
- static inline ssize_t __attribute__ ((unused))
- pwrite_retry (int fd, const void *buf, size_t len, off_t off)
---- a/lib/color.c
-+++ b/lib/color.c
-@@ -32,7 +32,7 @@
- #endif
- 
- #include <argp.h>
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- #include <stdlib.h>
- #include <string.h>
---- a/lib/xmalloc.c
-+++ b/lib/xmalloc.c
-@@ -30,7 +30,7 @@
- # include <config.h>
- #endif
- 
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- #include <stddef.h>
- #include <stdlib.h>
---- a/src/addr2line.c
-+++ b/src/addr2line.c
-@@ -23,7 +23,7 @@
- #include <argp.h>
- #include <assert.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <inttypes.h>
- #include <libdwfl.h>
---- a/src/ar.c
-+++ b/src/ar.c
-@@ -22,7 +22,7 @@
- 
- #include <argp.h>
- #include <assert.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <libintl.h>
---- a/src/arlib2.c
-+++ b/src/arlib2.c
-@@ -20,7 +20,7 @@
- # include <config.h>
- #endif
- 
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- #include <limits.h>
- #include <string.h>
---- a/src/arlib.c
-+++ b/src/arlib.c
-@@ -21,7 +21,7 @@
- #endif
- 
- #include <assert.h>
--#include <error.h>
-+#include <err.h>
- #include <gelf.h>
- #include <libintl.h>
- #include <stdio.h>
---- a/src/elfcmp.c
-+++ b/src/elfcmp.c
-@@ -23,7 +23,7 @@
- #include <argp.h>
- #include <assert.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <locale.h>
- #include <libintl.h>
---- a/src/elflint.c
-+++ b/src/elflint.c
-@@ -24,7 +24,7 @@
- #include <assert.h>
- #include <byteswap.h>
- #include <endian.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <inttypes.h>
---- a/src/findtextrel.c
-+++ b/src/findtextrel.c
-@@ -23,7 +23,7 @@
- #include <argp.h>
- #include <assert.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <libdw.h>
---- a/src/i386_ld.c
-+++ b/src/i386_ld.c
-@@ -20,7 +20,7 @@
- #endif
- 
- #include <assert.h>
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- #include <stdlib.h>
- #include <string.h>
---- a/src/ld.c
-+++ b/src/ld.c
-@@ -21,7 +21,7 @@
- 
- #include <argp.h>
- #include <assert.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <libelf.h>
- #include <libintl.h>
---- a/src/ldgeneric.c
-+++ b/src/ldgeneric.c
-@@ -23,7 +23,7 @@
- #include <ctype.h>
- #include <dlfcn.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <fnmatch.h>
- #include <gelf.h>
---- a/src/ldlex.c
-+++ b/src/ldlex.c
-@@ -1106,7 +1106,7 @@ char *ldtext;
- #include <assert.h>
- #include <ctype.h>
- #include <elf.h>
--#include <error.h>
-+#include <err.h>
- #include <inttypes.h>
- #include <libintl.h>
- #include <stdbool.h>
---- a/src/ldscript.c
-+++ b/src/ldscript.c
-@@ -95,7 +95,7 @@
- #endif
- 
- #include <assert.h>
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- #include <stdbool.h>
- #include <stdint.h>
-@@ -106,7 +106,7 @@
- #include <system.h>
- #include <ld.h>
- 
--/* The error handler.  */
-+/* The err.handler.  */
- static void yyerror (const char *s);
- 
- /* Some helper functions we need to construct the data structures
---- a/src/nm.c
-+++ b/src/nm.c
-@@ -26,7 +26,7 @@
- #include <ctype.h>
- #include <dwarf.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <inttypes.h>
---- a/src/objdump.c
-+++ b/src/objdump.c
-@@ -21,7 +21,7 @@
- #endif
- 
- #include <argp.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <inttypes.h>
- #include <libintl.h>
---- a/src/ranlib.c
-+++ b/src/ranlib.c
-@@ -24,7 +24,7 @@
- #include <argp.h>
- #include <assert.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <libintl.h>
---- a/src/readelf.c
-+++ b/src/readelf.c
-@@ -25,7 +25,7 @@
- #include <ctype.h>
- #include <dwarf.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <inttypes.h>
---- a/src/size.c
-+++ b/src/size.c
-@@ -21,7 +21,7 @@
- #endif
- 
- #include <argp.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <inttypes.h>
---- a/src/stack.c
-+++ b/src/stack.c
-@@ -18,7 +18,7 @@
- #include <config.h>
- #include <assert.h>
- #include <argp.h>
--#include <error.h>
-+#include <err.h>
- #include <stdlib.h>
- #include <inttypes.h>
- #include <stdio.h>
---- a/src/strings.c
-+++ b/src/strings.c
-@@ -25,7 +25,7 @@
- #include <ctype.h>
- #include <endian.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <inttypes.h>
---- a/src/strip.c
-+++ b/src/strip.c
-@@ -24,7 +24,7 @@
- #include <assert.h>
- #include <byteswap.h>
- #include <endian.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <libelf.h>
---- a/src/unstrip.c
-+++ b/src/unstrip.c
-@@ -31,7 +31,7 @@
- #include <argp.h>
- #include <assert.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <fnmatch.h>
- #include <libintl.h>
---- a/tests/addrscopes.c
-+++ b/tests/addrscopes.c
-@@ -25,7 +25,7 @@
- #include <stdio_ext.h>
- #include <locale.h>
- #include <stdlib.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- 
- 
---- a/tests/allregs.c
-+++ b/tests/allregs.c
-@@ -21,7 +21,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
--#include <error.h>
-+#include <err.h>
- #include <locale.h>
- #include <argp.h>
- #include <assert.h>
---- a/tests/backtrace.c
-+++ b/tests/backtrace.c
-@@ -24,7 +24,7 @@
- #include <dirent.h>
- #include <stdlib.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <unistd.h>
- #include <dwarf.h>
- #ifdef __linux__
---- a/tests/backtrace-data.c
-+++ b/tests/backtrace-data.c
-@@ -27,7 +27,7 @@
- #include <dirent.h>
- #include <stdlib.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <unistd.h>
- #include <dwarf.h>
- #if defined(__x86_64__) && defined(__linux__)
---- a/tests/buildid.c
-+++ b/tests/buildid.c
-@@ -23,7 +23,7 @@
- #include ELFUTILS_HEADER(elf)
- #include ELFUTILS_HEADER(dwelf)
- #include <stdio.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- #include <stdlib.h>
- #include <sys/types.h>
---- a/tests/debugaltlink.c
-+++ b/tests/debugaltlink.c
-@@ -23,7 +23,7 @@
- #include ELFUTILS_HEADER(dw)
- #include ELFUTILS_HEADER(dwelf)
- #include <stdio.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- #include <stdlib.h>
- #include <sys/types.h>
---- a/tests/debuglink.c
-+++ b/tests/debuglink.c
-@@ -21,7 +21,7 @@
- #include <errno.h>
- #include ELFUTILS_HEADER(dwelf)
- #include <stdio.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- #include <stdlib.h>
- #include <sys/types.h>
---- a/tests/dwfl-addr-sect.c
-+++ b/tests/dwfl-addr-sect.c
-@@ -23,7 +23,7 @@
- #include <stdio_ext.h>
- #include <stdlib.h>
- #include <string.h>
--#include <error.h>
-+#include <err.h>
- #include <locale.h>
- #include <argp.h>
- #include ELFUTILS_HEADER(dwfl)
---- a/tests/dwfl-bug-addr-overflow.c
-+++ b/tests/dwfl-bug-addr-overflow.c
-@@ -20,7 +20,7 @@
- #include <inttypes.h>
- #include <stdio.h>
- #include <stdio_ext.h>
--#include <error.h>
-+#include <err.h>
- #include <locale.h>
- #include ELFUTILS_HEADER(dwfl)
- 
---- a/tests/dwfl-bug-fd-leak.c
-+++ b/tests/dwfl-bug-fd-leak.c
-@@ -24,7 +24,7 @@
- #include <dirent.h>
- #include <stdlib.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <unistd.h>
- #include <dwarf.h>
- #include <sys/resource.h>
---- a/tests/dwfl-bug-getmodules.c
-+++ b/tests/dwfl-bug-getmodules.c
-@@ -18,7 +18,7 @@
- #include <config.h>
- #include ELFUTILS_HEADER(dwfl)
- 
--#include <error.h>
-+#include <err.h>
- 
- static const Dwfl_Callbacks callbacks =
-   {
---- a/tests/dwfllines.c
-+++ b/tests/dwfllines.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
--#include <error.h>
-+#include <err.h>
- 
- int
- main (int argc, char *argv[])
---- a/tests/dwflmodtest.c
-+++ b/tests/dwflmodtest.c
-@@ -23,7 +23,7 @@
- #include <stdio_ext.h>
- #include <stdlib.h>
- #include <string.h>
--#include <error.h>
-+#include <err.h>
- #include <locale.h>
- #include <argp.h>
- #include ELFUTILS_HEADER(dwfl)
---- a/tests/dwfl-report-elf-align.c
-+++ b/tests/dwfl-report-elf-align.c
-@@ -20,7 +20,7 @@
- #include <inttypes.h>
- #include <stdio.h>
- #include <stdio_ext.h>
--#include <error.h>
-+#include <err.h>
- #include <locale.h>
- #include <string.h>
- #include <stdlib.h>
---- a/tests/dwflsyms.c
-+++ b/tests/dwflsyms.c
-@@ -25,7 +25,7 @@
- #include <stdio.h>
- #include <stdio_ext.h>
- #include <stdlib.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- 
- static const char *
---- a/tests/early-offscn.c
-+++ b/tests/early-offscn.c
-@@ -19,7 +19,7 @@
- #endif
- 
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <stdio.h>
---- a/tests/ecp.c
-+++ b/tests/ecp.c
-@@ -20,7 +20,7 @@
- #endif
- 
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <stdlib.h>
---- a/tests/find-prologues.c
-+++ b/tests/find-prologues.c
-@@ -25,7 +25,7 @@
- #include <stdio_ext.h>
- #include <locale.h>
- #include <stdlib.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- #include <fnmatch.h>
- 
---- a/tests/funcretval.c
-+++ b/tests/funcretval.c
-@@ -25,7 +25,7 @@
- #include <stdio_ext.h>
- #include <locale.h>
- #include <stdlib.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- #include <fnmatch.h>
- 
---- a/tests/funcscopes.c
-+++ b/tests/funcscopes.c
-@@ -25,7 +25,7 @@
- #include <stdio_ext.h>
- #include <locale.h>
- #include <stdlib.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- #include <fnmatch.h>
- 
---- a/tests/line2addr.c
-+++ b/tests/line2addr.c
-@@ -26,7 +26,7 @@
- #include <locale.h>
- #include <stdlib.h>
- #include <string.h>
--#include <error.h>
-+#include <err.h>
- 
- 
- static void
---- a/tests/low_high_pc.c
-+++ b/tests/low_high_pc.c
-@@ -25,7 +25,7 @@
- #include <stdio_ext.h>
- #include <locale.h>
- #include <stdlib.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- #include <fnmatch.h>
- 
---- a/tests/md5-sha1-test.c
-+++ b/tests/md5-sha1-test.c
-@@ -19,7 +19,7 @@
- #endif
- 
- #include <string.h>
--#include <error.h>
-+#include <err.h>
- 
- #include "md5.h"
- #include "sha1.h"
---- a/tests/rdwrmmap.c
-+++ b/tests/rdwrmmap.c
-@@ -19,7 +19,7 @@
- #endif
- 
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <stdio.h>
- #include <fcntl.h>
- #include <unistd.h>
---- a/tests/saridx.c
-+++ b/tests/saridx.c
-@@ -17,7 +17,7 @@
- 
- #include <config.h>
- 
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <stdio.h>
---- a/tests/sectiondump.c
-+++ b/tests/sectiondump.c
-@@ -18,7 +18,7 @@
- #include <config.h>
- 
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <fcntl.h>
- #include <gelf.h>
- #include <inttypes.h>
---- a/tests/varlocs.c
-+++ b/tests/varlocs.c
-@@ -25,7 +25,7 @@
- #include <dwarf.h>
- #include <stdio.h>
- #include <stdlib.h>
--#include <error.h>
-+#include <err.h>
- #include <string.h>
- #include <sys/types.h>
- #include <sys/stat.h>
---- a/libelf/libelf.h
-+++ b/libelf/libelf.h
-@@ -29,6 +29,7 @@
- #ifndef _LIBELF_H
- #define _LIBELF_H 1
- 
-+#include <fcntl.h>
- #include <stdint.h>
- #include <sys/types.h>
- 
---- a/libasm/asm_end.c
-+++ b/libasm/asm_end.c
-@@ -32,7 +32,7 @@
- #endif
- 
- #include <assert.h>
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- #include <stdio.h>
- #include <stdlib.h>
---- a/libasm/asm_newscn.c
-+++ b/libasm/asm_newscn.c
-@@ -32,7 +32,7 @@
- #endif
- 
- #include <assert.h>
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- #include <stdlib.h>
- #include <string.h>
---- a/libcpu/i386_gendis.c
-+++ b/libcpu/i386_gendis.c
-@@ -31,7 +31,7 @@
- # include <config.h>
- #endif
- 
--#include <error.h>
-+#include <err.h>
- #include <errno.h>
- #include <stdio.h>
- #include <stdlib.h>
---- a/libcpu/i386_lex.c
-+++ b/libcpu/i386_lex.c
-@@ -578,7 +578,7 @@ char *i386_text;
- #endif
- 
- #include <ctype.h>
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- 
- #include <system.h>
---- a/libcpu/i386_lex.l
-+++ b/libcpu/i386_lex.l
-@@ -31,7 +31,7 @@
- #endif
- 
- #include <ctype.h>
--#include <error.h>
-+#include <err.h>
- #include <libintl.h>
- 
- #include <system.h>
---- a/libcpu/i386_parse.c
-+++ b/libcpu/i386_parse.c
-@@ -107,7 +107,7 @@
- #include <assert.h>
- #include <ctype.h>
- #include <errno.h>
--#include <error.h>
-+#include <err.h>
- #include <inttypes.h>
- #include <libintl.h>
- #include <math.h>
---- a/libdw/libdw_alloc.c
-+++ b/libdw/libdw_alloc.c
-@@ -31,7 +31,7 @@
- # include <config.h>
- #endif
- 
--#include <error.h>
-+#include <err.h>
- #include <errno.h>
- #include <stdlib.h>
- #include <sys/param.h>
-@@ -74,5 +74,5 @@ __attribute ((noreturn, visibility ("hid
- __libdw_oom (void)
- {
-   while (1)
--    error (EXIT_FAILURE, ENOMEM, "libdw");
-+    err (EXIT_FAILURE, "libdw: out of memory");
- }
---- a/libebl/eblopenbackend.c
-+++ b/libebl/eblopenbackend.c
-@@ -32,7 +32,7 @@
- 
- #include <assert.h>
- #include <dlfcn.h>
--#include <error.h>
-+#include <err.h>
- #include <libelfP.h>
- #include <dwarf.h>
- #include <stdlib.h>
---- a/src/ldlex.l
-+++ b/src/ldlex.l
-@@ -23,7 +23,7 @@
- #include <assert.h>
- #include <ctype.h>
- #include <elf.h>
--#include <error.h>
-+#include <err.h>
- #include <inttypes.h>
- #include <libintl.h>
- #include <stdbool.h>
---- a/libebl/eblwstrtab.c
-+++ b/libebl/eblwstrtab.c
-@@ -305,7 +305,7 @@ copystrings (struct Ebl_WStrent *nodep,
- 
-   /* Process the current node.  */
-   nodep->offset = *offsetp;
--  *freep = wmempcpy (*freep, nodep->string, nodep->len);
-+  *freep = wmemcpy (*freep, nodep->string, nodep->len) + nodep->len;
-   *offsetp += nodep->len * sizeof (wchar_t);
- 
-   for (subs = nodep->next; subs != NULL; subs = subs->next)
---- a/libdwfl/dwfl_error.c
-+++ b/libdwfl/dwfl_error.c
-@@ -140,6 +140,7 @@ __libdwfl_seterrno (Dwfl_Error error)
- const char *
- dwfl_errmsg (int error)
- {
-+  static __thread char s[64] = "";
-   if (error == 0 || error == -1)
-     {
-       int last_error = global_error;
-@@ -154,7 +155,8 @@ dwfl_errmsg (int error)
-   switch (error &~ 0xffff)
-     {
-     case OTHER_ERROR (ERRNO):
--      return strerror_r (error & 0xffff, "bad", 0);
-+      strerror_r (error & 0xffff, s, sizeof(s));
-+      return s;
-     case OTHER_ERROR (LIBELF):
-       return elf_errmsg (error & 0xffff);
-     case OTHER_ERROR (LIBDW):
---- a/libdwfl/libdwfl.h
-+++ b/libdwfl/libdwfl.h
-@@ -31,6 +31,27 @@
- 
- #include "libdw.h"
- #include <stdio.h>
-+#include <unistd.h>
-+#include <alloca.h>
-+#include <string.h>
-+
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) \
-+  (__extension__                                                              \
-+    ({ long int __result;                                                     \
-+       do __result = (long int) (expression);                                 \
-+       while (__result == -1L && errno == EINTR);                             \
-+       __result; }))
-+#endif
-+
-+#ifndef strndupa
-+#define strndupa(s, n) \
-+	(__extension__ ({const char *__in = (s); \
-+			 size_t __len = strnlen (__in, (n)) + 1; \
-+			 char *__out = (char *) alloca (__len); \
-+			 __out[__len-1] = '\0'; \
-+			 (char *) memcpy (__out, __in, __len-1);}))
-+#endif
- 
- /* Handle for a session using the library.  */
- typedef struct Dwfl Dwfl;
---- a/libdwfl/find-debuginfo.c
-+++ b/libdwfl/find-debuginfo.c
-@@ -372,7 +372,7 @@ dwfl_standard_find_debuginfo (Dwfl_Modul
-       /* If FILE_NAME is a symlink, the debug file might be associated
- 	 with the symlink target name instead.  */
- 
--      char *canon = canonicalize_file_name (file_name);
-+      char *canon = realpath (file_name, NULL);
-       if (canon != NULL && strcmp (file_name, canon))
- 	fd = find_debuginfo_in_path (mod, canon,
- 				     debuglink_file, debuglink_crc,
---- a/libdwfl/dwfl_build_id_find_elf.c
-+++ b/libdwfl/dwfl_build_id_find_elf.c
-@@ -94,7 +94,7 @@ __libdwfl_open_by_build_id (Dwfl_Module
- 	{
- 	  if (*file_name != NULL)
- 	    free (*file_name);
--	  *file_name = canonicalize_file_name (name);
-+	  *file_name = realpath (name, NULL);
- 	  if (*file_name == NULL)
- 	    {
- 	      *file_name = name;
---- a/libelf/elf_getarsym.c
-+++ b/libelf/elf_getarsym.c
-@@ -297,7 +297,7 @@ elf_getarsym (Elf *elf, size_t *ptr)
- 		arsym[cnt].as_off = (*u32)[cnt];
- 
- 	      arsym[cnt].as_hash = _dl_elf_hash (str_data);
--	      str_data = rawmemchr (str_data, '\0') + 1;
-+	      str_data = memchr (str_data, '\0', SIZE_MAX) + 1;
- 	    }
- 
- 	  /* At the end a special entry.  */

kernel/bcc.patches/bcc-gnuism.patch

@@ -1,28 +0,0 @@
---- src/cc/usdt.h-orig
-+++ src/cc/usdt.h
-@@ -125,6 +125,24 @@ public:
-   ArgumentParser_powerpc64(const char *arg) : ArgumentParser(arg) {}
- };
-
-+#undef REG_A
-+#undef REG_B
-+#undef REG_C
-+#undef REG_D
-+#undef REG_SI
-+#undef REG_DI
-+#undef REG_BP
-+#undef REG_SP
-+#undef REG_8
-+#undef REG_9
-+#undef REG_10
-+#undef REG_11
-+#undef REG_12
-+#undef REG_13
-+#undef REG_14
-+#undef REG_15
-+#undef REG_RIP
-+
- class ArgumentParser_x64 : public ArgumentParser {
- private:
-   enum Register {
-

kernel/bcc.patches/bcc-lua.patch

@@ -1,43 +0,0 @@
---- src/cc/CMakeLists.txt
-+++ src/cc/CMakeLists.txt
-@@ -52,7 +52,7 @@ target_link_libraries(bcc-loader-static elf)
- add_library(bcc-static STATIC
-   ${bcc_common_sources} ${bcc_table_sources} ${bcc_util_sources})
- set_target_properties(bcc-static PROPERTIES OUTPUT_NAME bcc)
--set(bcc-lua-static
-+add_library(bcc-lua-static STATIC
-   ${bcc_common_sources} ${bcc_table_sources} ${bcc_sym_sources} ${bcc_util_sources})
- 
- include(clang_libs)
-@@ -64,9 +64,9 @@ set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${llvm_lib_exclude_f
- set(bcc_common_libs_for_a b_frontend clang_frontend bpf-static
-   -Wl,--whole-archive ${clang_libs} ${llvm_libs} -Wl,--no-whole-archive
-   ${LIBELF_LIBRARIES})
--set(bcc_common_libs_for_s ${bcc_common_libs_for_a})
--set(bcc_common_libs_for_lua b_frontend clang_frontend bpf-static
-+set(bcc_common_libs_for_s b_frontend clang_frontend bpf-static
-   ${clang_libs} ${llvm_libs} ${LIBELF_LIBRARIES})
-+set(bcc_common_libs_for_lua ${bcc_common_libs_for_s})
- 
- if(ENABLE_CPP_API)
-   add_subdirectory(api)
-@@ -87,7 +87,7 @@ add_subdirectory(frontends)
- # Link against LLVM libraries
- target_link_libraries(bcc-shared ${bcc_common_libs_for_s})
- target_link_libraries(bcc-static ${bcc_common_libs_for_a} bcc-loader-static)
--set(bcc-lua-static ${bcc-lua-static} ${bcc_common_libs_for_lua})
-+target_link_libraries(bcc-lua-static ${bcc_common_libs_for_lua})
- 
- install(TARGETS bcc-shared LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
- install(FILES ${bcc_table_headers} DESTINATION include/bcc)
---- src/lua/CMakeLists.txt
-+++ src/lua/CMakeLists.txt
-@@ -23,7 +23,7 @@ if (LUAJIT_LIBRARIES AND LUAJIT)
- 	add_executable(bcc-lua src/main.c bcc.o)
- 	set_target_properties(bcc-lua PROPERTIES LINKER_LANGUAGE C)
- 	target_link_libraries(bcc-lua ${LUAJIT_LIBRARIES})
--	target_link_libraries(bcc-lua ${bcc-lua-static})
-+	target_link_libraries(bcc-lua -Wl,--whole-archive bcc-lua-static -Wl,--no-whole-archive)
- 	if (NOT COMPILER_NOPIE_FLAG EQUAL "")
- 		target_link_libraries(bcc-lua ${COMPILER_NOPIE_FLAG})
- 	endif()

kernel/bcc.patches/cdefs.h

@@ -1,628 +0,0 @@
-/*	$NetBSD: cdefs.h,v 1.129 2016/12/27 21:52:01 christos Exp $	*/
-
-/* * Copyright (c) 1991, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Berkeley Software Design, Inc.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)cdefs.h	8.8 (Berkeley) 1/9/95
- */
-
-#ifndef	_SYS_CDEFS_H_
-#define	_SYS_CDEFS_H_
-
-#ifdef _KERNEL_OPT
-#include "opt_diagnostic.h"
-#endif
-
-/*
- * Macro to test if we're using a GNU C compiler of a specific vintage
- * or later, for e.g. features that appeared in a particular version
- * of GNU C.  Usage:
- *
- *	#if __GNUC_PREREQ__(major, minor)
- *	...cool feature...
- *	#else
- *	...delete feature...
- *	#endif
- */
-#ifdef __GNUC__
-#define	__GNUC_PREREQ__(x, y)						\
-	((__GNUC__ == (x) && __GNUC_MINOR__ >= (y)) ||			\
-	 (__GNUC__ > (x)))
-#else
-#define	__GNUC_PREREQ__(x, y)	0
-#endif
-
-#ifdef __GNUC__
-#define	__strict_weak_alias(alias,sym)					\
-	__unused static __typeof__(alias) *__weak_alias_##alias = &sym;	\
-	__weak_alias(alias,sym)
-#else
-#define	__strict_weak_alias(alias,sym) __weak_alias(alias,sym)
-#endif
-
-/*
- * Optional marker for size-optimised MD calling convention.
- */
-#ifndef __compactcall
-#define	__compactcall
-#endif
-
-/*
- * The __CONCAT macro is used to concatenate parts of symbol names, e.g.
- * with "#define OLD(foo) __CONCAT(old,foo)", OLD(foo) produces oldfoo.
- * The __CONCAT macro is a bit tricky -- make sure you don't put spaces
- * in between its arguments.  __CONCAT can also concatenate double-quoted
- * strings produced by the __STRING macro, but this only works with ANSI C.
- */
-
-#define	___STRING(x)	__STRING(x)
-#define	___CONCAT(x,y)	__CONCAT(x,y)
-
-#if __STDC__ || defined(__cplusplus)
-#define	__P(protos)	protos		/* full-blown ANSI C */
-#define	__CONCAT(x,y)	x ## y
-#define	__STRING(x)	#x
-
-#define	__const		const		/* define reserved names to standard */
-#define	__signed	signed
-#define	__volatile	volatile
-#if defined(__cplusplus) || defined(__PCC__)
-#define	__inline	inline		/* convert to C++/C99 keyword */
-#else
-#if !defined(__GNUC__) && !defined(__lint__)
-#define	__inline			/* delete GCC keyword */
-#endif /* !__GNUC__  && !__lint__ */
-#endif /* !__cplusplus */
-
-#else	/* !(__STDC__ || __cplusplus) */
-#define	__P(protos)	()		/* traditional C preprocessor */
-#define	__CONCAT(x,y)	x/**/y
-#define	__STRING(x)	"x"
-
-#ifndef __GNUC__
-#define	__const				/* delete pseudo-ANSI C keywords */
-#define	__inline
-#define	__signed
-#define	__volatile
-#endif	/* !__GNUC__ */
-
-/*
- * In non-ANSI C environments, new programs will want ANSI-only C keywords
- * deleted from the program and old programs will want them left alone.
- * Programs using the ANSI C keywords const, inline etc. as normal
- * identifiers should define -DNO_ANSI_KEYWORDS.
- */
-#ifndef	NO_ANSI_KEYWORDS
-#define	const		__const		/* convert ANSI C keywords */
-#define	inline		__inline
-#define	signed		__signed
-#define	volatile	__volatile
-#endif /* !NO_ANSI_KEYWORDS */
-#endif	/* !(__STDC__ || __cplusplus) */
-
-/*
- * Used for internal auditing of the NetBSD source tree.
- */
-#ifdef __AUDIT__
-#define	__aconst	__const
-#else
-#define	__aconst
-#endif
-
-/*
- * Compile Time Assertion.
- */
-#ifdef __COUNTER__
-#define	__CTASSERT(x)		__CTASSERT0(x, __ctassert, __COUNTER__)
-#else
-#define	__CTASSERT(x)		__CTASSERT99(x, __INCLUDE_LEVEL__, __LINE__)
-#define	__CTASSERT99(x, a, b)	__CTASSERT0(x, __CONCAT(__ctassert,a), \
-					       __CONCAT(_,b))
-#endif
-#define	__CTASSERT0(x, y, z)	__CTASSERT1(x, y, z) 
-#define	__CTASSERT1(x, y, z)	typedef char y ## z[/*CONSTCOND*/(x) ? 1 : -1] __unused
-
-/*
- * The following macro is used to remove const cast-away warnings
- * from gcc -Wcast-qual; it should be used with caution because it
- * can hide valid errors; in particular most valid uses are in
- * situations where the API requires it, not to cast away string
- * constants. We don't use *intptr_t on purpose here and we are
- * explicit about unsigned long so that we don't have additional
- * dependencies.
- */
-#define __UNCONST(a)	((void *)(unsigned long)(const void *)(a))
-
-/*
- * The following macro is used to remove the volatile cast-away warnings
- * from gcc -Wcast-qual; as above it should be used with caution
- * because it can hide valid errors or warnings.  Valid uses include
- * making it possible to pass a volatile pointer to memset().
- * For the same reasons as above, we use unsigned long and not intptr_t.
- */
-#define __UNVOLATILE(a)	((void *)(unsigned long)(volatile void *)(a))
-
-/*
- * GCC2 provides __extension__ to suppress warnings for various GNU C
- * language extensions under "-ansi -pedantic".
- */
-#if !__GNUC_PREREQ__(2, 0)
-#define	__extension__		/* delete __extension__ if non-gcc or gcc1 */
-#endif
-
-/*
- * GCC1 and some versions of GCC2 declare dead (non-returning) and
- * pure (no side effects) functions using "volatile" and "const";
- * unfortunately, these then cause warnings under "-ansi -pedantic".
- * GCC2 uses a new, peculiar __attribute__((attrs)) style.  All of
- * these work for GNU C++ (modulo a slight glitch in the C++ grammar
- * in the distribution version of 2.5.5).
- *
- * GCC defines a pure function as depending only on its arguments and
- * global variables.  Typical examples are strlen and sqrt.
- *
- * GCC defines a const function as depending only on its arguments.
- * Therefore calling a const function again with identical arguments
- * will always produce the same result.
- *
- * Rounding modes for floating point operations are considered global
- * variables and prevent sqrt from being a const function.
- *
- * Calls to const functions can be optimised away and moved around
- * without limitations.
- */
-#if !__GNUC_PREREQ__(2, 0) && !defined(__lint__)
-#define __attribute__(x)
-#endif
-
-#if __GNUC_PREREQ__(2, 5)
-#define	__dead		__attribute__((__noreturn__))
-#elif defined(__GNUC__)
-#define	__dead		__volatile
-#else
-#define	__dead
-#endif
-
-#if __GNUC_PREREQ__(2, 96)
-#define	__pure		__attribute__((__pure__))
-#elif defined(__GNUC__)
-#define	__pure		__const
-#else
-#define	__pure
-#endif
-
-#if __GNUC_PREREQ__(2, 5)
-#define	__constfunc	__attribute__((__const__))
-#else
-#define	__constfunc
-#endif
-
-#if __GNUC_PREREQ__(3, 0)
-#define	__noinline	__attribute__((__noinline__))
-#else
-#define	__noinline	/* nothing */
-#endif
-
-#if __GNUC_PREREQ__(3, 0)
-#define	__always_inline	__attribute__((__always_inline__))
-#else
-#define	__always_inline	/* nothing */
-#endif
-
-#if __GNUC_PREREQ__(4, 1)
-#define	__returns_twice	__attribute__((__returns_twice__))
-#else
-#define	__returns_twice	/* nothing */
-#endif
-
-#if __GNUC_PREREQ__(4, 5)
-#define	__noclone	__attribute__((__noclone__))
-#else
-#define	__noclone	/* nothing */
-#endif
-
-/*
- * __unused: Note that item or function might be unused.
- */
-#if __GNUC_PREREQ__(2, 7) || defined(__lint__)
-#define	__unused	__attribute__((__unused__))
-#else
-#define	__unused	/* delete */
-#endif
-
-/*
- * __used: Note that item is needed, even if it appears to be unused.
- */
-#if __GNUC_PREREQ__(3, 1)
-#define	__used		__attribute__((__used__))
-#else
-#define	__used		__unused
-#endif
-
-/*
- * __diagused: Note that item is used in diagnostic code, but may be
- * unused in non-diagnostic code.
- */
-#if (defined(_KERNEL) && defined(DIAGNOSTIC)) \
- || (!defined(_KERNEL) && !defined(NDEBUG))
-#define	__diagused	/* empty */
-#else
-#define	__diagused	__unused
-#endif
-
-/*
- * __debugused: Note that item is used in debug code, but may be
- * unused in non-debug code.
- */
-#if defined(DEBUG)
-#define	__debugused	/* empty */
-#else
-#define	__debugused	__unused
-#endif
-
-#if __GNUC_PREREQ__(3, 1)
-#define	__noprofile	__attribute__((__no_instrument_function__))
-#else
-#define	__noprofile	/* nothing */
-#endif
-
-#if __GNUC_PREREQ__(4, 6) || defined(__clang__)
-#define	__unreachable()	__builtin_unreachable()
-#else
-#define	__unreachable()	do {} while (/*CONSTCOND*/0)
-#endif
-
-#if defined(__cplusplus)
-#define	__BEGIN_EXTERN_C	extern "C" {
-#define	__END_EXTERN_C		}
-#define	__static_cast(x,y)	static_cast<x>(y)
-#else
-#define	__BEGIN_EXTERN_C
-#define	__END_EXTERN_C
-#define	__static_cast(x,y)	(x)y
-#endif
-
-#if __GNUC_PREREQ__(4, 0)
-#  define __dso_public	__attribute__((__visibility__("default")))
-#  define __dso_hidden	__attribute__((__visibility__("hidden")))
-#  define __BEGIN_PUBLIC_DECLS	\
-	_Pragma("GCC visibility push(default)") __BEGIN_EXTERN_C
-#  define __END_PUBLIC_DECLS	__END_EXTERN_C _Pragma("GCC visibility pop")
-#  define __BEGIN_HIDDEN_DECLS	\
-	_Pragma("GCC visibility push(hidden)") __BEGIN_EXTERN_C
-#  define __END_HIDDEN_DECLS	__END_EXTERN_C _Pragma("GCC visibility pop")
-#else
-#  define __dso_public
-#  define __dso_hidden
-#  define __BEGIN_PUBLIC_DECLS	__BEGIN_EXTERN_C
-#  define __END_PUBLIC_DECLS	__END_EXTERN_C
-#  define __BEGIN_HIDDEN_DECLS	__BEGIN_EXTERN_C
-#  define __END_HIDDEN_DECLS	__END_EXTERN_C
-#endif
-#if __GNUC_PREREQ__(4, 2)
-#  define __dso_protected	__attribute__((__visibility__("protected")))
-#else
-#  define __dso_protected
-#endif
-
-#define	__BEGIN_DECLS		__BEGIN_PUBLIC_DECLS
-#define	__END_DECLS		__END_PUBLIC_DECLS
-
-/*
- * Non-static C99 inline functions are optional bodies.  They don't
- * create global symbols if not used, but can be replaced if desirable.
- * This differs from the behavior of GCC before version 4.3.  The nearest
- * equivalent for older GCC is `extern inline'.  For newer GCC, use the
- * gnu_inline attribute additionally to get the old behavior.
- *
- * For C99 compilers other than GCC, the C99 behavior is expected.
- */
-#if defined(__GNUC__) && defined(__GNUC_STDC_INLINE__)
-#define	__c99inline	extern __attribute__((__gnu_inline__)) __inline
-#elif defined(__GNUC__)
-#define	__c99inline	extern __inline
-#elif defined(__STDC_VERSION__)
-#define	__c99inline	__inline
-#endif
-
-#if defined(__lint__)
-#define	__packed	__packed
-#define	__aligned(x)	/* delete */
-#define	__section(x)	/* delete */
-#elif __GNUC_PREREQ__(2, 7) || defined(__PCC__)
-#define	__packed	__attribute__((__packed__))
-#define	__aligned(x)	__attribute__((__aligned__(x)))
-#define	__section(x)	__attribute__((__section__(x)))
-#elif defined(_MSC_VER)
-#define	__packed	/* ignore */
-#else
-#define	__packed	error: no __packed for this compiler
-#define	__aligned(x)	error: no __aligned for this compiler
-#define	__section(x)	error: no __section for this compiler
-#endif
-
-/*
- * C99 defines the restrict type qualifier keyword, which was made available
- * in GCC 2.92.
- */
-#if defined(__lint__)
-#define	__restrict	/* delete __restrict when not supported */
-#elif __STDC_VERSION__ >= 199901L
-#define	__restrict	restrict
-#elif __GNUC_PREREQ__(2, 92)
-#define	__restrict	__restrict__
-#else
-#define	__restrict	/* delete __restrict when not supported */
-#endif
-
-/*
- * C99 defines __func__ predefined identifier, which was made available
- * in GCC 2.95.
- */
-#if !(__STDC_VERSION__ >= 199901L)
-#if __GNUC_PREREQ__(2, 6)
-#define	__func__	__PRETTY_FUNCTION__
-#elif __GNUC_PREREQ__(2, 4)
-#define	__func__	__FUNCTION__
-#else
-#define	__func__	""
-#endif
-#endif /* !(__STDC_VERSION__ >= 199901L) */
-
-#if defined(_KERNEL)
-#if defined(NO_KERNEL_RCSIDS)
-#undef __KERNEL_RCSID
-#define	__KERNEL_RCSID(_n, _s)		/* nothing */
-#endif /* NO_KERNEL_RCSIDS */
-#endif /* _KERNEL */
-
-#if !defined(_STANDALONE) && !defined(_KERNEL)
-#if defined(__GNUC__) || defined(__PCC__)
-#define	__RENAME(x)	___RENAME(x)
-#elif defined(__lint__)
-#define	__RENAME(x)	__symbolrename(x)
-#else
-#error "No function renaming possible"
-#endif /* __GNUC__ */
-#else /* _STANDALONE || _KERNEL */
-#define	__RENAME(x)	no renaming in kernel/standalone environment
-#endif
-
-/*
- * A barrier to stop the optimizer from moving code or assume live
- * register values. This is gcc specific, the version is more or less
- * arbitrary, might work with older compilers.
- */
-#if __GNUC_PREREQ__(2, 95)
-#define	__insn_barrier()	__asm __volatile("":::"memory")
-#else
-#define	__insn_barrier()	/* */
-#endif
-
-/*
- * GNU C version 2.96 adds explicit branch prediction so that
- * the CPU back-end can hint the processor and also so that
- * code blocks can be reordered such that the predicted path
- * sees a more linear flow, thus improving cache behavior, etc.
- *
- * The following two macros provide us with a way to use this
- * compiler feature.  Use __predict_true() if you expect the expression
- * to evaluate to true, and __predict_false() if you expect the
- * expression to evaluate to false.
- *
- * A few notes about usage:
- *
- *	* Generally, __predict_false() error condition checks (unless
- *	  you have some _strong_ reason to do otherwise, in which case
- *	  document it), and/or __predict_true() `no-error' condition
- *	  checks, assuming you want to optimize for the no-error case.
- *
- *	* Other than that, if you don't know the likelihood of a test
- *	  succeeding from empirical or other `hard' evidence, don't
- *	  make predictions.
- *
- *	* These are meant to be used in places that are run `a lot'.
- *	  It is wasteful to make predictions in code that is run
- *	  seldomly (e.g. at subsystem initialization time) as the
- *	  basic block reordering that this affects can often generate
- *	  larger code.
- */
-#if __GNUC_PREREQ__(2, 96)
-#define	__predict_true(exp)	__builtin_expect((exp) != 0, 1)
-#define	__predict_false(exp)	__builtin_expect((exp) != 0, 0)
-#else
-#define	__predict_true(exp)	(exp)
-#define	__predict_false(exp)	(exp)
-#endif
-
-/*
- * Compiler-dependent macros to declare that functions take printf-like
- * or scanf-like arguments.  They are null except for versions of gcc
- * that are known to support the features properly (old versions of gcc-2
- * didn't permit keeping the keywords out of the application namespace).
- */
-#if __GNUC_PREREQ__(2, 7)
-#define __printflike(fmtarg, firstvararg)	\
-	    __attribute__((__format__ (__printf__, fmtarg, firstvararg)))
-#ifndef __syslog_attribute__
-#define __syslog__ __printf__
-#endif
-#define __sysloglike(fmtarg, firstvararg)	\
-	    __attribute__((__format__ (__syslog__, fmtarg, firstvararg)))
-#define __scanflike(fmtarg, firstvararg)	\
-	    __attribute__((__format__ (__scanf__, fmtarg, firstvararg)))
-#define __format_arg(fmtarg)    __attribute__((__format_arg__ (fmtarg)))
-#else
-#define __printflike(fmtarg, firstvararg)	/* nothing */
-#define __scanflike(fmtarg, firstvararg)	/* nothing */
-#define __sysloglike(fmtarg, firstvararg)	/* nothing */
-#define __format_arg(fmtarg)			/* nothing */
-#endif
-
-/*
- * Macros for manipulating "link sets".  Link sets are arrays of pointers
- * to objects, which are gathered up by the linker.
- *
- * Object format-specific code has provided us with the following macros:
- *
- *	__link_set_add_text(set, sym)
- *		Add a reference to the .text symbol `sym' to `set'.
- *
- *	__link_set_add_rodata(set, sym)
- *		Add a reference to the .rodata symbol `sym' to `set'.
- *
- *	__link_set_add_data(set, sym)
- *		Add a reference to the .data symbol `sym' to `set'.
- *
- *	__link_set_add_bss(set, sym)
- *		Add a reference to the .bss symbol `sym' to `set'.
- *
- *	__link_set_decl(set, ptype)
- *		Provide an extern declaration of the set `set', which
- *		contains an array of pointers to type `ptype'.  This
- *		macro must be used by any code which wishes to reference
- *		the elements of a link set.
- *
- *	__link_set_start(set)
- *		This points to the first slot in the link set.
- *
- *	__link_set_end(set)
- *		This points to the (non-existent) slot after the last
- *		entry in the link set.
- *
- *	__link_set_count(set)
- *		Count the number of entries in link set `set'.
- *
- * In addition, we provide the following macros for accessing link sets:
- *
- *	__link_set_foreach(pvar, set)
- *		Iterate over the link set `set'.  Because a link set is
- *		an array of pointers, pvar must be declared as "type **pvar",
- *		and the actual entry accessed as "*pvar".
- *
- *	__link_set_entry(set, idx)
- *		Access the link set entry at index `idx' from set `set'.
- */
-#define	__link_set_foreach(pvar, set)					\
-	for (pvar = __link_set_start(set); pvar < __link_set_end(set); pvar++)
-
-#define	__link_set_entry(set, idx)	(__link_set_start(set)[idx])
-
-/*
- * Return the natural alignment in bytes for the given type
- */
-#if __GNUC_PREREQ__(4, 1)
-#define	__alignof(__t)  __alignof__(__t)
-#else
-#define __alignof(__t) (sizeof(struct { char __x; __t __y; }) - sizeof(__t))
-#endif
-
-/*
- * Return the number of elements in a statically-allocated array,
- * __x.
- */
-#define	__arraycount(__x)	(sizeof(__x) / sizeof(__x[0]))
-
-#ifndef __ASSEMBLER__
-/* __BIT(n): nth bit, where __BIT(0) == 0x1. */
-#define	__BIT(__n)	\
-    (((uintmax_t)(__n) >= NBBY * sizeof(uintmax_t)) ? 0 : \
-    ((uintmax_t)1 << (uintmax_t)((__n) & (NBBY * sizeof(uintmax_t) - 1))))
-
-/* __BITS(m, n): bits m through n, m < n. */
-#define	__BITS(__m, __n)	\
-	((__BIT(MAX((__m), (__n)) + 1) - 1) ^ (__BIT(MIN((__m), (__n))) - 1))
-#endif /* !__ASSEMBLER__ */
-
-/* find least significant bit that is set */
-#define	__LOWEST_SET_BIT(__mask) ((((__mask) - 1) & (__mask)) ^ (__mask))
-
-#define	__PRIuBIT	PRIuMAX
-#define	__PRIuBITS	__PRIuBIT
-
-#define	__PRIxBIT	PRIxMAX
-#define	__PRIxBITS	__PRIxBIT
-
-#define	__SHIFTOUT(__x, __mask)	(((__x) & (__mask)) / __LOWEST_SET_BIT(__mask))
-#define	__SHIFTIN(__x, __mask) ((__x) * __LOWEST_SET_BIT(__mask))
-#define	__SHIFTOUT_MASK(__mask) __SHIFTOUT((__mask), (__mask))
-
-/*
- * Only to be used in other headers that are included from both c or c++
- * NOT to be used in code.
- */
-#ifdef __cplusplus
-#define __CAST(__dt, __st)	static_cast<__dt>(__st)
-#else
-#define __CAST(__dt, __st)	((__dt)(__st))
-#endif
-
-#define __CASTV(__dt, __st)	__CAST(__dt, __CAST(void *, __st))
-#define __CASTCV(__dt, __st)	__CAST(__dt, __CAST(const void *, __st))
-
-#define __USE(a) ((void)(a))
-
-#define __type_mask(t) (/*LINTED*/sizeof(t) < sizeof(intmax_t) ? \
-    (~((1ULL << (sizeof(t) * NBBY)) - 1)) : 0ULL)
-
-#ifndef __ASSEMBLER__
-static __inline long long __zeroll(void) { return 0; }
-static __inline unsigned long long __zeroull(void) { return 0; }
-#else
-#define __zeroll() (0LL)
-#define __zeroull() (0ULL)
-#endif
-
-#define __negative_p(x) (!((x) > 0) && ((x) != 0))
-
-#define __type_min_s(t) ((t)((1ULL << (sizeof(t) * NBBY - 1))))
-#define __type_max_s(t) ((t)~((1ULL << (sizeof(t) * NBBY - 1))))
-#define __type_min_u(t) ((t)0ULL)
-#define __type_max_u(t) ((t)~0ULL)
-#define __type_is_signed(t) (/*LINTED*/__type_min_s(t) + (t)1 < (t)1)
-#define __type_min(t) (__type_is_signed(t) ? __type_min_s(t) : __type_min_u(t))
-#define __type_max(t) (__type_is_signed(t) ? __type_max_s(t) : __type_max_u(t))
-
-
-#define __type_fit_u(t, a) (/*LINTED*/!__negative_p(a) && \
-    (uintmax_t)((a) + __zeroull()) <= (uintmax_t)__type_max_u(t))
-
-#define __type_fit_s(t, a) (/*LINTED*/__negative_p(a) ? \
-    ((intmax_t)((a) + __zeroll()) >= (intmax_t)__type_min_s(t)) : \
-    ((intmax_t)((a) + __zeroll()) >= (intmax_t)0 && \
-     (intmax_t)((a) + __zeroll()) <= (intmax_t)__type_max_s(t)))
-
-/*
- * return true if value 'a' fits in type 't'
- */
-#define __type_fit(t, a) (__type_is_signed(t) ? \
-    __type_fit_s(t, a) : __type_fit_u(t, a))
-
-#endif /* !_SYS_CDEFS_H_ */

kernel/bcc.patches/decl.patch

@@ -1,23 +0,0 @@
---- libelf/elf.h-orig
-+++ libelf/elf.h
-@@ -21,7 +21,9 @@
- 
- #include <features.h>
- 
--__BEGIN_DECLS
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
- 
- /* Standard ELF types.  */
- 
-@@ -3553,6 +3555,8 @@
- #define R_TILEGX_NUM		130
- 
- 
--__END_DECLS
-+#ifdef __cplusplus
-+}
-+#endif
- 
- #endif	/* elf.h */

kernel/bcc.patches/error.h

@@ -1,29 +0,0 @@
-# include <stdio.h>
-# include <stdarg.h>
-# include <stdlib.h>
-# include <string.h>
-static void error_at_line(int status, int errnum, const char *filename,
-                          unsigned int linenum, const char *format, ...)
-{
-	va_list ap;
-
-	fflush(stdout);
-
-	if (filename != NULL)
-		fprintf(stderr, "%s:%u: ", filename, linenum);
-
-	va_start(ap, format);
-	vfprintf(stderr, format, ap);
-	va_end(ap);
-
-	if (errnum != 0)
-		fprintf(stderr, ": %s", strerror(errnum));
-
-	fprintf(stderr, "\n");
-
-	if (status != 0)
-		exit(status);
-}
-
-#define error(status, errnum, format...) \
-	error_at_line(status, errnum, NULL, 0, format)

kernel/bcc.patches/intl.patch

@@ -1,11 +0,0 @@
---- libelf/Makefile.am-orig
-+++ libelf/Makefile.am
-@@ -95,7 +95,7 @@
- libelf_pic_a_SOURCES =
- am_libelf_pic_a_OBJECTS = $(libelf_a_SOURCES:.c=.os)
- 
--libelf_so_LDLIBS = -lz
-+libelf_so_LDLIBS = -lz -lintl
- if USE_LOCKS
- libelf_so_LDLIBS += -lpthread
- endif

kernel/bcc.patches/temp_failure.patch

@@ -1,17 +0,0 @@
---- lib/system.h-orig
-+++ lib/system.h
-@@ -70,6 +70,14 @@
- 
- #define gettext_noop(Str) Str
- 
-+#ifndef TEMP_FAILURE_RETRY
-+# define TEMP_FAILURE_RETRY(expression) \
-+  (__extension__                                                              \
-+    ({ long int __result;                                                     \
-+       do __result = (long int) (expression);                                 \
-+       while (__result == -1L && errno == EINTR);                             \
-+       __result; }))
-+#endif
- 
- #define pwrite_retry(fd, buf,  len, off) \
-   TEMP_FAILURE_RETRY (pwrite (fd, buf, len, off))