check for dirty tree without update-index, which is not parallel-safe (#4133)

Signed-off-by: Avi Deitcher <avi@deitcher.net>

.github/workflows/ci.yml

@@ -35,35 +35,29 @@ jobs:
     runs-on: ${{ matrix.target.runner }}
     steps:
 
-    - name: Set up Go 1.16
-      uses: actions/setup-go@v2
+    - name: Set up Go 1.22
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.16.7
+        go-version: 1.22.3
       id: go
 
     - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
+      uses: actions/checkout@v4
 
     - name: Set path
       run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
       env:
          GOPATH: ${{runner.workspace}}
 
-    - name: Get pre-requisites
+    - name: golangci-lint CLI
+      uses: golangci/golangci-lint-action@v7
+      with:
+        version: v2.0.2
+        working-directory: src/cmd/linuxkit
+        args: --verbose --timeout=10m
+    - name: go vet CLI
       run: |
-            go get -u golang.org/x/lint/golint
-            go get -u github.com/gordonklaus/ineffassign
-      env:
-        GOPATH: ${{runner.workspace}}
-
-    # - name: Lint
-    #   run: |
-    #     make local-check
-    #   env:
-    #     GOPATH: ${{runner.workspace}}
-
+        cd src/cmd/linuxkit && go vet ./...
     - name: Build
       run: |
         make GOARCH=${{matrix.target.arch}} GOOS=${{matrix.target.os}} LOCAL_TARGET=$(pwd)/bin/linuxkit-${{matrix.target.suffix}} local-build
@@ -85,7 +79,7 @@ jobs:
         GOPATH: ${{runner.workspace}}
 
     - name: Upload binary
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v4
       with:
         name: linuxkit-${{matrix.target.suffix}}
         path: |
@@ -99,16 +93,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
+      uses: actions/checkout@v4
 
     - name: Set up binfmt
       # Only register arm64 as we are on amd64 already. s390x is not reliable
       run: docker run --privileged --rm tonistiigi/binfmt --install arm64
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -120,7 +112,7 @@ jobs:
         /usr/local/bin/linuxkit version
 
     - name: Cache Packages
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -130,17 +122,45 @@ jobs:
     - name: Build Packages
       # Skip s390x as emulation is unreliable
       run: |
-        make OPTIONS="-v --skip-platforms linux/s390x" -C pkg build
+        make OPTIONS="-v 2 --skip-platforms linux/s390x" -C pkg build
+
+    - name: Build Test Packages
+      # ensures that the test packages are in linuxkit cache when we need them for tests later
+      # Skip s390x as emulation is unreliable
+      run: |
+        make OPTIONS="-v 2 --skip-platforms linux/s390x" -C test/pkg build
+
+    - name: Check Kernel Dependencies up to date
+      # checks that any kernel dependencies are up to date.
+      # if they are, then running `make update-kernel-yamls` will not change anything
+      run: |
+        echo "checking git diff before running make update-kernel-yamls"
+        git diff --exit-code
+        echo "running make update-kernel-yamls"
+        make -C kernel update-kernel-yamls
+        echo "checking git diff again after running make update-kernel-yamls; should be no changes"
+        git diff --exit-code
+
+    - name: Build Kernels
+      # ensures that the kernel packages are in linuxkit cache when we need them for tests later
+      # no need for excluding s390x, as each build.yml in the kernel explicitly lists archs
+      run: |
+        make OPTIONS="-v 2" -C kernel build
+
+    - name: list cache contents
+      run: |
+        linuxkit cache ls
 
   test_packages:
     name: Packages Tests
     needs: [ build_packages, build ]
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        shard: [1/10,2/10,3/10,4/10,5/10,6/10,7/10,8/10,9/10,10/10]
     steps:
     - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -150,7 +170,7 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
@@ -164,7 +184,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -176,75 +196,82 @@ jobs:
         /usr/local/bin/linuxkit version
 
     - name: Restore Package Cache
-      uses: actions/cache@v2
+      uses: actions/cache@v4
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+    - name: list cache contents
+      run: |
+        linuxkit cache ls
+      
+    - name: Run Tests
+      run: make test TEST_SUITE=linuxkit.packages TEST_SHARD=${{ matrix.shard }}
+
+  test_kernel:
+    name: Kernel Tests
+    needs: [ build_packages, build ]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Install Pre-Requisites
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        sudo apt-get update
+        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
+
+    - name: Restore RTF From Cache
+      id: cache-rtf
+      uses: actions/cache@v4
+      with:
+        path: bin
+        key: rtf-${{hashFiles('Makefile')}}
+
+    - name: Build RTF
+      if: steps.cache-rtf.outputs.cache-hit != 'true'
+      run: make bin/rtf
+
+    - name: Symlink RTF
+      run: |
+        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
+
+    - name: Download linuxkit
+      uses: actions/download-artifact@v4
+      with:
+        name: linuxkit-amd64-linux
+        path: bin
+
+    - name: Symlink Linuxkit
+      run: |
+        chmod ugo+x bin/linuxkit-amd64-linux
+        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
+        /usr/local/bin/linuxkit version
+
+    - name: Restore Package Cache
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
         restore-keys: |
           ${{ runner.os }}-linuxkit-
 
+    - name: list cache contents
+      run: |
+        linuxkit cache ls
+      
     - name: Run Tests
-      run: |
-          cd test
-          rtf -l build -v run -x linuxkit.packages
-
-  test_kernel:
-    name: Kernel Tests
-    needs: build
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
-
-    - name: Install Pre-Requisites
-      run: |
-        export DEBIAN_FRONTEND=noninteractive
-        sudo apt-get update
-        sudo apt-get install -qy qemu-utils qemu-system-x86 expect
-
-    - name: Restore RTF From Cache
-      id: cache-rtf
-      uses: actions/cache@v2
-      with:
-        path: bin
-        key: rtf-${{hashFiles('Makefile')}}
-
-    - name: Build RTF
-      if: steps.cache-rtf.outputs.cache-hit != 'true'
-      run: make bin/rtf
-
-    - name: Symlink RTF
-      run: |
-        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
-
-    - name: Download linuxkit
-      uses: actions/download-artifact@v2
-      with:
-        name: linuxkit-amd64-linux
-        path: bin
-
-    - name: Symlink Linuxkit
-      run: |
-        chmod ugo+x bin/linuxkit-amd64-linux
-        sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
-        /usr/local/bin/linuxkit version
-
-    - name: Run Tests
-      run: |
-          cd test
-          rtf -l build -v run -x linuxkit.kernel
+      run: make test TEST_SUITE=linuxkit.kernel
 
   test_linuxkit:
     name: LinuxKit Build Tests
-    needs: build
+    needs: [ build_packages, build ]
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -254,11 +281,19 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
 
+    - name: Restore Package Cache
+      uses: actions/cache@v4
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+
     - name: Build RTF
       if: steps.cache-rtf.outputs.cache-hit != 'true'
       run: make bin/rtf
@@ -268,7 +303,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -279,20 +314,20 @@ jobs:
         sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
         /usr/local/bin/linuxkit version
 
-    - name: Run Tests
+    - name: list cache contents
       run: |
-          cd test
-          rtf -l build -v run -x linuxkit.build
+        linuxkit cache ls
+  
+    - name: Run Tests
+      run: make test TEST_SUITE=linuxkit.build
 
   test_platforms:
     name: Platform Tests
-    needs: build
+    needs: [ build_packages, build ]
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -302,7 +337,7 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
@@ -316,7 +351,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -327,20 +362,28 @@ jobs:
         sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
         /usr/local/bin/linuxkit version
 
-    - name: Run Tests
+    - name: Restore Package Cache
+      uses: actions/cache@v4
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+
+    - name: list cache contents
       run: |
-          cd test
-          rtf -l build -v run -x linuxkit.platforms
+        linuxkit cache ls
+      
+    - name: Run Tests
+      run: make test TEST_SUITE=linuxkit.platforms
 
   test_security:
     name: Security Tests
-    needs: build
+    needs: [ build_packages, build ]
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -350,7 +393,7 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
@@ -364,7 +407,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -375,7 +418,17 @@ jobs:
         sudo ln -s $(pwd)/bin/linuxkit-amd64-linux /usr/local/bin/linuxkit
         /usr/local/bin/linuxkit version
 
-    - name: Run Tests
+    - name: Restore Package Cache
+      uses: actions/cache@v4
+      with:
+        path: ~/.linuxkit/cache/
+        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
+        restore-keys: |
+          ${{ runner.os }}-linuxkit-
+
+    - name: list cache contents
       run: |
-          cd test
-          rtf -l build -v run -x linuxkit.security
+        linuxkit cache ls
+      
+    - name: Run Tests
+      run: make test TEST_SUITE=linuxkit.security

.github/workflows/package_release.yml

@@ -0,0 +1,38 @@
+name: Release Tagged Packages
+
+on:
+  create:
+
+jobs:
+  release:
+    name: Release packages
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/pkg-v')
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go 1.22
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.22.3
+      id: go
+    - name: Check out code
+      uses: actions/checkout@v4
+    - name: Ensure bin/ directory
+      run: mkdir -p bin
+    - name: Install linuxkit
+      run: |
+        go -C ./src/cmd/linuxkit build -o $(pwd)/bin/linuxkit 
+        sudo mv bin/linuxkit /usr/local/bin/
+    - name: Login to Docker Hub
+      uses: docker/login-action@v2
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Publish Packages as Release
+      # this should not build anything, as they all should be built already
+      # however, it can fail if we push the tag before the merge-to-master build is complete, since that may publish
+      # so *always* wait for any merge-to-master to complete before publishing pkg-v* tags
+      run: |
+        RELEASE_TAG=${GITHUB_REF#refs/tags/pkg-}
+        echo "RELEASE_TAG=${RELEASE_TAG}"
+        [ -n "${RELEASE_TAG}" ] || { echo "Not a tag"; exit 1; }
+        make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild --release ${RELEASE_TAG}"

.github/workflows/publish.yaml

@@ -14,16 +14,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
+      uses: actions/checkout@v4
     - name: Ensure bin/ directory
       run: mkdir -p bin
     - name: Download linuxkit
-      uses: actions/github-script@v3.1.0
+      uses: actions/github-script@v7
       with:
+        github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
-          var artifacts = await github.actions.listWorkflowRunArtifacts({
+          var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
               owner: context.repo.owner,
               repo: context.repo.repo,
               run_id: ${{github.event.workflow_run.id }},
@@ -31,7 +30,7 @@ jobs:
           var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
             return artifact.name == "${{ env.linuxkit_file }}"
           })[0];
-          var download = await github.actions.downloadArtifact({
+          var download = await github.rest.actions.downloadArtifact({
               owner: context.repo.owner,
               repo: context.repo.repo,
               artifact_id: matchArtifact.id,
@@ -47,7 +46,7 @@ jobs:
         sudo ln -s $(pwd)/bin/${{ env.linuxkit_file }} /usr/local/bin/linuxkit
         /usr/local/bin/linuxkit version
     - name: Restore Package Cache
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -65,3 +64,11 @@ jobs:
       # Skip s390x as emulation is unreliable
       run: |
         make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild"
+
+    - name: Publish Kernels
+      # this should only push changed ones:
+      #  - unchanged: already in the registry
+      #  - changed: already built and cached, so only will push
+      # No need to skip s390x, since kernel build.yml files all have explicit archs
+      run: |
+        make -C kernel push

.github/workflows/release.yml

@@ -1,26 +1,23 @@
-name: LinuxKit CI
+name: Release Tagged Linuxkit
 
 on:
   create:
-    tags:
-      - v*
 
 jobs:
-  build:
-    name: Build all targets
-    runs-on: macos-latest
+  build-all:
+    name: Build all targets expect macOS
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
     steps:
 
-    - name: Set up Go 1.16
-      uses: actions/setup-go@v2
+    - name: Set up Go 1.122
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.16.7
+        go-version: 1.22.3
       id: go
 
     - name: Check out code
-      uses: actions/checkout@v1
-      with:
-        path: ./src/github.com/linuxkit/linuxkit
+      uses: actions/checkout@v4
 
     - name: Set path
       run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
@@ -29,14 +26,72 @@ jobs:
 
     - name: Build
       run: |
-        make build-all-targets
+        make build-targets-linux build-targets-windows
       env:
         GOPATH: ${{runner.workspace}}
 
+    - uses: actions/upload-artifact@v4
+      with:
+        name: release-targets-except-cgo
+        path: bin/
+  
+  # separate macos build because macos needs CGO, and it is very hard to cross-compile that
+  build-macos:
+    name: Build macOS target
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+    runs-on: macos-latest
+    steps:
+
+    - name: Set up Go 1.122
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.22.3
+      id: go
+
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set path
+      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+      env:
+         GOPATH: ${{runner.workspace}}
+
+    - name: Build
+      run: |
+        make build-targets-macos
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - uses: actions/upload-artifact@v4
+      with:
+        name: release-targets-macos
+        path: bin/
+    
+  release-artifacts:
+    needs: [build-all, build-macos]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/download-artifact@v4
+      with:
+        name: release-targets-except-cgo
+        path: bintmp/release-targets-except-cgo
+    - uses: actions/download-artifact@v4
+      with:
+        name: release-targets-macos
+        path: bintmp/release-targets-macos
+    - name: Combine Artifacts
+      run: |
+        mkdir -p bin/
+        cp bintmp/*/* bin/
+    - name: Checksum Artifacts
+      run: |
+        make checksum-targets
     - name: GitHub Release
       uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
         draft: true
-        files: bin/*
+        files: bin/*
+        generate_release_notes: true

Makefile

@@ -1,6 +1,10 @@
 VERSION="v0.8+"
 
-GO_COMPILE=linuxkit/go-compile:7b1f5a37d2a93cd4a9aa2a87db264d8145944006
+# test suite to run, blank for all
+TEST_SUITE ?=
+TEST_SHARD ?=
+
+GO_COMPILE=linuxkit/go-compile:985a9db72a7e6941de5e1eb71c2b41b76bf0556f
 
 ifeq ($(OS),Windows_NT)
 LINUXKIT?=$(CURDIR)/bin/linuxkit.exe
@@ -30,7 +34,7 @@ export VERSION GO_COMPILE GOOS GOARCH LOCAL_TARGET LINUXKIT
 default: linuxkit $(RTF)
 all: default
 
-RTF_COMMIT=2351267f358ce6621c0c0d9a069f361268dba5fc
+RTF_COMMIT=1118e08445438dc37ec62b4c1e216918b3d804d2
 RTF_CMD=github.com/linuxkit/rtf/cmd
 RTF_VERSION=0.0
 $(RTF): tmp_rtf_bin.tar | bin
@@ -78,10 +82,7 @@ sign:
 
 .PHONY: test
 test:
-	$(MAKE) -C test
-
-.PHONY: collect-artifacts
-collect-artifacts: artifacts/test.img.tar.gz artifacts/test-ltp.img.tar.gz
+	$(MAKE) -C test TEST_SUITE=$(TEST_SUITE) TEST_SHARD=$(TEST_SHARD)
 
 .PHONY: ci ci-tag ci-pr
 ci: test-cross
@@ -118,18 +119,27 @@ endif
 		./scripts/update-component-sha.sh --image $${img}$(image); \
 	done
 
-.PHONY: build-all-targets
-build-all-targets: bin
-	$(MAKE) GOOS=darwin GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-arm64 local-build
-	file bin/linuxkit-darwin-arm64
-	$(MAKE) GOOS=darwin GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-amd64 local-build
-	file bin/linuxkit-darwin-amd64
+.PHONY: build-targets-all build-targets-linux build-targets-windows build-targets-macos checksum-targets
+
+build-targets-all: build-targets-linux build-targets-windows build-targets-macos
+
+build-targets-linux: bin
 	$(MAKE) GOOS=linux GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-arm64 local-build
 	file bin/linuxkit-linux-arm64
 	$(MAKE) GOOS=linux GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-amd64 local-build
 	file bin/linuxkit-linux-amd64
 	$(MAKE) GOOS=linux GOARCH=s390x LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-s390x local-build
 	file bin/linuxkit-linux-s390x
+
+build-targets-windows: bin
 	$(MAKE) GOOS=windows GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-windows-amd64.exe local-build
 	file bin/linuxkit-windows-amd64.exe
+
+build-targets-macos: bin
+	$(MAKE) GOOS=darwin GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-arm64 local-build
+	file bin/linuxkit-darwin-arm64
+	$(MAKE) GOOS=darwin GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-amd64 local-build
+	file bin/linuxkit-darwin-amd64
+
+checksum-targets: bin
 	cd bin && openssl sha256 -r linuxkit-* | tr -d '*' > checksums.txt

README.md

@@ -63,8 +63,8 @@ Once you have built the tool, use
 ```
 linuxkit build linuxkit.yml
 ```
-to build the example configuration. You can also specify different output formats, eg `linuxkit build -format raw-bios linuxkit.yml` to
-output a raw BIOS bootable disk image, or `linuxkit build -format iso-efi linuxkit.yml` to output an EFI bootable ISO image. See `linuxkit build -help` for more information.
+to build the example configuration. You can also specify different output formats, eg `linuxkit build --format raw-bios linuxkit.yml` to
+output a raw BIOS bootable disk image, or `linuxkit build --format iso-efi linuxkit.yml` to output an EFI bootable ISO image. See `linuxkit build -help` for more information.
 
 ### Booting and Testing
 
@@ -87,7 +87,7 @@ Currently supported platforms are:
   - [OpenStack](docs/platform-openstack.md) `[x86_64]`
   - [Scaleway](docs/platform-scaleway.md) `[x86_64]`
 - Baremetal:
-  - [packet.net](docs/platform-packet.md) `[x86_64, arm64]`
+  - [deploy.equinix.com](docs/platform-equinixmetal.md) `[x86_64, arm64]`
   - [Raspberry Pi Model 3b](docs/platform-rpi3.md)  `[arm64]`
 
 

contrib/open-vm-tools/open-vm-tools-ds.yaml

@@ -30,7 +30,7 @@ spec:
         operator: Exists
         effect: NoSchedule
       containers:
-      - image: linuxkit/open-vm-tools:4c3158c7ba27f7ad0ede5d383ca25b57c5588a26
+      - image: linuxkit/open-vm-tools:8a320f7453711f0544f4b03558aaf0b80c7c23f1
         name: open-vm-tools
         resources:
           requests:

docs/alpine-base-update.md

@@ -101,9 +101,9 @@ In the below, replace `linuxkit-arch` with each build machine's name:
 
 ```sh
 # one of these will not be necessary, as you will likely be executing it on one of these machines
-scp linuxkit-s390x:$LK_ROOT/tools/alpine/versions.s390x $LK_ROOT/tools/alpine/versions.s390x
-scp linuxkit-aarch64:$LK_ROOT/tools/alpine/versions.aarch64 $LK_ROOT/tools/alpine/versions.aarch64
-scp linuxkit-x86_64:$LK_ROOT/tools/alpine/versions.x86_64 $LK_ROOT/tools/alpine/versions.x86_64
+for arch in x86_64 aarch64 riscv64; do
+    scp linuxkit-$arch:$LK_ROOT/tools/alpine/versions.$arch $LK_ROOT/tools/alpine/versions.$arch
+done
 git commit -a -s -m "tools/alpine: Update to latest"
 git push $LK_REMOTE $LK_BRANCH
 ```
@@ -130,8 +130,8 @@ following which is an explanation of each one.
 ```sh
 # Update tools packages
 cd $LK_ROOT/tools
-$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
-git checkout grub/Dockerfile
+$LK_ROOT/scripts/update-component-sha.sh --image $LK_ALPINE
+git checkout mkimage-rpi3/Dockerfile
 git commit -a -s -m "tools: Update to the latest linuxkit/alpine"
 
 # Update tools dependencies
@@ -143,7 +143,7 @@ git commit -a -s -m "Update use of tools to latest"
 
 # Update test packages
 cd $LK_ROOT/test/pkg
-$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+$LK_ROOT/scripts/update-component-sha.sh --image $LK_ALPINE
 git commit -a -s -m "tests: Update packages to the latest linuxkit/alpine"
 
 # Update test packages dependencies
@@ -155,12 +155,12 @@ git commit -a -s -m "Update use of test packages to latest"
 
 # Update test cases to latest linuxkit/alpine
 cd $LK_ROOT/test/cases
-$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+$LK_ROOT/scripts/update-component-sha.sh --image $LK_ALPINE
 git commit -a -s -m "tests: Update tests cases to the latest linuxkit/alpine"
 
 # Update packages to latest linuxkit/alpine
 cd $LK_ROOT/pkg
-$LK_ROOT/scripts/update-component-sha.sh --pkg $LK_ROOT/tools/alpine
+$LK_ROOT/scripts/update-component-sha.sh --image $LK_ALPINE
 git commit -a -s -m "pkgs: Update packages to the latest linuxkit/alpine"
 
 # update package tags - may want to include the release in it if set
@@ -179,8 +179,12 @@ On your primary build machine, update the other tools packages.
 
 Note, the `git checkout` reverts the changes made by
 `update-component-sha.sh` to files which are accidentally updated.
-Important is the `git checkout` of `grub`. This is a bit old and only can be built with specific
-older versions of packages like `gcc`, and should not be updated.
+Important is the `git checkout` of some sensitive packages that only can be built with
+specific older versions of upstream packages:
+
+* `mkimage-rpi3`
+
+Only update those if you know what you are doing with them.
 
 Then we update any dependencies of these tools.
 

docs/cmdline.md

@@ -0,0 +1,19 @@
+# Kernel command-line options
+
+The kernel command-line is a string of text that the kernel parses as it is starting up. It is passed by the boot loader
+to the kernel and specifies parameters that the kernel uses to configure the system. The command-line is a list of command-line
+options separated by spaces. The options are parsed by the kernel and can be used to enable or disable certain features.
+
+LinuxKit passes all command-line options to the kernel, which uses them in the usual way.
+
+There are several options that can be used to control the behaviour of linuxkit itself, or specifically packages
+within linuxkit. Unless standard Linux options exist, these all are prefaced with `linuxkit.`.
+
+| Option | Description |
+|---|---|
+| `linuxkit.unified_cgroup_hierarchy=0` | Start up cgroups v1. If not present or set to 1, default to cgroups v1. |
+| `linuxkit.runc_debug=1` | Start runc for `onboot` and `onshutdown` containers to run with `--debug`, and add extra logging messages for each stage of starting those containers. If not present or set to 0, default to usual mode. |
+| `linuxkit.runc_console=1` | Send logs for runc for `onboot` and `onshutdown` containers, as well as the output of the containers themselves, to the console, instead of the normal output to logfiles. If not present or set to 0, default to usual mode. |
+
+It often is useful to combine both of the `linuxkit.runc_debug` and `linuxkit.runc_console` options to get the most
+information about what is happening with `onboot` containers.

docs/kernels.md

@@ -10,17 +10,51 @@ The LinuxKit kernels are based on the latest stable releases and are
 updated frequently to include bug and security fixes.  For some
 kernels we do carry additional patches, which are mostly back-ported
 fixes from newer kernels. The full kernel source with patches can be
-found on [github](https://github.com/linuxkit/linux). Each kernel
-image is tagged with the full kernel version (e.g.,
-`linuxkit/kernel:4.9.33`) and with the full kernel version plus the
-hash of the files it was created from (git tree hash of the `./kernel`
-directory). For selected kernels (mostly the LTS kernels and latest
-stable kernels) we also compile/push kernels with additional debugging
-enabled. The hub images for these kernels have the `-dbg` suffix in
-the tag. For some kernels, we also provide matching packages
-containing the `perf` utility for debugging and performance tracing.
-The perf package is called `kernel-perf` and is tagged the same way as
-the kernel packages.
+found on [github](https://github.com/linuxkit/linux).
+
+## Kernel Image Naming and Tags
+
+We publish the following kernel images:
+
+* primary kernel
+* debug kernel
+* tools for the specific kernel build - bcc and perf
+* builder image for the specific kernel build, useful for compiling compatible kernel modules
+
+### Primary Kernel Images
+
+Each kernel image is tagged with:
+
+* the full kernel version, e.g. `linuxkit/kernel:6.6.13`. This is a multi-arch index, and should be used whenever possible.
+* the full kernel version plus hash of the files it was created from (git tree hash of the `./kernel` directory), e.g. `6.6.13-c0d96951e9892a7447a8e7965d2d6bd7e621c3fd`. This is a multi-arch index.
+* the full kernel version plus architecture, e.g. `linuxkit/kernel:6.6.13-amd64` or `linuxkit/kernel:6.6.13-arm64`. Each of these is architecture specific.
+* the full kernel version plus hash of the files it was created from (git tree hash of the `./kernel` directory) plus architecture, e.g. `6.6.13-c0d96951e9892a7447a8e7965d2d6bd7e621c3fd-arm64`.
+
+### Debug Kernel Images
+
+With each kernel image, we also publish kernels with additional debugging enabled.
+These have the same image name and the same tags as the primary kernel, with the `-dbg`
+suffix added immediately after the version. E.g.
+
+* `linuxkit/kernel:6.6.13-dbg`
+* `linuxkit/kernel:6.6.13-dbg-c0d96951e9892a7447a8e7965d2d6bd7e621c3fd`
+* `linuxkit/kernel:6.6.13-dbg-amd64`
+* `linuxkit/kernel:6.6.13-dbg-c0d96951e9892a7447a8e7965d2d6bd7e621c3fd-amd64`
+
+### Tools
+
+With each kernel image, we also publish images with various tools. As of this writing,
+those tools are `perf` and `bcc`.
+
+The tools images are named `linuxkit/kernel-<tool>`, followed by the same tags as the
+primary kernel. For example:
+
+* `linuxkit/kernel-perf:6.6.13`
+* `linuxkit/kernel-perf:6.6.13-c0d96951e9892a7447a8e7965d2d6bd7e621c3fd`
+* `linuxkit/kernel-perf:6.6.13-amd64`
+* `linuxkit/kernel-perf:6.6.13-c0d96951e9892a7447a8e7965d2d6bd7e621c3fd-amd64`
+
+## Additional Contributions
 
 In addition to the official images, there are also some
 [scripts](../contrib/foreign-kernels) which repackage kernels packages
@@ -32,7 +66,6 @@ use cases for the promising IoT scenarios. All -rt patches are grabbed from
 https://www.kernel.org/pub/linux/kernel/projects/rt/. But so far we just
 enable it over 4.14.x.
 
-
 ## Loading kernel modules
 
 Most kernel modules are autoloaded with `mdev` but if you need to `modprobe` a module manually you can use the `modprobe` package in the `onboot` section like this:
@@ -67,7 +100,7 @@ For example:
 * `linuxkit/kernel:5.15.15` has builder `linuxkit/kernel:5.15.15-builder`
 
 With the above in hand, you can create a multi-stage `Dockerfile` build to compile your modules.
-There is an [example](../test/cases/020_kernel/011_kmod_4.9.x), but
+There is an [example](../test/cases/020_kernel/113_kmod_5.10.x), but
 basically one can use a multi-stage build to compile the kernel
 modules:
 
@@ -87,7 +120,7 @@ To use the kernel module, we recommend adding a final stage to the
 Dockerfile above, which copies the kernel module from the `build`
 stage and performs a `insmod` as the entry point. You can add this
 package to the `onboot` section in your YAML
-file. [kmod.yml](../test/cases/020_kernel/010_kmod_4.9.x/kmod.yml)
+file. [test.yml](../test/cases/020_kernel/113_kmod_5.10.x/test.yml)
 contains an example for the configuration.
 
 ### Builder Backups
@@ -121,51 +154,250 @@ FROM linuxkit/kernel:5.10.104 AS ksrc
 FROM linuxkit/alpine:2be490394653b7967c250e86fd42cef88de428ba AS build
 ```
 
-## Modifying the kernel config
+## Building and Modifying
 
-Each series of kernels has a config file dedicated to it
-in [../kernel/](../kernel),
-e.g.
-[config-4.9.x-x86_64](../kernel/config-4.9.x-x86_64),
-which is applied during the kernel build process.
+This section describes how to build kernels, and how to modify existing ones.
 
-If you need to modify the kernel config, `make kconfig` in
-the [kernel](../kernel) directory will create a local
-`linuxkit/kconfig` Docker image, which contains the patched sources
-for all support kernels and architectures in
-`/linux-4.<minor>.<rev>`. The kernel source also has the kernel config
-copied to the default kernel config.
+Throughout the document, the terms used are:
 
-Running the image like:
+* kernel version: actual semver version of a kernel, e.g. `6.6.13` or `5.15.27`
+* kernel series: major.minor version of a kernel, e.g. `6.6.x` or `5.15.x`
 
-```sh
-docker run --rm -ti -v $(pwd):/src linuxkit/kconfig
+Throughout this document, the architecture used is the kernel-recognized one, available
+on most systems as `uname -m`, e.g. `aarch64` or `x86_64`. You may be familiar with the alpine
+or golang one, e.g. `amd64` or `amd64`, which are not used here.
+
+**Note:** After changing _and committing any changes_ to the kernel directory or any
+subdirectories, you must update tests, examples and other dependencies. This is done
+via:
+
+```bash
+make update-kernel-yamls
 ```
 
-will give you a interactive shell where you can modify the kernel
-configuration you want, either by editing the config file, or via
-`make menuconfig` etc. Once you are done, save the file as `.config`
-and copy it back to the source tree,
-e.g. `/src/kernel-config-4.9.x-x86_64`.
+Each series of kernels has a dedicated directory in [../kernel/](../kernel),
+e.g. [6.6.x](../kernel/6.6.x) or [5.15.x](../kernel/5.15.x).
+Variants, like rt kernels, have their own directory as well, e.g. [5.11.x-rt](../kernel/5.11.x-rt).
+However, for variants, the patches from _both_ the common kernel, e.g. [5.11.x](../kernel/5.11.x),
+and the variant, e.g. [5.11.x-rt](../kernel/5.11.x-rt), are applied, and the configs from _both_ are combined.
 
-You can also configure other architectures other than the native
-one. For example to configure the arm64 kernel on x86_64, use:
+Within the series-dedicated directory, there are:
 
-```
-make ARCH=arm64 defconfig
-make ARCH=arm64 oldconfig # or menuconfig
-```
+* kernel config file for each architecture named `config-<arch>`, e.g. [6.6.13/config-x86_64](../kernel/6.6.13/config-x86_64), one per target architecture. 
+* optional patches directory, e.g. [6.6.13/patches](../kernel/6.6.13/patches), which contains patches to apply to the kernel source
+
+The config file and patches are applied during the kernel build process.
 
 **Note**: We try to keep the differences between kernel versions and
 architectures to a minimum, so if you make changes to one
 configuration also try to apply it to the others. The script [kconfig-split.py](../scripts/kconfig-split.py) can be used to compare kernel config files. For example:
 
 ```sh
-../scripts/kconfig-split.py config-4.9.x-aarch64 config-4.9.x-x86_64
+../scripts/kconfig-split.py 5.15.x/config-aarch64 5.15.x/config-x86_64
 ```
 
 creates a file with the common and the x86_64 and arm64 specific
-config options for the 4.9.x kernel series.
+config options for the 5.15.x kernel series.
+
+**Note**: The CI pipeline does *not* push out kernel images.
+Anyone modifying a kernel should:
+
+1. Follow the steps below for the desired changes and commit them.
+1. Run appropriate `make build` or variants to ensure that it works.
+1. Open a PR with the changes. This may fail, as the CI pipeline may not have access to the modified kernels.
+1. A maintainer should run `make push` to push out the images.
+1. Run (or rerun) the tests.
+
+#### Build options
+
+The targets and variants for building are as follows:
+
+* `make build` - make all kernels in the version list and their variants
+* `make build-<version>` - make all variants of a specific kernel version
+* `make buildkernel-<version>` - make all variants of a specific kernel version
+* `make buildplainkernel-<version>` - make just the provided version's kernel
+* `make builddebugkernel-<version>` - make just the provided version's debug kernel
+* `make buildtools-<version>` - make just the provided version's tools
+
+To push:
+
+* `make push` - push all kernels in the version list and their variants
+* `make push-<version>` - push all variants of a specific kernel version
+
+Finally, for convenience:
+
+* `make list` - list all kernels in the version list
+
+By default, it builds for all supported architectures. To build just for a specific
+architecture:
+
+```sh
+make build ARCH=amd64
+```
+
+The variable `ARCH` should use the golang variants only, i.e. `amd64` and `arm64`.
+
+To build for multiple architectures, call it multiple times:
+
+```sh
+make build ARCH=amd64
+make build ARCH=arm64
+```
+
+When building for a specific architecture, the build process will use your local
+Docker, passing it `--platforms` for the architecture. If you have a builder on a different
+architecture, e.g. you are running on an Apple Silicon Mac (arm64) and want to build for
+`x86_64` without emulating (which can be very slow), you can use the `BUILDER` variable:
+
+```sh
+make build ARCH=x86_64 BUILDER=remote-amd64-builder
+```
+
+Builder also supports a builder pattern. If `BUILDER` contains the string `{{.Arch}}`,
+it will be replaced with the architecture being built.
+
+For example:
+
+```sh
+make build ARCH=x86_64 BUILDER=remote-{{.Arch}}-builder
+make build ARCH=aarch64 BUILDER=remote-{{.Arch}}-builder
+```
+
+will build `x86_64` on `remote-amd64-builder` and `aarch64` on `remote-arm64-builder`.
+
+Finally, if no `BUILDER` is specified, the build will look for a builder named
+`linuxkit-linux-{{.Arch}}-builder`, e.g. `linuxkit-linux-amd64-builder` or
+`linuxkit-linux-arm64-builder`. If that builder does not exist, it will fall back to
+your local Docker setup.
+
+### Modifying the kernel config
+
+The process of modifying the kernel configuration is as follows:
+
+1. Create a `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out. By default, this will be for your local architecture, but you can override it with `make kconfig ARCH=${ARCH}`, e.g. `make kconfig ARCH=arm64`. The image is tagged with the architecture, e.g. `linuxkit/kconfig:arm64`.
+1. Run a container based on `linuxkit/kconfig`.
+1. In the container, modify the config to suit your needs using normal kernel tools like `make defconfig` or `make menuconfig`.
+1. Save the config from the image.
+
+The `linuxkit/kconfig` image contains the patched sources
+for all support kernels and architectures in `/linux-<major>.<minor>.<rev>`.
+The kernel source also has the kernel config copied to the default kernel config location,
+so that `make menuconfig` and `make defconfig` work correctly.
+
+Run the container as follows:
+
+```sh
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:aarch64
+# or
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:x86_64
+# or 
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:riscv64
+```
+
+This will give you a interactive shell where you can modify the kernel
+configuration you want, while mounting the directory, so that you can save the
+modified config.
+
+To create or modify the config, you must cd to the correct directory,
+e.g.
+
+```sh
+cd /linux-6.6.13
+# or
+cd /linux-5.15.27
+```
+
+Now you can build the config.
+
+When `make defconfig` or `make menuconfig` is done,
+the modified config file will be in `.config`; save the file back to `/src`,
+e.g.
+
+```sh
+cp .config /src/6.6.x/config-x86_64
+```
+
+You can also configure other architectures other than the native
+one. For example to configure the arm64 kernel on x86_64, use:
+
+```sh
+make ARCH=arm64 defconfig
+make ARCH=arm64 oldconfig # or menuconfig
+```
+
+It is important to note that sometimes the configuration can be subtly different
+when running `make defconfig` across architectures. Of note is that `make ARCH=riscv` on
+x86_64 or aarch64 comes out slightly differently than when run natively on riscv64.
+Feel free to try it cross, but do not be surprised if it generates outputs that are not the same.
+
+Note that the generated file **must** be final. When you actually build the kernel,
+it will check that running `make defconfig` will have no changes. If there are changes,
+the build will fail.
+
+The easiest way to check it is to rerun `make defconfig` inside the kconfig container.
+
+1. Finish your creation of the config file, as above.
+1. Copy the `.config` file to the target location, as above.
+1. Copy the `.config` file to the source location for defconfig, e.g. `cp .config arch/x86/configs/x86_64_config` or `cp. config /linux/arch/arm64/configs/defconfig`
+1. Run `make defconfig` again, and check that there are no changes, e.g. `diff .config arch/x86/configs/x86_64_config` or `diff .config /linux/arch/arm64/configs/defconfig`
+
+If there are no differences, then you can commit the new config file.
+
+Finally, test that you can build the kernel with that config as `make build-<version>`, e.g. `make build-5.15.148`.
+
+## Adding a new kernel version
+
+If you want to add a new kernel version within an existing series, e.g. `5.15.27` already exists
+and you want to add (or replace it with) `5.15.148`, apply the following process.
+
+1. Determine the series, i.e. the kernel major.minor version, followed by `x`. E.g. for `5.15.148`, the series is `5.15.x`.
+1. Modify the `KERNEL_VERSION` in the `build-args` file in the series directory to the new version. E.g. `5.15.x/build-args`.
+1. Create a new `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out.
+1. Run a container based on `linuxkit/kconfig`.
+```sh
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig
+```
+1. In the container, change directory to the kernel source directory for the new version, e.g. `cd /linux-5.15.148`.
+1. Run `make defconfig` to create the default config file.
+1. If the config file has changed, copy it out of the container and check it in, e.g. `cp .config /src/5.15.x/config-x86_64`.
+1. Repeat for other architectures.
+1. Commit the changed config files.
+1. Test that you can build the kernel with that config as `make build-<version>`, e.g. `make build-5.15.148`.
+
+## Adding a new kernel series
+
+To add a new kernel series, you need to:
+
+1. Create new directory for the series, e.g. `6.7.x`
+1. Create config files for each architecture in that directory
+1. Optionally, create a `patches/` subdirectory in that directory with any patches to add
+1. Create a `build-args` file in that directory with at least the following settings:
+```bash
+KERNEL_VERSION=<version>
+KERNEL_SERIES=<series>
+BUILD_IMAGE=linuxkit/alpine:<builder>
+```
+
+Since the last major series likely is the best basis for the new one, subject to additional modifications, you can use
+the previous one as a starting point.
+
+1. Make the directory for the new series, e.g. `mkdir 7.0.x`
+1. Create a new `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out.
+1. Run a container based on `linuxkit/kconfig`.
+```sh
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig
+```
+1. In the container, change directory to the kernel source directory for the new version, e.g. `cd /linux-7.0.5`.
+1. Copy the existing config file for the previous series, e.g. `cp /src/6.6.x/config-x86_64 .config`.
+1. Run `make oldconfig` to create the config file for the new series from the old one. Answer any questions.
+1. Save the newly generated config file `.config` to the source directory, e.g. `cp .config /src/7.0.x/config-x86_64`.
+1. Repeat for other architectures.
+1. Commit the new config files.
+1. Test that you can build the kernel with that config as `make build-<version>`, e.g. `make build-7.0.5`.
+
+In addition, there are tests that are applied to a specific kernel version, notably the tests in
+[020_kernel](../test/cases/020_kernel/). You will need to add a new test case for the new series,
+copying an existing one and modifying it as needed.
 
 ## Building and using custom kernels
 
@@ -391,3 +623,31 @@ Alpine `zfs` utilities are available in `linuxkit/alpine` and the
 version of the kernel module should match the version of the
 tools. The container where you run the `zfs` tools might also need
 `CAP_SYS_MODULE` to be able to load the kernel modules.
+
+## Kernels in examples and tests
+
+All of the linuxkit `.yml` files use the images from `linuxkit/kernel:<tag>`.
+
+When updating the kernel, you run commands to update the tests. The updates to any file that contains
+references to `linuxkit/kernel` in this repository work as follows:
+
+- Semver tags are replaced by the most recent kernel version. For example, `linuxkit/kernel:5.10.104` will become `6.6.13` when available, and then `6.6.15`, and then `7.0.1`, etc. The highest semver always is used.
+- Semver+hash tags are replaced by the most recent hash and patch version for that series. For example, `linuxkit/kernel:5.10.104-abcdef1234` will become `5.10.104-aaaa54232` (same semver, newer hash), and then `5.10.105-bbbb12345` (newer semver, newer hash), etc. The highest semver+hash always is used.
+
+This is not an inherent characteristic of `linuxkit` tool, which **never** will change your `.yml` files. It is part of
+the update process for yml files _in this repository_.
+
+The net of the above is the following rule:
+
+* If you want a reference to a specific kernel series, e.g. a test or example that works only with `5.10.x`, then use a specific hash, e.g. `linuxkit/kernel:5.10.104-abcdef1234`. The hash and patch version will update, but not more. The most common use case for this is kernel version-specific tests.
+* If you want a reference to the most recent kernel, whatever version it is, then use a semver tag, e.g. `linuxkit/kernel:6.6.13`. The most common use case for this is examples that work with any kernel version, which is the vast majority of cases.
+
+You can get the current hash by executing the following:
+
+```bash
+$ cd kernel
+$ make tag-plain-kernel-<version>
+# for example:
+$ make tag-plain-kernel-6.6.13
+linuxkit/kernel:6.6.13-3a8b3faf92390265b1fbee792b9a3fe14d14c26e
+```

docs/metadata.md

@@ -63,6 +63,21 @@ This hierarchy can then be used by individual containers, who can bind
 mount the config sub-directory into their namespace where it is
 needed.
 
+## A note on SSH
+
+Supported providers will extract public keys from metadata to a file
+located at `/run/config/ssh/authorized_keys`.  You must bind this path
+into the `sshd` namespace in order to make use of these keys.  Use a
+configuration similar to the one shown below to enable root login
+based on keys from the metadata service:
+
+```
+  - name: sshd
+    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    binds.add:
+     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
+```
+
 # Metadata image creation
 
 `linuxkit run` backends accept two options to pass metadata to the VM in a platform specific

docs/packages.md

@@ -50,6 +50,8 @@ A package source consists of a directory containing at least two files:
 
 - `image` _(string)_: *(mandatory)* The name of the image to build
 - `org` _(string)_: The hub/registry organisation to which this package belongs
+- `tag` _(string)_: The tag to use for the image, can be fixed string or template (default: `{{.Hash}}`)
+- `dockerfile` _(string)_: The dockerfile to use to build this package, must be in this directory or below (default: `Dockerfile`)
 - `arches` _(list of string)_: The architectures which this package should be built for (valid entries are `GOARCH` names)
 - `extra-sources` _(list of strings)_: Additional sources for the package outside the package directory. The format is `src:dst`, where `src` can be relative to the package directory and `dst` is the destination in the build context. This is useful for sharing files, such as vendored go code, between packages.
 - `gitrepo` _(string)_: The git repository where the package source is kept.
@@ -264,6 +266,25 @@ linuxkit pkg build --platforms=linux/arm64 --builders linux/arm64=my-remote-arm6
 
 linuxkit will try to build for `linux/arm64` using the context `my-remote-arm64`. Since that context does not exist, you will get an error.
 
+##### Preset build arguments
+
+When building packages, the following build-args automatically are set for you:
+
+* `SOURCE` - the source repository of the package
+* `REVISION` - the git commit that was used for the build
+* `GOPKGVERSION` - the go package version or pseudo-version per https://go.dev/ref/mod#glos-pseudo-version
+* `PKG_HASH` - the git tree hash of the package directory, e.g. `45a1ad5919f0b6acf0f0cf730e9434abfae11fe6`; tag part of `linuxkit pkg show-tag`
+* `PKG_IMAGE` - the name of the image that is being built, e.g. `linuxkit/init`; image name part of `linuxkit pkg show-tag`. Combine with `PKG_HASH` for the full tag.
+
+Note that the above are set **only** if you do not set them in `build.yaml`. Your settings _always_
+override these built-in ones.
+
+To use them, simply address them in your `Dockerfile`:
+
+```dockerfile
+ARG SOURCE
+```
+
 ### Build packages as a maintainer
 
 All official LinuxKit packages are multi-arch manifests and most of
@@ -360,3 +381,16 @@ ARG all_proxy
 
 LinuxKit does not judge between lower-cased or upper-cased variants of these options, e.g. `http_proxy` vs `HTTP_PROXY`,
 as `docker build` does not either. It just passes them through "as-is".
+
+## Releases
+
+Normally, whenever a package is updated, CI will build and push the package to Docker Hub by calling `linuxkit pkg push`.
+This automatically creates a tag based on the git tree hash of the package's directory.
+For example, the package in `./pkg/init` is tagged as `linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6`.
+
+In addition, you can release semver tags for packages by adding a tag to the git repository that begins with `pkg-` and is
+followed by a valid semver tag. For example, `pkg-v1.0.0`. This will cause CI to build and push the package to Docker Hub
+with the tag `v1.0.0`.
+
+Pure semver tags, like `v1.0.0`, are not used for package releases. They are used for the linuxkit project itself and to
+publish releases of the `linuxkit` binary.

docs/platform-equinixmetal.md

@@ -0,0 +1,142 @@
+# LinuxKit with bare metal on Equinix Metal
+
+[Equinix Metal](http://deploy.equinix.com) is a bare metal hosting provider.
+
+You will need to [create an Equinix Metal account] and a project to
+put this new machine into. You will also need to [create an API key]
+with appropriate read/write permissions to allow the image to boot.
+
+[create an Equinix Metal account]:https://console.equinix.com/sign-up
+[create an API key]:https://deploy.equinix.com/developers/docs/metal/identity-access-management/api-keys/
+
+The `linuxkit run equinixmetal` command can mostly either be configured via
+command line options or with environment variables. see `linuxkit run
+equinixmetal --help` for the options and environment variables.
+
+By default, `linuxkit run` will provision a new machine and remove it
+once you are done. With the `-keep` option the provisioned machine
+will not be removed. You can then use the `-device` option with the
+device ID on subsequent `linuxkit run` invocations to re-use an
+existing machine. These subsequent runs will update the iPXE data so
+you can boot alternative kernels on an existing machine.
+
+There is an example YAML file for [x86_64](../examples/equinixmetal.yml) and
+an additional YAML for [arm64](../examples/equinixmetal.arm64.yml) servers
+which provide both access to the serial console and via ssh and
+configures bonding for network devices via metadata (if supported).
+
+For x86_64 builds for Intel servers we strongly recommend adding
+`ucode: intel-ucode.cpio` to the kernel section in the YAML. This
+updates the Intel CPU microcode to the latest by prepending it to the
+generated initrd file. The `ucode` entry is only recommended when
+booting on baremetal. It should be omitted (but is harmless) when
+building images to boot in VMs.
+
+**Note**: The update of the iPXE configuration sometimes may take some
+time and the first boot may fail. Hitting return on the console to
+retry the boot typically fixes this.
+
+## Boot
+
+LinuxKit on Equinix Metal boots the `kernel+initrd` output from moby via
+[iPXE](https://deploy.equinix.com/developers/docs/metal/operating-systems/custom-ipxe/)
+which also requires a iPXE script. iPXE booting requires a HTTP server
+on which you can store your images. The `-base-url` option specifies
+the URL to a HTTP server from which `<name>-kernel`,
+`<name>-initrd.img`, and `<name>-equinixmetal.ipxe` can be downloaded during
+boot.
+
+If you have your own HTTP server, you can use `linuxkit push equinixmetal`
+to create the files (including the iPXE script) you need to make
+available.
+
+If you don't have a public HTTP server at hand, you can use the
+`-serve` option. This will create a local HTTP server which can either
+be run on another Equinix Metal machine or be made accessible with tools
+like [ngrok](https://ngrok.com/).
+
+For example, to boot the [example](../examples/platform-equinixmetal.yml)
+with a local HTTP server:
+
+```sh
+linuxkit build platform-equinixmetal.yml
+# run the web server
+# run 'ngrok http 8080' in another window
+METAL_AUTH_TOKEN=<API key> METAL_PROJECT_ID=<Project ID> \
+linuxkit run equinixmetal -serve :8080 -base-url <ngrok url> equinixmetal
+```
+
+To boot a `arm64` image for Type 2a machine (`-machine baremetal_2a`)
+you currently need to build using `linuxkit build equinixmetal.yml
+equinixmetal.arm64.yml` and then un-compress both the kernel and the initrd
+before booting, e.g:
+
+```sh
+mv equinixmetal-initrd.img equinixmetal-initrd.img.gz && gzip -d equinixmetal-initrd.img.gz
+mv equinixmetal-kernel equinixmetal-kernel.gz && gzip -d equinixmetal-kernel.gz
+```
+
+The LinuxKit image can then be booted with:
+
+```sh
+METAL_API_TOKEN=<API key> METAL_PROJECT_ID=<Project ID> \
+linuxkit run equinixmetal -machine baremetal_2a  -serve :8080 -base-url -base-url <ngrok url> equinixmetal
+```
+
+Alternatively, `linuxkit push equinixmetal` will uncompress the kernel and
+initrd images on arm machines (or explicitly via the `-decompress`
+flag. There is also a `linuxkit serve` command which will start a
+local HTTP server serving the specified directory.
+
+**Note**: It may take several minutes to deploy a new server. If you
+are attached to the console, you should see the BIOS and the boot
+messages.
+
+
+## Console
+
+By default, `linuxkit run equinixmetal ...` will connect to the
+Equinix Metal
+[SOS ("Serial over SSH") console](https://deploy.equinix.com/developers/docs/metal/resilience-recovery/serial-over-ssh/). This
+requires `ssh` access, i.e., you must have uploaded your SSH keys to
+Equinix Metal beforehand.
+
+You can exit the console vi `~.` on a new line once you are
+disconnected from the serial, e.g. after poweroff.
+
+**Note**: We also require that the Equinix Metal SOS host is in your
+`known_hosts` file, otherwise the connection to the console will
+fail. There is a Equinix Metal SOS host per zone.
+
+You can disable the serial console access with the `-console=false`
+command line option.
+
+
+## Disks
+
+At this moment the Linuxkit server boots from RAM, with no persistent
+storage.  We are working on adding persistent storage support on Equinix Metal.
+
+
+## Networking
+
+On the baremetal type 2a system (arm64 Cavium Thunder X) the network device driver does not get autoloaded by `mdev`. Please add:
+
+```
+  - name: modprobe
+    image: linuxkit/modprobe:<hash>
+    command: ["modprobe", "nicvf"]
+```
+
+to your YAML files before any containers requiring the network to be up, e.g., the `dhcpcd` container.
+
+Some Equinix Metal server types have bonded networks; the `metadata` package has support for setting
+these up, and also for adding additional IP addresses.
+
+
+## Integration services and Metadata
+
+Equinix Metal supports [user state](https://deploy.equinix.com/developers/docs/metal/server-metadata/user-data/)
+during system bringup, which enables the boot process to be more informative about the
+current state of the boot process once the kernel has loaded but before the
+system is ready for login.

docs/platform-hyperkit.md

@@ -20,7 +20,7 @@ The HyperKit backend currently supports booting:
 You need to select the boot method manually using the command line
 options. The default is `kernel+initrd`. `kernel+squashfs` can be
 selected using `-squashfs` and to boot a ISO with EFI you have to
-specify `-iso -uefi`.
+specify `--iso --uefi`.
 
 The `kernel+initrd` uses a RAM disk for the root filesystem. If you
 have RAM constraints or large images we recommend using either the

docs/platform-hyperv.md

@@ -8,7 +8,7 @@ manage the Hyper-V VMs.
 
 Example:
 ```sh
-linuxkit.exe run -disk size=1 linuxkit-efi.iso
+linuxkit.exe run --disk size=1 linuxkit-efi.iso
 ```
 
 The Hyper-V VM, by default, is named after the prefix of the ISO, ie

docs/platform-packet.md

@@ -1,151 +0,0 @@
-# LinuxKit with bare metal on Packet
-
-[Packet](http://packet.net) is a bare metal hosting provider.
-
-You will need to [create a Packet account] and a project to
-put this new machine into. You will also need to [create an API key]
-with appropriate read/write permissions to allow the image to boot.
-
-[create a Packet account]:https://app.packet.net/#/registration/
-[create an API key]:https://help.packet.net/quick-start/api-integrations
-
-Linuxkit is known to boot on the [Type 0] 
-and [Type 1] servers at Packet.
-Support for other server types, including the [Type 2A] ARM server,
-is a work in progress.
-
-[Type 0]:https://www.packet.net/bare-metal/servers/type-0/
-[Type 1]:https://www.packet.net/bare-metal/servers/type-1/
-[Type 2A]:https://www.packet.net/bare-metal/servers/type-2a/
-
-The `linuxkit run packet` command can mostly either be configured via
-command line options or with environment variables. see `linuxkit run
-packet --help` for the options and environment variables.
-
-By default, `linuxkit run` will provision a new machine and remove it
-once you are done. With the `-keep` option the provisioned machine
-will not be removed. You can then use the `-device` option with the
-device ID on subsequent `linuxkit run` invocations to re-use an
-existing machine. These subsequent runs will update the iPXE data so
-you can boot alternative kernels on an existing machine.
-
-There is an example YAML file for [x86_64](../examples/packet.yml) and
-an additional YAML for [arm64](../examples/packet.arm64.yml) servers
-which provide both access to the serial console and via ssh and
-configures bonding for network devices via metadata (if supported).
-
-For x86_64 builds for Intel servers we strongly recommend adding
-`ucode: intel-ucode.cpio` to the kernel section in the YAML. This
-updates the Intel CPU microcode to the latest by prepending it to the
-generated initrd file. The `ucode` entry is only recommended when
-booting on baremetal. It should be omitted (but is harmless) when
-building images to boot in VMs.
-
-**Note**: The update of the iPXE configuration sometimes may take some
-time and the first boot may fail. Hitting return on the console to
-retry the boot typically fixes this.
-
-## Boot
-
-LinuxKit on Packet boots the `kernel+initrd` output from moby via
-[iPXE](https://help.packet.net/technical/infrastructure/custom-ipxe)
-which also requires a iPXE script. iPXE booting requires a HTTP server
-on which you can store your images. The `-base-url` option specifies
-the URL to a HTTP server from which `<name>-kernel`,
-`<name>-initrd.img`, and `<name>-packet.ipxe` can be downloaded during
-boot.
-
-If you have your own HTTP server, you can use `linuxkit push packet`
-to create the files (including the iPXE script) you need to make
-available.
-
-If you don't have a public HTTP server at hand, you can use the
-`-serve` option. This will create a local HTTP server which can either
-be run on another Packet machine or be made accessible with tools
-like [ngrok](https://ngrok.com/).
-
-For example, to boot the [example](../examples/packet.net)
-with a local HTTP server:
-
-```sh
-linuxkit build packet.yml
-# run the web server
-# run 'ngrok http 8080' in another window
-PACKET_API_KEY=<API key> PACKET_PROJECT_ID=<Project ID> \
-linuxkit run packet -serve :8080 -base-url <ngrok url> packet
-```
-
-To boot a `arm64` image for Type 2a machine (`-machine baremetal_2a`)
-you currently need to build using `linuxkit build packet.yml
-packet.arm64.yml` and then un-compress both the kernel and the initrd
-before booting, e.g:
-
-```sh
-mv packet-initrd.img packet-initrd.img.gz && gzip -d packet-initrd.img.gz
-mv packet-kernel packet-kernel.gz && gzip -d packet-kernel.gz
-```
-
-The LinuxKit image can then be booted with:
-
-```sh
-PACKET_API_KEY=<API key> PACKET_PROJECT_ID=<Project ID> \
-linuxkit run packet -machine baremetal_2a  -serve :8080 -base-url -base-url <ngrok url> packet
-```
-
-Alternatively, `linuxkit push packet` will uncompress the kernel and
-initrd images on arm machines (or explicitly via the `-decompress`
-flag. There is also a `linuxkit serve` command which will start a
-local HTTP server serving the specified directory.
-
-**Note**: It may take several minutes to deploy a new server. If you
-are attached to the console, you should see the BIOS and the boot
-messages.
-
-
-## Console
-
-By default, `linuxkit run packet ...` will connect to the
-Packet
-[SOS ("Serial over SSH") console](https://help.packet.net/technical/networking/sos-rescue-mode). This
-requires `ssh` access, i.e., you must have uploaded your SSH keys to
-Packet beforehand.
-
-You can exit the console vi `~.` on a new line once you are
-disconnected from the serial, e.g. after poweroff.
-
-**Note**: We also require that the Packet SOS host is in your
-`known_hosts` file, otherwise the connection to the console will
-fail. There is a Packet SOS host per zone.
-
-You can disable the serial console access with the `-console=false`
-command line option.
-
-
-## Disks
-
-At this moment the Linuxkit server boots from RAM, with no persistent
-storage.  We are working on adding persistent storage support on Packet.
-
-
-## Networking
-
-On the baremetal type 2a system (arm64 Cavium Thunder X) the network device driver does not get autoloaded by `mdev`. Please add:
-
-```
-  - name: modprobe
-    image: linuxkit/modprobe:<hash>
-    command: ["modprobe", "nicvf"]
-```
-
-to your YAML files before any containers requiring the network to be up, e.g., the `dhcpcd` container.
-
-Some Packet server types have bonded networks; the `metadata` package has support for setting
-these up, and also for adding additional IP addresses.
-
-
-## Integration services and Metadata
-
-Packet supports [user state](https://help.packet.net/technical/infrastructure/user-state)
-during system bringup, which enables the boot process to be more informative about the
-current state of the boot process once the kernel has loaded but before the
-system is ready for login.

docs/platform-qemu.md

@@ -24,9 +24,9 @@ specified with `-arch` and currently accepts `x86_64`, `aarch64`, and
 `linuxkit run qemu` can boot in different types of images:
 
 - `kernel+initrd`: This is the default mode of `linuxkit run qemu` [`x86_64`, `arm64`, `s390x`]
-- `kernel+squashfs`: `linuxkit run qemu -squashfs <path to directory>`. This expects a kernel and a squashfs image. [`x86_64`, `arm64`, `s390x`]
-- `iso-bios`: `linuxkit run qemu -iso <path to iso>` [`x86_64`]
-- `iso-efi`: `linuxkit run qemu -iso -uefi <path to iso>`. This looks in `/usr/share/ovmf/bios.bin` for the EFI firmware by default. Can be overwritten with `-fw`. [`x86_64`, `arm64`]
+- `kernel+squashfs`: `linuxkit run qemu --squashfs <path to directory>`. This expects a kernel and a squashfs image. [`x86_64`, `arm64`, `s390x`]
+- `iso-bios`: `linuxkit run qemu --iso <path to iso>` [`x86_64`]
+- `iso-efi`: `linuxkit run qemu --iso --uefi <path to iso>`. This looks in `/usr/share/ovmf/bios.bin` for the EFI firmware by default. Can be overwritten with `-fw`. [`x86_64`, `arm64`]
 - `qcow-bios`: `linuxkit run qemu disk.qcow2` [`x86_64`]
 - `raw-bios`:  `linuxkit run qemu disk.img` [`x86_64`]
 - `aws`: `linuxkit run qemu disk.img` boots a raw AWS disk image. [`x86_64`]

docs/platform-virtualization-framework.md

@@ -21,7 +21,7 @@ The Virtualization.Framework backend currently supports booting:
 You need to select the boot method manually using the command line
 options. The default is `kernel+initrd`. `kernel+squashfs` can be
 selected using `-squashfs` and to boot a ISO with EFI you have to
-specify `-iso -uefi`.
+specify `--iso --uefi`.
 
 The `kernel+initrd` uses a RAM disk for the root filesystem. If you
 have RAM constraints or large images we recommend using either the

docs/sbom.md

@@ -0,0 +1,72 @@
+# Software Bill-of-Materials
+
+LinuxKit bootable images are composed of existing OCI images.
+OCI images, when built, often are scanned to create a
+software bill-of-materials (SBoM). The buildkit builder
+system itself contains the [ability to integrate SBoM scanning and generation into the build process](https://docs.docker.com/build/attestations/sbom/).
+
+When LinuxKit composes an operating system image using `linuxkit build`,
+it will, by default, combine the SBoMs of all the OCI images used to create
+the final image.
+
+It looks for SBoMs in the following locations:
+
+* [image attestation storage](https://docs.docker.com/build/attestations/attestation-storage/)
+
+Future support for [OCI Image-Spec v1.1 Artifacts](https://github.com/opencontainers/image-spec)
+is under consideration, and will be reviewed when it is generally available.
+
+When building packages with `linuxkit pkg build`, it also has the ability to generate an SBoM for the
+package, which later can be consumed by `linuxkit build`.
+
+## Consuming SBoM From Packages
+
+When `linuxkit build` is run, it does the following for dealing with SBoMs:
+
+1. For each OCI image that it processes:
+   1. check if the image contains an SBoM attestation; it not, skip this step.
+   1. Retrieve the SBoM attestation.
+1. After generating the root filesystem, combine all of the individual SBoMs into a single unified SBoM.
+1. Save the output single SBoM into the root of the image as `sbom.spdx.json`.
+
+Currently, only SPDX json format is supported.
+
+### SBoM Scanner and Output Format
+
+By default, linuxkit combines the SBoMs into a file with output format SPDX json,
+and the file saved to the filename `sbom.spdx.json`.
+
+In addition, in order to assist with reproducible builds, the creation date/time of the SBoM is
+a fixed date/time set by linuxkit, rather than the current date/time. Note, however, that even
+with a fixed date/time, reproducible builds depends on reproducible SBoMs on the underlying container images.
+This is not always the case, as the unique IDs for each package and file might be deterministic, but it might not.
+
+This can be overridden by using the CLI flags:
+
+* `--no-sbom`: do not find and consolidate the SBoMs
+* `--sbom-output <filename>`: the filename to save the output to in the image.
+* `--sbom-current-time true|false`: whether or not to use the current time for the SBoM creation date/time (default `false`)
+
+### Disable SBoM for Images
+
+To disable SBoM generation when running `linuxkit build`, use the CLI flag `--sbom false`.
+
+## Generating SBoM For Packages
+
+When `linuxkit pkg build` is run, by default it enables generating an SBoM using the
+[SBoM generating capabilities of buildkit](https://www.docker.com/blog/generate-sboms-with-buildkit/).
+This means that it inherits all of those capabilities as well, and saves the SBoM in the same location,
+as an attestation on the image.
+
+### SBoM Scanner
+
+By default, buildkit runs [syft](http://hub.docker.com/r/anchore/syft) with output format SPDX json,
+specifically via its integration image [buildkit-syft-scanner](docker.io/docker/buildkit-syft-scanner).
+You can select a different image to run a scanner, provided it complies with the
+[buildkit SBoM protocol](https://github.com/moby/buildkit/blob/master/docs/attestations/sbom-protocol.md),
+by passing the CLI flag `--sbom-scanner <image>`.
+
+### Disable SBoM for Packages
+
+To disable SBoM generation when running `linuxkit pkg build`, use the CLI flag `--sbom-scanner=false`.
+

docs/troubleshooting.md

@@ -0,0 +1,36 @@
+# Troubleshooting
+
+This document contains a list of known issues related to using, building or testing linuxkit.
+
+## Images
+
+## Packages
+
+### Invalid MediaType
+
+**Problem**
+
+```
+Error: error building and pushing "linuxkit/mkimage-iso-efi-initrd:0e66171ffde9bb735b0e014f811f9626fc8b9bc9": PUT https://index.docker.io/v2/linuxkit/mkimage-iso-efi-initrd/manifests/0e66171ffde9bb735b0e014f811f9626fc8b9bc9: MANIFEST_INVALID: manifest invalid; if present, mediaType in image index should be 'application/vnd.oci.image.index.v1+json' not 'application/vnd.docker.distribution.manifest.list.v2+json'
+```
+
+The above message is caused by registries, notably docker hub, refusing to accept indexes with the
+docker media type of `application/vnd.docker.distribution.manifest.list.v2+json`, rather than the OCI
+one `application/vnd.oci.image.index.v1+json`.
+
+Linuxkit _does_ use the OCI media type, however, if the image _already_ exists in the registry, linuxkit will
+pull the index down, update it, and push it back up. The above error occurs because the index that exists in
+the hub, the one that is pulled down, has the older media type, from when the registry accepted it.
+
+**Solution**
+
+The solution is to force an entirely new build, which will generate the images and index with the correct media
+type.
+
+```
+linuxkit pkg build --force <path>
+linuxkit pkg push <path>
+```
+
+## Testing
+

docs/yaml.md

@@ -3,7 +3,7 @@
 The `linuxkit build` command assembles a set of containerised components into in image. The simplest
 type of image is just a `tar` file of the contents (useful for debugging) but more useful
 outputs add a `Dockerfile` to build a container, or build a full disk image that can be
-booted as a linuxKit VM. The main use case is to build an assembly that includes
+booted as a linuxkit VM. The main use case is to build an assembly that includes
 `containerd` to run a set of containers, but the tooling is very generic.
 
 The yaml configuration specifies the components used to build up an image . All components
@@ -16,8 +16,19 @@ The Docker images are optionally verified with Docker Content Trust.
 For private registries or private repositories on a registry credentials provided via
 `docker login` are re-used.
 
-The configuration file is processed in the order `kernel`, `init`, `onboot`, `onshutdown`,
-`services`, `files`. Each section adds files to the root file system. Sections may be omitted.
+## Sections
+
+The configuration file is processed in the order:
+
+1. `kernel`
+1. `init`
+1. `volumes`
+1. `onboot`
+1. `onshutdown`
+1. `services`
+1. `files`
+
+Each section adds files to the root file system. Sections may be omitted.
 
 Each container that is specified is allocated a unique `uid` and `gid` that it may use if it
 wishes to run as an isolated user (or user namespace). Anywhere you specify a `uid` or `gid`
@@ -40,7 +51,7 @@ files:
     mode: "0600"
 ```
 
-## `kernel`
+### `kernel`
 
 The `kernel` section is only required if booting a VM. The files will be put into the `boot/`
 directory, where they are used to build bootable images.
@@ -50,6 +61,9 @@ which should contain a `kernel` file that will be booted (eg a `bzImage` for `am
 called `kernel.tar` which is a tarball that is unpacked into the root, which should usually
 contain a kernel modules directory. `cmdline` specifies the kernel command line options if required.
 
+The contents of `cmdline` are passed to the kernel as-is. There are several special values that are
+used to control the behaviour of linuxkit packages. See [kernel command line options](../docs/cmdline.md).
+
 To override the names, you can specify the kernel image name with `binary: bzImage` and the tar image
 with `tar: kernel.tar` or the empty string or `none` if you do not want to use a tarball at all.
 
@@ -57,7 +71,7 @@ Kernel packages may also contain a cpio archive containing CPU microcode which n
 the initrd. To select this option, recommended when booting on bare metal, add `ucode: intel-ucode.cpio`
 to the kernel section.
 
-## `init`
+### `init`
 
 The `init` section is a list of images that are used for the `init` system and are unpacked directly
 into the root filesystem. This should bring up `containerd`, start the system and daemon containers,
@@ -65,14 +79,14 @@ and set up basic filesystem mounts. in the case of a LinuxKit system. For ease o
 modification `runc` and `containerd` images, which just contain these programs are added here
 rather than bundled into the `init` container.
 
-## `onboot`
+### `onboot`
 
 The `onboot` section is a list of images. These images are run before any other
 images. They are run sequentially and each must exit before the next one is run.
 These images can be used to configure one shot settings. See [Image
 specification](#image-specification) for a list of supported fields.
 
-## `onshutdown`
+### `onshutdown`
 
 This is a list of images to run on a clean shutdown. Note that you must not rely on these
 being run at all, as machines may be be powered off or shut down without having time to run
@@ -81,18 +95,149 @@ run and when they are not. Most systems are likely to be "crash only" and not ha
 but you can attempt to deregister cleanly from a network service here, rather than relying
 on timeouts, for example.
 
-## `services`
+### `services`
 
 The `services` section is a list of images for long running services which are
 run with `containerd`.  Startup order is undefined, so containers should wait
 on any resources, such as networking, that they need.  See [Image
 specification](#image-specification) for a list of supported fields.
 
-## `files`
+### `volumes`
+
+The volumes section is a list of named volumes that can be used by other containers,
+including those in `services`, `onboot` and `onshutdown`. The volumes are created in a directory
+chosen by linuxkit at build-time. The volumes then can be referenced by other containers and
+mounted into them.
+
+Volumes can be in one of several formats:
+
+* Blank directory: This is the default, and is an empty directory that is created at build-time. It is an overlayfs mount, and can be shared among multiple containers.
+* Image laid out as filesystem: The contents of the image are used to populate the volume. Default format when an image is provided.
+* Image as OCI v1-layout: The image is used as an [OCI v1-layout](https://github.com/opencontainers/image-spec/blob/main/image-layout.md). Indicated by `format: oci`.
+
+Examples of each are given later in this section.
+
+The `volumes` section can declare a volume to be read-write or read-only. If the volume is read-write,
+a volume that is mounted into a container can be mounted read-only or read-write. If the volume is read-only,
+it can be mounted into a container read-only; attempting to do so read-write will generate a build-time error.
+By default, volumes are created read-write, and are mounted read-write.
+
+Volume names **must** be unique, and must contain only lower-case alphanumeric characters, hyphens, and
+underscores.
+
+#### Samples of `volumes`
+
+##### Empty directory
+
+Yaml showing both read-only and read-write:
+
+```yml
+volumes:
+- name: dira
+  readonly: true
+- name: dirb
+  readonly: true
+```
+
+Contents:
+
+```sh
+$ cd dir && ls -la
+drwxr-xr-x   19 root  wheel   608 Sep 30 15:03 .
+drwxrwxrwt  130 root  wheel  4160 Sep 30 15:03 ..
+```
+
+In the above example:
+
+* `dira` is empty and is read-only.
+* `volb` is empty and is read-write.
+
+##### Image directory
+
+Yaml showing both read-only and read-write:
+
+```yml
+volumes:
+- name: vola
+  image: alpine:latest
+  readonly: true
+- name: volb
+  image: alpine:latest
+  format: filesystem     # optional, as this is the default format
+  readonly: false
+```
+
+In the above example:
+
+* `vola` is populated by the contents of `alpine:latest` and is read-only.
+* `volb` is populated by the contents of `alpine:latest` and is read-write.
+
+Contents:
+
+```sh
+$ cd dir && ls -la
+drwxr-xr-x   19 root  wheel   608 Sep 30 15:03 .
+drwxrwxrwt  130 root  wheel  4160 Sep 30 15:03 ..
+drwxr-xr-x   84 root  wheel  2688 Sep  6 14:34 bin
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 dev
+drwxr-xr-x   37 root  wheel  1184 Sep  6 14:34 etc
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 home
+drwxr-xr-x   13 root  wheel   416 Sep  6 14:34 lib
+drwxr-xr-x    5 root  wheel   160 Sep  6 14:34 media
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 mnt
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 opt
+dr-xr-xr-x    2 root  wheel    64 Sep  6 14:34 proc
+drwx------    2 root  wheel    64 Sep  6 14:34 root
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 run
+drwxr-xr-x   63 root  wheel  2016 Sep  6 14:34 sbin
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 srv
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 sys
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 tmp
+drwxr-xr-x    7 root  wheel   224 Sep  6 14:34 usr
+drwxr-xr-x   13 root  wheel   416 Sep  6 14:34 var
+```
+
+##### Image OCI Layout
+
+Yaml showing both read-only and read-write, and both all architectures and a limited subset:
+
+```yml
+volumes:
+- name: volo
+  image: alpine:latest
+  format: oci
+  readonly: true
+- name: volp
+  image: alpine:latest
+  readonly: false
+  format: oci
+  platforms:
+    - linux/amd64
+```
+
+In the above example:
+
+* `volo` is populated by the contents of `alpine:latest` as an OCI v1-layout for all architectures and is read-only.
+* `volb` is populated by the contents of `alpine:latest` as an OCI v1-layout just for linux/amd64 and is read-write.
+
+##### Volumes in `services`
+
+Sample usage of volumes in `services` section:
+
+```yml
+services:
+- name: myservice
+  image: alpine:latest
+  binds:
+  - volA:/mnt/volA:ro
+  - volB:/mnt/volB
+```
+
+### `files`
 
 The files section can be used to add files inline in the config, or from an external file.
 
-```
+```yml
 files:
   - path: dir
     directory: true
@@ -118,16 +263,20 @@ user's home directory.
 In addition there is a `metadata` option that will generate the file. Currently the only value
 supported here is `"yaml"` which will output the yaml used to generate the image into the specified
 file:
-```
+
+```yml
   - path: etc/linuxkit.yml
     metadata: yaml
 ```
 
+Note that if you use templates in the yaml, the final resolved version will be included in the image,
+and not the original input template.
+
 Because a `tmpfs` is mounted onto `/var`, `/run`, and `/tmp` by default, the `tmpfs` mounts will shadow anything specified in `files` section for those directories.
 
 ## Image specification
 
-Entries in the `onboot` and `services` sections specify an OCI image and
+Entries in the `onboot`, `onshutdown`, `volumes` and `services` sections specify an OCI image and
 options. Default values may be specified using the `org.mobyproject.config` image label.
 For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md).
 
@@ -202,7 +351,8 @@ which specifies some actions to take place when the container is being started.
 - `namespace` overrides the LinuxKit default containerd namespace to put the container in; only applicable to services.
 
 An example of using the `runtime` config to configure a network namespace with `wireguard` and then run `nginx` in that namespace is shown below:
-```
+
+```yml
 onboot:
   - name: dhcpcd
     image: linuxkit/dhcpcd:<hash>
@@ -293,3 +443,43 @@ binds:
  - /var:/var:rshared,rbind
 rootfsPropagation: shared
 ```
+
+## Templates
+
+The `yaml` file supports templates for the names of images. Anyplace an image is used in a file and begins
+with the character `@`, it indicates that it is not an actual name, but a template. The first word after
+the `@` indicates the type of template, and the rest of the line is the argument to the template. The
+templates currently supported are:
+
+* `@pkg:` - the argument is the path to a linuxkit package. For example, `@pkg:./pkg/init`.
+
+For `pkg`, linuxkit will resolve the path to the package, and then run the equivalent of `linuxkit pkg show-tag <dir>`.
+For example:
+
+```yaml
+init:
+  - "@pkg:../pkg/init"
+```
+
+Will cause linuxkit to resolve `../pkg/init` to a package, and then run `linuxkit pkg show-tag ../pkg/init`.
+
+The paths are relative to the directory of the yaml file.
+You can specify absolute paths, although it is not recommended, as that can make the yaml file less portable.
+
+The `@pkg:` templating is supported **only** when the yaml file is being read from a local filesystem. It does not
+support when using via stdin, e.g. `cat linuxkit.yml | linuxkit build -`, or URLs, e.g. `linuxkit build https://example.com/foo.yml`.
+
+The `@pkg:` template currently supports only default `linuxkit pkg` options, i.e. `build.yml` and `tag` options. There
+are no command-line options to override them.
+
+**Note:** The character `@` is reserved in yaml. To use it in the beginning of a string, you must put the entire string in
+quotes.
+
+If you use the template, the actual derived value, and not the initial template, is what will be stored in the final
+image when adding it via:
+
+```yaml
+files:
+  - path: etc/linuxkit.yml
+    metadata: yaml
+```

examples/addbinds.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.4.30
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     binds.add:
       # this will keep all of the existing ones as well
       - /var/tmp:/var/tmp
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)

examples/cadvisor.yml

@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: sysfs
-    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
+    image: linuxkit/sysfs:7345172dbf4d436c861adfc27150af474194289b
   - name: format
-    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
   - name: mount
-    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
       - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: ntpd
-    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
+    image: linuxkit/openntpd:f99c4117763480815553b72022b426639a13ce86
 
   - name: docker
     image: docker:20.10.6-dind
@@ -46,7 +46,7 @@ services:
       - /etc/docker/daemon.json:/etc/docker/daemon.json
     command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
   - name: cadvisor
-    image: linuxkit/cadvisor:38174e03a9495a2ba8a8a049458f585a8b8e4a59
+    image: linuxkit/cadvisor:8dfefe0f9593ba21aca5d08fadac16de907d470d
 files:
   - path: var/lib/docker
     directory: true

examples/containerd-debug-runtime-config.toml

@@ -0,0 +1,4 @@
+cliopts="--log-level trace"
+stderr="/var/log/containerd.err.log"
+stdout="/var/log/containerd.out.log"
+

examples/containerd-debug.yml

@@ -0,0 +1,42 @@
+# example with volumes, both blank and populated
+kernel:
+  image: linuxkit/kernel:6.6.71
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+onshutdown:
+  - name: shutdown
+    image: busybox:latest
+    command: ["/bin/echo", "so long and thanks for all the fish"]
+services:
+  - name: getty
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
+  - name: nginx
+    image: nginx:1.19.5-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf
+files:
+  - path: etc/linuxkit-config
+    metadata: yaml
+  - path: /etc/containerd/runtime-config.toml
+    source: "containerd-debug-runtime-config.toml"  # must include the file runtime-config.toml in this directory
+    mode: "0644"

examples/dm-crypt-loop.yml

@@ -1,31 +1,31 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
     command: ["/usr/bin/format", "/dev/sda"]
   - name: mount
-    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/dev/sda1", "/var/external"]
   - name: loop
-    image: linuxkit/losetup:43e40be0c82cbccf171ebd2a8065246e2e84f66e
+    image: linuxkit/losetup:095ff80d8e8fad1707741ea2584a36f3b80e787d
     command: ["/usr/bin/loopy", "--create", "/var/external/storage_file"]
   - name: dm-crypt
-    image: linuxkit/dm-crypt:908d3a270650aff7388092a307673c44d86e1ed0
+    image: linuxkit/dm-crypt:981fde241bb84616a5ba94c04cdefa1489431a25
     command: ["/usr/bin/crypto", "crypt_loop_dev", "/dev/loop0"]
   - name: mount
-    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/dev/mapper/crypt_loop_dev", "/var/secure_storage"]
   - name: bbox
     image: busybox
@@ -34,11 +34,11 @@ onboot:
       - /var:/var
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/dm-crypt/key
     # the below key is just to keep the example self-contained

examples/dm-crypt.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
     command: ["/usr/bin/format", "/dev/sda"]
   - name: dm-crypt
-    image: linuxkit/dm-crypt:908d3a270650aff7388092a307673c44d86e1ed0
+    image: linuxkit/dm-crypt:981fde241bb84616a5ba94c04cdefa1489431a25
     command: ["/usr/bin/crypto", "crypt_dev", "/dev/sda1"]
   - name: mount
-    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/dev/mapper/crypt_dev", "/var/secure_storage"]
   - name: bbox
     image: busybox
@@ -28,11 +28,11 @@ onboot:
       - /var:/var
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/dm-crypt/key
     # the below key is just to keep the example self-contained

examples/docker-for-mac.md

@@ -16,7 +16,7 @@ $ linuxkit build -format iso-efi docker-for-mac.yml
 To run the VM with a 4G disk:
 
 ```
-linuxkit run hyperkit -networking=vpnkit -vsock-ports=2376 -disk size=4096M -data-file ./metadata.json -iso -uefi docker-for-mac-efi
+linuxkit run hyperkit --networking=vpnkit --vsock-ports=2376 --disk size=4096M --data-file ./metadata.json --iso --uefi docker-for-mac-efi
 ```
 
 Where the file `./metadata.json` should contain the desired docker daemon

examples/docker-for-mac.yml

@@ -1,32 +1,32 @@
 # This is an example for building the open source components of Docker for Mac
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/vpnkit-expose-port:87ac61469247b2a0483cbd1fd2915f220e078b78 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/vpnkit-expose-port:b30e8456ac128b2ac360329898368b309ea6e477 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   # support metadata for optional config in /run/config
   - name: metadata
-    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: sysfs
-    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
+    image: linuxkit/sysfs:7345172dbf4d436c861adfc27150af474194289b
   - name: binfmt
-    image: linuxkit/binfmt:a17941b47f5cb262638cfb49ffc59ac5ac2bf334
+    image: linuxkit/binfmt:ce9509ccfa25002227ccd7ed8dd48d6947854427
   # Format and mount the disk image in /var/lib/docker
   - name: format
-    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
   - name: mount
-    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/var/lib"]
   # make a swap file on the mounted disk
   - name: swap
-    image: linuxkit/swap:77305236719ed7ab4be0f3bccc179c583fe7f5ff
+    image: linuxkit/swap:f4b8ffef87c8c72165bd8a92b790ac252ccf1821
     command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"]
   # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding
   - name: mount-vpnkit
@@ -44,41 +44,41 @@ onboot:
         - /var:/host_var
     command: ["sh", "-c", "mv -v /host_var/log /host_var/lib && ln -vs /var/lib/log /host_var/log"]
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   # Enable acpi to shutdown on power events
   - name: acpid
-    image: linuxkit/acpid:c05a368754f6436b326945dc16135ba547568d8d
+    image: linuxkit/acpid:6cb5575e487a8fcbd4c3eb6721c23299e6ea452f
   # Enable getty for easier debugging
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
         - INSECURE=true
   # Run ntpd to keep time synchronised in the VM
   - name: ntpd
-    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
+    image: linuxkit/openntpd:f99c4117763480815553b72022b426639a13ce86
   # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock
   # to a socket on the host.
   - name: vsudd
-    image: linuxkit/vsudd:89980cd551d3174b6d8528f39fbd7fd1ca049161
+    image: linuxkit/vsudd:127acd1453f7bfda791491ac4c55be0d2b9223cc
     binds:
         - /var/run:/var/run
     command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"]
   # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373. 
   # It needs access to the vpnkit 9P coordination share 
   - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:ea4dded7386b09dd647e854664b029be0a4f420f
+    image: linuxkit/vpnkit-forwarder:e22bb70abdb5550c369f91ae7068c24e19beff73
     binds:
         - /var/vpnkit:/port
     net: host
     command: ["/vpnkit-forwarder", "-vsockPort", "62373"]
   # Monitor for image deletes and invoke a TRIM on the container filesystem
   - name: trim-after-delete
-    image: linuxkit/trim-after-delete:533ed712cf5cede1d5aec121c3f8afc1f471f723
+    image: linuxkit/trim-after-delete:fe73247abd4ab7584a75e95083543af97fe90d4d
   # When the host resumes from sleep, force a clock resync
   - name: host-timesync-daemon
-    image: linuxkit/host-timesync-daemon:cc7c2f88c0e585c292624b9665412c9aca615d55
+    image: linuxkit/host-timesync-daemon:548bfe9d35c930ee42d6c0485bb4bf25d2729bad
   # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container.
   # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
   # for vpnkit coordination and /run/config/docker for the configuration file.

examples/docker.yml

@@ -1,32 +1,32 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: sysfs
-    image: linuxkit/sysfs:c3bdb00c5e23bf566d294bafd5f7890ca319056f
+    image: linuxkit/sysfs:7345172dbf4d436c861adfc27150af474194289b
   - name: format
-    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
   - name: mount
-    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: ntpd
-    image: linuxkit/openntpd:d6c36ac367ed26a6eeffd8db78334d9f8041b038
+    image: linuxkit/openntpd:f99c4117763480815553b72022b426639a13ce86
   - name: docker
     image: docker:20.10.6-dind
     capabilities:

examples/getty.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     # to make insecure with passwordless root login, uncomment following lines
     #env:
     # - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)

examples/hostmount-writeable-overlay.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
   - name: shutdown
@@ -18,7 +18,7 @@ onshutdown:
     command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
     runtime:
@@ -30,7 +30,7 @@ services:
           destination: writeable-host-etc
           options: ["rw", "lowerdir=/etc", "upperdir=/run/hostetc/upper", "workdir=/run/hostetc/work"]
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: nginx
     image: nginx:1.13.8-alpine
     capabilities:

examples/influxdb-os.yml

@@ -1,18 +1,18 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: influxdb

examples/logging.yml

@@ -1,23 +1,23 @@
 # Simple example of using an external logging service
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
-  - linuxkit/memlogd:014f86dce2ea4bb2ec13e92ae5c1e854bcefec40
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
+  - linuxkit/memlogd:e28ecaa23a3693ae96575fb3bc421bc1d9f46c4f
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
 # Inside the getty type `/proc/1/root/usr/bin/logread -F` to follow the log
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
 # A service which generates log messages for testing
@@ -25,6 +25,6 @@ services:
     image: alpine:3.13
     command: ["/bin/sh", "-c", "while /bin/true; do echo hello $(date); sleep 1; done" ]
   - name: write-and-rotate-logs
-    image: linuxkit/logwrite:4d8aa07d4a7130239fc62b09f33e3401ecf62a38
+    image: linuxkit/logwrite:3f138a010098862845b7270fc3715a03d0e3871e
   - name: kmsg
-    image: linuxkit/kmsg:b2f6cd4ce9041120e30a4b5ab36bb8db4f5eb458
+    image: linuxkit/kmsg:9b0a33abebde8de005a3bfaf8dc06f183a9ba7b8

examples/minimal.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true

examples/node_exporter.yml

@@ -1,18 +1,18 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: node_exporter
-    image: linuxkit/node_exporter:bd11bc62e0cdf7a600556c0cb9f6582bf055f245
+    image: linuxkit/node_exporter:1415b52c08ddc5799b2fc83cf3f080c56c3ff5a9

examples/openstack.yml

@@ -1,26 +1,26 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
     command: ["/usr/bin/metadata", "openstack"]
 services:
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
-    binds:
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx
     image: nginx:1.13.8-alpine

examples/platform-aws.yml

@@ -1,25 +1,28 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
 services:
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
+  - name: dhcpcd2
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf"]
   - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
-    binds:
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx
     image: nginx:1.13.8-alpine

examples/platform-azure.yml

@@ -1,21 +1,23 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
 services:
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
+      - /root/.ssh:/root/.ssh
 files:
   - path: root/.ssh/authorized_keys
     source: ~/.ssh/id_rsa.pub

examples/platform-equinixmetal.arm64.yml

@@ -0,0 +1,14 @@
+# This YAML snippet is to be used in conjunction with equinixmetal.yml to
+# build a arm64 image for Equinix Metal. It adds a modprobe of the NIC
+# driver and overrides the kernel section to disable prepending the
+# Intel CPU microcode to the initrd. If writing a YAML specifically
+# for arm64 then the 'ucode' line in the kernel section can be left
+# out.
+kernel:
+  image: linuxkit/kernel:6.6.71
+  cmdline: "console=ttyAMA0"
+  ucode: ""
+onboot:
+  - name: modprobe
+    image: linuxkit/modprobe:773ee174006ecbb412830e48889795bae40b62f9
+    command: ["modprobe", "nicvf"]

examples/platform-equinixmetal.yml

@@ -0,0 +1,38 @@
+kernel:
+  image: linuxkit/kernel:6.6.71
+  cmdline: console=ttyS1
+  ucode: intel-ucode.cpio
+init:
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
+  - linuxkit/firmware:bfc7802f909c4b760de5dd2bc02a7f52e86b78f7
+onboot:
+  - name: rngd1
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
+    command: ["/sbin/rngd", "-1"]
+  - name: sysctl
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
+    command: ["/usr/bin/metadata", "equinixmetal"]
+services:
+  - name: rngd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
+  - name: getty
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
+    env:
+     - INSECURE=true
+  - name: sshd
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
+      - /root/.ssh:/root/.ssh
+files:
+  - path: root/.ssh/authorized_keys
+    source: ~/.ssh/id_rsa.pub
+    mode: "0600"
+    optional: true

examples/platform-gcp.yml

@@ -1,29 +1,29 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
-    binds:
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx
     image: nginx:1.13.8-alpine

examples/platform-hetzner.yml

@@ -1,34 +1,36 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: console=ttyS1
   ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
-  - linuxkit/firmware:8f89601312327c78999a880ee104ceae9a25d20e
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
+  - linuxkit/firmware:bfc7802f909c4b760de5dd2bc02a7f52e86b78f7
 onboot:
   - name: rngd1
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
     command: ["/sbin/rngd", "-1"]
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
     command: ["/usr/bin/metadata", "hetzner"]
 services:
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
+      - /root/.ssh:/root/.ssh
 files:
   - path: root/.ssh/authorized_keys
     source: ~/.ssh/id_rsa.pub

examples/platform-packet.arm64.yml

@@ -1,14 +0,0 @@
-# This YAML snippet is to be used in conjunction with packet.yml to
-# build a arm64 image for packet.net. It adds a modprobe of the NIC
-# driver and overrides the kernel section to disable prepending the
-# Intel CPU microcode to the initrd. If writing a YAML specifically
-# for arm64 then the 'ucode' line in the kernel section can be left
-# out.
-kernel:
-  image: linuxkit/kernel:5.10.104
-  cmdline: "console=ttyAMA0"
-  ucode: ""
-onboot:
-  - name: modprobe
-    image: linuxkit/modprobe:1b59b4f2ebb877085ea0d8d3a41cf06f64c09a15
-    command: ["modprobe", "nicvf"]

examples/platform-packet.yml

@@ -1,36 +0,0 @@
-kernel:
-  image: linuxkit/kernel:5.10.104
-  cmdline: console=ttyS1
-  ucode: intel-ucode.cpio
-init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
-  - linuxkit/firmware:8f89601312327c78999a880ee104ceae9a25d20e
-onboot:
-  - name: rngd1
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
-    command: ["/sbin/rngd", "-1"]
-  - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
-    command: ["/usr/bin/metadata", "packet"]
-services:
-  - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
-  - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
-    env:
-     - INSECURE=true
-  - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
-files:
-  - path: root/.ssh/authorized_keys
-    source: ~/.ssh/id_rsa.pub
-    mode: "0600"
-    optional: true

examples/platform-rt-for-vmware.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.11.4-rt
+  image: linuxkit/kernel:6.6.71-rt
   cmdline: "console=tty0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: open-vm-tools
-    image: linuxkit/open-vm-tools:4c3158c7ba27f7ad0ede5d383ca25b57c5588a26
+    image: linuxkit/open-vm-tools:8a320f7453711f0544f4b03558aaf0b80c7c23f1
   - name: nginx
     image: nginx:1.13.8-alpine
     capabilities:

examples/platform-scaleway.yml

@@ -1,26 +1,26 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: rngd1
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
     command: ["/sbin/rngd", "-1"]
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032

examples/platform-vmware.yml

@@ -1,23 +1,23 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: nginx
     image: nginx:1.13.8-alpine
     capabilities:

examples/platform-vultr.yml

@@ -1,30 +1,30 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:646c00ad6c0b3fc246b6af9ccfcd6b1eb6b6da8a
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
     command: ["/usr/bin/metadata", "vultr"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
-    binds:
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx
     image: nginx:1.13.8-alpine

examples/redis-os.yml

@@ -1,19 +1,19 @@
 # Minimal YAML to run a redis server (used at DockerCon'17)
 # connect: nc localhost 6379
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   # Currently redis:4.0.6-alpine has trust issue with multi-arch

examples/sshd.yml

@@ -1,28 +1,30 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: rngd1
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
     command: ["/sbin/rngd", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
+      - /root/.ssh:/root/.ssh
 files:
   - path: root/.ssh/authorized_keys
     source: ~/.ssh/id_rsa.pub

examples/static-ip.yml

@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: ip
-    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
+    image: linuxkit/ip:9696394a7d57b384ae919662ae162c9152029156
     binds:
      - /etc/ip:/etc/ip
     command: ["ip", "-b", "/etc/ip/eth0.conf"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
 files:     

examples/swap.yml

@@ -1,31 +1,31 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:7efa07559dd23cb4dbebfd3ab48c50fd33625918
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
   - name: mount
-    image: linuxkit/mount:422b219bb1c7051096126ac83e6dcc8b2f3f1176
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/var/external"]
   - name: swap
-    image: linuxkit/swap:77305236719ed7ab4be0f3bccc179c583fe7f5ff
+    image: linuxkit/swap:f4b8ffef87c8c72165bd8a92b790ac252ccf1821
     # to use unencrypted swap, use:
     # command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
     command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032

examples/tpm.yml

@@ -1,26 +1,26 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: tss
-    image: linuxkit/tss:9cfa8c15f2120415aab35efcfdede5b3b5fe5b4c
+    image: linuxkit/tss:dbdcce4c3a840f8337d20991807439b2096a1457
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)

examples/volumes.yml

@@ -0,0 +1,45 @@
+# example with volumes, both blank and populated
+kernel:
+  image: linuxkit/kernel:6.6.71
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+onshutdown:
+  - name: shutdown
+    image: busybox:latest
+    command: ["/bin/echo", "so long and thanks for all the fish"]
+services:
+  - name: getty
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
+  - name: nginx
+    image: nginx:1.19.5-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf
+     - blank:/blank
+     - alpine:/alpine
+volumes:
+- name: blank   # blank volume
+- name: alpine  # populated volume
+  image: alpine:3.21
+files:
+  - path: etc/linuxkit-config
+    metadata: yaml

examples/vpnkit-forwarder.yml

@@ -1,13 +1,13 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: mount-vpnkit
     image: alpine:3.13
@@ -19,9 +19,11 @@ onboot:
     command: ["sh", "-c", "mkdir /host_var/vpnkit && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
 services:
   - name: sshd
-    image: linuxkit/sshd:4696ba61c3ec091328e1c14857d77e675802342f
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
+    binds.add:
+      - /root/.ssh:/root/.ssh
   - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:ea4dded7386b09dd647e854664b029be0a4f420f
+    image: linuxkit/vpnkit-forwarder:e22bb70abdb5550c369f91ae7068c24e19beff73
     binds:
         - /var/vpnkit:/port
     net: host

examples/vsudd-containerd.yml

@@ -1,17 +1,17 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: vsudd
-    image: linuxkit/vsudd:89980cd551d3174b6d8528f39fbd7fd1ca049161
+    image: linuxkit/vsudd:127acd1453f7bfda791491ac4c55be0d2b9223cc
     binds:
         - /run/containerd/containerd.sock:/run/containerd/containerd.sock
     command: ["/vsudd",

examples/wireguard.yml

@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:8f1e6a0747acbbb4d7e24dc98f97faa8d1c6cec7
-  - linuxkit/runc:f01b88c7033180d50ae43562d72707c6881904e4
-  - linuxkit/containerd:de1b18eed76a266baa3092e5c154c84f595e56da
-  - linuxkit/ca-certificates:c1c73ef590dffb6a0138cf758fe4a4305c9864f4
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:bdc99eeedc224439ff237990ee06e5b992c8c1ae
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:52d2c4df0311b182e99241cdc382ff726755c450
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: wg0
-    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
+    image: linuxkit/ip:9696394a7d57b384ae919662ae162c9152029156
     net: new
     binds:
       - /etc/wireguard:/etc/wireguard
@@ -26,7 +26,7 @@ onboot:
       bindNS:
           net: /run/netns/wg0
   - name: wg1
-    image: linuxkit/ip:6cc44dd4e18ddb02de01bc4b34b5799971b6a7bf
+    image: linuxkit/ip:9696394a7d57b384ae919662ae162c9152029156
     net: new
     binds:
       - /etc/wireguard:/etc/wireguard
@@ -40,12 +40,12 @@ onboot:
           net: /run/netns/wg1
 services:
   - name: getty
-    image: linuxkit/getty:76951a596aa5e0867a38e28f0b94d620e948e3e8
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
     net: /run/netns/wg1
   - name: rngd
-    image: linuxkit/rngd:4f85d8de3f6f45973a8c88dc8fba9ec596e5495a
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: nginx
     image: nginx:1.13.8-alpine
     net: /run/netns/wg0