Merge pull request #4057 from deitch/build-targets-all-not-macos

make targets separated by OS

.github/workflows/ci.yml

@@ -35,14 +35,14 @@ jobs:
     runs-on: ${{ matrix.target.runner }}
     steps:
 
-    - name: Set up Go 1.19
-      uses: actions/setup-go@v3
+    - name: Set up Go 1.22
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.19.2
+        go-version: 1.22.3
       id: go
 
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Set path
       run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
@@ -50,9 +50,9 @@ jobs:
          GOPATH: ${{runner.workspace}}
 
     - name: golangci-lint CLI
-      uses: golangci/golangci-lint-action@v3
+      uses: golangci/golangci-lint-action@v6
       with:
-        version: v1.50.0
+        version: v1.59.0
         working-directory: src/cmd/linuxkit
         args: --verbose --timeout=10m
     - name: go vet CLI
@@ -79,7 +79,7 @@ jobs:
         GOPATH: ${{runner.workspace}}
 
     - name: Upload binary
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: linuxkit-${{matrix.target.suffix}}
         path: |
@@ -93,14 +93,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Set up binfmt
       # Only register arm64 as we are on amd64 already. s390x is not reliable
       run: docker run --privileged --rm tonistiigi/binfmt --install arm64
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -112,7 +112,7 @@ jobs:
         /usr/local/bin/linuxkit version
 
     - name: Cache Packages
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -130,6 +130,23 @@ jobs:
       run: |
         make OPTIONS="-v --skip-platforms linux/s390x" -C test/pkg build
 
+    - name: Check Kernel Dependencies up to date
+      # checks that any kernel dependencies are up to date.
+      # if they are, then running `make update-kernel-yamls` will not change anything
+      run: |
+        echo "checking git diff before running make update-kernel-yamls"
+        git diff --exit-code
+        echo "running make update-kernel-yamls"
+        make -C kernel update-kernel-yamls
+        echo "checking git diff again after running make update-kernel-yamls; should be no changes"
+        git diff --exit-code
+
+    - name: Build Kernels
+      # ensures that the kernel packages are in linuxkit cache when we need them for tests later
+      # no need for excluding s390x, as each build.yml in the kernel explicitly lists archs
+      run: |
+        make OPTIONS="-v" -C kernel build
+
     - name: list cache contents
       run: |
         linuxkit cache ls
@@ -143,7 +160,7 @@ jobs:
         shard: [1/10,2/10,3/10,4/10,5/10,6/10,7/10,8/10,9/10,10/10]
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -153,7 +170,7 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
@@ -167,7 +184,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -179,7 +196,7 @@ jobs:
         /usr/local/bin/linuxkit version
 
     - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -198,7 +215,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -208,7 +225,7 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
@@ -222,7 +239,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -234,7 +251,7 @@ jobs:
         /usr/local/bin/linuxkit version
 
     - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -254,7 +271,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -264,13 +281,13 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
 
     - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -286,7 +303,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -310,7 +327,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -320,7 +337,7 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
@@ -334,7 +351,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -346,7 +363,7 @@ jobs:
         /usr/local/bin/linuxkit version
 
     - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -366,7 +383,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Install Pre-Requisites
       run: |
@@ -376,7 +393,7 @@ jobs:
 
     - name: Restore RTF From Cache
       id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: bin
         key: rtf-${{hashFiles('Makefile')}}
@@ -390,7 +407,7 @@ jobs:
         sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf
 
     - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: linuxkit-amd64-linux
         path: bin
@@ -402,7 +419,7 @@ jobs:
         /usr/local/bin/linuxkit version
 
     - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}

.github/workflows/package_release.yml

@@ -0,0 +1,38 @@
+name: Release Tagged Packages
+
+on:
+  create:
+
+jobs:
+  release:
+    name: Release packages
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/pkg-v')
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go 1.22
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.22.3
+      id: go
+    - name: Check out code
+      uses: actions/checkout@v4
+    - name: Ensure bin/ directory
+      run: mkdir -p bin
+    - name: Install linuxkit
+      run: |
+        go -C ./src/cmd/linuxkit build -o $(pwd)/bin/linuxkit 
+        sudo mv bin/linuxkit /usr/local/bin/
+    - name: Login to Docker Hub
+      uses: docker/login-action@v2
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Publish Packages as Release
+      # this should not build anything, as they all should be built already
+      # however, it can fail if we push the tag before the merge-to-master build is complete, since that may publish
+      # so *always* wait for any merge-to-master to complete before publishing pkg-v* tags
+      run: |
+        RELEASE_TAG=${GITHUB_REF#refs/tags/pkg-}
+        echo "RELEASE_TAG=${RELEASE_TAG}"
+        [ -n "${RELEASE_TAG}" ] || { echo "Not a tag"; exit 1; }
+        make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild --release ${RELEASE_TAG}"

.github/workflows/publish.yaml

@@ -14,14 +14,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Ensure bin/ directory
       run: mkdir -p bin
     - name: Download linuxkit
-      uses: actions/github-script@v3.1.0
+      uses: actions/github-script@v7
       with:
+        github-token: ${{secrets.GITHUB_TOKEN}}
         script: |
-          var artifacts = await github.actions.listWorkflowRunArtifacts({
+          var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
               owner: context.repo.owner,
               repo: context.repo.repo,
               run_id: ${{github.event.workflow_run.id }},
@@ -29,7 +30,7 @@ jobs:
           var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
             return artifact.name == "${{ env.linuxkit_file }}"
           })[0];
-          var download = await github.actions.downloadArtifact({
+          var download = await github.rest.actions.downloadArtifact({
               owner: context.repo.owner,
               repo: context.repo.repo,
               artifact_id: matchArtifact.id,
@@ -45,7 +46,7 @@ jobs:
         sudo ln -s $(pwd)/bin/${{ env.linuxkit_file }} /usr/local/bin/linuxkit
         /usr/local/bin/linuxkit version
     - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/.linuxkit/cache/
         key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -63,3 +64,11 @@ jobs:
       # Skip s390x as emulation is unreliable
       run: |
         make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild"
+
+    - name: Publish Kernels
+      # this should only push changed ones:
+      #  - unchanged: already in the registry
+      #  - changed: already built and cached, so only will push
+      # No need to skip s390x, since kernel build.yml files all have explicit archs
+      run: |
+        make -C kernel push

.github/workflows/release.yml

@@ -1,24 +1,23 @@
-name: Release a tag
+name: Release Tagged Linuxkit
 
 on:
   create:
-    tags:
-      - v*
 
 jobs:
-  build:
-    name: Build all targets
-    runs-on: macos-latest
+  build-all:
+    name: Build all targets expect macOS
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
     steps:
 
-    - name: Set up Go 1.19
-      uses: actions/setup-go@v3
+    - name: Set up Go 1.122
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.19.2
+        go-version: 1.22.3
       id: go
 
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Set path
       run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
@@ -27,10 +26,67 @@ jobs:
 
     - name: Build
       run: |
-        make build-all-targets
+        make build-targets-linux build-targets-windows
       env:
         GOPATH: ${{runner.workspace}}
 
+    - uses: actions/upload-artifact@v4
+      with:
+        name: release-targets-except-cgo
+        path: bin/
+  
+  # separate macos build because macos needs CGO, and it is very hard to cross-compile that
+  build-macos:
+    name: Build macOS target
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+    runs-on: macos-latest
+    steps:
+
+    - name: Set up Go 1.122
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.22.3
+      id: go
+
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set path
+      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+      env:
+         GOPATH: ${{runner.workspace}}
+
+    - name: Build
+      run: |
+        make build-targets-macos
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - uses: actions/upload-artifact@v4
+      with:
+        name: release-targets-macos
+        path: bin/
+    
+  release-artifacts:
+    needs: [build-all, build-macos]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/download-artifact@v4
+      with:
+        name: release-targets-except-cgo
+        path: bintmp/release-targets-except-cgo
+    - uses: actions/download-artifact@v4
+      with:
+        name: release-targets-macos
+        path: bintmp/release-targets-macos
+    - name: Combine Artifacts
+      run: |
+        mkdir -p bin/
+        cp bintmp/*/* bin/
+    - name: Checksum Artifacts
+      run: |
+        make checksum-targets
     - name: GitHub Release
       uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
       env:
@@ -38,4 +94,4 @@ jobs:
       with:
         draft: true
         files: bin/*
-        generate_release_notes: true
+        generate_release_notes: true

Makefile

@@ -119,18 +119,27 @@ endif
 		./scripts/update-component-sha.sh --image $${img}$(image); \
 	done
 
-.PHONY: build-all-targets
-build-all-targets: bin
-	$(MAKE) GOOS=darwin GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-arm64 local-build
-	file bin/linuxkit-darwin-arm64
-	$(MAKE) GOOS=darwin GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-amd64 local-build
-	file bin/linuxkit-darwin-amd64
+.PHONY: build-targets-all build-targets-linux build-targets-windows build-targets-macos checksum-targets
+
+build-targets-all: build-targets-linux build-targets-windows build-targets-macos
+
+build-targets-linux: bin
 	$(MAKE) GOOS=linux GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-arm64 local-build
 	file bin/linuxkit-linux-arm64
 	$(MAKE) GOOS=linux GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-amd64 local-build
 	file bin/linuxkit-linux-amd64
 	$(MAKE) GOOS=linux GOARCH=s390x LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-s390x local-build
 	file bin/linuxkit-linux-s390x
+
+build-targets-windows: bin
 	$(MAKE) GOOS=windows GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-windows-amd64.exe local-build
 	file bin/linuxkit-windows-amd64.exe
+
+build-targets-macos: bin
+	$(MAKE) GOOS=darwin GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-arm64 local-build
+	file bin/linuxkit-darwin-arm64
+	$(MAKE) GOOS=darwin GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-amd64 local-build
+	file bin/linuxkit-darwin-amd64
+
+checksum-targets: bin
 	cd bin && openssl sha256 -r linuxkit-* | tr -d '*' > checksums.txt

README.md

@@ -63,8 +63,8 @@ Once you have built the tool, use
 ```
 linuxkit build linuxkit.yml
 ```
-to build the example configuration. You can also specify different output formats, eg `linuxkit build -format raw-bios linuxkit.yml` to
-output a raw BIOS bootable disk image, or `linuxkit build -format iso-efi linuxkit.yml` to output an EFI bootable ISO image. See `linuxkit build -help` for more information.
+to build the example configuration. You can also specify different output formats, eg `linuxkit build --format raw-bios linuxkit.yml` to
+output a raw BIOS bootable disk image, or `linuxkit build --format iso-efi linuxkit.yml` to output an EFI bootable ISO image. See `linuxkit build -help` for more information.
 
 ### Booting and Testing
 
@@ -87,7 +87,7 @@ Currently supported platforms are:
   - [OpenStack](docs/platform-openstack.md) `[x86_64]`
   - [Scaleway](docs/platform-scaleway.md) `[x86_64]`
 - Baremetal:
-  - [packet.net](docs/platform-packet.md) `[x86_64, arm64]`
+  - [deploy.equinix.com](docs/platform-equinixmetal.md) `[x86_64, arm64]`
   - [Raspberry Pi Model 3b](docs/platform-rpi3.md)  `[arm64]`
 
 

docs/kernels.md

@@ -167,6 +167,14 @@ Throughout this document, the architecture used is the kernel-recognized one, av
 on most systems as `uname -m`, e.g. `aarch64` or `x86_64`. You may be familiar with the alpine
 or golang one, e.g. `amd64` or `amd64`, which are not used here.
 
+**Note:** After changing _and committing any changes_ to the kernel directory or any
+subdirectories, you must update tests, examples and other dependencies. This is done
+via:
+
+```bash
+make update-kernel-yamls
+```
+
 Each series of kernels has a dedicated directory in [../kernel/](../kernel),
 e.g. [6.6.x](../kernel/6.6.x) or [5.15.x](../kernel/5.15.x).
 Variants, like rt kernels, have their own directory as well, e.g. [5.11.x-rt](../kernel/5.11.x-rt).
@@ -333,7 +341,8 @@ Finally, test that you can build the kernel with that config as `make build-<ver
 If you want to add a new kernel version within an existing series, e.g. `5.15.27` already exists
 and you want to add (or replace it with) `5.15.148`, apply the following process.
 
-1. Modify the list of kernels inside the `Makefile` to include the new version, and, optionally, remove the old one, or move it to deprecated.
+1. Determine the series, i.e. the kernel major.minor version, followed by `x`. E.g. for `5.15.148`, the series is `5.15.x`.
+1. Modify the `KERNEL_VERSION` in the `build-args` file in the series directory to the new version. E.g. `5.15.x/build-args`.
 1. Create a new `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out.
 1. Run a container based on `linuxkit/kconfig`.
 ```sh
@@ -344,7 +353,6 @@ docker run --rm -ti -v $(pwd):/src linuxkit/kconfig
 1. If the config file has changed, copy it out of the container and check it in, e.g. `cp .config /src/5.15.x/config-x86_64`.
 1. Repeat for other architectures.
 1. Commit the changed config files.
-1. Modify the `KERNEL_VERSION` in the `build-args` file in the series directory to the new version. E.g. `5.15.x/build-args`.
 1. Test that you can build the kernel with that config as `make build-<version>`, e.g. `make build-5.15.148`.
 
 ## Adding a new kernel series
@@ -360,12 +368,10 @@ KERNEL_VERSION=<version>
 KERNEL_SERIES=<series>
 BUILD_IMAGE=linuxkit/alpine:<builder>
 ```
-1. Update the list of kernels to build in the `Makefile`
 
 Since the last major series likely is the best basis for the new one, subject to additional modifications, you can use
 the previous one as a starting point.
 
-1. Modify the list of kernels inside the `Makefile` to include the new version. You do not need to specify the series anywhere, as the `Makefile` calculates it. E.g. adding `7.0.5` will cause it to calculate the series as `7.0.x` automatically.
 1. Make the directory for the new series, e.g. `mkdir 7.0.x`
 1. Create a new `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out.
 1. Run a container based on `linuxkit/kconfig`.
@@ -608,3 +614,31 @@ Alpine `zfs` utilities are available in `linuxkit/alpine` and the
 version of the kernel module should match the version of the
 tools. The container where you run the `zfs` tools might also need
 `CAP_SYS_MODULE` to be able to load the kernel modules.
+
+## Kernels in examples and tests
+
+All of the linuxkit `.yml` files use the images from `linuxkit/kernel:<tag>`.
+
+When updating the kernel, you run commands to update the tests. The updates to any file that contains
+references to `linuxkit/kernel` in this repository work as follows:
+
+- Semver tags are replaced by the most recent kernel version. For example, `linuxkit/kernel:5.10.104` will become `6.6.13` when available, and then `6.6.15`, and then `7.0.1`, etc. The highest semver always is used.
+- Semver+hash tags are replaced by the most recent hash and patch version for that series. For example, `linuxkit/kernel:5.10.104-abcdef1234` will become `5.10.104-aaaa54232` (same semver, newer hash), and then `5.10.105-bbbb12345` (newer semver, newer hash), etc. The highest semver+hash always is used.
+
+This is not an inherent characteristic of `linuxkit` tool, which **never** will change your `.yml` files. It is part of
+the update process for yml files _in this repository_.
+
+The net of the above is the following rule:
+
+* If you want a reference to a specific kernel series, e.g. a test or example that works only with `5.10.x`, then use a specific hash, e.g. `linuxkit/kernel:5.10.104-abcdef1234`. The hash and patch version will update, but not more. The most common use case for this is kernel version-specific tests.
+* If you want a reference to the most recent kernel, whatever version it is, then use a semver tag, e.g. `linuxkit/kernel:6.6.13`. The most common use case for this is examples that work with any kernel version, which is the vast majority of cases.
+
+You can get the current hash by executing the following:
+
+```bash
+$ cd kernel
+$ make tag-plain-kernel-<version>
+# for example:
+$ make tag-plain-kernel-6.6.13
+linuxkit/kernel:6.6.13-3a8b3faf92390265b1fbee792b9a3fe14d14c26e
+```

docs/packages.md

@@ -272,6 +272,8 @@ When building packages, the following build-args automatically are set for you:
 * `SOURCE` - the source repository of the package
 * `REVISION` - the git commit that was used for the build
 * `GOPKGVERSION` - the go package version or pseudo-version per https://go.dev/ref/mod#glos-pseudo-version
+* `PKG_HASH` - the git tree hash of the package directory, e.g. `45a1ad5919f0b6acf0f0cf730e9434abfae11fe6`; tag part of `linuxkit pkg show-tag`
+* `PKG_IMAGE` - the name of the image that is being built, e.g. `linuxkit/init`; image name part of `linuxkit pkg show-tag`. Combine with `PKG_HASH` for the full tag.
 
 Note that the above are set **only** if you do not set them in `build.yaml`. Your settings _always_
 override these built-in ones.
@@ -378,3 +380,16 @@ ARG all_proxy
 
 LinuxKit does not judge between lower-cased or upper-cased variants of these options, e.g. `http_proxy` vs `HTTP_PROXY`,
 as `docker build` does not either. It just passes them through "as-is".
+
+## Releases
+
+Normally, whenever a package is updated, CI will build and push the package to Docker Hub by calling `linuxkit pkg push`.
+This automatically creates a tag based on the git tree hash of the package's directory.
+For example, the package in `./pkg/init` is tagged as `linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6`.
+
+In addition, you can release semver tags for packages by adding a tag to the git repository that begins with `pkg-` and is
+followed by a valid semver tag. For example, `pkg-v1.0.0`. This will cause CI to build and push the package to Docker Hub
+with the tag `v1.0.0`.
+
+Pure semver tags, like `v1.0.0`, are not used for package releases. They are used for the linuxkit project itself and to
+publish releases of the `linuxkit` binary.

docs/platform-equinixmetal.md

@@ -1,26 +1,17 @@
-# LinuxKit with bare metal on Packet
+# LinuxKit with bare metal on Equinix Metal
 
-[Packet](http://packet.net) is a bare metal hosting provider.
+[Equinix Metal](http://deploy.equinix.com) is a bare metal hosting provider.
 
-You will need to [create a Packet account] and a project to
+You will need to [create an Equinix Metal account] and a project to
 put this new machine into. You will also need to [create an API key]
 with appropriate read/write permissions to allow the image to boot.
 
-[create a Packet account]:https://app.packet.net/#/registration/
-[create an API key]:https://help.packet.net/quick-start/api-integrations
+[create an Equinix Metal account]:https://console.equinix.com/sign-up
+[create an API key]:https://deploy.equinix.com/developers/docs/metal/identity-access-management/api-keys/
 
-Linuxkit is known to boot on the [Type 0] 
-and [Type 1] servers at Packet.
-Support for other server types, including the [Type 2A] ARM server,
-is a work in progress.
-
-[Type 0]:https://www.packet.net/bare-metal/servers/type-0/
-[Type 1]:https://www.packet.net/bare-metal/servers/type-1/
-[Type 2A]:https://www.packet.net/bare-metal/servers/type-2a/
-
-The `linuxkit run packet` command can mostly either be configured via
+The `linuxkit run equinixmetal` command can mostly either be configured via
 command line options or with environment variables. see `linuxkit run
-packet --help` for the options and environment variables.
+equinixmetal --help` for the options and environment variables.
 
 By default, `linuxkit run` will provision a new machine and remove it
 once you are done. With the `-keep` option the provisioned machine
@@ -29,8 +20,8 @@ device ID on subsequent `linuxkit run` invocations to re-use an
 existing machine. These subsequent runs will update the iPXE data so
 you can boot alternative kernels on an existing machine.
 
-There is an example YAML file for [x86_64](../examples/packet.yml) and
-an additional YAML for [arm64](../examples/packet.arm64.yml) servers
+There is an example YAML file for [x86_64](../examples/equinixmetal.yml) and
+an additional YAML for [arm64](../examples/equinixmetal.arm64.yml) servers
 which provide both access to the serial console and via ssh and
 configures bonding for network devices via metadata (if supported).
 
@@ -47,52 +38,52 @@ retry the boot typically fixes this.
 
 ## Boot
 
-LinuxKit on Packet boots the `kernel+initrd` output from moby via
-[iPXE](https://help.packet.net/technical/infrastructure/custom-ipxe)
+LinuxKit on Equinix Metal boots the `kernel+initrd` output from moby via
+[iPXE](https://deploy.equinix.com/developers/docs/metal/operating-systems/custom-ipxe/)
 which also requires a iPXE script. iPXE booting requires a HTTP server
 on which you can store your images. The `-base-url` option specifies
 the URL to a HTTP server from which `<name>-kernel`,
-`<name>-initrd.img`, and `<name>-packet.ipxe` can be downloaded during
+`<name>-initrd.img`, and `<name>-equinixmetal.ipxe` can be downloaded during
 boot.
 
-If you have your own HTTP server, you can use `linuxkit push packet`
+If you have your own HTTP server, you can use `linuxkit push equinixmetal`
 to create the files (including the iPXE script) you need to make
 available.
 
 If you don't have a public HTTP server at hand, you can use the
 `-serve` option. This will create a local HTTP server which can either
-be run on another Packet machine or be made accessible with tools
+be run on another Equinix Metal machine or be made accessible with tools
 like [ngrok](https://ngrok.com/).
 
-For example, to boot the [example](../examples/packet.net)
+For example, to boot the [example](../examples/platform-equinixmetal.yml)
 with a local HTTP server:
 
 ```sh
-linuxkit build packet.yml
+linuxkit build platform-equinixmetal.yml
 # run the web server
 # run 'ngrok http 8080' in another window
-PACKET_API_KEY=<API key> PACKET_PROJECT_ID=<Project ID> \
-linuxkit run packet -serve :8080 -base-url <ngrok url> packet
+METAL_AUTH_TOKEN=<API key> METAL_PROJECT_ID=<Project ID> \
+linuxkit run equinixmetal -serve :8080 -base-url <ngrok url> equinixmetal
 ```
 
 To boot a `arm64` image for Type 2a machine (`-machine baremetal_2a`)
-you currently need to build using `linuxkit build packet.yml
-packet.arm64.yml` and then un-compress both the kernel and the initrd
+you currently need to build using `linuxkit build equinixmetal.yml
+equinixmetal.arm64.yml` and then un-compress both the kernel and the initrd
 before booting, e.g:
 
 ```sh
-mv packet-initrd.img packet-initrd.img.gz && gzip -d packet-initrd.img.gz
-mv packet-kernel packet-kernel.gz && gzip -d packet-kernel.gz
+mv equinixmetal-initrd.img equinixmetal-initrd.img.gz && gzip -d equinixmetal-initrd.img.gz
+mv equinixmetal-kernel equinixmetal-kernel.gz && gzip -d equinixmetal-kernel.gz
 ```
 
 The LinuxKit image can then be booted with:
 
 ```sh
-PACKET_API_KEY=<API key> PACKET_PROJECT_ID=<Project ID> \
-linuxkit run packet -machine baremetal_2a  -serve :8080 -base-url -base-url <ngrok url> packet
+METAL_API_TOKEN=<API key> METAL_PROJECT_ID=<Project ID> \
+linuxkit run equinixmetal -machine baremetal_2a  -serve :8080 -base-url -base-url <ngrok url> equinixmetal
 ```
 
-Alternatively, `linuxkit push packet` will uncompress the kernel and
+Alternatively, `linuxkit push equinixmetal` will uncompress the kernel and
 initrd images on arm machines (or explicitly via the `-decompress`
 flag. There is also a `linuxkit serve` command which will start a
 local HTTP server serving the specified directory.
@@ -104,18 +95,18 @@ messages.
 
 ## Console
 
-By default, `linuxkit run packet ...` will connect to the
-Packet
-[SOS ("Serial over SSH") console](https://help.packet.net/technical/networking/sos-rescue-mode). This
+By default, `linuxkit run equinixmetal ...` will connect to the
+Equinix Metal
+[SOS ("Serial over SSH") console](https://deploy.equinix.com/developers/docs/metal/resilience-recovery/serial-over-ssh/). This
 requires `ssh` access, i.e., you must have uploaded your SSH keys to
-Packet beforehand.
+Equinix Metal beforehand.
 
 You can exit the console vi `~.` on a new line once you are
 disconnected from the serial, e.g. after poweroff.
 
-**Note**: We also require that the Packet SOS host is in your
+**Note**: We also require that the Equinix Metal SOS host is in your
 `known_hosts` file, otherwise the connection to the console will
-fail. There is a Packet SOS host per zone.
+fail. There is a Equinix Metal SOS host per zone.
 
 You can disable the serial console access with the `-console=false`
 command line option.
@@ -124,7 +115,7 @@ command line option.
 ## Disks
 
 At this moment the Linuxkit server boots from RAM, with no persistent
-storage.  We are working on adding persistent storage support on Packet.
+storage.  We are working on adding persistent storage support on Equinix Metal.
 
 
 ## Networking
@@ -139,13 +130,13 @@ On the baremetal type 2a system (arm64 Cavium Thunder X) the network device driv
 
 to your YAML files before any containers requiring the network to be up, e.g., the `dhcpcd` container.
 
-Some Packet server types have bonded networks; the `metadata` package has support for setting
+Some Equinix Metal server types have bonded networks; the `metadata` package has support for setting
 these up, and also for adding additional IP addresses.
 
 
 ## Integration services and Metadata
 
-Packet supports [user state](https://help.packet.net/technical/infrastructure/user-state)
+Equinix Metal supports [user state](https://deploy.equinix.com/developers/docs/metal/server-metadata/user-data/)
 during system bringup, which enables the boot process to be more informative about the
 current state of the boot process once the kernel has loaded but before the
 system is ready for login.

examples/addbinds.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.4.30
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/cadvisor.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/dm-crypt-loop.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/dm-crypt.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/docker-for-mac.yml

@@ -1,10 +1,10 @@
 # This is an example for building the open source components of Docker for Mac
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
   - linuxkit/vpnkit-expose-port:77e45e4681c78d59f1d8a48818260948d55f9d05 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/docker.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/getty.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/hostmount-writeable-overlay.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/influxdb-os.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/logging.yml

@@ -1,9 +1,9 @@
 # Simple example of using an external logging service
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/minimal.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
 onboot:

examples/node_exporter.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
 services:

examples/openstack.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-aws.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-azure.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-equinixmetal.arm64.yml

@@ -1,11 +1,11 @@
-# This YAML snippet is to be used in conjunction with packet.yml to
-# build a arm64 image for packet.net. It adds a modprobe of the NIC
+# This YAML snippet is to be used in conjunction with equinixmetal.yml to
+# build a arm64 image for Equinix Metal. It adds a modprobe of the NIC
 # driver and overrides the kernel section to disable prepending the
 # Intel CPU microcode to the initrd. If writing a YAML specifically
 # for arm64 then the 'ucode' line in the kernel section can be left
 # out.
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyAMA0"
   ucode: ""
 onboot:

examples/platform-equinixmetal.yml

@@ -1,9 +1,9 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: console=ttyS1
   ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
@@ -19,7 +19,7 @@ onboot:
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
     image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
-    command: ["/usr/bin/metadata", "packet"]
+    command: ["/usr/bin/metadata", "equinixmetal"]
 services:
   - name: rngd
     image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39

examples/platform-gcp.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-hetzner.yml

@@ -1,9 +1,9 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: console=ttyS1
   ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-rt-for-vmware.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.11.4-rt
+  image: linuxkit/kernel:6.6.13-rt
   cmdline: "console=tty0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-scaleway.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-vmware.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/platform-vultr.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/redis-os.yml

@@ -1,10 +1,10 @@
 # Minimal YAML to run a redis server (used at DockerCon'17)
 # connect: nc localhost 6379
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
 onboot:

examples/sshd.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/static-ip.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
 onboot:

examples/swap.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/tpm.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

examples/vpnkit-forwarder.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
 onboot:

examples/vsudd-containerd.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
 onboot:

examples/wireguard.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

kernel/5.15.x/build-args

@@ -0,0 +1,3 @@
+KERNEL_VERSION=5.15.27
+KERNEL_SERIES=5.15.x
+BUILD_IMAGE=linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e

kernel/Dockerfile.bcc

@@ -1,6 +1,8 @@
 ARG BUILD_IMAGE
+ARG KERNEL_VERSION
+ARG PKG_HASH
 
-FROM ${KERNEL_VERSION}-${HASH} as ksrc
+FROM linuxkit/kernel:${KERNEL_VERSION}-${PKG_HASH} as ksrc
 
 FROM ${BUILD_IMAGE} AS build
 RUN apk update && apk upgrade -a && \

kernel/Dockerfile.perf

@@ -1,8 +1,10 @@
 # This Dockerfile extracts the source code and headers from a kernel package,
 # builds the perf utility, and places it into a scratch image
 ARG BUILD_IMAGE
+ARG KERNEL_VERSION
+ARG PKG_HASH
 
-FROM ${KERNEL_VERSION}-${HASH} AS ksrc
+FROM linuxkit/kernel:${KERNEL_VERSION}-${PKG_HASH} as ksrc
 
 FROM ${BUILD_IMAGE} AS build
 RUN apk add \

kernel/Makefile

@@ -34,19 +34,16 @@ DIRTY:=$(shell git update-index -q --refresh && git diff-index --quiet HEAD -- $
 endif
 endif
 
-# Path to push-manifest.sh
-PUSH_MANIFEST:=$(shell git rev-parse --show-toplevel)/scripts/push-manifest.sh
+REPO_ROOT:=$(shell git rev-parse --show-toplevel)
 
 # determine our architecture
 BUILDERARCH=
 ifneq ($(ARCH),)
 ifeq ($(ARCH),$(filter $(ARCH),x86_64 amd64))
-SUFFIX=-amd64
 override ARCH=x86_64
 BUILDERARCH=amd64
 endif
 ifeq ($(ARCH),$(filter $(ARCH),aarch64 arm64))
-SUFFIX=-arm64
 override ARCH=aarch64
 BUILDERARCH=arm64
 endif
@@ -65,7 +62,10 @@ notdirty:
 # utility function
 SPACE := $(eval) $(eval)
 PERIOD := .
+# series - convert a version to a series, e.g. 6.6.13 -> 6.6.x
 series = $(word 1,$(subst ., ,$(1))).$(word 2,$(subst ., ,$(1))).x
+# serieswithhash - convert a version with or without a hash to a series with a hash, e.g. 6.6.13-anbcd -> 6.6.x-[0-9a-f]+
+serieswithhash = $(word 1,$(subst ., ,$(1))).$(word 2,$(subst ., ,$(1))).[0-9]+-[0-9a-f]+
 
 # word 1 is the release, word 2 is the tool
 RELEASESEP := PART
@@ -76,21 +76,25 @@ baseimage = $(ORG)/$(IMAGE)$(call baseimageextension,$(1))
 uniq = $(if $1,$(firstword $1) $(call uniq,$(filter-out $(firstword $1),$1)))
 
 
+# DEPRECATED : all kernel versions (actually series) marked as deprecated
+# You might still be able to build them, but they are not built by default or supported
+DEPRECATED_list=$(wildcard */deprecated)
+DEPRECATED := $(patsubst %/deprecated,%,$(DEPRECATED_list))
 #
-# Kernel versions to build.
-# Use all for kernels to be built on all platforms; use KERNELS_x86_64 or KERNELS_aarch64 for platform-specific kernels
-KERNELS_all=6.6.13 5.15.27
-KERNELS_x86_64=
-KERNELS_aarch64=
+# KERNELS : all potential kernel versions, based on the build-args files
 
-# deprecated versions. You might still be able to build them, but they are not built by default or supported
-# Use all for kernels to be built on all platforms; use DEPRECATED_x86_64 or DEPRECATED_aarch64 for platform-specific kernels
-DEPRECATED_all=5.10.104 5.11.4-rt
-DEPRECATED_x86_64=5.4.172 
-DEPRECATED_aarch64=
+# first find all known build-args files
+KERNELS_buildargfiles=$(wildcard */build-args)
+# get their directories
+KERNELS_alldirs=$(patsubst %/build-args,%,$(KERNELS_buildargfiles))
+# remove any directories that are marked as deprecated; what is left is valid dirs
+KERNELS_validdirs=$(filter-out $(DEPRECATED),$(KERNELS_alldirs))
+# get the values from the valid dirs
+KERNELS=$(shell awk -F= '/^KERNEL_VERSION=/ {print $$2}' $(addsuffix /build-args,$(KERNELS_validdirs)))
+
+# get the highest supported one
+KERNEL_HIGHEST=$(shell echo $(KERNELS) | tr ' ' '\n' | sort -V | tail -n 1)
 
-KERNELS?=$(KERNELS_all) $(KERNELS_$(ARCH))
-DEPRECATED?=$(DEPRECATED_all) $(DEPRECATED_$(ARCH))
 
 # we build all tools across all platforms and kernels that we build
 TOOLS=bcc perf
@@ -128,11 +132,13 @@ builddebugkernel-%: buildkerneldeps-%
 
 push-%: notdirty build-% pushkernel-% tagbuilder-% pushtools-%;
 
+# tagbuilder-% tags the builder image with the kernel version and `-builder` and pushes it
+# checks if it already matches on the registry before pushing
+# because the build may have been on a remote builder, or we may not have had to do a local build,
+# we cannot assume that IMAGE_BUILDER is available locally, whether in docker image cache or limuxkit cache
 tagbuilder-%: notdirty
 	$(eval BUILDER_IMAGE=$(call baseimage,$*)-builder)
-	docker tag $(IMAGE_BUILDER) $(BUILDER_IMAGE)$(SUFFIX) && \
-	docker push $(BUILDER_IMAGE)$(SUFFIX) && \
-	$(PUSH_MANIFEST) $(BUILDER_IMAGE)
+	linuxkit pkg remote-tag $(IMAGE_BUILDER) $(BUILDER_IMAGE)
 
 pushkernel-%: pushplainkernel-% pushdebugkernel-%;
 
@@ -170,6 +176,35 @@ pushtool-%: buildtool-%
 	linuxkit cache push $(HASHED_IMAGE)
 	linuxkit cache push $(HASHED_IMAGE) --remote-name $(PLAIN_IMAGE)
 
+#
+# targets for getting names of particular tags and replacing them, like what scripts/update-component-sha.sh does
+#
+
+# get the tag for the normal kernel for a particular version. Accepts version or series
+tag-plainkernel-%:
+	@linuxkit pkg show-tag . --build-yml ./build-kernel.yml --tag "$*-{{.Hash}}"
+
+# get the tag for the debug kernel for a particular version. Accepts version or series
+tag-debugkernel-%:
+	@linuxkit pkg show-tag . --build-yml ./build-kernel.yml --tag "$*-dbg-{{.Hash}}"
+
+# find and replace any usage of the normal kernel with hash for a particular series
+# will update hash for same semver and/or patch version
+update-kernel-hash-yaml-%:
+	$(eval NEWTAG=$(shell $(MAKE) tag-plainkernel-$*))
+	$(eval OLDTAG=$(call serieswithhash,$(NEWTAG)))
+	@cd $(REPO_ROOT) && ./scripts/update-component-sha.sh --hash "$(OLDTAG)" "$(NEWTAG)"
+
+# find and replace any usage of the normal kernel with semver for most recent series
+update-kernel-semver-yaml-%:
+	$(eval NEWTAG=linuxkit/kernel:$*)
+	$(eval OLDTAG=linuxkit/kernel:[0-9]+.[0-9]+.[0-9]+)
+	@cd $(REPO_ROOT) && ./scripts/update-component-sha.sh --hash "$(OLDTAG)" "$(NEWTAG)"
+
+# update-kernel-yamls updates the latest hash for each supported series,
+# as well as the most recent supported semver
+update-kernel-yamls: $(addprefix update-kernel-hash-yaml-,$(KERNELS)) update-kernel-semver-yaml-$(KERNEL_HIGHEST);
+
 # Target for kernel config
 kconfig:
 ifeq (${KCONFIG_TAG},)

kernel/build-bcc.yml

@@ -1,2 +1,3 @@
 image: kernel-bcc
 network: true
+dockerfile: Dockerfile.bcc

kernel/build-perf.yml

@@ -1,2 +1,3 @@
 image: kernel-perf
 network: true
+dockerfile: Dockerfile.perf

linuxkit.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel:6.6.13
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

pkg/firmware/Dockerfile

@@ -1,5 +1,5 @@
 # Make modules from a recentish kernel available
-FROM linuxkit/kernel:5.4.28 AS kernel
+FROM linuxkit/kernel:6.6.13 AS kernel
 
 FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
 RUN apk add --no-cache git kmod
@@ -38,7 +38,7 @@ RUN tar xf /kernel.tar
 RUN set -e && \
     for fw in $(find /lib/modules -name \*.ko -exec modinfo --field=firmware {} \;); do \
         mkdir -p "/out/lib/firmware/$(dirname $fw)" && \
-        cp "/linux-firmware-whence/$fw" "/out/lib/firmware/$fw"; \
+        [ -e "/linux-firmware-whence/$fw" ] && cp "/linux-firmware-whence/$fw" "/out/lib/firmware/$fw"; \
     done
 
 FROM scratch

pkg/init/cmd/rc.init/main.go

@@ -225,9 +225,7 @@ func doMounts() {
 	// misc /proc mounted fs
 	mountSilent("binfmt_misc", "/proc/sys/fs/binfmt_misc", "binfmt_misc", noexec|nosuid|nodev, "")
 
-	if isCgroupV2() {
-		mount("cgroup2", "/sys/fs/cgroup", "cgroup2", noexec|nosuid|nodev, "")
-	} else {
+	if isCgroupV1() {
 		// mount cgroup root tmpfs
 		mount("cgroup_root", "/sys/fs/cgroup", "tmpfs", nodev|noexec|nosuid, "mode=755,size=10m")
 		// mount cgroups filesystems for all enabled cgroups
@@ -243,6 +241,8 @@ func doMounts() {
 		// many things assume systemd
 		mkdir("/sys/fs/cgroup/systemd", 0555)
 		mount("cgroup", "/sys/fs/cgroup/systemd", "cgroup", 0, "none,name=systemd")
+	} else {
+		mount("cgroup2", "/sys/fs/cgroup", "cgroup2", noexec|nosuid|nodev, "")
 	}
 
 	// make / rshared
@@ -423,14 +423,14 @@ func doShutdown(action string) {
 	os.Exit(0)
 }
 
-func isCgroupV2() bool {
+func isCgroupV1() bool {
 	dt, err := os.ReadFile("/proc/cmdline")
 	if err != nil {
 		log.Printf("error reading /proc/cmdline: %v", err)
 		return false
 	}
 	for _, s := range strings.Fields(string(dt)) {
-		if s == "linuxkit.unified_cgroup_hierarchy=1" {
+		if s == "linuxkit.unified_cgroup_hierarchy=0" {
 			return true
 		}
 	}

pkg/memlogd/cmd/logread/main.go

@@ -41,6 +41,11 @@ func main() {
 	flag.BoolVar(&follow, "f", false, "follow log buffer")
 	flag.Parse()
 
+	if dumpFollow {
+		// StreamLogs() has seperate 'dump' and 'follow' flags, since 'dumpFollow' includes 'follow' we set that too
+		follow = true
+	}
+
 	c, err := StreamLogs(socketPath, follow, dumpFollow)
 	if err != nil {
 		panic(err)

pkg/metadata/go.mod

@@ -1,12 +1,22 @@
 module github.com/linuxkit/linuxkit/pkg/metadata
 
-go 1.16
+go 1.21
 
 require (
 	github.com/diskfs/go-diskfs v1.3.1-0.20230612151643-22d22fd7e558
 	github.com/packethost/packngo v0.1.0
 	github.com/sirupsen/logrus v1.9.0
 	github.com/vishvananda/netlink v0.0.0-20170808154308-f5a6f697a596
-	github.com/vishvananda/netns v0.0.0-20170707011535-86bef332bfc3 // indirect
 	github.com/vmware/vmw-guestinfo v0.0.0-20220317130741-510905f0efa3
 )
+
+require (
+	github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/pierrec/lz4/v4 v4.1.17 // indirect
+	github.com/pkg/xattr v0.4.9 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
+	github.com/vishvananda/netns v0.0.0-20170707011535-86bef332bfc3 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	gopkg.in/djherbis/times.v1 v1.3.0 // indirect
+)

pkg/metadata/main.go

@@ -77,7 +77,7 @@ func main() {
 		log.SetLevel(log.DebugLevel)
 	}
 
-	providers := []string{"aws", "gcp", "hetzner", "openstack", "scaleway", "vultr", "digitalocean", "packet", "metaldata", "vmware", "cdrom"}
+	providers := []string{"aws", "gcp", "hetzner", "openstack", "scaleway", "vultr", "digitalocean", "equinixmetal", "metaldata", "vmware", "cdrom"}
 	args := flag.Args()
 	if len(args) > 0 {
 		providers = args
@@ -92,8 +92,8 @@ func main() {
 			netProviders = append(netProviders, NewHetzner())
 		case p == "openstack":
 			netProviders = append(netProviders, NewOpenstack())
-		case p == "packet":
-			netProviders = append(netProviders, NewPacket())
+		case p == "equinixmetal":
+			netProviders = append(netProviders, NewEquinixMetal())
 		case p == "scaleway":
 			netProviders = append(netProviders, NewScaleway())
 		case p == "vultr":

pkg/metadata/provider_equinixmetal.go

@@ -12,30 +12,30 @@ import (
 	"github.com/vishvananda/netlink"
 )
 
-// ProviderPacket is the type implementing the Provider interface for Packet.net
-type ProviderPacket struct {
+// ProviderEquinixMetal is the type implementing the Provider interface for Equinix Metal
+type ProviderEquinixMetal struct {
 	metadata *metadata.CurrentDevice
 	err      error
 }
 
-// NewPacket returns a new ProviderPacket
-func NewPacket() *ProviderPacket {
-	return &ProviderPacket{}
+// NewEquinixMetal returns a new ProviderEquinixMetal
+func NewEquinixMetal() *ProviderEquinixMetal {
+	return &ProviderEquinixMetal{}
 }
 
-func (p *ProviderPacket) String() string {
-	return "Packet"
+func (p *ProviderEquinixMetal) String() string {
+	return "EquinixMetal"
 }
 
-// Probe checks if we are running on Packet
-func (p *ProviderPacket) Probe() bool {
+// Probe checks if we are running on EquinixMetal
+func (p *ProviderEquinixMetal) Probe() bool {
 	// Unfortunately the host is resolveable globally, so no easy test
 	p.metadata, p.err = metadata.GetMetadata()
 	return p.err == nil
 }
 
-// Extract gets both the Packet specific and generic userdata
-func (p *ProviderPacket) Extract() ([]byte, error) {
+// Extract gets both the EquinixMetal specific and generic userdata
+func (p *ProviderEquinixMetal) Extract() ([]byte, error) {
 	// do not retrieve if we Probed
 	if p.metadata == nil && p.err == nil {
 		p.metadata, p.err = metadata.GetMetadata()
@@ -47,7 +47,7 @@ func (p *ProviderPacket) Extract() ([]byte, error) {
 	}
 
 	if err := os.WriteFile(path.Join(ConfigPath, Hostname), []byte(p.metadata.Hostname), 0644); err != nil {
-		return nil, fmt.Errorf("Packet: Failed to write hostname: %s", err)
+		return nil, fmt.Errorf("EquinixMetal: Failed to write hostname: %s", err)
 	}
 
 	if err := os.MkdirAll(path.Join(ConfigPath, SSH), 0755); err != nil {
@@ -66,7 +66,7 @@ func (p *ProviderPacket) Extract() ([]byte, error) {
 
 	userData, err := metadata.GetUserData()
 	if err != nil {
-		return nil, fmt.Errorf("Packet: failed to get userdata: %s", err)
+		return nil, fmt.Errorf("EquinixMetal: failed to get userdata: %s", err)
 	}
 
 	if len(userData) == 0 {
@@ -81,7 +81,7 @@ func (p *ProviderPacket) Extract() ([]byte, error) {
 	return userData, nil
 }
 
-// networkConfig handles Packet network configuration, primarily bonding
+// networkConfig handles EquinixMetal network configuration, primarily bonding
 func networkConfig(ni metadata.NetworkInfo) error {
 	// rename interfaces to match what the metadata calls them
 	links, err := netlink.LinkList()
@@ -119,7 +119,7 @@ func networkConfig(ni metadata.NetworkInfo) error {
 
 	// set up bonding
 	la := netlink.LinkAttrs{Name: "bond0"}
-	bond := &netlink.GenericLink{la, "bond"}
+	bond := &netlink.GenericLink{LinkAttrs: la, LinkType: "bond"}
 	if err := netlink.LinkAdd(bond); err != nil {
 		// weirdly creating a bind always seems to return EEXIST
 		fmt.Fprintf(os.Stderr, "Error adding bond0: %v (ignoring)", err)

pkg/metadata/provider_scaleway.go

@@ -123,7 +123,7 @@ func (p *ProviderScaleway) Extract() ([]byte, error) {
 	return userData, nil
 }
 
-// exctractInformation returns the extracted information given as parameter from the metadata
+// extractInformation returns the extracted information given as parameter from the metadata
 func (p *ProviderScaleway) extractInformation(metadata []byte, information string) ([]byte, error) {
 	query := strings.ToUpper(information) + "="
 	for _, line := range bytes.Split(metadata, []byte("\n")) {

pkg/metadata/vendor/github.com/diskfs/go-diskfs/go.mod

@@ -1,15 +0,0 @@
-module github.com/diskfs/go-diskfs
-
-go 1.19
-
-require (
-	github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab
-	github.com/go-test/deep v1.0.8
-	github.com/google/uuid v1.3.0
-	github.com/pierrec/lz4/v4 v4.1.17
-	github.com/pkg/xattr v0.4.9
-	github.com/sirupsen/logrus v1.9.0
-	github.com/ulikunitz/xz v0.5.11
-	golang.org/x/sys v0.5.0
-	gopkg.in/djherbis/times.v1 v1.3.0
-)

pkg/metadata/vendor/github.com/diskfs/go-diskfs/go.sum

@@ -1,31 +0,0 @@
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
-github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
-github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
-github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=
-github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
-github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
-github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
-github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/djherbis/times.v1 v1.3.0 h1:uxMS4iMtH6Pwsxog094W0FYldiNnfY/xba00vq6C2+o=
-gopkg.in/djherbis/times.v1 v1.3.0/go.mod h1:AQlg6unIsrsCEdQYhTzERy542dz6SFdQFZFv6mUY0P8=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/metadata/vendor/github.com/elliotwutingfeng/asciiset/go.mod

@@ -1,3 +0,0 @@
-module github.com/elliotwutingfeng/asciiset
-
-go 1.11

pkg/metadata/vendor/github.com/google/uuid/go.mod

@@ -1 +0,0 @@
-module github.com/google/uuid

pkg/metadata/vendor/github.com/pierrec/lz4/v4/go.mod

@@ -1,3 +0,0 @@
-module github.com/pierrec/lz4/v4
-
-go 1.14

pkg/metadata/vendor/github.com/pkg/xattr/go.mod

@@ -1,5 +0,0 @@
-module github.com/pkg/xattr
-
-go 1.14
-
-require golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f

pkg/metadata/vendor/github.com/pkg/xattr/go.sum

@@ -1,4 +0,0 @@
-golang.org/x/sys v0.0.0-20201101102859-da207088b7d1 h1:a/mKvvZr9Jcc8oKfcmgzyp7OwF73JPWsQLvH1z2Kxck=
-golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f h1:8w7RhxzTVgUzw/AH/9mUV5q0vMgy40SQRursCcfmkCw=
-golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

pkg/metadata/vendor/github.com/sirupsen/logrus/go.mod

@@ -1,9 +0,0 @@
-module github.com/sirupsen/logrus
-
-require (
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/stretchr/testify v1.7.0
-	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
-)
-
-go 1.13

pkg/metadata/vendor/github.com/sirupsen/logrus/go.sum

@@ -1,14 +0,0 @@
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/metadata/vendor/github.com/ulikunitz/xz/go.mod

@@ -1,3 +0,0 @@
-module github.com/ulikunitz/xz
-
-go 1.12

pkg/metadata/vendor/modules.txt

@@ -1,5 +1,5 @@
 # github.com/diskfs/go-diskfs v1.3.1-0.20230612151643-22d22fd7e558
-## explicit
+## explicit; go 1.19
 github.com/diskfs/go-diskfs
 github.com/diskfs/go-diskfs/disk
 github.com/diskfs/go-diskfs/filesystem
@@ -12,24 +12,29 @@ github.com/diskfs/go-diskfs/partition/mbr
 github.com/diskfs/go-diskfs/partition/part
 github.com/diskfs/go-diskfs/util
 # github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab
+## explicit; go 1.11
 github.com/elliotwutingfeng/asciiset
 # github.com/google/uuid v1.3.0
+## explicit
 github.com/google/uuid
 # github.com/packethost/packngo v0.1.0
 ## explicit
 github.com/packethost/packngo/metadata
 # github.com/pierrec/lz4/v4 v4.1.17
+## explicit; go 1.14
 github.com/pierrec/lz4/v4
 github.com/pierrec/lz4/v4/internal/lz4block
 github.com/pierrec/lz4/v4/internal/lz4errors
 github.com/pierrec/lz4/v4/internal/lz4stream
 github.com/pierrec/lz4/v4/internal/xxh32
 # github.com/pkg/xattr v0.4.9
+## explicit; go 1.14
 github.com/pkg/xattr
 # github.com/sirupsen/logrus v1.9.0
-## explicit
+## explicit; go 1.13
 github.com/sirupsen/logrus
 # github.com/ulikunitz/xz v0.5.11
+## explicit; go 1.12
 github.com/ulikunitz/xz
 github.com/ulikunitz/xz/internal/hash
 github.com/ulikunitz/xz/internal/xlog
@@ -42,15 +47,17 @@ github.com/vishvananda/netlink/nl
 ## explicit
 github.com/vishvananda/netns
 # github.com/vmware/vmw-guestinfo v0.0.0-20220317130741-510905f0efa3
-## explicit
+## explicit; go 1.12
 github.com/vmware/vmw-guestinfo/bdoor
 github.com/vmware/vmw-guestinfo/message
 github.com/vmware/vmw-guestinfo/rpcout
 github.com/vmware/vmw-guestinfo/rpcvmx
 github.com/vmware/vmw-guestinfo/vmcheck
 # golang.org/x/sys v0.5.0
+## explicit; go 1.17
 golang.org/x/sys/internal/unsafeheader
 golang.org/x/sys/unix
 golang.org/x/sys/windows
 # gopkg.in/djherbis/times.v1 v1.3.0
+## explicit
 gopkg.in/djherbis/times.v1

projects/clear-containers/clear-containers.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel-clear-containers:4.9.x
   cmdline: "root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro rw rootfstype=ext4 tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k panic=1 console=hvc0 console=hvc1 initcall_debug iommu=off quiet  cryptomgr.notests page_poison=on"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
 onboot:
   - name: sysctl
     image: mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c

projects/compose/compose-dynamic.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/compose/compose-static.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/ima-namespace/ima-namespace.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkit/kernel-ima:4.11.1-186dd3605ee7b23214850142f8f02b4679dbd148
   cmdline: "console=ttyS0 console=tty0 page_poison=1 ima_appraise=enforce_ns"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/landlock/landlock.yml

@@ -2,7 +2,7 @@ kernel:
   image: mobylinux/kernel-landlock:4.9.x
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
   - mobylinux/containerd:18eaf72f3f4f9a9f29ca1951f66df701f873060b
   - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935

projects/memorizer/memorizer.yml

@@ -2,7 +2,7 @@ kernel:
   image: "linuxkitprojects/kernel-memorizer:4.10_dbg"
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
 onboot:

projects/miragesdk/examples/fdd.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:4.9.34
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/miragesdk/examples/mirage-dhcp.yml

@@ -1,8 +1,8 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.13
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
 onboot:

projects/okernel/examples/okernel_simple.yaml

@@ -2,7 +2,7 @@ kernel:
   image: okernel:latest
   cmdline: "console=tty0 page_poison=1"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

projects/shiftfs/shiftfs.yml

@@ -2,7 +2,7 @@ kernel:
   image: linuxkitprojects/kernel-shiftfs:4.11.4-881a041fc14bd95814cf140b5e98d97dd65160b5
   cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
+  - linuxkit/init:8a7b6cdb89197dc94eb6db69ef9dc90b750db598
   - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
   - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
   - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff

scripts/update-component-sha.sh

@@ -69,8 +69,7 @@ case "${mode}" in
         fi
         old=$1
         new=$2
-
-        git grep -w -l "\b$old\b" -- '*.yml' '*.yaml' '*.yml.in' '*.yaml.in' '*/Dockerfile' '*/Makefile' | grep -v /vendor/ | xargs sed -i.bak -e "s,$old,$new,g"
+        git grep -E -l "\b($old)([[:space:]]|$)" -- '*.yml' '*.yaml' '*.yml.in' '*.yaml.in' '*/Dockerfile' '*/Makefile' | grep -v /vendor/ | while read -r file; do sed -ri.bak -e "s,($old)([[:space:]]|$),$new\2,g" "$file"; done
         ;;
 --image)
 	if [ $# -lt 1 ] ; then
@@ -100,4 +99,4 @@ case "${mode}" in
 	;;
 esac
 
-find . -name '*.bak' | xargs rm
+find . -name '*.bak' | xargs rm || true

src/cmd/linuxkit/Makefile

@@ -1,5 +1,24 @@
-VERSION?="v0.0-dev"
+# determine the version we save in the build binary
+# we always include the git commit.
+# the version is the current semver if it this commit matches the tag,
+# else it is the following: <tag>-<commits since tag>-<short commit hash>
+# if the git tree is dirty, append "-dirty"
+# most recent commit
 GIT_COMMIT=$(shell git rev-list -1 HEAD)
+# whether or not it is dirty, i.e. has uncommitted changes
+GIT_DIRTY=$(shell git update-index -q --refresh && git diff-index --quiet HEAD -- . || echo "-dirty")
+# most recent tag, might or might not point to GIT_COMMIT
+GIT_TAG=$(shell git describe --tags --match="v*")
+# include the possible "-dirty" suffix
+VERSION=$(GIT_TAG)$(GIT_DIRTY)
+
+report:
+	@echo "VERSION: $(VERSION)"
+	@echo "GIT_COMMIT: $(GIT_COMMIT)"
+	@echo "GIT_DIRTY: $(GIT_DIRTY)"
+	@echo "GIT_TAG: $(GIT_TAG)"
+	@echo "VERSION: $(VERSION)"
+
 GO_COMPILE?=linuxkit/go-compile:c97703655e8510b7257ffc57f25e40337b0f0813
 export GO_FLAGS=-mod=vendor
 

src/cmd/linuxkit/build.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/moby"
+	mobybuild "github.com/linuxkit/linuxkit/src/cmd/linuxkit/moby/build"
 	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/spec"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -52,9 +53,10 @@ func buildCmd() *cobra.Command {
 		arch               string
 		cacheDir           flagOverEnvVarOverDefaultString
 		buildFormats       formatList
-		outputTypes        = moby.OutputTypes()
+		outputTypes        = mobybuild.OutputTypes()
 		noSbom             bool
 		sbomOutputFilename string
+		inputTar           string
 		sbomCurrentTime    bool
 		dryRun             bool
 	)
@@ -66,7 +68,7 @@ func buildCmd() *cobra.Command {
 The generated image can be in one of multiple formats which can be run on various platforms.
 `,
 		Example: `  linuxkit build [options] <file>[.yml]`,
-		Args:    cobra.ExactArgs(1),
+		Args:    cobra.MinimumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if name == "" && outputFile == "" {
 				conf := args[len(args)-1]
@@ -93,13 +95,13 @@ The generated image can be in one of multiple formats which can be run on variou
 
 			if len(buildFormats) > 1 {
 				for _, o := range buildFormats {
-					if moby.Streamable(o) {
-						return fmt.Errorf("Format type %s must be the only format specified", o)
+					if mobybuild.Streamable(o) {
+						return fmt.Errorf("format type %s must be the only format specified", o)
 					}
 				}
 			}
 
-			if len(buildFormats) == 1 && moby.Streamable(buildFormats[0]) {
+			if len(buildFormats) == 1 && mobybuild.Streamable(buildFormats[0]) {
 				if outputFile == "" {
 					outputFile = filepath.Join(dir, name+"."+buildFormats[0])
 					// stop the errors in the validation below
@@ -107,25 +109,29 @@ The generated image can be in one of multiple formats which can be run on variou
 					dir = ""
 				}
 			} else {
-				err := moby.ValidateFormats(buildFormats, cacheDir.String())
+				err := mobybuild.ValidateFormats(buildFormats, cacheDir.String())
 				if err != nil {
-					return fmt.Errorf("Error parsing formats: %v", err)
+					return fmt.Errorf("error parsing formats: %v", err)
 				}
 			}
 
+			if inputTar != "" && pull {
+				return fmt.Errorf("cannot use --input-tar and --pull together")
+			}
+
 			var outfile *os.File
 			if outputFile != "" {
 				if len(buildFormats) > 1 {
-					return fmt.Errorf("The -output option can only be specified when generating a single output format")
+					return fmt.Errorf("the -output option can only be specified when generating a single output format")
 				}
 				if name != "" {
-					return fmt.Errorf("The -output option cannot be specified with -name")
+					return fmt.Errorf("the -output option cannot be specified with -name")
 				}
 				if dir != "" {
-					return fmt.Errorf("The -output option cannot be specified with -dir")
+					return fmt.Errorf("the -output option cannot be specified with -dir")
 				}
-				if !moby.Streamable(buildFormats[0]) {
-					return fmt.Errorf("The -output option cannot be specified for build type %s as it cannot be streamed", buildFormats[0])
+				if !mobybuild.Streamable(buildFormats[0]) {
+					return fmt.Errorf("the -output option cannot be specified for build type %s as it cannot be streamed", buildFormats[0])
 				}
 				if outputFile == "-" {
 					outfile = os.Stdout
@@ -133,7 +139,7 @@ The generated image can be in one of multiple formats which can be run on variou
 					var err error
 					outfile, err = os.Create(outputFile)
 					if err != nil {
-						log.Fatalf("Cannot open output file: %v", err)
+						log.Fatalf("cannot open output file: %v", err)
 					}
 					defer outfile.Close()
 				}
@@ -141,7 +147,7 @@ The generated image can be in one of multiple formats which can be run on variou
 
 			size, err := getDiskSizeMB(sizeString)
 			if err != nil {
-				log.Fatalf("Unable to parse disk size: %v", err)
+				log.Fatalf("unable to parse disk size: %v", err)
 			}
 
 			var (
@@ -154,25 +160,25 @@ The generated image can be in one of multiple formats which can be run on variou
 					var err error
 					config, err = io.ReadAll(os.Stdin)
 					if err != nil {
-						return fmt.Errorf("Cannot read stdin: %v", err)
+						return fmt.Errorf("cannot read stdin: %v", err)
 					}
 				} else if strings.HasPrefix(arg, "http://") || strings.HasPrefix(arg, "https://") {
 					buffer := new(bytes.Buffer)
 					response, err := http.Get(arg)
 					if err != nil {
-						return fmt.Errorf("Cannot fetch remote yaml file: %v", err)
+						return fmt.Errorf("cannot fetch remote yaml file: %v", err)
 					}
 					defer response.Body.Close()
 					_, err = io.Copy(buffer, response.Body)
 					if err != nil {
-						return fmt.Errorf("Error reading http body: %v", err)
+						return fmt.Errorf("error reading http body: %v", err)
 					}
 					config = buffer.Bytes()
 				} else {
 					var err error
 					config, err = os.ReadFile(conf)
 					if err != nil {
-						return fmt.Errorf("Cannot open config file: %v", err)
+						return fmt.Errorf("cannot open config file: %v", err)
 					}
 					// templates are only supported for local files
 					templatesSupported = true
@@ -183,49 +189,54 @@ The generated image can be in one of multiple formats which can be run on variou
 				}
 				c, err := moby.NewConfig(config, pkgFinder)
 				if err != nil {
-					return fmt.Errorf("Invalid config: %v", err)
+					return fmt.Errorf("invalid config: %v", err)
 				}
 				m, err = moby.AppendConfig(m, c)
 				if err != nil {
-					return fmt.Errorf("Cannot append config files: %v", err)
+					return fmt.Errorf("cannot append config files: %v", err)
 				}
 			}
 
 			if dryRun {
 				yml, err := yaml.Marshal(m)
 				if err != nil {
-					return fmt.Errorf("Error generating YAML: %v", err)
+					return fmt.Errorf("error generating YAML: %v", err)
 				}
 				fmt.Println(string(yml))
 				return nil
 			}
 
-			var tf *os.File
-			var w io.Writer
+			var (
+				tf *os.File
+				w  io.Writer
+			)
 			if outfile != nil {
 				w = outfile
 			} else {
 				if tf, err = os.CreateTemp("", ""); err != nil {
-					log.Fatalf("Error creating tempfile: %v", err)
+					log.Fatalf("error creating tempfile: %v", err)
 				}
 				defer os.Remove(tf.Name())
 				w = tf
 			}
+			if inputTar != "" && inputTar == outputFile {
+				return fmt.Errorf("input-tar and output file cannot be the same")
+			}
 
 			// this is a weird interface, but currently only streamable types can have additional files
 			// need to split up the base tarball outputs from the secondary stages
 			var tp string
-			if moby.Streamable(buildFormats[0]) {
+			if mobybuild.Streamable(buildFormats[0]) {
 				tp = buildFormats[0]
 			}
-			var sbomGenerator *moby.SbomGenerator
+			var sbomGenerator *mobybuild.SbomGenerator
 			if !noSbom {
-				sbomGenerator, err = moby.NewSbomGenerator(sbomOutputFilename, sbomCurrentTime)
+				sbomGenerator, err = mobybuild.NewSbomGenerator(sbomOutputFilename, sbomCurrentTime)
 				if err != nil {
 					return fmt.Errorf("error creating sbom generator: %v", err)
 				}
 			}
-			err = moby.Build(m, w, moby.BuildOpts{Pull: pull, BuilderType: tp, DecompressKernel: decompressKernel, CacheDir: cacheDir.String(), DockerCache: docker, Arch: arch, SbomGenerator: sbomGenerator})
+			err = mobybuild.Build(m, w, mobybuild.BuildOpts{Pull: pull, BuilderType: tp, DecompressKernel: decompressKernel, CacheDir: cacheDir.String(), DockerCache: docker, Arch: arch, SbomGenerator: sbomGenerator, InputTar: inputTar})
 			if err != nil {
 				return fmt.Errorf("%v", err)
 			}
@@ -233,13 +244,13 @@ The generated image can be in one of multiple formats which can be run on variou
 			if outfile == nil {
 				image := tf.Name()
 				if err := tf.Close(); err != nil {
-					return fmt.Errorf("Error closing tempfile: %v", err)
+					return fmt.Errorf("error closing tempfile: %v", err)
 				}
 
 				log.Infof("Create outputs:")
-				err = moby.Formats(filepath.Join(dir, name), image, buildFormats, size, arch, cacheDir.String())
+				err = mobybuild.Formats(filepath.Join(dir, name), image, buildFormats, size, arch, cacheDir.String())
 				if err != nil {
-					return fmt.Errorf("Error writing outputs: %v", err)
+					return fmt.Errorf("error writing outputs: %v", err)
 				}
 			}
 			return nil
@@ -255,6 +266,7 @@ The generated image can be in one of multiple formats which can be run on variou
 	cmd.Flags().BoolVar(&decompressKernel, "decompress-kernel", false, "Decompress the Linux kernel (default false)")
 	cmd.Flags().StringVar(&arch, "arch", runtime.GOARCH, "target architecture for which to build")
 	cmd.Flags().VarP(&buildFormats, "format", "f", "Formats to create [ "+strings.Join(outputTypes, " ")+" ]")
+	cmd.Flags().StringVar(&inputTar, "input-tar", "", "path to tar from previous linuxkit build to use as input; if provided, will take files from images from this tar, using OCI images only to replace or update files. Always copies to a temporary working directory to avoid overwriting. Only works if input-tar file has the linuxkit.yaml used to build it in the exact same location. Incompatible with --pull")
 	cacheDir = flagOverEnvVarOverDefaultString{def: defaultLinuxkitCache(), envVar: envVarCacheDir}
 	cmd.Flags().Var(&cacheDir, "cache", fmt.Sprintf("Directory for caching and finding cached image, overrides env var %s", envVarCacheDir))
 	cmd.Flags().BoolVar(&noSbom, "no-sbom", false, "suppress consolidation of sboms on input container images to a single sbom and saving in the output filesystem")

src/cmd/linuxkit/cache/push.go

@@ -18,7 +18,7 @@ import (
 // If withArchSpecificTags is true, it will push all arch-specific images in the index, each as
 // their own tag with the same name as the index, but with the architecture appended, e.g.
 // image:foo will have image:foo-amd64, image:foo-arm64, etc.
-func (p *Provider) Push(name, remoteName string, withArchSpecificTags bool) error {
+func (p *Provider) Push(name, remoteName string, withArchSpecificTags, override bool) error {
 	var (
 		err     error
 		options []remote.Option
@@ -30,14 +30,25 @@ func (p *Provider) Push(name, remoteName string, withArchSpecificTags bool) erro
 	if err != nil {
 		return err
 	}
+	options = append(options, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 
 	fmt.Printf("Pushing local %s as %s\n", name, remoteName)
+
+	// check if it already exists, unless override is explicit
+	if !override {
+		if _, err := remote.Get(ref, options...); err == nil {
+			log.Infof("image %s already exists in the registry, skipping", remoteName)
+			return nil
+		}
+	}
+
+	// if we made it this far, either we had a specific override, or we do not have the image remotely
+
 	// do we even have the given one?
 	root, err := p.FindRoot(name)
 	if err != nil {
 		return err
 	}
-	options = append(options, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 
 	img, err1 := root.Image()
 	ii, err2 := root.ImageIndex()

src/cmd/linuxkit/cache/source.go

@@ -1,6 +1,7 @@
 package cache
 
 import (
+	"archive/tar"
 	"bytes"
 	"encoding/json"
 	"fmt"
@@ -9,10 +10,12 @@ import (
 	"github.com/containerd/containerd/reference"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/match"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/partial"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
+	"github.com/google/go-containerregistry/pkg/v1/types"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	lktspec "github.com/linuxkit/linuxkit/src/cmd/linuxkit/spec"
 	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/util"
@@ -21,6 +24,9 @@ import (
 
 const (
 	inTotoJsonMediaType = "application/vnd.in-toto+json"
+	layoutFile          = `{
+		"imageLayoutVersion": "1.0.0"
+	}`
 )
 
 // ImageSource a source for an image in the OCI distribution cache.
@@ -111,6 +117,189 @@ func (c ImageSource) V1TarReader(overrideName string) (io.ReadCloser, error) {
 	return r, nil
 }
 
+// OCITarReader return an io.ReadCloser to read the image as a v1 tarball
+func (c ImageSource) OCITarReader(overrideName string) (io.ReadCloser, error) {
+	imageName := c.ref.String()
+	saveName := imageName
+	if overrideName != "" {
+		saveName = overrideName
+	}
+	refName, err := name.ParseReference(saveName)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing image name: %v", err)
+	}
+	// get a reference to the image
+	image, err := c.provider.findImage(imageName, c.architecture)
+	if err != nil {
+		return nil, err
+	}
+	// convert the writer to a reader
+	r, w := io.Pipe()
+	go func() {
+		defer w.Close()
+		tw := tar.NewWriter(w)
+		defer tw.Close()
+		// layout file
+		layoutFileBytes := []byte(layoutFile)
+		if err := tw.WriteHeader(&tar.Header{
+			Name:     "oci-layout",
+			Mode:     0644,
+			Size:     int64(len(layoutFileBytes)),
+			Typeflag: tar.TypeReg,
+		}); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		if _, err := tw.Write(layoutFileBytes); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+
+		// make blobs directory
+		if err := tw.WriteHeader(&tar.Header{
+			Name:     "blobs/",
+			Mode:     0755,
+			Typeflag: tar.TypeDir,
+		}); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		// make blobs/sha256 directory
+		if err := tw.WriteHeader(&tar.Header{
+			Name:     "blobs/sha256/",
+			Mode:     0755,
+			Typeflag: tar.TypeDir,
+		}); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		// write config, each layer, manifest, saving the digest for each
+		config, err := image.RawConfigFile()
+		if err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		configDigest, configSize, err := v1.SHA256(bytes.NewReader(config))
+		if err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+
+		if err := tw.WriteHeader(&tar.Header{
+			Name:     fmt.Sprintf("blobs/sha256/%s", configDigest.Hex),
+			Mode:     0644,
+			Typeflag: tar.TypeReg,
+			Size:     configSize,
+		}); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		if _, err := tw.Write(config); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		layers, err := image.Layers()
+		if err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		for _, layer := range layers {
+			blob, err := layer.Compressed()
+			if err != nil {
+				_ = w.CloseWithError(err)
+				return
+			}
+			defer blob.Close()
+			blobDigest, err := layer.Digest()
+			if err != nil {
+				_ = w.CloseWithError(err)
+				return
+			}
+			blobSize, err := layer.Size()
+			if err != nil {
+				_ = w.CloseWithError(err)
+				return
+			}
+			if err := tw.WriteHeader(&tar.Header{
+				Name:     fmt.Sprintf("blobs/sha256/%s", blobDigest.Hex),
+				Mode:     0644,
+				Size:     blobSize,
+				Typeflag: tar.TypeReg,
+			}); err != nil {
+				_ = w.CloseWithError(err)
+				return
+			}
+			if _, err := io.Copy(tw, blob); err != nil {
+				_ = w.CloseWithError(err)
+				return
+			}
+		}
+		// write the manifest
+		manifest, err := image.RawManifest()
+		if err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		manifestDigest, manifestSize, err := v1.SHA256(bytes.NewReader(manifest))
+		if err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+
+		if err := tw.WriteHeader(&tar.Header{
+			Name:     fmt.Sprintf("blobs/sha256/%s", manifestDigest.Hex),
+			Mode:     0644,
+			Size:     int64(len(manifest)),
+			Typeflag: tar.TypeReg,
+		}); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		if _, err := tw.Write(manifest); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		// write the index file
+		desc := v1.Descriptor{
+			MediaType: types.OCIImageIndex,
+			Size:      manifestSize,
+			Digest:    manifestDigest,
+			Annotations: map[string]string{
+				imagespec.AnnotationRefName: refName.String(),
+			},
+		}
+		ii := empty.Index
+
+		index, err := ii.IndexManifest()
+		if err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+
+		index.Manifests = append(index.Manifests, desc)
+
+		rawIndex, err := json.MarshalIndent(index, "", "   ")
+		if err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		// write the index
+		if err := tw.WriteHeader(&tar.Header{
+			Name: "index.json",
+			Mode: 0644,
+			Size: int64(len(rawIndex)),
+		}); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+		if _, err := tw.Write(rawIndex); err != nil {
+			_ = w.CloseWithError(err)
+			return
+		}
+	}()
+	return r, nil
+}
+
 // Descriptor return the descriptor of the image.
 func (c ImageSource) Descriptor() *v1.Descriptor {
 	return c.descriptor

src/cmd/linuxkit/cache/write.go

@@ -20,6 +20,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	lktspec "github.com/linuxkit/linuxkit/src/cmd/linuxkit/spec"
+	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/util"
 	lktutil "github.com/linuxkit/linuxkit/src/cmd/linuxkit/util"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	log "github.com/sirupsen/logrus"
@@ -41,6 +42,12 @@ const (
 // Note that ImagePull does try ValidateImage first, so if the image is already in the cache, it will not
 // do any network activity at all.
 func (p *Provider) ImagePull(ref *reference.Spec, trustedRef, architecture string, alwaysPull bool) (lktspec.ImageSource, error) {
+	imageName := util.ReferenceExpand(ref.String())
+	canonicalRef, err := reference.Parse(imageName)
+	if err != nil {
+		return ImageSource{}, fmt.Errorf("invalid image name %s: %v", imageName, err)
+	}
+	ref = &canonicalRef
 	image := ref.String()
 	pullImageName := image
 	remoteOptions := []remote.Option{remote.WithAuthFromKeychain(authn.DefaultKeychain)}

src/cmd/linuxkit/cache_export.go

@@ -45,12 +45,18 @@ func cacheExportCmd() *cobra.Command {
 			src := p.NewSource(&ref, arch, desc)
 			var reader io.ReadCloser
 			switch format {
-			case "oci":
+			case "docker":
 				fullTagName := fullname
 				if tagName != "" {
 					fullTagName = util.ReferenceExpand(tagName)
 				}
 				reader, err = src.V1TarReader(fullTagName)
+			case "oci":
+				fullTagName := fullname
+				if tagName != "" {
+					fullTagName = util.ReferenceExpand(tagName)
+				}
+				reader, err = src.OCITarReader(fullTagName)
 			case "filesystem":
 				reader, err = src.TarReader()
 			default:
@@ -84,7 +90,7 @@ func cacheExportCmd() *cobra.Command {
 
 	cmd.Flags().StringVar(&arch, "arch", runtime.GOARCH, "Architecture to resolve an index to an image, if the provided image name is an index")
 	cmd.Flags().StringVar(&outputFile, "outfile", "", "Path to file to save output, '-' for stdout")
-	cmd.Flags().StringVar(&format, "format", "oci", "export format, one of 'oci', 'filesystem'")
+	cmd.Flags().StringVar(&format, "format", "oci", "export format, one of 'oci' (OCI tar), 'docker' (docker tar), 'filesystem'")
 	cmd.Flags().StringVar(&tagName, "name", "", "override the provided image name in the exported tar file; useful only for format=oci")
 
 	return cmd

src/cmd/linuxkit/cache_push.go

@@ -11,6 +11,7 @@ func cachePushCmd() *cobra.Command {
 	var (
 		remoteName           string
 		pushArchSpecificTags bool
+		override             bool
 	)
 	cmd := &cobra.Command{
 		Use:   "push",
@@ -29,7 +30,7 @@ func cachePushCmd() *cobra.Command {
 					log.Fatalf("unable to read a local cache: %v", err)
 				}
 
-				if err := p.Push(fullname, remoteName, pushArchSpecificTags); err != nil {
+				if err := p.Push(fullname, remoteName, pushArchSpecificTags, override); err != nil {
 					log.Fatalf("unable to push image named %s: %v", name, err)
 				}
 			}
@@ -38,5 +39,6 @@ func cachePushCmd() *cobra.Command {
 	}
 	cmd.Flags().StringVar(&remoteName, "remote-name", "", "Push it under a different name, e.g. push local image foo/bar:mine as baz/bee:yours. If blank, uses same local name.")
 	cmd.Flags().BoolVar(&pushArchSpecificTags, "with-arch-tags", false, "When the local reference is an index, add to the remote arch-specific tags for each arch in the index, each as their own tag with the same name as the index, but with the architecture appended, e.g. image:foo will have image:foo-amd64, image:foo-arm64, etc.")
+	cmd.Flags().BoolVar(&override, "override", false, "Even if the image already exists in the registry, push it again, overwriting the existing image.")
 	return cmd
 }

src/cmd/linuxkit/docker/cmd.go

@@ -10,7 +10,7 @@ import (
 	"github.com/containerd/containerd/reference"
 	"github.com/docker/cli/cli/connhelper"
 	dockertypes "github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
+	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 	log "github.com/sirupsen/logrus"
 )
@@ -85,7 +85,7 @@ func Create(image string, withNetwork bool) (string, error) {
 		return "", errors.New("could not initialize Docker API client")
 	}
 	// we do not ever run the container, so /dev/null is used as command
-	config := &container.Config{
+	config := &containertypes.Config{
 		Cmd:             []string{"/dev/null"},
 		Image:           image,
 		NetworkDisabled: !withNetwork,
@@ -128,7 +128,7 @@ func Rm(container string) error {
 	if err != nil {
 		return errors.New("could not initialize Docker API client")
 	}
-	if err = cli.ContainerRemove(context.Background(), container, dockertypes.ContainerRemoveOptions{}); err != nil {
+	if err = cli.ContainerRemove(context.Background(), container, containertypes.RemoveOptions{}); err != nil {
 		return err
 	}
 	log.Debugf("docker rm: %s...Done", container)

src/cmd/linuxkit/docker/source.go

@@ -86,6 +86,11 @@ func (d ImageSource) V1TarReader(overrideName string) (io.ReadCloser, error) {
 	return Save(saveName)
 }
 
+// OCITarReader return an io.ReadCloser to read the save of the image
+func (d ImageSource) OCITarReader(overrideName string) (io.ReadCloser, error) {
+	return nil, fmt.Errorf("unsupported")
+}
+
 // Descriptor return the descriptor of the image.
 func (d ImageSource) Descriptor() *v1.Descriptor {
 	return nil

src/cmd/linuxkit/go.mod

@@ -1,6 +1,6 @@
 module github.com/linuxkit/linuxkit/src/cmd/linuxkit
 
-go 1.19
+go 1.21
 
 require (
 	github.com/Azure/azure-sdk-for-go v56.3.0+incompatible
@@ -8,105 +8,110 @@ require (
 	github.com/Azure/go-autorest/autorest v0.11.24
 	github.com/Azure/go-autorest/autorest/adal v0.9.18
 	github.com/Azure/go-autorest/autorest/to v0.4.0
-	github.com/Microsoft/go-winio v0.5.2
+	github.com/Microsoft/go-winio v0.6.1
 	github.com/ScaleFT/sshkeys v0.0.0-20181112160850-82451a803681
 	github.com/aws/aws-sdk-go v1.44.82
-	github.com/containerd/containerd v1.6.18
-	github.com/docker/buildx v0.8.2
-	github.com/docker/cli v23.0.0-rc.1+incompatible
-	github.com/docker/docker v23.0.0-rc.1+incompatible
+	github.com/containerd/containerd v1.7.15
+	github.com/docker/buildx v0.14.1
+	github.com/docker/cli v26.1.3+incompatible
+	github.com/docker/docker v26.0.0+incompatible
 	github.com/docker/go-units v0.5.0
-	github.com/estesp/manifest-tool/v2 v2.0.7-0.20230216152337-24a86fc0b513
-	github.com/google/go-containerregistry v0.6.1-0.20211105150418-5c9c442d5d68
-	github.com/google/uuid v1.3.0
+	github.com/google/go-containerregistry v0.14.0
+	github.com/google/uuid v1.6.0
 	github.com/gophercloud/gophercloud v0.1.0
 	github.com/gophercloud/utils v0.0.0-20181029231510-34f5991525d1
 	github.com/hashicorp/go-version v1.2.0
 	github.com/klauspost/pgzip v1.2.5
-	github.com/moby/buildkit v0.11.1
+	github.com/moby/buildkit v0.13.2
 	github.com/moby/hyperkit v0.0.0-20180416161519-d65b09c1c28a
 	//github.com/moby/moby v20.10.3-0.20220728162118-71cb54cec41e+incompatible // indirect
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6
+	github.com/moby/term v0.5.0
 	github.com/moby/vpnkit v0.4.1-0.20200311130018-2ffc1dd8a84e
 	github.com/moul/gotty-client v1.7.1-0.20180526075433-e5589f6df359
-	github.com/opencontainers/image-spec v1.1.0-rc2
-	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
-	github.com/packethost/packngo v0.1.1-0.20171201154433-f1be085ecd6f
+	github.com/opencontainers/image-spec v1.1.0-rc5
+	github.com/opencontainers/runtime-spec v1.1.0
 	github.com/pkg/term v1.1.0
 	github.com/radu-matei/azure-sdk-for-go v5.0.0-beta.0.20161118192335-3b1282355199+incompatible
 	github.com/radu-matei/azure-vhd-utils v0.0.0-20170531165126-e52754d5569d
 	github.com/rn/iso9660wrap v0.0.0-20171120145750-baf8d62ad315
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.6
-	github.com/sirupsen/logrus v1.9.0
-	github.com/stretchr/testify v1.8.4
+	github.com/sirupsen/logrus v1.9.3
+	github.com/stretchr/testify v1.9.0
 	github.com/surma/gocpio v1.0.2-0.20160926205914-fcb68777e7dc
 	github.com/vmware/govmomi v0.20.3
 	github.com/xeipuuv/gojsonschema v1.2.0
-	golang.org/x/crypto v0.2.0
-	golang.org/x/net v0.4.0
-	golang.org/x/oauth2 v0.1.0
-	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.3.0
-	golang.org/x/term v0.3.0
-	google.golang.org/api v0.84.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/net v0.23.0
+	golang.org/x/oauth2 v0.11.0
+	golang.org/x/sync v0.6.0
+	golang.org/x/sys v0.18.0
+	golang.org/x/term v0.18.0
+	google.golang.org/api v0.128.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
 	github.com/Code-Hex/vz/v3 v3.0.0
+	github.com/equinix/equinix-sdk-go v0.42.0
 	github.com/in-toto/in-toto-golang v0.5.0
 	github.com/spdx/tools-golang v0.5.3
-	github.com/spf13/cobra v1.6.1
+	github.com/spf13/cobra v1.8.0
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	cloud.google.com/go/compute v1.7.0 // indirect
+	cloud.google.com/go/compute v1.23.1 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-autorest v14.2.1-0.20210115164004-c0fe8b0fea3d+incompatible // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/Microsoft/hcsshim v0.9.6 // indirect
+	github.com/Microsoft/hcsshim v0.11.4 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
-	github.com/containerd/cgroups v1.0.4 // indirect
-	github.com/containerd/console v1.0.3 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/containerd/fifo v1.0.0 // indirect
-	github.com/containerd/nydus-snapshotter v0.3.1 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.13.0 // indirect
-	github.com/containerd/ttrpc v1.1.0 // indirect
-	github.com/containerd/typeurl v1.0.2 // indirect
+	github.com/containerd/console v1.0.4 // indirect
+	github.com/containerd/continuity v0.4.3 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/containerd/ttrpc v1.2.3 // indirect
+	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/creack/goselect v0.0.0-20180501195510-58854f77ee8d // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
-	github.com/docker/go-connections v0.4.1-0.20190612165340-fd1b1942c4d5 // indirect
-	github.com/felixge/httpsnoop v1.0.2 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/distribution/reference v0.5.0 // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gogo/googleapis v1.4.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/s2a-go v0.1.4 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa // indirect
-	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/klauspost/compress v1.15.12 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v0.0.0-20190716172923-621e5597135b // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/patternmatcher v0.5.0 // indirect
+	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -114,30 +119,31 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/smartystreets/goconvey v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/tonistiigi/fsutil v0.0.0-20230105215944-fb433841cbfa // indirect
+	github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
-	github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f // indirect
-	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	go.opencensus.io v0.23.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.29.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.29.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.29.0 // indirect
-	go.opentelemetry.io/otel v1.4.1 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.4.1 // indirect
-	go.opentelemetry.io/otel/internal/metric v0.27.0 // indirect
-	go.opentelemetry.io/otel/metric v0.27.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.4.1 // indirect
-	go.opentelemetry.io/otel/trace v1.4.1 // indirect
-	go.opentelemetry.io/proto/otlp v0.12.0 // indirect
-	golang.org/x/mod v0.6.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
+	go.opentelemetry.io/otel v1.21.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
+	go.opentelemetry.io/otel/trace v1.21.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.17.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
-	google.golang.org/grpc v1.50.1 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+	google.golang.org/grpc v1.59.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 )

src/cmd/linuxkit/moby/apk_tarwriter.go

@@ -8,17 +8,21 @@ import (
 // apkTarWriter apk-aware tar writer that consolidates installed database, so that
 // it can be called multiple times and will do the union of all such databases,
 // rather than overwriting the previous one.
+// Useful only for things that write to the base filesystem, i.e. init, since everything
+// else is inside containers.
 const apkInstalledPath = "lib/apk/db/installed"
 
 type apkTarWriter struct {
 	*tar.Writer
-	dbs     [][]byte
-	current *bytes.Buffer
+	dbs      [][]byte
+	current  *bytes.Buffer
+	location string
 }
 
-func newAPKTarWriter(w *tar.Writer) *apkTarWriter {
+func NewAPKTarWriter(w *tar.Writer, location string) *apkTarWriter {
 	return &apkTarWriter{
-		Writer: w,
+		Writer:   w,
+		location: location,
 	}
 }
 
@@ -67,6 +71,10 @@ func (a *apkTarWriter) WriteAPKDB() error {
 			Gid:      0,
 			Typeflag: tar.TypeReg,
 			Size:     int64(size),
+			PAXRecords: map[string]string{
+				PaxRecordLinuxkitSource:   "LINUXKIT.apkinit",
+				PaxRecordLinuxkitLocation: a.location,
+			},
 		}
 		if err := a.Writer.WriteHeader(hdr); err != nil {
 			return err

src/cmd/linuxkit/moby/build/build.go

@@ -1,4 +1,4 @@
-package moby
+package build
 
 import (
 	"archive/tar"
@@ -18,6 +18,7 @@ import (
 	"github.com/containerd/containerd/reference"
 	// drop-in 100% compatible replacement and 17% faster than compress/gzip.
 	gzip "github.com/klauspost/pgzip"
+	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/moby"
 	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/util"
 	log "github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v2"
@@ -83,7 +84,7 @@ func OutputTypes() []string {
 	return ts
 }
 
-func outputImage(image *Image, section string, prefix string, m Moby, idMap map[string]uint32, dupMap map[string]string, iw *tar.Writer, opts BuildOpts) error {
+func outputImage(image *moby.Image, section string, index int, prefix string, m moby.Moby, idMap map[string]uint32, dupMap map[string]string, iw *tar.Writer, opts BuildOpts) error {
 	log.Infof("  Create OCI config for %s", image.Image)
 	imageName := util.ReferenceExpand(image.Image)
 	ref, err := reference.Parse(imageName)
@@ -92,31 +93,32 @@ func outputImage(image *Image, section string, prefix string, m Moby, idMap map[
 	}
 	src, err := imagePull(&ref, opts.Pull, opts.CacheDir, opts.DockerCache, opts.Arch)
 	if err != nil {
-		return fmt.Errorf("Could not pull image %s: %v", image.Image, err)
+		return fmt.Errorf("could not pull image %s: %v", image.Image, err)
 	}
 	configRaw, err := src.Config()
 	if err != nil {
-		return fmt.Errorf("Failed to retrieve config for %s: %v", image.Image, err)
+		return fmt.Errorf("failed to retrieve config for %s: %v", image.Image, err)
 	}
-	oci, runtime, err := ConfigToOCI(image, configRaw, idMap)
+	oci, runtime, err := moby.ConfigToOCI(image, configRaw, idMap)
 	if err != nil {
-		return fmt.Errorf("Failed to create OCI spec for %s: %v", image.Image, err)
+		return fmt.Errorf("failed to create OCI spec for %s: %v", image.Image, err)
 	}
 	config, err := json.MarshalIndent(oci, "", "    ")
 	if err != nil {
-		return fmt.Errorf("Failed to create config for %s: %v", image.Image, err)
+		return fmt.Errorf("failed to create config for %s: %v", image.Image, err)
 	}
 	path := path.Join("containers", section, prefix+image.Name)
 	readonly := oci.Root.Readonly
-	err = ImageBundle(path, image.ref, config, runtime, iw, readonly, dupMap, opts)
+	err = ImageBundle(path, fmt.Sprintf("%s[%d]", section, index), image.Ref(), config, runtime, iw, readonly, dupMap, opts)
 	if err != nil {
-		return fmt.Errorf("Failed to extract root filesystem for %s: %v", image.Image, err)
+		return fmt.Errorf("failed to extract root filesystem for %s: %v", image.Image, err)
 	}
 	return nil
 }
 
-// Build performs the actual build process
-func Build(m Moby, w io.Writer, opts BuildOpts) error {
+// Build performs the actual build process. The output is the filesystem
+// in a tar stream written to w.
+func Build(m moby.Moby, w io.Writer, opts BuildOpts) error {
 	if MobyDir == "" {
 		MobyDir = defaultMobyConfigDir()
 	}
@@ -126,6 +128,57 @@ func Build(m Moby, w io.Writer, opts BuildOpts) error {
 		return err
 	}
 
+	// find the Moby config file from the existing tar
+	var metadataLocation string
+	if m.Files != nil {
+		for _, f := range m.Files {
+			if f.Metadata == "" {
+				continue
+			}
+			metadataLocation = strings.TrimPrefix(f.Path, "/")
+		}
+	}
+	var (
+		oldConfig *moby.Moby
+		in        *os.File
+		err       error
+	)
+	if metadataLocation != "" && opts.InputTar != "" {
+		// copy the file over, in case it ends up being the same output
+		in, err = os.Open(opts.InputTar)
+		if err != nil {
+			return fmt.Errorf("failed to open input tar: %w", err)
+		}
+		defer in.Close()
+		if _, err := in.Seek(0, 0); err != nil {
+			return fmt.Errorf("failed to seek to beginning of tmpfile: %w", err)
+		}
+		// read the tar until we find the metadata file
+		inputTarReader := tar.NewReader(in)
+		for {
+			hdr, err := inputTarReader.Next()
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				return fmt.Errorf("failed to read input tar: %w", err)
+			}
+			if strings.TrimPrefix(hdr.Name, "/") == metadataLocation {
+				buf := new(bytes.Buffer)
+				if _, err := buf.ReadFrom(inputTarReader); err != nil {
+					return fmt.Errorf("failed to read metadata file from input tar: %w", err)
+				}
+				config, err := moby.NewConfig(buf.Bytes(), nil)
+				if err != nil {
+					return fmt.Errorf("invalid config in existing tar file: %v", err)
+				}
+				oldConfig = &config
+				break
+			}
+		}
+	}
+
+	// do we have an inTar
 	iw := tar.NewWriter(w)
 
 	// add additions
@@ -150,17 +203,29 @@ func Build(m Moby, w io.Writer, opts BuildOpts) error {
 	// deduplicate containers with the same image
 	dupMap := map[string]string{}
 
-	if m.Kernel.ref != nil {
-		// get kernel and initrd tarball and ucode cpio archive from container
-		log.Infof("Extract kernel image: %s", m.Kernel.ref)
-		kf := newKernelFilter(iw, m.Kernel.Cmdline, m.Kernel.Binary, m.Kernel.Tar, m.Kernel.UCode, opts.DecompressKernel)
-		err := ImageTar(m.Kernel.ref, "", kf, "", opts)
-		if err != nil {
-			return fmt.Errorf("Failed to extract kernel image and tarball: %v", err)
-		}
-		err = kf.Close()
-		if err != nil {
-			return fmt.Errorf("Close error: %v", err)
+	kernelRef := m.Kernel.Ref()
+	var oldKernelRef *reference.Spec
+	if oldConfig != nil {
+		oldKernelRef = oldConfig.Kernel.Ref()
+	}
+	if kernelRef != nil {
+		// first check if the existing one had it
+		if oldKernelRef != nil && oldKernelRef.String() == kernelRef.String() {
+			if err := extractPackageFilesFromTar(in, iw, kernelRef.String(), "kernel"); err != nil {
+				return err
+			}
+		} else {
+			// get kernel and initrd tarball and ucode cpio archive from container
+			log.Infof("Extract kernel image: %s", m.Kernel.Ref())
+			kf := newKernelFilter(kernelRef, iw, m.Kernel.Cmdline, m.Kernel.Binary, m.Kernel.Tar, m.Kernel.UCode, opts.DecompressKernel)
+			err := ImageTar("kernel", kernelRef, "", kf, "", opts)
+			if err != nil {
+				return fmt.Errorf("failed to extract kernel image and tarball: %v", err)
+			}
+			err = kf.Close()
+			if err != nil {
+				return fmt.Errorf("close error: %v", err)
+			}
 		}
 	}
 
@@ -168,12 +233,23 @@ func Build(m Moby, w io.Writer, opts BuildOpts) error {
 	if len(m.Init) != 0 {
 		log.Infof("Add init containers:")
 	}
-	apkTar := newAPKTarWriter(iw)
-	for _, ii := range m.initRefs {
-		log.Infof("Process init image: %s", ii)
-		err := ImageTar(ii, "", apkTar, resolvconfSymlink, opts)
-		if err != nil {
-			return fmt.Errorf("failed to build init tarball from %s: %v", ii, err)
+	apkTar := moby.NewAPKTarWriter(iw, "init")
+	initRefs := m.InitRefs()
+	var oldInitRefs []*reference.Spec
+	if oldConfig != nil {
+		oldInitRefs = oldConfig.InitRefs()
+	}
+	for i, ii := range initRefs {
+		if len(oldInitRefs) > i && oldInitRefs[i].String() == ii.String() {
+			if err := extractPackageFilesFromTar(in, apkTar, ii.String(), fmt.Sprintf("init[%d]", i)); err != nil {
+				return err
+			}
+		} else {
+			log.Infof("Process init image: %s", ii)
+			err := ImageTar(fmt.Sprintf("init[%d]", i), ii, "", apkTar, resolvconfSymlink, opts)
+			if err != nil {
+				return fmt.Errorf("failed to build init tarball from %s: %v", ii, err)
+			}
 		}
 	}
 	if err := apkTar.WriteAPKDB(); err != nil {
@@ -184,9 +260,15 @@ func Build(m Moby, w io.Writer, opts BuildOpts) error {
 		log.Infof("Add onboot containers:")
 	}
 	for i, image := range m.Onboot {
-		so := fmt.Sprintf("%03d", i)
-		if err := outputImage(image, "onboot", so+"-", m, idMap, dupMap, iw, opts); err != nil {
-			return err
+		if oldConfig != nil && len(oldConfig.Onboot) > i && oldConfig.Onboot[i].Equal(image) {
+			if err := extractPackageFilesFromTar(in, iw, image.Image, fmt.Sprintf("onboot[%d]", i)); err != nil {
+				return err
+			}
+		} else {
+			so := fmt.Sprintf("%03d", i)
+			if err := outputImage(image, "onboot", i, so+"-", m, idMap, dupMap, iw, opts); err != nil {
+				return err
+			}
 		}
 	}
 
@@ -194,24 +276,35 @@ func Build(m Moby, w io.Writer, opts BuildOpts) error {
 		log.Infof("Add onshutdown containers:")
 	}
 	for i, image := range m.Onshutdown {
-		so := fmt.Sprintf("%03d", i)
-		if err := outputImage(image, "onshutdown", so+"-", m, idMap, dupMap, iw, opts); err != nil {
-			return err
+		if oldConfig != nil && len(oldConfig.Onshutdown) > i && oldConfig.Onshutdown[i].Equal(image) {
+			if err := extractPackageFilesFromTar(in, iw, image.Image, fmt.Sprintf("onshutdown[%d]", i)); err != nil {
+				return err
+			}
+		} else {
+			so := fmt.Sprintf("%03d", i)
+			if err := outputImage(image, "onshutdown", i, so+"-", m, idMap, dupMap, iw, opts); err != nil {
+				return err
+			}
 		}
 	}
 
 	if len(m.Services) != 0 {
 		log.Infof("Add service containers:")
 	}
-	for _, image := range m.Services {
-		if err := outputImage(image, "services", "", m, idMap, dupMap, iw, opts); err != nil {
-			return err
+	for i, image := range m.Services {
+		if oldConfig != nil && len(oldConfig.Services) > i && oldConfig.Services[i].Equal(image) {
+			if err := extractPackageFilesFromTar(in, iw, image.Image, fmt.Sprintf("services[%d]", i)); err != nil {
+				return err
+			}
+		} else {
+			if err := outputImage(image, "services", i, "", m, idMap, dupMap, iw, opts); err != nil {
+				return err
+			}
 		}
 	}
 
 	// add files
-	err := filesystem(m, iw, idMap)
-	if err != nil {
+	if err := filesystem(m, iw, idMap); err != nil {
 		return fmt.Errorf("failed to add filesystem parts: %v", err)
 	}
 
@@ -252,9 +345,10 @@ type kernelFilter struct {
 	foundKernel      bool
 	foundKTar        bool
 	foundUCode       bool
+	ref              *reference.Spec
 }
 
-func newKernelFilter(tw *tar.Writer, cmdline string, kernel string, tar, ucode *string, decompressKernel bool) *kernelFilter {
+func newKernelFilter(ref *reference.Spec, tw *tar.Writer, cmdline string, kernel string, tar, ucode *string, decompressKernel bool) *kernelFilter {
 	tarName, kernelName, ucodeName := "kernel.tar", "kernel", ""
 	if tar != nil {
 		tarName = *tar
@@ -268,7 +362,7 @@ func newKernelFilter(tw *tar.Writer, cmdline string, kernel string, tar, ucode *
 	if ucode != nil {
 		ucodeName = *ucode
 	}
-	return &kernelFilter{tw: tw, cmdline: cmdline, kernel: kernelName, tar: tarName, ucode: ucodeName, decompressKernel: decompressKernel}
+	return &kernelFilter{ref: ref, tw: tw, cmdline: cmdline, kernel: kernelName, tar: tarName, ucode: ucodeName, decompressKernel: decompressKernel}
 }
 
 func (k *kernelFilter) finishTar() error {
@@ -299,7 +393,7 @@ func (k *kernelFilter) finishTar() error {
 	}
 
 	tr := tar.NewReader(k.buffer)
-	err := tarAppend(k.tw, tr)
+	err := tarAppend(k.ref, k.tw, tr)
 	k.buffer = nil
 	return err
 }
@@ -348,11 +442,12 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error {
 		// If we handled the ucode, /boot already exist.
 		if !k.foundUCode {
 			whdr := &tar.Header{
-				Name:     "boot",
-				Mode:     0755,
-				Typeflag: tar.TypeDir,
-				ModTime:  defaultModTime,
-				Format:   tar.FormatPAX,
+				Name:       "boot",
+				Mode:       0755,
+				Typeflag:   tar.TypeDir,
+				ModTime:    defaultModTime,
+				Format:     tar.FormatPAX,
+				PAXRecords: hdr.PAXRecords,
 			}
 			if err := tw.WriteHeader(whdr); err != nil {
 				return err
@@ -360,11 +455,12 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error {
 		}
 		// add the cmdline in /boot/cmdline
 		whdr := &tar.Header{
-			Name:    "boot/cmdline",
-			Mode:    0644,
-			Size:    int64(len(k.cmdline)),
-			ModTime: defaultModTime,
-			Format:  tar.FormatPAX,
+			Name:       "boot/cmdline",
+			Mode:       0644,
+			Size:       int64(len(k.cmdline)),
+			ModTime:    defaultModTime,
+			Format:     tar.FormatPAX,
+			PAXRecords: hdr.PAXRecords,
 		}
 		if err := tw.WriteHeader(whdr); err != nil {
 			return err
@@ -375,11 +471,12 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error {
 		}
 		// Stash the kernel header and prime the buffer for the kernel
 		k.hdr = &tar.Header{
-			Name:    "boot/kernel",
-			Mode:    hdr.Mode,
-			Size:    hdr.Size,
-			ModTime: defaultModTime,
-			Format:  tar.FormatPAX,
+			Name:       "boot/kernel",
+			Mode:       hdr.Mode,
+			Size:       hdr.Size,
+			ModTime:    defaultModTime,
+			Format:     tar.FormatPAX,
+			PAXRecords: hdr.PAXRecords,
 		}
 		k.buffer = new(bytes.Buffer)
 	case k.tar:
@@ -392,22 +489,24 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error {
 		// If we handled the kernel, /boot already exist.
 		if !k.foundKernel {
 			whdr := &tar.Header{
-				Name:     "boot",
-				Mode:     0755,
-				Typeflag: tar.TypeDir,
-				ModTime:  defaultModTime,
-				Format:   tar.FormatPAX,
+				Name:       "boot",
+				Mode:       0755,
+				Typeflag:   tar.TypeDir,
+				ModTime:    defaultModTime,
+				Format:     tar.FormatPAX,
+				PAXRecords: hdr.PAXRecords,
 			}
 			if err := tw.WriteHeader(whdr); err != nil {
 				return err
 			}
 		}
 		whdr := &tar.Header{
-			Name:    "boot/ucode.cpio",
-			Mode:    hdr.Mode,
-			Size:    hdr.Size,
-			ModTime: defaultModTime,
-			Format:  tar.FormatPAX,
+			Name:       "boot/ucode.cpio",
+			Mode:       hdr.Mode,
+			Size:       hdr.Size,
+			ModTime:    defaultModTime,
+			Format:     tar.FormatPAX,
+			PAXRecords: hdr.PAXRecords,
 		}
 		if err := tw.WriteHeader(whdr); err != nil {
 			return err
@@ -419,7 +518,7 @@ func (k *kernelFilter) WriteHeader(hdr *tar.Header) error {
 	return nil
 }
 
-func tarAppend(iw *tar.Writer, tr *tar.Reader) error {
+func tarAppend(ref *reference.Spec, iw *tar.Writer, tr *tar.Reader) error {
 	for {
 		hdr, err := tr.Next()
 		if err == io.EOF {
@@ -428,6 +527,12 @@ func tarAppend(iw *tar.Writer, tr *tar.Reader) error {
 		if err != nil {
 			return err
 		}
+		hdr.Format = tar.FormatPAX
+		if hdr.PAXRecords == nil {
+			hdr.PAXRecords = make(map[string]string)
+		}
+		hdr.PAXRecords[moby.PaxRecordLinuxkitSource] = ref.String()
+		hdr.PAXRecords[moby.PaxRecordLinuxkitLocation] = "kernel"
 		err = iw.WriteHeader(hdr)
 		if err != nil {
 			return err
@@ -478,7 +583,7 @@ func decompressKernel(src *bytes.Buffer) (*bytes.Buffer, error) {
 		versionMajor := int(s[versionIdx])
 		versionMinor := int(s[versionIdx+1])
 		if versionMajor < 2 && versionMinor < 8 {
-			return nil, fmt.Errorf("Unsupported bzImage version: %d.%d", versionMajor, versionMinor)
+			return nil, fmt.Errorf("unsupported bzImage version: %d.%d", versionMajor, versionMinor)
 		}
 
 		setupSectors := uint32(s[setupSectorsIdx])
@@ -488,7 +593,7 @@ func decompressKernel(src *bytes.Buffer) (*bytes.Buffer, error) {
 		log.Debugf("bzImage: Payload at Offset: %d Length: %d", payloadOff, payloadLen)
 
 		if len(s) < int(payloadOff+payloadLen) {
-			return nil, fmt.Errorf("Compressed bzImage payload exceeds size of image")
+			return nil, fmt.Errorf("compressed bzImage payload exceeds size of image")
 		}
 
 		if bytes.HasPrefix(s[payloadOff:], []byte(gzipMagic)) {
@@ -496,10 +601,10 @@ func decompressKernel(src *bytes.Buffer) (*bytes.Buffer, error) {
 			return gunzip(bytes.NewBuffer(s[payloadOff : payloadOff+payloadLen]))
 		}
 		// TODO(rn): Add more supported formats
-		return nil, fmt.Errorf("Unsupported bzImage payload format at offset %d", payloadOff)
+		return nil, fmt.Errorf("unsupported bzImage payload format at offset %d", payloadOff)
 	}
 
-	return nil, fmt.Errorf("No compressed kernel or no supported format found")
+	return nil, fmt.Errorf("no compressed kernel or no supported format found")
 }
 
 func gunzip(src *bytes.Buffer) (*bytes.Buffer, error) {
@@ -520,30 +625,30 @@ func gunzip(src *bytes.Buffer) (*bytes.Buffer, error) {
 }
 
 // this allows inserting metadata into a file in the image
-func metadata(m Moby, md string) ([]byte, error) {
+func metadata(m moby.Moby, md string) ([]byte, error) {
 	// Make sure the Image strings are update to date with the refs
-	updateImages(&m)
+	moby.UpdateImages(&m)
 	switch md {
 	case "json":
 		return json.MarshalIndent(m, "", "    ")
 	case "yaml":
 		return yaml.Marshal(m)
 	default:
-		return []byte{}, fmt.Errorf("Unsupported metadata type: %s", md)
+		return []byte{}, fmt.Errorf("unsupported metadata type: %s", md)
 	}
 }
 
-func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
+func filesystem(m moby.Moby, tw *tar.Writer, idMap map[string]uint32) error {
 	// TODO also include the files added in other parts of the build
 	var addedFiles = map[string]bool{}
 
 	if len(m.Files) != 0 {
 		log.Infof("Add files:")
 	}
-	for _, f := range m.Files {
+	for filecount, f := range m.Files {
 		log.Infof("  %s", f.Path)
 		if f.Path == "" {
-			return errors.New("Did not specify path for file")
+			return errors.New("did not specify path for file")
 		}
 		// tar archives should not have absolute paths
 		if f.Path[0] == '/' {
@@ -557,7 +662,7 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
 			var err error
 			mode, err = strconv.ParseInt(f.Mode, 8, 32)
 			if err != nil {
-				return fmt.Errorf("Cannot parse file mode as octal value: %v", err)
+				return fmt.Errorf("cannot parse file mode as octal value: %v", err)
 			}
 		}
 		dirMode := mode
@@ -571,11 +676,11 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
 			dirMode |= 0001
 		}
 
-		uid, err := idNumeric(f.UID, idMap)
+		uid, err := moby.IDNumeric(f.UID, idMap)
 		if err != nil {
 			return err
 		}
-		gid, err := idNumeric(f.GID, idMap)
+		gid, err := moby.IDNumeric(f.GID, idMap)
 		if err != nil {
 			return err
 		}
@@ -586,10 +691,10 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
 		}
 		if !f.Directory && f.Symlink == "" && f.Contents == nil {
 			if f.Source == "" && f.Metadata == "" {
-				return fmt.Errorf("Contents of file (%s) not specified", f.Path)
+				return fmt.Errorf("contents of file (%s) not specified", f.Path)
 			}
 			if f.Source != "" && f.Metadata != "" {
-				return fmt.Errorf("Specified Source and Metadata for file: %s", f.Path)
+				return fmt.Errorf("specified Source and Metadata for file: %s", f.Path)
 			}
 			if f.Source != "" {
 				source := f.Source
@@ -600,7 +705,7 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
 					_, err := os.Stat(source)
 					if err != nil {
 						// skip if not found or readable
-						log.Debugf("Skipping file [%s] as not readable and marked optional", source)
+						log.Debugf("skipping file [%s] as not readable and marked optional", source)
 						continue
 					}
 				}
@@ -617,10 +722,10 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
 			}
 		} else {
 			if f.Metadata != "" {
-				return fmt.Errorf("Specified Contents and Metadata for file: %s", f.Path)
+				return fmt.Errorf("specified Contents and Metadata for file: %s", f.Path)
 			}
 			if f.Source != "" {
-				return fmt.Errorf("Specified Contents and Source for file: %s", f.Path)
+				return fmt.Errorf("specified Contents and Source for file: %s", f.Path)
 			}
 		}
 		// we need all the leading directories
@@ -644,6 +749,10 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
 					Uid:      int(uid),
 					Gid:      int(gid),
 					Format:   tar.FormatPAX,
+					PAXRecords: map[string]string{
+						moby.PaxRecordLinuxkitSource:   "linuxkit.files",
+						moby.PaxRecordLinuxkitLocation: fmt.Sprintf("files[%d]", filecount),
+					},
 				}
 				err := tw.WriteHeader(hdr)
 				if err != nil {
@@ -660,10 +769,14 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
 			Uid:     int(uid),
 			Gid:     int(gid),
 			Format:  tar.FormatPAX,
+			PAXRecords: map[string]string{
+				moby.PaxRecordLinuxkitSource:   "linuxkit.files",
+				moby.PaxRecordLinuxkitLocation: fmt.Sprintf("files[%d]", filecount),
+			},
 		}
 		if f.Directory {
 			if f.Contents != nil {
-				return errors.New("Directory with contents not allowed")
+				return errors.New("directory with contents not allowed")
 			}
 			hdr.Typeflag = tar.TypeDir
 			err := tw.WriteHeader(hdr)
@@ -691,3 +804,35 @@ func filesystem(m Moby, tw *tar.Writer, idMap map[string]uint32) error {
 	}
 	return nil
 }
+
+// extractPackageFilesFromTar reads files from the input tar and extracts those that have the correct
+// PAXRecords - keys and values - to the tarWriter.
+func extractPackageFilesFromTar(inTar *os.File, tw tarWriter, image, section string) error {
+	log.Infof("Copy %s files from input tar: %s", section, image)
+	// copy kernel files over
+	if _, err := inTar.Seek(0, 0); err != nil {
+		return fmt.Errorf("failed to seek to beginning of input tar: %w", err)
+	}
+	tr := tar.NewReader(inTar)
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("failed to read input tar: %w", err)
+		}
+		if hdr.PAXRecords == nil {
+			continue
+		}
+		if hdr.PAXRecords[moby.PaxRecordLinuxkitSource] == image && hdr.PAXRecords[moby.PaxRecordLinuxkitLocation] == section {
+			if err := tw.WriteHeader(hdr); err != nil {
+				return fmt.Errorf("failed to write header: %w", err)
+			}
+			if _, err := io.Copy(tw, tr); err != nil {
+				return fmt.Errorf("failed to copy %s file: %w", section, err)
+			}
+		}
+	}
+	return nil
+}

src/cmd/linuxkit/moby/build/dir.go

@@ -1,4 +1,4 @@
-package moby
+package build
 
 import (
 	"path/filepath"

src/cmd/linuxkit/moby/build/docker.go

@@ -1,4 +1,4 @@
-package moby
+package build
 
 // We want to replace much of this with use of containerd tools
 // and also using the Docker API not shelling out

src/cmd/linuxkit/moby/build/image.go

@@ -1,4 +1,4 @@
-package moby
+package build
 
 import (
 	"archive/tar"
@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/containerd/containerd/reference"
+	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/moby"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	log "github.com/sirupsen/logrus"
 )
@@ -140,7 +141,8 @@ var touch = map[string]tar.Header{
 }
 
 // tarPrefix creates the leading directories for a path
-func tarPrefix(path string, tw tarWriter) error {
+// path is the path to prefix, location is where this appears in the linuxkit.yaml file
+func tarPrefix(path, location string, ref *reference.Spec, tw tarWriter) error {
 	if path == "" {
 		return nil
 	}
@@ -160,6 +162,10 @@ func tarPrefix(path string, tw tarWriter) error {
 			ModTime:  defaultModTime,
 			Typeflag: tar.TypeDir,
 			Format:   tar.FormatPAX,
+			PAXRecords: map[string]string{
+				moby.PaxRecordLinuxkitSource:   ref.String(),
+				moby.PaxRecordLinuxkitLocation: location,
+			},
 		}
 		if err := tw.WriteHeader(hdr); err != nil {
 			return err
@@ -170,13 +176,14 @@ func tarPrefix(path string, tw tarWriter) error {
 }
 
 // ImageTar takes a Docker image and outputs it to a tar stream
-func ImageTar(ref *reference.Spec, prefix string, tw tarWriter, resolv string, opts BuildOpts) (e error) {
+// location is where it is in the linuxkit.yaml file
+func ImageTar(location string, ref *reference.Spec, prefix string, tw tarWriter, resolv string, opts BuildOpts) (e error) {
 	log.Debugf("image tar: %s %s", ref, prefix)
 	if prefix != "" && prefix[len(prefix)-1] != '/' {
 		return fmt.Errorf("prefix does not end with /: %s", prefix)
 	}
 
-	err := tarPrefix(prefix, tw)
+	err := tarPrefix(prefix, location, ref, tw)
 	if err != nil {
 		return err
 	}
@@ -185,12 +192,12 @@ func ImageTar(ref *reference.Spec, prefix string, tw tarWriter, resolv string, o
 	// If pull==true, then it always tries to pull from registry.
 	src, err := imagePull(ref, opts.Pull, opts.CacheDir, opts.DockerCache, opts.Arch)
 	if err != nil {
-		return fmt.Errorf("Could not pull image %s: %v", ref, err)
+		return fmt.Errorf("could not pull image %s: %v", ref, err)
 	}
 
 	contents, err := src.TarReader()
 	if err != nil {
-		return fmt.Errorf("Could not unpack image %s: %v", ref, err)
+		return fmt.Errorf("could not unpack image %s: %v", ref, err)
 	}
 
 	defer contents.Close()
@@ -214,6 +221,12 @@ func ImageTar(ref *reference.Spec, prefix string, tw tarWriter, resolv string, o
 		// force PAX format, since it allows for unlimited Name/Linkname
 		// and we move all files below prefix.
 		hdr.Format = tar.FormatPAX
+		// ensure we record the source of the file in the PAX header
+		if hdr.PAXRecords == nil {
+			hdr.PAXRecords = make(map[string]string)
+		}
+		hdr.PAXRecords[moby.PaxRecordLinuxkitSource] = ref.String()
+		hdr.PAXRecords[moby.PaxRecordLinuxkitLocation] = location
 		if exclude[hdr.Name] {
 			log.Debugf("image tar: %s %s exclude %s", ref, prefix, hdr.Name)
 			_, err = io.Copy(io.Discard, tr)
@@ -286,6 +299,12 @@ func ImageTar(ref *reference.Spec, prefix string, tw tarWriter, resolv string, o
 			continue
 		}
 		hdr := touch[name]
+		// ensure that we record the source of the file
+		if hdr.PAXRecords == nil {
+			hdr.PAXRecords = make(map[string]string)
+		}
+		hdr.PAXRecords[moby.PaxRecordLinuxkitSource] = ref.String()
+		hdr.PAXRecords[moby.PaxRecordLinuxkitLocation] = location
 		origName := hdr.Name
 		hdr.Name = prefix + origName
 		hdr.Format = tar.FormatPAX
@@ -329,7 +348,7 @@ func ImageTar(ref *reference.Spec, prefix string, tw tarWriter, resolv string, o
 }
 
 // ImageBundle produces an OCI bundle at the given path in a tarball, given an image and a config.json
-func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runtime, tw tarWriter, readonly bool, dupMap map[string]string, opts BuildOpts) error { // nolint: lll
+func ImageBundle(prefix, location string, ref *reference.Spec, config []byte, runtime moby.Runtime, tw tarWriter, readonly bool, dupMap map[string]string, opts BuildOpts) error { // nolint: lll
 	// if read only, just unpack in rootfs/ but otherwise set up for overlay
 	rootExtract := "rootfs"
 	if !readonly {
@@ -340,12 +359,12 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 	root := path.Join(prefix, rootExtract)
 	var foundElsewhere = dupMap[ref.String()] != ""
 	if !foundElsewhere {
-		if err := ImageTar(ref, root+"/", tw, "", opts); err != nil {
+		if err := ImageTar(location, ref, root+"/", tw, "", opts); err != nil {
 			return err
 		}
 		dupMap[ref.String()] = root
 	} else {
-		if err := tarPrefix(prefix+"/", tw); err != nil {
+		if err := tarPrefix(prefix+"/", location, ref, tw); err != nil {
 			return err
 		}
 		root = dupMap[ref.String()]
@@ -357,6 +376,10 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 		Size:    int64(len(config)),
 		ModTime: defaultModTime,
 		Format:  tar.FormatPAX,
+		PAXRecords: map[string]string{
+			moby.PaxRecordLinuxkitSource:   ref.String(),
+			moby.PaxRecordLinuxkitLocation: location,
+		},
 	}
 	if err := tw.WriteHeader(hdr); err != nil {
 		return err
@@ -375,6 +398,10 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 			Typeflag: tar.TypeDir,
 			ModTime:  defaultModTime,
 			Format:   tar.FormatPAX,
+			PAXRecords: map[string]string{
+				moby.PaxRecordLinuxkitSource:   ref.String(),
+				moby.PaxRecordLinuxkitLocation: location,
+			},
 		}
 		if err := tw.WriteHeader(hdr); err != nil {
 			return err
@@ -386,6 +413,10 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 			Typeflag: tar.TypeDir,
 			ModTime:  defaultModTime,
 			Format:   tar.FormatPAX,
+			PAXRecords: map[string]string{
+				moby.PaxRecordLinuxkitSource:   ref.String(),
+				moby.PaxRecordLinuxkitLocation: location,
+			},
 		}
 		if err := tw.WriteHeader(hdr); err != nil {
 			return err
@@ -406,6 +437,10 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 				Typeflag: tar.TypeDir,
 				ModTime:  defaultModTime,
 				Format:   tar.FormatPAX,
+				PAXRecords: map[string]string{
+					moby.PaxRecordLinuxkitSource:   ref.String(),
+					moby.PaxRecordLinuxkitLocation: location,
+				},
 			}
 			if err := tw.WriteHeader(hdr); err != nil {
 				return err
@@ -424,7 +459,7 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 	// write the runtime config
 	runtimeConfig, err := json.MarshalIndent(runtime, "", "    ")
 	if err != nil {
-		return fmt.Errorf("Failed to create runtime config for %s: %v", ref, err)
+		return fmt.Errorf("failed to create runtime config for %s: %v", ref, err)
 	}
 
 	hdr = &tar.Header{
@@ -433,6 +468,10 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 		Size:    int64(len(runtimeConfig)),
 		ModTime: defaultModTime,
 		Format:  tar.FormatPAX,
+		PAXRecords: map[string]string{
+			moby.PaxRecordLinuxkitSource:   ref.String(),
+			moby.PaxRecordLinuxkitLocation: location,
+		},
 	}
 	if err := tw.WriteHeader(hdr); err != nil {
 		return err

src/cmd/linuxkit/moby/build/images.go

@@ -1,4 +1,4 @@
-package moby
+package build
 
 import (
 	"github.com/containerd/containerd/reference"

src/cmd/linuxkit/moby/build/linuxkit.go

@@ -1,4 +1,4 @@
-package moby
+package build
 
 import (
 	"crypto/sha256"
@@ -13,6 +13,7 @@ import (
 	"path/filepath"
 	"runtime"
 
+	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/moby"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -43,7 +44,7 @@ func ensureLinuxkitImage(name, cache string) error {
 
 	yaml := linuxkitYaml[name]
 
-	m, err := NewConfig([]byte(yaml), nil)
+	m, err := moby.NewConfig([]byte(yaml), nil)
 	if err != nil {
 		return err
 	}