This report covers weekly developments in the linuxkit, linuxkit-ci, rtf and virtsock repositories.
Security SIG on Memorizer: This week's security SIG featured @ndauten explaining his ops+memorizer project, which provides infrastructure for fine-grained security policy enforcement in Linux. Meeting notes and slides are available (#2153 #2160 @ndauten @riyazdf), as is a work-in-progress PR to add a memorizer project to LinuxKit (#2171 #2170 @ndauten @justincormack).
Kernel: The kernel images were updated to 4.11.9/4.9.36/4.4.76 from upstream (#2167 @rn).
Content trust: This was updated to make it easier to develop against. An option was added to disable content trust, for the use of (e.g.) projects which push to the linuxkitprojects org (which has no trust setup) rather than the main linuxkit org. Secondly, when trust is enabled it is now enabled globally; in particular it is now active for `docker build`, and hence containers referenced in Dockerfiles via `FROM` will be checked. (#2161 @ijc @riyazdf)
ARM64: `linuxkit run` no longer hardcodes x86_64 as the architecture, thus letting ARM64 run more easily (#2162 @arm64b). Work is also ongoing to fix Golang ARM binaries running under emulation (#1348 @justincormack @rogaha @ncopa) and multiarch manifest generation for base images used by LinuxKit (#1377 @arm64b @mor1 @justincormack).
Example and build cleanups: The build now works from behind an HTTP proxy (#2144 @kunalkushwaha @justincormack @rn) and cleaning build outputs now covers raw files as well (#2176 @justincormack). The example yaml files are also simpler now by moving `ttyS0` after `tty0` as it is more common (#2177 @justincormack), and we also consistently don't use quotes around image names (#2178 @justincormack).
Virtsock: The virtsock library for HyperV integration had various improvements to build stress tests using it:
- Pass `SOCK_CLOEXEC` to syscall.Socket (virtsock#35 @rn)
- Fix TCP/IPv6 and add Unix Domain Socket support to `sock_stress` (virtsock#38 @rn)
- Add AUTHORS and script to generate it (virtsock#36 @rn)
- Update LICENSE (virtsock#37 @justincormack @rn)
The Docker for Mac blueprint integration continues, and this week the time sync and ACPI infrastructure (#1773 @ijc) was added to LinuxKit:
- Add Docker for Mac host time sync daemon (#2119 @riyazdf @djs55 @rn)
- Update Docker for Mac with ACPI and metadata support (#2157 @rn @MagnusS)
- Add ACPI hyperkit test and update platform docs (#2158 @MagnusS @rn)
- The `metadata` package can now overwrite existing config files, which enables custom defaults to be added to the image (#2164 @rn)
- The MirageSDK project updated the example unikernels to the latest Capnp-based API. There is a lot of integration work ongoing to publish the reference interface for building privilege-separated, unikernel-friendly server applications that can be directly deployed on LinuxKit (#2163 @talex5 @avsm [@samoht]).
- There is a work-in-progress PR to add a Memorizer project to LinuxKit (#2170 @ndauten @justincormack).
- The `swarmd` project is also being refreshed and networking support added (#2126 @ijc).
- Add some more CVE writeups (#2165 @riyazdf)
- Fix markdown format mistake and text re: disk path (#2168 @rn)
- Update AUTHORS (#2169 @justincormack @rn)
- Add some network namespace stress tests (#2172 @justincormack @rn)
- Fix formatting error in README.md (#2175 @justincormack @hansbogert)
Other reports in this series can be browsed directly in the repository at linuxkit:/reports.