Commit Graph

50 Commits (c775aec1837391accbdee74a0b00be9354b61f35)

Author SHA1 Message Date
ktock 072126f710 Bump stargz snapshotter to v0.4.1
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
2021-02-24 12:09:14 +09:00
Akihiro Suda 96bd77e766
Merge pull request #1955 from tonistiigi/armhf-seccomp-fix
fix seccomp compatibility in 32bit arm
2021-01-28 14:17:34 +09:00
Tonis Tiigi 1fd4c49605 fix seccomp compatibility in 32bit arm
Seccomp 2.4.2 is needed for new time64 syscalls not to error in
applications

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2021-01-26 11:35:03 -08:00
Tonis Tiigi dae8f156da update qemu emulators
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2021-01-21 18:33:00 -08:00
ktock db794baea7 Bump github.com/containerd/stargz-snapshotter to v0.3.0
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
2021-01-21 18:27:01 +09:00
Akihiro Suda 59880bef10
bump up stargz-snapshotter
The git repo of github.com/containerd/stargz-snapshotter now has two go.mod modules:
- github.com/containerd/stargz-snapshotter
- github.com/containerd/stargz-snapshotter/estargz

So we need to have the following `replace` directive in `go.mod`:
```
github.com/containerd/stargz-snapshotter/estargz => github.com/containerd/stargz-snapshotter/estargz <VERSION>
```

Otherwise `go mod tidy` fails with the following error:
```
go: github.com/containerd/stargz-snapshotter@v0.2.1-0.20201217071531-2b97b583765b requires
        github.com/containerd/stargz-snapshotter/estargz@v0.0.0-00010101000000-000000000000: invalid version: unknown revision 000000000000
```

ref: https://github.com/containerd/stargz-snapshotter/pull/195

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-18 14:59:10 +09:00
Tõnis Tiigi 7880a4ea24
Merge pull request #1885 from ktock/bump-ss2
Bump github.com/containerd/stargz-snapshotter to v0.2.0
2020-12-15 08:36:11 -08:00
ktock ae1b79bbc6 Bump github.com/containerd/stargz-snapshotter to v0.2.0
This enables BuildKit to lazily pull eStargz with new footer format.

Signed-off-by: ktock <ktokunaga.mail@gmail.com>
2020-12-10 15:20:57 +09:00
Tonis Tiigi 245e71fd8b update Dockerfiles to 1.2
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-12-08 15:00:30 -08:00
Tonis Tiigi e50e2c1dba dockerfile: pin binfmt image
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-12-02 13:11:09 -08:00
Akihiro Suda a19843c552
Update containerd, RootlessKit, CNI, and fuse-overlayfs
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-26 17:14:03 +09:00
Andrea Bolognani a4f57b1203 images: Create simple /etc/nsswitch.conf file
This is a workaround for

  https://github.com/golang/go/issues/35305

which makes it possible to successfully push to a local registry
using

  $ docker buildx build --push --tag localhost:5000/foo .

assuming, of course, that the builder instance currently in use
has been created using

  $ docker buildx create --driver-opt network=host

The workaround is no longer going to be necessary once Go 1.16
is used for builds.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2020-11-20 13:58:47 +01:00
Tonis Tiigi 0061b397bd dockerfile: fix base stage platform for exported image
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-11-17 23:49:54 -08:00
Tonis Tiigi 5754ebdf60 Dockerfile: define alpine version with build arg
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-11-17 17:40:47 -08:00
Tonis Tiigi 442c105a8f Revert "Dockerfile: use ARG for Alpine version"
This reverts commit d2cea325e2.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-11-17 17:38:15 -08:00
Tonis Tiigi 2abe963e59 Dockerfile: use pigz to uncompress
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-11-16 08:56:46 -08:00
Akihiro Suda bad541623d
Merge pull request #1781 from AkihiroSuda/arg-alpine-version
Dockerfile: use ARG for Alpine version
2020-11-12 12:54:50 +09:00
Akihiro Suda d2cea325e2
Dockerfile: use ARG for Alpine version
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-10 17:09:59 +09:00
Akihiro Suda 64123a45c3
Dockerfile: remove pre-built git stage
QEMU usermode emulation is robust enough for running `apk add --no-cache
git xz`, so we can safely remove the pre-built git stage.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-06 16:15:11 +09:00
ktock 3182910bf4 Add fuse dependency to moby/buildkit image
Currently moby/buildkit image misses fuse dependency (fusermount) so currently
stargz support doesn't work on that image. This commit fixes this issue.

Signed-off-by: ktock <ktokunaga.mail@gmail.com>
2020-11-06 15:08:36 +09:00
Akihiro Suda b07668418d
update RootlessKit, fuse-overlayfs, and containerd-fuse-overlayfs
Changes:
- https://github.com/rootless-containers/rootlesskit/compare/v0.9.5...v0.11.0
- https://github.com/containers/fuse-overlayfs/compare/v1.1.2...v1.2.0
- https://github.com/AkihiroSuda/containerd-fuse-overlayfs/compare/v0.10.0...v1.0.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-05 17:22:56 +09:00
Cory Bennett 2b025f623d update runc used in integration tests so exec no longer panics
Signed-off-by: Cory Bennett <cbennett@netflix.com>
2020-11-02 06:34:43 +00:00
ktock e3f6e0d249 Bump stargz-snapshotter and partial registry logic integration
Current stargz snapshotter pkg doesn't contain registry configuration and the
client of that pkg needs to pass it to that pkg. So this commit includes changes
of propagating buildkitd's registry configuration to stargz snapshotter.

But this is a partial integration of registry logic between buildkitd and stargz
snapshotter because buildkitd's session-based authentication logic is still not
applied to stargz snapshotter. This means private images that require
`~/.docker/config.json` creds can't be lazily pulled yet.

Signed-off-by: ktock <ktokunaga.mail@gmail.com>
2020-10-29 12:37:03 +09:00
Tonis Tiigi 588a149ff7 Dockerfile: don’t remove debug info on buildkitd/runc binaries
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-10-25 21:48:59 -07:00
ktock 32e70827f7 Allow stargz target in Dockerfile to use golang build cache
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
2020-09-22 18:26:24 +09:00
ktock cf3d695cc2 Enable to run integration tests with stargz snapshotter
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
2020-09-03 16:52:21 +09:00
ktock 76189201a8 Add integration test for containerd and stargz snapshotter
Signed-off-by: ktock <ktokunaga.mail@gmail.com>
2020-08-27 15:50:11 +09:00
Akihiro Suda 4da183e083
update containerd to v1.4.0, runc to v1.0.0-rc92
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-08-18 22:19:53 +09:00
Tonis Tiigi 942c39adfd add testing for containerd 1.4-beta2
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-07-28 18:13:15 -07:00
Paul "TBBle" Hampson 97314e8567 Don't build the containerd-shim shim for tests
This is the shim used by the containerd Runtime V1 on Linux,
which was the default under containerd 1.2 and earlier.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-07-16 15:06:20 +10:00
Paul "TBBle" Hampson 2de8df3268 Build the containerd-shim-runc-v2 shim for tests
This is the shim used by the containerd Runtime V2 on Linux, per the
default setting of `io.containerd.runc.v2`.

Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
2020-07-16 15:06:09 +10:00
Akihiro Suda d954b77f60
update runc binary to v1.0.0-rc91
release note: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91

vendored library isn't updated in this commit (waiting for containerd to vendor runc rc91)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-07-02 12:54:18 +09:00
Akihiro Suda ceb41d4350
Dockerfile: update binaries
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-07-01 13:32:22 +09:00
Tonis Tiigi f9e26128c0 exec: use qemu emulator automatically
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-06-07 22:08:52 -07:00
Akihiro Suda f026da9f1a Dockerfile: fix linking newuidmap and newgidmap (partially reverts #1405)
* Existing releases v0.3.0...v0.7.1 use newuidmap dynamically linked with musl

* #1405 attempted to link newuidmap statically with glibc, but it was actually dynamically linked by accident and was never used as the external base.
Switching from musl (Alpine) to glibc (Debian) is just because we don't have `cross.sh` for Alpine.
We could fix the script to link the binary statically, but statically linked binary doesn't work on Alpine because of "Cannot determine your user name." error.

* This commit reverts #1405 for newuidmap, and builds the stage with `--platform=$TARGETPLATFORM`.
In future we should port over `cross.sh` to Alpine and use `--platform=$BUILDPLATFORM`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-20 08:05:32 +09:00
Akihiro Suda 9380d34799 Dockerfile: ditch ROOTLESS_BASE_MODE=external
Fix #1378

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-19 11:41:38 +09:00
Sam Whited c62983bbde all: run integration tests against dockerd
Signed-off-by: Sam Whited <sam@samwhited.com>
2020-04-08 23:27:17 -07:00
Akihiro Suda 60c56c2a35 Dockerfile: cross-compile fuse-overlayfs and idmap
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-18 02:15:53 +09:00
Tõnis Tiigi b9ef26d15f
Merge pull request #1403 from Container-Projects/master
optimization debian package manager tweaks
2020-03-11 17:34:11 -07:00
Pratik Raj 2910de68b1 optimization debian package manager tweaks
By default, Ubuntu or Debian based "apt" or "apt-get" system installs recommended but not suggested packages.

By passing "--no-install-recommends" option, the user lets apt-get know not to consider recommended packages as a dependency to install.

This results in smaller downloads and installation of packages.

Refer to blog at [Ubuntu Blog](https://ubuntu.com/blog/we-reduced-our-docker-images-by-60-with-no-install-recommends).

Signed-off-by: Pratik Raj <rajpratik71@gmail.com>
2020-03-11 15:27:54 +05:30
Akihiro Suda ccc689a87d Dockerfile: update tonistiigi/buildkit:rootless-base
https://github.com/moby/buildkit/pull/1392#issuecomment-597478241

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-11 16:12:27 +09:00
Akihiro Suda dc70bca748 Dockerfile: put fuse3 to rootless-base-internal
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-11 15:02:54 +09:00
Akihiro Suda 436cd1e5da update RootlessKit to v0.9.1
Notable change: RootlessKit now prints warnings when the sysctl preconditions are not satisfied.

https://github.com/rootless-containers/rootlesskit/pull/122

https://github.com/rootless-containers/rootlesskit/releases

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-09 23:23:49 +09:00
Akihiro Suda 9f90f5a985 rootless: support fuse-overlayfs
While real overlayfs is available only in Ubuntu and Debian kernels,
fuse-overlayfs is universally available for kernel >= 4.18.

For dockerized deployment, `--device /dev/fuse` needs to be added to
`docker run` flags.

Kubernetes deployment needs a custom device plugin that enables
`/dev/fuse`, e.g. https://github.com/honkiko/k8s-hostdev-plugin

Instead of a device plugin, the device can be also enabled by setting
`securityContext.privileged` to `true`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-03 11:30:29 +09:00
Tonis Tiigi a60ecfa4ae vendor: restore dependency versions
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-02-24 17:31:01 -08:00
Tonis Tiigi eccae3e469 dockerfile: update static base images
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-02-12 22:02:10 -08:00
Tõnis Tiigi 3790395364
Merge pull request #1343 from AkihiroSuda/dockerfile-runc-rc10
Dockerfile: update dependencies (including runc rc10)
2020-01-28 14:40:29 -08:00
Akihiro Suda 55009bee88 Dockerfile: support Kubernetes runAsNonRoot
Kubernetes runAsNonRoot requires `USER` in Dockerfile to be numeric:
https://github.com/kubernetes/kubernetes/blob/v1.18.0-alpha.2/pkg/kubelet/kuberuntime/security_context.go#L98

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-25 04:36:56 +09:00
Akihiro Suda b7e189d77d Dockerfile: update dependencies (including runc rc10)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-25 04:30:54 +09:00
Akihiro Suda 5938170b84 hack: rename Dockerfiles
Fix https://github.com/moby/buildkit/issues/1208

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-18 17:21:48 +09:00