LinuxKit dev report for 2017-06-05 to 2017-06-11 (week 23)

This report covers weekly developments in the linuxkit, virtsock, linuxkit-ci and rtf repositories. There will be a Moby development Summit in the Docker office in San Francisco on June 19, with several of the LinuxKit developers.

Homebrew: On MacOS there is a brew tap available. Detailed instructions are at linuxkit/homebrew-linuxkit, and the short summary is (#2012 @justincormack @riyazdf)

 brew tap linuxkit/linuxkit
 brew install --HEAD moby
 brew install --HEAD linuxkit

This week also saw the addition of several new backends for LinuxKit:

Hyper-V: Add a new Hyper-V backend that provides interactive console access in Powershell (and potentially bash, untested). It supports networking via an existing switch, and supports multiple disks. (#2017 @rn @justincormack).

Microsoft Azure: The CLI now has linuxkit run azure functionality by integrating with the Azure Go SDK. (#1933 #1421 @radu-matei).

AWS support: following on from the initial addition last week, the CLI now has push and run support for AMIs (#1918 #1964 @kencochrane @dave-tucker @justincormack @riyazdf). The AWS provider in the metadata Go package was also enhanced to include more data (#2014 @kencochrane @riyazdf @rn), and the default image name is now set correctly if one is not supplied (#1969 @DieterReuter). If you are debugging the push support, there is now more verbose logging available (#1973 @kencochrane @riyazdf).

VMWare VCenter: Added the capability to wait for the OpenVM tools to report the IP of new VM on doing a linuxkit vcenter run (#1968 @thebsdbox).

Meanwhile, the tools all compile cleanly on Linux, macOS and Windows now (#2000 @rn @mor1) and there is a make local target that does not use Docker (#2011 @justincormack).

Base

• Add tg3 module for Broadcom NIC support (#1971 @justincormack @nrocco)
• Containerd was updated to the latest upstream (#1976 #1979 @rn @justincormack) which in turn fixed ctr exec -t that used to hang (#1837 @rn).
• The Moby tool has been update to the latest upstream (#1983 @justincormack)
• The Linux kernels have been updated to 4.11.4/4.9.31./4.4.71 (#1990 @rn @RobbKistler)
• The default disk size parameter is now in gigabytes instead of megabytes (#2009 @rn)

Packaging

Getty containerised: Added a getty pkg that containerises the serial handling (#1977 #1993 #1997 @deitch @justincormack @riyazdf). Also update linuxkit/init to remove the getty logic, and the getty package to relevant examples (#2004 #2016 @riyazdf @deitch @justincormack @rn).

Leave no port behind: The containerd metrics port is now not exposed by default (#1951 @dave-tucker @rn @justincormack @ijc @riyazdf). See the issue for discussion about further security implications of which ports to leave open.

vsudd virtual communication: There is a new package vsudd that clones and builds linuxkit/virtsock/cmd/vsudd for virtsock communication (#1960 @MagnusS).

Other packaging activity:

• Update packages to use linuxkit run instead of moby run (#2007 @riyazdf)
• In the build, make GOOS and GOARCH over-writeable (#1984 @riyazdf @rn)
• Fix the repository build in some cases (#1994 @tych0 @riyazdf)
• Update LinuxKit target for the virtsock build (virtsock#31 @rn)
• The sshd pkg should have additional mounts (@justincormack @rn @deitch)
• Fix perms on /etc/init.d/000-issue (#2005 @justincormack @deitch)

Projects

The MirageSDK was the topic of this week's Moby Security SIG#2, so there is a presentation available (see the SIG notes). There were various updates in the tree to continue to build the DHCP container (#1965 #2013 #1952 @yomimono [@samoht] @avsm @m4rcu5 @riyazdf).

The projects/aws was removed now that the functionality is mainline (#1975 @avsm @riyazdf).

The probational channel proposal PR was closed (#1945 @tych0) with the following actions based on feedback from the SIG.

• we should use the new merging functionality in the moby tool to do the userspace init merging
• there should be no new tooling in projects/ so e.g. the stuff that merges kernel command lines and such needs to be integrated into the moby tool proper
• we should try to reduce bitrot by doing Makefile includes instead of copy/paste everywhere

These guidelines above generally help to reduce the difference in tooling between experimental projects and the mainline LinuxKit distribution tools.

Discussion continues on the issues about EBPF Jit verification ([linuxkit#1623] @l0kod @thestinger @tych0) and the containerd test harness ([linuxkit/linuxkit#1906] @justincormack @AkihiroSuda)

Docs and Examples

• Remove docker.json from linuxkit.yml (#1996 @justincormack @rn)
• Fix outdated GCP docs (#1967 #1966 @dgageot @riyazdf)
• Improved the AWS docs (#1974 @justincormack)
• Update platform documentation (#1980 @rn)
• Moby SIG: notes and links for 2017-06-07 [(#1985] #1986 #1987 @mgoelzer @riyazdf @l0kod)
• Update MAINTAINERS (#2010 rtf#19 virtsock#32 @ijc @rn @dave-tucker)
• Update AUTHORS (#1999 @djs55 @justincormack)
• Update .mailmap to make auto-generating work (#2001 @justincormack @thaJeztah)
• Move the yaml docs to moby/tool (#2002 @riyazdf)
• Add a test pattern to help text (rtf#17 @dave-tucker)
• Convert some tests to run on hyperkit when run on OSX (#1982 @justincormack @riyazdf @rn)
• Re-enable content trust on build test (#1998 @justincormack)

Ongoing Activity

• The CI is being extended to build and sign Packages ([linuxkit#2003] @talex5 @rn @dave-tucker @justincormack @riyazdf)
• The moby tool and qemu are being updated with fixes ([linuxkit#1959] @justincormack)
• Add https example for the MirageSDK ([linuxkit#1981] @talex5 @justincormack @rn @avsm)
• There is now a vpnkit-forwarder in /pkg/vpnkit-forwarder ([linuxkit#2008] @MagnusS @justincormack @ijc)
• Change label check logic to look for only one match ([linuxkit/rtf#18] @dave-tucker)
• RFC: Enabling signed kernel modules support (#2015 @riyazdf @justincormack @fntlnz)

Other reports in this series can be browsed directly in the repository at linuxkit:/reports.