reports/2017-06-19.md
This report covers weekly developments in the linuxkit, virtsock and linuxkit-ci repositories. There is a Moby development Summit in the Docker office in San Francisco on June 19, with several of the LinuxKit developers present (see agenda at #2033). This week the following major activity went into the tree:
Added a static usermode helper: Linux 4.11 has a safer mechanism for user mode helpers that forces all user-mode helper invocations through a single binary at a read-only path. Allowed binaries are whitelisted, and this reduces the attack surface in the kernel (#2037 #1760 @tych0 @ijc @MagnusS @rn).
Moby command: The tool now supports ~ in paths, allowing for example the user's ssh key to be automatically added in the ssh examples (#2027 @justincormack). The moby command was also tidied up to use a unified coding style (#2054 @rn @riyazdf).
Dynamic VHD support: There is now a mkimage package to create dynamic VHD images (static/fixed VHD images are already supported by LinuxKit). Dynamic VHD files are smaller in size, making them much easier to upload to the IBM cloud. (#1955 @davefreitag @justincormack)
Cold plug of devices: While mdev handles hot-plug of devices added to the system after it was booted, it did not support cold-plug (i.e. loading modules for devices which are present on boot). This is now supported via rc.init (#2038 @pwFoo @justincormack)
Custom containerd client: The latest containerd has removed the --runtime-config option which we relied on. Since ctr is not considered by the containerd developers to be a supported interface, LinuxKit now uses a custom client written against the containerd client library (#2041 @riyazdf @ijc @justincormack).
setsid in init: The containerisation of getty that started last week continues, with various improvements to support using setsid in the init phase as well as in a service (#2036 #2044 @deitch @riyazdf @ijc @rn @justincormack).
Hyperkit multiple disk and vmnet: Now that the Hyperkit Go API has multiple disk support, it is available from LinuxKit as well (#2052 @justincormack). Vmnet support was also added to linuxkit run hyperkit to use the built-in OSX DHCP NAT (#2060 @justincormack).
vpnkit-expose-port option (#2048 @MagnusS @riyazdf @justincormack)
library Hub org in examples to verify nginx, other official images (#2059 @justincormack)
MirageSDK: replace custom transport protocol by Capnproto (#2040 @talex5 @rn), add an https example (#1981 @avsm @talex5 @justincormack) and work is continuing on making the DHCP client a drop-in replacement for the current C version (@samoht)
A new Shiftfs project is available for mapping mountpoints across user namespaces (#2035 @tych0 @estesp @jejb @riyazdf)
Update security events with new kernels (#2030 @justincormack)
Kernel config project docs (#2042 @justincormack)
Add Packet.net documentation (#2057 #2046 @vielmetti @avsm)
Update AUTHORS (#2058 @justincormack)
Removed unused vendoring (#2050 @justincormack)
Improve fetching of results (linuxkit-ci#8 @talex5)
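For the static usermode helper item above, a sketch of the dispatcher such a scheme relies on: the kernel always executes the one fixed binary, and that binary decides whether to run the program that was originally requested. This is an added example, not LinuxKit's own helper or code from this report; it assumes the requested path arrives in argv[0], and the allowlist entries are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allowlist: helper paths this image expects the kernel to
 * request. Replace with the set your own system actually needs. */
static const char *const allowed_helpers[] = {
    "/sbin/modprobe",
    "/sbin/poweroff",
};

/* Exact string match only: no prefix matching, no basename comparison and
 * no path normalisation, so "/sbin/modprobe/../sh" or a bare "modprobe"
 * never match an entry. Returns 1 if allowed, 0 otherwise. */
int helper_allowed(const char *requested)
{
    size_t i;

    if (requested == NULL || requested[0] != '/')
        return 0;
    for (i = 0; i < sizeof(allowed_helpers) / sizeof(allowed_helpers[0]); i++)
        if (strcmp(requested, allowed_helpers[i]) == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv, char **envp)
{
    /* Assumption: argv[0] holds the path the kernel originally asked for. */
    if (argc < 1 || !helper_allowed(argv[0])) {
        fprintf(stderr, "usermode-helper: refused %s\n",
                argc > 0 ? argv[0] : "(no argv)");
        return 1;
    }
    /* Run the real helper with the kernel-supplied arguments and environment. */
    execve(argv[0], argv, envp);
    perror("usermode-helper: execve");
    return 1;
}
```

The dispatcher only helps if it and every allowlisted target live on a filesystem an attacker cannot write to, which is why the read-only path matters.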
Other reports in this series can be browsed directly in the repository at linuxkit:/reports.