Weekly LinuxKit dev report for 2017-06-26 to 2017-07-02 (week 26)

This report covers weekly developments in the linuxkit, linuxkit-ci, rtf, and virtsock repositories. This week, we welcome Avi Deitcher (@deitch) as an official maintainer to the project! (#2116 @justincormack @deitch).

The SIG security agenda for 2017-07-05 is now up, with [@nduaten] due to talk about his Memorizer project, which he also plans to add as a LinuxKit project soon. (#2114 #2141 @ndauten @riyazdf)

Vultr provider: A Vultr.com provider and example is now available in the mainline tree. (#2109 #2101 @furious-luke @riyazdf @justincormack)

Auditing: The auditd userspace components responsible for writing audit records to the disk are now containerised. (#2092 #2121 @tych0 @justincormack @riyazdf)

Improvements to kernel build: (#2113 @rn @justincormack @riyazdf)

• If a package or the kernel is built from a dirty git repository, add -dirty to the tag and disallow pushing to hub (#1812 @rn).
• If the latest commit has a tag, also push an image to hub as <org>/<image>:<tag>. This should allow us to simplify YAML files once we introduce releases.
• For packages, don't build the package if it already exists on Hub. This was already done for the kernel, but for packages, the check was only performed on push. This should make it easier for CI to just attempt to build all packages.
• For kernel build, merge the sign target into push. This brings it in line with the package and other builds which do not have a sign target.
• Update kernels to 4.11.8/4.9.35/4.4.75 (#2140 #2111 @rn @RobbKistler)

Gettying more obvious: the effort to make it more obvious that Getty and Sshd are namespaced and not running on the host namespace is now merged (#2120 @justincormack @deitch @dave-tucker @ijc @rn). We also now ensure ctr works in the getty container (#2102 #2104 @talex5 @justincormack @ijc)

Qemu wih KVM: There is a -enable-kvm option in the linuxkit cli to force (attempted) use (or not) of KVM (#2110 @justincormack @ijc)

Packaging and Blueprints

The Docker for Mac Blueprint continues to integrate customisations from the downstream use within Docker:

• Previously in Docker for Mac we run fstrim /var every 15 minutes from cron to reclaim space. If an image is deleted then it can take a long time for the space to be freed on the host. LinuxKit now has a helper which watches for Docker events and triggers an fstrim after an image delete. If a batch of image deletes happen within 10s (e.g. as part of a docker system prune) then only one fstrim will be issued. (#2112 @djs55 @justincormack @riyazdf)
• Add support for exposing swarm service ports (#2124 @MagnusS @riyazdf @justincormack)
• Add pkg/chronyd and update DfM blueprint (#2132 @rn @justincormack @MagnusS)
• Update Docker CE to 17.06.0 (#2127 @rn)
• Bind /etc/docker/daemon.json in examples/docker.yml (#2130 @caminada @justincormack @MagnusS @riyazdf)
• Split DfM blueprint in base and docker yml (#2137 @justincormack @MagnusS)

Projects

The MirageSDK project development continues, with support for a new file descriptor sharing daemon that allows linked containers to drop even more privileges while transmitting data securely between each other. (#2129 @samoht @riyazdf)

The overall RFC for point-to-point channels between containers is also available for review and comment (#2045 @samoht). There is also a yml example on how to use fdd to create container channels (#2133 @samoht @justincormack).

Docs and Testing

• Makefile: bump rtf version (#2115 @rn)
• Update AUTHORS (#2125 #2105 @justincormack)
• Makefile: Fix bug where network was not disabled (#2135 @justincormack)
• Use custom-2-5120 as recommended by Google (linuxkit-ci#19 @samoht @talex5)
• Add timestamps to LinuxKit build logs (linuxkit-ci#20 @talex5)
• Re-add @rn to rebuild ACL (linuxkit-ci#21 @talex5)
• Fix test sorting for mixed tests/subgroups (rtf#20 @dave-tucker)

Other reports in this series can be browsed directly in the repository at linuxkit:/reports.