This report covers weekly developments in the linuxkit, linuxkit-ci, virtsock, and linuxkit/rtf repositories.
We now sign and verify LinuxKit component images, such as linuxkit/kernel, using Notary (#1900 @justincormack @ijc25 @rneugeba). The Alpine base was also updated to add config labels and trust (#1909 @rneugeba), and the organisation key was added to the yaml file (#1913 @dave-tucker @justincormack @rneugeba @riyazdf).
The linuxkit tool has had several improvements that change its syntax:
- Output formats must be specified on the CLI, not in the yaml file. (#1908 @justincormack)
- Disk command line options for local hypervisors have been unified (#1888 @thebsdbox @justincormack @IJC @ijc25 @rneugeba)
- Hyperkit backends now have a -start-vpnkit flag (#1891 @rneugeba @MagnusS) and a -vpnkit-socket flag (#1907 @justincormack @rneugeba)
- The Qemu backend was made more consistent. For all output formats except kernel+initrd, we now require the full path of the file to run, which in return makes the default options more automatic. It also now allows specifying a bootable disk image, so disk image output formats can be tested with qemu too. (#1873 @justincormack)
A VMware vCenter backend was added, using the VMware Go SDK to allow LinuxKit to push ISOs to VMware and run them. (#1882 #1860 @justincormack @thebsdbox)
The Alpine base image was extended with:
- VM integration agents (#1887 @MagnusS @ijc25 @rneugeba)
- Strace (#1922 @justincormack)
- There is discussion on how to improve the Address Space Layout Randomization (ASLR) and Position Independent Executables (PIE) in the base (#1902 @rneugeba @justincormack @riyazdf @fntlnz)
Other improvements were made to the packages:
- Add a mkimage package (#1896 @justincormack)
- Add an open-vm-tools package (#1898 @ijc25 @justincormack @rneugeba)
- Moby config labels were added to common packages (#1884 @rneugeba)
Managing kernel configurations got easier via the kernel-config project which now has a real implementation of kernel configs (#1877 @tych0). There is also ongoing work to update to the 4.11.2/4.10.17/4.9.29/4.4.69 kernels (#1870 @rneugeba).
The experimental projects area saw several changes:
- Wireguard improvements (#1915 @tych0 @justincormack @riyazdf)
- Use kernel images for Integrity Measurement Architecture (IMA) (#1914 @rneugeba)
The first Moby Security SIG was held, with meeting notes and PRs available in the tree. Please continue to send fixes to these documents based on your participation:
- 2017-05-24 meeting notes (#1892 @jcvenegas @zx2c4 @avsm @tych0 @riyazdf @mcastelino)
- Draft agenda for 2017-06-07 meeting (#1893 @tych0 @riyazdf)
- Video recording of meeting notes (#1894 @tych0 @riyazdf)
- Fix link to ima-namespace project (#1899 @cyli @rneugeba)
- Add buildchain security to agenda, proposed time allocations (#1903 @fntlnz @avsm @samoht @rneugeba @riyazdf @SvenDowideit)
- More detail to security SIG agenda (#1876 @tych0)
General housekeeping activity:
- Improve Makefile to rebuild bin/moby as necessary (#1910 @tych0 @justincormack)
- Only output qemu disk creation info in debug mode (#1911 @justincormack)
- Add a few more aliases to .mailmap and re-generated AUTHORS (#1879 @justincormack @rneugeba)
- Add a blurb about CVE-2017-1000363 (#1885 @justincormack)
- Remove AUTHOR from tests (#1890 @justincormack)
- Add docs on how to use external disk (#1776 @justincormack @deitch)
- Add a docs section on custom kernel builds (#1838 @rneugeba @yankunsam)
- Update LinuxKit YAML file for Virtsock (virtsock#29 @rneugeba)
- RTF templates: Fix path to top-level library (linuxkit/rtf#15 @dave-tucker)
- Improve fetching of CI results (linuxkit-ci#8)
- Add a test-containerd to CI (#1906 @dmcgowan @justincormack @rneugeba)
- Continue fixing qemu-img in a container (#1871)
Other reports in this series can be browsed directly in the repository at linuxkit:/reports.