Weekly LinuxKit dev report for 2017-07-03 to 2017-07-09 (week 27)
Security SIG on Memorizer: This week's security SIG featured @ndauten explaining his ops+memorizer project that provides infrastructure for fine-grained security policy enforcement in Linux. There are meeting notes and slides available (#2153 #2160 @ndauten @riyazdf), as well as work-in-progress PR to add a memorizer project to LinuxKit (#2171 #2170 @ndauten @justincormack).
Content trust: This was updated to make it easier to develop against. An option was added to disable content trust, for the use of (e.g.) projects which are pushing to the linuxkitprojects org (which has no trust setup) rather than the main linuxkit org. Secondly, when trust is enabled then enable it globally, in particular it is now active for the
docker build and hence containers referenced in Dockerfiles via
FROM will be checked. (#2161 @ijc @riyazdf)
linuxkit run no longer hardcodes x86_64 as the architecture, thus letting ARM64 run more easily (#2162 @arm64b). Work is also ongoing to fix Golang ARM binaries running under emulation (#1348 @justincormack @rogaha @ncopa) and multiarch manifest generation for base images used by LinuxKit (#1377 @arm64b @mor1 @justincormack).
Example and build cleanups: The build now works from behind an HTTP proxy (#2144 @kunalkushwaha @justincormack @rn) and cleaning build outputs now covers raw files as well (#2176 @justincormack). The example yaml files are also simpler now by moving
tty0 as it is more common (#2177 @justincormack), and we also consistently don't use quotes around image names (#2178 @justincormack)
Virtsock: The virtsock library for HyperV integration had various improvements to build stress tests using it:
SOCK_CLOEXECto syscall.Socket (virtsock#35 @rn)
- Fix TCP/IPv6 and add Unix Domain Socket support to
- Add AUTHORS and script to generate it (virtsock#36 @rn)
- Update LICENSE (virtsock#37 @justincormack @rn)
The MirageSDK project updated the example unikernels to the latest Capnp-based API. There is a lot of integration work ongoing to publish the reference interface for building privilege separate, unikernel-friendly server applications that can be directly deployed on LinuxKit (#2163 @talex5 @avsm [@samoht]).
Docs and Testing
- Add some more CVE writeups (#2165 @riyazdf)
- Fix markdown format mistake and text re: disk path (#2168 @rn)
- Update AUTHORS (#2169 @justincormack @rn)
- Add some network namespace stress tests (#2172 @justincormack @rn)
- Fix formatting error in README.md (#2175 @justincormack @hansbogert)
Other reports in this series can be browsed directly in the repository at linuxkit:/reports.