Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to Kernel 5.2 + Debian 9.9 + Docker 18.09 #5

Merged
merged 9 commits into from
Jul 9, 2019
Merged

Update to Kernel 5.2 + Debian 9.9 + Docker 18.09 #5

merged 9 commits into from
Jul 9, 2019

Conversation

AkihiroSuda
Copy link
Contributor

@AkihiroSuda AkihiroSuda commented Jul 9, 2019
edited
Loading

  • Update to Kernel 5.2 + Debian 9.9 + Docker 18.09 (get-docker.sh called in Dockerfile will soon begin to install Docker 19.03 in a few days)
  • Add rngd so as to prevent Go runtime from blocking due to insufficient entropy
  • Update README not to use --cap-add if the host is running Docker 19.03+ on kernel 4.8+
  • Stop using insecure TCP, which was accessible from diuid containers and can easily result in container breakout (though the host is still protected)
  • log everything to /tmp/kernel.log for ease of debugging

Tested on Ubuntu 19.04 (fix #4)

@AkihiroSuda
Update to kernel 5.2
a4fc1a3 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
increase entropy; otherwise Go runtime blocks
048660c 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
README.md: cap-add is no longer needed
f0453d0 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
stop using insecure TCP
1de1ca6 
The TCP port was accessible from diuid containers and can easily result
in container breakout (though the host is still protected)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
Dockerfile: avoid using :latest
e533622 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
update KERNEL.config
7288afd 
updated via `docker build -t foo --target print_config . && docker run
-it --rm foo > KERNEL.config`

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda AkihiroSuda mentioned this pull request Jul 9, 2019
Closed
@AkihiroSuda
log everything to /tmp/kernel.log for ease of debugging
aab4a6a 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
simplify scripts
6a614a9 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda
use docker version rather than docker info for wait (20s->16s on …
ff55157 
…my machine)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda AkihiroSuda mentioned this pull request Jul 9, 2019
Closed
@weber-software weber-software merged commit ae0e38c into weber-software:master Jul 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Doesn't work on recent envs (Ubuntu 19.04, Docker 19.03+)
2 participants
@AkihiroSuda @weber-software