diff --git a/files/dhcp.sh b/files/dhcp.sh
index 054826ee..d634556b 100755
--- a/files/dhcp.sh
+++ b/files/dhcp.sh
@@ -9,11 +9,11 @@ set -x
 run_dhcp_client() {
 one_shot="$1"
- al="en*"
+ al="e*"
 vlan_id=$(sed -n 's/.* vlan_id=\([0-9]*\).*/\1/p' /proc/cmdline)
 if [ -n "$vlan_id" ]; then
- al="en*.*"
+ al="e*.*"
 fi
 if [ "$one_shot" = "true" ]; then
diff --git a/images/hook-bootkit/Dockerfile b/images/hook-bootkit/Dockerfile
index 125e57a4..b49b40aa 100644
--- a/images/hook-bootkit/Dockerfile
+++ b/images/hook-bootkit/Dockerfile
@@ -1,9 +1,9 @@
-FROM golang:1.22.6-alpine AS dev
+FROM golang:1.24-alpine AS dev
 COPY . /src/
 WORKDIR /src
 RUN go mod download
 RUN CGO_ENABLED=0 go build -a -ldflags '-s -w -extldflags "-static"' -o /bootkit
-FROM alpine
+FROM scratch
 COPY --from=dev /bootkit .
 ENTRYPOINT ["/bootkit"]
diff --git a/images/hook-containerd/Dockerfile b/images/hook-containerd/Dockerfile
index 5ccdf423..38447c71 100644
--- a/images/hook-containerd/Dockerfile
+++ b/images/hook-containerd/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS builder
+FROM alpine:3.22 AS builder
 ARG TARGETPLATFORM
@@ -7,10 +7,10 @@ ARG TARGETPLATFORM
 # `test/pkg/containerd/Dockerfile` when changing this.
 ENV CONTAINERD_REPO=https://github.com/containerd/containerd.git
-ENV CONTAINERD_COMMIT=v1.7.15
-ENV NERDCTL_VERSION=1.7.6
+ENV CONTAINERD_COMMIT=v2.1.3
+ENV NERDCTL_VERSION=2.1.2
 ENV GOPATH=/go
-RUN apk add go git
+RUN apk add go=1.24.4-r0 git
 RUN mkdir -p $GOPATH/src/github.com/containerd && \
 cd $GOPATH/src/github.com/containerd && \
 git clone https://github.com/containerd/containerd.git && \
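Review bot: The widened interface glob on the two changed lines (`al="e*"` and `al="e*.*"`) is undocumented, and `e*` is broader than the Ethernet names it presumably targets — it also matches non-NIC interface names such as `erspan0` when that kernel module is loaded, so whether the extra matches are harmless depends on how `$al` is consumed further down run_dhcp_client, which ends outside the hunk. A one-line comment stating which names the pattern must cover, e.g. `# match both predictable (enX) and legacy (ethX) interface names`, would make the intent reviewable, and if only those two families are wanted and the consumer accepts more than one pattern, naming them explicitly is less surprising than `e*`.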
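Review bot: `FROM golang:1.24-alpine` drops the patch-level pin that the old `golang:1.22.6-alpine` tag carried, so the builder toolchain now floats with every Go point release; pinning `golang:1.24.N-alpine` (N = the patch release) or a digest keeps the build reproducible. With the runtime stage now `FROM scratch` the image contains no CA bundle and no zoneinfo, so if bootkit opens TLS connections it will fail certificate verification — I cannot tell from this hunk whether it does; if so, `COPY --from=dev /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` from the dev stage fixes it. `COPY --from=dev /bootkit .` lands in `/` only because the final stage sets no WORKDIR; `COPY --from=dev /bootkit /bootkit` states the destination explicitly and visibly matches `ENTRYPOINT ["/bootkit"]`.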
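Review bot: `RUN apk add go=1.24.4-r0 git` pins an exact Alpine package build, but the Alpine 3.22 repository keeps only the current build of each package, so this line will fail with an unsatisfiable-constraint error as soon as the distro rebuilds go; images/hook-runc/Dockerfile in this same commit carries the identical pin. If the goal is a reproducible toolchain, a `golang:1.24.N-alpine` builder stage (as hook-bootkit already uses) or a digest-pinned base achieves it without breaking on the next package update; if the pin is deliberate, a comment such as `# must be bumped whenever alpine:3.22 rebuilds go; old builds are not kept in the repo` would let the next failing build be understood immediately. The bumped `CONTAINERD_COMMIT=v2.1.3` is still a tag, not a commit hash as the variable name suggests; tags are mutable, so checking out the tag's commit SHA would pin the build to immutable source.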
@@ -18,27 +18,27 @@ RUN mkdir -p $GOPATH/src/github.com/containerd && \
 git checkout $CONTAINERD_COMMIT
 RUN apk add --no-cache btrfs-progs-dev gcc libc-dev linux-headers make libseccomp-dev
 WORKDIR $GOPATH/src/github.com/containerd/containerd
-RUN make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-w -s -extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
+RUN make binaries STATIC=1 EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-w -s -extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
 # install nerdctl
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then ARCHITECTURE=amd64; elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then ARCHITECTURE=arm64; else ARCHITECTURE=amd64; fi \
 && wget https://github.com/containerd/nerdctl/releases/download/v${NERDCTL_VERSION}/nerdctl-${NERDCTL_VERSION}-linux-${ARCHITECTURE}.tar.gz \
 && tar -zxvf nerdctl-${NERDCTL_VERSION}-linux-${ARCHITECTURE}.tar.gz -C /usr/local/bin/
-RUN cp bin/containerd bin/ctr bin/containerd-shim bin/containerd-shim-runc-v2 /usr/bin/
-RUN strip /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/containerd-shim-runc-v2
+RUN cp bin/containerd bin/ctr bin/containerd-shim-runc-v2 /usr/bin/
+RUN strip /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim-runc-v2
 RUN mkdir -p /opt/containerd
 FROM scratch AS containerd-dev
 ENTRYPOINT []
 WORKDIR /
-COPY --from=builder /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/containerd-shim-runc-v2 /usr/bin/
+COPY --from=builder /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim-runc-v2 /usr/bin/
 COPY --from=builder /go/src/github.com/containerd/containerd /go/src/github.com/containerd/containerd
 COPY --from=builder /usr/local/bin/nerdctl /usr/bin/
 COPY --from=builder /opt/containerd/ /opt/containerd/
 # Dockerfile to build linuxkit/containerd for linuxkit
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS alpine
+FROM alpine:3.22 AS alpine
 RUN apk add tzdata binutils
 RUN mkdir -p /etc/init.d && ln -s /usr/bin/service /etc/init.d/020-containerd
@@ -48,7 +48,7 @@ FROM containerd-dev
 FROM scratch
 ENTRYPOINT []
 WORKDIR /
-COPY --from=containerd-dev /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/containerd-shim-runc-v2 /usr/bin/
+COPY --from=containerd-dev /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim-runc-v2 /usr/bin/
 COPY --from=containerd-dev /usr/bin/nerdctl /usr/bin/
 COPY --from=containerd-dev /opt/containerd/ /opt/containerd/
 COPY --from=alpine /usr/share/zoneinfo/UTC /etc/localtime
diff --git a/images/hook-containerd/etc/containerd/config.toml b/images/hook-containerd/etc/containerd/config.toml
index 1cbd93d2..e76a9b97 100644
--- a/images/hook-containerd/etc/containerd/config.toml
+++ b/images/hook-containerd/etc/containerd/config.toml
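Review bot: The nerdctl tarball fetched by `wget` in this hunk is extracted straight into /usr/local/bin with no integrity check, so the bump to NERDCTL_VERSION=2.1.2 in the previous hunk pulls an unverified binary into the image; the upstream release publishes a SHA256SUMS file, so inserting `&& echo "<expected-sha256>  nerdctl-${NERDCTL_VERSION}-linux-${ARCHITECTURE}.tar.gz" | sha256sum -c -` between the `wget` and `tar` lines (with a per-architecture expected value, or a `sha256sum -c` against the downloaded SHA256SUMS) closes that gap. The `else ARCHITECTURE=amd64` fallback in the same RUN silently builds an amd64 nerdctl for any other TARGETPLATFORM; failing the build there is safer than shipping a mismatched binary. Since WORKDIR is the containerd source tree at this point, the downloaded tarball is also left in that tree and travels into containerd-dev via the unchanged `COPY --from=builder /go/src/github.com/containerd/containerd ...` line; an `&& rm` after the `tar` keeps it out.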
@@ -1,295 +1,246 @@ # default containerd configuration file, generated via `containerd config default` +version = 3 +root = '/var/lib/containerd' +state = '/run/containerd' +temp = '' disabled_plugins = [] -imports = [] -oom_score = 0 -plugin_dir = "" required_plugins = [] -root = "/var/lib/containerd" -state = "/run/containerd" -temp = "" -version = 2 - -[cgroup] - path = "" - -[debug] - address = "" - format = "" - gid = 0 - level = "" - uid = 0 +oom_score = 0 +imports = [] [grpc] - address = "/run/containerd/containerd.sock" + address = '/run/containerd/containerd.sock' + tcp_address = '' + tcp_tls_ca = '' + tcp_tls_cert = '' + tcp_tls_key = '' + uid = 0 gid = 0 max_recv_message_size = 16777216 max_send_message_size = 16777216 - tcp_address = "" - tcp_tls_ca = "" - tcp_tls_cert = "" - tcp_tls_key = "" + +[ttrpc] + address = '' + uid = 0 + gid = 0 + +[debug] + address = '' uid = 0 + gid = 0 + level = '' + format = '' [metrics] - address = "" + address = '' grpc_histogram = false [plugins] + [plugins.'io.containerd.cri.v1.images'] + snapshotter = 'overlayfs' + disable_snapshot_annotations = true + discard_unpacked_layers = false + max_concurrent_downloads = 3 + concurrent_layer_fetch_buffer = 0 + image_pull_progress_timeout = '5m0s' + image_pull_with_sync_fs = false + stats_collect_period = 10 + use_local_image_pull = false - [plugins."io.containerd.gc.v1.scheduler"] - deletion_threshold = 0 - mutation_threshold = 100 - pause_threshold = 0.02 - schedule_delay = "0s" - startup_delay = "100ms" + [plugins.'io.containerd.cri.v1.images'.pinned_images] + sandbox = 'registry.k8s.io/pause:3.10' - [plugins."io.containerd.grpc.v1.cri"] - cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"] - device_ownership_from_security_context = false - disable_apparmor = false - disable_cgroup = false - disable_hugetlb_controller = true - disable_proc_mount = false - disable_tcp_service = true - drain_exec_sync_io_timeout = "0s" - enable_cdi = false + 
[plugins.'io.containerd.cri.v1.images'.registry] + config_path = '' + + [plugins.'io.containerd.cri.v1.images'.image_decryption] + key_model = 'node' + + [plugins.'io.containerd.cri.v1.runtime'] enable_selinux = false - enable_tls_streaming = false - enable_unprivileged_icmp = false - enable_unprivileged_ports = false - ignore_image_defined_volumes = false - image_pull_progress_timeout = "5m0s" - max_concurrent_downloads = 3 + selinux_category_range = 1024 max_container_log_line_size = 16384 - netns_mounts_under_state_dir = false + disable_apparmor = false restrict_oom_score_adj = false - sandbox_image = "registry.k8s.io/pause:3.8" - selinux_category_range = 1024 - stats_collect_period = 10 - stream_idle_timeout = "4h0m0s" - stream_server_address = "127.0.0.1" - stream_server_port = "0" - systemd_cgroup = false + disable_proc_mount = false + unset_seccomp_profile = '' tolerate_missing_hugetlb_controller = true - unset_seccomp_profile = "" - - [plugins."io.containerd.grpc.v1.cri".cni] - bin_dir = "/opt/cni/bin" - conf_dir = "/etc/cni/net.d" - conf_template = "" - ip_pref = "" - max_conf_num = 1 - setup_serially = false - - [plugins."io.containerd.grpc.v1.cri".containerd] - default_runtime_name = "runc" - disable_snapshot_annotations = true - discard_unpacked_layers = false + disable_hugetlb_controller = true + device_ownership_from_security_context = false + ignore_image_defined_volumes = false + netns_mounts_under_state_dir = false + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + enable_cdi = true + cdi_spec_dirs = ['/etc/cdi', '/var/run/cdi'] + drain_exec_sync_io_timeout = '0s' + ignore_deprecation_warnings = [] + + [plugins.'io.containerd.cri.v1.runtime'.containerd] + default_runtime_name = 'runc' ignore_blockio_not_enabled_errors = false ignore_rdt_not_enabled_errors = false - no_pivot = false - snapshotter = "overlayfs" - - [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime] - base_runtime_spec = "" - cni_conf_dir = "" - 
cni_max_conf_num = 0 - container_annotations = [] - pod_annotations = [] - privileged_without_host_devices = false - privileged_without_host_devices_all_devices_allowed = false - runtime_engine = "" - runtime_path = "" - runtime_root = "" - runtime_type = "" - sandbox_mode = "" - snapshotter = "" - - [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options] - - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] - - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] - base_runtime_spec = "" - cni_conf_dir = "" - cni_max_conf_num = 0 - container_annotations = [] + + [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes] + [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc] + runtime_type = 'io.containerd.runc.v2' + runtime_path = '' pod_annotations = [] + container_annotations = [] privileged_without_host_devices = false privileged_without_host_devices_all_devices_allowed = false - runtime_engine = "" - runtime_path = "" - runtime_root = "" - runtime_type = "io.containerd.runc.v2" - sandbox_mode = "podsandbox" - snapshotter = "" - - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] - BinaryName = "" - CriuImagePath = "" - CriuPath = "" - CriuWorkPath = "" + cgroup_writable = false + base_runtime_spec = '' + cni_conf_dir = '' + cni_max_conf_num = 0 + snapshotter = '' + sandboxer = 'podsandbox' + io_type = '' + + [plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.runc.options] + BinaryName = '' + CriuImagePath = '' + CriuWorkPath = '' IoGid = 0 IoUid = 0 NoNewKeyring = false - NoPivotRoot = false - Root = "" - ShimCgroup = "" - SystemdCgroup = false - - [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime] - base_runtime_spec = "" - cni_conf_dir = "" - cni_max_conf_num = 0 - container_annotations = [] - pod_annotations = [] - privileged_without_host_devices = false - privileged_without_host_devices_all_devices_allowed = false - runtime_engine = "" - runtime_path = 
"" - runtime_root = "" - runtime_type = "" - sandbox_mode = "" - snapshotter = "" - - [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options] - - [plugins."io.containerd.grpc.v1.cri".image_decryption] - key_model = "node" + Root = '' + ShimCgroup = '' - [plugins."io.containerd.grpc.v1.cri".registry] - config_path = "" + [plugins.'io.containerd.cri.v1.runtime'.cni] + bin_dir = '' + bin_dirs = ['/opt/cni/bin'] + conf_dir = '/etc/cni/net.d' + max_conf_num = 1 + setup_serially = false + conf_template = '' + ip_pref = '' + use_internal_loopback = false - [plugins."io.containerd.grpc.v1.cri".registry.auths] + [plugins.'io.containerd.differ.v1.erofs'] + mkfs_options = [] - [plugins."io.containerd.grpc.v1.cri".registry.configs] + [plugins.'io.containerd.gc.v1.scheduler'] + pause_threshold = 0.02 + deletion_threshold = 0 + mutation_threshold = 100 + schedule_delay = '0s' + startup_delay = '100ms' - [plugins."io.containerd.grpc.v1.cri".registry.headers] + [plugins.'io.containerd.grpc.v1.cri'] + disable_tcp_service = true + stream_server_address = '127.0.0.1' + stream_server_port = '0' + stream_idle_timeout = '4h0m0s' + enable_tls_streaming = false - [plugins."io.containerd.grpc.v1.cri".registry.mirrors] + [plugins.'io.containerd.grpc.v1.cri'.x509_key_pair_streaming] + tls_cert_file = '' + tls_key_file = '' - [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming] - tls_cert_file = "" - tls_key_file = "" + [plugins.'io.containerd.image-verifier.v1.bindir'] + bin_dir = '/opt/containerd/image-verifier/bin' + max_verifiers = 10 + per_verifier_timeout = '10s' - [plugins."io.containerd.internal.v1.opt"] - path = "/opt/containerd" + [plugins.'io.containerd.internal.v1.opt'] + path = '/opt/containerd' - [plugins."io.containerd.internal.v1.restart"] - interval = "10s" + [plugins.'io.containerd.internal.v1.tracing'] - [plugins."io.containerd.internal.v1.tracing"] - sampling_ratio = 1.0 - service_name = "containerd" + 
[plugins.'io.containerd.metadata.v1.bolt'] + content_sharing_policy = 'shared' + no_sync = false - [plugins."io.containerd.metadata.v1.bolt"] - content_sharing_policy = "shared" + [plugins.'io.containerd.monitor.container.v1.restart'] + interval = '10s' - [plugins."io.containerd.monitor.v1.cgroups"] + [plugins.'io.containerd.monitor.task.v1.cgroups'] no_prometheus = false - [plugins."io.containerd.nri.v1.nri"] - disable = true + [plugins.'io.containerd.nri.v1.nri'] + disable = false + socket_path = '/var/run/nri/nri.sock' + plugin_path = '/opt/nri/plugins' + plugin_config_path = '/etc/nri/conf.d' + plugin_registration_timeout = '5s' + plugin_request_timeout = '2s' disable_connections = false - plugin_config_path = "/etc/nri/conf.d" - plugin_path = "/opt/nri/plugins" - plugin_registration_timeout = "5s" - plugin_request_timeout = "2s" - socket_path = "/var/run/nri/nri.sock" - - [plugins."io.containerd.runtime.v1.linux"] - no_shim = false - runtime = "runc" - runtime_root = "" - shim = "containerd-shim" - shim_debug = false - - [plugins."io.containerd.runtime.v2.task"] - platforms = ["linux/amd64"] - sched_core = false - - [plugins."io.containerd.service.v1.diff-service"] - default = ["walking"] - - [plugins."io.containerd.service.v1.tasks-service"] - blockio_config_file = "" - rdt_config_file = "" - - [plugins."io.containerd.snapshotter.v1.aufs"] - root_path = "" - - [plugins."io.containerd.snapshotter.v1.blockfile"] - fs_type = "" - mount_options = [] - root_path = "" - scratch_file = "" - [plugins."io.containerd.snapshotter.v1.btrfs"] - root_path = "" + [plugins.'io.containerd.runtime.v2.task'] + platforms = ['linux/amd64'] - [plugins."io.containerd.snapshotter.v1.devmapper"] - async_remove = false - base_image_size = "" - discard_blocks = false - fs_options = "" - fs_type = "" - pool_name = "" - root_path = "" + [plugins.'io.containerd.service.v1.diff-service'] + default = ['walking'] + sync_fs = false - [plugins."io.containerd.snapshotter.v1.native"] - root_path 
= "" + [plugins.'io.containerd.service.v1.tasks-service'] + blockio_config_file = '' + rdt_config_file = '' - [plugins."io.containerd.snapshotter.v1.overlayfs"] + [plugins.'io.containerd.shim.v1.manager'] + env = [] + + [plugins.'io.containerd.snapshotter.v1.blockfile'] + root_path = '' + scratch_file = '' + fs_type = '' mount_options = [] - root_path = "" - sync_remove = false - upperdir_label = false + recreate_scratch = false - [plugins."io.containerd.snapshotter.v1.zfs"] - root_path = "" + [plugins.'io.containerd.snapshotter.v1.btrfs'] + root_path = '' - [plugins."io.containerd.tracing.processor.v1.otlp"] - endpoint = "" - insecure = false - protocol = "" + [plugins.'io.containerd.snapshotter.v1.erofs'] + root_path = '' + ovl_mount_options = [] + enable_fsverity = false - [plugins."io.containerd.transfer.v1.local"] - config_path = "" - max_concurrent_downloads = 3 - max_concurrent_uploaded_layers = 3 + [plugins.'io.containerd.snapshotter.v1.native'] + root_path = '' - [[plugins."io.containerd.transfer.v1.local".unpack_config]] - differ = "" - platform = "linux/amd64" - snapshotter = "overlayfs" + [plugins.'io.containerd.snapshotter.v1.overlayfs'] + root_path = '' + upperdir_label = false + sync_remove = false + slow_chown = false + mount_options = [] -[proxy_plugins] + [plugins.'io.containerd.snapshotter.v1.zfs'] + root_path = '' -[stream_processors] + [plugins.'io.containerd.tracing.processor.v1.otlp'] - [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"] - accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"] - args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"] - env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"] - path = "ctd-decoder" - returns = "application/vnd.oci.image.layer.v1.tar" + [plugins.'io.containerd.transfer.v1.local'] + max_concurrent_downloads = 3 + concurrent_layer_fetch_buffer = 0 + max_concurrent_uploaded_layers = 3 + check_platform_supported = false + config_path = '' - 
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"] - accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"] - args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"] - env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"] - path = "ctd-decoder" - returns = "application/vnd.oci.image.layer.v1.tar+gzip" +[cgroup] + path = '' [timeouts] - "io.containerd.timeout.bolt.open" = "0s" - "io.containerd.timeout.metrics.shimstats" = "2s" - "io.containerd.timeout.shim.cleanup" = "5s" - "io.containerd.timeout.shim.load" = "5s" - "io.containerd.timeout.shim.shutdown" = "3s" - "io.containerd.timeout.task.state" = "2s" + 'io.containerd.timeout.bolt.open' = '0s' + 'io.containerd.timeout.cri.defercleanup' = '1m0s' + 'io.containerd.timeout.metrics.shimstats' = '2s' + 'io.containerd.timeout.shim.cleanup' = '5s' + 'io.containerd.timeout.shim.load' = '5s' + 'io.containerd.timeout.shim.shutdown' = '3s' + 'io.containerd.timeout.task.state' = '2s' -[ttrpc] - address = "" - gid = 0 - uid = 0 +[stream_processors] + [stream_processors.'io.containerd.ocicrypt.decoder.v1.tar'] + accepts = ['application/vnd.oci.image.layer.v1.tar+encrypted'] + returns = 'application/vnd.oci.image.layer.v1.tar' + path = 'ctd-decoder' + args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys'] + env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf'] + + [stream_processors.'io.containerd.ocicrypt.decoder.v1.tar.gzip'] + accepts = ['application/vnd.oci.image.layer.v1.tar+gzip+encrypted'] + returns = 'application/vnd.oci.image.layer.v1.tar+gzip' + path = 'ctd-decoder' + args = ['--decryption-keys-path', '/etc/containerd/ocicrypt/keys'] + env = ['OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf'] diff --git a/images/hook-docker/Dockerfile b/images/hook-docker/Dockerfile index 737a9670..28258012 100644 --- a/images/hook-docker/Dockerfile +++ b/images/hook-docker/Dockerfile 
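Review bot: Regenerating this file with `containerd config default` for 2.x silently flips several security-relevant settings instead of carrying the old values over: `[plugins.'io.containerd.nri.v1.nri'] disable = false` replaces the previous explicit `disable = true` (with `disable_connections = false` still accepting external plugin connections on `/var/run/nri/nri.sock`), and `enable_unprivileged_ports = true`, `enable_unprivileged_icmp = true` and `enable_cdi = true` replace the old `false` values. NRI plugins can adjust pod and container configuration, so enabling it widens what any local process that can reach that socket is able to do; if this image does not use NRI, keep `disable = true`. The other three should be a deliberate decision rather than an artefact of the regeneration, and either way a comment above each one stating that the departure from the previous value is intended would stop the next regeneration from reverting it. Because the whole file is generator output, nothing marks which lines are project choices; a short header comment listing the intentionally changed keys would help.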
@@ -1,17 +1,24 @@
-FROM golang:1.20-alpine AS dev
+FROM golang:1.24-alpine AS dev
 COPY . /src/
 WORKDIR /src
 RUN CGO_ENABLED=0 go build -a -ldflags '-s -w -extldflags "-static"' -o /hook-docker
-FROM docker:26.1.0-dind
+FROM docker:28.2.2-dind AS docker
 RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories
 RUN apk update && apk add kexec-tools binutils && rm -rf /var/cache/apk/*
 # Won't use docker-buildx nor docker-compose
 RUN rm -rf /usr/local/libexec/docker/cli-plugins
 # Strip some large binaries
-RUN strip /usr/local/bin/docker /usr/local/bin/dockerd /usr/local/bin/docker-proxy /usr/local/bin/runc
+RUN strip /usr/local/bin/docker /usr/local/bin/dockerd /usr/local/bin/docker-proxy /usr/local/bin/runc /usr/local/bin/containerd /usr/local/bin/containerd-shim-runc-v2
 # Purge binutils package after stripping
 RUN apk del binutils
+
+FROM alpine:3.22
 COPY --from=dev /hook-docker .
+COPY --from=docker /usr/local/bin/docker-init /usr/local/bin/docker /usr/local/bin/dockerd /usr/local/bin/docker-proxy /usr/local/bin/runc /usr/local/bin/
+COPY --from=docker /usr/local/bin/containerd /usr/local/bin/containerd-shim-runc-v2 /usr/local/bin/
+COPY --from=docker /usr/local/bin/dockerd-entrypoint.sh /usr/local/bin/dockerd-entrypoint.sh
+
+RUN apk add --no-cache ca-certificates iptables openssl
 ENTRYPOINT ["/hook-docker"]
diff --git a/images/hook-docker/main.go b/images/hook-docker/main.go
index eb0afc2c..4a7ff764 100644
--- a/images/hook-docker/main.go
+++ b/images/hook-docker/main.go
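Review bot: The new final stage `FROM alpine:3.22` copies only the docker/containerd binaries and `dockerd-entrypoint.sh` out of the `docker` stage, so `kexec-tools`, which that stage still installs from the edge/community repository, no longer reaches the shipped image; if it is needed at runtime it has to be installed in the final stage (and whether to keep pulling it from edge is worth a second look), and if it is not, the `RUN echo ... >> /etc/apk/repositories`, `kexec-tools` and `apk del binutils` lines in the discarded stage are now dead weight. `dockerd-entrypoint.sh` was written against the dind image's package set, so the final stage's `apk add --no-cache ca-certificates iptables openssl` should be checked against what the script actually invokes — the dind image installs further packages (e.g. pigz, xz, ip6tables) and creates the dockremap user for userns-remap, and I am inferring the script's needs rather than reading it here. `COPY --from=dev /hook-docker .` lands in `/` only because the final stage sets no WORKDIR; `COPY --from=dev /hook-docker /hook-docker` matches `ENTRYPOINT ["/hook-docker"]` explicitly.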
@@ -63,6 +63,10 @@ func run() error {
 myEnvs = append(myEnvs, fmt.Sprintf("HTTP_PROXY=%s", cfg.httpProxy))
 myEnvs = append(myEnvs, fmt.Sprintf("HTTPS_PROXY=%s", cfg.httpsProxy))
 myEnvs = append(myEnvs, fmt.Sprintf("NO_PROXY=%s", cfg.noProxy))
+ // We set this so that the dockerd-entrypoint.sh will run docker with TLS enabled.
+ // This is needed as the docker daemon is listening on 0.0.0.0 and it's not straightforward
+ // to reconfigure this. Enabling TLS will block remote access to the docker daemon for now.
+ myEnvs = append(myEnvs, "DOCKER_TLS_CERTDIR=/certs")
 cmd.Env = append(os.Environ(), myEnvs...)
diff --git a/images/hook-runc/Dockerfile b/images/hook-runc/Dockerfile
index dfe5bc1c..afa0a4b8 100644
--- a/images/hook-runc/Dockerfile
+++ b/images/hook-runc/Dockerfile
@@ -1,11 +1,11 @@
 # Dockerfile to build linuxkit/runc for linuxkit
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS alpine
+FROM alpine:3.22 AS alpine
 RUN \
 apk add \
 bash \
 gcc \
 git \
- go \
+ go=1.24.4-r0 \
 libc-dev \
 libseccomp-dev \
 libseccomp-static \
@@ -13,7 +13,7 @@ RUN \
 make \
 && true
 ENV GOPATH=/go PATH=$PATH:/go/bin GO111MODULE=off
-ENV RUNC_COMMIT=v1.1.12
+ENV RUNC_COMMIT=v1.3.0
 RUN mkdir -p $GOPATH/src/github.com/opencontainers && \
 cd $GOPATH/src/github.com/opencontainers && \
 git clone https://github.com/opencontainers/runc.git
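Review bot: The new comment overstates what `DOCKER_TLS_CERTDIR=/certs` does: as far as I can tell from the dind entrypoint, it makes dockerd-entrypoint.sh generate a local CA plus server and client certificates under /certs and start dockerd with `--tlsverify` on tcp://0.0.0.0:2376, so remote access is not blocked but gated on presenting a client certificate signed by that generated CA, and the daemon still listens on all interfaces. Reword it accordingly, e.g. `// DOCKER_TLS_CERTDIR makes dockerd-entrypoint.sh start dockerd with --tlsverify, so the 0.0.0.0:2376 listener only accepts clients holding a certificate issued by the CA it generates in /certs; protect /certs/client accordingly.`, so the next reader does not assume TCP access is off. If the daemon should not be reachable over TCP at all, passing an explicit `--host` (which the entrypoint honours instead of adding its defaults, if I remember its logic correctly) is the change that achieves what the comment claims. run() continues outside the hunk.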