- remove --disable-readahead
- remove --disable-multi-seat-x
- add --disable-selinux
Also, write one option per line for better readability.
I kept the configure --help output order.

When building stage1 from sources with RKT_STAGE1_USR_FROM=src,
it is now possible to choose which systemd tag or branch should be
built:
$ export RKT_STAGE1_USR_FROM=src
$ export RKT_STAGE1_SYSTEMD_SRC=git://anongit.freedesktop.org/systemd/systemd
$ export RKT_STAGE1_SYSTEMD_VER=v215
$ ./build
By default, it still fetches the upstream git repository with tag v215 as
before, so defining the new variables is not necessary.
It is also possible to build against a local systemd repository:
$ export RKT_STAGE1_USR_FROM=src
$ export RKT_STAGE1_SYSTEMD_SRC=/home/user/git/systemd
$ export RKT_STAGE1_SYSTEMD_VER=HEAD
$ ./build
This should help developers to test newer systemd versions.
The patches in stage1/rootfs/usr_from_src/patches/ are versioned: the
subdirectory used is defined by $RKT_STAGE1_SYSTEMD_VER. If "HEAD" is
used, the master patchset will be selected.

- Fixup pod.getPID() to cover race between xToRun() and stage1 getting
around to writing the pid file.
- Rework `rkt enter` to retrieve the pid in rkt/stage0 and supply it to
stage1 enter.
- Rework stage1 enter to consume pid from argv instead of opening it
itself, so as to not have to duplicate the same race coverage.
- Some stage1 enter code cleanups thrown in for good measure, particularly
around the argv forwarding copy which started simple but had become unwieldy.

Currently only systemd is being built from source, toggled from the
top-level build script by setting RKT_STAGE1_USR_FROM=src, e.g.:
RKT_STAGE1_USR_FROM=src ./build
The default stage1 continues to be coreos-derived, but may be explicitly
specified via:
RKT_STAGE1_USR_FROM=coreos ./build
The stage1 init program has been modified to introspect the "flavor" of
stage1 at runtime, which influences how it invokes systemd-nspawn.
A small series of patches is included to give systemd-nspawn the
functionalities enabled via LD_PRELOAD of the shim in the coreos-derived
stage1.
The systemd source is cloned at build time the first time an
RKT_STAGE1_USR_FROM=src build is performed, at this time the same version
as the coreos image provided is being used, but this can be bumped in the
future.
Moving towards fewer external dependencies, aiming for only systemd being
external so it's the only complicated thing we need to do things like try
pulling from the host or building from source when not deriving stage1 from
a CoreOS image.

macvlan uses the specified host's interface to send the
packets. However macvlan will have its own MAC address
(randomly generated by the kernel) making it look like
yet another interface on the link.
Fixes #478

prepare-app runs in stage1, so it knows how to handle dynamic
/dev/console.
It does not change diagexec so it does not break rkt enter.
Bind mount individual /dev entries instead of bind mounting the /dev
directory so rkt run --volume /dev/sda6 (performed in stage0) should
still work.
Do not use a bunch of systemd mount units because they don't create
nonexistent target files. See:
http://lists.freedesktop.org/archives/systemd-devel/2015-February/028657.html
We might revisit this option if systemd mount units automatically create
the nonexistent target files.
Avoid systemd option PrivateDevices to avoid shadowing additional bind
mounts passed with --volume.

Currently the annotation "coreos.com/rocket/stage1/init" represents the stage1
entrypoint used by `rkt run`. Renaming to "coreos.com/rocket/stage1/run" is
more consistent and self-documenting, aligning with the `rkt enter` entrypoint
annotation "coreos.com/rocket/stage1/enter".

Take two at getting the spec vendored into Rocket with Godep.
Since actool is used during the construction of the stage1.aci, it
really needs to be vendored too to prevent any unexpected divergence
between whatever version the user happens to have in their PATH. Thus,
we introduce a silly dummy package (stage1/dummy.go) to coerce Godep
into vendoring actool. This also requires a slight rearrangement of the
appc repo, moving some functionality from actool itself into the aci
package.

This change places per-app environment files in stage1/rootfs/rkt/env/$id
The stage1 systemd service files no longer contain Environment directives,
instead they simply supply the env file path to diagexec.
`rkt enter` also uses diagexec and needs to enter the same environment of the
app being entered. This commit also modifies the stage1 /enter to supply the
env file to its diagexec invocation, giving `rkt enter` an environment
consistent with the app's.

- Convert ipamanager into IPAM plugin (static) that uses env
variables instead of cmd line args
- Make bridge and veth plugins call out to IPAM plugin
- Refactor code around the new IPAM plugins

One may now specify an alternative stage1 in a style like run and fetch:
rkt run --stage1-image foo.com/rocket/stage1 app
--stage1-image defaults to "stage1.aci" within the same directory as the rkt
binary. This is discovered at runtime via "/proc/self/exe"; as long as the rkt
executable and stage1.aci share a directory it should "just work" regardless of
the directory's location and where rkt is executed from.

Simplifying the plugin interface. No more HTTP interface and plugin
configs. Plugin type maps to executable name in stage1 rootfs or
on host in a well known dir. Env vars are used for parameter passing
to the plugin. Also, default net conf is kept in stage1 rootfs to make
private networking work "out of the box".

This introduces a stage1 /enter entrypoint which expects:
* the CWD to be the container root (/var/lib/rkt/containers/$cuuid)
* argv[1] to be the shorthash app imageid to enter
* argv[2] to be the command for executing via execvp
* argv[3+] any additional arguments for the command
An example manual /enter shell invocation would be:
cd /var/lib/rkt/containers/9793daa1-e064-49a6-9d52-261a992bddd8 && \
./enter sha512-9e6a3ab113ed783c1ffdcbbaa7d16f3b /bin/bash -i
"rkt enter" effectively does this after some simple argv parsing/checks and
verification of the container being presently active.
What must occur within /enter is stage1-implementation specific, hence its
inclusion within the stage1 rootfs.
The /enter implemented here consists of a statically-linked minimal C
program which:
* reads the container's PID from ./pid
* enters the namespaces of the container's PID 1
* forks to realize CLONE_NEWPID
* execs /diagexec in the child using the argv[] /enter received
* waits for the child to exit
The UX side looks like:
rkt enter [--imageid IMAGEID] UUID [CMD [ARGS ...]]
If no IMAGEID is specified, and the container is a singleton then its lone
app is entered. Otherwise a list of apps and their ids is printed and the
user must specify which app to enter in a separate invocation via --imageid.
If no cmd is specified, /bin/bash is assumed.
Examples:
Multiple images, ambiguous enter:
$ rkt enter 7324849e-80b7-4874-a14b-79de35291485
Container "7324849e-80b7-4874-a14b-79de35291485" contains multiple apps:
sha512-8a4a96dac7216ca311962d19ffa00b6c: pauser
sha512-2893e1a4714bea23ee9f21c7dd6561a4: sleeper
Unable to determine image id: specify app using "rkt enter --imageid ..."
Multiple images, specified "pauser":
$ rkt enter --imageid sha512-8a4a96dac7216ca311962d19ffa00b6c 7324849e-80b7-4874-a14b-79de35291485
No command specified, assuming "/bin/bash"
bash-4.3#
Multiple images, enter "pauser", run /pause:
$ rkt enter --imageid sha512-8a4a96dac7216ca311962d19ffa00b6c 7324849e-80b7-4874-a14b-79de35291485 /pause
paused...^C
$
Single image:
$ rkt enter 98d688dc-5665-496c-8556-f553020ccd57
No command specified, assuming "/bin/bash"
bash-4.3#
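As an added example (not the commit's own code or rkt's real /enter), here is a minimal C program that walks the five steps the /enter commit lists: read ./pid, join the namespaces of the container's PID 1, fork so the pid namespace takes effect, exec /diagexec with the received argv, wait for the child. The ./pid file, /diagexec and the namespace set are from the commit; the raw syscall form of setns, the namespace ordering and passing argv through unchanged are assumptions.

```c
/* Added example, not rkt's own stage1 /enter source: a minimal helper that
 * follows the steps the commit lists. Assumes Linux, a ./pid file in the
 * CWD and CAP_SYS_ADMIN; syscall(SYS_setns) is the raw form of setns(2). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* ./pid must hold one positive decimal PID, optionally newline-terminated;
 * an empty or partial file (stage1 still writing it) is rejected, not guessed. */
long parse_pid(const char *buf) {
    char *end;
    errno = 0;
    long pid = strtol(buf, &end, 10);
    if (end == buf || errno != 0 || pid <= 0) return -1;
    while (*end == '\n' || *end == ' ') end++;
    return *end == '\0' ? pid : -1;
}

/* Join the namespaces of the container's PID 1. mnt goes last: after the
 * mount namespace switches, /proc/<pid>/ns may no longer be reachable. */
int enter_namespaces(long pid) {
    static const char *ns[] = {"ipc", "uts", "net", "pid", "mnt"};
    char path[64];
    for (size_t i = 0; i < sizeof ns / sizeof ns[0]; i++) {
        snprintf(path, sizeof path, "/proc/%ld/ns/%s", pid, ns[i]);
        int fd = open(path, O_RDONLY);
        if (fd < 0 || syscall(SYS_setns, fd, 0) < 0) { perror(path); return -1; }
        close(fd);
    }
    return 0;
}

int main(int argc, char **argv) {
    char buf[32] = {0}; (void)argc;
    int fd = open("pid", O_RDONLY);
    if (fd < 0 || read(fd, buf, sizeof buf - 1) < 0) { perror("./pid"); return 1; }
    close(fd);
    long pid = parse_pid(buf);
    if (pid < 0 || enter_namespaces(pid) < 0) return 1;
    pid_t child = fork();   /* the joined pid namespace applies to children only */
    if (child == 0) { execv("/diagexec", argv); perror("execv"); _exit(127); }
    if (child < 0) { perror("fork"); return 1; }
    int status = 0;
    waitpid(child, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}
```

Run it from the container directory exactly as the manual invocation above shows; an incomplete ./pid (the race the getPID fix covers) makes it exit rather than join the wrong process.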