Justin Cormack justincormack @docker Cambridge, UK https://www.cloudatomiclab.com/ Engineer at Docker

cncf/sig-security 256

🔐CNCF Special Interest Group on Security -- secure access, policy control, privacy, auditing, explainability and more!

genuinetools/riddler 246

A tool to convert docker inspect to the opencontainers runc spec.

docker/go-p9p 190

A modern, performant 9P library for Go.

joffemd/pscf 17

Public Sector Credit Framework

docker/runtime-spec 1

OCI Runtime Specification

justincormack/alpine-pbulk 1

Alpine pkgsrc configured for pbulk builds

justincormack/alpine-qemu 1

alpine with qemu packages for docker

errordeveloper/community 0

Kubernetes community content

issue comment linuxkit/linuxkit

Very slow boot on hardware without RDRAND support

It looks like the raspberry pi does have rng support https://www.raspberrypi.org/forums/viewtopic.php?f=29&t=19334&p=273944&hilit=hwrng#p273944 but needs rngd to read values out of /dev/hwrng - support can be added via the rngd package.

hairyhenderson

comment created time in a day

issue comment containers/crun

Request for change of licence

@cyphar I am ok with that for cloned_binary.c.

mehrar

comment created time in 2 days

issue comment cncf/sig-security

[Presentation] Confidential Computing Consortium

Stephen is away again, will try to get a firm date when he is back.

justincormack

comment created time in 3 days

delete branch justincormack/requirements

delete branch : reqs

delete time in 4 days

push event notaryproject/requirements

Justin Cormack

commit sha 5944374aeac6db8c1cd556285b989ed705942be6

Add threat model from Justin Cappos Signed-off-by: Justin Cormack <justin.cormack@docker.com>


Justin Cormack

commit sha ba5821b7edd747ac6fe0bce0e24615d5e633ed88

Merge pull request #10 from justincormack/reqs Add threat model from Justin Cappos


push time in 4 days

PR opened notaryproject/requirements

Add threat model from Justin Cappos

Signed-off-by: Justin Cormack justin.cormack@docker.com

+9 -0

0 comment

1 changed file

pr created time in 4 days

create branch justincormack/requirements

branch : reqs

created branch time in 4 days

fork justincormack/requirements

Collection of requirements and scenarios to frame the scope of the Notary project

fork in 4 days

issue comment cncf/sig-security

[Assessment] Cloud Custodian

Apologies, I am not going to be able to lead this.

kapilt

comment created time in 4 days

Pull request review comment moby/moby

Add support of setting hugepage limit on container cgroup sandbox

 func parseSecurityOpt(container *container.Container, config *containertypes.Hos 	return err } +func getHugepageResources(config containertypes.Resources) []specs.LinuxHugepageLimit {+	var hugepages []specs.LinuxHugepageLimit++	for _, hugepage := range config.HugepageLimits {+		hugepages = append(hugepages, specs.LinuxHugepageLimit{+			Pagesize: hugepage.PageSize,+			Limit:    uint64(hugepage.Limit),
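Review bot: `uint64(hugepage.Limit)` in getHugepageResources silently wraps a negative `Limit` (the field is declared `int64`) into a very large unsigned value, so a bad input reaches the runtime as a large positive limit rather than as an invalid one; if validation is intentionally left to the runtime, a one-line comment at the conversion saying so would make that choice explicit for later readers.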

Just let it the runtime decide. The kernel validates this not us.

bg-chun

comment created time in 5 days

Pull request review comment moby/moby

Add support of setting hugepage limit on container cgroup sandbox

 type DeviceMapping struct { 	CgroupPermissions string } +// HugepageLimit corresponds to the file`hugetlb.<hugepagesize>.limit_in_bytes` in container level cgroup.+// For example, `PageSize=1GB`, `Limit=1073741824` means setting `1073741824` bytes to hugetlb.1GB.limit_in_bytes.+type HugepageLimit struct {+	// The value of PageSize has the format <size><unit-prefix>B (2MB, 1GB),+	// and must match the <hugepagesize> of the corresponding control file found in `hugetlb.<hugepagesize>.limit_in_bytes`.+	// The values of <unit-prefix> are intended to be parsed using base 1024("1KB" = 1024, "1MB" = 1048576, etc).+	PageSize string+	// limit in bytes of hugepagesize HugeTLB usage.+	Limit int64
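Review bot: the doc comment on `HugepageLimit` is missing a space in "the file`hugetlb.<hugepagesize>.limit_in_bytes`", and since this type is part of the public API the `Limit` comment should also state that negative values are passed through unchecked and are rejected, if at all, by the runtime, so API users know where an invalid value will be reported.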

the runtime will fail values that are stupid, we should not check here.

bg-chun

comment created time in 5 days

Pull request review comment notaryproject/requirements

End to end scenarios, accounting for PR #1 feedback

+# Notary Signing - Scenarios++As containers and cloud native artifacts become the common unit of deployment, users want to know the artifacts in their environments are authentic and unmodified. ++These Notary v2 scenarios define end-to-end scenarios for signing artifacts in a generalized way, storing and moving them between OCI compliant registries, validating them with various artifact hosts and tooling. Notary v2 focuses on the signing of content, enabling e2e workflows, without specifying what those workflows must be.++By developing a generalized solution, artifact authors may develop their unique artifact types, allowing them to leverage Notary for signing and OCI Compliant registries for distribution.++## OCI Images & Artifacts++The [OCI TOB][oci-tob] has adopted [OCI Artifacts][artifacts-repo], generalizing container images as one of many types of artifacts that may be stored in a registry. Other artifact types currently include:++* [Helm Charts][helm-registry]+* [Singularity][singularity]+* Car firmware updates, deployed from OCI Artifact registries+

I think separate files are better, editing PRs is kind of painful anyway.

SteveLasker

comment created time in 5 days

delete branch justincormack/docker.github.io

delete branch : notary

delete time in 10 days

push event justincormack/docker.github.io

Dawn W

commit sha 74e51e94df428019e59f32b07bcf7ff269cf126c

adding link to cve topics under Security heading in relnotes (#1280) adding link to cve topics under Security heading in relnotes


Usha Mandya

commit sha 903cc2e518ba38ddb38d93fbc7d27737aa81f286

Merge pull request #9089 from ollypom/ee2dot1backup Backup EE 2.1 (UCP 3.1 and DTR 2.6)


Ally Smith

commit sha 736d2c76be5a657e8d2415bce065a636f5f080ad

3.0 release configs (#9086) edit configs for 3.0 release


Dawn W

commit sha fd260da4d4c99b7a395e397c2f3932f113820d56

Merge pull request #1281 from docker/amberjack Sync Amberjack with Master


ollypom

commit sha c87ce565d4d1601a45d6fb7819c8eecc20059d4c

Merge remote-tracking branch 'private/master' into public


Olly P

commit sha aa4c53c42d4aa88cc14926032a9793aaada51f69

Merge pull request #9098 from ollypom/privateintopublic Merge remote-tracking branch 'private/master' into public


ollypom

commit sha 120301c143176a83c773e26a5e0e57381f8a0e8b

Fixed DTR 2.6 Reference link


Usha Mandya

commit sha a05dbb8439de7857121dfae891b30365bbfa209f

Merge pull request #9099 from ollypom/ucpclief Fixed DTR 2.6 Reference link


Dawn W

commit sha 7f598f9fa9f31764a3cf48a519dc1e8103e8a456

Dtr relnote (#9101) * adding note for dtr 2.7.1


ollypom

commit sha 2c57aa5b7491b22a3ad7dfcef45bbb2c7f2b7ef5

Updated for DTR 271


ollypom

commit sha 0b909551ea94d7becf950f8d98dfc4fe5d15d557

Rolled back compose version to 1.24.1


Usha Mandya

commit sha 4297220cf7e34f2ea82f22f2c6fa1e98e17c29ce

Merge pull request #9105 from ollypom/dtr271patch Updated for DTR 271


Usha Mandya

commit sha b7c308eeb0ab2960b604ecf77a8513a523f0ab09

Merge pull request #9106 from ollypom/composeverpatch Rolled back compose version to 1.24.1


Olly P

commit sha a8284a1daf4d08af2d789037e0d2dd8d00b1c42d

Removed old CLI and API References (#9113)


Alex Goodman

commit sha 07360ef578829039cae6e7936b9351370984374d

remove deprecated methods from go sdk examples (#8689) * remove deprecated methods from go sdk examples * use negotiate client option; handle import & tty review comment


Olli Janatuinen

commit sha 500b9b166deef523a4c5e05db35d60d9e1826008

Included npipe to documentation (#7427)


Meng Ye

commit sha de44061a7d50b9ab2537a4f318104b8ae83201e2

fix common use cases broken link (#9112)


Dominik Zogg

commit sha b6bab26a2291cc4e6b0ba774b2c486ae2ca30044

add ubuntu disco to the supported list (#9103)


Dawn W

commit sha e5c4444db83102e47abdc83bb2ddab11a60630ec

Merge pull request #9038 from AkihiroSuda/patch-11 Strongly recommend TLS for API socket


Olly P

commit sha 1655766076b7807ab8d36155460949e499527704

Fixed UCP Upgrade Link and Provided more detail (#9116)


push time in 10 days

PR opened docker/docker.github.io

Use Notary not "Docker Notary"

This has not been the name for some years.

Signed-off-by: Justin Cormack justin.cormack@docker.com

+12 -12

0 comment

6 changed files

pr created time in 10 days

create branch justincormack/docker.github.io

branch : notary

created branch time in 10 days

issue comment KillingSpark/rustysd

thoughts on moving to prime-time

@cdbattags really interested in experimentation around this in LinuxKit. I would love to remove all C code from the base system... lots of pieces to work on to get closer to that.

zboldyga

comment created time in 12 days

issue comment linuxkit/linuxkit

[Question] Additional info / files passed to service directory?

I think we should add files in each container section. You can add them by adding to the /containers/name/... path, or by using bind mounts in the runtime section now (which allows local paths), both of which are less convenient.

pwFoo

comment created time in 13 days

pull request comment theupdateframework/notary

Feature/go modules

Can you explain what the issue actually is?

marcofranssen

comment created time in 13 days

issue comment moby/hyperkit

Docker for Mac, minikube and multipass keep crashing

What model of Mac are you using? Can you replicate this with a simpler setup, e.g. running linuxkit directly without docker for mac? Or even just booting hyperkit directly? These issues are hard to debug unfortunately. It could still be a hardware problem that hyper-v doesn't get affected by.

movd

comment created time in 13 days

issue comment moby/hyperkit

USB Passthrough

If you implemented PCI passthrough, which may not be possible, then yes, it might also be the case that only the whole USB controller could be attached. I don't know the PCI topology in Macs.

jgoldring

comment created time in 15 days

issue comment moby/hyperkit

USB Passthrough

That is PCI passthrough, not the USB passthrough design described above. It is not clear that PCI passthrough can be implemented on OSX, and for USB purposes it is not that useful as which devices you can pass through depends on the PCI topology, e.g. you might only be able to attach all devices to the VM.

jgoldring

comment created time in 15 days

pull request comment linuxkit/linuxkit

[README] deprecated infrakit

It was actually archived in 2019.

arthurlogilab

comment created time in 16 days

issue comment linuxkit/linuxkit

Unable to start Docker for Mac with LinuxKit iso

Hi, this is just an example of how to run linuxkit on mac, we should probably rename it, as the Docker Desktop team use completely different config now.

mfiguiere

comment created time in 17 days

started B-Lang-org/bsc

started time in 17 days

push event dockersamples/node-bulletin-board

Stefan Scherer

commit sha f033040261428b4046119233c3f6a4c3b3b05c26

Reset master branch to start of guide Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>


Justin Cormack

commit sha 49ee8e8183de21e642f62c3569518fafc8b7a9ed

Merge pull request #3 from StefanScherer/reset-master-to-start [ENGDOCS-319] Reset master branch to start of guide


push time in 19 days

PR merged dockersamples/node-bulletin-board

[ENGDOCS-319] Reset master branch to start of guide

This PR resets the master branch to the beginning of the starter guide in our docs. The same change will be applied to v1 branch. Also update to a current node base image.

+2 -144

0 comment

4 changed files

StefanScherer

pr closed time in 19 days

push event dockersamples/node-bulletin-board

Stefan Scherer

commit sha 9a5039a44ea2550ee3b8ca2451e89879c501917d

Update to current node image Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>


Justin Cormack

commit sha 83e53d8268e12d9305f20af7e7ac4551debc7682

Merge pull request #4 from StefanScherer/update-v1 [ENGDOCS-319] Update to current node image


push time in 19 days

PR merged dockersamples/node-bulletin-board

[ENGDOCS-319] Update to current node image

This PR updates the node base image.

+1 -1

0 comment

1 changed file

StefanScherer

pr closed time in 19 days

issue comment docker/compose

[RfC] validate compose file on supported API, not version

I am not even convinced we need to deprecate v1, just try parsing that schema as well.

ndeloof

comment created time in 20 days

Pull request review comment moby/moby

Remove 'deny mount' in the apparmor template

 profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {   deny @{PROC}/sysrq-trigger rwklx,   deny @{PROC}/kcore rwklx, -  deny mount,
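Review bot: nothing in this hunk replaces the deleted `deny mount,` rule, so after the change mount inside the container is blocked only by the seccomp profile and the capability set; the PR description should say so explicitly, and note that a container started with a custom seccomp profile or with CAP_SYS_ADMIN loses the AppArmor layer that previously blocked mount independently of those two.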

agree with Akihiro and Brian, these mechanisms are supposed to be independent. We should make them behave in the same way with capabilities.

danifv

comment created time in 24 days


pull request comment docker/binfmt

Add support for riscv64

Hi, sorry, been busy with transitional things. I am not sure if we are going to keep this repo going forward, we need to consolidate things, it may be better if all this code moved to linuxkit.

carlosedp

comment created time in 25 days

push event docker/binfmt

Carlos de Paula

commit sha 86203db3c914c9c828e420e5632bff611cf0a02c

Add support for riscv64


Justin Cormack

commit sha 1fd9bd2793cabc8fb6453ad7dbc487feeb7082e5

Merge pull request #21 from carlosedp/riscv64 Add support for riscv64


push time in 25 days

PR merged docker/binfmt

Add support for riscv64

Add binfmt support for riscv64 architecture.

+2 -1

3 comments

2 changed files

carlosedp

pr closed time in 25 days

pull request comment theupdateframework/notary

Feature/go modules

I would like there not to be any version changes; if there are issues can we deal with them in different PRs please.

marcofranssen

comment created time in 25 days

push event moby/mobywebsite

Xavier Chopin

commit sha 4f2ff0521fbf7053cf88645b66dd0ea11132f85c

docs: fix github link


Xavier Chopin

commit sha c93f355e01de2e11e6a4253e99c6c944ac87e8b2

docs: fixed link and title


Xavier Chopin

commit sha 4a0345aa0b478be51ec8565e4cb530400a136b51

docs: fix link and title


Xavier Chopin

commit sha 3315e50f8c0d90d2fd11241496f64555251fbed7

docs: fix link and image


Xavier Chopin

commit sha ce7684d73202016cada6f2a6c9e80ac7250280ee

docs: fix image


Xavier Chopin

commit sha 66d3661e71647af278b650f58260aa5bd65cfb87

docs: update year


Justin Cormack

commit sha 6d49a7ba600826f21190f1bc5df3edc61c9f6125

Merge pull request #42 from xchopin/master Fix Markdown, links and more


push time in 25 days

PR merged moby/mobywebsite

Fix Markdown, links and more
  • Fix GitHub links (blob/moby instead of blob/master)
  • Refactor code (indentation)
  • Update footer (year 2017 to year 2019)
  • Fix images in some documents
+34 -30

5 comments

6 changed files

xchopin

pr closed time in 25 days

issue comment linuxkit/linux

Is this repo deprecated?

We use this to generate the patches that we add to the patch directories, rather than cloning this repo directly. So yes it is used, but you should not in general use this repo, as it does not necessarily have all the kernel patch releases in it.

cdbattags

comment created time in 25 days

issue comment moby/moby

Redundant blocking of mount in the default apparmor and seccomp profiles.

I believe that most users do not have apparmor running, and historically a lot didn't have seccomp though most do now. They should probably be consistent though.

danifv

comment created time in 25 days

issue comment cncf/sig-security

[Assessment] Cloud Custodian

Hard conflicts:
  • Reviewer is a maintainer of the project - No
  • Reviewer is a direct report of/to a maintainer of the project - No
  • Reviewer is paid to work on the project - No
  • Reviewer has significant financial interest directly tied to success of the project - No

Soft conflicts:
  • Reviewer belongs to the same company/organization of the project, but does not work on the project - No
  • Reviewer uses the project in his/her work - Not at present, it is something we are considering
  • Reviewer has contributed to the project - No
  • Reviewer has a personal stake in the project (personal relationships, etc.) - No

kapilt

comment created time in a month

delete branch justincormack/linuxkit

delete branch : nocircle

delete time in a month

issue comment cncf/sig-security

[Assessment] Cloud Custodian

I could lead this, and mentor @ericavonb if that works better.

kapilt

comment created time in a month

push event linuxkit/linuxkit

Roman Shaposhnik

commit sha d07dd2c28c71faeebc2df59284281a3b186fac2e

Updating pointer to EVE Signed-off-by: Roman Shaposhnik <rvs@zededa.com>


Justin Cormack

commit sha 2012f4a3a4b4f59375fd2e755394041af4b30a43

Merge pull request #3465 from rvs/eve Updating pointer to EVE


push time in a month

PR merged linuxkit/linuxkit

Updating pointer to EVE status/0-triage

Trivial update to the documentation

+1 -1

0 comment

1 changed file

rvs

pr closed time in a month

push event justincormack/linuxkit

Justin Cormack

commit sha 6ebeabc06171602be5f2c1e1a1c352288fe1431c

Remove circleCI Using GitHub actions now. Signed-off-by: Justin Cormack <justin@specialbusservice.com>


push time in a month

PR opened linuxkit/linuxkit

Remove circleCI

Using GitHub actions now.

circlecat

+0 -62

0 comment

1 changed file

pr created time in a month

create branch justincormack/linuxkit

branch : nocircle

created branch time in a month

delete branch justincormack/cloudatomiclab

delete branch : might

delete time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha 54d0b1e1725ef530ef175ff4dbed332834d7d87b

Fix typo Signed-off-by: Justin Cormack <justin@specialbusservice.com>


Justin Cormack

commit sha c3f9c60236007d7b17f6a7b0d0c19e84fc378942

Merge pull request #33 from justincormack/might Fix typo


push time in a month

PR merged justincormack/cloudatomiclab

Fix typo

Signed-off-by: Justin Cormack justin@specialbusservice.com

+1 -1

0 comment

1 changed file

justincormack

pr closed time in a month

PR opened justincormack/cloudatomiclab

Fix typo

Signed-off-by: Justin Cormack justin@specialbusservice.com

+1 -1

0 comment

1 changed file

pr created time in a month

create branch justincormack/cloudatomiclab

branch : might

created branch time in a month

delete branch justincormack/cloudatomiclab

delete branch : pwl

delete time in a month

delete branch justincormack/cloudatomiclab

delete branch : wtf

delete time in a month

delete branch justincormack/cloudatomiclab

delete branch : xtrapic

delete time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha dd02bd94cb3e15e2b083b80be7d910bab0455df7

Add another pic Signed-off-by: Justin Cormack <justin@specialbusservice.com>


Justin Cormack

commit sha 9a946b1c3ca82974df50e8828bfc2d92b38a25bb

word wrap Signed-off-by: Justin Cormack <justin@specialbusservice.com>


Justin Cormack

commit sha 300315e6c5dd7ef1c6af8155f16fbcf621ac303b

Merge pull request #32 from justincormack/xtrapic add another picture


push time in a month

PR merged justincormack/cloudatomiclab

add another picture

and word wrap

+144 -27

0 comment

2 changed files

justincormack

pr closed time in a month

PR opened justincormack/cloudatomiclab

add another picture

and word wrap

+144 -27

0 comment

2 changed files

pr created time in a month

create branch justincormack/cloudatomiclab

branch : xtrapic

created branch time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha e68af70ff25272d23a78059a7c4635f6e1dfd743

Move to proper title Signed-off-by: Justin Cormack <justin@specialbusservice.com>


Justin Cormack

commit sha f62ef75bf1f352540e3029fdfa53a8581a1311c8

Merge pull request #31 from justincormack/wtf Move to proper title


push time in a month

PR merged justincormack/cloudatomiclab

Move to proper title

Signed-off-by: Justin Cormack justin@specialbusservice.com

+0 -0

0 comment

1 changed file

justincormack

pr closed time in a month

PR opened justincormack/cloudatomiclab

Move to proper title

Signed-off-by: Justin Cormack justin@specialbusservice.com

+0 -0

0 comment

1 changed file

pr created time in a month

create branch justincormack/cloudatomiclab

branch : wtf

created branch time in a month

delete branch justincormack/cloudatomiclab

delete branch : fosdem

delete time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha c1cb08cb6d6c0b0099c590b67651140a15933fe5

Add Fosdem piece Signed-off-by: Justin Cormack <justin@specialbusservice.com>


Justin Cormack

commit sha 1ccb2186372c2157e7718b9019bd8814df88d26f

Merge pull request #30 from justincormack/fosdem Add Fosdem piece


push time in a month

PR merged justincormack/cloudatomiclab

Add Fosdem piece

Signed-off-by: Justin Cormack justin@specialbusservice.com

+51 -0

0 comment

6 changed files

justincormack

pr closed time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha c1cb08cb6d6c0b0099c590b67651140a15933fe5

Add Fosdem piece Signed-off-by: Justin Cormack <justin@specialbusservice.com>


push time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha 1f6d60a6a69fdaa7a6bc33fd6da0010cbca7bf4c

Add Fosdem piece Signed-off-by: Justin Cormack <justin@specialbusservice.com>


push time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha f670991c61bcf0d37431c133abc2fcd57d270829

Add Fosdem piece Signed-off-by: Justin Cormack <justin@specialbusservice.com>


push time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha e2a943e28ce4b3fe8c111c4563a2cbbb6aacd23d

Add Fosdem piece Signed-off-by: Justin Cormack <justin@specialbusservice.com>


push time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha 64216e9f1be55c0fa1cd1d9240d5287692b969e4

Add Fosdem piece Signed-off-by: Justin Cormack <justin@specialbusservice.com>


push time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha b43f45dfdca3fb99148adc251210682f5e02e6e9

Add Fosdem piece Signed-off-by: Justin Cormack <justin@specialbusservice.com>


push time in a month

push event justincormack/cloudatomiclab

Justin Cormack

commit sha f08e50dd0e289c4c2831a14dad7112f6c7d0994d

Add Fosdem piece Signed-off-by: Justin Cormack <justin@specialbusservice.com>


push time in a month

PR opened justincormack/cloudatomiclab

Add Fosdem piece

Signed-off-by: Justin Cormack justin@specialbusservice.com

+49 -0

0 comment

5 changed files

pr created time in a month

create branch justincormack/cloudatomiclab

branch : fosdem

created branch time in a month

PR closed moby/moby

Added more information on Using Moby Projects

<!-- Please make sure you've read and understood our contributing guidelines; https://github.com/moby/moby/blob/master/CONTRIBUTING.md

** Make sure all your commits include a signature generated with git commit -s **

For additional information on our contributing process, read our contributing guide https://docs.docker.com/opensource/code/

If this is a bug fix, make sure your description includes "fixes #xxxx", or "closes #xxxx"

Please provide the following information: -->

- What I did

- How I did it

- How to verify it

- Description for the changelog <!-- Write a short (one line) summary that describes the changes in this pull request for inclusion in the changelog: -->

- A picture of a cute animal (not mandatory but encouraged)

+46 -0

1 comment

1 changed file

VishakhaShah

pr closed time in a month

pull request comment moby/moby

Added more information on Using Moby Projects

Hi, this PR is not accurate and not signed off and not the right information at this time.

VishakhaShah

comment created time in a month

issue comment docker/cli

Observation/Question/Potential Bug trust signature bytesize different than notary

No, it is the size of the manifest, not the image.

Here is an example signing a multi-arch manifest (which is similar) https://github.com/linuxkit/linuxkit/blob/292dbdf46f0b1720bf710946a3a40a3ac0209463/tools/alpine/push-manifest.sh

It uses this manifest-tool https://github.com/estesp/manifest-tool to query the registry for the size and hash.

marcofranssen

comment created time in a month

issue comment docker/cli

Observation/Question/Potential Bug trust signature bytesize different than notary

The size is not the layer size, it is the size of the manifest, which is what gets signed. The manifest contains the hashes of the layers so those are indirectly signed. You can't currently get the manifest size from Docker directly I don't think, as it is just created on push. This is one of the reasons why we want to shift to containerd backend fully, as that keeps manifests locally.

marcofranssen

comment created time in a month

Pull request review comment theupdateframework/notary

Feature/go modules

+#!/usr/bin/env bash++#   Copyright The containerd Authors.++#   Licensed under the Apache License, Version 2.0 (the "License");+#   you may not use this file except in compliance with the License.+#   You may obtain a copy of the License at++#       http://www.apache.org/licenses/LICENSE-2.0++#   Unless required by applicable law or agreed to in writing, software+#   distributed under the License is distributed on an "AS IS" BASIS,+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+#   See the License for the specific language governing permissions and+#   limitations under the License.+++set -eu -o pipefail++if [ -f vendor.conf ]; then+  rm -rf vendor/+  vndr |& grep -v -i clone
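Review bot: with `set -eu -o pipefail` in effect, the pipeline `vndr |& grep -v -i clone` aborts the script whenever grep filters out every line, because grep exits 1 when it selects nothing, so a run in which vndr succeeded but printed only "clone" lines is reported as a failure; if the vndr branch is dropped as suggested the problem goes away, otherwise the grep exit status needs to be guarded so that only a real vndr failure stops the script.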

you can remove all the parts related to vndr as we will only be using this with go mod

marcofranssen

comment created time in a month

pull request comment docker/docker.github.io

[WIP] Remove "docker engine" commands

LGTM

thaJeztah

comment created time in a month

pull request comment docker/docker.github.io

Remove "bundle" subcommand and support for DAB files

LGTM

thaJeztah

comment created time in a month


pull request comment docker/go-connections

Add TLS 1.3 to list of TLS versions

You have to set a GODEBUG flag to be able to use it on Go 1.12, it is just for testing, not for production use really. So enabling it seems very confusing.

thaJeztah

comment created time in a month

pull request comment docker/go-connections

Add TLS 1.3 to list of TLS versions

I think we should just make it 1.13+ to avoid any weirdness.

thaJeztah

comment created time in a month

pull request comment linuxkit/linuxkit

Add GitHub Actions

Let's go ahead and then iterate on this.

dave-tucker

comment created time in a month

Pull request review comment theupdateframework/notary

Bump mariadb from 10.1.28 to 10.4

 services:       - mdb     volumes:       - ./notarysql/mysql-initdb.d:/docker-entrypoint-initdb.d-    image: mariadb:10.1.28+    image: mariadb:10.4

It's a dev image, that seems fine.

marcofranssen

comment created time in a month

Pull request review comment cncf/toc

Add SIG-Runtime Charter

+## CNCF Runtime SIG Charter+++### Primary Author: Quinton Hoole++2019-09-02++Also reviewed and contributed to by:++*   Liz Rice+*   Brian Grant++## Introduction++This is the charter referred to in “[CNCF+SIGs](https://github.com/cncf/toc/blob/master/sigs/cncf-sigs.md#sig-charter)”+by the CNCF TOC, and consistent with the [proposed SIG+definition](https://github.com/cncf/toc/blob/master/sigs/proposed.md).+++## Areas Considered In Scope++Workload execution and management systems, components and interfaces+used in [modern cloud-native+environments](https://github.com/cncf/toc/blob/master/DEFINITION.md)+are in scope, including:++++*   generalized orchestration, autoscaling, scheduling, execution, container+    runtimes, sandboxing, virtualization, image packaging and distribution and specialized architectures thereof, e.g. +    *   those aimed specifically at Edge, IoT, Batch, Big Data, AI/ML, etc+    *   those incorporating specialized computing elements beyond CPUs, including GPUs, TPUs, FPGAs, ASICs, etc.++We strive to understand the fundamental characteristics of different approaches with respect to availability,+scalability, performance, consistency, ease-of-use, cost and operational complexity; and relate these to their+suitability to various cloud-native use cases.+++## Areas Considered Out Of Scope++Anything not considered in scope above is out of scope.  See also “Interfaces with Related Groups” below.++Examples include:++++*   General authentication, authorization, accounting, auditing, etc (even though these clearly apply to )+    - because AAA, etc is clearly the domain of the [CNCF Security SIG](https://github.com/cncf/sig-app-delivery).

this should read SIG App Deliver, not Security SIG

quinton-hoole

comment created time in 2 months

Pull request review comment linuxkit/linuxkit

Add GitHub Actions

+name: LinuxKit CI+on: [push, pull_request]++jobs:+  build:+    name: Build & Test+    strategy:+      matrix:+        arch:+          - amd64-linux+          - arm64-linux+          - s390x-linux+          - amd64-darwin+          - amd64-windows.exe++    runs-on: ubuntu-latest+    steps:++    - name: Set up Go 1.11+      uses: actions/setup-go@v1+      with:+        go-version: 1.11+      id: go++    - name: Check out code+      uses: actions/checkout@v1+      with:+        path: ./src/github.com/linuxkit/linuxkit++    - name: Get pre-requisites+      run: |+            echo "::set-env name=PATH::$PATH:$(go env GOPATH)/bin"+            go get -u golang.org/x/lint/golint+            go get -u github.com/gordonklaus/ineffassign+      env:+        GOPATH: ${{runner.workspace}}++    - name: Lint+      run: |+        make local-check+      env:+        GOPATH: ${{runner.workspace}}++    - name: Build+      run: |+        make LOCAL_TARGET=bin/linuxkit-${{matrix.arch}} local-build+      env:+        GOPATH: ${{runner.workspace}}++    - name: Checksum+      run: cd bin && sha256sum linuxkit-${{matrix.arch}} > linuxkit-${{matrix.arch}}.SHA256SUM++    - name: Test+      run: make local-test+      env:+        GOPATH: ${{runner.workspace}}++    - name: Cache binary+      uses: actions/cache@v1+      with:+        path: bin+        key: linuxkit-${{matrix.arch}}-${{hashFiles('src/**')}}++    - name: Upload binary+      uses: actions/upload-artifact@v1.0.0+      with:+        name: linuxkit-${{matrix.arch}}+        path: bin++  build_packages:+    name: Build Packages+    needs: build+    runs-on: ubuntu-latest+    steps:+    - name: Check out code+      uses: actions/checkout@v1+      with:+        path: ./src/github.com/linuxkit/linuxkit++    - name: Restore LinuxKit From Cache+      uses: actions/cache@v1+      with:+        path: lkt+        key: linuxkit-amd64-linux-${{hashFiles('src/**')}}++    - name: Symlink Linuxkit+      run: |+        sudo ln -s 
`pwd`/lkt/linuxkit-amd64-linux /bin/linuxkit++    - name: Build Packages+      run: |+        make -C pkg build++  test_packages:+    name: Packages Tests+    needs: [ build_packages, build ]+    runs-on: ubuntu-latest+    steps:+    - name: Check out code+      uses: actions/checkout@v1+      with:+        path: ./src/github.com/linuxkit/linuxkit+    +    - name: Install Pre-Requisites+      run: |+        export DEBIAN_FRONTEND=noninteractive+        sudo apt-get update +        sudo apt-get install -qy qemu-utils qemu-system-x86 expect+    +    - name: Restore RTF From Cache+      id: cache-rtf+      uses: actions/cache@v1+      with:+        path: bin+        key: rtf-${{hashFiles('Makefile')}}+    +    - name: Build RTF+      if: steps.cache-rtf.outputs.cache-hit != 'true' +      run: make bin/rtf+    +    - name: Symlink RTF+      run: |+        sudo ln -s `pwd`/bin/rtf /bin/rtf++    - name: Restore LinuxKit From Cache+      uses: actions/cache@v1+      with:+        path: lkt+        key: linuxkit-amd64-linux-${{hashFiles('src/**')}}+  +    - name: Symlink Linuxkit+      run: |+        sudo ln -s `pwd`/lkt/linuxkit-amd64-linux /bin/linuxkit++    - name: Run Tests+      run: |+          cd test+          rtf -l build -v run -x linuxkit.packages++  test_kernel:+    name: Kernel Tests+    needs: build+    runs-on: ubuntu-latest+    steps:+    - name: Check out code+      uses: actions/checkout@v1+      with:+        path: ./src/github.com/linuxkit/linuxkit+   +    - name: Install Pre-Requisites+      run: |+        export DEBIAN_FRONTEND=noninteractive+        sudo apt-get update +        sudo apt-get install -qy qemu-utils qemu-system-x86 expect++    - name: Restore RTF From Cache+      id: cache-rtf+      uses: actions/cache@v1+      with:+        path: bin+        key: rtf-${{hashFiles('Makefile')}}+    +    - name: Build RTF+      if: steps.cache-rtf.outputs.cache-hit != 'true' +      run: make bin/rtf+    +    - name: Symlink RTF+      run: |+        sudo 
ln -s `pwd`/bin/rtf /bin/rtf
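Review bot: the "Restore LinuxKit From Cache" step in test_packages has no `id:` and no cache-hit guard, unlike the RTF step right above it, so when the key `linuxkit-amd64-linux-${{hashFiles('src/**')}}` misses (cache eviction, or a pull request from a fork that cannot see the cache) the following sudo ln -s `pwd`/lkt/linuxkit-amd64-linux /bin/linuxkit still succeeds and leaves a dangling symlink, and the job only fails later inside `rtf ... run` with a confusing "linuxkit: not found". actions/cache is best-effort storage, not a guaranteed channel between jobs; since `build` already publishes the binary with upload-artifact as `linuxkit-amd64-linux`, use actions/download-artifact here, or at least give the restore step an `id` and fail fast with `run: test -x lkt/linuxkit-amd64-linux` before the symlink. Smaller points: the "Install Pre-Requisites", "Restore RTF From Cache", "Build RTF" and "Symlink RTF" steps are duplicated verbatim between test_packages and test_kernel, and `make bin/rtf` runs with whatever Go toolchain the runner image ships because neither test job has a setup-go step; a shared script (or a composite step) would keep the two jobs from drifting.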

same here

dave-tucker

comment created time in 2 months

Pull request review commentlinuxkit/linuxkit

Add GitHub Actions

+name: LinuxKit CI+on: [push, pull_request]++jobs:+  build:+    name: Build & Test+    strategy:+      matrix:+        arch:+          - amd64-linux+          - arm64-linux+          - s390x-linux+          - amd64-darwin+          - amd64-windows.exe++    runs-on: ubuntu-latest+    steps:++    - name: Set up Go 1.11+      uses: actions/setup-go@v1+      with:+        go-version: 1.11+      id: go++    - name: Check out code+      uses: actions/checkout@v1+      with:+        path: ./src/github.com/linuxkit/linuxkit++    - name: Get pre-requisites+      run: |+            echo "::set-env name=PATH::$PATH:$(go env GOPATH)/bin"+            go get -u golang.org/x/lint/golint+            go get -u github.com/gordonklaus/ineffassign+      env:+        GOPATH: ${{runner.workspace}}++    - name: Lint+      run: |+        make local-check+      env:+        GOPATH: ${{runner.workspace}}++    - name: Build+      run: |+        make LOCAL_TARGET=bin/linuxkit-${{matrix.arch}} local-build+      env:+        GOPATH: ${{runner.workspace}}++    - name: Checksum+      run: cd bin && sha256sum linuxkit-${{matrix.arch}} > linuxkit-${{matrix.arch}}.SHA256SUM++    - name: Test+      run: make local-test+      env:+        GOPATH: ${{runner.workspace}}++    - name: Cache binary+      uses: actions/cache@v1+      with:+        path: bin+        key: linuxkit-${{matrix.arch}}-${{hashFiles('src/**')}}++    - name: Upload binary+      uses: actions/upload-artifact@v1.0.0+      with:+        name: linuxkit-${{matrix.arch}}+        path: bin++  build_packages:+    name: Build Packages+    needs: build+    runs-on: ubuntu-latest+    steps:+    - name: Check out code+      uses: actions/checkout@v1+      with:+        path: ./src/github.com/linuxkit/linuxkit++    - name: Restore LinuxKit From Cache+      uses: actions/cache@v1+      with:+        path: lkt+        key: linuxkit-amd64-linux-${{hashFiles('src/**')}}++    - name: Symlink Linuxkit+      run: |+        sudo ln -s 
`pwd`/lkt/linuxkit-amd64-linux /bin/linuxkit++    - name: Build Packages+      run: |+        make -C pkg build++  test_packages:+    name: Packages Tests+    needs: [ build_packages, build ]+    runs-on: ubuntu-latest+    steps:+    - name: Check out code+      uses: actions/checkout@v1+      with:+        path: ./src/github.com/linuxkit/linuxkit+    +    - name: Install Pre-Requisites+      run: |+        export DEBIAN_FRONTEND=noninteractive+        sudo apt-get update +        sudo apt-get install -qy qemu-utils qemu-system-x86 expect+    +    - name: Restore RTF From Cache+      id: cache-rtf+      uses: actions/cache@v1+      with:+        path: bin+        key: rtf-${{hashFiles('Makefile')}}+    +    - name: Build RTF+      if: steps.cache-rtf.outputs.cache-hit != 'true' +      run: make bin/rtf+    +    - name: Symlink RTF+      run: |+        sudo ln -s `pwd`/bin/rtf /bin/rtf++    - name: Restore LinuxKit From Cache+      uses: actions/cache@v1+      with:+        path: lkt+        key: linuxkit-amd64-linux-${{hashFiles('src/**')}}+  +    - name: Symlink Linuxkit+      run: |+        sudo ln -s `pwd`/lkt/linuxkit-amd64-linux /bin/linuxkit
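Review bot: `go get -u golang.org/x/lint/golint` and `go get -u github.com/gordonklaus/ineffassign` in "Get pre-requisites" fetch each repository's current HEAD at run time (GOPATH mode, Go 1.11), so the `make local-check` gate can change, or start executing different third-party code, on every push and pull_request without any commit to this repository; pin both tools to a tagged release or a specific commit (vendoring them is the usual answer) so the workflow is reproducible. Two further points: `::set-env name=PATH::...` is the workflow command GitHub has since deprecated for security reasons in favour of appending to `$GITHUB_PATH` / `$GITHUB_ENV`; and "Cache binary" saves `path: bin` while build_packages restores the same key into `path: lkt` with no `id` and no cache-hit check, so a miss is not detected before sudo ln -s `pwd`/lkt/linuxkit-amd64-linux /bin/linuxkit runs. The "Upload binary" artifact `linuxkit-${{matrix.arch}}` already exists, so actions/download-artifact with `name: linuxkit-amd64-linux` is the reliable way to hand the binary from `build` to `build_packages`.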

I think /usr/local/bin/linuxkit is better - adding stuff in /bin is a bit weird...

dave-tucker

comment created time in 2 months

issue commentdocker/for-linux

Containers can starve the host of memory despite limits if overcommit protection is active

This is a Linux kernel issue, nothing we can do in Docker directly, we just apply the kernel memory controls.

koniiiik

comment created time in 2 months

push eventlinuxkit/linuxkit

Rolf Neugebauer

commit sha 27f829f4f5d6bfac881ff8f2c446f0f1f543ff6b

tools/alpine: Fix WireGuard tools build The alpine patch is no longer needed Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha f7e0dcba0bb9c28bf6e41a6df0ea829bd7a56912

tools/alpine: Update wireguard-tools to 0.0.20191219 Also update other packages while at it. Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha bbf174d374b75ab43105d8b542efc47d60159b7e

pkg/ip: Pick up the new version of wireguard-tools Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha 51864cd03c95ae9a1a88cae07f6f0ef6fd7a31c1

Update YAMLs to latest pkg/ip package Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Justin Cormack

commit sha fce020a111aa775a0631e590fda661a6fe361817

Merge pull request #3456 from rn/wg-up Update WireGuard tools to 0.0.20191219

view details

push time in 2 months

PR merged linuxkit/linuxkit

Update WireGuard tools to 0.0.20191219 status/0-triage

This is primarily a fix for the WireGuard tools build in the Alpine base image (removal of the alpine patch).

wasp

+122 -123

0 comment

9 changed files

rn

pr closed time in 2 months

pull request commentlinuxkit/linuxkit

Revert "Removed fixed size arg from mkimage-gcp script."

It timed out again...

rn

comment created time in 2 months

push eventlinuxkit/linuxkit

Rolf Neugebauer

commit sha 81c148a3c422d1269c49f5bca685c21f729a03e6

kernel: Update to 5.3.17/4.19.90/4.14.159/4.9.206 Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha a638c2814c20cb92104165e8628ec0d67c423f63

kernel: Update Intel uCode to microcode-20191115 Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha 7ae9b7b1417e04e6b5def986d584ec35ea19bcd3

kernel: Remove support for 5.2.x Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha 991eebaeab7a01176c7fd1ba7b3c50db67ba2ce7

tests: Re-arrange the kernel tests This is a simple rename of directories to make more space in the test namespace for future kernels. Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha f9fee518a7524b467e9d089713ba92a233bc57b5

kernel: Add support for 5.4.x kernels The kernel config files are derived from the 5.3.x config files run through 'make oldconfig'. Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha a28ebce2f415ec218e4873b31b1a53e4eb7ade14

kernel: Build perf/bcc for 5.4.x kernels not 5.3.x Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha 4e2b69bc2f277e2332fd51cba1c85bad80baa69e

kernel: Remove 5.3.x kernels for arm64 and s390x Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha 02ed4c261fa9661121893236fa600c7254b646d0

kernel: Adjust kernel configs Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha 54a26545012733bdb9c460dcf6217623674bfe1b

Update YAMLs to latest kernels Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Rolf Neugebauer

commit sha 48f1008ec8b20405b34fa91c608154ea8463127f

tests: Add kernel tests for 5.4.x Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>

view details

Justin Cormack

commit sha de4364fe68c5744145d69acd2673880abdfc680c

Merge pull request #3450 from rn/kern-up Update kernels, and Intel ucode, add support for 5.4.x kernels

view details

push time in 2 months

PR merged linuxkit/linuxkit

Update kernels, and Intel ucode, add support for 5.4.x kernels status/0-triage

Also remove 5.3.x support for arm64 and s390x.

crow-tail

+464 -8816

0 comment

305 changed files

rn

pr closed time in 2 months

issue commentlinuxkit/linuxkit

Remove support for 4.9.x and 4.14.x kernels

Hmm, 4.14 is the long long term support kernel, so maybe there is a case to keep it. Definitely can remove 4.9. I think we should get rid of 4.19 sooner maybe, although desktop currently uses it.

rn

comment created time in 2 months

issue commentcncf/sig-security

[Project] 2020 EU Cloud Native Security Day (aka SIG-Security day) at Kubecon

Happy to review submissions. Not yet sure if able to help on day.

TheFoxAtWork

comment created time in 2 months
