Comments (7)
i'm in favor of updating the template spec to allow specifying namespaces and seccomps like they do in linuxkit. I like this because gives end-users the flexibility to run a greater amount of actions images to accomplish specific user case goals.
Just dropping this script below in as a note on the bare amount of capabilities and seccomp i was able to find to get kexec
working in a container. I believe this would be similar to other things like reboot
. 3 namespaces (pid, ipc, net(needed to down interfaces on reboots)), cap-add CAP_SYS_BOOT
, and the seccomp profile.
# write the seccomp profile out
cat <<EOF> profile.json
{
"names": [
"kexec_file_load",
"kexec_load"
],
"action": "SCMP_ACT_ALLOW",
"args": [],
"comment": "",
"includes": {
"caps": [
"CAP_SYS_BOOT"
]
},
"excludes": {}
}
EOF
# run the container
docker run -it --pid=host --ipc=host --net=host --cap-add=CAP_SYS_BOOT --security-opt="seccomp=profile.json" --volume /:/host --rm busybox chroot /host
# load and run new kernel
kexec -l /boot/vmlinuz-5.4.0-65-generic --append=root=/dev/sda1 --initrd=/boot/initrd.img-5.4.0-65-generic
kexec -e
from hook.
Boom,
The Tink docker image also has the kexec-tools, tested with:
alias d="ctr -n services.linuxkit t exec -t --exec-id test docker"
d bash
mount /dev/sda3 /mnt
kexec -l /mnt/boot/vmlinuz --initramfs /mnt/boot/initramfs --append "rootfs=/dev/sda3 ro"
kexec -e
from hook.
I think overall, we have to figure out a clear implementation for requirements like:
- How do we reboot?
- How do we kexec?
A big concern I have is how do we define this feature to keep well-defined boundaries between components? Is this feature something that has to be implemented in the installation environment and the template definition? Does it require tink-worker to be aware of it? We should do our best to be sure that it is self-contained and easy to re-implement if somebody wants to write its own OSIE or even its own tink-worker.
I keep mentioning that somebody will want to write its own tink-worker mainly because as soon as more people pick up the project, they will want to use something that is not Docker, they will want to use Vault to authenticate to, or things like that... And it will be way easier to say: "this is the worker interface, have a look and write your own one in Rust."
from hook.
We were discussing this yesterday and spit balling some ideas. We thought about pipes or running cmds from tink-worker, but the one we like the most was to extend the template/workflows to provide for "super containers" or "uncontained containers" :D. tink-docker is an example of that here, we could expand the privileges/capabilities we can tweak in the template so that for example the kexec action would just be able to do it itself. No need to coordinate the feature between osie/tinkie/somethingelse since its part of the tink engine.
One thing that we need to think about though is properly finishing the workflow, succesfully if we kexec or reboot.
from hook.
This is epic !
err := unix.KexecFileLoad(kernelFD, initrdFD, cmdline, flags)
if err != nil {
return err
}
unix.Reboot(LINUX_REBOOT_CMD_KEXEC)
from hook.
One thing that we need to think about though is properly finishing the workflow, successfully if we kexec or reboot.
Which is what was nice about dropping a file to a path.. it completes successfully and something else then reboots.
from hook.
Ok! There is nothing left to do in this repository about kexec support. The action is in tinkerbell/hub as PR right now blocked by some work that has to be done in tink-worker. I am closing this issue.
from hook.
Related Issues (20)
- question around use of `cpio` HOT 4
- boot w/ the dev-dist build HOT 7
- Wrong /dev/null permission making ubuntu jammy deployment impossible HOT 6
- how to recoginze the lvm on my disk HOT 2
- changes to `kernel/` directory require `validation` check
- add lvm2 package into kernel Dockerfile, lead to failure of kernel build HOT 1
- Make deterministic device paths available
- Hook dynamic runtime driver support HOT 1
- git tag "latest" behaves in a mutable way. HOT 1
- Hook doesn't create required files/folder for docker trusted certificates HOT 2
- [Feature Request] Let the user choose which architecture to build HOT 1
- Include the checksums as a release artifact
- include a version file in Hook
- How to enable docker insecure-registries on OSIE HOT 1
- How to install from official ISO image
- Possible Bug In VLAN parsing HOT 2
- Ability to signal host shutdown HOT 1
- ARM64 server gets stuck on "bpfilter write fail: -32" when activating Linuxkit (Alpine) HOT 1
- ARM64 server gets stuck on "bpfilter write fail: -32" when activating Linuxkit (Alpine). HOT 11
- `/dev/disk/by-id` not populated HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hook.