diff --git a/pkg/acpid/Dockerfile b/pkg/acpid/Dockerfile
index ffae7c43c1..fed6eb2e15 100644
--- a/pkg/acpid/Dockerfile
+++ b/pkg/acpid/Dockerfile
@@ -17,6 +17,3 @@ COPY --from=mirror /out/ / COPY --from=mirror2 /out/etc/acpi /etc/acpi CMD ["/sbin/acpid", "-f", "-d"] - -LABEL org.mobyproject.config='{"binds": ["/dev:/dev"], "pid": "host"}' -
diff --git a/pkg/acpid/build.yml b/pkg/acpid/build.yml
index cf21e8b147..41bb44319a 100644
--- a/pkg/acpid/build.yml
+++ b/pkg/acpid/build.yml
@@ -1 +1,5 @@
 image: acpid
+config:
+ binds:
+ - /dev:/dev
+ pid: host
diff --git a/pkg/binfmt/Dockerfile b/pkg/binfmt/Dockerfile
index 9048e343bd..5fa98e754e 100644
--- a/pkg/binfmt/Dockerfile
+++ b/pkg/binfmt/Dockerfile
@@ -22,4 +22,3 @@ COPY --from=mirror /go/bin/binfmt usr/bin/binfmt
 COPY --from=mirror /binfmt_misc /binfmt_misc/
 COPY etc/binfmt.d/00_linuxkit.conf etc/binfmt.d/00_linuxkit.conf
 CMD ["/usr/bin/binfmt", "-dir", "/etc/binfmt.d/", "-mount", "/binfmt_misc"]
-LABEL org.mobyproject.config='{"binds": ["/proc/sys/fs/binfmt_misc:/binfmt_misc"], "readonly": true, "net": "new", "ipc": "new"}'
diff --git a/pkg/binfmt/build.yml b/pkg/binfmt/build.yml
index c248c8dd71..06150b01da 100644
--- a/pkg/binfmt/build.yml
+++ b/pkg/binfmt/build.yml
@@ -1,3 +1,9 @@
 image: binfmt
 arches:
 - amd64
+config:
+ binds:
+ - /proc/sys/fs/binfmt_misc:/binfmt_misc
+ readonly: true
+ net: new
+ ipc: new
diff --git a/pkg/cadvisor/Dockerfile b/pkg/cadvisor/Dockerfile
index 42df6a5fcd..3adbb1c367 100644
--- a/pkg/cadvisor/Dockerfile
+++ b/pkg/cadvisor/Dockerfile
@@ -37,4 +37,3 @@ COPY --from=build /usr/bin/cadvisor /usr/bin/cadvisor COPY /waitfordocker.sh /usr/bin/waitfordocker.sh ENTRYPOINT ["/usr/bin/waitfordocker.sh", "/usr/bin/cadvisor", "-logtostderr", "--disable_metrics=disk,tcp,udp"] -LABEL org.mobyproject.config='{"pid": "host", "binds": ["/var/lib/docker:/var/lib/docker:ro", "/var/run:/var/run", "/sys:/sys:ro", "/etc/resolv.conf:/etc/resolv.conf:ro"], "capabilities": ["all"]}'
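Review bot: A misspelled key in the new `config:` block would not fail the build unless the build.yml loader rejects unknown fields, because the block is free-form YAML whose keys (`binds`, `pid` here; `capabilities`, `net`, `ipc`, `readonly`, `rootfsPropagation`, `oomScoreAdj` in the other files) mirror the removed `org.mobyproject.config` JSON label, and a silently dropped `readonly:` or `capabilities:` changes the privileges the service starts with; worth confirming the parser is strict. This applies to every build.yml hunk in the commit; I compared each block against the label it replaces and the fields and values carry over unchanged. Since YAML allows comments where the JSON label did not, a header such as `config:  # runtime settings for the service container (replaces the org.mobyproject.config label)` would tell readers where the old label went.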
diff --git a/pkg/cadvisor/build.yml b/pkg/cadvisor/build.yml
index 79a35bc800..7b1eb6c411 100644
--- a/pkg/cadvisor/build.yml
+++ b/pkg/cadvisor/build.yml
@@ -3,3 +3,12 @@ network: true
 arches:
 - amd64
 - arm64
+config:
+ pid: host
+ binds:
+ - /var/lib/docker:/var/lib/docker:ro
+ - /var/run:/var/run
+ - /sys:/sys:ro
+ - /etc/resolv.conf:/etc/resolv.conf:ro
+ capabilities:
+ - all
diff --git a/pkg/dhcpcd/Dockerfile b/pkg/dhcpcd/Dockerfile
index c15a945dbe..3f8bf90e66 100644
--- a/pkg/dhcpcd/Dockerfile
+++ b/pkg/dhcpcd/Dockerfile
@@ -16,4 +16,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY /dhcpcd.conf /usr/ /
 CMD ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf"]
-LABEL org.mobyproject.config='{"binds": ["/run/resolvconf:/etc"], "capabilities": ["CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW", "CAP_SYS_ADMIN"]}'
diff --git a/pkg/dhcpcd/build.yml b/pkg/dhcpcd/build.yml
index 47241f0fad..40edd31791 100644
--- a/pkg/dhcpcd/build.yml
+++ b/pkg/dhcpcd/build.yml
@@ -1 +1,9 @@
 image: dhcpcd
+config:
+ binds:
+ - /run/resolvconf:/etc
+ capabilities:
+ - CAP_NET_ADMIN
+ - CAP_NET_BIND_SERVICE
+ - CAP_NET_RAW
+ - CAP_SYS_ADMIN
diff --git a/pkg/extend/Dockerfile b/pkg/extend/Dockerfile
index 1990f3cac0..0d1be79c4b 100644
--- a/pkg/extend/Dockerfile
+++ b/pkg/extend/Dockerfile
@@ -30,4 +30,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY --from=build /go/bin/extend usr/bin/extend
 CMD ["/usr/bin/extend"]
-LABEL org.mobyproject.config='{"binds": ["/dev:/dev"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"], "net": "new", "ipc": "new"}'
diff --git a/pkg/extend/build.yml b/pkg/extend/build.yml
index 6f10de7f3a..75c834692e 100644
--- a/pkg/extend/build.yml
+++ b/pkg/extend/build.yml
@@ -1 +1,9 @@
 image: extend
+config:
+ binds:
+ - /dev:/dev
+ capabilities:
+ - CAP_SYS_ADMIN
+ - CAP_MKNOD
+ net: new
+ ipc: new
diff --git a/pkg/format/Dockerfile b/pkg/format/Dockerfile
index 5c4bec43c4..d3b08844df 100644
--- a/pkg/format/Dockerfile
+++ b/pkg/format/Dockerfile
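Review bot: `capabilities: - all` combined with `pid: host` and a read-write bind of `/var/run:/var/run` (where the Docker socket normally lives) gives a metrics exporter host-equivalent privilege; this is carried over verbatim from the removed label rather than introduced here, but the YAML form now allows a rationale to sit next to it. A comment such as `capabilities:  # NOTE(review): 'all' inherited from the old label; narrow to what cadvisor actually needs once known` would flag it for follow-up. The same `capabilities: all` appears in the getty, node_exporter, sshd and tss build.yml hunks; for getty, sshd and tss it is presumably intentional as host-management services, which is worth stating in a comment there too.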
@@ -30,4 +30,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY --from=build /go/bin/format usr/bin/format
 CMD ["/usr/bin/format"]
-LABEL org.mobyproject.config='{"binds": ["/dev:/dev"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"], "net": "new", "ipc": "new"}'
diff --git a/pkg/format/build.yml b/pkg/format/build.yml
index a205794efc..9fb9016f7e 100644
--- a/pkg/format/build.yml
+++ b/pkg/format/build.yml
@@ -1 +1,9 @@
 image: format
+config:
+ binds:
+ - /dev:/dev
+ capabilities:
+ - CAP_SYS_ADMIN
+ - CAP_MKNOD
+ net: new
+ ipc: new
diff --git a/pkg/getty/Dockerfile b/pkg/getty/Dockerfile
index 53ab5288fe..71f95d9940 100644
--- a/pkg/getty/Dockerfile
+++ b/pkg/getty/Dockerfile
@@ -32,4 +32,3 @@ COPY --from=mirror /out/ /
 COPY usr/ /usr/
 COPY etc/ /etc/
 CMD ["/usr/bin/rungetty.sh"]
-LABEL org.mobyproject.config='{"pid": "host", "net":"host", "binds": ["/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'
diff --git a/pkg/getty/build.yml b/pkg/getty/build.yml
index 05912cb5b8..4644d3d5c3 100644
--- a/pkg/getty/build.yml
+++ b/pkg/getty/build.yml
@@ -1 +1,17 @@
 image: getty
+config:
+ pid: host
+ net: host
+ binds:
+ - /etc/resolv.conf:/etc/resolv.conf
+ - /run:/run
+ - /tmp:/tmp
+ - /etc:/hostroot/etc
+ - /usr/bin/ctr:/usr/bin/ctr
+ - /usr/bin/runc:/usr/bin/runc
+ - /containers:/containers
+ - /var/log:/var/log
+ - /dev:/dev
+ - /sys:/sys
+ capabilities:
+ - all
diff --git a/pkg/host-timesync-daemon/Dockerfile b/pkg/host-timesync-daemon/Dockerfile
index 622f178d99..796ed0fd4d 100644
--- a/pkg/host-timesync-daemon/Dockerfile
+++ b/pkg/host-timesync-daemon/Dockerfile
@@ -19,4 +19,3 @@ CMD []
 WORKDIR /
 COPY --from=mirror /go/bin/host-timesync-daemon /usr/bin/host-timesync-daemon
 CMD ["/usr/bin/host-timesync-daemon", "-port", "0xf3a4"]
-LABEL org.mobyproject.config='{"binds": [ "/dev/rtc0:/dev/rtc0" ], "capabilities": ["CAP_SYS_TIME"]}'
diff --git a/pkg/host-timesync-daemon/build.yml b/pkg/host-timesync-daemon/build.yml
index c3ec54bd7e..4423a01537 100644
--- a/pkg/host-timesync-daemon/build.yml
+++ b/pkg/host-timesync-daemon/build.yml
@@ -2,3 +2,8 @@ image: host-timesync-daemon
 network: true
 arches:
 - amd64
+config:
+ binds:
+ - /dev/rtc0:/dev/rtc0
+ capabilities:
+ - CAP_SYS_TIME
diff --git a/pkg/ip/Dockerfile b/pkg/ip/Dockerfile
index a1a730d7f6..67f7a4893f 100644
--- a/pkg/ip/Dockerfile
+++ b/pkg/ip/Dockerfile
@@ -24,4 +24,3 @@ ENTRYPOINT []
 CMD []
 WORKDIR /
 COPY --from=mirror /out/ /
-LABEL org.mobyproject.config='{"capabilities": ["CAP_NET_ADMIN", "CAP_NET_RAW"]}'
diff --git a/pkg/ip/build.yml b/pkg/ip/build.yml
index 0994a73215..5cb96539a7 100644
--- a/pkg/ip/build.yml
+++ b/pkg/ip/build.yml
@@ -1,2 +1,6 @@
 image: ip
 network: true
+config:
+ capabilities:
+ - CAP_NET_ADMIN
+ - CAP_NET_RAW
diff --git a/pkg/mkimage/Dockerfile b/pkg/mkimage/Dockerfile
index 5f62870cc4..778f329e48 100644
--- a/pkg/mkimage/Dockerfile
+++ b/pkg/mkimage/Dockerfile
@@ -20,4 +20,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY mkimage.sh /usr/bin/
 CMD ["mkimage.sh"]
-LABEL org.mobyproject.config='{"readonly": true, "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"], "binds": ["/dev:/dev"]}'
diff --git a/pkg/mkimage/build.yml b/pkg/mkimage/build.yml
index 1fa6e4f1c3..9b69ad29e9 100644
--- a/pkg/mkimage/build.yml
+++ b/pkg/mkimage/build.yml
@@ -1,3 +1,10 @@
 image: mkimage
 arches:
 - amd64
+config:
+ readonly: true
+ capabilities:
+ - CAP_SYS_ADMIN
+ - CAP_MKNOD
+ binds:
+ - /dev:/dev
diff --git a/pkg/modprobe/Dockerfile b/pkg/modprobe/Dockerfile
index 6853e3b928..518839e568 100644
--- a/pkg/modprobe/Dockerfile
+++ b/pkg/modprobe/Dockerfile
@@ -10,4 +10,3 @@ ENTRYPOINT []
 CMD []
 WORKDIR /
 COPY --from=mirror /out/ /
-LABEL org.mobyproject.config='{"binds": ["/lib/modules:/lib/modules", "/sys:/sys"], "capabilities": ["CAP_SYS_MODULE"]}'
diff --git a/pkg/modprobe/build.yml b/pkg/modprobe/build.yml
index 5c653ad79a..f6f36ab00b 100644
--- a/pkg/modprobe/build.yml
+++ b/pkg/modprobe/build.yml
@@ -1 +1,7 @@
 image: modprobe
+config:
+ binds:
+ - /lib/modules:/lib/modules
+ - /sys:/sys
+ capabilities:
+ - CAP_SYS_MODULE
diff --git a/pkg/mount/Dockerfile b/pkg/mount/Dockerfile
index 2943c9b4ab..0651df42d9 100644
--- a/pkg/mount/Dockerfile
+++ b/pkg/mount/Dockerfile
@@ -24,4 +24,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY --from=build /go/bin/mountie usr/bin/mountie
 CMD ["/usr/bin/mountie"]
-LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var:rshared,rbind", "/:/hostroot"], "capabilities": ["CAP_SYS_ADMIN"], "rootfsPropagation": "shared", "net": "new", "ipc": "new"}'
diff --git a/pkg/mount/build.yml b/pkg/mount/build.yml
index 93801b226b..8f8634a7af 100644
--- a/pkg/mount/build.yml
+++ b/pkg/mount/build.yml
@@ -1 +1,11 @@
 image: mount
+config:
+ binds:
+ - /dev:/dev
+ - /var:/var:rshared,rbind
+ - /:/hostroot
+ capabilities:
+ - CAP_SYS_ADMIN
+ rootfsPropagation: shared
+ net: new
+ ipc: new
diff --git a/pkg/node_exporter/Dockerfile b/pkg/node_exporter/Dockerfile
index c1aa49825b..263320e4ee 100644
--- a/pkg/node_exporter/Dockerfile
+++ b/pkg/node_exporter/Dockerfile
@@ -23,5 +23,3 @@ ENTRYPOINT ["/bin/node_exporter", "--path.procfs", "/host/proc", \
 "--path.sysfs", "/host/sys", \
 "--collector.filesystem.ignored-mount-points", \
 "^/(sys|proc|dev|host|etc)($|/)"]
-LABEL org.mobyproject.config='{"pid": "host", "binds": ["/proc:/host/proc", "/sys:/host/sys", "/:/rootfs"], "capabilities": ["all"]}'
-
diff --git a/pkg/node_exporter/build.yml b/pkg/node_exporter/build.yml
index 883b46c31d..3abcd9d9fd 100644
--- a/pkg/node_exporter/build.yml
+++ b/pkg/node_exporter/build.yml
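Review bot: `rootfsPropagation: shared` together with the `rshared,rbind` options on `/var:/var` and the bind of the whole host root at `/:/hostroot` is the only use of mount propagation in this set of build.yml files, and nothing records why; presumably mounts performed by `/usr/bin/mountie` have to become visible on the host, which is the effect shared propagation has. A comment on the key, `rootfsPropagation: shared  # mounts created inside the container must propagate back to the host`, would keep a later cleanup from reverting it to the default. `/:/hostroot` is a writable bind of the host root; if mountie only reads through it, `:ro` would be the tighter option, but that needs confirming against the mountie code.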
@@ -1,2 +1,10 @@
 image: node_exporter
 network: true
+config:
+ pid: host
+ binds:
+ - /proc:/host/proc
+ - /sys:/host/sys
+ - /:/rootfs
+ capabilities:
+ - all
diff --git a/pkg/open-vm-tools/Dockerfile b/pkg/open-vm-tools/Dockerfile
index 2261b7a119..b28eb4d02a 100644
--- a/pkg/open-vm-tools/Dockerfile
+++ b/pkg/open-vm-tools/Dockerfile
@@ -15,5 +15,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY scripts /etc/vmware-tools/scripts
 CMD ["/usr/bin/vmtoolsd"]
-
-LABEL org.mobyproject.config='{"pid": "host", "capabilities": ["CAP_SYS_BOOT"]}'
diff --git a/pkg/open-vm-tools/build.yml b/pkg/open-vm-tools/build.yml
index 4c99f31a8b..8626238f34 100644
--- a/pkg/open-vm-tools/build.yml
+++ b/pkg/open-vm-tools/build.yml
@@ -1,3 +1,7 @@
 image: open-vm-tools
 arches:
 - amd64
+config:
+ pid: host
+ capabilities:
+ - CAP_SYS_BOOT
diff --git a/pkg/openntpd/Dockerfile b/pkg/openntpd/Dockerfile
index 6f0208808f..2de2e7b681 100644
--- a/pkg/openntpd/Dockerfile
+++ b/pkg/openntpd/Dockerfile
@@ -16,4 +16,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY etc/ /etc/
 CMD ["/usr/sbin/ntpd", "-d", "-s"]
-LABEL org.mobyproject.config='{"binds": ["/etc/resolv.conf:/etc/resolv.conf"], "capabilities": ["CAP_SYS_TIME", "CAP_SYS_NICE", "CAP_SYS_CHROOT", "CAP_SETUID", "CAP_SETGID"]}'
diff --git a/pkg/openntpd/build.yml b/pkg/openntpd/build.yml
index d9bf82d9b1..af23c59c02 100644
--- a/pkg/openntpd/build.yml
+++ b/pkg/openntpd/build.yml
@@ -1 +1,10 @@
 image: openntpd
+config:
+ binds:
+ - /etc/resolv.conf:/etc/resolv.conf
+ capabilities:
+ - CAP_SYS_TIME
+ - CAP_SYS_NICE
+ - CAP_SYS_CHROOT
+ - CAP_SETUID
+ - CAP_SETGID
diff --git a/pkg/qemu-ga/Dockerfile b/pkg/qemu-ga/Dockerfile
index 24d3ca9282..540c5d3da7 100644
--- a/pkg/qemu-ga/Dockerfile
+++ b/pkg/qemu-ga/Dockerfile
@@ -10,4 +10,3 @@ WORKDIR /
 ENTRYPOINT []
 COPY --from=build /out /
 CMD ["/usr/bin/qemu-ga", "-p", "/dev/vport0p1"]
-LABEL org.mobyproject.config='{"net": "host"}'
diff --git a/pkg/qemu-ga/build.yml b/pkg/qemu-ga/build.yml
index 70e6af2d3e..77913c8670 100644
--- a/pkg/qemu-ga/build.yml
+++ b/pkg/qemu-ga/build.yml
@@ -1 +1,3 @@
 image: qemu-ga
+config:
+ net: host
diff --git a/pkg/rngd/Dockerfile b/pkg/rngd/Dockerfile
index db0fc0c021..403793ee63 100644
--- a/pkg/rngd/Dockerfile
+++ b/pkg/rngd/Dockerfile
@@ -15,4 +15,3 @@ CMD []
 WORKDIR /
 COPY --from=mirror /go/bin/rngd /sbin/rngd
 CMD ["/sbin/rngd"]
-LABEL org.mobyproject.config='{"capabilities": ["CAP_SYS_ADMIN"], "oomScoreAdj": -800, "readonly": true, "net": "new", "ipc": "new"}'
diff --git a/pkg/rngd/build.yml b/pkg/rngd/build.yml
index b3cbd7f5c7..7b7c55ff0e 100644
--- a/pkg/rngd/build.yml
+++ b/pkg/rngd/build.yml
@@ -1 +1,8 @@
 image: rngd
+config:
+ capabilities:
+ - CAP_SYS_ADMIN
+ oomScoreAdj: -800
+ readonly: true
+ net: new
+ ipc: new
diff --git a/pkg/sshd/Dockerfile b/pkg/sshd/Dockerfile
index 495ecb174d..db1d89405e 100644
--- a/pkg/sshd/Dockerfile
+++ b/pkg/sshd/Dockerfile
@@ -22,4 +22,3 @@ COPY etc/ /etc/
 COPY usr/ /usr/
 RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
 CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
-LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'
diff --git a/pkg/sshd/build.yml b/pkg/sshd/build.yml
index 7c04a29f85..3d8216d409 100644
--- a/pkg/sshd/build.yml
+++ b/pkg/sshd/build.yml
@@ -1 +1,17 @@
 image: sshd
+config:
+ pid: host
+ binds:
+ - /root/.ssh:/root/.ssh
+ - /etc/resolv.conf:/etc/resolv.conf
+ - /run:/run
+ - /tmp:/tmp
+ - /etc:/hostroot/etc
+ - /usr/bin/ctr:/usr/bin/ctr
+ - /usr/bin/runc:/usr/bin/runc
+ - /containers:/containers
+ - /var/log:/var/log
+ - /dev:/dev
+ - /sys:/sys
+ capabilities:
+ - all
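Review bot: The `/root/.ssh:/root/.ssh` bind mounts a host directory over the one the sshd Dockerfile creates with `chmod 0700 /root/.ssh` (that `RUN` line is context in the Dockerfile hunk on this same line), so the build-time mode is masked at runtime and the host directory's ownership and mode are what sshd's StrictModes check sees, if the shipped config leaves it enabled. A comment on the bind, `- /root/.ssh:/root/.ssh  # host-provided keys; the image's chmod 0700 is masked, the host dir's mode/ownership must satisfy sshd`, would make that dependency explicit. The other binds, `pid: host` and `capabilities: all` mirror the getty block and are unchanged from the removed label.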
diff --git a/pkg/swap/Dockerfile b/pkg/swap/Dockerfile
index 65cfcf2e00..2f359dd703 100644
--- a/pkg/swap/Dockerfile
+++ b/pkg/swap/Dockerfile
@@ -16,4 +16,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY /swap.sh .
 ENTRYPOINT ["swap.sh"]
-LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var"], "capabilities": ["CAP_SYS_ADMIN", "CAP_MKNOD"], "net": "new", "ipc": "new"}'
diff --git a/pkg/swap/build.yml b/pkg/swap/build.yml
index 2c8a3583e7..1b8c7ec533 100644
--- a/pkg/swap/build.yml
+++ b/pkg/swap/build.yml
@@ -1 +1,10 @@
 image: swap
+config:
+ binds:
+ - /dev:/dev
+ - /var:/var
+ capabilities:
+ - CAP_SYS_ADMIN
+ - CAP_MKNOD
+ net: new
+ ipc: new
diff --git a/pkg/sysfs/Dockerfile b/pkg/sysfs/Dockerfile
index b988a36e97..a54728fd62 100644
--- a/pkg/sysfs/Dockerfile
+++ b/pkg/sysfs/Dockerfile
@@ -13,4 +13,3 @@ WORKDIR /
 COPY --from=mirror /go/bin/sysfs /usr/bin/sysfs
 COPY etc/ /etc/
 CMD ["/usr/bin/sysfs"]
-LABEL org.mobyproject.config='{"net": "new", "ipc": "new"}'
diff --git a/pkg/sysfs/build.yml b/pkg/sysfs/build.yml
index 642d0d0475..59fe8dd68c 100644
--- a/pkg/sysfs/build.yml
+++ b/pkg/sysfs/build.yml
@@ -1 +1,4 @@
 image: sysfs
+config:
+ net: new
+ ipc: new
diff --git a/pkg/trim-after-delete/Dockerfile b/pkg/trim-after-delete/Dockerfile
index 17524d1163..40d4e84768 100644
--- a/pkg/trim-after-delete/Dockerfile
+++ b/pkg/trim-after-delete/Dockerfile
@@ -23,4 +23,3 @@ WORKDIR /
 COPY --from=mirror /out/ /
 COPY --from=mirror /go/bin/trim-after-delete /usr/bin/trim-after-delete
 CMD ["/usr/bin/trim-after-delete", "--", "/sbin/fstrim", "/var/lib/docker"]
-LABEL org.mobyproject.config='{"binds": ["/var/run:/var/run", "/var/lib/docker:/var/lib/docker"], "capabilities": ["CAP_SYS_ADMIN"]}'
diff --git a/pkg/trim-after-delete/build.yml b/pkg/trim-after-delete/build.yml
index 3ddef36f7d..24ebf38a93 100644
--- a/pkg/trim-after-delete/build.yml
+++ b/pkg/trim-after-delete/build.yml
@@ -1 +1,7 @@
 image: trim-after-delete
+config:
+ binds:
+ - /var/run:/var/run
+ - /var/lib/docker:/var/lib/docker
+ capabilities:
+ - CAP_SYS_ADMIN
diff --git a/pkg/tss/Dockerfile b/pkg/tss/Dockerfile
index 7950915a21..08a868ae57 100644
--- a/pkg/tss/Dockerfile
+++ b/pkg/tss/Dockerfile
@@ -61,4 +61,3 @@ RUN busybox chmod 0644 /etc/passwd /etc/group && \ busybox rm /bin/busybox /bin/sh CMD ["/sbin/tcsd","-f"] -LABEL org.mobyproject.config='{"pid": "host", "net":"host", "binds": ["/dev:/dev"], "capabilities": ["all"]}'
diff --git a/pkg/tss/build.yml b/pkg/tss/build.yml
index e72bb1b916..cea1558cfe 100644
--- a/pkg/tss/build.yml
+++ b/pkg/tss/build.yml
@@ -2,3 +2,10 @@ image: tss
 network: true
 arches:
 - amd64
+config:
+ pid: host
+ net: host
+ binds:
+ - /dev:/dev
+ capabilities:
+ - all