fickit: include local pkg

fickit-pkg/boot/Dockerfile

@@ -0,0 +1,3 @@
+FROM alpine:latest
+
+COPY init.sh /init

fickit-pkg/boot/build.yml

@@ -0,0 +1 @@
+image: boot

fickit-pkg/boot/init.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# /proc/cmdline parser (from Gentoo Wiki)
+cmdline() {
+    local value
+    value=" $(cat /proc/cmdline) "
+    value="${value##* $1=}"
+    value="${value%% *}"
+    [ "$value" != "" ] && echo "$value"
+}
+
+mount -t devtmpfs none /dev
+mount -t proc none /proc
+
+mount -o ro /dev/sda1 /boot
+
+mount -o loop -t squashfs /boot/imgs/$(cmdline root) /mnt || /bin/sh
+
+umount /dev
+umount /proc
+mount --move /boot /mnt/boot
+
+# Switch
+exec switch_root /mnt /init

fickit-pkg/mdadm/Dockerfile

@@ -0,0 +1,11 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+    mdadm
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+COPY --from=mirror /out/ /
+COPY etc/ /etc/
+CMD ["/sbin/mdadm", "--monitor", "--scan"]

fickit-pkg/mdadm/build.yml

@@ -0,0 +1,10 @@
+image: mdadm
+network: true
+config:
+  binds:
+    - /dev:/dev
+  capabilities:
+    - CAP_SYS_ADMIN
+    - CAP_MKNOD
+  net: new
+  ipc: new

fickit-pkg/mdadm/etc/init.d/005-mdadm

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+mdadm --assemble /dev/md0 /dev/sda3 /dev/sdb3

fickit-pkg/rsync/Dockerfile

@@ -0,0 +1,26 @@
+FROM alpine:latest AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+    alpine-baselayout \
+    apk-tools \
+    busybox \
+    ca-certificates \
+    musl \
+    openssh-server \
+    openssh-client \
+    rsync \
+    tini \
+    util-linux \
+    && true
+#RUN mv /out/etc/apk/repositories.upstream /out/etc/apk/repositories
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+COPY etc/ /etc/
+COPY usr/ /usr/
+RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
+CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
+LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'

fickit-pkg/rsync/build.yml

@@ -0,0 +1,2 @@
+image: rsync
+network: true

fickit-pkg/rsync/etc/motd

@@ -0,0 +1,4 @@
+Welcome to LinuxKit!
+
+NOTE: This system is namespaced.
+The namespace you are currently in may not be the root.

fickit-pkg/rsync/etc/profile.d/namespace.sh

@@ -0,0 +1 @@
+export PS1="(ns: sshd) $PS1"

fickit-pkg/rsync/etc/ssh/sshd_config

@@ -0,0 +1,144 @@
+#	$OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Default of no subsystems
+#Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+ 
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

fickit-pkg/rsync/usr/bin/ssh.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+KEYS=$(find /etc/ssh -name 'ssh_host_*_key')
+[ -z "$KEYS" ] && ssh-keygen -A >/dev/null 2>/dev/null
+
+exec /usr/sbin/sshd -D -e

fickit-pkg/syslinux/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+    dosfstools \
+    syslinux
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+COPY --from=mirror /out/ /

fickit-pkg/syslinux/build.yml

@@ -0,0 +1,8 @@
+image: syslinux
+network: true
+config:
+  binds:
+    - /dev:/dev
+  capabilities:
+    - CAP_SYS_ADMIN
+  ipc: new

fickit-pkg/unbound/Dockerfile

@@ -0,0 +1,11 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+    unbound
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+RUN wget -O /out/etc/unbound/root.hints ftp://ftp.internic.net/domain/named.cache
+
+FROM scratch
+COPY --from=mirror /out/ /
+COPY etc/unbound/ /etc/unbound

fickit-pkg/unbound/build.yml

@@ -0,0 +1,8 @@
+image: unbound
+network: true
+config:
+  capabilities:
+    - CAP_NET_BIND_SERVICE
+  ipc: new
+  pid: new
+  uts: new

fickit-pkg/unbound/etc/unbound/unbound.conf

@@ -0,0 +1,132 @@
+server:
+        verbosity: 1
+
+        # number of threads to create. 1 disables threading.
+        # num-threads: 1
+
+        # specify the interfaces to answer queries from by ip-address.
+        interface: 0.0.0.0
+        interface: ::0
+
+        # Detach from the terminal, run in background, "yes" or "no".
+        # Set the value to "no" when unbound runs as systemd service.
+        do-daemonize: no
+
+        # control which clients are allowed to make (recursive) queries
+        # to this server. Specify classless netblocks with /size and action.
+        # By default everything is refused, except for localhost.
+        # Choose deny (drop message), refuse (polite error reply),
+        # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+        # deny_non_local (drop queries unless can be answered from local-data)
+        # refuse_non_local (like deny_non_local but polite error reply).
+        #access-control: 172.23.0.0/16 allow
+
+        # if given, user privileges are dropped (after binding port),
+        # and the given username is assumed. Default is user "unbound".
+        # If you give "" no privileges are dropped.
+        # username: "unbound"
+
+        # print one line with time, IP, name, type, class for every query.
+        # log-queries: no
+        log-queries: yes
+
+        # print one line per reply, with time, IP, name, type, class, rcode,
+        # timetoresolve, fromcache and responsesize.
+        # log-replies: no
+        log-replies: yes
+
+        # log the local-zone actions, like local-zone type inform is enabled
+        # also for the other local zone types.
+        # log-local-actions: no
+
+        # print log lines that say why queries return SERVFAIL to clients.
+        log-servfail: yes
+
+        # file to read root hints from.
+        # get one from https://www.internic.net/domain/named.cache
+        # root-hints: ""
+        root-hints: "root.hints"
+
+        # enable to not answer id.server and hostname.bind queries.
+        # hide-identity: no
+        hide-identity: yes
+
+        # enable to not answer version.server and version.bind queries.
+        # hide-version: no
+        hide-version: yes
+
+        # enable to not answer trustanchor.unbound queries.
+        # hide-trustanchor: no
+
+        # Sent minimum amount of information to upstream servers to enhance
+        # privacy. Only sent minimum required labels of the QNAME and set QTYPE
+        # to NS when possible.
+        qname-minimisation: yes
+
+        # Enforce privacy of these addresses. Strips them away from answers.
+        # It may cause DNSSEC validation to additionally mark it as bogus.
+        # Protects against 'DNS Rebinding' (uses browser as network proxy).
+        # Only 'private-domain' and 'local-data' names are allowed to have
+        # these private addresses. No default.
+        # private-address: 10.0.0.0/8
+        # private-address: 172.16.0.0/12
+        # private-address: 192.168.0.0/16
+        # private-address: 169.254.0.0/16
+        # private-address: fd00::/8
+        # private-address: fe80::/10
+        # private-address: ::ffff:0:0/96
+
+        # if yes, Unbound rotates RRSet order in response.
+        rrset-roundrobin: yes
+
+        # if yes, Unbound doesn't insert authority/additional sections
+        # into response messages when those sections are not required.
+        minimal-responses: yes
+
+        # true to disable DNSSEC lameness check in iterator.
+        # disable-dnssec-lame-check: no
+
+        # module configuration of the server. A string with identifiers
+        # separated by spaces. Syntax: "[dns64] [validator] iterator"
+        module-config: "validator iterator"
+
+        # File with trusted keys, kept uptodate using RFC5011 probes,
+        # initial file like trust-anchor-file, then it stores metadata.
+        # Use several entries, one per domain name, to track multiple zones.
+        #
+        # If you want to perform DNSSEC validation, run unbound-anchor before
+        # you start unbound (i.e. in the system boot scripts).  And enable:
+        # Please note usage of unbound-anchor root anchor is at your own risk
+        # and under the terms of our LICENSE (see that file in the source).
+        #auto-trust-anchor-file: "var/root-anchors.txt"
+
+        # trust anchor signaling sends a RFC8145 key tag query after priming.
+        # trust-anchor-signaling: yes
+
+        # File with DLV trusted keys. Same format as trust-anchor-file.
+        # There can be only one DLV configured, it is trusted from root down.
+        # DLV is going to be decommissioned.  Please do not use it any more.
+        # dlv-anchor-file: "dlv.isc.org.key"
+
+        # File with trusted keys for validation. Specify more than one file
+        # with several entries, one file per entry.
+        # Zone file format, with DS and DNSKEY entries.
+        # Note this gets out of date, use auto-trust-anchor-file please.
+        # trust-anchor-file: "/etc/dnssec/root-anchors.txt"
+        trust-anchor-file: "root-anchors.txt"
+
+        # Trusted key for validation. DS or DNSKEY. specify the RR on a
+        # single line, surrounded by "". TTL is ignored. class is IN default.
+        # Note this gets out of date, use auto-trust-anchor-file please.
+        # (These examples are from August 2007 and may not be valid anymore).
+        # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+        # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+
+        # Turn permissive mode on to permit bogus messages. Thus, messages
+        # for which security checks failed will be returned to clients,
+        # instead of SERVFAIL. It still performs the security checks, which
+        # result in interesting log files and possibly the AD bit in
+        # replies if the message is found secure. The default is off.
+        #val-permissive-mode: yes
+
+	include: /etc/unbound/unbound.d/*.conf