Using LinuxKit on real hardware

LinuxKit is a promising toolkit for building secure, portable and lean operating systems for containers. One of its advantages is having a predictable container set (in other words, installed packages in the system), hence providing a homomorphic environment for QA and benchmarking tests.

However, the project is fairly new, and users may have problems setting and running it up, especially on the real hardware. The documentation and packages are under way, but it's already possible to get it working.

Yaml Configuration

See below the sample configuration that you can use to boot the image on the real hardware and get Wi-Fi working. Few notes though:

  • The OS is assumed to be run from USB mass storage (see root=/dev/sda1 kernel parameter). Please modify it for your needs.
  • Please use your own Wi-Fi driver instead of brcmfmac for the modprobe. You can use lspci tool to get the required name.
  • Please use real <ssid> and <password> values for the wpa_supplicant configuration.
  • I've provided few Docker images to use while the official packages are not updated yet. You may want to create your own versions, the related information is available in their description:
The sample configuration: 
\src: linuxkit.yml
kernel:
  image: nuald/kernel:4.12.14-extra
  cmdline: "console=tty0 root=/dev/sda1 rootwait vga=791"
init:
  - linuxkit/init:6fe9d31a53bbd200183bb31edd795305e868d5a7
  - linuxkit/runc:a1b564248a0d0b118c11e61db9f84ecf41dd2d2a
  - linuxkit/containerd:ad6710e069cb538c76314a28e09d6b49958c88e0
  - nuald/linux-firmware:latest
onboot:
  - name: modprobe
    image: linuxkit/modprobe:69494c187eddc12b3f24e4e0cbd5d3360bda3504
    command: ["modprobe", "-a", "brcmfmac"]
services:
  - name: wpa_supplicant
    image: nuald/wpa_supplicant:a5cef22bd214b2845f65636bc9cf60d805712fe5-amd64
    binds:
     - /etc/wpa_supplicant:/etc/wpa_supplicant
    command: ["/sbin/wpa_supplicant", "-i", "wlan0", "-c", "/etc/wpa_supplicant/wpa_supplicant.conf"]
  - name: dhcpcd
    image: linuxkit/dhcpcd:d4408777ed6b6e6e562a5d4938fd09804324b33e
    command: ["/sbin/dhcpcd", "wlan0"]
  - name: getty
    image: linuxkit/getty:bf6872ce0a9f3ab519b3e502cc41ba3958bda2a6
    env:
     - INSECURE=true
files:
  - path: etc/wpa_supplicant/wpa_supplicant.conf
    contents: |
      network={
        ssid="<ssid>"
        psk="<password>"
      }
trust:
  org:
    - linuxkit

Usage Notes

The configuration has been tested for the image loaded by so-called "Legacy" BIOS mode. You may need to change the BIOS settings to disable Secure Boot and/or enable Legacy BIOS booting options.

The image is prepared with the moby tool: 

moby build -format iso-bios linuxkit.yml

Please verify the USB device you're putting image into. For macOS you can use Disk Utility Tool: 

diskutil list

Before writing, please unmount the device. For macOS (assuming /dev/disk2 the proper USB device): 

diskutil umountDisk /dev/disk2

Next step is putting the image into USB. For both Linux and macOS the procedure the same (please note /dev/rdisk2 - "r" prefix stands for the BSD "raw" device, it's used to make the operation faster): 

sudo dd if=linuxkit.iso of=/dev/rdisk2 bs=1m

The last step (for safety), please eject the disk (it may not be visible directly in the system, therefore need to use CLI). For macOS (assuming the same device as above): 

diskutil eject /dev/disk2

That's it! It may not working immediately, but it's a step forward. LinuxKit has the great potential, and I hope you can enjoy it as much as I do. 
Scalateχ \src: LinuxKit.scalatex

Comments

Post a Comment

Popular posts from this blog

Web application framework comparison by memory consumption

Memory consumption is slightly specific to my area of software development now, but I did some research recently and maybe these results can be useful for others. Of course, I know that precious comparison is very difficult to carry out, but actually I needed only overall picture. And let me admit that results are pretty interesting and even frustrated (at least for me). As a basis I took so-starving project, and measured initial RSS (Resident Set Size) of the each process (local development webservers). Platform: x86_64 Linux (latest Ubuntu with all updates). As a reference, here is the RSS of the interpreters in interactive console mode: Interpreter Version RSS (kB) stackless python 2.6.4 3916 ruby (via irb) 1.8.7 4664 python 2.7.1 5624 php 5.3.5 6924 v8 (via node.js shell) 2.5.9.9 8796 One more reference - the most simplest WSGI app ( example  in the Python documentation). It's RSS: 7336 Kb , so I assume it's almost impossible to consume l
Read more

Trac Ticket Workflow

Trac is the wiki and issue tracking system that is the most used for my software development projects. Let me share few hints about its ticket workflow, especially about the statuses, the roles of the participants, and let me give an example of the workflow config. But if you are interested in other things like Trac plugins, source browser, customizing, etc, let me know. All the information given below regards the workflow described at the end of the article. The original Trac workflow is missed vital features like the support for ticket verifying, or the required ticket statuses range, so I do not use it in my projects. The description of the main statuses: new - the ticket has been created; in-progress - the developer has began to work with the ticket; fixed - the ticket is fixed (the problem issued in the ticket is solved); verified - the ticket is verified (tester or PM has verified that the ticket is fixed correctly); closed - the ticket is closed (it's not
Read more

Shellcode detection using libemu

Shellcode can be seen as a list of instructions that has been developed in a manner that allows it to be injected in an application during runtime. Each security researcher face the shellcodes during their work, and in this article I'll show how to detect shellcodes using Python (via libemu Python binding). Few words about libemu : libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. Intended use is within network intrusion/prevention detections and honeypots. The information on the site is not actual in some places, so I'll give direct and clear instruction how to get and install libemu. Clone the git repository: $ git clone git://git.carnivore.it/libemu.git Firstly, configure, make and install libemu itself (without binding): $ autoreconf -v -i $ ./configure --prefix=/opt/libemu $ make $ sudo make install If you set up prefix as shown above, you have to add the library path to /etc/ld.so.conf file
Read more