Fossil SCM
The container now uses BusyBox only in the build and setup stages, leaving just the static Fossil binary in the final stage, plus absolute necessities like a /tmp directory. This removes the justification for the custom BusyBox configuration, which then means we can use Alpine's busybox-static package in the second stage, saving a bunch of network I/O and build time. That in turn means we no longer have any justification for jailing the Fossil binary, since there's nothing extra left inside the container for it to play with. Doing this required bumping the Dockerfile syntax back up from 1.0 to 1.3 to get the "COPY --chmod" feature; tested it in Podman, which has had it [https://github.com/containers/buildah/issues/2961 | for two years now]. Doing all of this simplifies the Dockerfile and its documentation considerably. As a bonus, it builds quicker, and it's nearly a meg lighter in compressed image form. Especially for the case of using the container as a static "fossil" binary builder, this is nothing but win.
Commit
79ac06a5407ecfe0bb5446241cd61135375f5a5b158562438fc2d8cd4554182c
Parent
c04c814e10860bc…
6 files changed
+40
-52
+1
-1
-58
-1200
+2
-1
+163
-203
+40
-52
| --- Dockerfile | ||
| +++ Dockerfile | ||
| @@ -1,49 +1,41 @@ | ||
| 1 | -# syntax=docker/dockerfile:1.0 | |
| 1 | +# syntax=docker/dockerfile:1.3 | |
| 2 | 2 | # See www/containers.md for documentation on how to use this file. |
| 3 | 3 | |
| 4 | 4 | ## --------------------------------------------------------------------- |
| 5 | -## STAGE 1: Build static Fossil & BusyBox binaries atop Alpine Linux | |
| 5 | +## STAGE 1: Build static Fossil binary | |
| 6 | 6 | ## --------------------------------------------------------------------- |
| 7 | 7 | |
| 8 | +### We aren't pinning to a more stable version of Alpine because we want | |
| 9 | +### to build with the latest tools and libraries available in case they | |
| 10 | +### fixed something that matters to us since the last build. Everything | |
| 11 | +### below depends on this layer, and so, alas, we toss this container's | |
| 12 | +### cache on Alpine's release schedule, roughly once a month. | |
| 8 | 13 | FROM alpine:latest AS builder |
| 9 | 14 | WORKDIR /tmp |
| 10 | 15 | |
| 11 | -### Bake the basic Alpine Linux into a base layer so we never have to | |
| 12 | -### repeat that step unless we change the package set. Although we're | |
| 13 | -### going to throw this layer away below, we still pass --no-cache | |
| 14 | -### because that cache is of no use in an immutable layer. | |
| 16 | +### Bake the basic Alpine Linux into a base layer so it only changes | |
| 17 | +### when the upstream image is updated or we change the package set. | |
| 15 | 18 | RUN set -x \ |
| 16 | 19 | && apk update \ |
| 17 | 20 | && apk upgrade --no-cache \ |
| 18 | 21 | && apk add --no-cache \ |
| 19 | - gcc make \ | |
| 22 | + busybox-static gcc make \ | |
| 20 | 23 | linux-headers musl-dev \ |
| 21 | 24 | openssl-dev openssl-libs-static \ |
| 22 | 25 | zlib-dev zlib-static |
| 23 | 26 | |
| 24 | -### Bake the custom BusyBox into another layer. The intent is that this | |
| 25 | -### changes only when we change BBXVER. That will force an update of | |
| 26 | -### the layers below, but this is a rare occurrence. | |
| 27 | -ARG BBXVER="1_35_0" | |
| 28 | -ENV BBXURL "https://github.com/mirror/busybox/tarball/${BBXVER}" | |
| 29 | -COPY containers/busybox-config /tmp/bbx/.config | |
| 30 | -RUN set -x \ | |
| 31 | - && wget -O /tmp/bbx/src.tar.gz ${BBXURL} \ | |
| 32 | - && tar --strip-components=1 -C bbx -xzf bbx/src.tar.gz \ | |
| 33 | - && ( cd bbx && yes "" | make oldconfig && make -j11 ) | |
| 34 | - | |
| 35 | -### The changeable Fossil layer is the only one in the first stage that | |
| 36 | -### changes often, so add it last, to make it independent of the others. | |
| 27 | +### Build Fossil as a separate layer so we don't have to rebuild the | |
| 28 | +### Alpine environment for each iteration of Fossil's dev cycle. | |
| 37 | 29 | ### |
| 38 | -### $FSLSTB can be either a file or a directory due to a bizarre ADD | |
| 39 | -### misfeature: it unpacks tarballs when added from a local file but not | |
| 40 | -### from a URL! It matters because we default to a URL in case you're | |
| 41 | -### building outside a Fossil checkout, but when building via the | |
| 42 | -### container-image target, we can avoid a costly hit on the Fossil | |
| 43 | -### project's home site by pulling the data from the local repo via the | |
| 44 | -### "tarball" command. This is a DVCS, after all! | |
| 30 | +### We must cope with a bizarre ADD misfeature here: it unpacks tarballs | |
| 31 | +### automatically when you give it a local file name but not if you give | |
| 32 | +### it a /tarball URL! It matters because we default to a URL in case | |
| 33 | +### you're building outside a Fossil checkout, but when building via the | |
| 34 | +### container-image target, we avoid a costly hit on fossil-scm.org | |
| 35 | +### by leveraging its DVCS nature via the "tarball" command and passing | |
| 36 | +### the resulting file's name in. | |
| 45 | 37 | ARG FSLCFG="" |
| 46 | 38 | ARG FSLVER="trunk" |
| 47 | 39 | ARG FSLURL="https://fossil-scm.org/home/tarball/src?r=${FSLVER}" |
| 48 | 40 | ENV FSLSTB=/tmp/fsl/src.tar.gz |
| 49 | 41 | ADD $FSLURL $FSLSTB |
| @@ -57,52 +49,48 @@ | ||
| 57 | 49 | ## --------------------------------------------------------------------- |
| 58 | 50 | ## STAGE 2: Pare that back to the bare essentials. |
| 59 | 51 | ## --------------------------------------------------------------------- |
| 60 | 52 | |
| 61 | 53 | FROM scratch AS os |
| 62 | -WORKDIR /jail | |
| 63 | 54 | ARG UID=499 |
| 64 | -ENV PATH "/bin:/jail/bin" | |
| 65 | 55 | |
| 66 | 56 | ### Lay BusyBox down as the first base layer. Coupled with the host's |
| 67 | 57 | ### kernel, this is the "OS" used to RUN the subsequent setup script. |
| 68 | -COPY --from=builder /tmp/bbx/busybox /bin/ | |
| 58 | +COPY --from=builder /bin/busybox.static /bin/busybox | |
| 69 | 59 | RUN [ "/bin/busybox", "--install", "/bin" ] |
| 70 | 60 | |
| 71 | 61 | ### Set up that base OS for our specific use without tying it to |
| 72 | 62 | ### anything likely to change often. So long as the user leaves |
| 73 | 63 | ### UID alone, this layer will be durable. |
| 74 | -RUN set -x \ | |
| 75 | - && echo "root:x:0:0:Admin:/:/false" > /etc/passwd \ | |
| 76 | - && echo "root:x:0:root" > /etc/group \ | |
| 77 | - && echo "fossil:x:${UID}:${UID}:User:/jail:/false" >> /etc/passwd \ | |
| 78 | - && echo "fossil:x:${UID}:fossil" >> /etc/group \ | |
| 79 | - && install -d -m 700 -o fossil -g fossil log museum \ | |
| 80 | - && install -d -m 755 -o fossil -g fossil dev \ | |
| 81 | - && install -d -m 1777 -o root -g root /tmp \ | |
| 82 | - && mknod -m 666 dev/null c 1 3 \ | |
| 83 | - && mknod -m 444 dev/urandom c 1 9 | |
| 84 | - | |
| 85 | -### Do Fossil-specific things atop those base layers; this will change | |
| 86 | -### as often as the Fossil build-from-source layer above. | |
| 87 | -COPY --from=builder /tmp/fossil bin/ | |
| 88 | -RUN set -x \ | |
| 89 | - && ln -s /jail/bin/fossil /bin/f \ | |
| 90 | - && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum \ | |
| 91 | - && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum \ | |
| 92 | - && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > \ | |
| 93 | - /bin/sqlite3 \ | |
| 94 | - && chmod +x /bin/sha?sum /bin/sqlite3 | |
| 64 | +RUN set -x \ | |
| 65 | + && mkdir log museum tmp \ | |
| 66 | + && echo "root:x:0:0:Admin:/:/false" > /tmp/passwd \ | |
| 67 | + && echo "root:x:0:root" > /tmp/group \ | |
| 68 | + && echo "fossil:x:${UID}:${UID}:User:/museum:/false" >> /tmp/passwd \ | |
| 69 | + && echo "fossil:x:${UID}:fossil" >> /tmp/group | |
| 70 | + | |
| 71 | + | |
| 72 | +## --------------------------------------------------------------------- | |
| 73 | +## STAGE 3: Drop BusyBox, too, now that we're done with its /bin/sh &c | |
| 74 | +## --------------------------------------------------------------------- | |
| 75 | + | |
| 76 | +FROM scratch AS run | |
| 77 | +COPY --from=os /tmp/group /tmp/passwd /etc/ | |
| 78 | +COPY --from=os --chown=fossil:fossil /log /log/ | |
| 79 | +COPY --from=os --chown=fossil:fossil /museum /museum/ | |
| 80 | +COPY --from=os --chmod=1777 /tmp /tmp/ | |
| 81 | +COPY --from=builder /tmp/fossil /bin/ | |
| 95 | 82 | |
| 96 | 83 | |
| 97 | 84 | ## --------------------------------------------------------------------- |
| 98 | 85 | ## RUN! |
| 99 | 86 | ## --------------------------------------------------------------------- |
| 100 | 87 | |
| 88 | +ENV PATH "/bin" | |
| 101 | 89 | EXPOSE 8080/tcp |
| 90 | +USER fossil | |
| 102 | 91 | CMD [ \ |
| 103 | 92 | "fossil", "server", \ |
| 104 | - "--chroot", "/jail", \ | |
| 105 | 93 | "--create", \ |
| 106 | 94 | "--jsmode", "bundled", \ |
| 107 | 95 | "--user", "admin", \ |
| 108 | 96 | "museum/repo.fossil" ] |
| 109 | 97 |
| --- Dockerfile | |
| +++ Dockerfile | |
| @@ -1,49 +1,41 @@ | |
| 1 | # syntax=docker/dockerfile:1.0 |
| 2 | # See www/containers.md for documentation on how to use this file. |
| 3 | |
| 4 | ## --------------------------------------------------------------------- |
| 5 | ## STAGE 1: Build static Fossil & BusyBox binaries atop Alpine Linux |
| 6 | ## --------------------------------------------------------------------- |
| 7 | |
| 8 | FROM alpine:latest AS builder |
| 9 | WORKDIR /tmp |
| 10 | |
| 11 | ### Bake the basic Alpine Linux into a base layer so we never have to |
| 12 | ### repeat that step unless we change the package set. Although we're |
| 13 | ### going to throw this layer away below, we still pass --no-cache |
| 14 | ### because that cache is of no use in an immutable layer. |
| 15 | RUN set -x \ |
| 16 | && apk update \ |
| 17 | && apk upgrade --no-cache \ |
| 18 | && apk add --no-cache \ |
| 19 | gcc make \ |
| 20 | linux-headers musl-dev \ |
| 21 | openssl-dev openssl-libs-static \ |
| 22 | zlib-dev zlib-static |
| 23 | |
| 24 | ### Bake the custom BusyBox into another layer. The intent is that this |
| 25 | ### changes only when we change BBXVER. That will force an update of |
| 26 | ### the layers below, but this is a rare occurrence. |
| 27 | ARG BBXVER="1_35_0" |
| 28 | ENV BBXURL "https://github.com/mirror/busybox/tarball/${BBXVER}" |
| 29 | COPY containers/busybox-config /tmp/bbx/.config |
| 30 | RUN set -x \ |
| 31 | && wget -O /tmp/bbx/src.tar.gz ${BBXURL} \ |
| 32 | && tar --strip-components=1 -C bbx -xzf bbx/src.tar.gz \ |
| 33 | && ( cd bbx && yes "" | make oldconfig && make -j11 ) |
| 34 | |
| 35 | ### The changeable Fossil layer is the only one in the first stage that |
| 36 | ### changes often, so add it last, to make it independent of the others. |
| 37 | ### |
| 38 | ### $FSLSTB can be either a file or a directory due to a bizarre ADD |
| 39 | ### misfeature: it unpacks tarballs when added from a local file but not |
| 40 | ### from a URL! It matters because we default to a URL in case you're |
| 41 | ### building outside a Fossil checkout, but when building via the |
| 42 | ### container-image target, we can avoid a costly hit on the Fossil |
| 43 | ### project's home site by pulling the data from the local repo via the |
| 44 | ### "tarball" command. This is a DVCS, after all! |
| 45 | ARG FSLCFG="" |
| 46 | ARG FSLVER="trunk" |
| 47 | ARG FSLURL="https://fossil-scm.org/home/tarball/src?r=${FSLVER}" |
| 48 | ENV FSLSTB=/tmp/fsl/src.tar.gz |
| 49 | ADD $FSLURL $FSLSTB |
| @@ -57,52 +49,48 @@ | |
| 57 | ## --------------------------------------------------------------------- |
| 58 | ## STAGE 2: Pare that back to the bare essentials. |
| 59 | ## --------------------------------------------------------------------- |
| 60 | |
| 61 | FROM scratch AS os |
| 62 | WORKDIR /jail |
| 63 | ARG UID=499 |
| 64 | ENV PATH "/bin:/jail/bin" |
| 65 | |
| 66 | ### Lay BusyBox down as the first base layer. Coupled with the host's |
| 67 | ### kernel, this is the "OS" used to RUN the subsequent setup script. |
| 68 | COPY --from=builder /tmp/bbx/busybox /bin/ |
| 69 | RUN [ "/bin/busybox", "--install", "/bin" ] |
| 70 | |
| 71 | ### Set up that base OS for our specific use without tying it to |
| 72 | ### anything likely to change often. So long as the user leaves |
| 73 | ### UID alone, this layer will be durable. |
| 74 | RUN set -x \ |
| 75 | && echo "root:x:0:0:Admin:/:/false" > /etc/passwd \ |
| 76 | && echo "root:x:0:root" > /etc/group \ |
| 77 | && echo "fossil:x:${UID}:${UID}:User:/jail:/false" >> /etc/passwd \ |
| 78 | && echo "fossil:x:${UID}:fossil" >> /etc/group \ |
| 79 | && install -d -m 700 -o fossil -g fossil log museum \ |
| 80 | && install -d -m 755 -o fossil -g fossil dev \ |
| 81 | && install -d -m 1777 -o root -g root /tmp \ |
| 82 | && mknod -m 666 dev/null c 1 3 \ |
| 83 | && mknod -m 444 dev/urandom c 1 9 |
| 84 | |
| 85 | ### Do Fossil-specific things atop those base layers; this will change |
| 86 | ### as often as the Fossil build-from-source layer above. |
| 87 | COPY --from=builder /tmp/fossil bin/ |
| 88 | RUN set -x \ |
| 89 | && ln -s /jail/bin/fossil /bin/f \ |
| 90 | && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum \ |
| 91 | && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum \ |
| 92 | && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > \ |
| 93 | /bin/sqlite3 \ |
| 94 | && chmod +x /bin/sha?sum /bin/sqlite3 |
| 95 | |
| 96 | |
| 97 | ## --------------------------------------------------------------------- |
| 98 | ## RUN! |
| 99 | ## --------------------------------------------------------------------- |
| 100 | |
| 101 | EXPOSE 8080/tcp |
| 102 | CMD [ \ |
| 103 | "fossil", "server", \ |
| 104 | "--chroot", "/jail", \ |
| 105 | "--create", \ |
| 106 | "--jsmode", "bundled", \ |
| 107 | "--user", "admin", \ |
| 108 | "museum/repo.fossil" ] |
| 109 |
| --- Dockerfile | |
| +++ Dockerfile | |
| @@ -1,49 +1,41 @@ | |
| 1 | # syntax=docker/dockerfile:1.3 |
| 2 | # See www/containers.md for documentation on how to use this file. |
| 3 | |
| 4 | ## --------------------------------------------------------------------- |
| 5 | ## STAGE 1: Build static Fossil binary |
| 6 | ## --------------------------------------------------------------------- |
| 7 | |
| 8 | ### We aren't pinning to a more stable version of Alpine because we want |
| 9 | ### to build with the latest tools and libraries available in case they |
| 10 | ### fixed something that matters to us since the last build. Everything |
| 11 | ### below depends on this layer, and so, alas, we toss this container's |
| 12 | ### cache on Alpine's release schedule, roughly once a month. |
| 13 | FROM alpine:latest AS builder |
| 14 | WORKDIR /tmp |
| 15 | |
| 16 | ### Bake the basic Alpine Linux into a base layer so it only changes |
| 17 | ### when the upstream image is updated or we change the package set. |
| 18 | RUN set -x \ |
| 19 | && apk update \ |
| 20 | && apk upgrade --no-cache \ |
| 21 | && apk add --no-cache \ |
| 22 | busybox-static gcc make \ |
| 23 | linux-headers musl-dev \ |
| 24 | openssl-dev openssl-libs-static \ |
| 25 | zlib-dev zlib-static |
| 26 | |
| 27 | ### Build Fossil as a separate layer so we don't have to rebuild the |
| 28 | ### Alpine environment for each iteration of Fossil's dev cycle. |
| 29 | ### |
| 30 | ### We must cope with a bizarre ADD misfeature here: it unpacks tarballs |
| 31 | ### automatically when you give it a local file name but not if you give |
| 32 | ### it a /tarball URL! It matters because we default to a URL in case |
| 33 | ### you're building outside a Fossil checkout, but when building via the |
| 34 | ### container-image target, we avoid a costly hit on fossil-scm.org |
| 35 | ### by leveraging its DVCS nature via the "tarball" command and passing |
| 36 | ### the resulting file's name in. |
| 37 | ARG FSLCFG="" |
| 38 | ARG FSLVER="trunk" |
| 39 | ARG FSLURL="https://fossil-scm.org/home/tarball/src?r=${FSLVER}" |
| 40 | ENV FSLSTB=/tmp/fsl/src.tar.gz |
| 41 | ADD $FSLURL $FSLSTB |
| @@ -57,52 +49,48 @@ | |
| 49 | ## --------------------------------------------------------------------- |
| 50 | ## STAGE 2: Pare that back to the bare essentials. |
| 51 | ## --------------------------------------------------------------------- |
| 52 | |
| 53 | FROM scratch AS os |
| 54 | ARG UID=499 |
| 55 | |
| 56 | ### Lay BusyBox down as the first base layer. Coupled with the host's |
| 57 | ### kernel, this is the "OS" used to RUN the subsequent setup script. |
| 58 | COPY --from=builder /bin/busybox.static /bin/busybox |
| 59 | RUN [ "/bin/busybox", "--install", "/bin" ] |
| 60 | |
| 61 | ### Set up that base OS for our specific use without tying it to |
| 62 | ### anything likely to change often. So long as the user leaves |
| 63 | ### UID alone, this layer will be durable. |
| 64 | RUN set -x \ |
| 65 | && mkdir log museum tmp \ |
| 66 | && echo "root:x:0:0:Admin:/:/false" > /tmp/passwd \ |
| 67 | && echo "root:x:0:root" > /tmp/group \ |
| 68 | && echo "fossil:x:${UID}:${UID}:User:/museum:/false" >> /tmp/passwd \ |
| 69 | && echo "fossil:x:${UID}:fossil" >> /tmp/group |
| 70 | |
| 71 | |
| 72 | ## --------------------------------------------------------------------- |
| 73 | ## STAGE 3: Drop BusyBox, too, now that we're done with its /bin/sh &c |
| 74 | ## --------------------------------------------------------------------- |
| 75 | |
| 76 | FROM scratch AS run |
| 77 | COPY --from=os /tmp/group /tmp/passwd /etc/ |
| 78 | COPY --from=os --chown=fossil:fossil /log /log/ |
| 79 | COPY --from=os --chown=fossil:fossil /museum /museum/ |
| 80 | COPY --from=os --chmod=1777 /tmp /tmp/ |
| 81 | COPY --from=builder /tmp/fossil /bin/ |
| 82 | |
| 83 | |
| 84 | ## --------------------------------------------------------------------- |
| 85 | ## RUN! |
| 86 | ## --------------------------------------------------------------------- |
| 87 | |
| 88 | ENV PATH "/bin" |
| 89 | EXPOSE 8080/tcp |
| 90 | USER fossil |
| 91 | CMD [ \ |
| 92 | "fossil", "server", \ |
| 93 | "--create", \ |
| 94 | "--jsmode", "bundled", \ |
| 95 | "--user", "admin", \ |
| 96 | "museum/repo.fossil" ] |
| 97 |
+1
-1
| --- Makefile.in | ||
| +++ Makefile.in | ||
| @@ -137,11 +137,11 @@ | ||
| 137 | 137 | --cap-drop NET_BIND_SERVICE \ |
| 138 | 138 | --cap-drop NET_RAW \ |
| 139 | 139 | --cap-drop SETFCAP \ |
| 140 | 140 | --cap-drop SETPCAP \ |
| 141 | 141 | --publish 8080:8080 \ |
| 142 | - $(DCFLAGS) $(IMGVER) | |
| 142 | + $(DCFLAGS) $(IMGVER) $(DCCMD) | |
| 143 | 143 | |
| 144 | 144 | container-clean: |
| 145 | 145 | -docker container kill $(CNTVER) |
| 146 | 146 | -docker container rm $(CNTVER) |
| 147 | 147 | -docker image rm $(IMGVER) |
| 148 | 148 | |
| 149 | 149 | DELETED containers/Dockerfile-nojail.patch |
| 150 | 150 | DELETED containers/busybox-config |
| --- Makefile.in | |
| +++ Makefile.in | |
| @@ -137,11 +137,11 @@ | |
| 137 | --cap-drop NET_BIND_SERVICE \ |
| 138 | --cap-drop NET_RAW \ |
| 139 | --cap-drop SETFCAP \ |
| 140 | --cap-drop SETPCAP \ |
| 141 | --publish 8080:8080 \ |
| 142 | $(DCFLAGS) $(IMGVER) |
| 143 | |
| 144 | container-clean: |
| 145 | -docker container kill $(CNTVER) |
| 146 | -docker container rm $(CNTVER) |
| 147 | -docker image rm $(IMGVER) |
| 148 | |
| 149 | ELETED containers/Dockerfile-nojail.patch |
| 150 | ELETED containers/busybox-config |
| --- Makefile.in | |
| +++ Makefile.in | |
| @@ -137,11 +137,11 @@ | |
| 137 | --cap-drop NET_BIND_SERVICE \ |
| 138 | --cap-drop NET_RAW \ |
| 139 | --cap-drop SETFCAP \ |
| 140 | --cap-drop SETPCAP \ |
| 141 | --publish 8080:8080 \ |
| 142 | $(DCFLAGS) $(IMGVER) $(DCCMD) |
| 143 | |
| 144 | container-clean: |
| 145 | -docker container kill $(CNTVER) |
| 146 | -docker container rm $(CNTVER) |
| 147 | -docker image rm $(IMGVER) |
| 148 | |
| 149 | ELETED containers/Dockerfile-nojail.patch |
| 150 | ELETED containers/busybox-config |
D
containers/Dockerfile-nojail.patch
-58
| --- a/containers/Dockerfile-nojail.patch | ||
| +++ b/containers/Dockerfile-nojail.patch | ||
| @@ -1,59 +0,0 @@ | ||
| 1 | -Index: Dockerfile | |
| 2 | -================================================================== | |
| ---- Dockerfile | ||
| 3 | -+++ Dockerfile | |
| 4 | -@@ -57,13 +57,13 @@ | |
| 5 | - ## --------------------------------------------------------------------- | |
| 6 | - ## STAGE 2: Pare that back to the bare essentials. | |
| 7 | - ## --------------------------------------------------------------------- | |
| 8 | - | |
| 9 | - FROM scratch AS os | |
| 10 | --WORKDIR /jail | |
| 11 | -+WORKDIR / | |
| 12 | - ARG UID=499 | |
| 13 | --ENV PATH "/bin:/jail/bin" | |
| 14 | -+ENV PATH "/bin" | |
| 15 | - | |
| 16 | - ### Lay BusyBox down as the first base layer. Coupled with the host's | |
| 17 | - ### kernel, this is the "OS" used to RUN the subsequent setup script. | |
| 18 | - COPY --from=builder /tmp/bbx/busybox /bin/ | |
| 19 | - RUN [ "/bin/busybox", "--install", "/bin" ] | |
| 20 | -@@ -72,23 +72,23 @@ | |
| 21 | - ### anything likely to change often. So long as the user leaves | |
| 22 | - ### UID alone, this layer will be durable. | |
| 23 | - RUN set -x \ | |
| 24 | - && echo "root:x:0:0:Admin:/:/false" > /etc/passwd \ | |
| 25 | - && echo "root:x:0:root" > /etc/group \ | |
| 26 | -- && echo "fossil:x:${UID}:${UID}:User:/jail:/false" >> /etc/passwd \ | |
| 27 | -+ && echo "fossil:x:${UID}:${UID}:User:/:/false" >> /etc/passwd \ | |
| 28 | - && echo "fossil:x:${UID}:fossil" >> /etc/group \ | |
| 29 | - && install -d -m 700 -o fossil -g fossil log museum \ | |
| 30 | - && install -d -m 755 -o fossil -g fossil dev \ | |
| 31 | - && install -d -m 1777 -o root -g root /tmp \ | |
| 32 | - && mknod -m 666 dev/null c 1 3 \ | |
| 33 | - && mknod -m 444 dev/urandom c 1 9 | |
| 34 | - | |
| 35 | - ### Do Fossil-specific things atop those base layers; this will change | |
| 36 | - ### as often as the Fossil build-from-source layer above. | |
| 37 | --COPY --from=builder /tmp/fossil bin/ | |
| 38 | -+COPY --from=builder /tmp/fossil /bin/ | |
| 39 | - RUN set -x \ | |
| 40 | -- && ln -s /jail/bin/fossil /bin/f \ | |
| 41 | -+ && ln -s /bin/fossil /bin/f \ | |
| 42 | - && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum \ | |
| 43 | - && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum \ | |
| 44 | - && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > \ | |
| 45 | - /bin/sqlite3 \ | |
| 46 | - && chmod +x /bin/sha?sum /bin/sqlite3 | |
| 47 | -@@ -99,10 +99,9 @@ | |
| 48 | - ## --------------------------------------------------------------------- | |
| 49 | - | |
| 50 | - EXPOSE 8080/tcp | |
| 51 | - CMD [ \ | |
| 52 | - "fossil", "server", \ | |
| 53 | -- "--chroot", "/jail", \ | |
| 54 | - "--create", \ | |
| 55 | - "--jsmode", "bundled", \ | |
| 56 | - "--user", "admin", \ | |
| 57 | - "museum/repo.fossil" ] | |
| 58 | - |
| --- a/containers/Dockerfile-nojail.patch | |
| +++ b/containers/Dockerfile-nojail.patch | |
| @@ -1,59 +0,0 @@ | |
| 1 | Index: Dockerfile |
| 2 | ================================================================== |
| ---- Dockerfile | |
| 3 | +++ Dockerfile |
| 4 | @@ -57,13 +57,13 @@ |
| 5 | ## --------------------------------------------------------------------- |
| 6 | ## STAGE 2: Pare that back to the bare essentials. |
| 7 | ## --------------------------------------------------------------------- |
| 8 | |
| 9 | FROM scratch AS os |
| 10 | -WORKDIR /jail |
| 11 | +WORKDIR / |
| 12 | ARG UID=499 |
| 13 | -ENV PATH "/bin:/jail/bin" |
| 14 | +ENV PATH "/bin" |
| 15 | |
| 16 | ### Lay BusyBox down as the first base layer. Coupled with the host's |
| 17 | ### kernel, this is the "OS" used to RUN the subsequent setup script. |
| 18 | COPY --from=builder /tmp/bbx/busybox /bin/ |
| 19 | RUN [ "/bin/busybox", "--install", "/bin" ] |
| 20 | @@ -72,23 +72,23 @@ |
| 21 | ### anything likely to change often. So long as the user leaves |
| 22 | ### UID alone, this layer will be durable. |
| 23 | RUN set -x \ |
| 24 | && echo "root:x:0:0:Admin:/:/false" > /etc/passwd \ |
| 25 | && echo "root:x:0:root" > /etc/group \ |
| 26 | - && echo "fossil:x:${UID}:${UID}:User:/jail:/false" >> /etc/passwd \ |
| 27 | + && echo "fossil:x:${UID}:${UID}:User:/:/false" >> /etc/passwd \ |
| 28 | && echo "fossil:x:${UID}:fossil" >> /etc/group \ |
| 29 | && install -d -m 700 -o fossil -g fossil log museum \ |
| 30 | && install -d -m 755 -o fossil -g fossil dev \ |
| 31 | && install -d -m 1777 -o root -g root /tmp \ |
| 32 | && mknod -m 666 dev/null c 1 3 \ |
| 33 | && mknod -m 444 dev/urandom c 1 9 |
| 34 | |
| 35 | ### Do Fossil-specific things atop those base layers; this will change |
| 36 | ### as often as the Fossil build-from-source layer above. |
| 37 | -COPY --from=builder /tmp/fossil bin/ |
| 38 | +COPY --from=builder /tmp/fossil /bin/ |
| 39 | RUN set -x \ |
| 40 | - && ln -s /jail/bin/fossil /bin/f \ |
| 41 | + && ln -s /bin/fossil /bin/f \ |
| 42 | && echo -e '#!/bin/sh\nfossil sha1sum "$@"' > /bin/sha1sum \ |
| 43 | && echo -e '#!/bin/sh\nfossil sha3sum "$@"' > /bin/sha3sum \ |
| 44 | && echo -e '#!/bin/sh\nfossil sqlite3 --no-repository "$@"' > \ |
| 45 | /bin/sqlite3 \ |
| 46 | && chmod +x /bin/sha?sum /bin/sqlite3 |
| 47 | @@ -99,10 +99,9 @@ |
| 48 | ## --------------------------------------------------------------------- |
| 49 | |
| 50 | EXPOSE 8080/tcp |
| 51 | CMD [ \ |
| 52 | "fossil", "server", \ |
| 53 | - "--chroot", "/jail", \ |
| 54 | "--create", \ |
| 55 | "--jsmode", "bundled", \ |
| 56 | "--user", "admin", \ |
| 57 | "museum/repo.fossil" ] |
| 58 |
| --- a/containers/Dockerfile-nojail.patch | |
| +++ b/containers/Dockerfile-nojail.patch | |
| @@ -1,59 +0,0 @@ | |
| ---- Dockerfile | |
D
containers/busybox-config
-1200
| --- a/containers/busybox-config | ||
| +++ b/containers/busybox-config | ||
| @@ -1,1200 +0,0 @@ | ||
| 1 | -# | |
| 2 | -# Automatically generated make config: don't edit | |
| 3 | -# Busybox version: 1.35.0 | |
| 4 | -# Tue Aug 16 02:15:21 2022 | |
| 5 | -# | |
| 6 | -CONFIG_HAVE_DOT_CONFIG=y | |
| 7 | - | |
| 8 | -# | |
| 9 | -# Settings | |
| 10 | -# | |
| 11 | -CONFIG_DESKTOP=y | |
| 12 | -# CONFIG_EXTRA_COMPAT is not set | |
| 13 | -# CONFIG_FEDORA_COMPAT is not set | |
| 14 | -CONFIG_INCLUDE_SUSv2=y | |
| 15 | -CONFIG_LONG_OPTS=y | |
| 16 | -CONFIG_SHOW_USAGE=y | |
| 17 | -CONFIG_FEATURE_VERBOSE_USAGE=y | |
| 18 | -CONFIG_FEATURE_COMPRESS_USAGE=y | |
| 19 | -CONFIG_LFS=y | |
| 20 | -# CONFIG_PAM is not set | |
| 21 | -CONFIG_FEATURE_DEVPTS=y | |
| 22 | -CONFIG_FEATURE_UTMP=y | |
| 23 | -CONFIG_FEATURE_WTMP=y | |
| 24 | -CONFIG_FEATURE_PIDFILE=y | |
| 25 | -CONFIG_PID_FILE_PATH="/var/run" | |
| 26 | -CONFIG_BUSYBOX=y | |
| 27 | -CONFIG_FEATURE_SHOW_SCRIPT=y | |
| 28 | -CONFIG_FEATURE_INSTALLER=y | |
| 29 | -# CONFIG_INSTALL_NO_USR is not set | |
| 30 | -CONFIG_FEATURE_SUID=y | |
| 31 | -CONFIG_FEATURE_SUID_CONFIG=y | |
| 32 | -CONFIG_FEATURE_SUID_CONFIG_QUIET=y | |
| 33 | -# CONFIG_FEATURE_PREFER_APPLETS is not set | |
| 34 | -CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe" | |
| 35 | -# CONFIG_SELINUX is not set | |
| 36 | -# CONFIG_FEATURE_CLEAN_UP is not set | |
| 37 | -CONFIG_FEATURE_SYSLOG_INFO=y | |
| 38 | -CONFIG_FEATURE_SYSLOG=y | |
| 39 | - | |
| 40 | -# | |
| 41 | -# Build Options | |
| 42 | -# | |
| 43 | -CONFIG_STATIC=y | |
| 44 | -# CONFIG_PIE is not set | |
| 45 | -# CONFIG_NOMMU is not set | |
| 46 | -# CONFIG_BUILD_LIBBUSYBOX is not set | |
| 47 | -# CONFIG_FEATURE_LIBBUSYBOX_STATIC is not set | |
| 48 | -# CONFIG_FEATURE_INDIVIDUAL is not set | |
| 49 | -# CONFIG_FEATURE_SHARED_BUSYBOX is not set | |
| 50 | -CONFIG_CROSS_COMPILER_PREFIX="" | |
| 51 | -CONFIG_SYSROOT="" | |
| 52 | -CONFIG_EXTRA_CFLAGS="" | |
| 53 | -CONFIG_EXTRA_LDFLAGS="" | |
| 54 | -CONFIG_EXTRA_LDLIBS="" | |
| 55 | -# CONFIG_USE_PORTABLE_CODE is not set | |
| 56 | -CONFIG_STACK_OPTIMIZATION_386=y | |
| 57 | -CONFIG_STATIC_LIBGCC=y | |
| 58 | - | |
| 59 | -# | |
| 60 | -# Installation Options ("make install" behavior) | |
| 61 | -# | |
| 62 | -CONFIG_INSTALL_APPLET_SYMLINKS=y | |
| 63 | -# CONFIG_INSTALL_APPLET_HARDLINKS is not set | |
| 64 | -# CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS is not set | |
| 65 | -# CONFIG_INSTALL_APPLET_DONT is not set | |
| 66 | -# CONFIG_INSTALL_SH_APPLET_SYMLINK is not set | |
| 67 | -# CONFIG_INSTALL_SH_APPLET_HARDLINK is not set | |
| 68 | -# CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER is not set | |
| 69 | -CONFIG_PREFIX="./_install" | |
| 70 | - | |
| 71 | -# | |
| 72 | -# Debugging Options | |
| 73 | -# | |
| 74 | -# CONFIG_DEBUG is not set | |
| 75 | -# CONFIG_DEBUG_PESSIMIZE is not set | |
| 76 | -# CONFIG_DEBUG_SANITIZE is not set | |
| 77 | -# CONFIG_UNIT_TEST is not set | |
| 78 | -# CONFIG_WERROR is not set | |
| 79 | -# CONFIG_WARN_SIMPLE_MSG is not set | |
| 80 | -CONFIG_NO_DEBUG_LIB=y | |
| 81 | -# CONFIG_DMALLOC is not set | |
| 82 | -# CONFIG_EFENCE is not set | |
| 83 | - | |
| 84 | -# | |
| 85 | -# Library Tuning | |
| 86 | -# | |
| 87 | -# CONFIG_FEATURE_USE_BSS_TAIL is not set | |
| 88 | -CONFIG_FLOAT_DURATION=y | |
| 89 | -CONFIG_FEATURE_RTMINMAX=y | |
| 90 | -CONFIG_FEATURE_RTMINMAX_USE_LIBC_DEFINITIONS=y | |
| 91 | -CONFIG_FEATURE_BUFFERS_USE_MALLOC=y | |
| 92 | -# CONFIG_FEATURE_BUFFERS_GO_ON_STACK is not set | |
| 93 | -# CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set | |
| 94 | -CONFIG_PASSWORD_MINLEN=6 | |
| 95 | -CONFIG_MD5_SMALL=1 | |
| 96 | -CONFIG_SHA3_SMALL=1 | |
| 97 | -CONFIG_FEATURE_NON_POSIX_CP=y | |
| 98 | -# CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set | |
| 99 | -CONFIG_FEATURE_USE_SENDFILE=y | |
| 100 | -CONFIG_FEATURE_COPYBUF_KB=4 | |
| 101 | -CONFIG_MONOTONIC_SYSCALL=y | |
| 102 | -CONFIG_IOCTL_HEX2STR_ERROR=y | |
| 103 | -CONFIG_FEATURE_EDITING=y | |
| 104 | -CONFIG_FEATURE_EDITING_MAX_LEN=1024 | |
| 105 | -# CONFIG_FEATURE_EDITING_VI is not set | |
| 106 | -CONFIG_FEATURE_EDITING_HISTORY=255 | |
| 107 | -CONFIG_FEATURE_EDITING_SAVEHISTORY=y | |
| 108 | -# CONFIG_FEATURE_EDITING_SAVE_ON_EXIT is not set | |
| 109 | -CONFIG_FEATURE_REVERSE_SEARCH=y | |
| 110 | -CONFIG_FEATURE_TAB_COMPLETION=y | |
| 111 | -CONFIG_FEATURE_USERNAME_COMPLETION=y | |
| 112 | -CONFIG_FEATURE_EDITING_FANCY_PROMPT=y | |
| 113 | -CONFIG_FEATURE_EDITING_WINCH=y | |
| 114 | -# CONFIG_FEATURE_EDITING_ASK_TERMINAL is not set | |
| 115 | -# CONFIG_LOCALE_SUPPORT is not set | |
| 116 | -CONFIG_UNICODE_SUPPORT=y | |
| 117 | -# CONFIG_UNICODE_USING_LOCALE is not set | |
| 118 | -# CONFIG_FEATURE_CHECK_UNICODE_IN_ENV is not set | |
| 119 | -CONFIG_SUBST_WCHAR=63 | |
| 120 | -CONFIG_LAST_SUPPORTED_WCHAR=767 | |
| 121 | -# CONFIG_UNICODE_COMBINING_WCHARS is not set | |
| 122 | -# CONFIG_UNICODE_WIDE_WCHARS is not set | |
| 123 | -# CONFIG_UNICODE_BIDI_SUPPORT is not set | |
| 124 | -# CONFIG_UNICODE_NEUTRAL_TABLE is not set | |
| 125 | -# CONFIG_UNICODE_PRESERVE_BROKEN is not set | |
| 126 | - | |
| 127 | -# | |
| 128 | -# Applets | |
| 129 | -# | |
| 130 | - | |
| 131 | -# | |
| 132 | -# Archival Utilities | |
| 133 | -# | |
| 134 | -# CONFIG_FEATURE_SEAMLESS_XZ is not set | |
| 135 | -# CONFIG_FEATURE_SEAMLESS_LZMA is not set | |
| 136 | -# CONFIG_FEATURE_SEAMLESS_BZ2 is not set | |
| 137 | -CONFIG_FEATURE_SEAMLESS_GZ=y | |
| 138 | -# CONFIG_FEATURE_SEAMLESS_Z is not set | |
| 139 | -# CONFIG_AR is not set | |
| 140 | -# CONFIG_FEATURE_AR_LONG_FILENAMES is not set | |
| 141 | -# CONFIG_FEATURE_AR_CREATE is not set | |
| 142 | -# CONFIG_UNCOMPRESS is not set | |
| 143 | -CONFIG_GUNZIP=y | |
| 144 | -CONFIG_ZCAT=y | |
| 145 | -CONFIG_FEATURE_GUNZIP_LONG_OPTIONS=y | |
| 146 | -# CONFIG_BUNZIP2 is not set | |
| 147 | -# CONFIG_BZCAT is not set | |
| 148 | -# CONFIG_UNLZMA is not set | |
| 149 | -# CONFIG_LZCAT is not set | |
| 150 | -# CONFIG_LZMA is not set | |
| 151 | -# CONFIG_UNXZ is not set | |
| 152 | -# CONFIG_XZCAT is not set | |
| 153 | -# CONFIG_XZ is not set | |
| 154 | -# CONFIG_BZIP2 is not set | |
| 155 | -CONFIG_BZIP2_SMALL=0 | |
| 156 | -# CONFIG_FEATURE_BZIP2_DECOMPRESS is not set | |
| 157 | -# CONFIG_CPIO is not set | |
| 158 | -# CONFIG_FEATURE_CPIO_O is not set | |
| 159 | -# CONFIG_FEATURE_CPIO_P is not set | |
| 160 | -# CONFIG_FEATURE_CPIO_IGNORE_DEVNO is not set | |
| 161 | -# CONFIG_FEATURE_CPIO_RENUMBER_INODES is not set | |
| 162 | -# CONFIG_DPKG is not set | |
| 163 | -# CONFIG_DPKG_DEB is not set | |
| 164 | -CONFIG_GZIP=y | |
| 165 | -CONFIG_FEATURE_GZIP_LONG_OPTIONS=y | |
| 166 | -CONFIG_GZIP_FAST=0 | |
| 167 | -# CONFIG_FEATURE_GZIP_LEVELS is not set | |
| 168 | -CONFIG_FEATURE_GZIP_DECOMPRESS=y | |
| 169 | -# CONFIG_LZOP is not set | |
| 170 | -# CONFIG_UNLZOP is not set | |
| 171 | -# CONFIG_LZOPCAT is not set | |
| 172 | -# CONFIG_LZOP_COMPR_HIGH is not set | |
| 173 | -# CONFIG_RPM is not set | |
| 174 | -# CONFIG_RPM2CPIO is not set | |
| 175 | -CONFIG_TAR=y | |
| 176 | -CONFIG_FEATURE_TAR_LONG_OPTIONS=y | |
| 177 | -CONFIG_FEATURE_TAR_CREATE=y | |
| 178 | -CONFIG_FEATURE_TAR_AUTODETECT=y | |
| 179 | -CONFIG_FEATURE_TAR_FROM=y | |
| 180 | -# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set | |
| 181 | -# CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set | |
| 182 | -CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y | |
| 183 | -# CONFIG_FEATURE_TAR_TO_COMMAND is not set | |
| 184 | -CONFIG_FEATURE_TAR_UNAME_GNAME=y | |
| 185 | -CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y | |
| 186 | -# CONFIG_FEATURE_TAR_SELINUX is not set | |
| 187 | -CONFIG_UNZIP=y | |
| 188 | -CONFIG_FEATURE_UNZIP_CDF=y | |
| 189 | -CONFIG_FEATURE_UNZIP_BZIP2=y | |
| 190 | -CONFIG_FEATURE_UNZIP_LZMA=y | |
| 191 | -CONFIG_FEATURE_UNZIP_XZ=y | |
| 192 | -# CONFIG_FEATURE_LZMA_FAST is not set | |
| 193 | - | |
| 194 | -# | |
| 195 | -# Coreutils | |
| 196 | -# | |
| 197 | -CONFIG_FEATURE_VERBOSE=y | |
| 198 | - | |
| 199 | -# | |
| 200 | -# Common options for date and touch | |
| 201 | -# | |
| 202 | -CONFIG_FEATURE_TIMEZONE=y | |
| 203 | - | |
| 204 | -# | |
| 205 | -# Common options for cp and mv | |
| 206 | -# | |
| 207 | -CONFIG_FEATURE_PRESERVE_HARDLINKS=y | |
| 208 | - | |
| 209 | -# | |
| 210 | -# Common options for df, du, ls | |
| 211 | -# | |
| 212 | -CONFIG_FEATURE_HUMAN_READABLE=y | |
| 213 | -CONFIG_BASENAME=y | |
| 214 | -CONFIG_CAT=y | |
| 215 | -CONFIG_FEATURE_CATN=y | |
| 216 | -CONFIG_FEATURE_CATV=y | |
| 217 | -CONFIG_CHGRP=y | |
| 218 | -CONFIG_CHMOD=y | |
| 219 | -CONFIG_CHOWN=y | |
| 220 | -CONFIG_FEATURE_CHOWN_LONG_OPTIONS=y | |
| 221 | -CONFIG_CHROOT=y | |
| 222 | -# CONFIG_CKSUM is not set | |
| 223 | -# CONFIG_CRC32 is not set | |
| 224 | -CONFIG_COMM=y | |
| 225 | -CONFIG_CP=y | |
| 226 | -CONFIG_FEATURE_CP_LONG_OPTIONS=y | |
| 227 | -CONFIG_FEATURE_CP_REFLINK=y | |
| 228 | -CONFIG_CUT=y | |
| 229 | -CONFIG_FEATURE_CUT_REGEX=y | |
| 230 | -CONFIG_DATE=y | |
| 231 | -CONFIG_FEATURE_DATE_ISOFMT=y | |
| 232 | -# CONFIG_FEATURE_DATE_NANO is not set | |
| 233 | -CONFIG_FEATURE_DATE_COMPAT=y | |
| 234 | -CONFIG_DD=y | |
| 235 | -CONFIG_FEATURE_DD_SIGNAL_HANDLING=y | |
| 236 | -CONFIG_FEATURE_DD_THIRD_STATUS_LINE=y | |
| 237 | -CONFIG_FEATURE_DD_IBS_OBS=y | |
| 238 | -CONFIG_FEATURE_DD_STATUS=y | |
| 239 | -CONFIG_DF=y | |
| 240 | -CONFIG_FEATURE_DF_FANCY=y | |
| 241 | -CONFIG_FEATURE_SKIP_ROOTFS=y | |
| 242 | -CONFIG_DIRNAME=y | |
| 243 | -CONFIG_DOS2UNIX=y | |
| 244 | -CONFIG_UNIX2DOS=y | |
| 245 | -CONFIG_DU=y | |
| 246 | -CONFIG_FEATURE_DU_DEFAULT_BLOCKSIZE_1K=y | |
| 247 | -# CONFIG_ECHO is not set | |
| 248 | -CONFIG_FEATURE_FANCY_ECHO=y | |
| 249 | -CONFIG_ENV=y | |
| 250 | -CONFIG_EXPAND=y | |
| 251 | -CONFIG_UNEXPAND=y | |
| 252 | -CONFIG_EXPR=y | |
| 253 | -CONFIG_EXPR_MATH_SUPPORT_64=y | |
| 254 | -# CONFIG_FACTOR is not set | |
| 255 | -CONFIG_FALSE=y | |
| 256 | -CONFIG_FOLD=y | |
| 257 | -CONFIG_HEAD=y | |
| 258 | -CONFIG_FEATURE_FANCY_HEAD=y | |
| 259 | -CONFIG_HOSTID=y | |
| 260 | -CONFIG_ID=y | |
| 261 | -CONFIG_GROUPS=y | |
| 262 | -CONFIG_INSTALL=y | |
| 263 | -CONFIG_FEATURE_INSTALL_LONG_OPTIONS=y | |
| 264 | -CONFIG_LINK=y | |
| 265 | -CONFIG_LN=y | |
| 266 | -# CONFIG_LOGNAME is not set | |
| 267 | -CONFIG_LS=y | |
| 268 | -CONFIG_FEATURE_LS_FILETYPES=y | |
| 269 | -CONFIG_FEATURE_LS_FOLLOWLINKS=y | |
| 270 | -CONFIG_FEATURE_LS_RECURSIVE=y | |
| 271 | -CONFIG_FEATURE_LS_WIDTH=y | |
| 272 | -CONFIG_FEATURE_LS_SORTFILES=y | |
| 273 | -CONFIG_FEATURE_LS_TIMESTAMPS=y | |
| 274 | -CONFIG_FEATURE_LS_USERNAME=y | |
| 275 | -CONFIG_FEATURE_LS_COLOR=y | |
| 276 | -CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y | |
| 277 | -# CONFIG_MD5SUM is not set | |
| 278 | -# CONFIG_SHA1SUM is not set | |
| 279 | -# CONFIG_SHA256SUM is not set | |
| 280 | -# CONFIG_SHA512SUM is not set | |
| 281 | -# CONFIG_SHA3SUM is not set | |
| 282 | -# CONFIG_FEATURE_MD5_SHA1_SUM_CHECK is not set | |
| 283 | -CONFIG_MKDIR=y | |
| 284 | -CONFIG_MKFIFO=y | |
| 285 | -CONFIG_MKNOD=y | |
| 286 | -CONFIG_MKTEMP=y | |
| 287 | -CONFIG_MV=y | |
| 288 | -CONFIG_NICE=y | |
| 289 | -CONFIG_NL=y | |
| 290 | -CONFIG_NOHUP=y | |
| 291 | -CONFIG_NPROC=y | |
| 292 | -CONFIG_OD=y | |
| 293 | -CONFIG_PASTE=y | |
| 294 | -# CONFIG_PRINTENV is not set | |
| 295 | -# CONFIG_PRINTF is not set | |
| 296 | -CONFIG_PWD=y | |
| 297 | -CONFIG_READLINK=y | |
| 298 | -CONFIG_FEATURE_READLINK_FOLLOW=y | |
| 299 | -CONFIG_REALPATH=y | |
| 300 | -CONFIG_RM=y | |
| 301 | -CONFIG_RMDIR=y | |
| 302 | -CONFIG_SEQ=y | |
| 303 | -CONFIG_SHRED=y | |
| 304 | -CONFIG_SHUF=y | |
| 305 | -CONFIG_SLEEP=y | |
| 306 | -CONFIG_FEATURE_FANCY_SLEEP=y | |
| 307 | -CONFIG_SORT=y | |
| 308 | -# CONFIG_FEATURE_SORT_BIG is not set | |
| 309 | -# CONFIG_FEATURE_SORT_OPTIMIZE_MEMORY is not set | |
| 310 | -CONFIG_SPLIT=y | |
| 311 | -CONFIG_FEATURE_SPLIT_FANCY=y | |
| 312 | -CONFIG_STAT=y | |
| 313 | -CONFIG_FEATURE_STAT_FORMAT=y | |
| 314 | -CONFIG_FEATURE_STAT_FILESYSTEM=y | |
| 315 | -CONFIG_STTY=y | |
| 316 | -# CONFIG_SUM is not set | |
| 317 | -CONFIG_SYNC=y | |
| 318 | -CONFIG_FEATURE_SYNC_FANCY=y | |
| 319 | -CONFIG_FSYNC=y | |
| 320 | -CONFIG_TAC=y | |
| 321 | -CONFIG_TAIL=y | |
| 322 | -CONFIG_FEATURE_FANCY_TAIL=y | |
| 323 | -CONFIG_TEE=y | |
| 324 | -CONFIG_FEATURE_TEE_USE_BLOCK_IO=y | |
| 325 | -# CONFIG_TEST is not set | |
| 326 | -# CONFIG_TEST1 is not set | |
| 327 | -# CONFIG_TEST2 is not set | |
| 328 | -# CONFIG_FEATURE_TEST_64 is not set | |
| 329 | -CONFIG_TIMEOUT=y | |
| 330 | -CONFIG_TOUCH=y | |
| 331 | -CONFIG_FEATURE_TOUCH_SUSV3=y | |
| 332 | -CONFIG_TR=y | |
| 333 | -CONFIG_FEATURE_TR_CLASSES=y | |
| 334 | -CONFIG_FEATURE_TR_EQUIV=y | |
| 335 | -CONFIG_TRUE=y | |
| 336 | -CONFIG_TRUNCATE=y | |
| 337 | -CONFIG_TTY=y | |
| 338 | -CONFIG_UNAME=y | |
| 339 | -CONFIG_UNAME_OSNAME="GNU/Linux" | |
| 340 | -CONFIG_BB_ARCH=y | |
| 341 | -CONFIG_UNIQ=y | |
| 342 | -CONFIG_UNLINK=y | |
| 343 | -CONFIG_USLEEP=y | |
| 344 | -CONFIG_UUDECODE=y | |
| 345 | -CONFIG_BASE32=y | |
| 346 | -CONFIG_BASE64=y | |
| 347 | -CONFIG_UUENCODE=y | |
| 348 | -CONFIG_WC=y | |
| 349 | -CONFIG_FEATURE_WC_LARGE=y | |
| 350 | -CONFIG_WHO=y | |
| 351 | -CONFIG_W=y | |
| 352 | -CONFIG_USERS=y | |
| 353 | -CONFIG_WHOAMI=y | |
| 354 | -CONFIG_YES=y | |
| 355 | - | |
| 356 | -# | |
| 357 | -# Console Utilities | |
| 358 | -# | |
| 359 | -# CONFIG_CHVT is not set | |
| 360 | -CONFIG_CLEAR=y | |
| 361 | -# CONFIG_DEALLOCVT is not set | |
| 362 | -# CONFIG_DUMPKMAP is not set | |
| 363 | -# CONFIG_FGCONSOLE is not set | |
| 364 | -# CONFIG_KBD_MODE is not set | |
| 365 | -# CONFIG_LOADFONT is not set | |
| 366 | -# CONFIG_SETFONT is not set | |
| 367 | -# CONFIG_FEATURE_SETFONT_TEXTUAL_MAP is not set | |
| 368 | -CONFIG_DEFAULT_SETFONT_DIR="" | |
| 369 | -# CONFIG_FEATURE_LOADFONT_PSF2 is not set | |
| 370 | -# CONFIG_FEATURE_LOADFONT_RAW is not set | |
| 371 | -# CONFIG_LOADKMAP is not set | |
| 372 | -# CONFIG_OPENVT is not set | |
| 373 | -# CONFIG_RESET is not set | |
| 374 | -# CONFIG_RESIZE is not set | |
| 375 | -# CONFIG_FEATURE_RESIZE_PRINT is not set | |
| 376 | -# CONFIG_SETCONSOLE is not set | |
| 377 | -# CONFIG_FEATURE_SETCONSOLE_LONG_OPTIONS is not set | |
| 378 | -# CONFIG_SETKEYCODES is not set | |
| 379 | -# CONFIG_SETLOGCONS is not set | |
| 380 | -# CONFIG_SHOWKEY is not set | |
| 381 | - | |
| 382 | -# | |
| 383 | -# Debian Utilities | |
| 384 | -# | |
| 385 | -# CONFIG_PIPE_PROGRESS is not set | |
| 386 | -# CONFIG_RUN_PARTS is not set | |
| 387 | -# CONFIG_FEATURE_RUN_PARTS_LONG_OPTIONS is not set | |
| 388 | -# CONFIG_FEATURE_RUN_PARTS_FANCY is not set | |
| 389 | -# CONFIG_START_STOP_DAEMON is not set | |
| 390 | -# CONFIG_FEATURE_START_STOP_DAEMON_LONG_OPTIONS is not set | |
| 391 | -# CONFIG_FEATURE_START_STOP_DAEMON_FANCY is not set | |
| 392 | -CONFIG_WHICH=y | |
| 393 | - | |
| 394 | -# | |
| 395 | -# klibc-utils | |
| 396 | -# | |
| 397 | -# CONFIG_MINIPS is not set | |
| 398 | -# CONFIG_NUKE is not set | |
| 399 | -# CONFIG_RESUME is not set | |
| 400 | -# CONFIG_RUN_INIT is not set | |
| 401 | - | |
| 402 | -# | |
| 403 | -# Editors | |
| 404 | -# | |
| 405 | -# CONFIG_AWK is not set | |
| 406 | -# CONFIG_FEATURE_AWK_LIBM is not set | |
| 407 | -# CONFIG_FEATURE_AWK_GNU_EXTENSIONS is not set | |
| 408 | -# CONFIG_CMP is not set | |
| 409 | -CONFIG_DIFF=y | |
| 410 | -CONFIG_FEATURE_DIFF_LONG_OPTIONS=y | |
| 411 | -CONFIG_FEATURE_DIFF_DIR=y | |
| 412 | -# CONFIG_ED is not set | |
| 413 | -CONFIG_PATCH=y | |
| 414 | -CONFIG_SED=y | |
| 415 | -CONFIG_VI=y | |
| 416 | -CONFIG_FEATURE_VI_MAX_LEN=4096 | |
| 417 | -# CONFIG_FEATURE_VI_8BIT is not set | |
| 418 | -CONFIG_FEATURE_VI_COLON=y | |
| 419 | -CONFIG_FEATURE_VI_COLON_EXPAND=y | |
| 420 | -CONFIG_FEATURE_VI_YANKMARK=y | |
| 421 | -CONFIG_FEATURE_VI_SEARCH=y | |
| 422 | -# CONFIG_FEATURE_VI_REGEX_SEARCH is not set | |
| 423 | -CONFIG_FEATURE_VI_USE_SIGNALS=y | |
| 424 | -CONFIG_FEATURE_VI_DOT_CMD=y | |
| 425 | -CONFIG_FEATURE_VI_READONLY=y | |
| 426 | -CONFIG_FEATURE_VI_SETOPTS=y | |
| 427 | -CONFIG_FEATURE_VI_SET=y | |
| 428 | -CONFIG_FEATURE_VI_WIN_RESIZE=y | |
| 429 | -CONFIG_FEATURE_VI_ASK_TERMINAL=y | |
| 430 | -CONFIG_FEATURE_VI_UNDO=y | |
| 431 | -CONFIG_FEATURE_VI_UNDO_QUEUE=y | |
| 432 | -CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256 | |
| 433 | -CONFIG_FEATURE_VI_VERBOSE_STATUS=y | |
| 434 | -CONFIG_FEATURE_ALLOW_EXEC=y | |
| 435 | - | |
| 436 | -# | |
| 437 | -# Finding Utilities | |
| 438 | -# | |
| 439 | -CONFIG_FIND=y | |
| 440 | -CONFIG_FEATURE_FIND_PRINT0=y | |
| 441 | -CONFIG_FEATURE_FIND_MTIME=y | |
| 442 | -CONFIG_FEATURE_FIND_ATIME=y | |
| 443 | -CONFIG_FEATURE_FIND_CTIME=y | |
| 444 | -CONFIG_FEATURE_FIND_MMIN=y | |
| 445 | -CONFIG_FEATURE_FIND_AMIN=y | |
| 446 | -CONFIG_FEATURE_FIND_CMIN=y | |
| 447 | -CONFIG_FEATURE_FIND_PERM=y | |
| 448 | -CONFIG_FEATURE_FIND_TYPE=y | |
| 449 | -CONFIG_FEATURE_FIND_EXECUTABLE=y | |
| 450 | -CONFIG_FEATURE_FIND_XDEV=y | |
| 451 | -CONFIG_FEATURE_FIND_MAXDEPTH=y | |
| 452 | -CONFIG_FEATURE_FIND_NEWER=y | |
| 453 | -CONFIG_FEATURE_FIND_INUM=y | |
| 454 | -CONFIG_FEATURE_FIND_SAMEFILE=y | |
| 455 | -CONFIG_FEATURE_FIND_EXEC=y | |
| 456 | -CONFIG_FEATURE_FIND_EXEC_PLUS=y | |
| 457 | -CONFIG_FEATURE_FIND_USER=y | |
| 458 | -CONFIG_FEATURE_FIND_GROUP=y | |
| 459 | -CONFIG_FEATURE_FIND_NOT=y | |
| 460 | -CONFIG_FEATURE_FIND_DEPTH=y | |
| 461 | -CONFIG_FEATURE_FIND_PAREN=y | |
| 462 | -CONFIG_FEATURE_FIND_SIZE=y | |
| 463 | -CONFIG_FEATURE_FIND_PRUNE=y | |
| 464 | -CONFIG_FEATURE_FIND_QUIT=y | |
| 465 | -CONFIG_FEATURE_FIND_DELETE=y | |
| 466 | -CONFIG_FEATURE_FIND_EMPTY=y | |
| 467 | -CONFIG_FEATURE_FIND_PATH=y | |
| 468 | -CONFIG_FEATURE_FIND_REGEX=y | |
| 469 | -# CONFIG_FEATURE_FIND_CONTEXT is not set | |
| 470 | -CONFIG_FEATURE_FIND_LINKS=y | |
| 471 | -CONFIG_GREP=y | |
| 472 | -# CONFIG_EGREP is not set | |
| 473 | -# CONFIG_FGREP is not set | |
| 474 | -CONFIG_FEATURE_GREP_CONTEXT=y | |
| 475 | -CONFIG_XARGS=y | |
| 476 | -CONFIG_FEATURE_XARGS_SUPPORT_CONFIRMATION=y | |
| 477 | -CONFIG_FEATURE_XARGS_SUPPORT_QUOTES=y | |
| 478 | -CONFIG_FEATURE_XARGS_SUPPORT_TERMOPT=y | |
| 479 | -CONFIG_FEATURE_XARGS_SUPPORT_ZERO_TERM=y | |
| 480 | -CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y | |
| 481 | -CONFIG_FEATURE_XARGS_SUPPORT_PARALLEL=y | |
| 482 | -CONFIG_FEATURE_XARGS_SUPPORT_ARGS_FILE=y | |
| 483 | - | |
| 484 | -# | |
| 485 | -# Init Utilities | |
| 486 | -# | |
| 487 | -# CONFIG_BOOTCHARTD is not set | |
| 488 | -# CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set | |
| 489 | -# CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set | |
| 490 | -# CONFIG_HALT is not set | |
| 491 | -# CONFIG_POWEROFF is not set | |
| 492 | -# CONFIG_REBOOT is not set | |
| 493 | -# CONFIG_FEATURE_WAIT_FOR_INIT is not set | |
| 494 | -# CONFIG_FEATURE_CALL_TELINIT is not set | |
| 495 | -CONFIG_TELINIT_PATH="" | |
| 496 | -# CONFIG_INIT is not set | |
| 497 | -# CONFIG_LINUXRC is not set | |
| 498 | -# CONFIG_FEATURE_USE_INITTAB is not set | |
| 499 | -# CONFIG_FEATURE_KILL_REMOVED is not set | |
| 500 | -CONFIG_FEATURE_KILL_DELAY=0 | |
| 501 | -# CONFIG_FEATURE_INIT_SCTTY is not set | |
| 502 | -# CONFIG_FEATURE_INIT_SYSLOG is not set | |
| 503 | -# CONFIG_FEATURE_INIT_QUIET is not set | |
| 504 | -# CONFIG_FEATURE_INIT_COREDUMPS is not set | |
| 505 | -CONFIG_INIT_TERMINAL_TYPE="" | |
| 506 | -# CONFIG_FEATURE_INIT_MODIFY_CMDLINE is not set | |
| 507 | - | |
| 508 | -# | |
| 509 | -# Login/Password Management Utilities | |
| 510 | -# | |
| 511 | -# CONFIG_FEATURE_SHADOWPASSWDS is not set | |
| 512 | -CONFIG_USE_BB_PWD_GRP=y | |
| 513 | -# CONFIG_USE_BB_SHADOW is not set | |
| 514 | -CONFIG_USE_BB_CRYPT=y | |
| 515 | -CONFIG_USE_BB_CRYPT_SHA=y | |
| 516 | -# CONFIG_ADD_SHELL is not set | |
| 517 | -# CONFIG_REMOVE_SHELL is not set | |
| 518 | -CONFIG_ADDGROUP=y | |
| 519 | -# CONFIG_FEATURE_ADDUSER_TO_GROUP is not set | |
| 520 | -CONFIG_ADDUSER=y | |
| 521 | -# CONFIG_FEATURE_CHECK_NAMES is not set | |
| 522 | -CONFIG_LAST_ID=60000 | |
| 523 | -CONFIG_FIRST_SYSTEM_ID=100 | |
| 524 | -CONFIG_LAST_SYSTEM_ID=999 | |
| 525 | -# CONFIG_CHPASSWD is not set | |
| 526 | -CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="" | |
| 527 | -# CONFIG_CRYPTPW is not set | |
| 528 | -# CONFIG_MKPASSWD is not set | |
| 529 | -# CONFIG_DELUSER is not set | |
| 530 | -# CONFIG_DELGROUP is not set | |
| 531 | -# CONFIG_FEATURE_DEL_USER_FROM_GROUP is not set | |
| 532 | -# CONFIG_GETTY is not set | |
| 533 | -# CONFIG_LOGIN is not set | |
| 534 | -# CONFIG_LOGIN_SESSION_AS_CHILD is not set | |
| 535 | -# CONFIG_LOGIN_SCRIPTS is not set | |
| 536 | -# CONFIG_FEATURE_NOLOGIN is not set | |
| 537 | -# CONFIG_FEATURE_SECURETTY is not set | |
| 538 | -# CONFIG_PASSWD is not set | |
| 539 | -# CONFIG_FEATURE_PASSWD_WEAK_CHECK is not set | |
| 540 | -# CONFIG_SU is not set | |
| 541 | -# CONFIG_FEATURE_SU_SYSLOG is not set | |
| 542 | -# CONFIG_FEATURE_SU_CHECKS_SHELLS is not set | |
| 543 | -# CONFIG_FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY is not set | |
| 544 | -# CONFIG_SULOGIN is not set | |
| 545 | -# CONFIG_VLOCK is not set | |
| 546 | - | |
| 547 | -# | |
| 548 | -# Linux Ext2 FS Progs | |
| 549 | -# | |
| 550 | -# CONFIG_CHATTR is not set | |
| 551 | -# CONFIG_FSCK is not set | |
| 552 | -# CONFIG_LSATTR is not set | |
| 553 | -# CONFIG_TUNE2FS is not set | |
| 554 | - | |
| 555 | -# | |
| 556 | -# Linux Module Utilities | |
| 557 | -# | |
| 558 | -# CONFIG_MODPROBE_SMALL is not set | |
| 559 | -# CONFIG_DEPMOD is not set | |
| 560 | -# CONFIG_INSMOD is not set | |
| 561 | -# CONFIG_LSMOD is not set | |
| 562 | -# CONFIG_FEATURE_LSMOD_PRETTY_2_6_OUTPUT is not set | |
| 563 | -# CONFIG_MODINFO is not set | |
| 564 | -# CONFIG_MODPROBE is not set | |
| 565 | -# CONFIG_FEATURE_MODPROBE_BLACKLIST is not set | |
| 566 | -# CONFIG_RMMOD is not set | |
| 567 | - | |
| 568 | -# | |
| 569 | -# Options common to multiple modutils | |
| 570 | -# | |
| 571 | -# CONFIG_FEATURE_CMDLINE_MODULE_OPTIONS is not set | |
| 572 | -# CONFIG_FEATURE_MODPROBE_SMALL_CHECK_ALREADY_LOADED is not set | |
| 573 | -# CONFIG_FEATURE_2_4_MODULES is not set | |
| 574 | -# CONFIG_FEATURE_INSMOD_VERSION_CHECKING is not set | |
| 575 | -# CONFIG_FEATURE_INSMOD_KSYMOOPS_SYMBOLS is not set | |
| 576 | -# CONFIG_FEATURE_INSMOD_LOADINKMEM is not set | |
| 577 | -# CONFIG_FEATURE_INSMOD_LOAD_MAP is not set | |
| 578 | -# CONFIG_FEATURE_INSMOD_LOAD_MAP_FULL is not set | |
| 579 | -# CONFIG_FEATURE_CHECK_TAINTED_MODULE is not set | |
| 580 | -# CONFIG_FEATURE_INSMOD_TRY_MMAP is not set | |
| 581 | -# CONFIG_FEATURE_MODUTILS_ALIAS is not set | |
| 582 | -# CONFIG_FEATURE_MODUTILS_SYMBOLS is not set | |
| 583 | -CONFIG_DEFAULT_MODULES_DIR="" | |
| 584 | -CONFIG_DEFAULT_DEPMOD_FILE="" | |
| 585 | - | |
| 586 | -# | |
| 587 | -# Linux System Utilities | |
| 588 | -# | |
| 589 | -# CONFIG_ACPID is not set | |
| 590 | -# CONFIG_FEATURE_ACPID_COMPAT is not set | |
| 591 | -# CONFIG_BLKDISCARD is not set | |
| 592 | -# CONFIG_BLKID is not set | |
| 593 | -# CONFIG_FEATURE_BLKID_TYPE is not set | |
| 594 | -# CONFIG_BLOCKDEV is not set | |
| 595 | -# CONFIG_CAL is not set | |
| 596 | -# CONFIG_CHRT is not set | |
| 597 | -# CONFIG_DMESG is not set | |
| 598 | -# CONFIG_FEATURE_DMESG_PRETTY is not set | |
| 599 | -# CONFIG_EJECT is not set | |
| 600 | -# CONFIG_FEATURE_EJECT_SCSI is not set | |
| 601 | -# CONFIG_FALLOCATE is not set | |
| 602 | -# CONFIG_FATATTR is not set | |
| 603 | -# CONFIG_FBSET is not set | |
| 604 | -# CONFIG_FEATURE_FBSET_FANCY is not set | |
| 605 | -# CONFIG_FEATURE_FBSET_READMODE is not set | |
| 606 | -# CONFIG_FDFORMAT is not set | |
| 607 | -# CONFIG_FDISK is not set | |
| 608 | -# CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set | |
| 609 | -# CONFIG_FEATURE_FDISK_WRITABLE is not set | |
| 610 | -# CONFIG_FEATURE_AIX_LABEL is not set | |
| 611 | -# CONFIG_FEATURE_SGI_LABEL is not set | |
| 612 | -# CONFIG_FEATURE_SUN_LABEL is not set | |
| 613 | -# CONFIG_FEATURE_OSF_LABEL is not set | |
| 614 | -# CONFIG_FEATURE_GPT_LABEL is not set | |
| 615 | -# CONFIG_FEATURE_FDISK_ADVANCED is not set | |
| 616 | -# CONFIG_FINDFS is not set | |
| 617 | -# CONFIG_FLOCK is not set | |
| 618 | -# CONFIG_FDFLUSH is not set | |
| 619 | -# CONFIG_FREERAMDISK is not set | |
| 620 | -# CONFIG_FSCK_MINIX is not set | |
| 621 | -# CONFIG_FSFREEZE is not set | |
| 622 | -# CONFIG_FSTRIM is not set | |
| 623 | -# CONFIG_GETOPT is not set | |
| 624 | -# CONFIG_FEATURE_GETOPT_LONG is not set | |
| 625 | -CONFIG_HEXDUMP=y | |
| 626 | -CONFIG_HD=y | |
| 627 | -CONFIG_XXD=y | |
| 628 | -# CONFIG_HWCLOCK is not set | |
| 629 | -# CONFIG_FEATURE_HWCLOCK_ADJTIME_FHS is not set | |
| 630 | -# CONFIG_IONICE is not set | |
| 631 | -# CONFIG_IPCRM is not set | |
| 632 | -# CONFIG_IPCS is not set | |
| 633 | -# CONFIG_LAST is not set | |
| 634 | -# CONFIG_FEATURE_LAST_FANCY is not set | |
| 635 | -# CONFIG_LOSETUP is not set | |
| 636 | -# CONFIG_LSPCI is not set | |
| 637 | -# CONFIG_LSUSB is not set | |
| 638 | -# CONFIG_MDEV is not set | |
| 639 | -# CONFIG_FEATURE_MDEV_CONF is not set | |
| 640 | -# CONFIG_FEATURE_MDEV_RENAME is not set | |
| 641 | -# CONFIG_FEATURE_MDEV_RENAME_REGEXP is not set | |
| 642 | -# CONFIG_FEATURE_MDEV_EXEC is not set | |
| 643 | -# CONFIG_FEATURE_MDEV_LOAD_FIRMWARE is not set | |
| 644 | -# CONFIG_FEATURE_MDEV_DAEMON is not set | |
| 645 | -# CONFIG_MESG is not set | |
| 646 | -# CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP is not set | |
| 647 | -# CONFIG_MKE2FS is not set | |
| 648 | -# CONFIG_MKFS_EXT2 is not set | |
| 649 | -# CONFIG_MKFS_MINIX is not set | |
| 650 | -# CONFIG_FEATURE_MINIX2 is not set | |
| 651 | -# CONFIG_MKFS_REISER is not set | |
| 652 | -# CONFIG_MKDOSFS is not set | |
| 653 | -# CONFIG_MKFS_VFAT is not set | |
| 654 | -# CONFIG_MKSWAP is not set | |
| 655 | -# CONFIG_FEATURE_MKSWAP_UUID is not set | |
| 656 | -CONFIG_MORE=y | |
| 657 | -CONFIG_MOUNT=y | |
| 658 | -CONFIG_FEATURE_MOUNT_FAKE=y | |
| 659 | -CONFIG_FEATURE_MOUNT_VERBOSE=y | |
| 660 | -# CONFIG_FEATURE_MOUNT_HELPERS is not set | |
| 661 | -# CONFIG_FEATURE_MOUNT_LABEL is not set | |
| 662 | -# CONFIG_FEATURE_MOUNT_NFS is not set | |
| 663 | -# CONFIG_FEATURE_MOUNT_CIFS is not set | |
| 664 | -CONFIG_FEATURE_MOUNT_FLAGS=y | |
| 665 | -CONFIG_FEATURE_MOUNT_FSTAB=y | |
| 666 | -CONFIG_FEATURE_MOUNT_OTHERTAB=y | |
| 667 | -# CONFIG_MOUNTPOINT is not set | |
| 668 | -CONFIG_NOLOGIN=y | |
| 669 | -# CONFIG_NOLOGIN_DEPENDENCIES is not set | |
| 670 | -# CONFIG_NSENTER is not set | |
| 671 | -# CONFIG_PIVOT_ROOT is not set | |
| 672 | -# CONFIG_RDATE is not set | |
| 673 | -# CONFIG_RDEV is not set | |
| 674 | -# CONFIG_READPROFILE is not set | |
| 675 | -CONFIG_RENICE=y | |
| 676 | -CONFIG_REV=y | |
| 677 | -# CONFIG_RTCWAKE is not set | |
| 678 | -# CONFIG_SCRIPT is not set | |
| 679 | -# CONFIG_SCRIPTREPLAY is not set | |
| 680 | -# CONFIG_SETARCH is not set | |
| 681 | -# CONFIG_LINUX32 is not set | |
| 682 | -# CONFIG_LINUX64 is not set | |
| 683 | -# CONFIG_SETPRIV is not set | |
| 684 | -# CONFIG_FEATURE_SETPRIV_DUMP is not set | |
| 685 | -# CONFIG_FEATURE_SETPRIV_CAPABILITIES is not set | |
| 686 | -# CONFIG_FEATURE_SETPRIV_CAPABILITY_NAMES is not set | |
| 687 | -# CONFIG_SETSID is not set | |
| 688 | -# CONFIG_SWAPON is not set | |
| 689 | -# CONFIG_FEATURE_SWAPON_DISCARD is not set | |
| 690 | -# CONFIG_FEATURE_SWAPON_PRI is not set | |
| 691 | -# CONFIG_SWAPOFF is not set | |
| 692 | -# CONFIG_FEATURE_SWAPONOFF_LABEL is not set | |
| 693 | -# CONFIG_SWITCH_ROOT is not set | |
| 694 | -# CONFIG_TASKSET is not set | |
| 695 | -# CONFIG_FEATURE_TASKSET_FANCY is not set | |
| 696 | -# CONFIG_FEATURE_TASKSET_CPULIST is not set | |
| 697 | -# CONFIG_UEVENT is not set | |
| 698 | -CONFIG_UMOUNT=y | |
| 699 | -CONFIG_FEATURE_UMOUNT_ALL=y | |
| 700 | -# CONFIG_UNSHARE is not set | |
| 701 | -# CONFIG_WALL is not set | |
| 702 | - | |
| 703 | -# | |
| 704 | -# Common options for mount/umount | |
| 705 | -# | |
| 706 | -# CONFIG_FEATURE_MOUNT_LOOP is not set | |
| 707 | -# CONFIG_FEATURE_MOUNT_LOOP_CREATE is not set | |
| 708 | -# CONFIG_FEATURE_MTAB_SUPPORT is not set | |
| 709 | -# CONFIG_VOLUMEID is not set | |
| 710 | -# CONFIG_FEATURE_VOLUMEID_BCACHE is not set | |
| 711 | -# CONFIG_FEATURE_VOLUMEID_BTRFS is not set | |
| 712 | -# CONFIG_FEATURE_VOLUMEID_CRAMFS is not set | |
| 713 | -# CONFIG_FEATURE_VOLUMEID_EROFS is not set | |
| 714 | -# CONFIG_FEATURE_VOLUMEID_EXFAT is not set | |
| 715 | -# CONFIG_FEATURE_VOLUMEID_EXT is not set | |
| 716 | -# CONFIG_FEATURE_VOLUMEID_F2FS is not set | |
| 717 | -# CONFIG_FEATURE_VOLUMEID_FAT is not set | |
| 718 | -# CONFIG_FEATURE_VOLUMEID_HFS is not set | |
| 719 | -# CONFIG_FEATURE_VOLUMEID_ISO9660 is not set | |
| 720 | -# CONFIG_FEATURE_VOLUMEID_JFS is not set | |
| 721 | -# CONFIG_FEATURE_VOLUMEID_LFS is not set | |
| 722 | -# CONFIG_FEATURE_VOLUMEID_LINUXRAID is not set | |
| 723 | -# CONFIG_FEATURE_VOLUMEID_LINUXSWAP is not set | |
| 724 | -# CONFIG_FEATURE_VOLUMEID_LUKS is not set | |
| 725 | -# CONFIG_FEATURE_VOLUMEID_MINIX is not set | |
| 726 | -# CONFIG_FEATURE_VOLUMEID_NILFS is not set | |
| 727 | -# CONFIG_FEATURE_VOLUMEID_NTFS is not set | |
| 728 | -# CONFIG_FEATURE_VOLUMEID_OCFS2 is not set | |
| 729 | -# CONFIG_FEATURE_VOLUMEID_REISERFS is not set | |
| 730 | -# CONFIG_FEATURE_VOLUMEID_ROMFS is not set | |
| 731 | -# CONFIG_FEATURE_VOLUMEID_SQUASHFS is not set | |
| 732 | -# CONFIG_FEATURE_VOLUMEID_SYSV is not set | |
| 733 | -# CONFIG_FEATURE_VOLUMEID_UBIFS is not set | |
| 734 | -# CONFIG_FEATURE_VOLUMEID_UDF is not set | |
| 735 | -# CONFIG_FEATURE_VOLUMEID_XFS is not set | |
| 736 | - | |
| 737 | -# | |
| 738 | -# Miscellaneous Utilities | |
| 739 | -# | |
| 740 | -# CONFIG_ADJTIMEX is not set | |
| 741 | -# CONFIG_ASCII is not set | |
| 742 | -# CONFIG_BBCONFIG is not set | |
| 743 | -# CONFIG_FEATURE_COMPRESS_BBCONFIG is not set | |
| 744 | -CONFIG_BC=y | |
| 745 | -# CONFIG_DC is not set | |
| 746 | -CONFIG_FEATURE_DC_BIG=y | |
| 747 | -# CONFIG_FEATURE_DC_LIBM is not set | |
| 748 | -# CONFIG_FEATURE_BC_INTERACTIVE is not set | |
| 749 | -# CONFIG_FEATURE_BC_LONG_OPTIONS is not set | |
| 750 | -# CONFIG_BEEP is not set | |
| 751 | -CONFIG_FEATURE_BEEP_FREQ=0 | |
| 752 | -CONFIG_FEATURE_BEEP_LENGTH_MS=0 | |
| 753 | -# CONFIG_CHAT is not set | |
| 754 | -# CONFIG_FEATURE_CHAT_NOFAIL is not set | |
| 755 | -# CONFIG_FEATURE_CHAT_TTY_HIFI is not set | |
| 756 | -# CONFIG_FEATURE_CHAT_IMPLICIT_CR is not set | |
| 757 | -# CONFIG_FEATURE_CHAT_SWALLOW_OPTS is not set | |
| 758 | -# CONFIG_FEATURE_CHAT_SEND_ESCAPES is not set | |
| 759 | -# CONFIG_FEATURE_CHAT_VAR_ABORT_LEN is not set | |
| 760 | -# CONFIG_FEATURE_CHAT_CLR_ABORT is not set | |
| 761 | -# CONFIG_CONSPY is not set | |
| 762 | -CONFIG_CROND=y | |
| 763 | -CONFIG_FEATURE_CROND_D=y | |
| 764 | -CONFIG_FEATURE_CROND_CALL_SENDMAIL=y | |
| 765 | -CONFIG_FEATURE_CROND_SPECIAL_TIMES=y | |
| 766 | -CONFIG_FEATURE_CROND_DIR="/var/spool/cron" | |
| 767 | -CONFIG_CRONTAB=y | |
| 768 | -# CONFIG_DEVFSD is not set | |
| 769 | -# CONFIG_DEVFSD_MODLOAD is not set | |
| 770 | -# CONFIG_DEVFSD_FG_NP is not set | |
| 771 | -# CONFIG_DEVFSD_VERBOSE is not set | |
| 772 | -# CONFIG_FEATURE_DEVFS is not set | |
| 773 | -# CONFIG_DEVMEM is not set | |
| 774 | -# CONFIG_FBSPLASH is not set | |
| 775 | -# CONFIG_FLASH_ERASEALL is not set | |
| 776 | -# CONFIG_FLASH_LOCK is not set | |
| 777 | -# CONFIG_FLASH_UNLOCK is not set | |
| 778 | -# CONFIG_FLASHCP is not set | |
| 779 | -# CONFIG_HDPARM is not set | |
| 780 | -# CONFIG_FEATURE_HDPARM_GET_IDENTITY is not set | |
| 781 | -# CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF is not set | |
| 782 | -# CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF is not set | |
| 783 | -# CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET is not set | |
| 784 | -# CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF is not set | |
| 785 | -# CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA is not set | |
| 786 | -CONFIG_HEXEDIT=y | |
| 787 | -# CONFIG_I2CGET is not set | |
| 788 | -# CONFIG_I2CSET is not set | |
| 789 | -# CONFIG_I2CDUMP is not set | |
| 790 | -# CONFIG_I2CDETECT is not set | |
| 791 | -# CONFIG_I2CTRANSFER is not set | |
| 792 | -# CONFIG_INOTIFYD is not set | |
| 793 | -CONFIG_LESS=y | |
| 794 | -CONFIG_FEATURE_LESS_MAXLINES=9999999 | |
| 795 | -CONFIG_FEATURE_LESS_BRACKETS=y | |
| 796 | -CONFIG_FEATURE_LESS_FLAGS=y | |
| 797 | -CONFIG_FEATURE_LESS_TRUNCATE=y | |
| 798 | -CONFIG_FEATURE_LESS_MARKS=y | |
| 799 | -CONFIG_FEATURE_LESS_REGEXP=y | |
| 800 | -CONFIG_FEATURE_LESS_WINCH=y | |
| 801 | -CONFIG_FEATURE_LESS_ASK_TERMINAL=y | |
| 802 | -CONFIG_FEATURE_LESS_DASHCMD=y | |
| 803 | -CONFIG_FEATURE_LESS_LINENUMS=y | |
| 804 | -CONFIG_FEATURE_LESS_RAW=y | |
| 805 | -CONFIG_FEATURE_LESS_ENV=y | |
| 806 | -# CONFIG_LSSCSI is not set | |
| 807 | -# CONFIG_MAKEDEVS is not set | |
| 808 | -# CONFIG_FEATURE_MAKEDEVS_LEAF is not set | |
| 809 | -# CONFIG_FEATURE_MAKEDEVS_TABLE is not set | |
| 810 | -# CONFIG_MAN is not set | |
| 811 | -# CONFIG_MICROCOM is not set | |
| 812 | -# CONFIG_MIM is not set | |
| 813 | -# CONFIG_MT is not set | |
| 814 | -# CONFIG_NANDWRITE is not set | |
| 815 | -# CONFIG_NANDDUMP is not set | |
| 816 | -# CONFIG_PARTPROBE is not set | |
| 817 | -# CONFIG_RAIDAUTORUN is not set | |
| 818 | -# CONFIG_READAHEAD is not set | |
| 819 | -# CONFIG_RFKILL is not set | |
| 820 | -# CONFIG_RUNLEVEL is not set | |
| 821 | -# CONFIG_RX is not set | |
| 822 | -# CONFIG_SETFATTR is not set | |
| 823 | -# CONFIG_SETSERIAL is not set | |
| 824 | -CONFIG_STRINGS=y | |
| 825 | -CONFIG_TIME=y | |
| 826 | -# CONFIG_TS is not set | |
| 827 | -# CONFIG_TTYSIZE is not set | |
| 828 | -# CONFIG_UBIATTACH is not set | |
| 829 | -# CONFIG_UBIDETACH is not set | |
| 830 | -# CONFIG_UBIMKVOL is not set | |
| 831 | -# CONFIG_UBIRMVOL is not set | |
| 832 | -# CONFIG_UBIRSVOL is not set | |
| 833 | -# CONFIG_UBIUPDATEVOL is not set | |
| 834 | -# CONFIG_UBIRENAME is not set | |
| 835 | -# CONFIG_VOLNAME is not set | |
| 836 | -# CONFIG_WATCHDOG is not set | |
| 837 | -# CONFIG_FEATURE_WATCHDOG_OPEN_TWICE is not set | |
| 838 | - | |
| 839 | -# | |
| 840 | -# Networking Utilities | |
| 841 | -# | |
| 842 | -CONFIG_FEATURE_IPV6=y | |
| 843 | -# CONFIG_FEATURE_UNIX_LOCAL is not set | |
| 844 | -CONFIG_FEATURE_PREFER_IPV4_ADDRESS=y | |
| 845 | -# CONFIG_VERBOSE_RESOLUTION_ERRORS is not set | |
| 846 | -# CONFIG_FEATURE_ETC_NETWORKS is not set | |
| 847 | -# CONFIG_FEATURE_ETC_SERVICES is not set | |
| 848 | -# CONFIG_FEATURE_HWIB is not set | |
| 849 | -# CONFIG_FEATURE_TLS_SHA1 is not set | |
| 850 | -# CONFIG_ARP is not set | |
| 851 | -# CONFIG_ARPING is not set | |
| 852 | -# CONFIG_BRCTL is not set | |
| 853 | -# CONFIG_FEATURE_BRCTL_FANCY is not set | |
| 854 | -# CONFIG_FEATURE_BRCTL_SHOW is not set | |
| 855 | -# CONFIG_DNSD is not set | |
| 856 | -# CONFIG_ETHER_WAKE is not set | |
| 857 | -# CONFIG_FTPD is not set | |
| 858 | -# CONFIG_FEATURE_FTPD_WRITE is not set | |
| 859 | -# CONFIG_FEATURE_FTPD_ACCEPT_BROKEN_LIST is not set | |
| 860 | -# CONFIG_FEATURE_FTPD_AUTHENTICATION is not set | |
| 861 | -# CONFIG_FTPGET is not set | |
| 862 | -# CONFIG_FTPPUT is not set | |
| 863 | -# CONFIG_FEATURE_FTPGETPUT_LONG_OPTIONS is not set | |
| 864 | -# CONFIG_HOSTNAME is not set | |
| 865 | -# CONFIG_DNSDOMAINNAME is not set | |
| 866 | -# CONFIG_HTTPD is not set | |
| 867 | -CONFIG_FEATURE_HTTPD_PORT_DEFAULT=0 | |
| 868 | -# CONFIG_FEATURE_HTTPD_RANGES is not set | |
| 869 | -# CONFIG_FEATURE_HTTPD_SETUID is not set | |
| 870 | -# CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set | |
| 871 | -# CONFIG_FEATURE_HTTPD_AUTH_MD5 is not set | |
| 872 | -# CONFIG_FEATURE_HTTPD_CGI is not set | |
| 873 | -# CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR is not set | |
| 874 | -# CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set | |
| 875 | -# CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set | |
| 876 | -# CONFIG_FEATURE_HTTPD_ERROR_PAGES is not set | |
| 877 | -# CONFIG_FEATURE_HTTPD_PROXY is not set | |
| 878 | -# CONFIG_FEATURE_HTTPD_GZIP is not set | |
| 879 | -# CONFIG_FEATURE_HTTPD_ETAG is not set | |
| 880 | -# CONFIG_FEATURE_HTTPD_LAST_MODIFIED is not set | |
| 881 | -# CONFIG_FEATURE_HTTPD_DATE is not set | |
| 882 | -# CONFIG_FEATURE_HTTPD_ACL_IP is not set | |
| 883 | -CONFIG_IFCONFIG=y | |
| 884 | -CONFIG_FEATURE_IFCONFIG_STATUS=y | |
| 885 | -# CONFIG_FEATURE_IFCONFIG_SLIP is not set | |
| 886 | -CONFIG_FEATURE_IFCONFIG_MEMSTART_IOADDR_IRQ=y | |
| 887 | -CONFIG_FEATURE_IFCONFIG_HW=y | |
| 888 | -CONFIG_FEATURE_IFCONFIG_BROADCAST_PLUS=y | |
| 889 | -# CONFIG_IFENSLAVE is not set | |
| 890 | -# CONFIG_IFPLUGD is not set | |
| 891 | -# CONFIG_IFUP is not set | |
| 892 | -# CONFIG_IFDOWN is not set | |
| 893 | -CONFIG_IFUPDOWN_IFSTATE_PATH="" | |
| 894 | -# CONFIG_FEATURE_IFUPDOWN_IP is not set | |
| 895 | -# CONFIG_FEATURE_IFUPDOWN_IPV4 is not set | |
| 896 | -# CONFIG_FEATURE_IFUPDOWN_IPV6 is not set | |
| 897 | -# CONFIG_FEATURE_IFUPDOWN_MAPPING is not set | |
| 898 | -# CONFIG_FEATURE_IFUPDOWN_EXTERNAL_DHCP is not set | |
| 899 | -CONFIG_INETD=y | |
| 900 | -# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_ECHO is not set | |
| 901 | -# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DISCARD is not set | |
| 902 | -# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_TIME is not set | |
| 903 | -# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DAYTIME is not set | |
| 904 | -# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_CHARGEN is not set | |
| 905 | -# CONFIG_FEATURE_INETD_RPC is not set | |
| 906 | -CONFIG_IP=y | |
| 907 | -# CONFIG_IPADDR is not set | |
| 908 | -# CONFIG_IPLINK is not set | |
| 909 | -# CONFIG_IPROUTE is not set | |
| 910 | -# CONFIG_IPTUNNEL is not set | |
| 911 | -# CONFIG_IPRULE is not set | |
| 912 | -# CONFIG_IPNEIGH is not set | |
| 913 | -CONFIG_FEATURE_IP_ADDRESS=y | |
| 914 | -CONFIG_FEATURE_IP_LINK=y | |
| 915 | -CONFIG_FEATURE_IP_ROUTE=y | |
| 916 | -CONFIG_FEATURE_IP_ROUTE_DIR="/etc/iproute2" | |
| 917 | -# CONFIG_FEATURE_IP_TUNNEL is not set | |
| 918 | -# CONFIG_FEATURE_IP_RULE is not set | |
| 919 | -CONFIG_FEATURE_IP_NEIGH=y | |
| 920 | -# CONFIG_FEATURE_IP_RARE_PROTOCOLS is not set | |
| 921 | -CONFIG_IPCALC=y | |
| 922 | -CONFIG_FEATURE_IPCALC_LONG_OPTIONS=y | |
| 923 | -CONFIG_FEATURE_IPCALC_FANCY=y | |
| 924 | -# CONFIG_FAKEIDENTD is not set | |
| 925 | -# CONFIG_NAMEIF is not set | |
| 926 | -# CONFIG_FEATURE_NAMEIF_EXTENDED is not set | |
| 927 | -# CONFIG_NBDCLIENT is not set | |
| 928 | -CONFIG_NC=y | |
| 929 | -# CONFIG_NETCAT is not set | |
| 930 | -CONFIG_NC_SERVER=y | |
| 931 | -CONFIG_NC_EXTRA=y | |
| 932 | -CONFIG_NC_110_COMPAT=y | |
| 933 | -# CONFIG_NETSTAT is not set | |
| 934 | -# CONFIG_FEATURE_NETSTAT_WIDE is not set | |
| 935 | -# CONFIG_FEATURE_NETSTAT_PRG is not set | |
| 936 | -# CONFIG_NSLOOKUP is not set | |
| 937 | -# CONFIG_FEATURE_NSLOOKUP_BIG is not set | |
| 938 | -# CONFIG_FEATURE_NSLOOKUP_LONG_OPTIONS is not set | |
| 939 | -# CONFIG_NTPD is not set | |
| 940 | -# CONFIG_FEATURE_NTPD_SERVER is not set | |
| 941 | -# CONFIG_FEATURE_NTPD_CONF is not set | |
| 942 | -# CONFIG_FEATURE_NTP_AUTH is not set | |
| 943 | -# CONFIG_PING is not set | |
| 944 | -# CONFIG_PING6 is not set | |
| 945 | -# CONFIG_FEATURE_FANCY_PING is not set | |
| 946 | -# CONFIG_PSCAN is not set | |
| 947 | -CONFIG_ROUTE=y | |
| 948 | -# CONFIG_SLATTACH is not set | |
| 949 | -CONFIG_SSL_CLIENT=y | |
| 950 | -# CONFIG_TC is not set | |
| 951 | -# CONFIG_FEATURE_TC_INGRESS is not set | |
| 952 | -# CONFIG_TCPSVD is not set | |
| 953 | -# CONFIG_UDPSVD is not set | |
| 954 | -# CONFIG_TELNET is not set | |
| 955 | -# CONFIG_FEATURE_TELNET_TTYPE is not set | |
| 956 | -# CONFIG_FEATURE_TELNET_AUTOLOGIN is not set | |
| 957 | -# CONFIG_FEATURE_TELNET_WIDTH is not set | |
| 958 | -# CONFIG_TELNETD is not set | |
| 959 | -# CONFIG_FEATURE_TELNETD_STANDALONE is not set | |
| 960 | -CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0 | |
| 961 | -# CONFIG_FEATURE_TELNETD_INETD_WAIT is not set | |
| 962 | -# CONFIG_TFTP is not set | |
| 963 | -# CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set | |
| 964 | -# CONFIG_FEATURE_TFTP_HPA_COMPAT is not set | |
| 965 | -# CONFIG_TFTPD is not set | |
| 966 | -# CONFIG_FEATURE_TFTP_GET is not set | |
| 967 | -# CONFIG_FEATURE_TFTP_PUT is not set | |
| 968 | -# CONFIG_FEATURE_TFTP_BLOCKSIZE is not set | |
| 969 | -# CONFIG_TFTP_DEBUG is not set | |
| 970 | -CONFIG_TLS=y | |
| 971 | -# CONFIG_TRACEROUTE is not set | |
| 972 | -# CONFIG_TRACEROUTE6 is not set | |
| 973 | -# CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set | |
| 974 | -# CONFIG_FEATURE_TRACEROUTE_USE_ICMP is not set | |
| 975 | -# CONFIG_TUNCTL is not set | |
| 976 | -# CONFIG_FEATURE_TUNCTL_UG is not set | |
| 977 | -# CONFIG_VCONFIG is not set | |
| 978 | -CONFIG_WGET=y | |
| 979 | -CONFIG_FEATURE_WGET_LONG_OPTIONS=y | |
| 980 | -CONFIG_FEATURE_WGET_STATUSBAR=y | |
| 981 | -CONFIG_FEATURE_WGET_FTP=y | |
| 982 | -CONFIG_FEATURE_WGET_AUTHENTICATION=y | |
| 983 | -CONFIG_FEATURE_WGET_TIMEOUT=y | |
| 984 | -CONFIG_FEATURE_WGET_HTTPS=y | |
| 985 | -CONFIG_FEATURE_WGET_OPENSSL=y | |
| 986 | -CONFIG_WHOIS=y | |
| 987 | -# CONFIG_ZCIP is not set | |
| 988 | -# CONFIG_UDHCPD is not set | |
| 989 | -# CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set | |
| 990 | -# CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY is not set | |
| 991 | -CONFIG_DHCPD_LEASES_FILE="" | |
| 992 | -# CONFIG_DUMPLEASES is not set | |
| 993 | -# CONFIG_DHCPRELAY is not set | |
| 994 | -# CONFIG_UDHCPC is not set | |
| 995 | -# CONFIG_FEATURE_UDHCPC_ARPING is not set | |
| 996 | -# CONFIG_FEATURE_UDHCPC_SANITIZEOPT is not set | |
| 997 | -CONFIG_UDHCPC_DEFAULT_SCRIPT="" | |
| 998 | -# CONFIG_UDHCPC6 is not set | |
| 999 | -# CONFIG_FEATURE_UDHCPC6_RFC3646 is not set | |
| 1000 | -# CONFIG_FEATURE_UDHCPC6_RFC4704 is not set | |
| 1001 | -# CONFIG_FEATURE_UDHCPC6_RFC4833 is not set | |
| 1002 | -# CONFIG_FEATURE_UDHCPC6_RFC5970 is not set | |
| 1003 | -CONFIG_UDHCPC_DEFAULT_INTERFACE="" | |
| 1004 | -# CONFIG_FEATURE_UDHCP_PORT is not set | |
| 1005 | -CONFIG_UDHCP_DEBUG=0 | |
| 1006 | -CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=0 | |
| 1007 | -# CONFIG_FEATURE_UDHCP_RFC3397 is not set | |
| 1008 | -# CONFIG_FEATURE_UDHCP_8021Q is not set | |
| 1009 | -CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS="" | |
| 1010 | - | |
| 1011 | -# | |
| 1012 | -# Print Utilities | |
| 1013 | -# | |
| 1014 | -# CONFIG_LPD is not set | |
| 1015 | -# CONFIG_LPR is not set | |
| 1016 | -# CONFIG_LPQ is not set | |
| 1017 | - | |
| 1018 | -# | |
| 1019 | -# Mail Utilities | |
| 1020 | -# | |
| 1021 | -CONFIG_FEATURE_MIME_CHARSET="utf-8" | |
| 1022 | -# CONFIG_MAKEMIME is not set | |
| 1023 | -# CONFIG_POPMAILDIR is not set | |
| 1024 | -# CONFIG_FEATURE_POPMAILDIR_DELIVERY is not set | |
| 1025 | -# CONFIG_REFORMIME is not set | |
| 1026 | -# CONFIG_FEATURE_REFORMIME_COMPAT is not set | |
| 1027 | -CONFIG_SENDMAIL=y | |
| 1028 | - | |
| 1029 | -# | |
| 1030 | -# Process Utilities | |
| 1031 | -# | |
| 1032 | -# CONFIG_FEATURE_FAST_TOP is not set | |
| 1033 | -CONFIG_FEATURE_SHOW_THREADS=y | |
| 1034 | -CONFIG_FREE=y | |
| 1035 | -CONFIG_FUSER=y | |
| 1036 | -CONFIG_IOSTAT=y | |
| 1037 | -CONFIG_KILL=y | |
| 1038 | -CONFIG_KILLALL=y | |
| 1039 | -# CONFIG_KILLALL5 is not set | |
| 1040 | -CONFIG_LSOF=y | |
| 1041 | -CONFIG_MPSTAT=y | |
| 1042 | -CONFIG_NMETER=y | |
| 1043 | -CONFIG_PGREP=y | |
| 1044 | -CONFIG_PKILL=y | |
| 1045 | -CONFIG_PIDOF=y | |
| 1046 | -CONFIG_FEATURE_PIDOF_SINGLE=y | |
| 1047 | -CONFIG_FEATURE_PIDOF_OMIT=y | |
| 1048 | -CONFIG_PMAP=y | |
| 1049 | -# CONFIG_POWERTOP is not set | |
| 1050 | -# CONFIG_FEATURE_POWERTOP_INTERACTIVE is not set | |
| 1051 | -CONFIG_PS=y | |
| 1052 | -# CONFIG_FEATURE_PS_WIDE is not set | |
| 1053 | -# CONFIG_FEATURE_PS_LONG is not set | |
| 1054 | -CONFIG_FEATURE_PS_TIME=y | |
| 1055 | -# CONFIG_FEATURE_PS_UNUSUAL_SYSTEMS is not set | |
| 1056 | -CONFIG_FEATURE_PS_ADDITIONAL_COLUMNS=y | |
| 1057 | -CONFIG_PSTREE=y | |
| 1058 | -CONFIG_PWDX=y | |
| 1059 | -CONFIG_SMEMCAP=y | |
| 1060 | -CONFIG_BB_SYSCTL=y | |
| 1061 | -CONFIG_TOP=y | |
| 1062 | -CONFIG_FEATURE_TOP_INTERACTIVE=y | |
| 1063 | -CONFIG_FEATURE_TOP_CPU_USAGE_PERCENTAGE=y | |
| 1064 | -CONFIG_FEATURE_TOP_CPU_GLOBAL_PERCENTS=y | |
| 1065 | -CONFIG_FEATURE_TOP_SMP_CPU=y | |
| 1066 | -CONFIG_FEATURE_TOP_DECIMALS=y | |
| 1067 | -CONFIG_FEATURE_TOP_SMP_PROCESS=y | |
| 1068 | -CONFIG_FEATURE_TOPMEM=y | |
| 1069 | -CONFIG_UPTIME=y | |
| 1070 | -CONFIG_FEATURE_UPTIME_UTMP_SUPPORT=y | |
| 1071 | -CONFIG_WATCH=y | |
| 1072 | - | |
| 1073 | -# | |
| 1074 | -# Runit Utilities | |
| 1075 | -# | |
| 1076 | -CONFIG_CHPST=y | |
| 1077 | -CONFIG_SETUIDGID=y | |
| 1078 | -CONFIG_ENVUIDGID=y | |
| 1079 | -CONFIG_ENVDIR=y | |
| 1080 | -CONFIG_SOFTLIMIT=y | |
| 1081 | -CONFIG_RUNSV=y | |
| 1082 | -CONFIG_RUNSVDIR=y | |
| 1083 | -# CONFIG_FEATURE_RUNSVDIR_LOG is not set | |
| 1084 | -CONFIG_SV=y | |
| 1085 | -CONFIG_SV_DEFAULT_SERVICE_DIR="/var/service" | |
| 1086 | -CONFIG_SVC=y | |
| 1087 | -CONFIG_SVOK=y | |
| 1088 | -CONFIG_SVLOGD=y | |
| 1089 | -# CONFIG_CHCON is not set | |
| 1090 | -# CONFIG_GETENFORCE is not set | |
| 1091 | -# CONFIG_GETSEBOOL is not set | |
| 1092 | -# CONFIG_LOAD_POLICY is not set | |
| 1093 | -# CONFIG_MATCHPATHCON is not set | |
| 1094 | -# CONFIG_RUNCON is not set | |
| 1095 | -# CONFIG_SELINUXENABLED is not set | |
| 1096 | -# CONFIG_SESTATUS is not set | |
| 1097 | -# CONFIG_SETENFORCE is not set | |
| 1098 | -# CONFIG_SETFILES is not set | |
| 1099 | -# CONFIG_FEATURE_SETFILES_CHECK_OPTION is not set | |
| 1100 | -# CONFIG_RESTORECON is not set | |
| 1101 | -# CONFIG_SETSEBOOL is not set | |
| 1102 | - | |
| 1103 | -# | |
| 1104 | -# Shells | |
| 1105 | -# | |
| 1106 | -CONFIG_SH_IS_ASH=y | |
| 1107 | -# CONFIG_SH_IS_HUSH is not set | |
| 1108 | -# CONFIG_SH_IS_NONE is not set | |
| 1109 | -# CONFIG_BASH_IS_ASH is not set | |
| 1110 | -# CONFIG_BASH_IS_HUSH is not set | |
| 1111 | -CONFIG_BASH_IS_NONE=y | |
| 1112 | -CONFIG_SHELL_ASH=y | |
| 1113 | -CONFIG_ASH=y | |
| 1114 | -CONFIG_ASH_OPTIMIZE_FOR_SIZE=y | |
| 1115 | -CONFIG_ASH_INTERNAL_GLOB=y | |
| 1116 | -CONFIG_ASH_BASH_COMPAT=y | |
| 1117 | -# CONFIG_ASH_BASH_SOURCE_CURDIR is not set | |
| 1118 | -CONFIG_ASH_BASH_NOT_FOUND_HOOK=y | |
| 1119 | -CONFIG_ASH_JOB_CONTROL=y | |
| 1120 | -CONFIG_ASH_ALIAS=y | |
| 1121 | -CONFIG_ASH_RANDOM_SUPPORT=y | |
| 1122 | -CONFIG_ASH_EXPAND_PRMT=y | |
| 1123 | -CONFIG_ASH_IDLE_TIMEOUT=y | |
| 1124 | -CONFIG_ASH_MAIL=y | |
| 1125 | -CONFIG_ASH_ECHO=y | |
| 1126 | -CONFIG_ASH_PRINTF=y | |
| 1127 | -CONFIG_ASH_TEST=y | |
| 1128 | -CONFIG_ASH_HELP=y | |
| 1129 | -CONFIG_ASH_GETOPTS=y | |
| 1130 | -CONFIG_ASH_CMDCMD=y | |
| 1131 | -# CONFIG_CTTYHACK is not set | |
| 1132 | -# CONFIG_HUSH is not set | |
| 1133 | -# CONFIG_SHELL_HUSH is not set | |
| 1134 | -# CONFIG_HUSH_BASH_COMPAT is not set | |
| 1135 | -# CONFIG_HUSH_BRACE_EXPANSION is not set | |
| 1136 | -# CONFIG_HUSH_BASH_SOURCE_CURDIR is not set | |
| 1137 | -# CONFIG_HUSH_LINENO_VAR is not set | |
| 1138 | -# CONFIG_HUSH_INTERACTIVE is not set | |
| 1139 | -# CONFIG_HUSH_SAVEHISTORY is not set | |
| 1140 | -# CONFIG_HUSH_JOB is not set | |
| 1141 | -# CONFIG_HUSH_TICK is not set | |
| 1142 | -# CONFIG_HUSH_IF is not set | |
| 1143 | -# CONFIG_HUSH_LOOPS is not set | |
| 1144 | -# CONFIG_HUSH_CASE is not set | |
| 1145 | -# CONFIG_HUSH_FUNCTIONS is not set | |
| 1146 | -# CONFIG_HUSH_LOCAL is not set | |
| 1147 | -# CONFIG_HUSH_RANDOM_SUPPORT is not set | |
| 1148 | -# CONFIG_HUSH_MODE_X is not set | |
| 1149 | -# CONFIG_HUSH_ECHO is not set | |
| 1150 | -# CONFIG_HUSH_PRINTF is not set | |
| 1151 | -# CONFIG_HUSH_TEST is not set | |
| 1152 | -# CONFIG_HUSH_HELP is not set | |
| 1153 | -# CONFIG_HUSH_EXPORT is not set | |
| 1154 | -# CONFIG_HUSH_EXPORT_N is not set | |
| 1155 | -# CONFIG_HUSH_READONLY is not set | |
| 1156 | -# CONFIG_HUSH_KILL is not set | |
| 1157 | -# CONFIG_HUSH_WAIT is not set | |
| 1158 | -# CONFIG_HUSH_COMMAND is not set | |
| 1159 | -# CONFIG_HUSH_TRAP is not set | |
| 1160 | -# CONFIG_HUSH_TYPE is not set | |
| 1161 | -# CONFIG_HUSH_TIMES is not set | |
| 1162 | -# CONFIG_HUSH_READ is not set | |
| 1163 | -# CONFIG_HUSH_SET is not set | |
| 1164 | -# CONFIG_HUSH_UNSET is not set | |
| 1165 | -# CONFIG_HUSH_ULIMIT is not set | |
| 1166 | -# CONFIG_HUSH_UMASK is not set | |
| 1167 | -# CONFIG_HUSH_GETOPTS is not set | |
| 1168 | -# CONFIG_HUSH_MEMLEAK is not set | |
| 1169 | - | |
| 1170 | -# | |
| 1171 | -# Options common to all shells | |
| 1172 | -# | |
| 1173 | -CONFIG_FEATURE_SH_MATH=y | |
| 1174 | -CONFIG_FEATURE_SH_MATH_64=y | |
| 1175 | -CONFIG_FEATURE_SH_MATH_BASE=y | |
| 1176 | -CONFIG_FEATURE_SH_EXTRA_QUIET=y | |
| 1177 | -# CONFIG_FEATURE_SH_STANDALONE is not set | |
| 1178 | -# CONFIG_FEATURE_SH_NOFORK is not set | |
| 1179 | -CONFIG_FEATURE_SH_READ_FRAC=y | |
| 1180 | -CONFIG_FEATURE_SH_HISTFILESIZE=y | |
| 1181 | -CONFIG_FEATURE_SH_EMBEDDED_SCRIPTS=y | |
| 1182 | - | |
| 1183 | -# | |
| 1184 | -# System Logging Utilities | |
| 1185 | -# | |
| 1186 | -# CONFIG_KLOGD is not set | |
| 1187 | -# CONFIG_FEATURE_KLOGD_KLOGCTL is not set | |
| 1188 | -# CONFIG_LOGGER is not set | |
| 1189 | -# CONFIG_LOGREAD is not set | |
| 1190 | -# CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING is not set | |
| 1191 | -# CONFIG_SYSLOGD is not set | |
| 1192 | -# CONFIG_FEATURE_ROTATE_LOGFILE is not set | |
| 1193 | -# CONFIG_FEATURE_REMOTE_LOG is not set | |
| 1194 | -# CONFIG_FEATURE_SYSLOGD_DUP is not set | |
| 1195 | -# CONFIG_FEATURE_SYSLOGD_CFG is not set | |
| 1196 | -# CONFIG_FEATURE_SYSLOGD_PRECISE_TIMESTAMPS is not set | |
| 1197 | -CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0 | |
| 1198 | -# CONFIG_FEATURE_IPC_SYSLOG is not set | |
| 1199 | -CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=0 | |
| 1200 | -# CONFIG_FEATURE_KMSG_SYSLOG is not set |
| --- a/containers/busybox-config | |
| +++ b/containers/busybox-config | |
| @@ -1,1200 +0,0 @@ | |
| 1 | # |
| 2 | # Automatically generated make config: don't edit |
| 3 | # Busybox version: 1.35.0 |
| 4 | # Tue Aug 16 02:15:21 2022 |
| 5 | # |
| 6 | CONFIG_HAVE_DOT_CONFIG=y |
| 7 | |
| 8 | # |
| 9 | # Settings |
| 10 | # |
| 11 | CONFIG_DESKTOP=y |
| 12 | # CONFIG_EXTRA_COMPAT is not set |
| 13 | # CONFIG_FEDORA_COMPAT is not set |
| 14 | CONFIG_INCLUDE_SUSv2=y |
| 15 | CONFIG_LONG_OPTS=y |
| 16 | CONFIG_SHOW_USAGE=y |
| 17 | CONFIG_FEATURE_VERBOSE_USAGE=y |
| 18 | CONFIG_FEATURE_COMPRESS_USAGE=y |
| 19 | CONFIG_LFS=y |
| 20 | # CONFIG_PAM is not set |
| 21 | CONFIG_FEATURE_DEVPTS=y |
| 22 | CONFIG_FEATURE_UTMP=y |
| 23 | CONFIG_FEATURE_WTMP=y |
| 24 | CONFIG_FEATURE_PIDFILE=y |
| 25 | CONFIG_PID_FILE_PATH="/var/run" |
| 26 | CONFIG_BUSYBOX=y |
| 27 | CONFIG_FEATURE_SHOW_SCRIPT=y |
| 28 | CONFIG_FEATURE_INSTALLER=y |
| 29 | # CONFIG_INSTALL_NO_USR is not set |
| 30 | CONFIG_FEATURE_SUID=y |
| 31 | CONFIG_FEATURE_SUID_CONFIG=y |
| 32 | CONFIG_FEATURE_SUID_CONFIG_QUIET=y |
| 33 | # CONFIG_FEATURE_PREFER_APPLETS is not set |
| 34 | CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe" |
| 35 | # CONFIG_SELINUX is not set |
| 36 | # CONFIG_FEATURE_CLEAN_UP is not set |
| 37 | CONFIG_FEATURE_SYSLOG_INFO=y |
| 38 | CONFIG_FEATURE_SYSLOG=y |
| 39 | |
| 40 | # |
| 41 | # Build Options |
| 42 | # |
| 43 | CONFIG_STATIC=y |
| 44 | # CONFIG_PIE is not set |
| 45 | # CONFIG_NOMMU is not set |
| 46 | # CONFIG_BUILD_LIBBUSYBOX is not set |
| 47 | # CONFIG_FEATURE_LIBBUSYBOX_STATIC is not set |
| 48 | # CONFIG_FEATURE_INDIVIDUAL is not set |
| 49 | # CONFIG_FEATURE_SHARED_BUSYBOX is not set |
| 50 | CONFIG_CROSS_COMPILER_PREFIX="" |
| 51 | CONFIG_SYSROOT="" |
| 52 | CONFIG_EXTRA_CFLAGS="" |
| 53 | CONFIG_EXTRA_LDFLAGS="" |
| 54 | CONFIG_EXTRA_LDLIBS="" |
| 55 | # CONFIG_USE_PORTABLE_CODE is not set |
| 56 | CONFIG_STACK_OPTIMIZATION_386=y |
| 57 | CONFIG_STATIC_LIBGCC=y |
| 58 | |
| 59 | # |
| 60 | # Installation Options ("make install" behavior) |
| 61 | # |
| 62 | CONFIG_INSTALL_APPLET_SYMLINKS=y |
| 63 | # CONFIG_INSTALL_APPLET_HARDLINKS is not set |
| 64 | # CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS is not set |
| 65 | # CONFIG_INSTALL_APPLET_DONT is not set |
| 66 | # CONFIG_INSTALL_SH_APPLET_SYMLINK is not set |
| 67 | # CONFIG_INSTALL_SH_APPLET_HARDLINK is not set |
| 68 | # CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER is not set |
| 69 | CONFIG_PREFIX="./_install" |
| 70 | |
| 71 | # |
| 72 | # Debugging Options |
| 73 | # |
| 74 | # CONFIG_DEBUG is not set |
| 75 | # CONFIG_DEBUG_PESSIMIZE is not set |
| 76 | # CONFIG_DEBUG_SANITIZE is not set |
| 77 | # CONFIG_UNIT_TEST is not set |
| 78 | # CONFIG_WERROR is not set |
| 79 | # CONFIG_WARN_SIMPLE_MSG is not set |
| 80 | CONFIG_NO_DEBUG_LIB=y |
| 81 | # CONFIG_DMALLOC is not set |
| 82 | # CONFIG_EFENCE is not set |
| 83 | |
| 84 | # |
| 85 | # Library Tuning |
| 86 | # |
| 87 | # CONFIG_FEATURE_USE_BSS_TAIL is not set |
| 88 | CONFIG_FLOAT_DURATION=y |
| 89 | CONFIG_FEATURE_RTMINMAX=y |
| 90 | CONFIG_FEATURE_RTMINMAX_USE_LIBC_DEFINITIONS=y |
| 91 | CONFIG_FEATURE_BUFFERS_USE_MALLOC=y |
| 92 | # CONFIG_FEATURE_BUFFERS_GO_ON_STACK is not set |
| 93 | # CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set |
| 94 | CONFIG_PASSWORD_MINLEN=6 |
| 95 | CONFIG_MD5_SMALL=1 |
| 96 | CONFIG_SHA3_SMALL=1 |
| 97 | CONFIG_FEATURE_NON_POSIX_CP=y |
| 98 | # CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set |
| 99 | CONFIG_FEATURE_USE_SENDFILE=y |
| 100 | CONFIG_FEATURE_COPYBUF_KB=4 |
| 101 | CONFIG_MONOTONIC_SYSCALL=y |
| 102 | CONFIG_IOCTL_HEX2STR_ERROR=y |
| 103 | CONFIG_FEATURE_EDITING=y |
| 104 | CONFIG_FEATURE_EDITING_MAX_LEN=1024 |
| 105 | # CONFIG_FEATURE_EDITING_VI is not set |
| 106 | CONFIG_FEATURE_EDITING_HISTORY=255 |
| 107 | CONFIG_FEATURE_EDITING_SAVEHISTORY=y |
| 108 | # CONFIG_FEATURE_EDITING_SAVE_ON_EXIT is not set |
| 109 | CONFIG_FEATURE_REVERSE_SEARCH=y |
| 110 | CONFIG_FEATURE_TAB_COMPLETION=y |
| 111 | CONFIG_FEATURE_USERNAME_COMPLETION=y |
| 112 | CONFIG_FEATURE_EDITING_FANCY_PROMPT=y |
| 113 | CONFIG_FEATURE_EDITING_WINCH=y |
| 114 | # CONFIG_FEATURE_EDITING_ASK_TERMINAL is not set |
| 115 | # CONFIG_LOCALE_SUPPORT is not set |
| 116 | CONFIG_UNICODE_SUPPORT=y |
| 117 | # CONFIG_UNICODE_USING_LOCALE is not set |
| 118 | # CONFIG_FEATURE_CHECK_UNICODE_IN_ENV is not set |
| 119 | CONFIG_SUBST_WCHAR=63 |
| 120 | CONFIG_LAST_SUPPORTED_WCHAR=767 |
| 121 | # CONFIG_UNICODE_COMBINING_WCHARS is not set |
| 122 | # CONFIG_UNICODE_WIDE_WCHARS is not set |
| 123 | # CONFIG_UNICODE_BIDI_SUPPORT is not set |
| 124 | # CONFIG_UNICODE_NEUTRAL_TABLE is not set |
| 125 | # CONFIG_UNICODE_PRESERVE_BROKEN is not set |
| 126 | |
| 127 | # |
| 128 | # Applets |
| 129 | # |
| 130 | |
| 131 | # |
| 132 | # Archival Utilities |
| 133 | # |
| 134 | # CONFIG_FEATURE_SEAMLESS_XZ is not set |
| 135 | # CONFIG_FEATURE_SEAMLESS_LZMA is not set |
| 136 | # CONFIG_FEATURE_SEAMLESS_BZ2 is not set |
| 137 | CONFIG_FEATURE_SEAMLESS_GZ=y |
| 138 | # CONFIG_FEATURE_SEAMLESS_Z is not set |
| 139 | # CONFIG_AR is not set |
| 140 | # CONFIG_FEATURE_AR_LONG_FILENAMES is not set |
| 141 | # CONFIG_FEATURE_AR_CREATE is not set |
| 142 | # CONFIG_UNCOMPRESS is not set |
| 143 | CONFIG_GUNZIP=y |
| 144 | CONFIG_ZCAT=y |
| 145 | CONFIG_FEATURE_GUNZIP_LONG_OPTIONS=y |
| 146 | # CONFIG_BUNZIP2 is not set |
| 147 | # CONFIG_BZCAT is not set |
| 148 | # CONFIG_UNLZMA is not set |
| 149 | # CONFIG_LZCAT is not set |
| 150 | # CONFIG_LZMA is not set |
| 151 | # CONFIG_UNXZ is not set |
| 152 | # CONFIG_XZCAT is not set |
| 153 | # CONFIG_XZ is not set |
| 154 | # CONFIG_BZIP2 is not set |
| 155 | CONFIG_BZIP2_SMALL=0 |
| 156 | # CONFIG_FEATURE_BZIP2_DECOMPRESS is not set |
| 157 | # CONFIG_CPIO is not set |
| 158 | # CONFIG_FEATURE_CPIO_O is not set |
| 159 | # CONFIG_FEATURE_CPIO_P is not set |
| 160 | # CONFIG_FEATURE_CPIO_IGNORE_DEVNO is not set |
| 161 | # CONFIG_FEATURE_CPIO_RENUMBER_INODES is not set |
| 162 | # CONFIG_DPKG is not set |
| 163 | # CONFIG_DPKG_DEB is not set |
| 164 | CONFIG_GZIP=y |
| 165 | CONFIG_FEATURE_GZIP_LONG_OPTIONS=y |
| 166 | CONFIG_GZIP_FAST=0 |
| 167 | # CONFIG_FEATURE_GZIP_LEVELS is not set |
| 168 | CONFIG_FEATURE_GZIP_DECOMPRESS=y |
| 169 | # CONFIG_LZOP is not set |
| 170 | # CONFIG_UNLZOP is not set |
| 171 | # CONFIG_LZOPCAT is not set |
| 172 | # CONFIG_LZOP_COMPR_HIGH is not set |
| 173 | # CONFIG_RPM is not set |
| 174 | # CONFIG_RPM2CPIO is not set |
| 175 | CONFIG_TAR=y |
| 176 | CONFIG_FEATURE_TAR_LONG_OPTIONS=y |
| 177 | CONFIG_FEATURE_TAR_CREATE=y |
| 178 | CONFIG_FEATURE_TAR_AUTODETECT=y |
| 179 | CONFIG_FEATURE_TAR_FROM=y |
| 180 | # CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set |
| 181 | # CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set |
| 182 | CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y |
| 183 | # CONFIG_FEATURE_TAR_TO_COMMAND is not set |
| 184 | CONFIG_FEATURE_TAR_UNAME_GNAME=y |
| 185 | CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y |
| 186 | # CONFIG_FEATURE_TAR_SELINUX is not set |
| 187 | CONFIG_UNZIP=y |
| 188 | CONFIG_FEATURE_UNZIP_CDF=y |
| 189 | CONFIG_FEATURE_UNZIP_BZIP2=y |
| 190 | CONFIG_FEATURE_UNZIP_LZMA=y |
| 191 | CONFIG_FEATURE_UNZIP_XZ=y |
| 192 | # CONFIG_FEATURE_LZMA_FAST is not set |
| 193 | |
| 194 | # |
| 195 | # Coreutils |
| 196 | # |
| 197 | CONFIG_FEATURE_VERBOSE=y |
| 198 | |
| 199 | # |
| 200 | # Common options for date and touch |
| 201 | # |
| 202 | CONFIG_FEATURE_TIMEZONE=y |
| 203 | |
| 204 | # |
| 205 | # Common options for cp and mv |
| 206 | # |
| 207 | CONFIG_FEATURE_PRESERVE_HARDLINKS=y |
| 208 | |
| 209 | # |
| 210 | # Common options for df, du, ls |
| 211 | # |
| 212 | CONFIG_FEATURE_HUMAN_READABLE=y |
| 213 | CONFIG_BASENAME=y |
| 214 | CONFIG_CAT=y |
| 215 | CONFIG_FEATURE_CATN=y |
| 216 | CONFIG_FEATURE_CATV=y |
| 217 | CONFIG_CHGRP=y |
| 218 | CONFIG_CHMOD=y |
| 219 | CONFIG_CHOWN=y |
| 220 | CONFIG_FEATURE_CHOWN_LONG_OPTIONS=y |
| 221 | CONFIG_CHROOT=y |
| 222 | # CONFIG_CKSUM is not set |
| 223 | # CONFIG_CRC32 is not set |
| 224 | CONFIG_COMM=y |
| 225 | CONFIG_CP=y |
| 226 | CONFIG_FEATURE_CP_LONG_OPTIONS=y |
| 227 | CONFIG_FEATURE_CP_REFLINK=y |
| 228 | CONFIG_CUT=y |
| 229 | CONFIG_FEATURE_CUT_REGEX=y |
| 230 | CONFIG_DATE=y |
| 231 | CONFIG_FEATURE_DATE_ISOFMT=y |
| 232 | # CONFIG_FEATURE_DATE_NANO is not set |
| 233 | CONFIG_FEATURE_DATE_COMPAT=y |
| 234 | CONFIG_DD=y |
| 235 | CONFIG_FEATURE_DD_SIGNAL_HANDLING=y |
| 236 | CONFIG_FEATURE_DD_THIRD_STATUS_LINE=y |
| 237 | CONFIG_FEATURE_DD_IBS_OBS=y |
| 238 | CONFIG_FEATURE_DD_STATUS=y |
| 239 | CONFIG_DF=y |
| 240 | CONFIG_FEATURE_DF_FANCY=y |
| 241 | CONFIG_FEATURE_SKIP_ROOTFS=y |
| 242 | CONFIG_DIRNAME=y |
| 243 | CONFIG_DOS2UNIX=y |
| 244 | CONFIG_UNIX2DOS=y |
| 245 | CONFIG_DU=y |
| 246 | CONFIG_FEATURE_DU_DEFAULT_BLOCKSIZE_1K=y |
| 247 | # CONFIG_ECHO is not set |
| 248 | CONFIG_FEATURE_FANCY_ECHO=y |
| 249 | CONFIG_ENV=y |
| 250 | CONFIG_EXPAND=y |
| 251 | CONFIG_UNEXPAND=y |
| 252 | CONFIG_EXPR=y |
| 253 | CONFIG_EXPR_MATH_SUPPORT_64=y |
| 254 | # CONFIG_FACTOR is not set |
| 255 | CONFIG_FALSE=y |
| 256 | CONFIG_FOLD=y |
| 257 | CONFIG_HEAD=y |
| 258 | CONFIG_FEATURE_FANCY_HEAD=y |
| 259 | CONFIG_HOSTID=y |
| 260 | CONFIG_ID=y |
| 261 | CONFIG_GROUPS=y |
| 262 | CONFIG_INSTALL=y |
| 263 | CONFIG_FEATURE_INSTALL_LONG_OPTIONS=y |
| 264 | CONFIG_LINK=y |
| 265 | CONFIG_LN=y |
| 266 | # CONFIG_LOGNAME is not set |
| 267 | CONFIG_LS=y |
| 268 | CONFIG_FEATURE_LS_FILETYPES=y |
| 269 | CONFIG_FEATURE_LS_FOLLOWLINKS=y |
| 270 | CONFIG_FEATURE_LS_RECURSIVE=y |
| 271 | CONFIG_FEATURE_LS_WIDTH=y |
| 272 | CONFIG_FEATURE_LS_SORTFILES=y |
| 273 | CONFIG_FEATURE_LS_TIMESTAMPS=y |
| 274 | CONFIG_FEATURE_LS_USERNAME=y |
| 275 | CONFIG_FEATURE_LS_COLOR=y |
| 276 | CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y |
| 277 | # CONFIG_MD5SUM is not set |
| 278 | # CONFIG_SHA1SUM is not set |
| 279 | # CONFIG_SHA256SUM is not set |
| 280 | # CONFIG_SHA512SUM is not set |
| 281 | # CONFIG_SHA3SUM is not set |
| 282 | # CONFIG_FEATURE_MD5_SHA1_SUM_CHECK is not set |
| 283 | CONFIG_MKDIR=y |
| 284 | CONFIG_MKFIFO=y |
| 285 | CONFIG_MKNOD=y |
| 286 | CONFIG_MKTEMP=y |
| 287 | CONFIG_MV=y |
| 288 | CONFIG_NICE=y |
| 289 | CONFIG_NL=y |
| 290 | CONFIG_NOHUP=y |
| 291 | CONFIG_NPROC=y |
| 292 | CONFIG_OD=y |
| 293 | CONFIG_PASTE=y |
| 294 | # CONFIG_PRINTENV is not set |
| 295 | # CONFIG_PRINTF is not set |
| 296 | CONFIG_PWD=y |
| 297 | CONFIG_READLINK=y |
| 298 | CONFIG_FEATURE_READLINK_FOLLOW=y |
| 299 | CONFIG_REALPATH=y |
| 300 | CONFIG_RM=y |
| 301 | CONFIG_RMDIR=y |
| 302 | CONFIG_SEQ=y |
| 303 | CONFIG_SHRED=y |
| 304 | CONFIG_SHUF=y |
| 305 | CONFIG_SLEEP=y |
| 306 | CONFIG_FEATURE_FANCY_SLEEP=y |
| 307 | CONFIG_SORT=y |
| 308 | # CONFIG_FEATURE_SORT_BIG is not set |
| 309 | # CONFIG_FEATURE_SORT_OPTIMIZE_MEMORY is not set |
| 310 | CONFIG_SPLIT=y |
| 311 | CONFIG_FEATURE_SPLIT_FANCY=y |
| 312 | CONFIG_STAT=y |
| 313 | CONFIG_FEATURE_STAT_FORMAT=y |
| 314 | CONFIG_FEATURE_STAT_FILESYSTEM=y |
| 315 | CONFIG_STTY=y |
| 316 | # CONFIG_SUM is not set |
| 317 | CONFIG_SYNC=y |
| 318 | CONFIG_FEATURE_SYNC_FANCY=y |
| 319 | CONFIG_FSYNC=y |
| 320 | CONFIG_TAC=y |
| 321 | CONFIG_TAIL=y |
| 322 | CONFIG_FEATURE_FANCY_TAIL=y |
| 323 | CONFIG_TEE=y |
| 324 | CONFIG_FEATURE_TEE_USE_BLOCK_IO=y |
| 325 | # CONFIG_TEST is not set |
| 326 | # CONFIG_TEST1 is not set |
| 327 | # CONFIG_TEST2 is not set |
| 328 | # CONFIG_FEATURE_TEST_64 is not set |
| 329 | CONFIG_TIMEOUT=y |
| 330 | CONFIG_TOUCH=y |
| 331 | CONFIG_FEATURE_TOUCH_SUSV3=y |
| 332 | CONFIG_TR=y |
| 333 | CONFIG_FEATURE_TR_CLASSES=y |
| 334 | CONFIG_FEATURE_TR_EQUIV=y |
| 335 | CONFIG_TRUE=y |
| 336 | CONFIG_TRUNCATE=y |
| 337 | CONFIG_TTY=y |
| 338 | CONFIG_UNAME=y |
| 339 | CONFIG_UNAME_OSNAME="GNU/Linux" |
| 340 | CONFIG_BB_ARCH=y |
| 341 | CONFIG_UNIQ=y |
| 342 | CONFIG_UNLINK=y |
| 343 | CONFIG_USLEEP=y |
| 344 | CONFIG_UUDECODE=y |
| 345 | CONFIG_BASE32=y |
| 346 | CONFIG_BASE64=y |
| 347 | CONFIG_UUENCODE=y |
| 348 | CONFIG_WC=y |
| 349 | CONFIG_FEATURE_WC_LARGE=y |
| 350 | CONFIG_WHO=y |
| 351 | CONFIG_W=y |
| 352 | CONFIG_USERS=y |
| 353 | CONFIG_WHOAMI=y |
| 354 | CONFIG_YES=y |
| 355 | |
| 356 | # |
| 357 | # Console Utilities |
| 358 | # |
| 359 | # CONFIG_CHVT is not set |
| 360 | CONFIG_CLEAR=y |
| 361 | # CONFIG_DEALLOCVT is not set |
| 362 | # CONFIG_DUMPKMAP is not set |
| 363 | # CONFIG_FGCONSOLE is not set |
| 364 | # CONFIG_KBD_MODE is not set |
| 365 | # CONFIG_LOADFONT is not set |
| 366 | # CONFIG_SETFONT is not set |
| 367 | # CONFIG_FEATURE_SETFONT_TEXTUAL_MAP is not set |
| 368 | CONFIG_DEFAULT_SETFONT_DIR="" |
| 369 | # CONFIG_FEATURE_LOADFONT_PSF2 is not set |
| 370 | # CONFIG_FEATURE_LOADFONT_RAW is not set |
| 371 | # CONFIG_LOADKMAP is not set |
| 372 | # CONFIG_OPENVT is not set |
| 373 | # CONFIG_RESET is not set |
| 374 | # CONFIG_RESIZE is not set |
| 375 | # CONFIG_FEATURE_RESIZE_PRINT is not set |
| 376 | # CONFIG_SETCONSOLE is not set |
| 377 | # CONFIG_FEATURE_SETCONSOLE_LONG_OPTIONS is not set |
| 378 | # CONFIG_SETKEYCODES is not set |
| 379 | # CONFIG_SETLOGCONS is not set |
| 380 | # CONFIG_SHOWKEY is not set |
| 381 | |
| 382 | # |
| 383 | # Debian Utilities |
| 384 | # |
| 385 | # CONFIG_PIPE_PROGRESS is not set |
| 386 | # CONFIG_RUN_PARTS is not set |
| 387 | # CONFIG_FEATURE_RUN_PARTS_LONG_OPTIONS is not set |
| 388 | # CONFIG_FEATURE_RUN_PARTS_FANCY is not set |
| 389 | # CONFIG_START_STOP_DAEMON is not set |
| 390 | # CONFIG_FEATURE_START_STOP_DAEMON_LONG_OPTIONS is not set |
| 391 | # CONFIG_FEATURE_START_STOP_DAEMON_FANCY is not set |
| 392 | CONFIG_WHICH=y |
| 393 | |
| 394 | # |
| 395 | # klibc-utils |
| 396 | # |
| 397 | # CONFIG_MINIPS is not set |
| 398 | # CONFIG_NUKE is not set |
| 399 | # CONFIG_RESUME is not set |
| 400 | # CONFIG_RUN_INIT is not set |
| 401 | |
| 402 | # |
| 403 | # Editors |
| 404 | # |
| 405 | # CONFIG_AWK is not set |
| 406 | # CONFIG_FEATURE_AWK_LIBM is not set |
| 407 | # CONFIG_FEATURE_AWK_GNU_EXTENSIONS is not set |
| 408 | # CONFIG_CMP is not set |
| 409 | CONFIG_DIFF=y |
| 410 | CONFIG_FEATURE_DIFF_LONG_OPTIONS=y |
| 411 | CONFIG_FEATURE_DIFF_DIR=y |
| 412 | # CONFIG_ED is not set |
| 413 | CONFIG_PATCH=y |
| 414 | CONFIG_SED=y |
| 415 | CONFIG_VI=y |
| 416 | CONFIG_FEATURE_VI_MAX_LEN=4096 |
| 417 | # CONFIG_FEATURE_VI_8BIT is not set |
| 418 | CONFIG_FEATURE_VI_COLON=y |
| 419 | CONFIG_FEATURE_VI_COLON_EXPAND=y |
| 420 | CONFIG_FEATURE_VI_YANKMARK=y |
| 421 | CONFIG_FEATURE_VI_SEARCH=y |
| 422 | # CONFIG_FEATURE_VI_REGEX_SEARCH is not set |
| 423 | CONFIG_FEATURE_VI_USE_SIGNALS=y |
| 424 | CONFIG_FEATURE_VI_DOT_CMD=y |
| 425 | CONFIG_FEATURE_VI_READONLY=y |
| 426 | CONFIG_FEATURE_VI_SETOPTS=y |
| 427 | CONFIG_FEATURE_VI_SET=y |
| 428 | CONFIG_FEATURE_VI_WIN_RESIZE=y |
| 429 | CONFIG_FEATURE_VI_ASK_TERMINAL=y |
| 430 | CONFIG_FEATURE_VI_UNDO=y |
| 431 | CONFIG_FEATURE_VI_UNDO_QUEUE=y |
| 432 | CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256 |
| 433 | CONFIG_FEATURE_VI_VERBOSE_STATUS=y |
| 434 | CONFIG_FEATURE_ALLOW_EXEC=y |
| 435 | |
| 436 | # |
| 437 | # Finding Utilities |
| 438 | # |
| 439 | CONFIG_FIND=y |
| 440 | CONFIG_FEATURE_FIND_PRINT0=y |
| 441 | CONFIG_FEATURE_FIND_MTIME=y |
| 442 | CONFIG_FEATURE_FIND_ATIME=y |
| 443 | CONFIG_FEATURE_FIND_CTIME=y |
| 444 | CONFIG_FEATURE_FIND_MMIN=y |
| 445 | CONFIG_FEATURE_FIND_AMIN=y |
| 446 | CONFIG_FEATURE_FIND_CMIN=y |
| 447 | CONFIG_FEATURE_FIND_PERM=y |
| 448 | CONFIG_FEATURE_FIND_TYPE=y |
| 449 | CONFIG_FEATURE_FIND_EXECUTABLE=y |
| 450 | CONFIG_FEATURE_FIND_XDEV=y |
| 451 | CONFIG_FEATURE_FIND_MAXDEPTH=y |
| 452 | CONFIG_FEATURE_FIND_NEWER=y |
| 453 | CONFIG_FEATURE_FIND_INUM=y |
| 454 | CONFIG_FEATURE_FIND_SAMEFILE=y |
| 455 | CONFIG_FEATURE_FIND_EXEC=y |
| 456 | CONFIG_FEATURE_FIND_EXEC_PLUS=y |
| 457 | CONFIG_FEATURE_FIND_USER=y |
| 458 | CONFIG_FEATURE_FIND_GROUP=y |
| 459 | CONFIG_FEATURE_FIND_NOT=y |
| 460 | CONFIG_FEATURE_FIND_DEPTH=y |
| 461 | CONFIG_FEATURE_FIND_PAREN=y |
| 462 | CONFIG_FEATURE_FIND_SIZE=y |
| 463 | CONFIG_FEATURE_FIND_PRUNE=y |
| 464 | CONFIG_FEATURE_FIND_QUIT=y |
| 465 | CONFIG_FEATURE_FIND_DELETE=y |
| 466 | CONFIG_FEATURE_FIND_EMPTY=y |
| 467 | CONFIG_FEATURE_FIND_PATH=y |
| 468 | CONFIG_FEATURE_FIND_REGEX=y |
| 469 | # CONFIG_FEATURE_FIND_CONTEXT is not set |
| 470 | CONFIG_FEATURE_FIND_LINKS=y |
| 471 | CONFIG_GREP=y |
| 472 | # CONFIG_EGREP is not set |
| 473 | # CONFIG_FGREP is not set |
| 474 | CONFIG_FEATURE_GREP_CONTEXT=y |
| 475 | CONFIG_XARGS=y |
| 476 | CONFIG_FEATURE_XARGS_SUPPORT_CONFIRMATION=y |
| 477 | CONFIG_FEATURE_XARGS_SUPPORT_QUOTES=y |
| 478 | CONFIG_FEATURE_XARGS_SUPPORT_TERMOPT=y |
| 479 | CONFIG_FEATURE_XARGS_SUPPORT_ZERO_TERM=y |
| 480 | CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y |
| 481 | CONFIG_FEATURE_XARGS_SUPPORT_PARALLEL=y |
| 482 | CONFIG_FEATURE_XARGS_SUPPORT_ARGS_FILE=y |
| 483 | |
| 484 | # |
| 485 | # Init Utilities |
| 486 | # |
| 487 | # CONFIG_BOOTCHARTD is not set |
| 488 | # CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set |
| 489 | # CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set |
| 490 | # CONFIG_HALT is not set |
| 491 | # CONFIG_POWEROFF is not set |
| 492 | # CONFIG_REBOOT is not set |
| 493 | # CONFIG_FEATURE_WAIT_FOR_INIT is not set |
| 494 | # CONFIG_FEATURE_CALL_TELINIT is not set |
| 495 | CONFIG_TELINIT_PATH="" |
| 496 | # CONFIG_INIT is not set |
| 497 | # CONFIG_LINUXRC is not set |
| 498 | # CONFIG_FEATURE_USE_INITTAB is not set |
| 499 | # CONFIG_FEATURE_KILL_REMOVED is not set |
| 500 | CONFIG_FEATURE_KILL_DELAY=0 |
| 501 | # CONFIG_FEATURE_INIT_SCTTY is not set |
| 502 | # CONFIG_FEATURE_INIT_SYSLOG is not set |
| 503 | # CONFIG_FEATURE_INIT_QUIET is not set |
| 504 | # CONFIG_FEATURE_INIT_COREDUMPS is not set |
| 505 | CONFIG_INIT_TERMINAL_TYPE="" |
| 506 | # CONFIG_FEATURE_INIT_MODIFY_CMDLINE is not set |
| 507 | |
| 508 | # |
| 509 | # Login/Password Management Utilities |
| 510 | # |
| 511 | # CONFIG_FEATURE_SHADOWPASSWDS is not set |
| 512 | CONFIG_USE_BB_PWD_GRP=y |
| 513 | # CONFIG_USE_BB_SHADOW is not set |
| 514 | CONFIG_USE_BB_CRYPT=y |
| 515 | CONFIG_USE_BB_CRYPT_SHA=y |
| 516 | # CONFIG_ADD_SHELL is not set |
| 517 | # CONFIG_REMOVE_SHELL is not set |
| 518 | CONFIG_ADDGROUP=y |
| 519 | # CONFIG_FEATURE_ADDUSER_TO_GROUP is not set |
| 520 | CONFIG_ADDUSER=y |
| 521 | # CONFIG_FEATURE_CHECK_NAMES is not set |
| 522 | CONFIG_LAST_ID=60000 |
| 523 | CONFIG_FIRST_SYSTEM_ID=100 |
| 524 | CONFIG_LAST_SYSTEM_ID=999 |
| 525 | # CONFIG_CHPASSWD is not set |
| 526 | CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="" |
| 527 | # CONFIG_CRYPTPW is not set |
| 528 | # CONFIG_MKPASSWD is not set |
| 529 | # CONFIG_DELUSER is not set |
| 530 | # CONFIG_DELGROUP is not set |
| 531 | # CONFIG_FEATURE_DEL_USER_FROM_GROUP is not set |
| 532 | # CONFIG_GETTY is not set |
| 533 | # CONFIG_LOGIN is not set |
| 534 | # CONFIG_LOGIN_SESSION_AS_CHILD is not set |
| 535 | # CONFIG_LOGIN_SCRIPTS is not set |
| 536 | # CONFIG_FEATURE_NOLOGIN is not set |
| 537 | # CONFIG_FEATURE_SECURETTY is not set |
| 538 | # CONFIG_PASSWD is not set |
| 539 | # CONFIG_FEATURE_PASSWD_WEAK_CHECK is not set |
| 540 | # CONFIG_SU is not set |
| 541 | # CONFIG_FEATURE_SU_SYSLOG is not set |
| 542 | # CONFIG_FEATURE_SU_CHECKS_SHELLS is not set |
| 543 | # CONFIG_FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY is not set |
| 544 | # CONFIG_SULOGIN is not set |
| 545 | # CONFIG_VLOCK is not set |
| 546 | |
| 547 | # |
| 548 | # Linux Ext2 FS Progs |
| 549 | # |
| 550 | # CONFIG_CHATTR is not set |
| 551 | # CONFIG_FSCK is not set |
| 552 | # CONFIG_LSATTR is not set |
| 553 | # CONFIG_TUNE2FS is not set |
| 554 | |
| 555 | # |
| 556 | # Linux Module Utilities |
| 557 | # |
| 558 | # CONFIG_MODPROBE_SMALL is not set |
| 559 | # CONFIG_DEPMOD is not set |
| 560 | # CONFIG_INSMOD is not set |
| 561 | # CONFIG_LSMOD is not set |
| 562 | # CONFIG_FEATURE_LSMOD_PRETTY_2_6_OUTPUT is not set |
| 563 | # CONFIG_MODINFO is not set |
| 564 | # CONFIG_MODPROBE is not set |
| 565 | # CONFIG_FEATURE_MODPROBE_BLACKLIST is not set |
| 566 | # CONFIG_RMMOD is not set |
| 567 | |
| 568 | # |
| 569 | # Options common to multiple modutils |
| 570 | # |
| 571 | # CONFIG_FEATURE_CMDLINE_MODULE_OPTIONS is not set |
| 572 | # CONFIG_FEATURE_MODPROBE_SMALL_CHECK_ALREADY_LOADED is not set |
| 573 | # CONFIG_FEATURE_2_4_MODULES is not set |
| 574 | # CONFIG_FEATURE_INSMOD_VERSION_CHECKING is not set |
| 575 | # CONFIG_FEATURE_INSMOD_KSYMOOPS_SYMBOLS is not set |
| 576 | # CONFIG_FEATURE_INSMOD_LOADINKMEM is not set |
| 577 | # CONFIG_FEATURE_INSMOD_LOAD_MAP is not set |
| 578 | # CONFIG_FEATURE_INSMOD_LOAD_MAP_FULL is not set |
| 579 | # CONFIG_FEATURE_CHECK_TAINTED_MODULE is not set |
| 580 | # CONFIG_FEATURE_INSMOD_TRY_MMAP is not set |
| 581 | # CONFIG_FEATURE_MODUTILS_ALIAS is not set |
| 582 | # CONFIG_FEATURE_MODUTILS_SYMBOLS is not set |
| 583 | CONFIG_DEFAULT_MODULES_DIR="" |
| 584 | CONFIG_DEFAULT_DEPMOD_FILE="" |
| 585 | |
| 586 | # |
| 587 | # Linux System Utilities |
| 588 | # |
| 589 | # CONFIG_ACPID is not set |
| 590 | # CONFIG_FEATURE_ACPID_COMPAT is not set |
| 591 | # CONFIG_BLKDISCARD is not set |
| 592 | # CONFIG_BLKID is not set |
| 593 | # CONFIG_FEATURE_BLKID_TYPE is not set |
| 594 | # CONFIG_BLOCKDEV is not set |
| 595 | # CONFIG_CAL is not set |
| 596 | # CONFIG_CHRT is not set |
| 597 | # CONFIG_DMESG is not set |
| 598 | # CONFIG_FEATURE_DMESG_PRETTY is not set |
| 599 | # CONFIG_EJECT is not set |
| 600 | # CONFIG_FEATURE_EJECT_SCSI is not set |
| 601 | # CONFIG_FALLOCATE is not set |
| 602 | # CONFIG_FATATTR is not set |
| 603 | # CONFIG_FBSET is not set |
| 604 | # CONFIG_FEATURE_FBSET_FANCY is not set |
| 605 | # CONFIG_FEATURE_FBSET_READMODE is not set |
| 606 | # CONFIG_FDFORMAT is not set |
| 607 | # CONFIG_FDISK is not set |
| 608 | # CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set |
| 609 | # CONFIG_FEATURE_FDISK_WRITABLE is not set |
| 610 | # CONFIG_FEATURE_AIX_LABEL is not set |
| 611 | # CONFIG_FEATURE_SGI_LABEL is not set |
| 612 | # CONFIG_FEATURE_SUN_LABEL is not set |
| 613 | # CONFIG_FEATURE_OSF_LABEL is not set |
| 614 | # CONFIG_FEATURE_GPT_LABEL is not set |
| 615 | # CONFIG_FEATURE_FDISK_ADVANCED is not set |
| 616 | # CONFIG_FINDFS is not set |
| 617 | # CONFIG_FLOCK is not set |
| 618 | # CONFIG_FDFLUSH is not set |
| 619 | # CONFIG_FREERAMDISK is not set |
| 620 | # CONFIG_FSCK_MINIX is not set |
| 621 | # CONFIG_FSFREEZE is not set |
| 622 | # CONFIG_FSTRIM is not set |
| 623 | # CONFIG_GETOPT is not set |
| 624 | # CONFIG_FEATURE_GETOPT_LONG is not set |
| 625 | CONFIG_HEXDUMP=y |
| 626 | CONFIG_HD=y |
| 627 | CONFIG_XXD=y |
| 628 | # CONFIG_HWCLOCK is not set |
| 629 | # CONFIG_FEATURE_HWCLOCK_ADJTIME_FHS is not set |
| 630 | # CONFIG_IONICE is not set |
| 631 | # CONFIG_IPCRM is not set |
| 632 | # CONFIG_IPCS is not set |
| 633 | # CONFIG_LAST is not set |
| 634 | # CONFIG_FEATURE_LAST_FANCY is not set |
| 635 | # CONFIG_LOSETUP is not set |
| 636 | # CONFIG_LSPCI is not set |
| 637 | # CONFIG_LSUSB is not set |
| 638 | # CONFIG_MDEV is not set |
| 639 | # CONFIG_FEATURE_MDEV_CONF is not set |
| 640 | # CONFIG_FEATURE_MDEV_RENAME is not set |
| 641 | # CONFIG_FEATURE_MDEV_RENAME_REGEXP is not set |
| 642 | # CONFIG_FEATURE_MDEV_EXEC is not set |
| 643 | # CONFIG_FEATURE_MDEV_LOAD_FIRMWARE is not set |
| 644 | # CONFIG_FEATURE_MDEV_DAEMON is not set |
| 645 | # CONFIG_MESG is not set |
| 646 | # CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP is not set |
| 647 | # CONFIG_MKE2FS is not set |
| 648 | # CONFIG_MKFS_EXT2 is not set |
| 649 | # CONFIG_MKFS_MINIX is not set |
| 650 | # CONFIG_FEATURE_MINIX2 is not set |
| 651 | # CONFIG_MKFS_REISER is not set |
| 652 | # CONFIG_MKDOSFS is not set |
| 653 | # CONFIG_MKFS_VFAT is not set |
| 654 | # CONFIG_MKSWAP is not set |
| 655 | # CONFIG_FEATURE_MKSWAP_UUID is not set |
| 656 | CONFIG_MORE=y |
| 657 | CONFIG_MOUNT=y |
| 658 | CONFIG_FEATURE_MOUNT_FAKE=y |
| 659 | CONFIG_FEATURE_MOUNT_VERBOSE=y |
| 660 | # CONFIG_FEATURE_MOUNT_HELPERS is not set |
| 661 | # CONFIG_FEATURE_MOUNT_LABEL is not set |
| 662 | # CONFIG_FEATURE_MOUNT_NFS is not set |
| 663 | # CONFIG_FEATURE_MOUNT_CIFS is not set |
| 664 | CONFIG_FEATURE_MOUNT_FLAGS=y |
| 665 | CONFIG_FEATURE_MOUNT_FSTAB=y |
| 666 | CONFIG_FEATURE_MOUNT_OTHERTAB=y |
| 667 | # CONFIG_MOUNTPOINT is not set |
| 668 | CONFIG_NOLOGIN=y |
| 669 | # CONFIG_NOLOGIN_DEPENDENCIES is not set |
| 670 | # CONFIG_NSENTER is not set |
| 671 | # CONFIG_PIVOT_ROOT is not set |
| 672 | # CONFIG_RDATE is not set |
| 673 | # CONFIG_RDEV is not set |
| 674 | # CONFIG_READPROFILE is not set |
| 675 | CONFIG_RENICE=y |
| 676 | CONFIG_REV=y |
| 677 | # CONFIG_RTCWAKE is not set |
| 678 | # CONFIG_SCRIPT is not set |
| 679 | # CONFIG_SCRIPTREPLAY is not set |
| 680 | # CONFIG_SETARCH is not set |
| 681 | # CONFIG_LINUX32 is not set |
| 682 | # CONFIG_LINUX64 is not set |
| 683 | # CONFIG_SETPRIV is not set |
| 684 | # CONFIG_FEATURE_SETPRIV_DUMP is not set |
| 685 | # CONFIG_FEATURE_SETPRIV_CAPABILITIES is not set |
| 686 | # CONFIG_FEATURE_SETPRIV_CAPABILITY_NAMES is not set |
| 687 | # CONFIG_SETSID is not set |
| 688 | # CONFIG_SWAPON is not set |
| 689 | # CONFIG_FEATURE_SWAPON_DISCARD is not set |
| 690 | # CONFIG_FEATURE_SWAPON_PRI is not set |
| 691 | # CONFIG_SWAPOFF is not set |
| 692 | # CONFIG_FEATURE_SWAPONOFF_LABEL is not set |
| 693 | # CONFIG_SWITCH_ROOT is not set |
| 694 | # CONFIG_TASKSET is not set |
| 695 | # CONFIG_FEATURE_TASKSET_FANCY is not set |
| 696 | # CONFIG_FEATURE_TASKSET_CPULIST is not set |
| 697 | # CONFIG_UEVENT is not set |
| 698 | CONFIG_UMOUNT=y |
| 699 | CONFIG_FEATURE_UMOUNT_ALL=y |
| 700 | # CONFIG_UNSHARE is not set |
| 701 | # CONFIG_WALL is not set |
| 702 | |
| 703 | # |
| 704 | # Common options for mount/umount |
| 705 | # |
| 706 | # CONFIG_FEATURE_MOUNT_LOOP is not set |
| 707 | # CONFIG_FEATURE_MOUNT_LOOP_CREATE is not set |
| 708 | # CONFIG_FEATURE_MTAB_SUPPORT is not set |
| 709 | # CONFIG_VOLUMEID is not set |
| 710 | # CONFIG_FEATURE_VOLUMEID_BCACHE is not set |
| 711 | # CONFIG_FEATURE_VOLUMEID_BTRFS is not set |
| 712 | # CONFIG_FEATURE_VOLUMEID_CRAMFS is not set |
| 713 | # CONFIG_FEATURE_VOLUMEID_EROFS is not set |
| 714 | # CONFIG_FEATURE_VOLUMEID_EXFAT is not set |
| 715 | # CONFIG_FEATURE_VOLUMEID_EXT is not set |
| 716 | # CONFIG_FEATURE_VOLUMEID_F2FS is not set |
| 717 | # CONFIG_FEATURE_VOLUMEID_FAT is not set |
| 718 | # CONFIG_FEATURE_VOLUMEID_HFS is not set |
| 719 | # CONFIG_FEATURE_VOLUMEID_ISO9660 is not set |
| 720 | # CONFIG_FEATURE_VOLUMEID_JFS is not set |
| 721 | # CONFIG_FEATURE_VOLUMEID_LFS is not set |
| 722 | # CONFIG_FEATURE_VOLUMEID_LINUXRAID is not set |
| 723 | # CONFIG_FEATURE_VOLUMEID_LINUXSWAP is not set |
| 724 | # CONFIG_FEATURE_VOLUMEID_LUKS is not set |
| 725 | # CONFIG_FEATURE_VOLUMEID_MINIX is not set |
| 726 | # CONFIG_FEATURE_VOLUMEID_NILFS is not set |
| 727 | # CONFIG_FEATURE_VOLUMEID_NTFS is not set |
| 728 | # CONFIG_FEATURE_VOLUMEID_OCFS2 is not set |
| 729 | # CONFIG_FEATURE_VOLUMEID_REISERFS is not set |
| 730 | # CONFIG_FEATURE_VOLUMEID_ROMFS is not set |
| 731 | # CONFIG_FEATURE_VOLUMEID_SQUASHFS is not set |
| 732 | # CONFIG_FEATURE_VOLUMEID_SYSV is not set |
| 733 | # CONFIG_FEATURE_VOLUMEID_UBIFS is not set |
| 734 | # CONFIG_FEATURE_VOLUMEID_UDF is not set |
| 735 | # CONFIG_FEATURE_VOLUMEID_XFS is not set |
| 736 | |
| 737 | # |
| 738 | # Miscellaneous Utilities |
| 739 | # |
| 740 | # CONFIG_ADJTIMEX is not set |
| 741 | # CONFIG_ASCII is not set |
| 742 | # CONFIG_BBCONFIG is not set |
| 743 | # CONFIG_FEATURE_COMPRESS_BBCONFIG is not set |
| 744 | CONFIG_BC=y |
| 745 | # CONFIG_DC is not set |
| 746 | CONFIG_FEATURE_DC_BIG=y |
| 747 | # CONFIG_FEATURE_DC_LIBM is not set |
| 748 | # CONFIG_FEATURE_BC_INTERACTIVE is not set |
| 749 | # CONFIG_FEATURE_BC_LONG_OPTIONS is not set |
| 750 | # CONFIG_BEEP is not set |
| 751 | CONFIG_FEATURE_BEEP_FREQ=0 |
| 752 | CONFIG_FEATURE_BEEP_LENGTH_MS=0 |
| 753 | # CONFIG_CHAT is not set |
| 754 | # CONFIG_FEATURE_CHAT_NOFAIL is not set |
| 755 | # CONFIG_FEATURE_CHAT_TTY_HIFI is not set |
| 756 | # CONFIG_FEATURE_CHAT_IMPLICIT_CR is not set |
| 757 | # CONFIG_FEATURE_CHAT_SWALLOW_OPTS is not set |
| 758 | # CONFIG_FEATURE_CHAT_SEND_ESCAPES is not set |
| 759 | # CONFIG_FEATURE_CHAT_VAR_ABORT_LEN is not set |
| 760 | # CONFIG_FEATURE_CHAT_CLR_ABORT is not set |
| 761 | # CONFIG_CONSPY is not set |
| 762 | CONFIG_CROND=y |
| 763 | CONFIG_FEATURE_CROND_D=y |
| 764 | CONFIG_FEATURE_CROND_CALL_SENDMAIL=y |
| 765 | CONFIG_FEATURE_CROND_SPECIAL_TIMES=y |
| 766 | CONFIG_FEATURE_CROND_DIR="/var/spool/cron" |
| 767 | CONFIG_CRONTAB=y |
| 768 | # CONFIG_DEVFSD is not set |
| 769 | # CONFIG_DEVFSD_MODLOAD is not set |
| 770 | # CONFIG_DEVFSD_FG_NP is not set |
| 771 | # CONFIG_DEVFSD_VERBOSE is not set |
| 772 | # CONFIG_FEATURE_DEVFS is not set |
| 773 | # CONFIG_DEVMEM is not set |
| 774 | # CONFIG_FBSPLASH is not set |
| 775 | # CONFIG_FLASH_ERASEALL is not set |
| 776 | # CONFIG_FLASH_LOCK is not set |
| 777 | # CONFIG_FLASH_UNLOCK is not set |
| 778 | # CONFIG_FLASHCP is not set |
| 779 | # CONFIG_HDPARM is not set |
| 780 | # CONFIG_FEATURE_HDPARM_GET_IDENTITY is not set |
| 781 | # CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF is not set |
| 782 | # CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF is not set |
| 783 | # CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET is not set |
| 784 | # CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF is not set |
| 785 | # CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA is not set |
| 786 | CONFIG_HEXEDIT=y |
| 787 | # CONFIG_I2CGET is not set |
| 788 | # CONFIG_I2CSET is not set |
| 789 | # CONFIG_I2CDUMP is not set |
| 790 | # CONFIG_I2CDETECT is not set |
| 791 | # CONFIG_I2CTRANSFER is not set |
| 792 | # CONFIG_INOTIFYD is not set |
| 793 | CONFIG_LESS=y |
| 794 | CONFIG_FEATURE_LESS_MAXLINES=9999999 |
| 795 | CONFIG_FEATURE_LESS_BRACKETS=y |
| 796 | CONFIG_FEATURE_LESS_FLAGS=y |
| 797 | CONFIG_FEATURE_LESS_TRUNCATE=y |
| 798 | CONFIG_FEATURE_LESS_MARKS=y |
| 799 | CONFIG_FEATURE_LESS_REGEXP=y |
| 800 | CONFIG_FEATURE_LESS_WINCH=y |
| 801 | CONFIG_FEATURE_LESS_ASK_TERMINAL=y |
| 802 | CONFIG_FEATURE_LESS_DASHCMD=y |
| 803 | CONFIG_FEATURE_LESS_LINENUMS=y |
| 804 | CONFIG_FEATURE_LESS_RAW=y |
| 805 | CONFIG_FEATURE_LESS_ENV=y |
| 806 | # CONFIG_LSSCSI is not set |
| 807 | # CONFIG_MAKEDEVS is not set |
| 808 | # CONFIG_FEATURE_MAKEDEVS_LEAF is not set |
| 809 | # CONFIG_FEATURE_MAKEDEVS_TABLE is not set |
| 810 | # CONFIG_MAN is not set |
| 811 | # CONFIG_MICROCOM is not set |
| 812 | # CONFIG_MIM is not set |
| 813 | # CONFIG_MT is not set |
| 814 | # CONFIG_NANDWRITE is not set |
| 815 | # CONFIG_NANDDUMP is not set |
| 816 | # CONFIG_PARTPROBE is not set |
| 817 | # CONFIG_RAIDAUTORUN is not set |
| 818 | # CONFIG_READAHEAD is not set |
| 819 | # CONFIG_RFKILL is not set |
| 820 | # CONFIG_RUNLEVEL is not set |
| 821 | # CONFIG_RX is not set |
| 822 | # CONFIG_SETFATTR is not set |
| 823 | # CONFIG_SETSERIAL is not set |
| 824 | CONFIG_STRINGS=y |
| 825 | CONFIG_TIME=y |
| 826 | # CONFIG_TS is not set |
| 827 | # CONFIG_TTYSIZE is not set |
| 828 | # CONFIG_UBIATTACH is not set |
| 829 | # CONFIG_UBIDETACH is not set |
| 830 | # CONFIG_UBIMKVOL is not set |
| 831 | # CONFIG_UBIRMVOL is not set |
| 832 | # CONFIG_UBIRSVOL is not set |
| 833 | # CONFIG_UBIUPDATEVOL is not set |
| 834 | # CONFIG_UBIRENAME is not set |
| 835 | # CONFIG_VOLNAME is not set |
| 836 | # CONFIG_WATCHDOG is not set |
| 837 | # CONFIG_FEATURE_WATCHDOG_OPEN_TWICE is not set |
| 838 | |
| 839 | # |
| 840 | # Networking Utilities |
| 841 | # |
| 842 | CONFIG_FEATURE_IPV6=y |
| 843 | # CONFIG_FEATURE_UNIX_LOCAL is not set |
| 844 | CONFIG_FEATURE_PREFER_IPV4_ADDRESS=y |
| 845 | # CONFIG_VERBOSE_RESOLUTION_ERRORS is not set |
| 846 | # CONFIG_FEATURE_ETC_NETWORKS is not set |
| 847 | # CONFIG_FEATURE_ETC_SERVICES is not set |
| 848 | # CONFIG_FEATURE_HWIB is not set |
| 849 | # CONFIG_FEATURE_TLS_SHA1 is not set |
| 850 | # CONFIG_ARP is not set |
| 851 | # CONFIG_ARPING is not set |
| 852 | # CONFIG_BRCTL is not set |
| 853 | # CONFIG_FEATURE_BRCTL_FANCY is not set |
| 854 | # CONFIG_FEATURE_BRCTL_SHOW is not set |
| 855 | # CONFIG_DNSD is not set |
| 856 | # CONFIG_ETHER_WAKE is not set |
| 857 | # CONFIG_FTPD is not set |
| 858 | # CONFIG_FEATURE_FTPD_WRITE is not set |
| 859 | # CONFIG_FEATURE_FTPD_ACCEPT_BROKEN_LIST is not set |
| 860 | # CONFIG_FEATURE_FTPD_AUTHENTICATION is not set |
| 861 | # CONFIG_FTPGET is not set |
| 862 | # CONFIG_FTPPUT is not set |
| 863 | # CONFIG_FEATURE_FTPGETPUT_LONG_OPTIONS is not set |
| 864 | # CONFIG_HOSTNAME is not set |
| 865 | # CONFIG_DNSDOMAINNAME is not set |
| 866 | # CONFIG_HTTPD is not set |
| 867 | CONFIG_FEATURE_HTTPD_PORT_DEFAULT=0 |
| 868 | # CONFIG_FEATURE_HTTPD_RANGES is not set |
| 869 | # CONFIG_FEATURE_HTTPD_SETUID is not set |
| 870 | # CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set |
| 871 | # CONFIG_FEATURE_HTTPD_AUTH_MD5 is not set |
| 872 | # CONFIG_FEATURE_HTTPD_CGI is not set |
| 873 | # CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR is not set |
| 874 | # CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set |
| 875 | # CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set |
| 876 | # CONFIG_FEATURE_HTTPD_ERROR_PAGES is not set |
| 877 | # CONFIG_FEATURE_HTTPD_PROXY is not set |
| 878 | # CONFIG_FEATURE_HTTPD_GZIP is not set |
| 879 | # CONFIG_FEATURE_HTTPD_ETAG is not set |
| 880 | # CONFIG_FEATURE_HTTPD_LAST_MODIFIED is not set |
| 881 | # CONFIG_FEATURE_HTTPD_DATE is not set |
| 882 | # CONFIG_FEATURE_HTTPD_ACL_IP is not set |
| 883 | CONFIG_IFCONFIG=y |
| 884 | CONFIG_FEATURE_IFCONFIG_STATUS=y |
| 885 | # CONFIG_FEATURE_IFCONFIG_SLIP is not set |
| 886 | CONFIG_FEATURE_IFCONFIG_MEMSTART_IOADDR_IRQ=y |
| 887 | CONFIG_FEATURE_IFCONFIG_HW=y |
| 888 | CONFIG_FEATURE_IFCONFIG_BROADCAST_PLUS=y |
| 889 | # CONFIG_IFENSLAVE is not set |
| 890 | # CONFIG_IFPLUGD is not set |
| 891 | # CONFIG_IFUP is not set |
| 892 | # CONFIG_IFDOWN is not set |
| 893 | CONFIG_IFUPDOWN_IFSTATE_PATH="" |
| 894 | # CONFIG_FEATURE_IFUPDOWN_IP is not set |
| 895 | # CONFIG_FEATURE_IFUPDOWN_IPV4 is not set |
| 896 | # CONFIG_FEATURE_IFUPDOWN_IPV6 is not set |
| 897 | # CONFIG_FEATURE_IFUPDOWN_MAPPING is not set |
| 898 | # CONFIG_FEATURE_IFUPDOWN_EXTERNAL_DHCP is not set |
| 899 | CONFIG_INETD=y |
| 900 | # CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_ECHO is not set |
| 901 | # CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DISCARD is not set |
| 902 | # CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_TIME is not set |
| 903 | # CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DAYTIME is not set |
| 904 | # CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_CHARGEN is not set |
| 905 | # CONFIG_FEATURE_INETD_RPC is not set |
| 906 | CONFIG_IP=y |
| 907 | # CONFIG_IPADDR is not set |
| 908 | # CONFIG_IPLINK is not set |
| 909 | # CONFIG_IPROUTE is not set |
| 910 | # CONFIG_IPTUNNEL is not set |
| 911 | # CONFIG_IPRULE is not set |
| 912 | # CONFIG_IPNEIGH is not set |
| 913 | CONFIG_FEATURE_IP_ADDRESS=y |
| 914 | CONFIG_FEATURE_IP_LINK=y |
| 915 | CONFIG_FEATURE_IP_ROUTE=y |
| 916 | CONFIG_FEATURE_IP_ROUTE_DIR="/etc/iproute2" |
| 917 | # CONFIG_FEATURE_IP_TUNNEL is not set |
| 918 | # CONFIG_FEATURE_IP_RULE is not set |
| 919 | CONFIG_FEATURE_IP_NEIGH=y |
| 920 | # CONFIG_FEATURE_IP_RARE_PROTOCOLS is not set |
| 921 | CONFIG_IPCALC=y |
| 922 | CONFIG_FEATURE_IPCALC_LONG_OPTIONS=y |
| 923 | CONFIG_FEATURE_IPCALC_FANCY=y |
| 924 | # CONFIG_FAKEIDENTD is not set |
| 925 | # CONFIG_NAMEIF is not set |
| 926 | # CONFIG_FEATURE_NAMEIF_EXTENDED is not set |
| 927 | # CONFIG_NBDCLIENT is not set |
| 928 | CONFIG_NC=y |
| 929 | # CONFIG_NETCAT is not set |
| 930 | CONFIG_NC_SERVER=y |
| 931 | CONFIG_NC_EXTRA=y |
| 932 | CONFIG_NC_110_COMPAT=y |
| 933 | # CONFIG_NETSTAT is not set |
| 934 | # CONFIG_FEATURE_NETSTAT_WIDE is not set |
| 935 | # CONFIG_FEATURE_NETSTAT_PRG is not set |
| 936 | # CONFIG_NSLOOKUP is not set |
| 937 | # CONFIG_FEATURE_NSLOOKUP_BIG is not set |
| 938 | # CONFIG_FEATURE_NSLOOKUP_LONG_OPTIONS is not set |
| 939 | # CONFIG_NTPD is not set |
| 940 | # CONFIG_FEATURE_NTPD_SERVER is not set |
| 941 | # CONFIG_FEATURE_NTPD_CONF is not set |
| 942 | # CONFIG_FEATURE_NTP_AUTH is not set |
| 943 | # CONFIG_PING is not set |
| 944 | # CONFIG_PING6 is not set |
| 945 | # CONFIG_FEATURE_FANCY_PING is not set |
| 946 | # CONFIG_PSCAN is not set |
| 947 | CONFIG_ROUTE=y |
| 948 | # CONFIG_SLATTACH is not set |
| 949 | CONFIG_SSL_CLIENT=y |
| 950 | # CONFIG_TC is not set |
| 951 | # CONFIG_FEATURE_TC_INGRESS is not set |
| 952 | # CONFIG_TCPSVD is not set |
| 953 | # CONFIG_UDPSVD is not set |
| 954 | # CONFIG_TELNET is not set |
| 955 | # CONFIG_FEATURE_TELNET_TTYPE is not set |
| 956 | # CONFIG_FEATURE_TELNET_AUTOLOGIN is not set |
| 957 | # CONFIG_FEATURE_TELNET_WIDTH is not set |
| 958 | # CONFIG_TELNETD is not set |
| 959 | # CONFIG_FEATURE_TELNETD_STANDALONE is not set |
| 960 | CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0 |
| 961 | # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set |
| 962 | # CONFIG_TFTP is not set |
| 963 | # CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set |
| 964 | # CONFIG_FEATURE_TFTP_HPA_COMPAT is not set |
| 965 | # CONFIG_TFTPD is not set |
| 966 | # CONFIG_FEATURE_TFTP_GET is not set |
| 967 | # CONFIG_FEATURE_TFTP_PUT is not set |
| 968 | # CONFIG_FEATURE_TFTP_BLOCKSIZE is not set |
| 969 | # CONFIG_TFTP_DEBUG is not set |
| 970 | CONFIG_TLS=y |
| 971 | # CONFIG_TRACEROUTE is not set |
| 972 | # CONFIG_TRACEROUTE6 is not set |
| 973 | # CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set |
| 974 | # CONFIG_FEATURE_TRACEROUTE_USE_ICMP is not set |
| 975 | # CONFIG_TUNCTL is not set |
| 976 | # CONFIG_FEATURE_TUNCTL_UG is not set |
| 977 | # CONFIG_VCONFIG is not set |
| 978 | CONFIG_WGET=y |
| 979 | CONFIG_FEATURE_WGET_LONG_OPTIONS=y |
| 980 | CONFIG_FEATURE_WGET_STATUSBAR=y |
| 981 | CONFIG_FEATURE_WGET_FTP=y |
| 982 | CONFIG_FEATURE_WGET_AUTHENTICATION=y |
| 983 | CONFIG_FEATURE_WGET_TIMEOUT=y |
| 984 | CONFIG_FEATURE_WGET_HTTPS=y |
| 985 | CONFIG_FEATURE_WGET_OPENSSL=y |
| 986 | CONFIG_WHOIS=y |
| 987 | # CONFIG_ZCIP is not set |
| 988 | # CONFIG_UDHCPD is not set |
| 989 | # CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set |
| 990 | # CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY is not set |
| 991 | CONFIG_DHCPD_LEASES_FILE="" |
| 992 | # CONFIG_DUMPLEASES is not set |
| 993 | # CONFIG_DHCPRELAY is not set |
| 994 | # CONFIG_UDHCPC is not set |
| 995 | # CONFIG_FEATURE_UDHCPC_ARPING is not set |
| 996 | # CONFIG_FEATURE_UDHCPC_SANITIZEOPT is not set |
| 997 | CONFIG_UDHCPC_DEFAULT_SCRIPT="" |
| 998 | # CONFIG_UDHCPC6 is not set |
| 999 | # CONFIG_FEATURE_UDHCPC6_RFC3646 is not set |
| 1000 | # CONFIG_FEATURE_UDHCPC6_RFC4704 is not set |
| 1001 | # CONFIG_FEATURE_UDHCPC6_RFC4833 is not set |
| 1002 | # CONFIG_FEATURE_UDHCPC6_RFC5970 is not set |
| 1003 | CONFIG_UDHCPC_DEFAULT_INTERFACE="" |
| 1004 | # CONFIG_FEATURE_UDHCP_PORT is not set |
| 1005 | CONFIG_UDHCP_DEBUG=0 |
| 1006 | CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=0 |
| 1007 | # CONFIG_FEATURE_UDHCP_RFC3397 is not set |
| 1008 | # CONFIG_FEATURE_UDHCP_8021Q is not set |
| 1009 | CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS="" |
| 1010 | |
| 1011 | # |
| 1012 | # Print Utilities |
| 1013 | # |
| 1014 | # CONFIG_LPD is not set |
| 1015 | # CONFIG_LPR is not set |
| 1016 | # CONFIG_LPQ is not set |
| 1017 | |
| 1018 | # |
| 1019 | # Mail Utilities |
| 1020 | # |
| 1021 | CONFIG_FEATURE_MIME_CHARSET="utf-8" |
| 1022 | # CONFIG_MAKEMIME is not set |
| 1023 | # CONFIG_POPMAILDIR is not set |
| 1024 | # CONFIG_FEATURE_POPMAILDIR_DELIVERY is not set |
| 1025 | # CONFIG_REFORMIME is not set |
| 1026 | # CONFIG_FEATURE_REFORMIME_COMPAT is not set |
| 1027 | CONFIG_SENDMAIL=y |
| 1028 | |
| 1029 | # |
| 1030 | # Process Utilities |
| 1031 | # |
| 1032 | # CONFIG_FEATURE_FAST_TOP is not set |
| 1033 | CONFIG_FEATURE_SHOW_THREADS=y |
| 1034 | CONFIG_FREE=y |
| 1035 | CONFIG_FUSER=y |
| 1036 | CONFIG_IOSTAT=y |
| 1037 | CONFIG_KILL=y |
| 1038 | CONFIG_KILLALL=y |
| 1039 | # CONFIG_KILLALL5 is not set |
| 1040 | CONFIG_LSOF=y |
| 1041 | CONFIG_MPSTAT=y |
| 1042 | CONFIG_NMETER=y |
| 1043 | CONFIG_PGREP=y |
| 1044 | CONFIG_PKILL=y |
| 1045 | CONFIG_PIDOF=y |
| 1046 | CONFIG_FEATURE_PIDOF_SINGLE=y |
| 1047 | CONFIG_FEATURE_PIDOF_OMIT=y |
| 1048 | CONFIG_PMAP=y |
| 1049 | # CONFIG_POWERTOP is not set |
| 1050 | # CONFIG_FEATURE_POWERTOP_INTERACTIVE is not set |
| 1051 | CONFIG_PS=y |
| 1052 | # CONFIG_FEATURE_PS_WIDE is not set |
| 1053 | # CONFIG_FEATURE_PS_LONG is not set |
| 1054 | CONFIG_FEATURE_PS_TIME=y |
| 1055 | # CONFIG_FEATURE_PS_UNUSUAL_SYSTEMS is not set |
| 1056 | CONFIG_FEATURE_PS_ADDITIONAL_COLUMNS=y |
| 1057 | CONFIG_PSTREE=y |
| 1058 | CONFIG_PWDX=y |
| 1059 | CONFIG_SMEMCAP=y |
| 1060 | CONFIG_BB_SYSCTL=y |
| 1061 | CONFIG_TOP=y |
| 1062 | CONFIG_FEATURE_TOP_INTERACTIVE=y |
| 1063 | CONFIG_FEATURE_TOP_CPU_USAGE_PERCENTAGE=y |
| 1064 | CONFIG_FEATURE_TOP_CPU_GLOBAL_PERCENTS=y |
| 1065 | CONFIG_FEATURE_TOP_SMP_CPU=y |
| 1066 | CONFIG_FEATURE_TOP_DECIMALS=y |
| 1067 | CONFIG_FEATURE_TOP_SMP_PROCESS=y |
| 1068 | CONFIG_FEATURE_TOPMEM=y |
| 1069 | CONFIG_UPTIME=y |
| 1070 | CONFIG_FEATURE_UPTIME_UTMP_SUPPORT=y |
| 1071 | CONFIG_WATCH=y |
| 1072 | |
| 1073 | # |
| 1074 | # Runit Utilities |
| 1075 | # |
| 1076 | CONFIG_CHPST=y |
| 1077 | CONFIG_SETUIDGID=y |
| 1078 | CONFIG_ENVUIDGID=y |
| 1079 | CONFIG_ENVDIR=y |
| 1080 | CONFIG_SOFTLIMIT=y |
| 1081 | CONFIG_RUNSV=y |
| 1082 | CONFIG_RUNSVDIR=y |
| 1083 | # CONFIG_FEATURE_RUNSVDIR_LOG is not set |
| 1084 | CONFIG_SV=y |
| 1085 | CONFIG_SV_DEFAULT_SERVICE_DIR="/var/service" |
| 1086 | CONFIG_SVC=y |
| 1087 | CONFIG_SVOK=y |
| 1088 | CONFIG_SVLOGD=y |
| 1089 | # CONFIG_CHCON is not set |
| 1090 | # CONFIG_GETENFORCE is not set |
| 1091 | # CONFIG_GETSEBOOL is not set |
| 1092 | # CONFIG_LOAD_POLICY is not set |
| 1093 | # CONFIG_MATCHPATHCON is not set |
| 1094 | # CONFIG_RUNCON is not set |
| 1095 | # CONFIG_SELINUXENABLED is not set |
| 1096 | # CONFIG_SESTATUS is not set |
| 1097 | # CONFIG_SETENFORCE is not set |
| 1098 | # CONFIG_SETFILES is not set |
| 1099 | # CONFIG_FEATURE_SETFILES_CHECK_OPTION is not set |
| 1100 | # CONFIG_RESTORECON is not set |
| 1101 | # CONFIG_SETSEBOOL is not set |
| 1102 | |
| 1103 | # |
| 1104 | # Shells |
| 1105 | # |
| 1106 | CONFIG_SH_IS_ASH=y |
| 1107 | # CONFIG_SH_IS_HUSH is not set |
| 1108 | # CONFIG_SH_IS_NONE is not set |
| 1109 | # CONFIG_BASH_IS_ASH is not set |
| 1110 | # CONFIG_BASH_IS_HUSH is not set |
| 1111 | CONFIG_BASH_IS_NONE=y |
| 1112 | CONFIG_SHELL_ASH=y |
| 1113 | CONFIG_ASH=y |
| 1114 | CONFIG_ASH_OPTIMIZE_FOR_SIZE=y |
| 1115 | CONFIG_ASH_INTERNAL_GLOB=y |
| 1116 | CONFIG_ASH_BASH_COMPAT=y |
| 1117 | # CONFIG_ASH_BASH_SOURCE_CURDIR is not set |
| 1118 | CONFIG_ASH_BASH_NOT_FOUND_HOOK=y |
| 1119 | CONFIG_ASH_JOB_CONTROL=y |
| 1120 | CONFIG_ASH_ALIAS=y |
| 1121 | CONFIG_ASH_RANDOM_SUPPORT=y |
| 1122 | CONFIG_ASH_EXPAND_PRMT=y |
| 1123 | CONFIG_ASH_IDLE_TIMEOUT=y |
| 1124 | CONFIG_ASH_MAIL=y |
| 1125 | CONFIG_ASH_ECHO=y |
| 1126 | CONFIG_ASH_PRINTF=y |
| 1127 | CONFIG_ASH_TEST=y |
| 1128 | CONFIG_ASH_HELP=y |
| 1129 | CONFIG_ASH_GETOPTS=y |
| 1130 | CONFIG_ASH_CMDCMD=y |
| 1131 | # CONFIG_CTTYHACK is not set |
| 1132 | # CONFIG_HUSH is not set |
| 1133 | # CONFIG_SHELL_HUSH is not set |
| 1134 | # CONFIG_HUSH_BASH_COMPAT is not set |
| 1135 | # CONFIG_HUSH_BRACE_EXPANSION is not set |
| 1136 | # CONFIG_HUSH_BASH_SOURCE_CURDIR is not set |
| 1137 | # CONFIG_HUSH_LINENO_VAR is not set |
| 1138 | # CONFIG_HUSH_INTERACTIVE is not set |
| 1139 | # CONFIG_HUSH_SAVEHISTORY is not set |
| 1140 | # CONFIG_HUSH_JOB is not set |
| 1141 | # CONFIG_HUSH_TICK is not set |
| 1142 | # CONFIG_HUSH_IF is not set |
| 1143 | # CONFIG_HUSH_LOOPS is not set |
| 1144 | # CONFIG_HUSH_CASE is not set |
| 1145 | # CONFIG_HUSH_FUNCTIONS is not set |
| 1146 | # CONFIG_HUSH_LOCAL is not set |
| 1147 | # CONFIG_HUSH_RANDOM_SUPPORT is not set |
| 1148 | # CONFIG_HUSH_MODE_X is not set |
| 1149 | # CONFIG_HUSH_ECHO is not set |
| 1150 | # CONFIG_HUSH_PRINTF is not set |
| 1151 | # CONFIG_HUSH_TEST is not set |
| 1152 | # CONFIG_HUSH_HELP is not set |
| 1153 | # CONFIG_HUSH_EXPORT is not set |
| 1154 | # CONFIG_HUSH_EXPORT_N is not set |
| 1155 | # CONFIG_HUSH_READONLY is not set |
| 1156 | # CONFIG_HUSH_KILL is not set |
| 1157 | # CONFIG_HUSH_WAIT is not set |
| 1158 | # CONFIG_HUSH_COMMAND is not set |
| 1159 | # CONFIG_HUSH_TRAP is not set |
| 1160 | # CONFIG_HUSH_TYPE is not set |
| 1161 | # CONFIG_HUSH_TIMES is not set |
| 1162 | # CONFIG_HUSH_READ is not set |
| 1163 | # CONFIG_HUSH_SET is not set |
| 1164 | # CONFIG_HUSH_UNSET is not set |
| 1165 | # CONFIG_HUSH_ULIMIT is not set |
| 1166 | # CONFIG_HUSH_UMASK is not set |
| 1167 | # CONFIG_HUSH_GETOPTS is not set |
| 1168 | # CONFIG_HUSH_MEMLEAK is not set |
| 1169 | |
| 1170 | # |
| 1171 | # Options common to all shells |
| 1172 | # |
| 1173 | CONFIG_FEATURE_SH_MATH=y |
| 1174 | CONFIG_FEATURE_SH_MATH_64=y |
| 1175 | CONFIG_FEATURE_SH_MATH_BASE=y |
| 1176 | CONFIG_FEATURE_SH_EXTRA_QUIET=y |
| 1177 | # CONFIG_FEATURE_SH_STANDALONE is not set |
| 1178 | # CONFIG_FEATURE_SH_NOFORK is not set |
| 1179 | CONFIG_FEATURE_SH_READ_FRAC=y |
| 1180 | CONFIG_FEATURE_SH_HISTFILESIZE=y |
| 1181 | CONFIG_FEATURE_SH_EMBEDDED_SCRIPTS=y |
| 1182 | |
| 1183 | # |
| 1184 | # System Logging Utilities |
| 1185 | # |
| 1186 | # CONFIG_KLOGD is not set |
| 1187 | # CONFIG_FEATURE_KLOGD_KLOGCTL is not set |
| 1188 | # CONFIG_LOGGER is not set |
| 1189 | # CONFIG_LOGREAD is not set |
| 1190 | # CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING is not set |
| 1191 | # CONFIG_SYSLOGD is not set |
| 1192 | # CONFIG_FEATURE_ROTATE_LOGFILE is not set |
| 1193 | # CONFIG_FEATURE_REMOTE_LOG is not set |
| 1194 | # CONFIG_FEATURE_SYSLOGD_DUP is not set |
| 1195 | # CONFIG_FEATURE_SYSLOGD_CFG is not set |
| 1196 | # CONFIG_FEATURE_SYSLOGD_PRECISE_TIMESTAMPS is not set |
| 1197 | CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0 |
| 1198 | # CONFIG_FEATURE_IPC_SYSLOG is not set |
| 1199 | CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=0 |
| 1200 | # CONFIG_FEATURE_KMSG_SYSLOG is not set |
| --- a/containers/busybox-config | |
| +++ b/containers/busybox-config | |
| @@ -1,1200 +0,0 @@ | |
+2
-1
| --- www/changes.wiki | ||
| +++ www/changes.wiki | ||
| @@ -1,9 +1,10 @@ | ||
| 1 | 1 | <title>Change Log</title> |
| 2 | 2 | |
| 3 | 3 | <h2 id='v2_22'>Changes for version 2.22 (pending)</h2> |
| 4 | - | |
| 4 | + * The stock OCI container no longer includes BusyBox, thus no longer | |
| 5 | + needs to start as root to chroot that power away. | |
| 5 | 6 | |
| 6 | 7 | <h2 id='v2_21'>Changes for version 2.21 (2023-02-25)</h2> |
| 7 | 8 | * Users can request a password reset. This feature is disabledby default. Use |
| 8 | 9 | the new [/help?cmd=self-pw-reset|self-pw-reset property] to enable it. |
| 9 | 10 | New web pages [/help?cmd=/resetpw|/resetpw] and |
| 10 | 11 |
| --- www/changes.wiki | |
| +++ www/changes.wiki | |
| @@ -1,9 +1,10 @@ | |
| 1 | <title>Change Log</title> |
| 2 | |
| 3 | <h2 id='v2_22'>Changes for version 2.22 (pending)</h2> |
| 4 | |
| 5 | |
| 6 | <h2 id='v2_21'>Changes for version 2.21 (2023-02-25)</h2> |
| 7 | * Users can request a password reset. This feature is disabledby default. Use |
| 8 | the new [/help?cmd=self-pw-reset|self-pw-reset property] to enable it. |
| 9 | New web pages [/help?cmd=/resetpw|/resetpw] and |
| 10 |
| --- www/changes.wiki | |
| +++ www/changes.wiki | |
| @@ -1,9 +1,10 @@ | |
| 1 | <title>Change Log</title> |
| 2 | |
| 3 | <h2 id='v2_22'>Changes for version 2.22 (pending)</h2> |
| 4 | * The stock OCI container no longer includes BusyBox, thus no longer |
| 5 | needs to start as root to chroot that power away. |
| 6 | |
| 7 | <h2 id='v2_21'>Changes for version 2.21 (2023-02-25)</h2> |
| 8 | * Users can request a password reset. This feature is disabledby default. Use |
| 9 | the new [/help?cmd=self-pw-reset|self-pw-reset property] to enable it. |
| 10 | New web pages [/help?cmd=/resetpw|/resetpw] and |
| 11 |
+163
-203
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -30,17 +30,10 @@ | ||
| 30 | 30 | host. This feature of OCI runtimes means there’s little point to using |
| 31 | 31 | the “`fossil server --port`” feature inside the container. We can let |
| 32 | 32 | Fossil default to 8080 internally, then remap it to wherever we want it |
| 33 | 33 | on the host instead. |
| 34 | 34 | |
| 35 | -For debugging the live container while it runs, you can get an interactive | |
| 36 | -shell like so: | |
| 37 | - | |
| 38 | -``` | |
| 39 | - $ docker exec -it -u fossil fossil sh | |
| 40 | -``` | |
| 41 | - | |
| 42 | 35 | Our stock `Dockerfile` configures Fossil with the default feature set, |
| 43 | 36 | so you may wish to modify the `Dockerfile` to add configuration options, |
| 44 | 37 | add APK packages to support those options, and so forth. |
| 45 | 38 | |
| 46 | 39 | The Fossil `Makefile` provides two convenience targets, |
| @@ -89,13 +82,13 @@ | ||
| 89 | 82 | |
| 90 | 83 | The simplest method is to stop the container if it was running, then |
| 91 | 84 | say: |
| 92 | 85 | |
| 93 | 86 | ``` |
| 94 | - $ docker cp /path/to/my-project.fossil fossil:/jail/museum/repo.fossil | |
| 87 | + $ docker cp /path/to/my-project.fossil fossil:/museum/repo.fossil | |
| 95 | 88 | $ docker start fossil |
| 96 | - $ docker exec fossil chown -R 499 /jail/museum | |
| 89 | + $ docker exec fossil chown -R 499 /museum | |
| 97 | 90 | ``` |
| 98 | 91 | |
| 99 | 92 | That copies the local Fossil repo into the container where the server |
| 100 | 93 | expects to find it, so that the “start” command causes it to serve from |
| 101 | 94 | that copied-in file instead. Since it lives atop the immutable base |
| @@ -131,11 +124,11 @@ | ||
| 131 | 124 | |
| 132 | 125 | ``` |
| 133 | 126 | $ docker run \ |
| 134 | 127 | --publish 9999:8080 \ |
| 135 | 128 | --name fossil-bind-mount \ |
| 136 | - --volume ~/museum:/jail/museum \ | |
| 129 | + --volume ~/museum:/museum \ | |
| 137 | 130 | fossil |
| 138 | 131 | ``` |
| 139 | 132 | |
| 140 | 133 | Because this bind mount maps a host-side directory (`~/museum`) into the |
| 141 | 134 | container, you don’t need to `docker cp` the repo into the container at |
| @@ -159,11 +152,11 @@ | ||
| 159 | 152 | the repository rather than a whole directory. Since Fossil repositories |
| 160 | 153 | are specially-formatted SQLite databases, you might be wondering why we |
| 161 | 154 | don’t say things like: |
| 162 | 155 | |
| 163 | 156 | ``` |
| 164 | - --volume ~/museum/my-project.fossil:/jail/museum/repo.fossil | |
| 157 | + --volume ~/museum/my-project.fossil:/museum/repo.fossil | |
| 165 | 158 | ``` |
| 166 | 159 | |
| 167 | 160 | That lets us have a convenient file name for the project outside the |
| 168 | 161 | container while letting the configuration inside the container refer to |
| 169 | 162 | the generic “`/museum/repo.fossil`” name. Why should we have to name |
| @@ -188,60 +181,107 @@ | ||
| 188 | 181 | [wal]: https://www.sqlite.org/wal.html |
| 189 | 182 | |
| 190 | 183 | |
| 191 | 184 | ## 3. <a id="security"></a>Security |
| 192 | 185 | |
| 193 | -### 3.1 <a id="chroot"></a>Why Chroot? | |
| 194 | - | |
| 195 | -A potentially surprising feature of this container is that it runs | |
| 196 | -Fossil as root. Since that causes [the chroot jail feature](./chroot.md) | |
| 197 | -to kick in, and a Docker container is a type of über-jail already, you | |
| 198 | -may be wondering why we bother. Instead, why not either: | |
| 199 | - | |
| 200 | -* run `fossil server --nojail` to skip the internal chroot; or | |
| 201 | -* set “`USER fossil`” in the `Dockerfile` so it starts Fossil as | |
| 202 | - that user instead | |
| 203 | - | |
| 204 | -The reason is, although this container is quite stripped-down by today’s | |
| 205 | -standards, it’s based on the [surprisingly powerful Busybox | |
| 206 | -project](https://www.busybox.net/BusyBox.html). (This author made a | |
| 207 | -living for years in the early 1990s using Unix systems that were less | |
| 208 | -powerful than this container.) If someone ever figured out how to make a | |
| 209 | -Fossil binary execute arbitrary commands on the host or to open up a | |
| 210 | -remote shell, the power available to them at that point would make it | |
| 211 | -likely that they’d be able to island-hop from there into the rest of | |
| 212 | -your network. That power is there for you as the system administrator | |
| 213 | -alone, to let you inspect the container’s runtime behavior, change | |
| 214 | -things on the fly, and so forth. Fossil proper doesn’t need that power; | |
| 215 | -if we take it away via this cute double-jail dance, we keep any | |
| 216 | -potential attacker from making use of it should they ever get in. | |
| 217 | - | |
| 218 | -Having said this, know that we deem this risk low since a) it’s never | |
| 219 | -happened, that we know of; and b) we haven’t enabled any of the risky | |
| 220 | -features of Fossil such as [TH1 docs][th1docrisk]. Nevertheless, we | |
| 221 | -believe defense-in-depth strategies are wise. | |
| 222 | - | |
| 223 | -If you say something like “`docker exec fossil ps`” while the system is | |
| 224 | -idle, it’s likely to report a single `fossil` process running as `root` | |
| 225 | -even though the chroot feature is documented as causing Fossil to drop | |
| 226 | -its privileges in favor of the owner of the repository database or its | |
| 227 | -containing folder. If the repo file is owned by the in-container user | |
| 228 | -“`fossil`”, why is the server still running as root? | |
| 229 | - | |
| 230 | -It’s because you’re seeing only the parent process, which assumes it’s | |
| 231 | -running on bare metal or a VM and thus may need to do rootly things like | |
| 232 | -listening on port 80 or 443 before forking off any children to handle | |
| 233 | -HTTP hits. Fossil’s chroot feature only takes effect in these child | |
| 234 | -processes. This is why you can fix broken permissions with `chown` | |
| 235 | -after the container is already running, without restarting it: each hit | |
| 236 | -reevaluates the repository file permissions when deciding what user to | |
| 237 | -become when dropping root privileges. | |
| 238 | - | |
| 186 | +### 3.1 <a id="chroot"></a>Why Not Chroot? | |
| 187 | + | |
| 188 | +Prior to 2023.03.26, the stock Fossil container made use of [the chroot | |
| 189 | +jail feature](./chroot.md) in order to wall away the shell and other | |
| 190 | +tools provided by [BusyBox](https://www.busybox.net/BusyBox.html). This | |
| 191 | +author made a living for years in the early 1990s using Unix systems | |
| 192 | +that offered less power, so there was a legitimate worry that if someone | |
| 193 | +ever figured out how to get a shell on one of these Fossil containers, | |
| 194 | +it would constitute a powerful island from which to attack the rest of | |
| 195 | +the network. | |
| 196 | + | |
| 197 | +The thing is, Fossil is self-contained, needing none of that power in | |
| 198 | +the main-line use cases. The only reason we included BusyBox in the | |
| 199 | +container at all was on the off chance that someone needed it for | |
| 200 | +debugging. | |
| 201 | + | |
| 202 | +That justification collapsed when we realized you could restore this | |
| 203 | +basic shell environment on an as-needed basis with a one-line change to | |
| 204 | +the `Dockerfile`, as we show in the next section. | |
| 205 | + | |
| 206 | + | |
| 207 | +### 3.2 <a id="run"></a>Swapping Out the Run Layer | |
| 208 | + | |
| 209 | +If you want a basic shell environment for temporary debugging of the | |
| 210 | +running container, that’s easily added. Simply change this line in the | |
| 211 | +`Dockerfile`… | |
| 212 | + | |
| 213 | + FROM scratch AS run | |
| 214 | + | |
| 215 | +…to this: | |
| 216 | + | |
| 217 | + FROM busybox AS run | |
| 218 | + | |
| 219 | +Rebuild, redeploy, and your Fossil container now has a BusyBox based | |
| 220 | +shell environment that you can get into via: | |
| 221 | + | |
| 222 | + $ docker exec -it -u fossil $(make container-version) sh | |
| 223 | + | |
| 224 | +(That command assumes you built the container via “`make container`” and | |
| 225 | +are therefore using its versioning scheme.) | |
| 226 | + | |
| 227 | +Another case where you might need to replace this bare-bones “`run`” | |
| 228 | +layer with something more functional is that you’ve installed a [server | |
| 229 | +extension](./serverext.wiki) and you need an interpreter for that | |
| 230 | +script. The advice above won’t work except in the unlikely case that | |
| 231 | +it’s written in one of the bare-bones script interpreters that BusyBox | |
| 232 | +ships.(^BusyBox’s `/bin/sh` is based on the old 4.4BSD Lite Almquist | |
| 233 | +shell, implementing little more than what POSIX specified in 1989, plus | |
| 234 | +equally stripped-down versions of AWK and `sed`.) | |
| 235 | + | |
| 236 | +Let’s say the extension is written in Python. You could inject that into | |
| 237 | +the stock container via one of “[distroless]” images. Because this will | |
| 238 | +conflict with the bare-bones “`os`” layer we create, the method is more | |
| 239 | +complicated. Essentially, you replace everything in STAGE 2 and 3 inside | |
| 240 | +the `Dockerfile` with: | |
| 241 | + | |
| 242 | + FROM grc.io/distroless/python3-debian11 AS run | |
| 243 | + ARG UID=499 | |
| 244 | + RUN set -x \ | |
| 245 | + && install -d -m 700 -o fossil -g fossil log museum \ | |
| 246 | + && echo "fossil:x:${UID}:${UID}:User:/museum:/false" >> /etc/passwd \ | |
| 247 | + && echo "fossil:x:${UID}:fossil" >> /etc/group | |
| 248 | + COPY --from=builder /tmp/fossil /bin/ | |
| 249 | + | |
| 250 | +Another case is that you’re setting up [email alerts](./alerts.md) and | |
| 251 | +need some way to integrate with the host’s [MTA]. There are a number of | |
| 252 | +alternatives in that linked document, so for the sake of discussion, | |
| 253 | +we’ll say you’ve chosen Method 2, which requires a Tcl interpreter to | |
| 254 | +push messages into the outbound email queue DB, presumably bind-mounted | |
| 255 | +into the container. As of this writing, Google offers no “distroless” | |
| 256 | +container images for Tcl, but you *could* replace the `FROM` line above | |
| 257 | +with: | |
| 258 | + | |
| 259 | + FROM alpine AS run | |
| 260 | + RUN apk add --no-cache tcl | |
| 261 | + | |
| 262 | +Everything else remains the same as in the distroless Python example | |
| 263 | +because even Alpine will conflict with the way we set up core Linux | |
| 264 | +directories like `/etc` and `/tmp` in the absence of any OS image. | |
| 265 | + | |
| 266 | +Beware that there’s a limit to how much the über-jail nature of | |
| 267 | +containers can save you when you go and provide a more capable OS layer | |
| 268 | +like this. For instance, you might have enabled Fossil’s [risky TH1 docs | |
| 269 | +feature][th1docrisk] along with the Tcl integration feature, which | |
| 270 | +effectively gives anyone with check-in rights on your repo the ability | |
| 271 | +to run arbitrary Tcl code on the host when that document is rendered. | |
| 272 | +The container layer should stop that script from accessing any files out | |
| 273 | +on the host that you haven’t explicitly mounted into the container’s | |
| 274 | +namespace, but it *can* still make network connections, modify the repo | |
| 275 | +DB inside the container, and who knows what else. | |
| 276 | + | |
| 277 | +[distroless]: https://github.com/GoogleContainerTools/distroless | |
| 278 | +[MTA]: https://en.wikipedia.org/wiki/Message_transfer_agent | |
| 239 | 279 | [th1docrisk]: https://fossil-scm.org/forum/forumpost/42e0c16544 |
| 240 | 280 | |
| 241 | 281 | |
| 242 | -### 3.2 <a id="caps"></a>Dropping Unnecessary Capabilities | |
| 282 | +### 3.3 <a id="caps"></a>Dropping Unnecessary Capabilities | |
| 243 | 283 | |
| 244 | 284 | The example commands above create the container with [a default set of |
| 245 | 285 | Linux kernel capabilities][defcap]. Although Docker strips away almost |
| 246 | 286 | all of the traditional root capabilities by default, and Fossil doesn’t |
| 247 | 287 | need any of those it does take away, Docker does leave some enabled that |
| @@ -260,11 +300,11 @@ | ||
| 260 | 300 | image build process sets up all file ownership properly, to the |
| 261 | 301 | extent that this is possible under the limitations of our |
| 262 | 302 | automation. |
| 263 | 303 | |
| 264 | 304 | Curiously, stripping this capability doesn’t affect your ability to |
| 265 | - run commands like “`chown -R fossil:fossil /jail/museum`” when | |
| 305 | + run commands like “`chown -R fossil:fossil /museum`” when | |
| 266 | 306 | you’re using bind mounts or external volumes — as we recommend |
| 267 | 307 | [above](#bind-mount) — because it’s the host OS’s kernel |
| 268 | 308 | capabilities that affect the underlying `chown(2)` call in that |
| 269 | 309 | case, not those of the container. |
| 270 | 310 | |
| @@ -288,16 +328,16 @@ | ||
| 288 | 328 | users. You might wish for this ability as an administrator shelled |
| 289 | 329 | into the container, but you can pass the “`docker exec --user`” |
| 290 | 330 | option to run commands within your container as the legitimate owner |
| 291 | 331 | of the process, removing the need for this capability. |
| 292 | 332 | |
| 293 | -* **`MKNOD`**: All device nodes are created at build time and are | |
| 294 | - never changed at run time. Realize that the virtualized device nodes | |
| 295 | - inside the container get mapped onto real devices on the host, so if | |
| 296 | - an attacker ever got a root shell on the container, they might be | |
| 297 | - able to do actual damage to the host if we didn’t preemptively strip | |
| 298 | - this capability away. | |
| 333 | +* **`MKNOD`**: As of 2023.03.26, the stock container uses the | |
| 334 | + runtime’s default `/dev` node tree. Prior to this, we had to create | |
| 335 | + `/dev/null` and `/dev/urandom` inside [the chroot jail](#chroot), | |
| 336 | + but even then, these device nodes were created at build time and | |
| 337 | + were never changed at run time, so we didn’t need this run-time | |
| 338 | + capability even then. | |
| 299 | 339 | |
| 300 | 340 | * **`NET_BIND_SERVICE`**: With containerized deployment, Fossil never |
| 301 | 341 | needs the ability to bind the server to low-numbered TCP ports, not |
| 302 | 342 | even if you’re running the server in production with TLS enabled and |
| 303 | 343 | want the service bound to port 443. It’s perfectly fine to let the |
| @@ -311,11 +351,11 @@ | ||
| 311 | 351 | more likely to say something like “`-p localhost:12345:8080`” and then |
| 312 | 352 | configure the reverse proxy to translate external HTTPS calls into |
| 313 | 353 | HTTP directed at this internal port 12345.) |
| 314 | 354 | |
| 315 | 355 | * **`NET_RAW`**: Fossil itself doesn’t use raw sockets, and our build |
| 316 | - process leaves out all the Busybox utilities that require them. | |
| 356 | + process leaves out all the BusyBox utilities that require them. | |
| 317 | 357 | Although that set includes common tools like `ping`, we foresee no |
| 318 | 358 | compelling reason to use that or any of these other elided utilities |
| 319 | 359 | — `ether-wake`, `netstat`, `traceroute`, and `udhcp` — inside the |
| 320 | 360 | container. If you need to ping something, do it on the host. |
| 321 | 361 | |
| @@ -367,11 +407,11 @@ | ||
| 367 | 407 | this: |
| 368 | 408 | |
| 369 | 409 | ``` |
| 370 | 410 | $ docker build -t fossil . |
| 371 | 411 | $ docker create --name fossil-static-tmp fossil |
| 372 | - $ docker cp fossil-static-tmp:/jail/bin/fossil . | |
| 412 | + $ docker cp fossil-static-tmp:/bin/fossil . | |
| 373 | 413 | $ docker container rm fossil-static-tmp |
| 374 | 414 | ``` |
| 375 | 415 | |
| 376 | 416 | The resulting binary is the single largest file inside that container, |
| 377 | 417 | at about 6 MiB. (It’s built stripped.) |
| @@ -561,11 +601,11 @@ | ||
| 561 | 601 | [runc]: https://github.com/opencontainers/runc |
| 562 | 602 | |
| 563 | 603 | |
| 564 | 604 | ### 6.2 <a id="podman"></a>Podman |
| 565 | 605 | |
| 566 | -A lighter-weight alternative to either of the prior options that doesn’t | |
| 606 | +A lighter-weight alternative that doesn’t | |
| 567 | 607 | give up the image builder is [Podman]. Initially created by |
| 568 | 608 | Red Hat and thus popular on that family of OSes, it will run on |
| 569 | 609 | any flavor of Linux. It can even be made to run [on macOS via Homebrew][pmmac] |
| 570 | 610 | or [on Windows via WSL2][pmwin]. |
| 571 | 611 | |
| @@ -573,149 +613,71 @@ | ||
| 573 | 613 | tenth the size of Docker Engine. |
| 574 | 614 | |
| 575 | 615 | Although Podman [bills itself][whatis] as a drop-in replacement for the |
| 576 | 616 | `docker` command and everything that sits behind it, some of the tool’s |
| 577 | 617 | design decisions affect how our Fossil containers run, as compared to |
| 578 | -using Docker. The most important of these is that, by default, Podman | |
| 579 | -wants to run your container “rootless,” meaning that it runs as a | |
| 580 | -regular user. This is generally better for security, but [we dealt with | |
| 581 | -that risk differently above](#chroot) already. Since neither choice is | |
| 582 | -unassailably correct in all conditions, we’ll document both options | |
| 583 | -here. | |
| 584 | - | |
| 585 | -[pmmac]: https://podman.io/getting-started/installation.html#macos | |
| 586 | -[pmwin]: https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md | |
| 587 | -[Podman]: https://podman.io/ | |
| 588 | -[whatis]: https://podman.io/whatis.html | |
| 589 | - | |
| 590 | - | |
| 591 | -#### 6.2.1 <a id="podman-rootless"></a>Fossil in a Rootless Podman Container | |
| 592 | - | |
| 593 | -If you build the stock Fossil container under `podman`, it will fail at | |
| 594 | -two key steps: | |
| 595 | - | |
| 596 | -1. The `mknod` calls in the second stage, which create the `/jail/dev` | |
| 597 | - nodes. For a rootless container, we want it to use the “real” `/dev` | |
| 598 | - tree mounted into the container’s root filesystem instead. | |
| 599 | - | |
| 600 | -2. Anything that depends on the `/jail` directory and the fact that it | |
| 601 | - becomes the file system’s root once the Fossil server is up and running. | |
| 602 | - | |
| 603 | -[The changes to fix this](/file/containers/Dockerfile-nojail.patch) | |
| 604 | -aren’t complicated. Simply apply that patch to our stock `Dockerfile` | |
| 605 | -and rebuild: | |
| 606 | - | |
| 607 | -``` | |
| 608 | - $ patch -p0 < containers/Dockerfile-nojail.patch | |
| 609 | - $ podman build -t fossil:nojail . | |
| 610 | - $ podman create \ | |
| 611 | - --name fossil-nojail \ | |
| 612 | - --publish 127.0.0.1:9999:8080 \ | |
| 613 | - --volume ~/museum:/museum \ | |
| 614 | - fossil:nojail | |
| 615 | -``` | |
| 616 | - | |
| 617 | -Do realize that by doing this, if an attacker ever managed to get shell | |
| 618 | -access on your container, they’d have a BusyBox installation to play | |
| 619 | -around in. That shouldn’t be enough to let them break out of the | |
| 620 | -container entirely, but they’ll have powerful tools like `wget`, and | |
| 621 | -they’ll be connected to the network the container runs on. Once the bad | |
| 622 | -guy is inside the house, he doesn’t necessarily have to go after the | |
| 623 | -residents directly to cause problems for them. | |
| 624 | - | |
| 625 | - | |
| 626 | -#### 6.2.2 <a id="podman-rootful"></a>Fossil in a Rootful Podman Container | |
| 627 | - | |
| 628 | -##### Simple Method | |
| 629 | - | |
| 630 | -Fortunately, it’s easy enough to have it both ways. Simply run your | |
| 631 | -`podman` commands as root: | |
| 632 | - | |
| 633 | -``` | |
| 634 | - $ sudo podman build -t fossil --cap-add MKNOD . | |
| 618 | +using Docker. | |
| 619 | + | |
| 620 | +The most important of these is that, by default, Podman wants to build | |
| 621 | +and run your container “[rootless].” This is generally better for | |
| 622 | +security, but there’s something you need to be aware of: each user has | |
| 623 | +their own local container registry. Let’s say you’re following good | |
| 624 | +security practice by building the container on the server as a regular | |
| 625 | +user, but you then want to start it as root because your server OS of | |
| 626 | +choice won’t start user-level `systemd` units until and unless that user | |
| 627 | +logs in first. The problem is, the root user can’t see the unprivileged | |
| 628 | +user’s container registry, so even though it did build the image, you | |
| 629 | +can’t create the actual container from that image since that needs to be | |
| 630 | +done as root. | |
| 631 | + | |
| 632 | +The simple way to deal with this is to bounce the container through a | |
| 633 | +registry that both users can see, such as [Docker | |
| 634 | +Hub](https://hub.docker.com): | |
| 635 | + | |
| 636 | +``` | |
| 637 | + $ podman login | |
| 638 | + $ podman build -t fossil . | |
| 639 | + $ podman tag fossil:latest mydockername/fossil:latest | |
| 640 | + $ podman image push mydockername/fossil:latest | |
| 641 | +``` | |
| 642 | + | |
| 643 | +That will push the image up to your account, so that you can then say: | |
| 644 | + | |
| 645 | +``` | |
| 635 | 646 | $ sudo podman create \ |
| 647 | + --any-options-you-like \ | |
| 648 | + docker.io/mydockername/fossil | |
| 649 | +``` | |
| 650 | + | |
| 651 | +This round-trip through the public image registry has another side | |
| 652 | +benefit: it lets you build on a local system that might be a lot faster | |
| 653 | +than your remote one, as when the remote is a small VPS. Even with the | |
| 654 | +overhead of schlepping container images across the Internet, it can be a | |
| 655 | +net win in terms of build time. | |
| 656 | + | |
| 657 | +Another oddity compared to Docker is that Podman doesn’t have the same | |
| 658 | +[default Linux kernel capability set](#caps). The changes distill to: | |
| 659 | + | |
| 660 | +``` | |
| 661 | + $ podman create \ | |
| 636 | 662 | --name fossil \ |
| 637 | 663 | --cap-drop CHOWN \ |
| 638 | 664 | --cap-drop FSETID \ |
| 639 | 665 | --cap-drop KILL \ |
| 640 | 666 | --cap-drop NET_BIND_SERVICE \ |
| 641 | 667 | --cap-drop SETFCAP \ |
| 642 | 668 | --cap-drop SETPCAP \ |
| 643 | 669 | --publish 127.0.0.1:9999:8080 \ |
| 644 | 670 | localhost/fossil |
| 645 | - $ sudo podman start fossil | |
| 646 | -``` | |
| 647 | - | |
| 648 | -It’s obvious why we have to start the container as root, but why create | |
| 649 | -and build it as root, too? Isn’t that a regression from the modern | |
| 650 | -practice of doing as much as possible with a normal user? | |
| 651 | - | |
| 652 | -We have to do the build under `sudo` in part because we’re doing rootly | |
| 653 | -things with the file system image layers we’re building up. Just because | |
| 654 | -it’s done inside a container runtime’s build environment doesn’t mean we | |
| 655 | -can get away without root privileges to do things like create the | |
| 656 | -`/jail/dev/null` node. | |
| 657 | - | |
| 658 | -The other reason we need “`sudo podman build`” is because it puts the result | |
| 659 | -into root’s Podman image registry, where the next steps look for it. | |
| 660 | - | |
| 661 | -That in turn explains why we need “`sudo podman create`:” because it’s | |
| 662 | -creating a container based on an image that was created by root. If you | |
| 663 | -ran that step without `sudo`, it wouldn’t be able to find the image. | |
| 664 | - | |
| 665 | -If Docker is looking better and better to you as a result of all this, | |
| 666 | -realize that it’s doing the same thing. It just hides it better by | |
| 667 | -creating the `docker` group, so that when your user gets added to that | |
| 668 | -group, you get silent root privilege escalation on your build machine. | |
| 669 | -This is why Podman defaults to rootless containers. If you can get away | |
| 670 | -with it, it’s a better way to work. We would not be recommending | |
| 671 | -running `podman` under `sudo` if it didn’t buy us [something we wanted | |
| 672 | -badly](#chroot). | |
| 673 | - | |
| 674 | -Notice that we had to add the ability to run `mknod(8)` during the | |
| 675 | -build. [Podman sensibly denies this by default][nomknod], which lets us | |
| 676 | -leave off the corresponding `--cap-drop` option. Podman also denies | |
| 677 | -`CAP_NET_RAW` and `CAP_AUDIT_WRITE` by default, which we don’t need, so | |
| 678 | -we’ve simply removed them from the `--cap-drop` list relative to the | |
| 679 | -commands for Docker above. | |
| 680 | - | |
| 681 | -[nomknod]: https://github.com/containers/podman/issues/15626 | |
| 682 | - | |
| 683 | - | |
| 684 | -##### <a id="pm-root-workaround"></a>Building Under Docker, Running Under Podman | |
| 685 | - | |
| 686 | -If you have a remote host where the Fossil instance needs to run, it’s | |
| 687 | -possible to get around this need to build the image as root on the | |
| 688 | -remote system. You still have to build as root on the local system, but | |
| 689 | -as I said above, Docker already does this. What we’re doing is shifting | |
| 690 | -the risk of running as root from the public host to the local one. | |
| 691 | - | |
| 692 | -Once you have the image built on the local machine, create a “`fossil`” | |
| 693 | -repository on your container repository of choice such as [Docker | |
| 694 | -Hub](https://hub.docker.com), then say: | |
| 695 | - | |
| 696 | -``` | |
| 697 | - $ docker login | |
| 698 | - $ docker tag fossil:latest mydockername/fossil:latest | |
| 699 | - $ docker image push mydockername/fossil:latest | |
| 700 | -``` | |
| 701 | - | |
| 702 | -That will push the image up to your account, so that you can then switch | |
| 703 | -to the remote machine and say: | |
| 704 | - | |
| 705 | -``` | |
| 706 | - $ sudo podman create \ | |
| 707 | - --any-options-you-like \ | |
| 708 | - docker.io/mydockername/fossil | |
| 709 | -``` | |
| 710 | - | |
| 711 | -This round-trip through the public image registry has another side | |
| 712 | -benefit: your local system might be a lot faster than your remote one, | |
| 713 | -as when the remote is a small VPS. Even with the overhead of schlepping | |
| 714 | -container images across the Internet, it can be a net win in terms of | |
| 715 | -build time. | |
| 716 | - | |
| 671 | + $ podman start fossil | |
| 672 | +``` | |
| 673 | + | |
| 674 | +[pmmac]: https://podman.io/getting-started/installation.html#macos | |
| 675 | +[pmwin]: https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md | |
| 676 | +[Podman]: https://podman.io/ | |
| 677 | +[rootless]: https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md | |
| 678 | +[whatis]: https://podman.io/whatis.html | |
| 717 | 679 | |
| 718 | 680 | |
| 719 | 681 | ### 6.3 <a id="nspawn"></a>`systemd-container` |
| 720 | 682 | |
| 721 | 683 | If even the Podman stack is too big for you, the next-best option I’m |
| @@ -763,14 +725,13 @@ | ||
| 763 | 725 | |
| 764 | 726 | ---- |
| 765 | 727 | |
| 766 | 728 | ``` |
| 767 | 729 | [Exec] |
| 768 | -WorkingDirectory=/jail | |
| 730 | +WorkingDirectory=/ | |
| 769 | 731 | Parameters=bin/fossil server \ |
| 770 | 732 | --baseurl https://example.com/myproject \ |
| 771 | - --chroot /jail \ | |
| 772 | 733 | --create \ |
| 773 | 734 | --jsmode bundled \ |
| 774 | 735 | --localhost \ |
| 775 | 736 | --port 9000 \ |
| 776 | 737 | --scgi \ |
| @@ -789,11 +750,11 @@ | ||
| 789 | 750 | ProcessTwo=yes |
| 790 | 751 | LinkJournal=no |
| 791 | 752 | Timezone=no |
| 792 | 753 | |
| 793 | 754 | [Files] |
| 794 | -Bind=/home/fossil/museum/myproject:/jail/museum | |
| 755 | +Bind=/home/fossil/museum/myproject:/museum | |
| 795 | 756 | |
| 796 | 757 | [Network] |
| 797 | 758 | VirtualEthernet=no |
| 798 | 759 | ``` |
| 799 | 760 | |
| @@ -813,11 +774,11 @@ | ||
| 813 | 774 | it’ll work with the other repository service methods we’ve |
| 814 | 775 | [documented][srv]. |
| 815 | 776 | |
| 816 | 777 | * The path in the host-side part of the `Bind` value must point at the |
| 817 | 778 | directory containing the `repo.fossil` file referenced in said |
| 818 | - command so that `/jail/museum/repo.fossil` refers to your repo out | |
| 779 | + command so that `/museum/repo.fossil` refers to your repo out | |
| 819 | 780 | on the host for the reasons given [above](#bind-mount). |
| 820 | 781 | |
| 821 | 782 | That being done, we also need a generic systemd unit file called |
| 822 | 783 | `/etc/systemd/system/[email protected]`, containing: |
| 823 | 784 | |
| @@ -859,11 +820,10 @@ | ||
| 859 | 820 | the `*.nspawn` file: |
| 860 | 821 | |
| 861 | 822 | ``` |
| 862 | 823 | Parameters=bin/fossil server \ |
| 863 | 824 | --cert /path/to/cert.pem \ |
| 864 | - --chroot /jail \ | |
| 865 | 825 | --create \ |
| 866 | 826 | --jsmode bundled \ |
| 867 | 827 | --port 443 \ |
| 868 | 828 | --user admin \ |
| 869 | 829 | museum/repo.fossil |
| @@ -1033,11 +993,11 @@ | ||
| 1033 | 993 | * **`machinectl poweroff`** will fail because the container |
| 1034 | 994 | isn’t running dbus. |
| 1035 | 995 | |
| 1036 | 996 | * **`machinectl start`** will try to find an `/sbin/init` |
| 1037 | 997 | program in the rootfs, which we haven’t got. We could |
| 1038 | - rename `/jail/bin/fossil` to `/sbin/init` and then hack | |
| 998 | + rename `/bin/fossil` to `/sbin/init` and then hack | |
| 1039 | 999 | the chroot scheme to match, but ick. (This, incidentally, |
| 1040 | 1000 | is why we set `ProcessTwo=yes` above even though Fossil is |
| 1041 | 1001 | perfectly capable of running as PID 1, a fact we depend on |
| 1042 | 1002 | in the other methods above.) |
| 1043 | 1003 | |
| 1044 | 1004 |
| --- www/containers.md | |
| +++ www/containers.md | |
| @@ -30,17 +30,10 @@ | |
| 30 | host. This feature of OCI runtimes means there’s little point to using |
| 31 | the “`fossil server --port`” feature inside the container. We can let |
| 32 | Fossil default to 8080 internally, then remap it to wherever we want it |
| 33 | on the host instead. |
| 34 | |
| 35 | For debugging the live container while it runs, you can get an interactive |
| 36 | shell like so: |
| 37 | |
| 38 | ``` |
| 39 | $ docker exec -it -u fossil fossil sh |
| 40 | ``` |
| 41 | |
| 42 | Our stock `Dockerfile` configures Fossil with the default feature set, |
| 43 | so you may wish to modify the `Dockerfile` to add configuration options, |
| 44 | add APK packages to support those options, and so forth. |
| 45 | |
| 46 | The Fossil `Makefile` provides two convenience targets, |
| @@ -89,13 +82,13 @@ | |
| 89 | |
| 90 | The simplest method is to stop the container if it was running, then |
| 91 | say: |
| 92 | |
| 93 | ``` |
| 94 | $ docker cp /path/to/my-project.fossil fossil:/jail/museum/repo.fossil |
| 95 | $ docker start fossil |
| 96 | $ docker exec fossil chown -R 499 /jail/museum |
| 97 | ``` |
| 98 | |
| 99 | That copies the local Fossil repo into the container where the server |
| 100 | expects to find it, so that the “start” command causes it to serve from |
| 101 | that copied-in file instead. Since it lives atop the immutable base |
| @@ -131,11 +124,11 @@ | |
| 131 | |
| 132 | ``` |
| 133 | $ docker run \ |
| 134 | --publish 9999:8080 \ |
| 135 | --name fossil-bind-mount \ |
| 136 | --volume ~/museum:/jail/museum \ |
| 137 | fossil |
| 138 | ``` |
| 139 | |
| 140 | Because this bind mount maps a host-side directory (`~/museum`) into the |
| 141 | container, you don’t need to `docker cp` the repo into the container at |
| @@ -159,11 +152,11 @@ | |
| 159 | the repository rather than a whole directory. Since Fossil repositories |
| 160 | are specially-formatted SQLite databases, you might be wondering why we |
| 161 | don’t say things like: |
| 162 | |
| 163 | ``` |
| 164 | --volume ~/museum/my-project.fossil:/jail/museum/repo.fossil |
| 165 | ``` |
| 166 | |
| 167 | That lets us have a convenient file name for the project outside the |
| 168 | container while letting the configuration inside the container refer to |
| 169 | the generic “`/museum/repo.fossil`” name. Why should we have to name |
| @@ -188,60 +181,107 @@ | |
| 188 | [wal]: https://www.sqlite.org/wal.html |
| 189 | |
| 190 | |
| 191 | ## 3. <a id="security"></a>Security |
| 192 | |
| 193 | ### 3.1 <a id="chroot"></a>Why Chroot? |
| 194 | |
| 195 | A potentially surprising feature of this container is that it runs |
| 196 | Fossil as root. Since that causes [the chroot jail feature](./chroot.md) |
| 197 | to kick in, and a Docker container is a type of über-jail already, you |
| 198 | may be wondering why we bother. Instead, why not either: |
| 199 | |
| 200 | * run `fossil server --nojail` to skip the internal chroot; or |
| 201 | * set “`USER fossil`” in the `Dockerfile` so it starts Fossil as |
| 202 | that user instead |
| 203 | |
| 204 | The reason is, although this container is quite stripped-down by today’s |
| 205 | standards, it’s based on the [surprisingly powerful Busybox |
| 206 | project](https://www.busybox.net/BusyBox.html). (This author made a |
| 207 | living for years in the early 1990s using Unix systems that were less |
| 208 | powerful than this container.) If someone ever figured out how to make a |
| 209 | Fossil binary execute arbitrary commands on the host or to open up a |
| 210 | remote shell, the power available to them at that point would make it |
| 211 | likely that they’d be able to island-hop from there into the rest of |
| 212 | your network. That power is there for you as the system administrator |
| 213 | alone, to let you inspect the container’s runtime behavior, change |
| 214 | things on the fly, and so forth. Fossil proper doesn’t need that power; |
| 215 | if we take it away via this cute double-jail dance, we keep any |
| 216 | potential attacker from making use of it should they ever get in. |
| 217 | |
| 218 | Having said this, know that we deem this risk low since a) it’s never |
| 219 | happened, that we know of; and b) we haven’t enabled any of the risky |
| 220 | features of Fossil such as [TH1 docs][th1docrisk]. Nevertheless, we |
| 221 | believe defense-in-depth strategies are wise. |
| 222 | |
| 223 | If you say something like “`docker exec fossil ps`” while the system is |
| 224 | idle, it’s likely to report a single `fossil` process running as `root` |
| 225 | even though the chroot feature is documented as causing Fossil to drop |
| 226 | its privileges in favor of the owner of the repository database or its |
| 227 | containing folder. If the repo file is owned by the in-container user |
| 228 | “`fossil`”, why is the server still running as root? |
| 229 | |
| 230 | It’s because you’re seeing only the parent process, which assumes it’s |
| 231 | running on bare metal or a VM and thus may need to do rootly things like |
| 232 | listening on port 80 or 443 before forking off any children to handle |
| 233 | HTTP hits. Fossil’s chroot feature only takes effect in these child |
| 234 | processes. This is why you can fix broken permissions with `chown` |
| 235 | after the container is already running, without restarting it: each hit |
| 236 | reevaluates the repository file permissions when deciding what user to |
| 237 | become when dropping root privileges. |
| 238 | |
| 239 | [th1docrisk]: https://fossil-scm.org/forum/forumpost/42e0c16544 |
| 240 | |
| 241 | |
| 242 | ### 3.2 <a id="caps"></a>Dropping Unnecessary Capabilities |
| 243 | |
| 244 | The example commands above create the container with [a default set of |
| 245 | Linux kernel capabilities][defcap]. Although Docker strips away almost |
| 246 | all of the traditional root capabilities by default, and Fossil doesn’t |
| 247 | need any of those it does take away, Docker does leave some enabled that |
| @@ -260,11 +300,11 @@ | |
| 260 | image build process sets up all file ownership properly, to the |
| 261 | extent that this is possible under the limitations of our |
| 262 | automation. |
| 263 | |
| 264 | Curiously, stripping this capability doesn’t affect your ability to |
| 265 | run commands like “`chown -R fossil:fossil /jail/museum`” when |
| 266 | you’re using bind mounts or external volumes — as we recommend |
| 267 | [above](#bind-mount) — because it’s the host OS’s kernel |
| 268 | capabilities that affect the underlying `chown(2)` call in that |
| 269 | case, not those of the container. |
| 270 | |
| @@ -288,16 +328,16 @@ | |
| 288 | users. You might wish for this ability as an administrator shelled |
| 289 | into the container, but you can pass the “`docker exec --user`” |
| 290 | option to run commands within your container as the legitimate owner |
| 291 | of the process, removing the need for this capability. |
| 292 | |
| 293 | * **`MKNOD`**: All device nodes are created at build time and are |
| 294 | never changed at run time. Realize that the virtualized device nodes |
| 295 | inside the container get mapped onto real devices on the host, so if |
| 296 | an attacker ever got a root shell on the container, they might be |
| 297 | able to do actual damage to the host if we didn’t preemptively strip |
| 298 | this capability away. |
| 299 | |
| 300 | * **`NET_BIND_SERVICE`**: With containerized deployment, Fossil never |
| 301 | needs the ability to bind the server to low-numbered TCP ports, not |
| 302 | even if you’re running the server in production with TLS enabled and |
| 303 | want the service bound to port 443. It’s perfectly fine to let the |
| @@ -311,11 +351,11 @@ | |
| 311 | more likely to say something like “`-p localhost:12345:8080`” and then |
| 312 | configure the reverse proxy to translate external HTTPS calls into |
| 313 | HTTP directed at this internal port 12345.) |
| 314 | |
| 315 | * **`NET_RAW`**: Fossil itself doesn’t use raw sockets, and our build |
| 316 | process leaves out all the Busybox utilities that require them. |
| 317 | Although that set includes common tools like `ping`, we foresee no |
| 318 | compelling reason to use that or any of these other elided utilities |
| 319 | — `ether-wake`, `netstat`, `traceroute`, and `udhcp` — inside the |
| 320 | container. If you need to ping something, do it on the host. |
| 321 | |
| @@ -367,11 +407,11 @@ | |
| 367 | this: |
| 368 | |
| 369 | ``` |
| 370 | $ docker build -t fossil . |
| 371 | $ docker create --name fossil-static-tmp fossil |
| 372 | $ docker cp fossil-static-tmp:/jail/bin/fossil . |
| 373 | $ docker container rm fossil-static-tmp |
| 374 | ``` |
| 375 | |
| 376 | The resulting binary is the single largest file inside that container, |
| 377 | at about 6 MiB. (It’s built stripped.) |
| @@ -561,11 +601,11 @@ | |
| 561 | [runc]: https://github.com/opencontainers/runc |
| 562 | |
| 563 | |
| 564 | ### 6.2 <a id="podman"></a>Podman |
| 565 | |
| 566 | A lighter-weight alternative to either of the prior options that doesn’t |
| 567 | give up the image builder is [Podman]. Initially created by |
| 568 | Red Hat and thus popular on that family of OSes, it will run on |
| 569 | any flavor of Linux. It can even be made to run [on macOS via Homebrew][pmmac] |
| 570 | or [on Windows via WSL2][pmwin]. |
| 571 | |
| @@ -573,149 +613,71 @@ | |
| 573 | tenth the size of Docker Engine. |
| 574 | |
| 575 | Although Podman [bills itself][whatis] as a drop-in replacement for the |
| 576 | `docker` command and everything that sits behind it, some of the tool’s |
| 577 | design decisions affect how our Fossil containers run, as compared to |
| 578 | using Docker. The most important of these is that, by default, Podman |
| 579 | wants to run your container “rootless,” meaning that it runs as a |
| 580 | regular user. This is generally better for security, but [we dealt with |
| 581 | that risk differently above](#chroot) already. Since neither choice is |
| 582 | unassailably correct in all conditions, we’ll document both options |
| 583 | here. |
| 584 | |
| 585 | [pmmac]: https://podman.io/getting-started/installation.html#macos |
| 586 | [pmwin]: https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md |
| 587 | [Podman]: https://podman.io/ |
| 588 | [whatis]: https://podman.io/whatis.html |
| 589 | |
| 590 | |
| 591 | #### 6.2.1 <a id="podman-rootless"></a>Fossil in a Rootless Podman Container |
| 592 | |
| 593 | If you build the stock Fossil container under `podman`, it will fail at |
| 594 | two key steps: |
| 595 | |
| 596 | 1. The `mknod` calls in the second stage, which create the `/jail/dev` |
| 597 | nodes. For a rootless container, we want it to use the “real” `/dev` |
| 598 | tree mounted into the container’s root filesystem instead. |
| 599 | |
| 600 | 2. Anything that depends on the `/jail` directory and the fact that it |
| 601 | becomes the file system’s root once the Fossil server is up and running. |
| 602 | |
| 603 | [The changes to fix this](/file/containers/Dockerfile-nojail.patch) |
| 604 | aren’t complicated. Simply apply that patch to our stock `Dockerfile` |
| 605 | and rebuild: |
| 606 | |
| 607 | ``` |
| 608 | $ patch -p0 < containers/Dockerfile-nojail.patch |
| 609 | $ podman build -t fossil:nojail . |
| 610 | $ podman create \ |
| 611 | --name fossil-nojail \ |
| 612 | --publish 127.0.0.1:9999:8080 \ |
| 613 | --volume ~/museum:/museum \ |
| 614 | fossil:nojail |
| 615 | ``` |
| 616 | |
| 617 | Do realize that by doing this, if an attacker ever managed to get shell |
| 618 | access on your container, they’d have a BusyBox installation to play |
| 619 | around in. That shouldn’t be enough to let them break out of the |
| 620 | container entirely, but they’ll have powerful tools like `wget`, and |
| 621 | they’ll be connected to the network the container runs on. Once the bad |
| 622 | guy is inside the house, he doesn’t necessarily have to go after the |
| 623 | residents directly to cause problems for them. |
| 624 | |
| 625 | |
| 626 | #### 6.2.2 <a id="podman-rootful"></a>Fossil in a Rootful Podman Container |
| 627 | |
| 628 | ##### Simple Method |
| 629 | |
| 630 | Fortunately, it’s easy enough to have it both ways. Simply run your |
| 631 | `podman` commands as root: |
| 632 | |
| 633 | ``` |
| 634 | $ sudo podman build -t fossil --cap-add MKNOD . |
| 635 | $ sudo podman create \ |
| 636 | --name fossil \ |
| 637 | --cap-drop CHOWN \ |
| 638 | --cap-drop FSETID \ |
| 639 | --cap-drop KILL \ |
| 640 | --cap-drop NET_BIND_SERVICE \ |
| 641 | --cap-drop SETFCAP \ |
| 642 | --cap-drop SETPCAP \ |
| 643 | --publish 127.0.0.1:9999:8080 \ |
| 644 | localhost/fossil |
| 645 | $ sudo podman start fossil |
| 646 | ``` |
| 647 | |
| 648 | It’s obvious why we have to start the container as root, but why create |
| 649 | and build it as root, too? Isn’t that a regression from the modern |
| 650 | practice of doing as much as possible with a normal user? |
| 651 | |
| 652 | We have to do the build under `sudo` in part because we’re doing rootly |
| 653 | things with the file system image layers we’re building up. Just because |
| 654 | it’s done inside a container runtime’s build environment doesn’t mean we |
| 655 | can get away without root privileges to do things like create the |
| 656 | `/jail/dev/null` node. |
| 657 | |
| 658 | The other reason we need “`sudo podman build`” is because it puts the result |
| 659 | into root’s Podman image registry, where the next steps look for it. |
| 660 | |
| 661 | That in turn explains why we need “`sudo podman create`:” because it’s |
| 662 | creating a container based on an image that was created by root. If you |
| 663 | ran that step without `sudo`, it wouldn’t be able to find the image. |
| 664 | |
| 665 | If Docker is looking better and better to you as a result of all this, |
| 666 | realize that it’s doing the same thing. It just hides it better by |
| 667 | creating the `docker` group, so that when your user gets added to that |
| 668 | group, you get silent root privilege escalation on your build machine. |
| 669 | This is why Podman defaults to rootless containers. If you can get away |
| 670 | with it, it’s a better way to work. We would not be recommending |
| 671 | running `podman` under `sudo` if it didn’t buy us [something we wanted |
| 672 | badly](#chroot). |
| 673 | |
| 674 | Notice that we had to add the ability to run `mknod(8)` during the |
| 675 | build. [Podman sensibly denies this by default][nomknod], which lets us |
| 676 | leave off the corresponding `--cap-drop` option. Podman also denies |
| 677 | `CAP_NET_RAW` and `CAP_AUDIT_WRITE` by default, which we don’t need, so |
| 678 | we’ve simply removed them from the `--cap-drop` list relative to the |
| 679 | commands for Docker above. |
| 680 | |
| 681 | [nomknod]: https://github.com/containers/podman/issues/15626 |
| 682 | |
| 683 | |
| 684 | ##### <a id="pm-root-workaround"></a>Building Under Docker, Running Under Podman |
| 685 | |
| 686 | If you have a remote host where the Fossil instance needs to run, it’s |
| 687 | possible to get around this need to build the image as root on the |
| 688 | remote system. You still have to build as root on the local system, but |
| 689 | as I said above, Docker already does this. What we’re doing is shifting |
| 690 | the risk of running as root from the public host to the local one. |
| 691 | |
| 692 | Once you have the image built on the local machine, create a “`fossil`” |
| 693 | repository on your container repository of choice such as [Docker |
| 694 | Hub](https://hub.docker.com), then say: |
| 695 | |
| 696 | ``` |
| 697 | $ docker login |
| 698 | $ docker tag fossil:latest mydockername/fossil:latest |
| 699 | $ docker image push mydockername/fossil:latest |
| 700 | ``` |
| 701 | |
| 702 | That will push the image up to your account, so that you can then switch |
| 703 | to the remote machine and say: |
| 704 | |
| 705 | ``` |
| 706 | $ sudo podman create \ |
| 707 | --any-options-you-like \ |
| 708 | docker.io/mydockername/fossil |
| 709 | ``` |
| 710 | |
| 711 | This round-trip through the public image registry has another side |
| 712 | benefit: your local system might be a lot faster than your remote one, |
| 713 | as when the remote is a small VPS. Even with the overhead of schlepping |
| 714 | container images across the Internet, it can be a net win in terms of |
| 715 | build time. |
| 716 | |
| 717 | |
| 718 | |
| 719 | ### 6.3 <a id="nspawn"></a>`systemd-container` |
| 720 | |
| 721 | If even the Podman stack is too big for you, the next-best option I’m |
| @@ -763,14 +725,13 @@ | |
| 763 | |
| 764 | ---- |
| 765 | |
| 766 | ``` |
| 767 | [Exec] |
| 768 | WorkingDirectory=/jail |
| 769 | Parameters=bin/fossil server \ |
| 770 | --baseurl https://example.com/myproject \ |
| 771 | --chroot /jail \ |
| 772 | --create \ |
| 773 | --jsmode bundled \ |
| 774 | --localhost \ |
| 775 | --port 9000 \ |
| 776 | --scgi \ |
| @@ -789,11 +750,11 @@ | |
| 789 | ProcessTwo=yes |
| 790 | LinkJournal=no |
| 791 | Timezone=no |
| 792 | |
| 793 | [Files] |
| 794 | Bind=/home/fossil/museum/myproject:/jail/museum |
| 795 | |
| 796 | [Network] |
| 797 | VirtualEthernet=no |
| 798 | ``` |
| 799 | |
| @@ -813,11 +774,11 @@ | |
| 813 | it’ll work with the other repository service methods we’ve |
| 814 | [documented][srv]. |
| 815 | |
| 816 | * The path in the host-side part of the `Bind` value must point at the |
| 817 | directory containing the `repo.fossil` file referenced in said |
| 818 | command so that `/jail/museum/repo.fossil` refers to your repo out |
| 819 | on the host for the reasons given [above](#bind-mount). |
| 820 | |
| 821 | That being done, we also need a generic systemd unit file called |
| 822 | `/etc/systemd/system/[email protected]`, containing: |
| 823 | |
| @@ -859,11 +820,10 @@ | |
| 859 | the `*.nspawn` file: |
| 860 | |
| 861 | ``` |
| 862 | Parameters=bin/fossil server \ |
| 863 | --cert /path/to/cert.pem \ |
| 864 | --chroot /jail \ |
| 865 | --create \ |
| 866 | --jsmode bundled \ |
| 867 | --port 443 \ |
| 868 | --user admin \ |
| 869 | museum/repo.fossil |
| @@ -1033,11 +993,11 @@ | |
| 1033 | * **`machinectl poweroff`** will fail because the container |
| 1034 | isn’t running dbus. |
| 1035 | |
| 1036 | * **`machinectl start`** will try to find an `/sbin/init` |
| 1037 | program in the rootfs, which we haven’t got. We could |
| 1038 | rename `/jail/bin/fossil` to `/sbin/init` and then hack |
| 1039 | the chroot scheme to match, but ick. (This, incidentally, |
| 1040 | is why we set `ProcessTwo=yes` above even though Fossil is |
| 1041 | perfectly capable of running as PID 1, a fact we depend on |
| 1042 | in the other methods above.) |
| 1043 | |
| 1044 |
| --- www/containers.md | |
| +++ www/containers.md | |
| @@ -30,17 +30,10 @@ | |
| 30 | host. This feature of OCI runtimes means there’s little point to using |
| 31 | the “`fossil server --port`” feature inside the container. We can let |
| 32 | Fossil default to 8080 internally, then remap it to wherever we want it |
| 33 | on the host instead. |
| 34 | |
| 35 | Our stock `Dockerfile` configures Fossil with the default feature set, |
| 36 | so you may wish to modify the `Dockerfile` to add configuration options, |
| 37 | add APK packages to support those options, and so forth. |
| 38 | |
| 39 | The Fossil `Makefile` provides two convenience targets, |
| @@ -89,13 +82,13 @@ | |
| 82 | |
| 83 | The simplest method is to stop the container if it was running, then |
| 84 | say: |
| 85 | |
| 86 | ``` |
| 87 | $ docker cp /path/to/my-project.fossil fossil:/museum/repo.fossil |
| 88 | $ docker start fossil |
| 89 | $ docker exec fossil chown -R 499 /museum |
| 90 | ``` |
| 91 | |
| 92 | That copies the local Fossil repo into the container where the server |
| 93 | expects to find it, so that the “start” command causes it to serve from |
| 94 | that copied-in file instead. Since it lives atop the immutable base |
| @@ -131,11 +124,11 @@ | |
| 124 | |
| 125 | ``` |
| 126 | $ docker run \ |
| 127 | --publish 9999:8080 \ |
| 128 | --name fossil-bind-mount \ |
| 129 | --volume ~/museum:/museum \ |
| 130 | fossil |
| 131 | ``` |
| 132 | |
| 133 | Because this bind mount maps a host-side directory (`~/museum`) into the |
| 134 | container, you don’t need to `docker cp` the repo into the container at |
| @@ -159,11 +152,11 @@ | |
| 152 | the repository rather than a whole directory. Since Fossil repositories |
| 153 | are specially-formatted SQLite databases, you might be wondering why we |
| 154 | don’t say things like: |
| 155 | |
| 156 | ``` |
| 157 | --volume ~/museum/my-project.fossil:/museum/repo.fossil |
| 158 | ``` |
| 159 | |
| 160 | That lets us have a convenient file name for the project outside the |
| 161 | container while letting the configuration inside the container refer to |
| 162 | the generic “`/museum/repo.fossil`” name. Why should we have to name |
| @@ -188,60 +181,107 @@ | |
| 181 | [wal]: https://www.sqlite.org/wal.html |
| 182 | |
| 183 | |
| 184 | ## 3. <a id="security"></a>Security |
| 185 | |
| 186 | ### 3.1 <a id="chroot"></a>Why Not Chroot? |
| 187 | |
| 188 | Prior to 2023.03.26, the stock Fossil container made use of [the chroot |
| 189 | jail feature](./chroot.md) in order to wall away the shell and other |
| 190 | tools provided by [BusyBox](https://www.busybox.net/BusyBox.html). This |
| 191 | author made a living for years in the early 1990s using Unix systems |
| 192 | that offered less power, so there was a legitimate worry that if someone |
| 193 | ever figured out how to get a shell on one of these Fossil containers, |
| 194 | it would constitute a powerful island from which to attack the rest of |
| 195 | the network. |
| 196 | |
| 197 | The thing is, Fossil is self-contained, needing none of that power in |
| 198 | the main-line use cases. The only reason we included BusyBox in the |
| 199 | container at all was on the off chance that someone needed it for |
| 200 | debugging. |
| 201 | |
| 202 | That justification collapsed when we realized you could restore this |
| 203 | basic shell environment on an as-needed basis with a one-line change to |
| 204 | the `Dockerfile`, as we show in the next section. |
| 205 | |
| 206 | |
| 207 | ### 3.2 <a id="run"></a>Swapping Out the Run Layer |
| 208 | |
| 209 | If you want a basic shell environment for temporary debugging of the |
| 210 | running container, that’s easily added. Simply change this line in the |
| 211 | `Dockerfile`… |
| 212 | |
| 213 | FROM scratch AS run |
| 214 | |
| 215 | …to this: |
| 216 | |
| 217 | FROM busybox AS run |
| 218 | |
| 219 | Rebuild, redeploy, and your Fossil container now has a BusyBox based |
| 220 | shell environment that you can get into via: |
| 221 | |
| 222 | $ docker exec -it -u fossil $(make container-version) sh |
| 223 | |
| 224 | (That command assumes you built the container via “`make container`” and |
| 225 | are therefore using its versioning scheme.) |
| 226 | |
| 227 | Another case where you might need to replace this bare-bones “`run`” |
| 228 | layer with something more functional is that you’ve installed a [server |
| 229 | extension](./serverext.wiki) and you need an interpreter for that |
| 230 | script. The advice above won’t work except in the unlikely case that |
| 231 | it’s written in one of the bare-bones script interpreters that BusyBox |
| 232 | ships.(^BusyBox’s `/bin/sh` is based on the old 4.4BSD Lite Almquist |
| 233 | shell, implementing little more than what POSIX specified in 1989, plus |
| 234 | equally stripped-down versions of AWK and `sed`.) |
| 235 | |
| 236 | Let’s say the extension is written in Python. You could inject that into |
| 237 | the stock container via one of “[distroless]” images. Because this will |
| 238 | conflict with the bare-bones “`os`” layer we create, the method is more |
| 239 | complicated. Essentially, you replace everything in STAGE 2 and 3 inside |
| 240 | the `Dockerfile` with: |
| 241 | |
| 242 | FROM grc.io/distroless/python3-debian11 AS run |
| 243 | ARG UID=499 |
| 244 | RUN set -x \ |
| 245 | && install -d -m 700 -o fossil -g fossil log museum \ |
| 246 | && echo "fossil:x:${UID}:${UID}:User:/museum:/false" >> /etc/passwd \ |
| 247 | && echo "fossil:x:${UID}:fossil" >> /etc/group |
| 248 | COPY --from=builder /tmp/fossil /bin/ |
| 249 | |
| 250 | Another case is that you’re setting up [email alerts](./alerts.md) and |
| 251 | need some way to integrate with the host’s [MTA]. There are a number of |
| 252 | alternatives in that linked document, so for the sake of discussion, |
| 253 | we’ll say you’ve chosen Method 2, which requires a Tcl interpreter to |
| 254 | push messages into the outbound email queue DB, presumably bind-mounted |
| 255 | into the container. As of this writing, Google offers no “distroless” |
| 256 | container images for Tcl, but you *could* replace the `FROM` line above |
| 257 | with: |
| 258 | |
| 259 | FROM alpine AS run |
| 260 | RUN apk add --no-cache tcl |
| 261 | |
| 262 | Everything else remains the same as in the distroless Python example |
| 263 | because even Alpine will conflict with the way we set up core Linux |
| 264 | directories like `/etc` and `/tmp` in the absence of any OS image. |
| 265 | |
| 266 | Beware that there’s a limit to how much the über-jail nature of |
| 267 | containers can save you when you go and provide a more capable OS layer |
| 268 | like this. For instance, you might have enabled Fossil’s [risky TH1 docs |
| 269 | feature][th1docrisk] along with the Tcl integration feature, which |
| 270 | effectively gives anyone with check-in rights on your repo the ability |
| 271 | to run arbitrary Tcl code on the host when that document is rendered. |
| 272 | The container layer should stop that script from accessing any files out |
| 273 | on the host that you haven’t explicitly mounted into the container’s |
| 274 | namespace, but it *can* still make network connections, modify the repo |
| 275 | DB inside the container, and who knows what else. |
| 276 | |
| 277 | [distroless]: https://github.com/GoogleContainerTools/distroless |
| 278 | [MTA]: https://en.wikipedia.org/wiki/Message_transfer_agent |
| 279 | [th1docrisk]: https://fossil-scm.org/forum/forumpost/42e0c16544 |
| 280 | |
| 281 | |
| 282 | ### 3.3 <a id="caps"></a>Dropping Unnecessary Capabilities |
| 283 | |
| 284 | The example commands above create the container with [a default set of |
| 285 | Linux kernel capabilities][defcap]. Although Docker strips away almost |
| 286 | all of the traditional root capabilities by default, and Fossil doesn’t |
| 287 | need any of those it does take away, Docker does leave some enabled that |
| @@ -260,11 +300,11 @@ | |
| 300 | image build process sets up all file ownership properly, to the |
| 301 | extent that this is possible under the limitations of our |
| 302 | automation. |
| 303 | |
| 304 | Curiously, stripping this capability doesn’t affect your ability to |
| 305 | run commands like “`chown -R fossil:fossil /museum`” when |
| 306 | you’re using bind mounts or external volumes — as we recommend |
| 307 | [above](#bind-mount) — because it’s the host OS’s kernel |
| 308 | capabilities that affect the underlying `chown(2)` call in that |
| 309 | case, not those of the container. |
| 310 | |
| @@ -288,16 +328,16 @@ | |
| 328 | users. You might wish for this ability as an administrator shelled |
| 329 | into the container, but you can pass the “`docker exec --user`” |
| 330 | option to run commands within your container as the legitimate owner |
| 331 | of the process, removing the need for this capability. |
| 332 | |
| 333 | * **`MKNOD`**: As of 2023.03.26, the stock container uses the |
| 334 | runtime’s default `/dev` node tree. Prior to this, we had to create |
| 335 | `/dev/null` and `/dev/urandom` inside [the chroot jail](#chroot), |
| 336 | but even then, these device nodes were created at build time and |
| 337 | were never changed at run time, so we didn’t need this run-time |
| 338 | capability even then. |
| 339 | |
| 340 | * **`NET_BIND_SERVICE`**: With containerized deployment, Fossil never |
| 341 | needs the ability to bind the server to low-numbered TCP ports, not |
| 342 | even if you’re running the server in production with TLS enabled and |
| 343 | want the service bound to port 443. It’s perfectly fine to let the |
| @@ -311,11 +351,11 @@ | |
| 351 | more likely to say something like “`-p localhost:12345:8080`” and then |
| 352 | configure the reverse proxy to translate external HTTPS calls into |
| 353 | HTTP directed at this internal port 12345.) |
| 354 | |
| 355 | * **`NET_RAW`**: Fossil itself doesn’t use raw sockets, and our build |
| 356 | process leaves out all the BusyBox utilities that require them. |
| 357 | Although that set includes common tools like `ping`, we foresee no |
| 358 | compelling reason to use that or any of these other elided utilities |
| 359 | — `ether-wake`, `netstat`, `traceroute`, and `udhcp` — inside the |
| 360 | container. If you need to ping something, do it on the host. |
| 361 | |
| @@ -367,11 +407,11 @@ | |
| 407 | this: |
| 408 | |
| 409 | ``` |
| 410 | $ docker build -t fossil . |
| 411 | $ docker create --name fossil-static-tmp fossil |
| 412 | $ docker cp fossil-static-tmp:/bin/fossil . |
| 413 | $ docker container rm fossil-static-tmp |
| 414 | ``` |
| 415 | |
| 416 | The resulting binary is the single largest file inside that container, |
| 417 | at about 6 MiB. (It’s built stripped.) |
| @@ -561,11 +601,11 @@ | |
| 601 | [runc]: https://github.com/opencontainers/runc |
| 602 | |
| 603 | |
| 604 | ### 6.2 <a id="podman"></a>Podman |
| 605 | |
| 606 | A lighter-weight alternative that doesn’t |
| 607 | give up the image builder is [Podman]. Initially created by |
| 608 | Red Hat and thus popular on that family of OSes, it will run on |
| 609 | any flavor of Linux. It can even be made to run [on macOS via Homebrew][pmmac] |
| 610 | or [on Windows via WSL2][pmwin]. |
| 611 | |
| @@ -573,149 +613,71 @@ | |
| 613 | tenth the size of Docker Engine. |
| 614 | |
| 615 | Although Podman [bills itself][whatis] as a drop-in replacement for the |
| 616 | `docker` command and everything that sits behind it, some of the tool’s |
| 617 | design decisions affect how our Fossil containers run, as compared to |
| 618 | using Docker. |
| 619 | |
| 620 | The most important of these is that, by default, Podman wants to build |
| 621 | and run your container “[rootless].” This is generally better for |
| 622 | security, but there’s something you need to be aware of: each user has |
| 623 | their own local container registry. Let’s say you’re following good |
| 624 | security practice by building the container on the server as a regular |
| 625 | user, but you then want to start it as root because your server OS of |
| 626 | choice won’t start user-level `systemd` units until and unless that user |
| 627 | logs in first. The problem is, the root user can’t see the unprivileged |
| 628 | user’s container registry, so even though it did build the image, you |
| 629 | can’t create the actual container from that image since that needs to be |
| 630 | done as root. |
| 631 | |
| 632 | The simple way to deal with this is to bounce the container through a |
| 633 | registry that both users can see, such as [Docker |
| 634 | Hub](https://hub.docker.com): |
| 635 | |
| 636 | ``` |
| 637 | $ podman login |
| 638 | $ podman build -t fossil . |
| 639 | $ podman tag fossil:latest mydockername/fossil:latest |
| 640 | $ podman image push mydockername/fossil:latest |
| 641 | ``` |
| 642 | |
| 643 | That will push the image up to your account, so that you can then say: |
| 644 | |
| 645 | ``` |
| 646 | $ sudo podman create \ |
| 647 | --any-options-you-like \ |
| 648 | docker.io/mydockername/fossil |
| 649 | ``` |
| 650 | |
| 651 | This round-trip through the public image registry has another side |
| 652 | benefit: it lets you build on a local system that might be a lot faster |
| 653 | than your remote one, as when the remote is a small VPS. Even with the |
| 654 | overhead of schlepping container images across the Internet, it can be a |
| 655 | net win in terms of build time. |
| 656 | |
| 657 | Another oddity compared to Docker is that Podman doesn’t have the same |
| 658 | [default Linux kernel capability set](#caps). The changes distill to: |
| 659 | |
| 660 | ``` |
| 661 | $ podman create \ |
| 662 | --name fossil \ |
| 663 | --cap-drop CHOWN \ |
| 664 | --cap-drop FSETID \ |
| 665 | --cap-drop KILL \ |
| 666 | --cap-drop NET_BIND_SERVICE \ |
| 667 | --cap-drop SETFCAP \ |
| 668 | --cap-drop SETPCAP \ |
| 669 | --publish 127.0.0.1:9999:8080 \ |
| 670 | localhost/fossil |
| 671 | $ podman start fossil |
| 672 | ``` |
| 673 | |
| 674 | [pmmac]: https://podman.io/getting-started/installation.html#macos |
| 675 | [pmwin]: https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md |
| 676 | [Podman]: https://podman.io/ |
| 677 | [rootless]: https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md |
| 678 | [whatis]: https://podman.io/whatis.html |
| 679 | |
| 680 | |
| 681 | ### 6.3 <a id="nspawn"></a>`systemd-container` |
| 682 | |
| 683 | If even the Podman stack is too big for you, the next-best option I’m |
| @@ -763,14 +725,13 @@ | |
| 725 | |
| 726 | ---- |
| 727 | |
| 728 | ``` |
| 729 | [Exec] |
| 730 | WorkingDirectory=/ |
| 731 | Parameters=bin/fossil server \ |
| 732 | --baseurl https://example.com/myproject \ |
| 733 | --create \ |
| 734 | --jsmode bundled \ |
| 735 | --localhost \ |
| 736 | --port 9000 \ |
| 737 | --scgi \ |
| @@ -789,11 +750,11 @@ | |
| 750 | ProcessTwo=yes |
| 751 | LinkJournal=no |
| 752 | Timezone=no |
| 753 | |
| 754 | [Files] |
| 755 | Bind=/home/fossil/museum/myproject:/museum |
| 756 | |
| 757 | [Network] |
| 758 | VirtualEthernet=no |
| 759 | ``` |
| 760 | |
| @@ -813,11 +774,11 @@ | |
| 774 | it’ll work with the other repository service methods we’ve |
| 775 | [documented][srv]. |
| 776 | |
| 777 | * The path in the host-side part of the `Bind` value must point at the |
| 778 | directory containing the `repo.fossil` file referenced in said |
| 779 | command so that `/museum/repo.fossil` refers to your repo out |
| 780 | on the host for the reasons given [above](#bind-mount). |
| 781 | |
| 782 | That being done, we also need a generic systemd unit file called |
| 783 | `/etc/systemd/system/[email protected]`, containing: |
| 784 | |
| @@ -859,11 +820,10 @@ | |
| 820 | the `*.nspawn` file: |
| 821 | |
| 822 | ``` |
| 823 | Parameters=bin/fossil server \ |
| 824 | --cert /path/to/cert.pem \ |
| 825 | --create \ |
| 826 | --jsmode bundled \ |
| 827 | --port 443 \ |
| 828 | --user admin \ |
| 829 | museum/repo.fossil |
| @@ -1033,11 +993,11 @@ | |
| 993 | * **`machinectl poweroff`** will fail because the container |
| 994 | isn’t running dbus. |
| 995 | |
| 996 | * **`machinectl start`** will try to find an `/sbin/init` |
| 997 | program in the rootfs, which we haven’t got. We could |
| 998 | rename `/bin/fossil` to `/sbin/init` and then hack |
| 999 | the chroot scheme to match, but ick. (This, incidentally, |
| 1000 | is why we set `ProcessTwo=yes` above even though Fossil is |
| 1001 | perfectly capable of running as PID 1, a fact we depend on |
| 1002 | in the other methods above.) |
| 1003 | |
| 1004 |