Merge pull request #2579 from carmstrong/coreos_beta_channel

chore(*): bump CoreOS to 509.1.0 for Docker vulnerability

Author: carmstrong

Vagrantfile

@@ -35,7 +35,7 @@ else
   $vb_cpus = 1
 end
 
-COREOS_VERSION = "494.0.0"
+COREOS_VERSION = "509.1.0"
 
 if File.exist?(CONFIG)
   require CONFIG

builder/Dockerfile

@@ -21,7 +21,7 @@ RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 36A1D7869245C8950F9
 RUN apt-get update && apt-get install -yq \
     openssh-server git \
     aufs-tools iptables lxc \
-    lxc-docker-1.3.0
+    lxc-docker-1.3.2
 
 # install jq for parsing json
 RUN curl http://stedolan.github.io/jq/download/linux64/jq > /usr/bin/jq && chmod 755 /usr/bin/jq

builder/bin/boot

@@ -51,7 +51,7 @@ CONFD_PID=$!
 test -e /var/run/docker.sock && rm -f /var/run/docker.sock
 
 # spawn a docker daemon to run builds
-docker -d --storage-driver=$STORAGE_DRIVER --bip=172.19.42.1/16 &
+docker -d --storage-driver=$STORAGE_DRIVER --bip=172.19.42.1/16 --insecure-registry 10.0.0.0/8 --insecure-registry 172.16.0.0/12 --insecure-registry 192.168.0.0/16 &
 DOCKER_PID=$!
 
 # wait for docker to start

builder/templates/builder

@@ -118,7 +118,7 @@ if [ ! -f Dockerfile ]; then
     docker attach $JOB
 
     # copy out the compiled slug
-    docker cp $JOB:/tmp/slug.tgz .
+    docker cp $JOB:/tmp/slug.tgz $TMP_DIR
     # copy over the Dockerfile shim to the build dir
     cp $DOCKERFILE_SHIM ./Dockerfile
 fi

contrib/coreos/user-data.example

@@ -53,6 +53,10 @@ write_files:
       function nse() {
         docker exec -it $1 bash
       }
+  - path: /etc/systemd/system/docker.service.d/50-insecure-registry.conf
+    content: |
+        [Service]
+        Environment="DOCKER_OPTS=--insecure-registry 10.0.0.0/8 --insecure-registry 172.16.0.0/12 --insecure-registry 192.168.0.0/16"
   - path: /run/deis/bin/get_image
     permissions: '0755'
     content: |

contrib/ec2/deis.template.json

@@ -84,15 +84,15 @@
 
   "Mappings" : {
     "CoreOSAMIs" : {
-      "eu-central-1"   : { "PV" : "ami-0cae9811", "HVM" : "ami-12ae980f" },
-      "ap-northeast-1" : { "PV" : "ami-9f60599e", "HVM" : "ami-9d60599c" },
-      "sa-east-1"      : { "PV" : "ami-21ca7c3c", "HVM" : "ami-23ca7c3e" },
-      "ap-southeast-2" : { "PV" : "ami-adb9d697", "HVM" : "ami-afb9d695" },
-      "ap-southeast-1" : { "PV" : "ami-0eebc85c", "HVM" : "ami-0cebc85e" },
-      "us-east-1"      : { "PV" : "ami-30058d58", "HVM" : "ami-3e058d56" },
-      "us-west-2"      : { "PV" : "ami-b34f0483", "HVM" : "ami-b14f0481" },
-      "us-west-1"      : { "PV" : "ami-ff7264ba", "HVM" : "ami-f97264bc" },
-      "eu-west-1"      : { "PV" : "ami-1e47f269", "HVM" : "ami-1c47f26b" }
+      "eu-central-1"   : { "PV" : "ami-9623128b", "HVM" : "ami-94231289" },
+      "ap-northeast-1" : { "PV" : "ami-d6999dd7", "HVM" : "ami-d8999dd9" },
+      "sa-east-1"      : { "PV" : "ami-79a41564", "HVM" : "ami-7fa41562" },
+      "ap-southeast-2" : { "PV" : "ami-e1dfb1db", "HVM" : "ami-e3dfb1d9" },
+      "ap-southeast-1" : { "PV" : "ami-7598ba27", "HVM" : "ami-7b98ba29" },
+      "us-east-1"      : { "PV" : "ami-00158768", "HVM" : "ami-0215876a" },
+      "us-west-2"      : { "PV" : "ami-d92377e9", "HVM" : "ami-d72377e7" },
+      "us-west-1"      : { "PV" : "ami-a7adbce2", "HVM" : "ami-a5adbce0" },
+      "eu-west-1"      : { "PV" : "ami-c6e858b1", "HVM" : "ami-d8e858af" }
 
     },
     "RootDevices" : {

contrib/rackspace/provision-rackspace-cluster.sh

@@ -48,9 +48,9 @@ $CONTRIB_DIR/util/check-user-data.sh
 
 i=1 ; while [[ $i -le $DEIS_NUM_INSTANCES ]] ; do \
     echo_yellow "Provisioning deis-$i..."
-    # TODO: update to CoreOS 494.0.0 when it is available at Rackspace
-    # This image is CoreOS 490.0.0
-    supernova $ENV boot --image 3c7e97fa-a9f5-4b09-97aa-c94e66dbbfeb --flavor $FLAVOR --key-name $1 --user-data ../coreos/user-data --no-service-net --nic net-id=$NETWORK_ID --config-drive true deis-$i ; \
+    # TODO: update to CoreOS 509.1.0 when it is available at Rackspace
+    # This image is CoreOS 494.0.0
+    supernova $ENV boot --image 1c423602-ea76-4263-b56b-0a2fa3e8c663 --flavor $FLAVOR --key-name $1 --user-data ../coreos/user-data --no-service-net --nic net-id=$NETWORK_ID --config-drive true deis-$i ; \
     ((i = i + 1)) ; \
 done
 

docs/_includes/_private-network.rst

@@ -0,0 +1,3 @@
+Due to changes introduced in Docker 1.3.1 related to insecure Docker registries, the hosts running
+Deis must be able to communicate via a private network in one of the RFC1918 private address spaces:
+``10.0.0.0/8``, ``172.16.0.0/12``, or ``192.168.0.0/16``.

docs/contributing/hacking.rst

@@ -103,6 +103,12 @@ Make sure it meets the following requirements:
  #. You can push Docker images from your workstation
  #. Hosts in the cluster can pull images with the same URL
 
+.. note::
+
+    If the development registry is insecure and has an IP address in a range other than ``10.0.0.0/8``,
+    ``172.16.0.0/12``, or ``192.168.0.0/16``, you'll have to modify ``contrib/coreos/user-data.example``
+    and whitelist your development registry so the daemons can pull your custom components.
+
 Development Workflow
 --------------------
 

docs/installing_deis/baremetal.rst

@@ -60,6 +60,8 @@ Update $private_ipv4
 the user-data with the (private) IP address of the node.
 
 
+.. include:: ../_includes/_private-network.rst
+
 Add Environment
 ^^^^^^^^^^^^^^^
 
@@ -96,8 +98,9 @@ Start the installation
     coreos-install -C alpha -c /tmp/config -d /dev/sda
 
 
-This will install the latest `CoreOS`_ alpha release to disk. To specify a specific CoreOS version,
-append the ``-V`` parameter to the install command, e.g. ``-V 494.0.0``.
+This will install the latest `CoreOS`_ alpha release to disk. The Deis provision scripts for other
+platforms typically specify a CoreOS version - currently, ``509.1.0``. To specify a specific CoreOS
+version, append the ``-V`` parameter to the install command, e.g. ``-V 509.1.0``.
 
 After the installation has finished, reboot your server. Once your machine is back up, you should
 be able to log in as the `core` user using the `deis` ssh key.