From 641603957b073e275efcaf4d2a4540abd6250a93 Mon Sep 17 00:00:00 2001 From: Rolf Neugebauer Date: Wed, 4 Apr 2018 18:55:04 +0100 Subject: [PATCH 1/5] doc: Remove security notice from README We had the relevant fixes in all kernels for quite some time, so no need to call it out explicitly at the top level. Signed-off-by: Rolf Neugebauer --- README.md | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/README.md b/README.md index bc381a48b..c1b1d8eec 100644 --- a/README.md +++ b/README.md @@ -2,25 +2,6 @@ [![CircleCI](https://circleci.com/gh/linuxkit/linuxkit.svg?style=svg)](https://circleci.com/gh/linuxkit/linuxkit) -**Security Update 17/01/2018: All current LinuxKit `x86_64` kernels -have KPTI/KAISER enabled by default. This protects against -[Meltdown](https://meltdownattack.com/meltdown.pdf). Defences against -[Spectre](https://spectreattack.com/spectre.pdf) are work in progress -upstream and some have been incorporated into 4.14.14/4.9.77 onwards -but work is still ongoing. The kernels 4.14.14/4.9.77 onwards also -include various eBPF and KVM fixes to mitigate some aspects of -Spectre. The `arm64` kernels are not yet fixed. See [Greg KH's -excellent -blogpost](http://kroah.com/log/blog/2018/01/06/meltdown-status/) and -this [LWN.net -article](https://lwn.net/SubscriberLink/744287/1fc3c18173f732e7/) for -details.** - -**If you run LinuxKit kernels on x86 baremetal we also strongly -recommend to add `ucode: intel-ucode.cpio` to the kernel section of -your YAML if you are using Intel CPUs and `linuxkit/firmware:` if -you are using AMD CPUs.** - LinuxKit, a toolkit for building custom minimal, immutable Linux distributions. - Secure defaults without compromising usability From 25e69c340c758554452a059bce56bb6b0101dc44 Mon Sep 17 00:00:00 2001 From: Rolf Neugebauer Date: Wed, 4 Apr 2018 19:08:07 +0100 Subject: [PATCH 2/5] doc: Make supported architectures more explicit 
Signed-off-by: Rolf Neugebauer --- README.md | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index c1b1d8eec..d7401fc39 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,8 @@ LinuxKit, a toolkit for building custom minimal, immutable Linux distributions. - Designed to be managed by external tooling, such as [Infrakit](https://github.com/docker/infrakit) or similar tools - Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security +LinuxKit currently supports the `x86_64`, `arm64`, and `s390x` architectures on a variety of platforms, both as virtual machines and baremetal (see [below](#booting-and-testing) for details. + ## Subprojects - [LinuxKit kubernetes](https://github.com/linuxkit/kubernetes) aims to build minimal and immutable Kubernetes images. (previously `projects/kubernetes` in this repository). 
@@ -56,25 +58,25 @@ Since `linuxkit build` is built around the [Moby tool](https://github.com/moby/t ### Booting and Testing -You can use `linuxkit run ` or `linuxkit run .` to execute the image you created with `linuxkit build .yml`. -This will use a suitable backend for your platform or you can choose one, for example VMWare. -See `linuxkit run --help`. +You can use `linuxkit run ` or `linuxkit run .` to +execute the image you created with `linuxkit build .yml`. This +will use a suitable backend for your platform or you can choose one, +for example VMWare. See `linuxkit run --help`. Currently supported platforms are: - Local hypervisors - - [HyperKit (macOS)](docs/platform-hyperkit.md) - - [Hyper-V (Windows)](docs/platform-hyperv.md) - - [qemu (macOS, Linux, Windows)](docs/platform-qemu.md) - - [VMware (macOS, Windows)](docs/platform-vmware.md) + - [HyperKit (macOS)](docs/platform-hyperkit.md) `[x86_64]` + - [Hyper-V (Windows)](docs/platform-hyperv.md) `[x86_64]` + - [qemu (macOS, Linux, Windows)](docs/platform-qemu.md) `[x86_64, arm64, s390x]` + - [VMware (macOS, Windows)](docs/platform-vmware.md) `[x86_64]` - Cloud based platforms: - - [Amazon Web Services](docs/platform-aws.md) - - [Google Cloud](docs/platform-gcp.md) - - [Microsoft Azure](docs/platform-azure.md) - - [OpenStack](docs/platform-openstack.md) - - [packet.net](docs/platform-packet.md) + - [Amazon Web Services](docs/platform-aws.md) `[x86_64]` + - [Google Cloud](docs/platform-gcp.md) `[x86_64]` + - [Microsoft Azure](docs/platform-azure.md) `[x86_64]` + - [OpenStack](docs/platform-openstack.md) `[x86_64]` - Baremetal: - - x86 and arm64 servers on [packet.net](docs/platform-packet.md) - - [Raspberry Pi Model 3b](docs/platform-rpi3.md) + - [packet.net](docs/platform-packet.md) `[x86_64, arm64]` + - [Raspberry Pi Model 3b](docs/platform-rpi3.md) `[arm64]` #### Running the Tests From b014388148788f764cddc4f39101187ff559f728 Mon Sep 17 00:00:00 2001 
From: Rolf Neugebauer Date: Wed, 4 Apr 2018 19:13:11 +0100 Subject: [PATCH 3/5] doc: Add links to more subprojects. Signed-off-by: Rolf Neugebauer --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index d7401fc39..177a1bd44 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,10 @@ LinuxKit currently supports the `x86_64`, `arm64`, and `s390x` architectures on ## Subprojects - [LinuxKit kubernetes](https://github.com/linuxkit/kubernetes) aims to build minimal and immutable Kubernetes images. (previously `projects/kubernetes` in this repository). +- [LinuxKit LCOW](https://github.com/linuxkit/lcow) LinuxKit images and utilities for Microsoft's Linux Containers on Windows. +- [linux](https://github.com/linuxkit/linux) A copy of the Linux stable tree with branches LinuxKit kernels. +- [virtsock](https://github.com/linuxkit/virtsock) A `go` library and test utilities for `virtio` and Hyper-V sockets. +- [rtf](https://github.com/linuxkit/rtf) A regression test framework used for the LinuxKit CI tests (and other projects). ## Getting Started From 8f4f51c47fa2176c59fd8d3c3ccfcb23dbe685c9 Mon Sep 17 00:00:00 2001 From: Rolf Neugebauer Date: Wed, 4 Apr 2018 19:27:59 +0100 Subject: [PATCH 4/5] docs: Clarify s390x support and add details for hvf mode on macOS Signed-off-by: Rolf Neugebauer --- docs/platform-qemu.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/platform-qemu.md b/docs/platform-qemu.md index 94ac325ff..c5a64b4e0 100644 --- a/docs/platform-qemu.md +++ b/docs/platform-qemu.md 
@@ -4,19 +4,26 @@ The `qemu` backend is the most versatile `run` backend for `linuxkit`. It can boot both `x86_64` and `arm64` images, runs on macOS and Linux (and possibly Windows), and can boot most types of output formats. On Linux, `kvm` acceleration is enabled by default if -available. +available. On macOS, `hvf` acceleration (using the Hypervisor +framework) is used if your `qemu` version supports it (versions +released after Jan/Feb 2018 should support it). `s390x` is currently +only supported in `kvm` mode as the emulated `s390x` architecture (aka +`tcg` mode) does not seem to support several required platform +features. Further, on `s390x` platforms you need to set +`vm.allocate_pgste=1` via `sysctl` (or use `echo 1 > +/proc/sys/vm/allocate_pgste`). ## Boot By default `linuxkit run qemu` will boot with the host architecture -(`x86_64` on `x86_64` machines and `aarch64` on `arm64` systems). The -architecture can be specified with `-arch` and currently accepts -`x86_64` and `aarch64` as arguments. +(e.g., `aarch64` on `arm64` systems). The architecture can be +specified with `-arch` and currently accepts `x86_64`, `aarch64`, and +`s390x` as arguments. `linuxkit run qemu` can boot in different types of images: -- `kernel+initrd`: This is the default mode of `linuxkit run qemu` [`x86_64`, `arm64`] +- `kernel+initrd`: This is the default mode of `linuxkit run qemu` [`x86_64`, `arm64`, `s390x`] - `iso-bios`: `linuxkit run qemu -iso ` [`x86_64`] - `iso-efi`: `linuxkit run qemu -iso -uefi `. This looks in `/usr/share/ovmf/bios.bin` for the EFI firmware by default. Can be overwritten with `-fw`. [`x86_64`, `arm64`] - `qcow-bios`: `linuxkit run qemu disk.qcow2` [`x86_64`] From 074ad8391c1ae9fdd532932a9eb9c54e6b49cb60 Mon Sep 17 00:00:00 2001 From: Rolf Neugebauer Date: Wed, 4 Apr 2018 19:29:22 +0100 Subject: [PATCH 5/5] doc: Add s390x to packages doc Signed-off-by: Rolf Neugebauer --- docs/packages.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/packages.md b/docs/packages.md index 2cb7a65b2..87bc9911b 100644 --- a/docs/packages.md +++ b/docs/packages.md @@ -72,9 +72,9 @@ should also be set up with signing keys for packages and your signing key should have a passphrase, which we call `` throughout. All official LinuxKit packages are multi-arch manifests and most of -them are available for amd64 and aarm64. Official images *must* be -build on both architectures and they must be build *in sequence*, i.e., -they can't be build in parallel. +them are available for `amd64`, `arm64`, and `s390x`. Official images +*must* be build on both architectures and they must be build *in +sequence*, i.e., they can't be build in parallel. To build a package on an architecture:
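Review bot: on the README hunk in PATCH 1/5, the removed block carries two pieces of guidance and the commit message only justifies dropping one of them. The KPTI/Meltdown/Spectre status is covered by "We had the relevant fixes in all kernels", although the removed text itself states "The `arm64` kernels are not yet fixed", so the commit message should say explicitly that arm64 is now included. The second removed paragraph, recommending `ucode: intel-ucode.cpio` (Intel) or `linuxkit/firmware:` (AMD) in the kernel section of the YAML for x86 baremetal, is a microcode/firmware recommendation rather than a kernel fix, and nothing else in this series re-homes it. Suggest moving that paragraph into the baremetal platform documentation (for example the packet.net platform page) instead of deleting it outright, so users booting on physical hardware still see it.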
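Review bot: the sentence added in the `@@ -15,6 +15,8 @@` hunk of PATCH 2/5 has an unclosed parenthesis: `(see [below](#booting-and-testing) for details.` needs a closing `)` after `details`. Minor: "baremetal" is written as one word here and in the platform list below; "bare metal" is the usual spelling, but consistency within the README matters more than which one is chosen.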
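Review bot: the architecture tags introduced in the `@@ -56,25 +58,25 @@` hunk of PATCH 2/5, e.g. `[HyperKit (macOS)](docs/platform-hyperkit.md) `[x86_64]``, put the whole bracket inside backticks, whereas docs/platform-qemu.md (touched in PATCH 4/5 of this series) writes them as [`x86_64`, `arm64`] with only the names in backticks; pick one style for both files. This hunk also mixes a whitespace-only reflow of the `linuxkit run` paragraph with the content change to the platform lists, which makes the real change harder to review; the reflow would be better as its own commit. "Cloud based platforms" should be hyphenated as "Cloud-based platforms".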
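Review bot: in the PATCH 3/5 hunk, the `linux` entry reads "A copy of the Linux stable tree with branches LinuxKit kernels", which is missing a word, presumably "with branches for LinuxKit kernels". The four added entries also do not match the existing first item stylistically: `LinuxKit kubernetes` is followed by a verb phrase ("aims to build ..."), while the new ones are bare noun phrases with no separator after the link. Suggest either a consistent separator (colon or dash) after each link or rewording the new entries as sentences.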
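Review bot: in the PATCH 4/5 hunk for docs/platform-qemu.md, the unchanged context at the top still says "It can boot both `x86_64` and `arm64` images", while the added text states that `s390x` is supported in `kvm` mode and that `-arch` now accepts `s390x`; that opening sentence should be updated in the same change so the page does not contradict itself. Two smaller points on the added `s390x` paragraph: "versions released after Jan/Feb 2018 should support it" is too vague for a requirement, so name the minimum `qemu` release that carries `hvf` support; and the `vm.allocate_pgste=1` instruction would be clearer as the exact command, e.g. `sysctl -w vm.allocate_pgste=1`, with a note that it must be set before the guest starts and does not persist across reboots unless also placed in a sysctl configuration file.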
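Review bot: in the PATCH 5/5 hunk for docs/packages.md, the rewritten sentence now lists three architectures (`amd64`, `arm64`, `s390x`), but the following sentence, also rewritten in this hunk, still says images "*must* be build on both architectures"; "both" is stale and should read "on all supported architectures" or name the three. While these lines are being touched, "build" should be "built" in all three places ("must be built", "must be built *in sequence*", "can't be built in parallel").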