Merge pull request #2465 from t-koulouris/ok_build_updates

Updates to okernel project build files
This commit is contained in:
Rolf Neugebauer 2017-08-31 15:47:22 +01:00 committed by GitHub
commit 2d1242e271
6 changed files with 314 additions and 664 deletions


@ -1,5 +1,8 @@
FROM alpine:3.5 ARG IMAGE
FROM ${IMAGE} AS kernel
COPY ./kvmod . FROM scratch
ENTRYPOINT []
CMD ["insmod", "/root/kvmod/kernel_vuln.ko"] WORKDIR /
COPY --from=kernel kernel_vuln.ko .
CMD ["insmod", "/kernel_vuln.ko"]
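Review bot: The new final stage is `FROM scratch`, which ships no `insmod` binary, yet `CMD ["insmod", "/kernel_vuln.ko"]` still expects one; the previous `alpine:3.5` base provided it through busybox, so unless the LinuxKit runtime bind-mounts a toolset into this container the command cannot run. The `kernel` stage is also selected through `ARG IMAGE` with no default and, from the Makefile, by a mutable tag rather than a digest, so the `.ko` copied in is not guaranteed to match the kernel that actually boots. Either restore a minimal base that carries `insmod`, or document the intent above the `CMD`: `# File-carrier image only: insmod must be supplied by the runtime, and IMAGE must name the exact kernel build this module was compiled against.`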


@ -1,4 +1,26 @@
FROM linuxkit/alpine-build-kernel:cfdd576c36a52ed2dd62f237f79eeedc2dd3697b@sha256:3fe08db373a9373ba1616a485858f01ebd2d7a3cb364a099d0ed8b45fa419da2 FROM linuxkit/alpine:a120ad6aead3fe583eaa20e9b75a05ac1b3487da AS kernel-build
RUN apk --no-cache add \
argp-standalone \
automake \
bash \
bc \
binutils-dev \
bison \
build-base \
curl \
diffutils \
git \
installkernel \
kmod \
libelf-dev \
linux-headers \
sed \
tar \
xz \
zlib-dev \
openssl-dev
RUN apk --no-cache add --repository http://dl-cdn.alpinelinux.org/alpine/edge/main openssl
ARG KERNEL_VERSION ARG KERNEL_VERSION
ARG DEBUG=0 ARG DEBUG=0
@ -6,8 +28,6 @@ ARG DEBUG=0
ENV OKERNEL_SOURCE=https://github.com/linux-okernel/linux-okernel/archive/${KERNEL_VERSION}.tar.gz ENV OKERNEL_SOURCE=https://github.com/linux-okernel/linux-okernel/archive/${KERNEL_VERSION}.tar.gz
ENV USPACE_SOURCE=https://github.com/linux-okernel/linux-okernel-components/archive/master.tar.gz ENV USPACE_SOURCE=https://github.com/linux-okernel/linux-okernel-components/archive/master.tar.gz
RUN apk --update add openssl openssl-dev
RUN if [ -n $HTTP_PROXY ]; then \ RUN if [ -n $HTTP_PROXY ]; then \
curl -fsSL -x ${HTTP_PROXY} -o linux-${KERNEL_VERSION}.tar.gz ${OKERNEL_SOURCE}; \ curl -fsSL -x ${HTTP_PROXY} -o linux-${KERNEL_VERSION}.tar.gz ${OKERNEL_SOURCE}; \
else \ else \
@ -16,47 +36,43 @@ RUN if [ -n $HTTP_PROXY ]; then \
RUN cat linux-${KERNEL_VERSION}.tar.gz | tar --absolute-names -xz && mv /linux-okernel-${KERNEL_VERSION} /linux RUN cat linux-${KERNEL_VERSION}.tar.gz | tar --absolute-names -xz && mv /linux-okernel-${KERNEL_VERSION} /linux
COPY kernel_config.okernel /linux/arch/x86/configs/x86_64_defconfig COPY kernel_config.okernel /linux/.config
#COPY kernel_config.debug /linux/debug_config
RUN if [ $DEBUG -ne "0" ]; then \ RUN mkdir /out
sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \
cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \
fi
# Apply local patches
# COPY patches-4.10 /patches
#RUN cd /linux && \
# set -e && for patch in /patches/*.patch; do \
# echo "Applying $patch"; \
# patch -p1 < "$patch"; \
# done
# Kernel
RUN cd /linux && \ RUN cd /linux && \
make defconfig && \
make oldconfig && \ make oldconfig && \
make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
cp arch/x86_64/boot/bzImage /out/kernel && \
cp System.map /out && \
cp vmlinux /out
# Modules & Headers (userspace API)
RUN cd /linux && \ RUN cd /linux && \
make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \ make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \ ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
cd /tmp/kernel-modules/lib/modules/$DVER && \ cd /tmp/kernel-modules/lib/modules/$DVER && \
rm build source && \ rm build source && \
ln -s /usr/src/linux-headers-$DVER build ) && \ ln -s /usr/src/linux-headers-$DVER build ) && \
( cd /tmp/kernel-modules && tar cf /out/kernel.tar lib ) && \
mkdir -p /tmp/kernel-headers/usr && \ mkdir -p /tmp/kernel-headers/usr && \
make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \ make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
( cd /tmp/kernel-headers && tar cf /kernel-headers.tar usr ) && \ ( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr )
( cd /tmp/kernel-modules && tar cf /kernel-modules.tar lib ) && \
cp vmlinux arch/x86_64/boot/bzImage /
# Headers (kernel development)
RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \ RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
dir=/tmp/usr/src/linux-headers-$DVER && \ dir=/tmp/usr/src/linux-headers-$DVER && \
mkdir -p $dir && \ mkdir -p $dir && \
cp /linux/.config $dir && \ cp /linux/.config $dir && \
cd /linux && \ cp /linux/Module.symvers $dir && \
cp -a include "$dir" && \ find . -path './include/*' -prune -o \
mkdir -p "$dir"/arch/x86 && cp -a arch/x86/include "$dir"/arch/x86/ && \ -path './arch/*/include' -prune -o \
( cd /tmp && tar cf /kernel-dev.tar usr/src ) -path './scripts/*' -prune -o \
-type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
-name '*.lds' -o -name '*.pl' -o -name '*.sh' \) | \
tar cf - -T - | (cd $dir; tar xf -) && \
( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
RUN printf "KERNEL_SOURCE=${OKERNEL_SOURCE}\n" > /kernel-source-info RUN printf "KERNEL_SOURCE=${OKERNEL_SOURCE}\n" > /kernel-source-info
@ -73,8 +89,11 @@ WORKDIR /ok_components/test_mappings/kvmod
RUN sed -i 's_~/linux-okernel_/linux_' Makefile && \ RUN sed -i 's_~/linux-okernel_/linux_' Makefile && \
make && \ make && \
mkdir -p /tmp/root/kvmod && cp kernel_vuln.ko /tmp/root/kvmod && \ cp kernel_vuln.ko /out/
cd /tmp && \
tar cf /kernel_vuln.tar root
FROM scratch
ENTRYPOINT []
CMD []
WORKDIR / WORKDIR /
COPY --from=kernel-build /out/* /
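Review bot: The new `FROM linuxkit/alpine:a120ad6aead3fe583eaa20e9b75a05ac1b3487da AS kernel-build` drops the `@sha256:` digest that the previous base image carried, so the toolchain that produces the kernel is now pinned only by a mutable tag; restore the pin as `FROM linuxkit/alpine:a120ad6aead3fe583eaa20e9b75a05ac1b3487da@sha256:<digest> AS kernel-build`. The added `apk --no-cache add --repository http://dl-cdn.alpinelinux.org/alpine/edge/main openssl` pulls an unpinned package from the edge branch into an otherwise release-based build; pin it (`openssl=<version>`) or drop it if the `openssl-dev` already in the package list is sufficient. Separately, the final stage copies only `/out/*`, while `printf "KERNEL_SOURCE=${OKERNEL_SOURCE}\n" > /kernel-source-info` still writes to `/`, so the provenance file no longer ends up in the published image — write it to `/out/kernel-source-info` instead.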


@ -1,90 +1,67 @@
all: image tag
IMAGE=okernel
OKERNEL_REPO=https://github.com/linux-okernel/linux-okernel
DEPS=Dockerfile.okernel Makefile kernel_config.okernel Dockerfile.kvmod
DEBUG ?= 0 DEBUG ?= 0
all: bzImage tag
# We push the image to hub twice, once with the full kernel version of
# "linuxkit/kernel:<kernel version>.<major version>.<minor version>-<n>",
# where "<n>" is a monotonically increasing config number, and as
# "linuxkit/kernel:<kernel version>.<major version>.x". This version
# number is stored in IMAGE_VERSION.
#
# We expect most users to us the "<kernel version>.<major version>.x"
# variant as this simply is the latest version of a given major kernel
# version. This version number is stored in IMAGE_MAJOR_VERSION.
#
# For IMAGE_VERSION, the "<n>" must be increased whenever
# the kernel config or the patches change. We don't expect this to
# happen very often as the minor version number gets update quite
# frequently.
#
# IMAGE_VERSION is used to determine if a new image should be pushed to hub.
ifdef KERNEL ifdef KERNEL
ifneq ($(KERNEL),latest) ifneq ($(KERNEL),latest)
ifneq (,$(findstring ok-,$(KERNEL)))
KERNEL_VERSION=$(KERNEL) KERNEL_VERSION=$(KERNEL)
IMAGE_VERSION=$(KERNEL_VERSION)-0 IMAGE_VERSION=$(KERNEL_VERSION)
LATEST=0
else else
KERNEL_VERSION=linux-okernel $(error Error, valid okernel kernel versions begin with "ok-")
IMAGE_VERSION=latest
endif endif
else else
KERNEL_VERSION=linux-okernel KERNEL_VERSION=linux-okernel
IMAGE_VERSION=latest IMAGE_VERSION=$(shell git ls-remote --tags $(OKERNEL_REPO) ok-\* | awk -F"/" '{print $$3}' | tail -1)
LATEST=1
endif
else
KERNEL_VERSION=linux-okernel
IMAGE_VERSION=$(shell git ls-remote --tags $(OKERNEL_REPO) ok-\* | awk -F"/" '{print $$3}' | tail -1)
LATEST=1
endif endif
IMAGE=okernel
IMAGE_MAJOR_VERSION=4.11.x
DEPS=Dockerfile.okernel Makefile kernel_config.okernel Dockerfile.kvmod
MEDIA_TOYBOX=linuxkit/toybox-media:d7e82a7d19ccc84c9071fa7a88ecaa58ae958f7c@sha256:4c7d25f2be2429cd08417c36e04161cb924e46f3e419ee33a0aa9ff3a0942e02
kernel.tag: $(DEPS)
ifdef HTTP_PROXY ifdef HTTP_PROXY
BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) --build-arg HTTP_PROXY=$(HTTP_PROXY) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@ PROXY_ARG = --build-arg HTTP_PROXY=$(HTTP_PROXY)
else
BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
endif endif
bzImage: kernel.tag ifdef HTTPS_PROXY
rm -rf etc/kernel-patches PROXY_ARG += --build-arg HTTPS_PROXY=$(HTTPS_PROXY)
mkdir -p x86_64 etc lib usr sbin etc/kernel-patches kvmod endif
docker run --rm --net=none --log-driver=none $(shell cat kernel.tag) tar cf - bzImage kernel-dev.tar kernel-headers.tar vmlinux kernel-modules.tar kernel_vuln.tar | tar xf - -C x86_64
cp x86_64/kernel-modules.tar kernel.tar
cp x86_64/kernel_vuln.tar kernel_vuln.tar
tar xf kernel_vuln.tar -C kvmod
cp x86_64/bzImage $@
.PHONY: image push tag kvmod .PHONY: image push tag kvmod
image: $(DEPS)
BUILD=$$( tar cf - $^ | docker build -f $< $(PROXY_ARG) --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q -t $(IMAGE):build - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > build_info
default: push
Dockerfile.media: default: tag
printf "FROM $(MEDIA_TOYBOX)\nCOPY bzImage kernel.tar /\n" > $@
image: Dockerfile.media bzImage kernel.tar Dockerfile.kvmod kvmod/root/kvmod/kernel_vuln.ko $(DEPS) kvmod:
tar cf - $^ | docker build --no-cache -t $(IMAGE):build -f Dockerfile.media - docker build --no-cache --build-arg IMAGE=$(IMAGE):$(IMAGE_VERSION) -t okernel-kvmod:$(IMAGE_VERSION) - < Dockerfile.kvmod
kvmod: Dockerfile.kvmod kvmod/root/kvmod/kernel_vuln.ko $(DEPS)
tar cf - $^ | docker build --no-cache -t okernel-kvmod:$(IMAGE_VERSION) -f Dockerfile.kvmod -
push: image push: image
docker pull linuxkit/$(IMAGE):$(IMAGE_VERSION) || \ (docker tag $(IMAGE):build $(IMAGE):$(IMAGE_VERSION) && \
(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(IMAGE_VERSION) && \ docker push $(IMAGE):$(IMAGE_VERSION))
docker push linuxkit/$(IMAGE):$(IMAGE_VERSION) && \
docker tag $(IMAGE):build linuxkit/$(IMAGE):$(IMAGE_MAJOR_VERSION) && \
docker push linuxkit/$(IMAGE):$(IMAGE_MAJOR_VERSION))
docker rmi $(IMAGE):build docker rmi $(IMAGE):build
rm -f hash rm -f hash
tag: image tag: image
(docker tag $(IMAGE):build linuxkit/$(IMAGE):$(IMAGE_VERSION) && \ docker tag $(IMAGE):build $(IMAGE):$(IMAGE_VERSION)
docker tag $(IMAGE):build linuxkit/$(IMAGE):$(IMAGE_MAJOR_VERSION)) ifeq (1,$(LATEST))
docker tag $(IMAGE):build $(IMAGE):latest
endif
docker rmi $(IMAGE):build docker rmi $(IMAGE):build
rm -f hash rm -f hash
.PHONY: clean .PHONY: clean
clean: clean:
rm -rf x86_64 lib usr sbin kernel.tag Dockerfile.media bzImage kernel.tar kernel_vuln.tar kvmod rm -f build_info
.DELETE_ON_ERROR: .DELETE_ON_ERROR:
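Review bot: In the no-`KERNEL` branch, `IMAGE_VERSION=$(shell git ls-remote --tags $(OKERNEL_REPO) ok-\* | awk -F"/" '{print $$3}' | tail -1)` labels an image built from the `linux-okernel` branch (`KERNEL_VERSION=linux-okernel`) with the name of a release tag it was not built from, so the pushed `okernel:ok-<ver>` image does not correspond to that tag's sources. The selection is also fragile: `git ls-remote` lists refs in lexical order, so `tail -1` is not necessarily the newest tag, annotated tags add `ref^{}` peel entries that would be picked up as the version string, and a network failure leaves the variable empty so `docker tag $(IMAGE):build $(IMAGE):` fails only at tag time. Consider tagging branch builds as `latest` only and guarding the derived value, e.g. `ifeq (,$(IMAGE_VERSION))` / `$(error could not determine okernel version from $(OKERNEL_REPO))` / `endif`.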


@ -73,18 +73,18 @@ then entered where the permission violation can be handled.
# Integration with LinuxKit # Integration with LinuxKit
Custom Linux distributions utilizing the split kernel can be readily built Custom Linux distributions utilizing the split kernel can be readily built
using LinuxKit by simply specifying an okernel Docker image in the `kernel` using LinuxKit by simply specifying an okernel image in the `kernel` section
section of the OS image YAML specification. See the sample YAML files provided of the LinuxKit OS image YAML specification. See the sample YAML files provided
in [examples](https://github.com/linuxkit/linuxkit/tree/master/projects/okernel/examples). in [examples/](https://github.com/linuxkit/linuxkit/tree/master/projects/okernel/examples) for more details.
## Building the split kernel image for LinuxKit ## Building the split kernel image for LinuxKit
- `make` will build and package the latest version of the split kernel, by - `make` will build and package the latest version of the split kernel
pulling sources from the top-of-tree of the okernel project GitHub for LinuxKit, by pulling sources from the top-of-tree of the
(https://github.com/linux-okernel/linux-okernel). okernel project GitHub (https://github.com/linux-okernel/linux-okernel).
- Additionally, a specific version of the kernel can be built - Alternatively, a specific version of the kernel can be built
by setting the 'KERNEL' environment variable to the appropriate by setting the 'KERNEL' environment variable to the appropriate
value, e.g.: `make KERNEL=ok-4.11-rc2`. The value MUST correspond value, e.g.: `make KERNEL=ok-4.13-rc7`. The value MUST correspond
to a legitimate okernel tag present in the project GitHub to a legitimate okernel tag present in the project GitHub
(https://github.com/linux-okernel/linux-okernel/tags) beginning (https://github.com/linux-okernel/linux-okernel/tags) beginning
with __"ok-"__. with __"ok-"__.
@ -94,6 +94,29 @@ in [examples](https://github.com/linuxkit/linuxkit/tree/master/projects/okernel/
string corresponding to a kernel version, will build the kernel string corresponding to a kernel version, will build the kernel
vulnerability emulation kernel module for that kernel, useful for testing. vulnerability emulation kernel module for that kernel, useful for testing.
## Enabling NR-mode protections in LinuxKit
By default, okernel will treat processes like any standard Linux kernel, i.e. no
R-mode/NR-mode split is applied when processes are created. This is by design to
assist development and enable coexistence of normal and protected processes in
the same environment. A consequence of that is that processes must be explicitly
launched in NR-mode.
In early versions of LinuxKit we provided a lightly-modified version of the
default 'init' container to ensure runc launched in NR-mode and by extension all
its children processes/containers got instantiated in NR-mode as well.
Recent changes to how LinuxKit implements init made this approach obsolete. We
are in the process of developing an alternative (and hopefully more elegant)
way to launch containers in NR-mode (Aug 2017).
Note that because okernel utilizes the processor's VMX facilities, okernel
LinuxKit images with full NR-mode operation can only be run in baremetal
environments. If no processes are switched to NR-mode, okernel will boot and
operate normally inside a VM, however in this scenario it offers no benefits
compared to a standard Linux kernel.
We are investigating nested virtualization support to enable running okernel
inside VMs.
# Limitations and Caveats # Limitations and Caveats


@ -1,6 +1,6 @@
kernel: kernel:
image: linuxkit/okernel:latest image: okernel:latest
cmdline: "console=ttyS0 console=tty0 page_poison=1" cmdline: "console=tty0 page_poison=1"
init: init:
- linuxkit/init:6d11a1f9d299d3425e78cce80dfba8b236d20412 - linuxkit/init:6d11a1f9d299d3425e78cce80dfba8b236d20412
- linuxkit/runc:a1b564248a0d0b118c11e61db9f84ecf41dd2d2a - linuxkit/runc:a1b564248a0d0b118c11e61db9f84ecf41dd2d2a
@ -10,14 +10,12 @@ onboot:
- name: sysctl - name: sysctl
image: linuxkit/sysctl:154913b72c6f1f33eb408609fca9963628e8c051 image: linuxkit/sysctl:154913b72c6f1f33eb408609fca9963628e8c051
services: services:
- name: rngd
image: linuxkit/rngd:558e86a36242bb74353bc9287b715ddb8567357e
- name: dhcpcd - name: dhcpcd
image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7 image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7
- name: sshd - name: getty
image: linuxkit/sshd:505a985d7bd7a90f15eca9cb4dc6ec92789d51a0 image: linuxkit/getty:797cb79e0a229fcd16ebf44a0da74bcec03968ec
files: env:
- path: root/.ssh/authorized_keys - INSECURE=true
source: ~/.ssh/id_rsa.pub trust:
mode: "0600" org:
optional: true - linuxkit
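Review bot: The new `linuxkit/getty` service with `INSECURE=true` gives an unauthenticated root console on the local tty, and `image: okernel:latest` points at an unsigned, locally built mutable tag that the added `trust: org: - linuxkit` section does not cover, so the example both disables login and boots a kernel outside the image-trust policy. If this is deliberately a local test image, say so in the file: `# Test-only example: getty INSECURE=true gives a passwordless root shell, and okernel:latest is a local unsigned build not covered by the trust section.` Prefer the versioned tag the Makefile produces (`okernel:<ok-tag>`) over `latest`, and note that dropping `console=ttyS0` from `cmdline` removes the serial console that is typically the only output when the image is run headless or under a VM.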
