diff --git a/kernel/Dockerfile b/kernel/Dockerfile index 44b8a6b1d..920304c4f 100644 --- a/kernel/Dockerfile +++ b/kernel/Dockerfile @@ -1,4 +1,4 @@ -FROM linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1 AS kernel-build +FROM linuxkit/alpine:34518265c6cb63ff02074549cc5b64bef40c336f AS kernel-build RUN apk add \ argp-standalone \ automake \ @@ -157,6 +157,18 @@ RUN if [ "${KERNEL_SERIES}" != "4.4.x" ]; then \ cp /build/perf/perf /out; \ fi +# Download Intel ucode and create a CPIO archive for it +ENV UCODE_URL=https://downloadmirror.intel.com/27431/eng/microcode-20180108.tgz +RUN set -e && \ + if [ $(uname -m) == x86_64 ]; then \ + cd /ucode && \ + curl -sSL -o microcode.tar.gz ${UCODE_URL} && \ + md5sum -c intel-ucode-md5sums && \ + tar xf microcode.tar.gz && \ + iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \ + cp intel-ucode-license.txt /out; \ + fi + FROM scratch ENTRYPOINT [] CMD [] diff --git a/kernel/README.md b/kernel/README.md index cc4e8a988..89166fcab 100644 --- a/kernel/README.md +++ b/kernel/README.md @@ -1,23 +1 @@ -See [../docs/kernels.md](../docs/kernels.md) for more -information on kernel builds. - -To build with various debug options enabled, build the kernel with -`make DEBUG=1`. The options enabled are listed in `kernel_config.debug`. -This allocates a significant amount of memory on boot and you may need to -adjust the kernel config on some systems. Specifically: - -```diff ---- a/alpine/kernel/kernel_config -+++ b/alpine/kernel/kernel_config -@@ -415,8 +415,8 @@ CONFIG_DMI=y - # CONFIG_CALGARY_IOMMU is not set - CONFIG_SWIOTLB=y - CONFIG_IOMMU_HELPER=y --CONFIG_MAXSMP=y --CONFIG_NR_CPUS=8192 -+CONFIG_MAXSMP=n -+CONFIG_NR_CPUS=8 - # CONFIG_SCHED_SMT is not set - CONFIG_SCHED_MC=y - # CONFIG_PREEMPT_NONE is not set -``` +See [../docs/kernels.md](../docs/kernels.md) for more information on kernel builds. 
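Review bot: The only integrity check on the microcode tarball in the added `RUN` step of kernel/Dockerfile is `md5sum -c intel-ucode-md5sums`, and MD5 is no longer collision-resistant, so it is a weak pin for a firmware archive fetched over the network at build time; the same applies to the new `kernel/ucode/intel-ucode-md5sums` file. I would commit a SHA-256 list instead and check it with `sha256sum -c`, and download with `curl -fsSL -o microcode.tar.gz "${UCODE_URL}"` so an HTTP error fails at the download step rather than surfacing as a checksum mismatch. The architecture test is written `[ $(uname -m) == x86_64 ]`, where `==` is not POSIX `test` syntax and the substitution is unquoted; `if [ "$(uname -m)" = "x86_64" ]; then \` matches the form used in tools/alpine/Dockerfile. How `/ucode` gets populated is not visible in this hunk.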
diff --git a/kernel/ucode/intel-ucode-license.txt b/kernel/ucode/intel-ucode-license.txt new file mode 100644 index 000000000..c2d829a74 --- /dev/null +++ b/kernel/ucode/intel-ucode-license.txt 
@@ -0,0 +1,219 @@ +The terms of the software license agreement included with any software you download will control your use of the software. + +INTEL SOFTWARE LICENSE AGREEMENT +IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING. + +Do not use or load this software and any associated materials (collectively, + +the "Software") until you have carefully read the following terms and + +conditions. By loading or using the Software, you agree to the terms of this + +Agreement. If you do not wish to so agree, do not install or use the Software. + +LICENSES: Please Note: + +- If you are a network administrator, the "Site License" below shall + +apply to you. + +- If you are an end user, the "Single User License" shall apply to you. + +- If you are an original equipment manufacturer (OEM), the "OEM License" + +shall apply to you. + +SITE LICENSE. You may copy the Software onto your organization's computers + +for your organization's use, and you may make a reasonable number of + +back-up copies of the Software, subject to these conditions: + +1. This Software is licensed for use only in conjunction with Intel + +component products. Use of the Software in conjunction with non-Intel + +component products is not licensed hereunder. + +2. You may not copy, modify, rent, sell, distribute or transfer any part + +of the Software except as provided in this Agreement, and you agree to + +prevent unauthorized copying of the Software. + +3. You may not reverse engineer, decompile, or disassemble the Software. + +4. You may not sublicense or permit simultaneous use of the Software by + +more than one user. + +5. The Software may include portions offered on terms in addition to those + +set out here, as set out in a license accompanying those portions. + +SINGLE USER LICENSE. You may copy the Software onto a single computer for + +your personal, noncommercial use, and you may make one back-up copy of the + +Software, subject to these conditions: + +1. 
This Software is licensed for use only in conjunction with Intel + +component products. Use of the Software in conjunction with non-Intel + +component products is not licensed hereunder. + +2. You may not copy, modify, rent, sell, distribute or transfer any part + +of the Software except as provided in this Agreement, and you agree to + +prevent unauthorized copying of the Software. + +3. You may not reverse engineer, decompile, or disassemble the Software. + +4. You may not sublicense or permit simultaneous use of the Software by + +more than one user. + +5. The Software may include portions offered on terms in addition to those + +set out here, as set out in a license accompanying those portions. + +OEM LICENSE: You may reproduce and distribute the Software only as an + +integral part of or incorporated in Your product or as a standalone + +Software maintenance update for existing end users of Your products, + +excluding any other standalone products, subject to these conditions: + +1. This Software is licensed for use only in conjunction with Intel + +component products. Use of the Software in conjunction with non-Intel + +component products is not licensed hereunder. + +2. You may not copy, modify, rent, sell, distribute or transfer any part + +of the Software except as provided in this Agreement, and you agree to + +prevent unauthorized copying of the Software. + +3. You may not reverse engineer, decompile, or disassemble the Software. + +4. You may only distribute the Software to your customers pursuant to a + +written license agreement. Such license agreement may be a "break-the- + +seal" license agreement. At a minimum such license shall safeguard + +Intel's ownership rights to the Software. + +5. The Software may include portions offered on terms in addition to those + +set out here, as set out in a license accompanying those portions. + +NO OTHER RIGHTS. 
No rights or licenses are granted by Intel to You, expressly + +or by implication, with respect to any proprietary information or patent, + +copyright, mask work, trademark, trade secret, or other intellectual property + +right owned or controlled by Intel, except as expressly provided in this + +Agreement. + +OWNERSHIP OF SOFTWARE AND COPYRIGHTS. Title to all copies of the Software + +remains with Intel or its suppliers. The Software is copyrighted and + +protected by the laws of the United States and other countries, and + +international treaty provisions. You may not remove any copyright notices + +from the Software. Intel may make changes to the Software, or to items + +referenced therein, at any time without notice, but is not obligated to + +support or update the Software. Except as otherwise expressly provided, Intel + +grants no express or implied right under Intel patents, copyrights, + +trademarks, or other intellectual property rights. You may transfer the + +Software only if the recipient agrees to be fully bound by these terms and if + +you retain no copies of the Software. + +LIMITED MEDIA WARRANTY. If the Software has been delivered by Intel on + +physical media, Intel warrants the media to be free from material physical + +defects for a period of ninety days after delivery by Intel. If such a defect + +is found, return the media to Intel for replacement or alternate delivery of + +the Software as Intel may select. + +EXCLUSION OF OTHER WARRANTIES. EXCEPT AS PROVIDED ABOVE, THE SOFTWARE IS + +PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND + +INCLUDING WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A + +PARTICULAR PURPOSE. Intel does not warrant or assume responsibility for the + +accuracy or completeness of any information, text, graphics, links or other + +items contained within the Software. + +LIMITATION OF LIABILITY. 
IN NO EVENT SHALL INTEL OR ITS SUPPLIERS BE LIABLE + +FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS, + +BUSINESS INTERRUPTION, OR LOST INFORMATION) ARISING OUT OF THE USE OF OR + +INABILITY TO USE THE SOFTWARE, EVEN IF INTEL HAS BEEN ADVISED OF THE + +POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS PROHIBIT EXCLUSION OR + +LIMITATION OF LIABILITY FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL + +DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. YOU MAY ALSO HAVE + +OTHER LEGAL RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. + +TERMINATION OF THIS AGREEMENT. Intel may terminate this Agreement at any time + +if you violate its terms. Upon termination, you will immediately destroy the + +Software or return all copies of the Software to Intel. + +APPLICABLE LAWS. Claims arising under this Agreement shall be governed by the + +laws of California, excluding its principles of conflict of laws and the + +United Nations Convention on Contracts for the Sale of Goods. You may not + +export the Software in violation of applicable export laws and regulations. + +Intel is not obligated under any other agreements unless they are in writing + +and signed by an authorized representative of Intel. + +GOVERNMENT RESTRICTED RIGHTS. The Software is provided with "RESTRICTED + +RIGHTS." Use, duplication, or disclosure by the Government is subject to + +restrictions as set forth in FAR52.227-14 and DFAR252.227-7013 et seq. or its + +successor. Use of the Software by the Government constitutes acknowledgment + +of Intel's proprietary rights therein. Contractor or Manufacturer is Intel + +2200 Mission College Blvd., Santa Clara, CA 95052. + +I accept the terms in the license agreement + +I do not accept the terms in the license agreement + diff --git a/kernel/ucode/intel-ucode-md5sums b/kernel/ucode/intel-ucode-md5sums new file mode 100644 index 000000000..f9cc9799f --- /dev/null +++ b/kernel/ucode/intel-ucode-md5sums 
@@ -0,0 +1 @@ +871df55f0ab010ee384dabfc424f2c12 microcode.tar.gz diff --git a/tools/alpine/Dockerfile b/tools/alpine/Dockerfile index e5a8ccd0e..20af63d27 100644 --- a/tools/alpine/Dockerfile +++ b/tools/alpine/Dockerfile @@ -53,6 +53,26 @@ RUN apk add --no-cache btrfs-progs-dev gcc libc-dev linux-headers make RUN cd $GOPATH/src/github.com/containerd/containerd && \ make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"' BUILD_TAGS="static_build" +# Checkout and compile iucode-tool for Intel CPU microcode +# On non-x86_64 create a dummy file to copy below. +ENV IUCODE_REPO=https://gitlab.com/iucode-tool/iucode-tool +ENV IUCODE_COMMIT=v2.2 +WORKDIR / +ADD iucode-tool.patch / +RUN set -e && \ + mkdir /iucode_tool && \ + if [ $(uname -m) = "x86_64" ]; then \ + apk add --no-cache automake autoconf argp-standalone git gcc make musl-dev patch && \ + git clone ${IUCODE_REPO} && \ + cd /iucode-tool && \ + git checkout ${IUCODE_COMMIT} && \ + patch -p 1 < /iucode-tool.patch && \ + ./autogen.sh && \ + ./configure && \ + make && \ + cp iucode_tool /iucode_tool; \ + fi + FROM alpine:3.7 COPY --from=mirror /etc/apk/repositories /etc/apk/repositories @@ -62,6 +82,7 @@ COPY --from=mirror /mirror /mirror/ COPY --from=mirror /go/bin /go/bin/ COPY --from=mirror /Dockerfile /Dockerfile COPY --from=mirror /go/src/github.com/containerd/containerd /go/src/github.com/containerd/containerd/ +COPY --from=mirror /iucode_tool /usr/bin/ RUN apk update && apk upgrade -a diff --git a/tools/alpine/iucode-tool.patch b/tools/alpine/iucode-tool.patch new file mode 100644 index 000000000..7ef12cd19 --- /dev/null +++ b/tools/alpine/iucode-tool.patch @@ -0,0 +1,12 @@ +diff --git a/iucode_tool.c b/iucode_tool.c +index 460087c..8825ed6 100644 +--- a/iucode_tool.c ++++ b/iucode_tool.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include "intel_microcode.h" + 
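Review bot: In the first tools/alpine/Dockerfile hunk, `IUCODE_COMMIT=v2.2` names a tag rather than a commit, so `git checkout ${IUCODE_COMMIT}` builds whatever the remote tag points to at build time, and the tool that later parses the downloaded microcode is not pinned to reviewed source. I would set it to the full commit hash behind the tag, e.g. `ENV IUCODE_COMMIT=<full-commit-sha-of-v2.2>` (placeholder), and keep the tag name in a comment. The header comment says a dummy file is created on non-x86_64, but the step runs `mkdir /iucode_tool` and leaves an empty directory whose contents the later `COPY --from=mirror /iucode_tool /usr/bin/` copies; suggested wording: `# On non-x86_64 /iucode_tool stays an empty directory so the COPY below still succeeds.` The test `[ $(uname -m) = "x86_64" ]` also leaves the substitution unquoted; `[ "$(uname -m)" = "x86_64" ]` is safer.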
diff --git a/tools/alpine/versions.aarch64 b/tools/alpine/versions.aarch64 index ec81b02e0..4a706f29c 100644 --- a/tools/alpine/versions.aarch64 +++ b/tools/alpine/versions.aarch64 @@ -1,4 +1,4 @@ -# linuxkit/alpine:7dedd0ef748530ece641d931b6f77aa2992d90e5-arm64 +# linuxkit/alpine:5b74d32d7b79489e3b1ea483484e7df1a2fbe759-arm64 # automatically generated list of installed packages abuild-3.1.0-r3 alpine-baselayout-3.0.5-r2 diff --git a/tools/alpine/versions.x86_64 b/tools/alpine/versions.x86_64 index 465a587a1..afeb08a26 100644 --- a/tools/alpine/versions.x86_64 +++ b/tools/alpine/versions.x86_64 @@ -1,4 +1,4 @@ -# linuxkit/alpine:99dec12a5e8524b7a262c6bdfcea733191354883-amd64 +# linuxkit/alpine:34518265c6cb63ff02074549cc5b64bef40c336f-amd64 # automatically generated list of installed packages abuild-3.1.0-r3 alpine-baselayout-3.0.5-r2