diff --git a/projects/wireguard/kernel/Dockerfile b/projects/wireguard/kernel/Dockerfile
index 3fad08f84..40c36ca8b 100644
--- a/projects/wireguard/kernel/Dockerfile
+++ b/projects/wireguard/kernel/Dockerfile
@@ -1,7 +1,8 @@
-FROM linuxkit/alpine-build-kernel:cfdd576c36a52ed2dd62f237f79eeedc2dd3697b@sha256:3fe08db373a9373ba1616a485858f01ebd2d7a3cb364a099d0ed8b45fa419da2
+FROM linuxkit/kernel-compile:1b396c221af673757703258159ddc8539843b02b@sha256:6b32d205bfc6407568324337b707d195d027328dbfec554428ea93e7b0a8299b AS kernel-build
 ARG KERNEL_VERSION
-ARG DEBUG=0
+ARG KERNEL_SERIES
+ARG DEBUG
 ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
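Review bot: `ARG DEBUG` now has no default, and with the `[ -n "${DEBUG}" ]` test later in this Dockerfile any non-empty value — including the `0` that the old `ARG DEBUG=0` / `-ne "0"` pair treated as "off" — now selects the debug configuration (drops `CONFIG_PANIC_ON_OOPS`, appends `kernel_config.debug`). That is a silent behaviour change for anyone still invoking the build with `--build-arg DEBUG=0`, so document the contract on the declaration: `# DEBUG: any non-empty value (the Makefile passes "_dbg") builds a debug kernel; leave unset for production. DEBUG=0 is NOT "off".`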
@@ -9,45 +10,64 @@ RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}
 RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ && mv /linux-${KERNEL_VERSION} /linux
-COPY kernel_config /linux/arch/x86/configs/x86_64_defconfig
+COPY kernel_config-${KERNEL_SERIES} /linux/arch/x86/configs/x86_64_defconfig
 COPY kernel_config.debug /linux/debug_config
-RUN if [ $DEBUG -ne "0" ]; then \
+RUN if [ -n "${DEBUG}" ]; then \
     sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \
     cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \
     fi
 # Apply local patches
-COPY patches-4.9 /patches
-RUN cd /linux && \
-    set -e && for patch in /patches/*.patch; do \
+COPY patches-${KERNEL_SERIES} /patches
+WORKDIR /linux
+RUN set -e && for patch in /patches/*.patch; do \
     echo "Applying $patch"; \
     patch -p1 < "$patch"; \
     done
-RUN cd /linux && \
-    make defconfig && \
+RUN mkdir /out
+
+# Kernel
+RUN make defconfig && \
     make oldconfig && \
-    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie"
-RUN cd /linux && \
-    make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
+    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
+    cp arch/x86_64/boot/bzImage /out/kernel && \
+    cp System.map /out && \
+    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
+
+# Modules
+RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
     ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
       cd /tmp/kernel-modules/lib/modules/$DVER && \
       rm build source && \
       ln -s /usr/src/linux-headers-$DVER build ) && \
-    mkdir -p /tmp/kernel-headers/usr && \
-    make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
-    ( cd /tmp/kernel-headers && tar cf /kernel-headers.tar usr ) && \
-    ( cd /tmp/kernel-modules && tar cf /kernel-modules.tar lib ) && \
-    cp vmlinux arch/x86_64/boot/bzImage /
+    ( cd /tmp/kernel-modules && tar cf /out/kernel.tar lib )
+# Headers (userspace API)
+RUN mkdir -p /tmp/kernel-headers/usr && \
+    make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
+    ( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr )
+
+# Headers (kernel development)
 RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
     dir=/tmp/usr/src/linux-headers-$DVER && \
     mkdir -p $dir && \
     cp /linux/.config $dir && \
-    cd /linux && \
-    cp -a include "$dir" && \
-    mkdir -p "$dir"/arch/x86 && cp -a arch/x86/include "$dir"/arch/x86/ && \
-    ( cd /tmp && tar cf /kernel-dev.tar usr/src )
+    cp /linux/Module.symvers $dir && \
+    find . -path './include/*' -prune -o \
+           -path './arch/*/include' -prune -o \
+           -path './scripts/*' -prune -o \
+           -type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
+                      -name '*.lds' -o -name '*.pl' -o -name '*.sh' \) | \
+    tar cf - -T - | (cd $dir; tar xf -) && \
+    ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
-RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /kernel-source-info
+RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
+
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=kernel-build /out/* /
diff --git a/projects/wireguard/kernel/Makefile b/projects/wireguard/kernel/Makefile
index 9799d5d53..c313b40e1 100644
--- a/projects/wireguard/kernel/Makefile
+++ b/projects/wireguard/kernel/Makefile
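Review bot: The `kernel-source-info` file that is now copied into the final `FROM scratch` image records only `KERNEL_SOURCE`, i.e. the download URL, so a consumer of the image cannot tell which tarball bytes the kernel was built from, and nothing visible in this hunk checks the kernel.org archive beyond `curl -fsSL`. Record the digest next to the URL, e.g. `RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\nKERNEL_SHA256=$(sha256sum /linux-${KERNEL_VERSION}.tar.xz | cut -d' ' -f1)\n" > /out/kernel-source-info` — this presumes the archive fetched by the earlier `curl -o` is still sitting in `/` after `WORKDIR /linux`, please confirm — and ideally compare it against a pinned `--build-arg` or the upstream `.sign` file before extracting. Separately, `([ -n "${DEBUG}" ] && cp vmlinux /out || true)` hides a failed `cp` on debug builds because the `|| true` covers the whole `&&` chain; `if [ -n "${DEBUG}" ]; then cp vmlinux /out; fi` keeps that failure fatal while still skipping the copy for non-debug builds.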
@@ -1,70 +1,66 @@
-DEBUG ?= 0
-
-all: bzImage push
-
-# We push the image to hub twice, once with the full kernel version of
-# "mobylinux/kernel:..-",
-# where "" is a monotonically increasing config number, and as
-# "mobylinux/kernel:..x". This version
-# number is stored in IMAGE_VERSION.
+# This builds the supported LinuxKit kernels. Kernels are wrapped up
+# in a minimal toybox container, which contains the bzImage, a tar
+# ball with modules and the kernel source.
 #
-# We expect most users to us the "..x"
-# variant as this simply is the latest version of a given major kernel
-# version. This version number is stored in IMAGE_MAJOR_VERSION.
+# Each kernel is pushed to hub twice, once as
+# linuxkit/kernel:..- and once as
+# inuxkit/kernel:..x. The is the git tree hash
+# of the current directory. The build will only rebuild the kernel
+# image if the git tree hash changed.
+
+# Git tree hash of this directory. Override to force build
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
+# Name and Org on Hub
+ORG?=linuxkit
+IMAGE:=kernel-wireguard
+
+.PHONY: check tag push sign
+# Targets:
+# build: builds all kernels
+# push: pushes all tagged kernel images to hub
+# sign: sign and push all kernel images to hub
+build:
+push:
+sign:
+
+# A template for defining kernel build
+# Arguments:
+# $1: Full kernel version, e.g., 4.9.22
+# $2: Kernel "series", e.g., 4.9.x
+# $3: Build a debug kernel (used as suffix for image)
+# This defines targets like:
+# build_4.9.x, push_4.9.x and sign_4.9.x and adds them as dependencies
+# to the global targets
+# Set $3 to "_dbg", to build debug kernels. This defines targets like
+# build_4.9.x_dbg and adds "_dbg" to the hub image name.
+define kernel
+build_$(2)$(3): Dockerfile Makefile $(wildcard patches-$(2)/*) kernel_config-$(2) kernel_config.debug
+	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
+	docker build \
+		--build-arg KERNEL_VERSION=$(1) \
+		--build-arg KERNEL_SERIES=$(2) \
+		--build-arg DEBUG=$(3) \
+		--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) .
+
+push_$(2)$(3): build_$(2)$(3)
+	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
+	(docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
+	 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
+	 docker push $(ORG)/$(IMAGE):$(2)$(3))
+
+sign_$(2)$(3): build_$(2)$(3)
+	DOCKER_CONTENT_TRUST=1 docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
+	(DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
+	 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
+	 DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(2)$(3))
+
+build: build_$(2)$(3)
+push: push_$(2)$(3)
+sign: sign_$(2)$(3)
+endef
+
 #
-# For IMAGE_VERSION, the "" must be increased whenever
-# the kernel config or the patches change. We don't expect this to
-# happen very often as the minor version number gets update quite
-# frequently.
+# Build Targets
+# Debug targets only for latest stable and LTS stable
 #
-# IMAGE_VERSION is used to determine if a new image should be pushed to hub.
-KERNEL_VERSION=4.9.15
-IMAGE_VERSION=$(KERNEL_VERSION)-1
-IMAGE_MAJOR_VERSION=4.9.x
-DEPS=Dockerfile Makefile kernel_config kernel_config.debug patches-4.9
-
-kernel.tag: $(DEPS)
-	BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
-
-bzImage: kernel.tag
-	rm -rf etc/kernel-patches
-	mkdir -p x86_64 etc lib usr sbin etc/kernel-patches
-	docker run --rm --net=none --log-driver=none $(shell cat kernel.tag) tar cf - bzImage kernel-dev.tar kernel-headers.tar vmlinux kernel-modules.tar | tar xf - -C x86_64
-	cp x86_64/kernel-modules.tar kernel.tar
-	cp x86_64/bzImage $@
-
-.PHONY: image push tag
-
-MEDIA_TOYBOX=linuxkit/toybox-media:d7e82a7d19ccc84c9071fa7a88ecaa58ae958f7c@sha256:4c7d25f2be2429cd08417c36e04161cb924e46f3e419ee33a0aa9ff3a0942e02
-
-BASE="$MEDIA_TOYBOX"
-IMAGE=kernel-wireguard
-
-default: push
-
-Dockerfile.media:
-	printf "FROM $(MEDIA_TOYBOX)\nADD . /\n" > $@
-
-image: Dockerfile.media bzImage kernel.tar $(DEPS)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -f Dockerfile.media -
-
-push: image
-	docker pull mobylinux/$(IMAGE):$(IMAGE_VERSION) || \
-	(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
-	 docker push mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
-	 docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION) && \
-	 docker push mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: image
-	(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
-	 docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-.PHONY: clean
-clean:
-	rm -rf x86_64 lib usr sbin kernel.tag Dockerfile.media bzImage kernel.tar
-
-.DELETE_ON_ERROR:
+$(eval $(call kernel,4.9.15,4.9.x))
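Review bot: `HASH` comes from `git ls-tree HEAD`, i.e. the committed tree, so uncommitted edits to `kernel_config-4.9.x` or `patches-4.9.x/` leave the tag unchanged and the `docker pull … ||` short-circuit in `build_$(2)$(3)` will quietly substitute whatever Hub holds under that tag for the kernel a developer believes they just built; that pull, and the one in `push_`, also run without `DOCKER_CONTENT_TRUST`, so only `sign_` verifies what it accepts. At least say so next to the variable, `# NOTE: HASH is taken from HEAD, not the working tree - commit config/patch changes (or pass HASH=...) before trusting a build`, and consider refusing to build when `git status --porcelain -- .` is non-empty. `.PHONY: check tag push sign` names two targets that no longer exist and omits `build` and the generated per-series targets; `.PHONY: build push sign` at the top plus `.PHONY: build_$(2)$(3) push_$(2)$(3) sign_$(2)$(3)` inside the template would stop a stray file called `build` from silencing `make build`. The header comment still describes kernels as wrapped in a toybox container and spells the second image `inuxkit/kernel`, while the Dockerfile in this commit now ships `FROM scratch`.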
diff --git a/projects/wireguard/kernel/kernel_config b/projects/wireguard/kernel/kernel_config-4.9.x
similarity index 100%
rename from projects/wireguard/kernel/kernel_config
rename to projects/wireguard/kernel/kernel_config-4.9.x
diff --git a/projects/wireguard/kernel/patches-4.9/WireGuard.patch b/projects/wireguard/kernel/patches-4.9.x/WireGuard.patch
similarity index 100%
rename from projects/wireguard/kernel/patches-4.9/WireGuard.patch
rename to projects/wireguard/kernel/patches-4.9.x/WireGuard.patch
diff --git a/projects/wireguard/wireguard.yml b/projects/wireguard/wireguard.yml
index 70e40a33f..a814aeae5 100644
--- a/projects/wireguard/wireguard.yml
+++ b/projects/wireguard/wireguard.yml
@@ -1,5 +1,5 @@
 kernel:
-  image: "mobylinux/kernel-wireguard:4.9.x"
+  image: "linuxkit/kernel-wireguard:4.9.15-2ca28b7589b673373a33274023ca870a3a77e081"
   cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
   - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e
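Review bot: The new `image:` value pins the boot kernel to the tag `4.9.15-<git tree hash>`, which is still a mutable registry tag rather than a content address — the kernel Dockerfile in this same commit pins its `FROM` with `@sha256:…`, and the kernel the VM boots deserves the same. Once the image is pushed, append its manifest digest, `image: "linuxkit/kernel-wireguard:4.9.15-2ca28b7589b673373a33274023ca870a3a77e081@sha256:<digest>"` (presuming the consuming tool accepts digest references — confirm), or at least add a comment above the line noting that the hex in the tag is a git tree hash of the kernel directory, not an image digest.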