From a53e251908ef24e1557c51632ad282ba4b2c9d6d Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Fri, 26 May 2017 15:25:49 -0600 Subject: [PATCH] wireguard: update kernel build We were pointing to the old mobylinux docker hub repo. Let's update the kernel build to be the new style one. Note that I didn't bump the kernel version or update the patches at all. We should do this soon, but for the purposes of our probational channel PoC, I'm leaving wireguard at the old version for now. Signed-off-by: Tycho Andersen --- projects/wireguard/kernel/Dockerfile | 64 ++++++--- projects/wireguard/kernel/Makefile | 130 +++++++++--------- .../{kernel_config => kernel_config-4.9.x} | 0 .../WireGuard.patch | 0 projects/wireguard/wireguard.yml | 2 +- 5 files changed, 106 insertions(+), 90 deletions(-) rename projects/wireguard/kernel/{kernel_config => kernel_config-4.9.x} (100%) rename projects/wireguard/kernel/{patches-4.9 => patches-4.9.x}/WireGuard.patch (100%) diff --git a/projects/wireguard/kernel/Dockerfile b/projects/wireguard/kernel/Dockerfile index 3fad08f84..40c36ca8b 100644 --- a/projects/wireguard/kernel/Dockerfile +++ b/projects/wireguard/kernel/Dockerfile @@ -1,7 +1,8 @@ -FROM linuxkit/alpine-build-kernel:cfdd576c36a52ed2dd62f237f79eeedc2dd3697b@sha256:3fe08db373a9373ba1616a485858f01ebd2d7a3cb364a099d0ed8b45fa419da2 +FROM linuxkit/kernel-compile:1b396c221af673757703258159ddc8539843b02b@sha256:6b32d205bfc6407568324337b707d195d027328dbfec554428ea93e7b0a8299b AS kernel-build ARG KERNEL_VERSION -ARG DEBUG=0 +ARG KERNEL_SERIES +ARG DEBUG ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz 
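Review bot: The builder image is now pinned by digest, but `KERNEL_SOURCE` on the last line of the hunk remains an unverified input: the tarball fetched from it (in the next hunk) is protected only by TLS, with no pinned checksum or kernel.org PGP signature check, so it is the one remaining unpinned ingredient of an image that `sign_*` later publishes under Docker Content Trust. Consider adding `ARG KERNEL_SHA256` next to `ARG KERNEL_SERIES` and, after the curl, `echo "${KERNEL_SHA256}  linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c -`, with the expected digest passed from the Makefile alongside KERNEL_VERSION (assuming the kernel-compile image ships a `sha256sum`). `ARG DEBUG` without a default works with the `-n` test below, but the contract deserves a line such as `# DEBUG: any non-empty value (the Makefile passes "_dbg") switches in kernel_config.debug`.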
@@ -9,45 +10,64 @@ RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE} RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ && mv /linux-${KERNEL_VERSION} /linux -COPY kernel_config /linux/arch/x86/configs/x86_64_defconfig +COPY kernel_config-${KERNEL_SERIES} /linux/arch/x86/configs/x86_64_defconfig COPY kernel_config.debug /linux/debug_config -RUN if [ $DEBUG -ne "0" ]; then \ +RUN if [ -n "${DEBUG}" ]; then \ sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \ cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \ fi # Apply local patches -COPY patches-4.9 /patches -RUN cd /linux && \ - set -e && for patch in /patches/*.patch; do \ +COPY patches-${KERNEL_SERIES} /patches +WORKDIR /linux +RUN set -e && for patch in /patches/*.patch; do \ echo "Applying $patch"; \ patch -p1 < "$patch"; \ done -RUN cd /linux && \ - make defconfig && \ +RUN mkdir /out + +# Kernel +RUN make defconfig && \ make oldconfig && \ - make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" -RUN cd /linux && \ - make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \ + make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \ + cp arch/x86_64/boot/bzImage /out/kernel && \ + cp System.map /out && \ + ([ -n "${DEBUG}" ] && cp vmlinux /out || true) + +# Modules +RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \ ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \ cd /tmp/kernel-modules/lib/modules/$DVER && \ rm build source && \ ln -s /usr/src/linux-headers-$DVER build ) && \ - mkdir -p /tmp/kernel-headers/usr && \ - make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \ - ( cd /tmp/kernel-headers && tar cf /kernel-headers.tar usr ) && \ - ( cd /tmp/kernel-modules && tar cf /kernel-modules.tar lib ) && \ - cp vmlinux arch/x86_64/boot/bzImage / + ( cd /tmp/kernel-modules && tar cf /out/kernel.tar lib ) +# Headers 
(userspace API) +RUN mkdir -p /tmp/kernel-headers/usr && \ + make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \ + ( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr ) + +# Headers (kernel development) RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \ dir=/tmp/usr/src/linux-headers-$DVER && \ mkdir -p $dir && \ cp /linux/.config $dir && \ - cd /linux && \ - cp -a include "$dir" && \ - mkdir -p "$dir"/arch/x86 && cp -a arch/x86/include "$dir"/arch/x86/ && \ - ( cd /tmp && tar cf /kernel-dev.tar usr/src ) + cp /linux/Module.symvers $dir && \ + find . -path './include/*' -prune -o \ + -path './arch/*/include' -prune -o \ + -path './scripts/*' -prune -o \ + -type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \ + -name '*.lds' -o -name '*.pl' -o -name '*.sh' \) | \ + tar cf - -T - | (cd $dir; tar xf -) && \ + ( cd /tmp && tar cf /out/kernel-dev.tar usr/src ) -RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /kernel-source-info +RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info + + +FROM scratch +ENTRYPOINT [] +CMD [] +WORKDIR / +COPY --from=kernel-build /out/* / diff --git a/projects/wireguard/kernel/Makefile b/projects/wireguard/kernel/Makefile index 9799d5d53..c313b40e1 100644 --- a/projects/wireguard/kernel/Makefile +++ b/projects/wireguard/kernel/Makefile 
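Review bot: `([ -n "${DEBUG}" ] && cp vmlinux /out || true)` at the end of the kernel RUN step swallows a failed `cp` in debug builds, so a `_dbg` image can be produced and pushed without its vmlinux while the step reports success; the `if` form has no such hole: `if [ -n "${DEBUG}" ]; then cp vmlinux /out; fi`. The kernel-development headers step has a similar gap: `find … | tar cf - -T - | (cd $dir; tar xf -)` only reports the exit status of the final `tar`, and a failing `cd $dir` would extract into /linux instead, so `(cd $dir && tar xf -)` plus `set -o pipefail` (if the image's /bin/sh supports it) would make that step fail loudly. Unchanged by this commit but worth a comment: `tar --absolute-names` on the downloaded tarball disables tar's path sanitisation, which is only acceptable because the archive is a kernel.org release, e.g. `# --absolute-names: trusts the kernel.org tarball; do not reuse for untrusted archives`.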
@@ -1,70 +1,66 @@ -DEBUG ?= 0 - -all: bzImage push - -# We push the image to hub twice, once with the full kernel version of -# "mobylinux/kernel:..-", -# where "" is a monotonically increasing config number, and as -# "mobylinux/kernel:..x". This version -# number is stored in IMAGE_VERSION. +# This builds the supported LinuxKit kernels. Kernels are wrapped up +# in a minimal toybox container, which contains the bzImage, a tar +# ball with modules and the kernel source. # -# We expect most users to us the "..x" -# variant as this simply is the latest version of a given major kernel -# version. This version number is stored in IMAGE_MAJOR_VERSION. +# Each kernel is pushed to hub twice, once as +# linuxkit/kernel:..- and once as +# inuxkit/kernel:..x. The is the git tree hash +# of the current directory. The build will only rebuild the kernel +# image if the git tree hash changed. + +# Git tree hash of this directory. Override to force build +HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}') +# Name and Org on Hub +ORG?=linuxkit +IMAGE:=kernel-wireguard + +.PHONY: check tag push sign +# Targets: +# build: builds all kernels +# push: pushes all tagged kernel images to hub +# sign: sign and push all kernel images to hub +build: +push: +sign: + +# A template for defining kernel build +# Arguments: +# $1: Full kernel version, e.g., 4.9.22 +# $2: Kernel "series", e.g., 4.9.x +# $3: Build a debug kernel (used as suffix for image) +# This defines targets like: +# build_4.9.x, push_4.9.x and sign_4.9.x and adds them as dependencies +# to the global targets +# Set $3 to "_dbg", to build debug kernels. This defines targets like +# build_4.9.x_dbg and adds "_dbg" to the hub image name. 
+define kernel +build_$(2)$(3): Dockerfile Makefile $(wildcard patches-$(2)/*) kernel_config-$(2) kernel_config.debug + docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \ + docker build \ + --build-arg KERNEL_VERSION=$(1) \ + --build-arg KERNEL_SERIES=$(2) \ + --build-arg DEBUG=$(3) \ + --no-cache -t $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) . + +push_$(2)$(3): build_$(2)$(3) + docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \ + (docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \ + docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \ + docker push $(ORG)/$(IMAGE):$(2)$(3)) + +sign_$(2)$(3): build_$(2)$(3) + DOCKER_CONTENT_TRUST=1 docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \ + (DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \ + docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \ + DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(2)$(3)) + +build: build_$(2)$(3) +push: push_$(2)$(3) +sign: sign_$(2)$(3) +endef + # -# For IMAGE_VERSION, the "" must be increased whenever -# the kernel config or the patches change. We don't expect this to -# happen very often as the minor version number gets update quite -# frequently. +# Build Targets +# Debug targets only for latest stable and LTS stable # -# IMAGE_VERSION is used to determine if a new image should be pushed to hub. 
-KERNEL_VERSION=4.9.15 -IMAGE_VERSION=$(KERNEL_VERSION)-1 -IMAGE_MAJOR_VERSION=4.9.x -DEPS=Dockerfile Makefile kernel_config kernel_config.debug patches-4.9 - -kernel.tag: $(DEPS) - BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@ - -bzImage: kernel.tag - rm -rf etc/kernel-patches - mkdir -p x86_64 etc lib usr sbin etc/kernel-patches - docker run --rm --net=none --log-driver=none $(shell cat kernel.tag) tar cf - bzImage kernel-dev.tar kernel-headers.tar vmlinux kernel-modules.tar | tar xf - -C x86_64 - cp x86_64/kernel-modules.tar kernel.tar - cp x86_64/bzImage $@ - -.PHONY: image push tag - -MEDIA_TOYBOX=linuxkit/toybox-media:d7e82a7d19ccc84c9071fa7a88ecaa58ae958f7c@sha256:4c7d25f2be2429cd08417c36e04161cb924e46f3e419ee33a0aa9ff3a0942e02 - -BASE="$MEDIA_TOYBOX" -IMAGE=kernel-wireguard - -default: push - -Dockerfile.media: - printf "FROM $(MEDIA_TOYBOX)\nADD . /\n" > $@ - -image: Dockerfile.media bzImage kernel.tar $(DEPS) - tar cf - $^ | docker build --no-cache -t $(IMAGE):build -f Dockerfile.media - - -push: image - docker pull mobylinux/$(IMAGE):$(IMAGE_VERSION) || \ - (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \ - docker push mobylinux/$(IMAGE):$(IMAGE_VERSION) && \ - docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION) && \ - docker push mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION)) - docker rmi $(IMAGE):build - rm -f hash - -tag: image - (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \ - docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION)) - docker rmi $(IMAGE):build - rm -f hash - -.PHONY: clean -clean: - rm -rf x86_64 lib usr sbin kernel.tag Dockerfile.media bzImage kernel.tar - -.DELETE_ON_ERROR: +$(eval $(call kernel,4.9.15,4.9.x)) 
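Review bot: `.PHONY: check tag push sign` declares two targets this Makefile no longer defines and omits `build`, so a file or directory named `build` in projects/wireguard/kernel would turn `make build` (and through it `push`/`sign`) into a silent no-op; it should read `.PHONY: build push sign`, and the template should add `.PHONY: build_$(2)$(3) push_$(2)$(3) sign_$(2)$(3)` so the generated targets are never mistaken for files. `HASH` is taken from `git ls-tree HEAD`, so uncommitted edits to Dockerfile, patches-4.9.x or kernel_config-4.9.x do not change the tag, and the `docker pull … ||` in `build_*` will short-circuit to whatever image the registry already holds under that tag instead of rebuilding; a guard such as `$(if $(shell git status --porcelain -- .),$(warning dirty tree: HASH does not reflect local changes))` would at least flag it. Note also that only the `sign_*` path pulls with `DOCKER_CONTENT_TRUST=1`, so `build_*` and `push_*` reuse a registry image without verifying it. Typo in the header comment: `inuxkit/kernel` should be `linuxkit/kernel`.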
diff --git a/projects/wireguard/kernel/kernel_config b/projects/wireguard/kernel/kernel_config-4.9.x similarity index 100% rename from projects/wireguard/kernel/kernel_config rename to projects/wireguard/kernel/kernel_config-4.9.x diff --git a/projects/wireguard/kernel/patches-4.9/WireGuard.patch b/projects/wireguard/kernel/patches-4.9.x/WireGuard.patch similarity index 100% rename from projects/wireguard/kernel/patches-4.9/WireGuard.patch rename to projects/wireguard/kernel/patches-4.9.x/WireGuard.patch diff --git a/projects/wireguard/wireguard.yml b/projects/wireguard/wireguard.yml index 70e40a33f..a814aeae5 100644 --- a/projects/wireguard/wireguard.yml +++ b/projects/wireguard/wireguard.yml @@ -1,5 +1,5 @@ kernel: - image: "mobylinux/kernel-wireguard:4.9.x" + image: "linuxkit/kernel-wireguard:4.9.15-2ca28b7589b673373a33274023ca870a3a77e081" cmdline: "console=ttyS0 console=tty0 page_poison=1" init: - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e