wireguard: update kernel build

We were pointing to the old mobylinux docker hub repo. Let's update the
kernel build to be the new style one.

Note that I didn't bump the kernel version or update the patches at all. We
should do this soon, but for the purposes of our probational channel PoC,
I'm leaving wireguard at the old version for now.

Signed-off-by: Tycho Andersen <tycho@docker.com>

projects/wireguard/kernel/Dockerfile

@@ -1,7 +1,8 @@
-FROM linuxkit/alpine-build-kernel:cfdd576c36a52ed2dd62f237f79eeedc2dd3697b@sha256:3fe08db373a9373ba1616a485858f01ebd2d7a3cb364a099d0ed8b45fa419da2
+FROM linuxkit/kernel-compile:1b396c221af673757703258159ddc8539843b02b@sha256:6b32d205bfc6407568324337b707d195d027328dbfec554428ea93e7b0a8299b AS kernel-build
 
 ARG KERNEL_VERSION
-ARG DEBUG=0
+ARG KERNEL_SERIES
+ARG DEBUG
 
 ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
 
@@ -9,45 +10,64 @@ RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}
 
 RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ &&  mv /linux-${KERNEL_VERSION} /linux
 
-COPY kernel_config /linux/arch/x86/configs/x86_64_defconfig
+COPY kernel_config-${KERNEL_SERIES} /linux/arch/x86/configs/x86_64_defconfig
 COPY kernel_config.debug /linux/debug_config
 
-RUN if [ $DEBUG -ne "0" ]; then \
+RUN if [ -n "${DEBUG}" ]; then \
     sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \
     cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \
     fi
 
 # Apply local patches
-COPY patches-4.9 /patches
+COPY patches-${KERNEL_SERIES} /patches
-RUN cd /linux && \
+WORKDIR /linux
-    set -e && for patch in /patches/*.patch; do \
+RUN set -e && for patch in /patches/*.patch; do \
         echo "Applying $patch"; \
         patch -p1 < "$patch"; \
     done
 
-RUN cd /linux && \
+RUN mkdir /out
-    make defconfig && \
+
+# Kernel
+RUN make defconfig && \
     make oldconfig && \
-    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie"
+    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
-RUN cd /linux && \
+    cp arch/x86_64/boot/bzImage /out/kernel && \
-    make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
+    cp System.map /out && \
+    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
+
+# Modules
+RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
     ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
       cd /tmp/kernel-modules/lib/modules/$DVER && \
       rm build source && \
       ln -s /usr/src/linux-headers-$DVER build ) && \
-    mkdir -p /tmp/kernel-headers/usr && \
+    ( cd /tmp/kernel-modules && tar cf /out/kernel.tar lib )
-    make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
-    ( cd /tmp/kernel-headers && tar cf /kernel-headers.tar usr ) && \
-    ( cd /tmp/kernel-modules && tar cf /kernel-modules.tar lib ) && \
-    cp vmlinux arch/x86_64/boot/bzImage /
 
+# Headers (userspace API)
+RUN mkdir -p /tmp/kernel-headers/usr && \
+    make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
+    ( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr )
+
+# Headers (kernel development)
 RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
     dir=/tmp/usr/src/linux-headers-$DVER && \
     mkdir -p $dir && \
     cp /linux/.config $dir && \
-    cd /linux && \
+    cp /linux/Module.symvers $dir && \
-    cp -a include "$dir" && \
+    find . -path './include/*' -prune -o \
-    mkdir -p "$dir"/arch/x86 && cp -a arch/x86/include "$dir"/arch/x86/ && \
+           -path './arch/*/include' -prune -o \
-    ( cd /tmp && tar cf /kernel-dev.tar usr/src )
+           -path './scripts/*' -prune -o \
+           -type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
+                      -name '*.lds' -o -name '*.pl' -o -name '*.sh' \) | \
+         tar cf - -T - | (cd $dir; tar xf -) && \
+    ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
 
-RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /kernel-source-info
+RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
+
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=kernel-build /out/* /

projects/wireguard/kernel/Makefile

@@ -1,70 +1,66 @@
-DEBUG ?= 0
+# This builds the supported LinuxKit kernels. Kernels are wrapped up
-
+# in a minimal toybox container, which contains the bzImage, a tar
-all:	bzImage push
+# ball with modules and the kernel source.
-
-# We push the image to hub twice, once with the full kernel version of
-# "mobylinux/kernel:<kernel version>.<major version>.<minor version>-<n>",
-# where "<n>" is a monotonically increasing config number, and as
-# "mobylinux/kernel:<kernel version>.<major version>.x". This version
-# number is stored in IMAGE_VERSION.
 #
-# We expect most users to us the "<kernel version>.<major version>.x"
+# Each kernel is pushed to hub twice, once as
-# variant as this simply is the latest version of a given major kernel
+# linuxkit/kernel:<kernel>.<major>.<minor>-<hash> and once as
-# version. This version number is stored in IMAGE_MAJOR_VERSION.
+# inuxkit/kernel:<kernel>.<major>.x. The <hash> is the git tree hash
+# of the current directory. The build will only rebuild the kernel
+# image if the git tree hash changed.
+
+# Git tree hash of this directory. Override to force build
+HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
+# Name and Org on Hub
+ORG?=linuxkit
+IMAGE:=kernel-wireguard
+
+.PHONY: check tag push sign
+# Targets:
+# build: builds all kernels
+# push:  pushes all tagged kernel images to hub
+# sign:  sign and push all kernel images to hub
+build:
+push:
+sign:
+
+# A template for defining kernel build
+# Arguments:
+# $1: Full kernel version, e.g., 4.9.22
+# $2: Kernel "series", e.g., 4.9.x
+# $3: Build a debug kernel (used as suffix for image)
+# This defines targets like:
+# build_4.9.x, push_4.9.x and sign_4.9.x and adds them as dependencies
+# to the global targets
+# Set $3 to "_dbg", to build debug kernels. This defines targets like
+# build_4.9.x_dbg and adds "_dbg" to the hub image name.
+define kernel
+build_$(2)$(3): Dockerfile Makefile $(wildcard patches-$(2)/*) kernel_config-$(2) kernel_config.debug
+	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
+		docker build \
+			--build-arg KERNEL_VERSION=$(1) \
+			--build-arg KERNEL_SERIES=$(2) \
+			--build-arg DEBUG=$(3) \
+			--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) .
+
+push_$(2)$(3): build_$(2)$(3)
+	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
+		(docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
+		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
+		 docker push $(ORG)/$(IMAGE):$(2)$(3))
+
+sign_$(2)$(3): build_$(2)$(3)
+	DOCKER_CONTENT_TRUST=1 docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
+		(DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
+		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
+		 DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(2)$(3))
+
+build: build_$(2)$(3)
+push: push_$(2)$(3)
+sign: sign_$(2)$(3)
+endef
+
 #
-# For IMAGE_VERSION, the "<n>" must be increased whenever
+# Build Targets
-# the kernel config or the patches change. We don't expect this to
+# Debug targets only for latest stable and LTS stable
-# happen very often as the minor version number gets update quite
-# frequently.
 #
-# IMAGE_VERSION is used to determine if a new image should be pushed to hub.
+$(eval $(call kernel,4.9.15,4.9.x))
-KERNEL_VERSION=4.9.15
-IMAGE_VERSION=$(KERNEL_VERSION)-1
-IMAGE_MAJOR_VERSION=4.9.x
-DEPS=Dockerfile Makefile kernel_config kernel_config.debug patches-4.9
-
-kernel.tag: $(DEPS)
-	BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
-
-bzImage: kernel.tag
-	rm -rf etc/kernel-patches
-	mkdir -p x86_64 etc lib usr sbin etc/kernel-patches
-	docker run --rm --net=none --log-driver=none $(shell cat kernel.tag) tar cf - bzImage kernel-dev.tar kernel-headers.tar vmlinux kernel-modules.tar | tar xf - -C x86_64
-	cp x86_64/kernel-modules.tar kernel.tar
-	cp x86_64/bzImage $@
-
-.PHONY: image push tag
-
-MEDIA_TOYBOX=linuxkit/toybox-media:d7e82a7d19ccc84c9071fa7a88ecaa58ae958f7c@sha256:4c7d25f2be2429cd08417c36e04161cb924e46f3e419ee33a0aa9ff3a0942e02
-
-BASE="$MEDIA_TOYBOX"
-IMAGE=kernel-wireguard
-
-default: push
-
-Dockerfile.media:
-	printf "FROM $(MEDIA_TOYBOX)\nADD . /\n" > $@
-
-image: Dockerfile.media bzImage kernel.tar $(DEPS)
-	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -f Dockerfile.media -
-
-push: image
-	docker pull mobylinux/$(IMAGE):$(IMAGE_VERSION) || \
-		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
-		 docker push mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
-		 docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION) && \
-		 docker push mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-tag: image
-	(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
-	docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION))
-	docker rmi $(IMAGE):build
-	rm -f hash
-
-.PHONY: clean
-clean:
-	rm -rf x86_64 lib usr sbin kernel.tag Dockerfile.media bzImage kernel.tar
-
-.DELETE_ON_ERROR:

projects/wireguard/wireguard.yml

@@ -1,5 +1,5 @@
 kernel:
-  image: "mobylinux/kernel-wireguard:4.9.x"
+  image: "linuxkit/kernel-wireguard:4.9.15-2ca28b7589b673373a33274023ca870a3a77e081"
   cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
   - linuxkit/init:cbd7ae748f0a082516501a3e914fa0c924ee941e