diff --git a/projects/landlock/kernel-landlock/.gitignore b/projects/landlock/kernel-landlock/.gitignore
new file mode 100644
index 000000000..6405fb210
--- /dev/null
+++ b/projects/landlock/kernel-landlock/.gitignore
@@ -0,0 +1,6 @@
+x86_64/
+etc/
+lib/
+usr/
+sbin/
+bzImage
diff --git a/projects/landlock/kernel-landlock/Dockerfile b/projects/landlock/kernel-landlock/Dockerfile
new file mode 100644
index 000000000..3372f38e6
--- /dev/null
+++ b/projects/landlock/kernel-landlock/Dockerfile
@@ -0,0 +1,53 @@
+FROM mobylinux/alpine-build-kernel:0e893fbf6fa7638d2f23354de03ea11017bb8065@sha256:3ef3f9d11f0802b759dbd9c43a7706cf0ec37263c99ae90e2b10c29ea85739fa
+
+ARG KERNEL_VERSION
+ARG DEBUG=0
+
+ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
+
+RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}
+
+RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ && mv /linux-${KERNEL_VERSION} /linux
+
+COPY kernel_config /linux/arch/x86/configs/x86_64_defconfig
+COPY kernel_config.debug /linux/debug_config
+
+RUN if [ $DEBUG -ne "0" ]; then \
+ sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \
+ cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \
+ fi
+
+# Apply local patches
+COPY patches-4.9 /patches
+RUN cd /linux && \
+ set -e && for patch in /patches/*.patch; do \
+ echo "Applying $patch"; \
+ patch -p1 < "$patch"; \
+ done
+
+RUN cd /linux && \
+ make defconfig && \
+ make oldconfig && \
+ make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie"
+RUN cd /linux && \
+ make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
+ ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
+ cd /tmp/kernel-modules/lib/modules/$DVER && \
+ rm build source && \
+ ln -s /usr/src/linux-headers-$DVER build ) && \
+ mkdir -p /tmp/kernel-headers/usr && \
+ make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
+ ( cd /tmp/kernel-headers && tar cf /kernel-headers.tar usr ) && \
+ ( cd /tmp/kernel-modules && tar cf /kernel-modules.tar lib ) && \
+ cp vmlinux arch/x86_64/boot/bzImage /
+
+RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
+ dir=/tmp/usr/src/linux-headers-$DVER && \
+ mkdir -p $dir && \
+ cp /linux/.config $dir && \
+ cd /linux && \
+ cp -a include "$dir" && \
+ mkdir -p "$dir"/arch/x86 && cp -a arch/x86/include "$dir"/arch/x86/ && \
+ ( cd /tmp && tar cf /kernel-dev.tar usr/src )
+
+RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /kernel-source-info
diff --git a/projects/landlock/kernel-landlock/Makefile b/projects/landlock/kernel-landlock/Makefile
new file mode 100644
index 000000000..beab3a898
--- /dev/null
+++ b/projects/landlock/kernel-landlock/Makefile
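Review bot: The kernel tarball fetched by `curl -fsSL` on the `RUN curl` line is never checked against a pinned hash or the kernel.org `.tar.sign` signature, so build integrity rests entirely on TLS to kernel.org. The archive is then unpacked with `tar --absolute-names`, which lets a hostile archive write outside the extraction directory, so an unverified download is exactly the case where that flag should not be on. Pin the expected digest the way the base image is pinned by `@sha256:` above: add `ARG KERNEL_SHA256` next to `ARG KERNEL_VERSION` and, before extraction, `RUN echo "${KERNEL_SHA256}  linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c -` (busybox provides `sha256sum`), with the Makefile's `kernel.tag` recipe passing `--build-arg KERNEL_SHA256=<expected digest>`. Dropping `--absolute-names` and the `cat … |` is also worth doing, since `tar -xJf linux-${KERNEL_VERSION}.tar.xz` is enough for a kernel.org tarball, whose member names are relative.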
@@ -0,0 +1,70 @@
+DEBUG ?= 0
+
+all: bzImage push
+
+# We push the image to hub twice, once with the full kernel version of
+# "mobylinux/kernel:..-",
+# where "" is a monotonically increasing config number, and as
+# "mobylinux/kernel:..x". This version
+# number is stored in IMAGE_VERSION.
+#
+# We expect most users to us the "..x"
+# variant as this simply is the latest version of a given major kernel
+# version. This version number is stored in IMAGE_MAJOR_VERSION.
+#
+# For IMAGE_VERSION, the "" must be increased whenever
+# the kernel config or the patches change. We don't expect this to
+# happen very often as the minor version number gets update quite
+# frequently.
+#
+# IMAGE_VERSION is used to determine if a new image should be pushed to hub.
+KERNEL_VERSION=4.9.20
+IMAGE_VERSION=$(KERNEL_VERSION)-1
+IMAGE_MAJOR_VERSION=4.9.x
+DEPS=Dockerfile Makefile kernel_config kernel_config.debug patches-4.9
+
+kernel.tag: $(DEPS)
+ BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
+
+bzImage: kernel.tag
+ rm -rf etc/kernel-patches
+ mkdir -p x86_64 etc lib usr sbin etc/kernel-patches
+ docker run --rm --net=none --log-driver=none $(shell cat kernel.tag) tar cf - bzImage kernel-dev.tar kernel-headers.tar vmlinux kernel-modules.tar | tar xf - -C x86_64
+ cp x86_64/kernel-modules.tar kernel.tar
+ cp x86_64/bzImage $@
+
+.PHONY: image push tag
+
+MEDIA_TOYBOX=mobylinux/toybox-media:0a26fe5f574e444849983f9c4148ef74b3804d55@sha256:5ac38f77b66deb194c9016591b9b096e81fcdc9f7c3e6d01566294a6b4b4ebd2
+
+BASE="$MEDIA_TOYBOX"
+IMAGE=kernel-landlock
+
+default: push
+
+Dockerfile.media:
+ printf "FROM $(MEDIA_TOYBOX)\nADD . /\n" > $@
+
+image: Dockerfile.media bzImage kernel.tar $(DEPS)
+ tar cf - $^ | docker build --no-cache -t $(IMAGE):build -f Dockerfile.media -
+
+push: image
+ docker pull mobylinux/$(IMAGE):$(IMAGE_VERSION) || \
+ (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
+ docker push mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
+ docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION) && \
+ docker push mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION))
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+tag: image
+ (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
+ docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION))
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+.PHONY: clean
+clean:
+ rm -rf x86_64 lib usr sbin kernel.tag Dockerfile.media bzImage kernel.tar
+
+.DELETE_ON_ERROR:
diff --git a/projects/landlock/landlock.yml b/projects/landlock/landlock.yml
new file mode 100644
index 000000000..9beb544c6
--- /dev/null
+++ b/projects/landlock/landlock.yml
@@ -0,0 +1,31 @@
+kernel:
+ image: "mobylinux/kernel-landlock:4.9.x"
+ cmdline: "console=ttyS0 page_poison=1"
+init:
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
+ - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
+ - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
+ - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
+onboot:
+ - name: sysctl
+ image: "mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
+ net: host
+ pid: host
+ ipc: host
+ capabilities:
+ - CAP_SYS_ADMIN
+ readonly: true
+services:
+ - name: rngd
+ image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92"
+ capabilities:
+ - CAP_SYS_ADMIN
+ oomScoreAdj: -800
+ readonly: true
+files:
+ - path: etc/docker/daemon.json
+ contents: '{"debug": true}'
+outputs:
+ - format: kernel+initrd
+ - format: iso-bios
+ - format: iso-efi
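Review bot: `BASE="$MEDIA_TOYBOX"` does not reference `MEDIA_TOYBOX` at all: in a Makefile `$M` is the (empty) variable `M`, so `BASE` expands to the literal `"EDIA_TOYBOX"`; write `BASE=$(MEDIA_TOYBOX)`, or drop the line, since nothing in this file reads `BASE` and the `Dockerfile.media` recipe already uses `$(MEDIA_TOYBOX)` directly. `all` and `default` are command targets like `image`, `push` and `tag` but are missing from `.PHONY`, so a stray file named `all` would turn the default goal into a no-op; `.PHONY: all default image push tag`. Both `push` and `tag` end with `rm -f hash`, but no recipe in this file creates `hash`, so that line looks like a leftover that can go.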
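Review bot: `image: "mobylinux/kernel-landlock:4.9.x"` boots the kernel from a floating tag, while every other image in this file is pinned to a commit hash and `rngd` additionally to an `@sha256:` digest; the Makefile in this commit re-tags and re-pushes `4.9.x` on every `push`, so what this config boots changes silently whenever the kernel image is rebuilt. Pin to the immutable tag the Makefile also publishes, `image: "mobylinux/kernel-landlock:4.9.20-1"`, or better to a digest once one is known, e.g. `image: "mobylinux/kernel-landlock:4.9.20-1@sha256:<digest of the pushed image>"`. The Makefile's own comment presents `4.9.x` as the convenience tag for users who want the latest build, which is fine for a demo but not for a reproducible boot image.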