The new Dockerfile.kconfig can be used, via the 'kconfig' make target
to build a 'linuxkit/kconfig' image. This image contains the patched
source and default kernel configs for all supported kernels.
It's useful for updating the kernel config files.
While at it, also update the alpine base.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

The kernel build currently downloads the source tar ball every
time, which is a little tedious when experimenting with kernel
configs or when compiling the kernel multiple times.
This commit adds a new 'fetch' make target which downloads the
kernel sources into ./sources. Then in the Dockerfile we add
the directory and only download the source if it is not present.
The tarball's signature is still checked on each build.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Since we supply a full .config file we can check that after
make defconfig/oldconfig it hasn't changed. This should catch
cases where a config option has changed between releases.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

This is a recommended security measure to protect the low portion
of virtual memory. On x86_64 the recommended value is 65536 while
for arm it shouldn't be higher than 32768.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

The resulting kernel boots fine on qemu and on Cavium Thunder,
though the latter still has some issues.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Enable DEVPTS_MULTIPLE_INSTANCES in kernel configuration file
to avoid the devpts mounting hang issue during bootup when
running LinuxKit.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>

It has been EOLed today and won't receive any further updates.
The images are still on hub so can be continued to be used
for the time being.
4.12 support is coming soon.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

- Adding NFS debug modules to kernel_config.debug
- Also updating some dead links in the kernels.md doc file
Signed-off-by: Dave Freitag <dcfreita@us.ibm.com>

This is a semi-educated guess of which kernel config options
may be needed to run LCOW based on the config file posted here:
2e5c2fac44/kernelconfig/4.11/kconfig_for_4_11
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

- Enable modules for some common 10/40G NICs
from Broadcom, Intel, and Mellanox
- Enable KVM and related modules
These are targeted to support more bare metal
configuration with LinuxKit.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

The original kernel Dockerfile hardcodes amd64 as the only supported
arch. This patch removes that hardcoding and makes the Dockerfile
ready to support both amd64 and arm64 by using the runtime arch type.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>

Added a new patch to the 4.11 and 4.9 kernels based on a patch
submitted to stable: https://patchwork.kernel.org/patch/9829039/
This patch fixes an off-by-one error in the VMBus code.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Otherwise files which have an updated timestamp but no actual changes are
marked as changed because `git diff-index` only uses the `lstat` result and not
the actual file contents. Running `git update-index --refresh` updates the
cache.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>

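Added example (not code from any commit in this log or from the LinuxKit Makefile): a throwaway git repository reproducing the stat-only false positive described in the commit above, and the `update-index --refresh` that clears it. Assumes `git` and `mktemp` are on PATH.

```shell
#!/bin/sh
# After a commit, touching a tracked file changes its mtime but not its content.
# `git diff-index` compares the index's cached stat data with lstat() and reports
# such a file as modified until `git update-index --refresh` re-hashes it.
set -e

# Print "dirty" or "clean" for the repo in $1 using the bare diff-index check.
tree_state() {
    if git -C "$1" diff-index --quiet HEAD --; then
        echo clean
    else
        echo dirty
    fi
}

# Same check, but refresh the cached stat data first (as the commit does).
tree_state_refreshed() {
    # -q keeps --refresh from exiting non-zero when content really changed;
    # we only want the side effect of updating the index.
    git -C "$1" update-index -q --refresh >/dev/null 2>&1 || true
    tree_state "$1"
}

# Build a one-commit repo, then bump a tracked file's mtime without editing it.
make_touched_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    echo "CONFIG_EXAMPLE=y" > "$dir/kernel_config"   # constructed sample file
    git -C "$dir" add kernel_config
    git -C "$dir" -c user.name=example -c user.email=example@example.invalid \
        commit -q -m "add kernel_config"
    sleep 1                       # make the new mtime differ even at 1s granularity
    touch "$dir/kernel_config"    # timestamp changes, content does not
    echo "$dir"
}

# Stand-alone demo: the same tree answers differently before and after refresh.
demo_repo=$(make_touched_repo)
echo "diff-index alone:    $(tree_state "$demo_repo")"
echo "after update-index:  $(tree_state_refreshed "$demo_repo")"
rm -rf "$demo_repo"
```
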
The definition of `$(TAG)` differs from pkg/package.mk and is only the
HASH+DIRTY since the full tag is defined by the kernel macro and varies for
each kernel.
Also `show-tag` is `show-tags` here due to the multiple builds. Individual
`show-tag_FOO` rules are provided similar to the `build_FOO` rules.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>

- Combine 'sign' and 'push' targets like it is done for
package builds.
- Append '-dirty' to the tag if the repository is dirty.
- Don't push to hub if the repository is dirty.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

In particular this contains 1be7107fbe18eed3e319 ("mm: larger stack
guard gap, between vmas") which is a fix for CVE-2017-1000364.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Module loading on hotplug and boot seems to work now, so
move some less commonly used kernel features and drivers
out of the kernel into drivers. Specifically:
- Devices: All non-virtual network device drivers
- Networking: GRE, GENEVE, PPP, non-essential IPv6 protos,
L2TP, MPLS_GSO, bonding, IPSec (XFRM), openvswitch,
queueing/schedulers
- FS: SUNRPC, NFS, NFSD, LOCKD, NTFS
- Misc: ATA over Ethernet
Remove Nozomi serial driver. It doesn't seem to be used
on any of our platforms.
The config files were also run through 'make defconfig &&
make oldconfig' to update any missing options.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

It clashes with libelf-dev but libelf-dev is sufficient
to compile the kernel. This also allows us to remove the
'|| true' from the 'apk add', catching errors with the
tools installation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

The binary is used in tandem with CONFIG_STATIC_USERMODEHELPER=y in 4.11+,
see the big comment in the binary for the current whitelist of binaries.
Signed-off-by: Tycho Andersen <tycho@docker.com>

Extract the perf binary from the kernel package and create
a new perf package for each kernel. The perf package uses the
same tags as the kernel package and only contains the perf
binary under /usr/bin. The perf package can be added to the
init section or included as a stage in a multi-stage build
for other packages.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

The perf utility is somewhat kernel specific so we might as well
compile it when we compile the kernel. The resulting binary
is statically linked (and stripped for size) and is added to the
resulting kernel packages.
Although we add alpine packages such as libunwind and others,
it seems that the config detection code for perf/tools does
not detect them.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

This cherry-picks 120010cb1eea151d38a3e66f5ffc79a0c3110292 ("tools build:
Add test for sched_getcpu()") which replaces a #ifdef based test with
a proper test for the sched_getcpu() function. The macro based condition
does not work on Alpine as it is conditional on GLIBC.
For 4.9 the cherry-pick needed some manual adjustment and also required
commit ef2c3e76d98dfb69a46d870b47656e8e5bac6e2b ("perf jit: Avoid returning
garbage for a ret variable").
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Also add additional tools and libraries useful/needed for
compiling some of the ./tools in the kernel source.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

The vmlinux image is the un-stripped kernel image containing
full debug information which is useful for kernel debugging.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

For local testing it is useful to store packages under a different
organisation on the hub (or indeed to select a different registry).
This is enabled by making the ORG configurable when calling make.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

While testing the patches on Windows we found some issues
which commit d0e6020dd2b25f8880 ("hvsock: fix a race in
hvs_stream_dequeue()") (cherry-picked as 0009) attempts to
fix.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

In order to enable Hyper-V sockets, the CONFIG_HYPERV_VSOCKETS
option must be set. This is different to the older kernel patches.
In order for the Hyper-V socket code to compile, f3dd3f4797652c311df
("vmbus: introduce in-place packet iterator") needed cherry-picking.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

This adds a new version of the Hyper-V socket support based on
https://github.com/dcui/linux/commits/decui/hv_sock/next-20170504
Note, this changes the Linux side API to Hyper-V sockets as the
support is now based on the VMware/virtio socket implementation.
This means that the Address Family and the addressing change.
Other patches from the 4.10 kernel are no longer needed as they
were already upstream.
The new Hyper-V socket code has not been tested, but the kernel
boots fine on HyperKit and Hyper-V.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Note, the bugfix for the memory leak on a missing disk on Hyper-V
has been incorporated into 4.9 and 4.10 so has been removed from
our patch queue.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

This also adds the cherry-picked commit f1c635b439a5c017 ("scsi: storvsc: Workaround
for virtual DVD SCSI version") from 4.11 for the 4.9 and 4.10 kernels. This commit
fixes a crash/memory leak on Hyper-V when no disk drives are attached and if one
boots off a CD-ROM drive.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Building debug kernels (with additional run time checks and debugging)
was broken a few commits back. This adds back support for building debug
kernels.
In addition, it builds and uploads debug kernels for selected kernel
series (4.9.x LTS and latest stable). The tag for these kernels has
a "_dbg" suffix.
Update documentation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

- Use a RUN command per artefact created
- Use WORKDIR to avoid "cd /linux" on every RUN command
- Copy all relevant build artefacts to /out
- Only create one additional layer in final stage
- Add System.map to output image
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Previously we hardcoded `bzImage` which is not used for all
use cases or architectures.
fix #1630
Signed-off-by: Justin Cormack <justin.cormack@docker.com>

- Use multi-stage builds
- Use a single Dockerfile for all kernels
Kernel version and series are passed in as arguments
- Use a separate kernel config per kernel version
These have been copied from kernel_config and run
through oldconfig to tidy them up
- Rename patch directories
- Refactor the Makefile to use a template
- Allows building of all kernels without arguments to make
- Use git tree hash as the image tag
- Don't build the image if the tag already exists
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

- XFS filesystem support, as we plan to support this
- Quota support, as XFS has good support
- NVMe PCI support
- Per file encryption
- Device Mapper support, with main options
- BTRFS support (as a module, as it slows boot otherwise by several seconds).
Signed-off-by: Justin Cormack <justin.cormack@docker.com>

This was missed when things were renamed.
The intention with this code was (apparently) to provide a (pseudo)unique
hostname in the case where something more specific was not provided (e.g. by
DHCP). Make this a little clearer by using '(none)' rather than 'linuxkit' as
the default, in the normal case this will be overwritten by something more
specific and if it isn't we will change it to something somewhat unique derived
from the MAC address (as before). nb: '(none)' is already used by Debian so I
think it is a safe choice as the sentinel value.
The use of both CONFIG_DEFAULT_HOSTNAME and the explicit /etc/hostname from
mkimage.sh is likely to be redundant in some cases, but neither seems to
completely cover all cases so keep both.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>

This is the default NIC provided by virt-install, I think it is also pretty
common on other virtualisation platforms since both the drivers and the
emulation are pretty widespread (IIRC Xen HVM guests used to get this by
default, and may still do).
Personally I'd probably try and remember to switch to virtio (or even e1000) in
preference, but that's one more thing to do.
Bump the image number.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>

... and accept the defaults. Doing so enables some hw monitoring on Intel
(which enables some I2C thing) and explicitly disables a few Mellanox options.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>

On some hv_sock workloads which quickly open/close many connections,
channel IDs would occasionally get re-used while still having work
pending. This can cause a kernel crash on a NULL pointer exception.
The three patches added to the 4.9.x and 4.10.x kernels fix
these bugs. The patches are being prepared to be upstreamed, but for
now we cherry-picked them from the developer's tree.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

The 4.9.19/4.10.7 kernels include the fix for the VMBus
memory leak, so we don't need to carry these patches anymore.
The patches against 4.9.x/4.10.x now also all have an added
"Origin" line pointing to the git tree the patches were cherry-picked
from.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

This adds a timestamp to the start of the kernel command line. Like this (from
a random system I have lying around, line truncated by me):
[ 0.000000] tsc: Detected 2665.038 MHz processor
[ 0.000021] Calibrating delay loop (skipped), value calculated using tim...
[ 0.000023] pid_max: default: 32768 minimum: 301
[ 0.000041] ACPI: Core revision 20160831
[ 0.003782] ACPI: 2 ACPI AML tables successfully acquired and loaded
This would be handy in relation to #1403.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>

For 4.9.18 and 4.10.6 cherry-picked the VMBus leak fix
from Linus' tree instead of char-misc.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Unused. This should not affect anything, and I didn't actually bump
the kernel version; am working on the build in CI for this...
Signed-off-by: Justin Cormack <justin.cormack@docker.com>

Note, this also removes the LTS4.4 build options and replaces
it with a KERNEL= build option to select the kernel to build.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

Commit c3fc6faa35 removed AUFS support but missed the kernel
config and a mention in the main Makefile.
This commit removes these also.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

This builds a family of drivers for various Mellanox
cards, sufficient to get a DHCP lease on packet.net
Type2/3 machines (see #1245).
Signed-off-by: Anil Madhavapeddy <anil@docker.com>

This is a stop-gap to prevent accidental push of kernel
images to hub until we sort out doing this from CI.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

This lets us boot on packet.net machines and successfully gives
a DHCP lease when installed via iPXE. See #1245
Signed-off-by: Anil Madhavapeddy <anil@docker.com>

A given image is pushed to hub twice, once as
kernel:<kernel version>.<major version>.x and once as
kernel:<kernel version>.<major version>.<minor version>-<n>.
The latter is used to decide if a new kernel image is pushed to hub.
Most users should use the former to pick up the latest kernel.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

- Remove patch to prevent non-host network namespaces from using VSOCK.
This is now handled by seccomp profiles by docker
- Rebase the VMBUS version cherry-picks to Linus' tree.
This will make it easier to get them into stable
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>

The mobylinux/kernel image now has the bzImage (no longer named vmlinuz64)
and a tarball of the files needed for the initrd, ie modules etc.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>

This change (5ca3726, added in v4.7-rc1) exposed issues described in
https://github.com/docker/docker/issues/28941; since we don't support CPU
hotplug anyway, revert the change while we decide on a proper fix.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>

Regenerate the kernel patches from
https://github.com/rneugeba/linux-stable/
Note, the last two 4.9 patches are now properly
cherry-picked from linux-next. We previously had
0011-Drivers-hv-vmbus-Use-all... from an email.
0012-Drivers-hv-Log-the... is new, but may further aid
debugging version mismatch issues.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>