CONFIG_BPFILTER is aimed at providing a replacement for netfilter.
When CONFIG_BPFILTER is enabled, the kernel tries to contact a user mode helper
for each iptable rule update. However the implementation of this helper has not
been upstreamed yet. The communication thus fails and the kernel then falls back
to netfilter.
As a result, the rule update takes more than ten times the duration of the
netfilter implementation alone.
This has been reported by Docker Desktop users for whom it can take minutes to
start a container sharing a few hundred ports. https://github.com/for-mac/issues/5668
More details on the situation are described in https://lwn.net/Articles/822744/.
Signed-off-by: Frederic Dalleau <frederic.dalleau@docker.com>
The bcc portion of the build had been disabled because it wasn't
building. Now that bcc is building again, add it back to the list of
default targets in the kernel build.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
This moves up to bcc 0.20.0 and builds on the latest 3.13 Alpine base
image. It uses libelf from Alpine, which allows us to drop a number of
the patches we were carrying and reduce the number of steps taken in the
bcc build.
This builds for me on a branch of tip against 5.11.x, 5.10.x,
5.10.x-dbg, and 5.4.x on x86_64. I have not had a chance to attempt
this on other platforms due to lack of hardware.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
Declare KERNEL_SOURCE as an environment variable so it
gets picked up in kernel-source-info
fixes #3653
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
5.4.x is the only kernel left which does not have
WireGuard in tree, and people should be using more
recent kernels. Remove the now special case for
compiling out-of-tree WireGuard.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
The kernel config is derived from 5.6.x by running it through
make oldconfig.
For x86_64 changed manually:
- CONFIG_VIRTIO_MEM=m -> y
- CONFIG_PLDMFW=y -> not set
For aarch64 changed manually:
- CONFIG_SMSC_PHY=m -> not set
- CONFIG_PLDMFW=y -> not set
No adjustment to s390x config
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
This commit removes Notary and Content Trust.
Notary v1 is due to be replaced with Notary v2 soon.
There is no clean migration path from one to the other.
For now, this removes all signing from LinuxKit.
We will look to add this back once a new Notary alternative
becomes available.
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
The patch we carry for 5.4 and 5.6 does not apply to
5.4.28. Disable the -rt kernel until the version has
been bumped.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
This was previously built for 5.4 and 4.19. Latest LTS is 5.4 and
latest stable is 5.6. Also skip s390x build for perf.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
For some reason, the 'make ARCH=s390 oldconfig' yields
a different config when executing on a real s390x system...
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
A subsequent commit will make the 5.4 kernel the default.
This is primarily to reduce the number of kernels we need
to compile for every upgrade.
Note, we keep the 4.19 config file for arm64 around since the
-rt kernel config needs it.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
This new snapshot comes from the brand new linux-compat repo, which
follows the recent upstreaming into net-next. When Linux 5.6 lands in
LinuxKit, we'll be able to remove the module entirely.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Allows us to drop some patches we were carrying, since the bugs were
fixed upstream. Gives numerous tooling improvements too.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
Re-enable perf builds for 5.3.x and 4.19.x since they're the latest
stable and LTS, respectively.
Update the bcc build rules to map to these same kernel releases, too.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
The first patch re-adds symbol definitions that were temporarily omitted
from the 4.19 stable branch.
The latter patch corrects the uapi swab.h so that errors about "unknown
type name '__always_inline'" are no longer present in builds. Without
this patch, bcc would build but attempts to compile the internal
programs at runtime would fail.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
The KCONFIG_TAG variable can be used to set a custom kconfig tag.
If KCONFIG_TAG is not set, the image is tagged as linuxkit/kconfig:latest.
This is useful for projects that need to build multiple kernels that have
different patches.
When trying to edit an unpatched kernel config after working on a patched
kernel config (same kernel version), one had to rerun make kconfig first
in order to edit the config of an unpatched kernel.
Now it is possible to generate a tagged kconfig image and then get the wanted
config by selecting the corresponding linuxkit/kexec:tag.
Signed-off-by: Gabriel Chabot <gabriel.chabot@qarnot-computing.com>
Intel microcode download is moved earlier in the Dockerfile, before the
kernel is actually built, so that it's available in the context of a
build and can be referenced in CONFIG_EXTRA_FIRMWARE for people who want
the microcode to be built into the kernel.
It is still copied into the out/ directory so that it is still
available for addition in a 'ucode:' section in linuxkit.yml.
Signed-off-by: Yoann Ricordel <yoann.ricordel@qarnot-computing.com>