These are part of the Meltdown/Spectre mitigations for arm64
now available for 4.14 and 4.15
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.14.20 update has Meltdown/Spectre fixes for arm64
The 4.4.116 update incorporates the proper fix for the
div by zero crash in the firmware loader, so the patch
with the hackish workaround was dropped.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
In order to get such a preempt-rt Linux kernel, we grab the -rt patch via
https://www.kernel.org/pub/linux/kernel/projects/rt/. So far we just enable it
over 4.14.x.
Signed-off-by: Tiejun Chen <tiejun.china@gmail.com>
Pulls in a bumper crop of updates from last year and some recent improvements:
$ git log --oneline 3e8ed35ca934..f2409214ca3b | cat
f240921 Merge pull request #38 from ijc/timestamp-precision
f626ffe Preserve full precision in nanoseconds part of log timestamp
29c89e8 Merge pull request #37 from rn/ps1
600ea59 Update documentation with new powershell features
9fed685 Add powershell test and group templates and a stub library
3ada6bd Don't use '#!/bin/sh' in tests or group initialisers
dd187b4 Add test cases for powershell scripts
4892754 Add support for writing tests in powershell (on Windows)
00cdd1f Add the ability to execute powershell scripts
00906da Add TestFilePath to the Test struct
e6fdcb7 Add GroupFilePath to the Group struct
c590dbc Make group member names for Pre/Post test scripts clearer
5ca3d4f Add setEnv test
d178af2 Improve environment variable setting in executeScript
9c7cc94 Merge pull request #35 from rn/circle
d464092 Use container builds on CircleCI and stash artefacts
9a09cd5 Move CircleCI config file to .circleci
9429279 Merge pull request #33 from rn/poule
4de1f2c Add poule config
88dcc27 Merge pull request #32 from mor1/extra-extra
bfabb8a flags: update README for `-x` now as a local flag
3f574c7 flags: make `-x` work
ba442d6 Merge pull request #31 from dave-tucker/fix-panic
6c7f09b local: Fix panic when no pattern is supplied
617e977 Merge pull request #30 from dnephin/add-latest-link
5829b2b Merge pull request #29 from dnephin/fix-command-descriptions
d09a317 Add a link to the latest directory within results.
c9a9a2a Remove some duplication between commands.
7904cc7 Remove unused flags, and move run flags to run command.
94e56a7 Update command descriptions
faedeef Merge pull request #28 from dave-tucker/prepost
a5f92ae local: Fix panic in PostTest
23fbbea Merge pull request #26 from dave-tucker/fix-osx-vers
156281e sysinfo: Fix OSX version parsing
Signed-off-by: Ian Campbell <ijc@docker.com>
This should make debugging a lot easier. Note, 991f8f1c6eb6
("hyper-v: trace channel events"), patch 18, required some
minor modifications from upstream as another patch was not easy
to cherry-pick.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Drop the hack for the microcode division by 0 on GCP as
a proper fix is in upstream as:
2760f452a718 ("x86/microcode: Do the family check first")
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
These kernels have significant changes/additions for Spectre
mitigation as well as the usual other set of fixes.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The YAMLs in ./test/hack enumerated the images to pull with
content trust. All images in the 'linuxkit' org should
now have trust enabled.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The CONFIG_BPF_JIT_ALWAYS_ON option has now been back-ported
to 4.4.115 as well. Enable it.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This adds a patch to avoid a division by zero panic for 4.4.x
and 4.9.x kernels on single vCPU machine types on Google Cloud.
4.14.x and 4.15.x kernels seem to work fine.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This option is not enabled by default, but disables the
BPF interpreter which can be used to inject speculative
execution into the kernel. Enable it as it seems
like a good security measure.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.14 and 4.9 kernels have a significant number of
fixes to eBPF and also a fix for kernel level sockets
and namespace removals, i.e. fixes some aspects of
https://github.com/moby/moby/issues/5618
"unregister_netdevice: waiting for lo to become free"
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>