There are too many kernels to compile and arm64 takes a bit
too long to compile even on a beefy arm64 server.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@gmail.com>
These fix some issues around hot-unplugging devices which may be the cause
of some LCOW issues we are seeing.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@gmail.com>
Enable the Integrity Measurement Architecture (IMA) for 4.14.x
and 4.15.x kernels. This pretty much uses the defaults except we
also enable INTEGRITY_ASYMMETRIC_KEYS and IMA_READ_POLICY. The
latter may be useful for debugging.
For s390x we also needed to enable TPM support.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Disable all network device driver apart from Mellanox, which
is the only support NIC on s390x
- Disable Fusion MPT
- Disable DAX/NVMEM/NVME
- Disable USB
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
While this now has some duplication, it is clearer as to which
kernels are compiled for each architecture.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Update building process to add s390 support.
The patch serial-forbid-8250-on-s390.patch has been added to disable
8250 serial for s390.
The patch is available upstream https://patchwork.kernel.org/patch/10106437/
but it is not backported.
Signed-off-by: Alice Frosi <alice@linux.vnet.ibm.com>
Also remove the 4.4 patch which should have been removed by
231cead2cc ("kernel: Update to 4.15.4/4.14.20/4.9.82/4.4.116")
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
We may soon get another arch, so wanted to set the template
for having per arch list of kernels to compile.
While at it also drop the 4.4.x kernel for arm64. We never really
tested it and folks should be on 4.9 or 4.14 anyway. I'll leave
4.4.x for x86 for now as it might be useful to test for regressions.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
In order to cut the number of kernels we build, remove the debug
kernel for the now non-default 4.9.x series.
Also remove the -rt debug kernel. Users who need it can build
it themselves with 'make EXTRA=-rt DEBUG=-dbg build_4.14.x'
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
These are part of the Meltdown/Spectre mitigations for arm64
now available for 4.14 and 4.15
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.14.20 update has Meltdown/Spectre fixes for arm64
The 4.4.116 update incorporates the proper fix for the
div by zero crash in the firmware loader, so the patch
with the hackish workaround was dropped.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
In order to get such a preempt-rt Linux kerne, we grab -rt patch via
https://www.kernel.org/pub/linux/kernel/projects/rt/. So far we just enable it
over 4.14.x.
Signed-off-by: Tiejun Chen <tiejun.china@gmail.com>
This should make debugging a lot easier. Note, 991f8f1c6eb6
("hyper-v: trace channel events"), patch 18, required some
minor modifications from upstream as another patch was not easy
to cherry-pick.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Drop the hack for the microcode division by 0 on GCP as
a proper fix is in upstream as:
2760f452a718 ("x86/microcode: Do the family check first")
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
These kernels have significant changes/addition for Spectre
mitigation as well as the usual other set of fixes.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The CONFIG_BPF_JIT_ALWAYS_ON option has now been back-ported
to 4.4.115 as well. Enable it.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This adds a patch to avoid a division by zero panic for 4.4.x
and 4.9.x kernels on single vCPU machine types on Google Cloud.
4.14.x and 4.15.x kernels seem to work fine.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This option is not enabled by default, but disables the
BPF interpreter which can be used to inject speculative
execution into the kernel. Enabled it as it seems
like a good security measure.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The 4.14 and 4.9 kernels have a significant number of
fixes to eBPF and also a fix for kernel level sockets
and namespace removals, ie fixes some aspects of
https://github.com/moby/moby/issues/5618
"unregister_netdevice: waiting for lo to become free"
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>