github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-12-25 13:23:37 +00:00
Code Issues Projects Releases Wiki Activity
Files
05b6bb52848a9b12c7f0989457b951c4c2c2393f
linuxkit/kernel/Dockerfile
Rolf Neugebauer f7b3eb38ef kernel: Update wireguard to 0.0.20190601 
This skips 0.0.20190531

Changelog for 0.0.20190601

== Changes ==

  * compat: don't call xgetbv on cpus with no XSAVE

  There was an issue with the backport compat layer in yesterday's snapshot,
  causing issues on certain (mostly Atom) Intel chips on kernels older than
  4.2, due to the use of xgetbv without checking cpu flags for xsave support.
  This manifested itself simply at module load time. Indeed it's somewhat tricky
  to support 33 different kernel versions (3.10+), plus weird distro
  frankenkernels.

Changelog for 0.0.20190531

== Changes ==

  * tools: add wincompat layer to wg(8)

  Consistent with a lot of the Windows work we've been doing this last cycle,
  wg(8) now supports the WireGuard for Windows app by talking through a named
  pipe. You can compile this as `PLATFORM=windows make -C src/tools` with mingw.
  Because programming things for Windows is pretty ugly, we've done this via a
  separate standalone wincompat layer, so that we don't pollute our pretty *nix
  utility.

  * compat: udp_tunnel: force cast sk_data_ready

  This is a hack to work around broken Android kernel wrapper scripts.

  * wg-quick: freebsd: workaround SIOCGIFSTATUS race in FreeBSD kernel

  FreeBSD had a number of kernel race conditions, some of which we can vaguely
  work around. These are in the process of being fixed upstream, but probably
  people won't update for a while.

  * wg-quick: make darwin and freebsd path search strict like linux

  Correctness.

  * socket: set ignore_df=1 on xmit

  This was intended from early on but didn't work on IPv6 without the ignore_df
  flag. It allows sending fragments over IPv6.

  * qemu: use newer iproute2 and kernel
  * qemu: build iproute2 with libmnl support
  * qemu: do not check for alignment with ubsan

  The QEMU build system has been improved to compile newer versions. Linking
  against libmnl gives us better error messages. As well, enabling the alignment
  check on x86 UBSAN isn't realistic.

  * wg-quick: look up existing routes properly
  * wg-quick: specify protocol to ip(8), because of inconsistencies

  The route inclusion check was wrong prior, and Linux 5.1 made it break
  entirely. This makes a better invocation of `ip route show match`.

  * netlink: use new strict length types in policy for 5.2
  * kbuild: account for recent upstream changes
  * zinc: arm64: use cpu_get_elf_hwcap accessor for 5.2

  The usual churn of changes required for the upcoming 5.2.

  * timers: add jitter on ack failure reinitiation

  Correctness tweak in the timer system.

  * blake2s,chacha: latency tweak
  * blake2s: shorten ssse3 loop

  In every odd-numbered round, instead of operating over the state
      x00 x01 x02 x03
      x05 x06 x07 x04
      x10 x11 x08 x09
      x15 x12 x13 x14
  we operate over the rotated state
      x03 x00 x01 x02
      x04 x05 x06 x07
      x09 x10 x11 x08
      x14 x15 x12 x13
  The advantage here is that this requires no changes to the 'x04 x05 x06 x07'
  row, which is in the critical path. This results in a noticeable latency
  improvement of roughly R cycles, for R diagonal rounds in the primitive. As
  well, the blake2s AVX implementation is now SSSE3 and considerably shorter.

  * tools: allow setting WG_ENDPOINT_RESOLUTION_RETRIES

  System integrators can now specify things like
  WG_ENDPOINT_RESOLUTION_RETRIES=infinity when building wg(8)-based init
  scripts and services, or 0, or any other integer.

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2019-06-28 00:39:23 +01:00

194 lines
7.0 KiB
Docker
Raw Blame History

FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec AS kernel-build
RUN apk add \
argp-standalone \
automake \
bash \
bc \
binutils-dev \
bison \
build-base \
curl \
diffutils \
flex \
git \
gmp-dev \
gnupg \
installkernel \
kmod \
elfutils-dev \
linux-headers \
mpc1-dev \
mpfr-dev \
ncurses-dev \
openssl-dev \
patch \
sed \
squashfs-tools \
tar \
xz \
xz-dev \
zlib-dev
# libunwind-dev pkg is missed from arm64 now, below statement will be removed if the pkg is available.
RUN [ $(uname -m) == x86_64 ] && apk add libunwind-dev || true
ARG KERNEL_VERSION
ARG KERNEL_SERIES
ARG EXTRA
ARG DEBUG
ENV WIREGUARD_VERSION=0.0.20190601
ENV WIREGUARD_SHA256="7528461824a0174bd7d4f15e68d8f0ce9a8ea318411502b80759438e8ef65568"
ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz
# We copy the entire directory. This copies some unneeded files, but
# allows us to check for the existence /patches-${KERNEL_SERIES} to
# build kernels without patches.
COPY / /
# Download and verify kernel
# PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org) & 00411886 (torvalds@linux-foundation.org)
RUN KERNEL_MAJOR=$(echo ${KERNEL_VERSION} | cut -d . -f 1) && \
KERNEL_MAJOR=v${KERNEL_MAJOR}.x && \
KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.xz && \
KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/sha256sums.asc && \
KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.sign && \
curl -fsSLO ${KERNEL_SHA256_SUMS} && \
gpg2 -q --import keys.asc && \
gpg2 --verify sha256sums.asc && \
KERNEL_SHA256=$(grep linux-${KERNEL_VERSION}.tar.xz sha256sums.asc | cut -d ' ' -f 1) && \
[ -f linux-${KERNEL_VERSION}.tar.xz ] || curl -fsSLO ${KERNEL_SOURCE} && \
echo "${KERNEL_SHA256} linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c - && \
xz -d linux-${KERNEL_VERSION}.tar.xz && \
curl -fsSLO ${KERNEL_PGP2_SIGN} && \
gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux
WORKDIR /linux
# Apply local specific patches if present
RUN set -e && \
if [ -n "${EXTRA}" ] && [ -d /patches-${KERNEL_SERIES}${EXTRA} ]; then \
echo "Patching ${EXTRA} kernel"; \
for patch in /patches-${KERNEL_SERIES}${EXTRA}/*.patch; do \
echo "Applying $patch"; \
patch -t -F0 -N -u -p1 < "$patch"; \
done; \
fi
# Apply local common patches if present
RUN set -e && \
if [ -d /patches-${KERNEL_SERIES} ]; then \
for patch in /patches-${KERNEL_SERIES}/*.patch; do \
echo "Applying $patch"; \
patch -t -F0 -N -u -p1 < "$patch"; \
done; \
fi
RUN mkdir -p /out/src
# Save kernel source
RUN tar cJf /out/src/linux.tar.xz /linux
# Kernel config
RUN case $(uname -m) in \
x86_64) \
KERNEL_DEF_CONF=/linux/arch/x86/configs/x86_64_defconfig; \
;; \
aarch64) \
KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
;; \
s390x) \
KERNEL_DEF_CONF=/linux/arch/s390/defconfig; \
;; \
esac && \
cp /config-${KERNEL_SERIES}-$(uname -m) ${KERNEL_DEF_CONF}; \
if [ -n "${EXTRA}" ] && [ -f "/config-${KERNEL_SERIES}-$(uname -m)${EXTRA}" ]; then \
cat /config-${KERNEL_SERIES}-$(uname -m)${EXTRA} >> ${KERNEL_DEF_CONF}; \
fi; \
sed -i "s/CONFIG_LOCALVERSION=\"-linuxkit\"/CONFIG_LOCALVERSION=\"-linuxkit${EXTRA}${DEBUG}\"/" ${KERNEL_DEF_CONF}; \
if [ -n "${DEBUG}" ]; then \
sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' ${KERNEL_DEF_CONF}; \
cat /config${DEBUG} >> ${KERNEL_DEF_CONF}; \
fi && \
make defconfig && \
make oldconfig && \
if [ -z "${EXTRA}" ] && [ -z "${DEBUG}" ]; then diff -u .config ${KERNEL_DEF_CONF}; fi
# Kernel
RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
case $(uname -m) in \
x86_64) \
cp arch/x86_64/boot/bzImage /out/kernel; \
;; \
aarch64) \
cp arch/arm64/boot/Image.gz /out/kernel; \
;; \
s390x) \
cp arch/s390/boot/bzImage /out/kernel; \
;; \
esac && \
cp System.map /out && \
([ -n "${DEBUG}" ] && cp vmlinux /out || true)
# WireGuard
RUN curl -fsSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
echo "${WIREGUARD_SHA256} /wireguard.tar.xz" | sha256sum -c - && \
cp /wireguard.tar.xz /out/src/ && \
tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "WireGuard-${WIREGUARD_VERSION}/src" && \
make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules
# Modules and Device Tree binaries
RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
cd /tmp/kernel-modules/lib/modules/$DVER && \
rm build source && \
ln -s /usr/src/linux-headers-$DVER build ) && \
case $(uname -m) in \
aarch64) \
make INSTALL_DTBS_PATH=/tmp/kernel-modules/boot/dtb dtbs_install; \
;; \
esac && \
( cd /tmp/kernel-modules && tar cf /out/kernel.tar . )
# Headers (userspace API)
RUN mkdir -p /tmp/kernel-headers/usr && \
make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr )
# Headers (kernel development)
RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
dir=/tmp/usr/src/linux-headers-$DVER && \
mkdir -p $dir && \
cp /linux/.config $dir && \
cp /linux/Module.symvers $dir && \
find . -path './include/*' -prune -o \
-path './arch/*/include' -prune -o \
-path './scripts/*' -prune -o \
-type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
-name '*.lds' -o -name '*.pl' -o -name '*.sh' -o \
-name 'objtool' -o -name 'fixdep' -o -name 'randomize_layout_seed.h' \) | \
tar cf - -T - | (cd $dir; tar xf -) && \
( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
# Download Intel ucode and create a CPIO archive for it
ENV UCODE_REPO=https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
ENV UCODE_COMMIT=1dd14da6d1ea5cfbd95923653f31c04aac3aa655
RUN set -e && \
if [ $(uname -m) == x86_64 ]; then \
git clone ${UCODE_REPO} ucode && \
cd ucode && \
git checkout ${UCODE_COMMIT} && \
iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \
cp license /out/intel-ucode-license.txt; \
fi
FROM scratch
ENTRYPOINT []
CMD []
WORKDIR /
COPY --from=kernel-build /out/* /
Reference in New Issue View Git Blame Copy Permalink