github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2026-04-05 02:14:57 +00:00
Code Issues Projects Releases Wiki Activity
Files
9f6b8ee81d7bb2f1f65285bf885a14203f0d1ed2
linuxkit/kernel/Dockerfile
Rolf Neugebauer 9f6b8ee81d kernel: Update WireGuard to 0.0.20190406 
== Changes ==

  * allowedips: initialize list head when removing intermediate nodes

  Fix for an important regression in removing allowed IPs from the last
  snapshot. We have new test cases to catch these in the future as well.

  * wg-quick: freebsd: rebreak interface loopback, while fixing localhost
  * wg-quick: freebsd: export TMPDIR when restoring and don't make empty

  Two fixes for FreeBSD which have already been backported into ports.

  * tools: genkey: account for short reads of /dev/urandom
  * tools: add support for Haiku

  The tools now support Haiku! Maybe somebody is working on a WireGuard
  implementation for it?

  * tools: warn if an AllowedIP has a nonzero host part

  If you try to run `wg set wg0 peer ... allowed-ips 192.168.1.82/24`, wg(8)
  will now print a warning. Even though we mask this automatically down to
  192.168.1.0/24, usually when people specify it like this, it's a mistake.

  * wg-quick: add 'strip' subcommand

  The new strip subcommand prints the config file to stdout after stripping
  it of all wg-quick-specific options. This enables tricks such as:
  `wg addconf $DEV <(wg-quick strip $DEV)`.

  * tools: avoid unneccessary next_peer assignments in sort_peers()

  Small C optimization the compiler was probably already doing.

  * peerlookup: rename from hashtables
  * allowedips: do not use __always_inline
  * device: use skb accessor functions where possible

  Suggested tweaks from Dave Miller.

  * qemu: set framewarn 1280 for 64bit and 1024 for 32bit

  These should indicate to us more clearly when we cross the most strict stack
  thresholds expected when using recent compilers with the kernel.

  * blake2s: simplify
  * blake2s: remove outlen parameter from final

  The blake2s implementation has been simplified, since we don't use any of the
  fancy tree hashing parameters or the like. We also no longer separate the
  output length at initialization time from the output length at finalization
  time.

  * global: the _bh variety of rcu helpers have been unified
  * compat: nf_nat_core.h was removed upstream
  * compat: backport skb_mark_not_on_list

  The usual assortment of compat fixes for Linux 5.1.

Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
2019-05-25 14:05:51 +01:00

197 lines
7.1 KiB
Docker
Raw Blame History

FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec AS kernel-build
RUN apk add \
argp-standalone \
automake \
bash \
bc \
binutils-dev \
bison \
build-base \
curl \
diffutils \
flex \
git \
gmp-dev \
gnupg \
installkernel \
kmod \
elfutils-dev \
linux-headers \
mpc1-dev \
mpfr-dev \
ncurses-dev \
patch \
sed \
squashfs-tools \
tar \
xz \
xz-dev \
zlib-dev
# libunwind-dev pkg is missed from arm64 now, below statement will be removed if the pkg is available.
RUN [ $(uname -m) == x86_64 ] && apk add libunwind-dev || true
ARG KERNEL_VERSION
ARG KERNEL_SERIES
ARG EXTRA
ARG DEBUG
ENV WIREGUARD_VERSION=0.0.20190406
ENV WIREGUARD_SHA256="2f06f3adf70b95e74a7736a22dcf6e9ef623b311a15b7d55b5474e57c3d0415b"
ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz
# We copy the entire directory. This copies some unneeded files, but
# allows us to check for the existence /patches-${KERNEL_SERIES} to
# build kernels without patches.
COPY / /
# Download and verify kernel
# PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org) & 00411886 (torvalds@linux-foundation.org)
RUN KERNEL_MAJOR=$(echo ${KERNEL_VERSION} | cut -d . -f 1) && \
KERNEL_MAJOR=v${KERNEL_MAJOR}.x && \
KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.xz && \
KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/sha256sums.asc && \
KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.sign && \
curl -fsSLO ${KERNEL_SHA256_SUMS} && \
gpg2 -q --import keys.asc && \
gpg2 --verify sha256sums.asc && \
KERNEL_SHA256=$(grep linux-${KERNEL_VERSION}.tar.xz sha256sums.asc | cut -d ' ' -f 1) && \
[ -f linux-${KERNEL_VERSION}.tar.xz ] || curl -fsSLO ${KERNEL_SOURCE} && \
echo "${KERNEL_SHA256} linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c - && \
xz -d linux-${KERNEL_VERSION}.tar.xz && \
curl -fsSLO ${KERNEL_PGP2_SIGN} && \
gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux
WORKDIR /linux
# Apply local specific patches if present
RUN set -e && \
if [ -n "${EXTRA}" ] && [ -d /patches-${KERNEL_SERIES}${EXTRA} ]; then \
echo "Patching ${EXTRA} kernel"; \
for patch in /patches-${KERNEL_SERIES}${EXTRA}/*.patch; do \
echo "Applying $patch"; \
patch -t -F0 -N -u -p1 < "$patch"; \
done; \
fi
# Apply local common patches if present
RUN set -e && \
if [ -d /patches-${KERNEL_SERIES} ]; then \
for patch in /patches-${KERNEL_SERIES}/*.patch; do \
echo "Applying $patch"; \
patch -t -F0 -N -u -p1 < "$patch"; \
done; \
fi
RUN mkdir -p /out/src
# Save kernel source
RUN tar cJf /out/src/linux.tar.xz /linux
# Kernel config
RUN case $(uname -m) in \
x86_64) \
KERNEL_DEF_CONF=/linux/arch/x86/configs/x86_64_defconfig; \
;; \
aarch64) \
KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
;; \
s390x) \
KERNEL_DEF_CONF=/linux/arch/s390/defconfig; \
;; \
esac && \
cp /config-${KERNEL_SERIES}-$(uname -m) ${KERNEL_DEF_CONF}; \
if [ -n "${EXTRA}" ] && [ -f "/config-${KERNEL_SERIES}-$(uname -m)${EXTRA}" ]; then \
cat /config-${KERNEL_SERIES}-$(uname -m)${EXTRA} >> ${KERNEL_DEF_CONF}; \
fi; \
sed -i "s/CONFIG_LOCALVERSION=\"-linuxkit\"/CONFIG_LOCALVERSION=\"-linuxkit${EXTRA}${DEBUG}\"/" ${KERNEL_DEF_CONF}; \
if [ -n "${DEBUG}" ]; then \
sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' ${KERNEL_DEF_CONF}; \
cat /config${DEBUG} >> ${KERNEL_DEF_CONF}; \
fi && \
make defconfig && \
make oldconfig && \
if [ -z "${EXTRA}" ] && [ -z "${DEBUG}" ]; then diff -u .config ${KERNEL_DEF_CONF}; fi
# Kernel
RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
case $(uname -m) in \
x86_64) \
cp arch/x86_64/boot/bzImage /out/kernel; \
;; \
aarch64) \
cp arch/arm64/boot/Image.gz /out/kernel; \
;; \
s390x) \
cp arch/s390/boot/bzImage /out/kernel; \
;; \
esac && \
cp System.map /out && \
([ -n "${DEBUG}" ] && cp vmlinux /out || true)
# WireGuard
RUN set -e && \
if [ "$KERNEL_SERIES" != "5.1.x" ]; then \
curl -fsSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
echo "${WIREGUARD_SHA256} /wireguard.tar.xz" | sha256sum -c - && \
cp /wireguard.tar.xz /out/src/ && \
tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "WireGuard-${WIREGUARD_VERSION}/src" && \
make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules; \
fi
# Modules and Device Tree binaries
RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
cd /tmp/kernel-modules/lib/modules/$DVER && \
rm build source && \
ln -s /usr/src/linux-headers-$DVER build ) && \
case $(uname -m) in \
aarch64) \
make INSTALL_DTBS_PATH=/tmp/kernel-modules/boot/dtb dtbs_install; \
;; \
esac && \
( cd /tmp/kernel-modules && tar cf /out/kernel.tar . )
# Headers (userspace API)
RUN mkdir -p /tmp/kernel-headers/usr && \
make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr )
# Headers (kernel development)
RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
dir=/tmp/usr/src/linux-headers-$DVER && \
mkdir -p $dir && \
cp /linux/.config $dir && \
cp /linux/Module.symvers $dir && \
find . -path './include/*' -prune -o \
-path './arch/*/include' -prune -o \
-path './scripts/*' -prune -o \
-type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
-name '*.lds' -o -name '*.pl' -o -name '*.sh' -o \
-name 'objtool' -o -name 'fixdep' -o -name 'randomize_layout_seed.h' \) | \
tar cf - -T - | (cd $dir; tar xf -) && \
( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
# Download Intel ucode and create a CPIO archive for it
ENV UCODE_URL=https://downloadmirror.intel.com/28087/eng/microcode-20180807a.tgz
RUN set -e && \
if [ $(uname -m) == x86_64 ]; then \
cd /ucode && \
curl -fsSL -o microcode.tar.gz ${UCODE_URL} && \
md5sum -c intel-ucode-md5sums && \
tar xf microcode.tar.gz && \
rm -f intel-ucode/list && \
iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \
cp intel-ucode-license.txt /out; \
fi
FROM scratch
ENTRYPOINT []
CMD []
WORKDIR /
COPY --from=kernel-build /out/* /
Reference in New Issue View Git Blame Copy Permalink