Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for kernel 5.10 #1526

Merged
merged 7 commits into from
Apr 28, 2021
Merged

add support for kernel 5.10 #1526

merged 7 commits into from
Apr 28, 2021

Conversation

bcressey
Copy link
Contributor

Issue number:
Fixes #1349
Fixes #1454

Description of changes:
Rename the kernel package to kernel-5.4, and add kernel-5.10. Move kernel selection to variant definitions, and adjust kmod-kit builds to support different kernels.

Add sysctl settings to release to keep defaults the same for both kernels.

Add new classes and permissions to the SELinux policy.

Testing done:
The kernel spec files have only minor differences. The Lustre patch is no longer needed, and a few extra files are required in the devel archive.

For the 5.10 kernel, I confirmed that kmod-kits worked for both targets using artifacts built on both hosts. I built ZFS, copied modules to running hosts, and confirmed that they would load. For x86_64, I also installed Falco using helm, and confirmed that the kernel module loaded.

For aws-k8s-1.19 (kernel 5.4) and aws-k8s-1.20 (kernel 5.10) I confirmed that the sysctl values were set as expected:

$ sysctl net.ipv4.tcp_wmem net.ipv4.ip_default_ttl
net.ipv4.tcp_wmem = 4096	20480	4194304
net.ipv4.ip_default_ttl = 255

I also confirmed that the SELinux policy loaded correctly on 5.10, and with an informational message on kernel 5.4.

aws-k8s-1.20

[    0.381563] SELinux:  policy capability network_peer_controls=1
[    0.382039] SELinux:  policy capability open_perms=1
[    0.382418] SELinux:  policy capability extended_socket_class=1
[    0.382868] SELinux:  policy capability always_check_network=0
[    0.383313] SELinux:  policy capability cgroup_seclabel=1
[    0.383725] SELinux:  policy capability nnp_nosuid_transition=1
[    0.384176] SELinux:  policy capability genfs_seclabel_symlinks=1

aws-k8s-1.19

[    1.376085] SELinux:  policy capability network_peer_controls=1
[    1.376727] SELinux:  policy capability open_perms=1
[    1.377245] SELinux:  policy capability extended_socket_class=1
[    1.377847] SELinux:  policy capability always_check_network=0
[    1.378454] SELinux:  policy capability cgroup_seclabel=1
[    1.379015] SELinux:  policy capability nnp_nosuid_transition=1
[    1.379617] SELinux:  unknown policy capability 6

kmod-kits were correctly linked in by cargo make repo:

❯ ls -l build/repos/default/bottlerocket-1.0.8-*/targets/*kmod-kit*
lrwxrwxrwx. 1 fedora fedora 110 Apr 27 00:08 build/repos/default/bottlerocket-1.0.8-413a3778/targets/344af7281c2daa3ceec9b798a20edb323e8ddddd75bd319efe5fda04baf1e6d4.aws-k8s-1.19-aarch64-kmod-kit-v1.0.8.tar.xz -> /home/fedora/bottlerocket/build/images/aarch64-aws-k8s-1.19/latest/aws-k8s-1.19-aarch64-kmod-kit-v1.0.8.tar.xz

❯ ls -l build/repos/default/bottlerocket-1.0.8-*/targets/*kmod-kit*
lrwxrwxrwx. 1 fedora fedora 108 Apr 27 00:18 build/repos/default/bottlerocket-1.0.8-413a3778/targets/ed7d014aefe7143565daabcfb277e1df01eb2a7d45214dbbc6ad22aa704fe969.aws-k8s-1.19-x86_64-kmod-kit-v1.0.8.tar.xz -> /home/fedora/bottlerocket/build/images/x86_64-aws-k8s-1.19/latest/aws-k8s-1.19-x86_64-kmod-kit-v1.0.8.tar.xz

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
Copy link
Contributor Author

All the builds for arm64 failed, so I'm trying something different to see if I can placate CI.

@bcressey bcressey marked this pull request as draft April 27, 2021 04:52
@bcressey bcressey force-pushed the kernel-five-ten branch 2 times, most recently from 77ba6e5 to a9fc538 Compare April 27, 2021 05:18
@bcressey bcressey marked this pull request as ready for review April 27, 2021 05:18
webern
webern reviewed Apr 27, 2021
View reviewed changes
tools/buildsys/src/builder.rs Outdated
@@ -390,6 +394,15 @@ fn getenv(var: &str) -> Result<String> {
env::var(var).context(error::Environment { var })
}

/// Map a Linux architecture into the corresponding Docker architecture.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An enum with fn goarch(&self) -> &'static str might be nice.

packages/kernel-5.10/Cargo.toml
[[package.metadata.build-package.external-files]]
# Use latest-srpm-url.sh to get this.
url = "https://cdn.amazonlinux.com/blobstore/fa04b98fc067a4943beac60d0c2971e2fbef1a29faed4bac1c4096abe4ad4c12/kernel-5.10.29-27.126.amzn2.src.rpm"
sha512 = "47341f4a1c13ba7e5ea72bad13fe689eefd22cc7547aea08a08fe47238b4a3fe1659786a406b84a1d1508143be20d9be2fae6fe3e7a6924bc85043bf61d4bfce"
Copy link
Contributor

@webern webern Apr 27, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to be missing the [dependencies] and [build-dependencies]. I would say all (external) dependencies should be represented even if some are commented out.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The kernel doesn't have any dependencies within the project, since it's a freestanding artifact that doesn't pull in any libraries.

I'll remove the filesystem dependency from the kernel.spec & Cargo.toml to help clarify this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I see.

tjkirch
tjkirch reviewed Apr 27, 2021
View reviewed changes
Dockerfile Show resolved Hide resolved
packages/kernel-5.10/latest-srpm-url.sh Show resolved Hide resolved
tools/rpm2kmodkit Outdated Show resolved Hide resolved
Makefile.toml Show resolved Hide resolved
webern
webern approved these changes Apr 27, 2021
View reviewed changes
packages/kernel-5.10/Cargo.toml
[[package.metadata.build-package.external-files]]
# Use latest-srpm-url.sh to get this.
url = "https://cdn.amazonlinux.com/blobstore/fa04b98fc067a4943beac60d0c2971e2fbef1a29faed4bac1c4096abe4ad4c12/kernel-5.10.29-27.126.amzn2.src.rpm"
sha512 = "47341f4a1c13ba7e5ea72bad13fe689eefd22cc7547aea08a08fe47238b4a3fe1659786a406b84a1d1508143be20d9be2fae6fe3e7a6924bc85043bf61d4bfce"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I see.

bcressey added 7 commits April 28, 2021 14:32
@bcressey
rename kernel package to kernel-5.4
55d30fa 
This allows us to add other kernels to the packages tree.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
add kernel 5.10 package
e218e79 
Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
move kernel dependency to variant definitions
55f3ad4 
Since we have multiple kernel versions available, variants must now
define the version they want to include.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
kernel: omit filesystem package dependency
45dfb75 
The "filesystem" package is an implicit dependency for all packages,
and it's pulled in by release.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
selinux-policy: update for kernel 5.10
be005b6 
Enable the new "genfs_seclabel_symlinks" capability to label symlinks
on kernel filesystems in the same way that files and directories are
labeled.

Add the new "perfmon", "bpf", and "checkpoint_restore" actions to the
"capability2" and "cap2_userns" classes. Add the new "perf_event" and
"lockdown" classes and the corresponding actions.

Add the new permissions into the blanket "systems" permission set, so
that we continue to rely on the existing kernel access checks without
adding new SELinux restrictions.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
refactor kmod kit creation
e0af06e 
Now that the installed kernel is a property of the variant, we need
to ensure that the kmod kit includes the development files that match
the chosen kernel.

By creating it as another stage in the variant build, it's easier to
find the right files, and to guarantee that the kmod kit is recreated
whenever the image changes.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
release: update sysctl defaults to match AL2
cfb32fc 
In the 5.10 kernel, the settings for `net.ipv4.ip_default_ttl` and
`net.ipv4.tcp_wmem` are no longer applied by patching the kernel.

Add them to sysctl defaults to keep the same values for both kernels.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
arnaldo2792
arnaldo2792 approved these changes Apr 28, 2021
View reviewed changes
Copy link
Contributor

@arnaldo2792 arnaldo2792 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👢

webern
webern approved these changes Apr 28, 2021
View reviewed changes
Copy link
Contributor

@webern webern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎸

@bcressey bcressey merged commit bab170a into bottlerocket-os:develop Apr 28, 2021
@bcressey bcressey deleted the kernel-five-ten branch April 28, 2021 18:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arnaldo2792 arnaldo2792 arnaldo2792 approved these changes

@webern webern webern approved these changes

@tjkirch tjkirch tjkirch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

build: support kmod kits for kernel 5.10 update default sysctls for 5.10 kernel
4 participants
@bcressey @tjkirch @webern @arnaldo2792