add support for kernel 5.10 #1526
Conversation
All the builds for arm64 failed, so I'm trying something different to see if I can placate CI.
tools/buildsys/src/builder.rs
Outdated
@@ -390,6 +394,15 @@ fn getenv(var: &str) -> Result<String> { | |||
env::var(var).context(error::Environment { var }) | |||
} | |||
|
|||
/// Map a Linux architecture into the corresponding Docker architecture. |
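Review bot: the doc comment on the last line of the hunk promises a Linux-to-Docker architecture mapping, but the hunk stops before showing how an architecture with no Docker counterpart is handled; since `getenv` just above returns `Result<String>` with an `error::Environment` context, the new function should likewise return a `Result` (or take an enum of supported architectures, as the reviewer suggests) rather than falling through to a default string.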
An enum with `fn goarch(&self) -> &'static str` might be nice.
[[package.metadata.build-package.external-files]] | ||
# Use latest-srpm-url.sh to get this. | ||
url = "https://cdn.amazonlinux.com/blobstore/fa04b98fc067a4943beac60d0c2971e2fbef1a29faed4bac1c4096abe4ad4c12/kernel-5.10.29-27.126.amzn2.src.rpm" | ||
sha512 = "47341f4a1c13ba7e5ea72bad13fe689eefd22cc7547aea08a08fe47238b4a3fe1659786a406b84a1d1508143be20d9be2fae6fe3e7a6924bc85043bf61d4bfce" |
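Review bot: the `sha512` line is the integrity pin for the SRPM, and the 64-hex-character component in the blobstore URL path is a different, shorter digest, so the build must compare the downloaded bytes against the `sha512` value rather than trusting the URL; the `# Use latest-srpm-url.sh to get this.` comment should also say whether that script produces the hash or whether it must be recomputed locally from the fetched file.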
This seems to be missing the `[dependencies]` and `[build-dependencies]`. I would say all (external) dependencies should be represented even if some are commented out.
The kernel doesn't have any dependencies within the project, since it's a freestanding artifact that doesn't pull in any libraries. I'll remove the `filesystem` dependency from the kernel.spec & Cargo.toml to help clarify this.
Oh I see.
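The external-files entry discussed in this thread pins the kernel SRPM by URL and sha512. As an added example (not Bottlerocket's buildsys code), here is the check a build step should perform before unpacking such a file: parse the pinned entries, hash the fetched bytes, and refuse anything missing or mismatched. The minimal TOML parser, the `check_cache` helper and the stand-in archive bytes are assumptions made for this illustration; the URL and sha512 are the ones in the hunk above.

```python
"""Verify a build-package external-files pin (added example, not Bottlerocket code).

Assumptions: a minimal parser for the flat [[package.metadata.build-package.external-files]]
shape seen in the PR, a verify step over bytes that were already fetched, and
constructed stand-in archive bytes (the real SRPM is not embedded here).
"""
import hashlib
import hmac
import re

# Pinned entry as it appears in the PR's Cargo.toml hunk.
CARGO_TOML = '''
[package]
name = "kernel-5.10"

[[package.metadata.build-package.external-files]]
# Use latest-srpm-url.sh to get this.
url = "https://cdn.amazonlinux.com/blobstore/fa04b98fc067a4943beac60d0c2971e2fbef1a29faed4bac1c4096abe4ad4c12/kernel-5.10.29-27.126.amzn2.src.rpm"
sha512 = "47341f4a1c13ba7e5ea72bad13fe689eefd22cc7547aea08a08fe47238b4a3fe1659786a406b84a1d1508143be20d9be2fae6fe3e7a6924bc85043bf61d4bfce"
'''

EXTERNAL_FILES_HEADER = "[[package.metadata.build-package.external-files]]"
_KV = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_external_files(toml_text):
    """Return [{"url": ..., "sha512": ...}, ...], one dict per external-files table.

    Handles only the flat key = "string" shape used for these entries (use tomllib
    on Python 3.11+ for full TOML). Rejects a pin that is not a well-formed sha512
    hex digest so that a truncated or placeholder hash can never "verify".
    """
    entries = []
    current = None
    for raw in toml_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.strip() == EXTERNAL_FILES_HEADER:
            current = {}
            entries.append(current)
            continue
        if line.lstrip().startswith("["):      # some other table: stop collecting
            current = None
            continue
        m = _KV.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
    for e in entries:
        if "url" not in e or "sha512" not in e:
            raise ValueError("external-files entry needs both url and sha512: %r" % e)
        if not re.fullmatch(r"[0-9a-f]{128}", e["sha512"]):
            raise ValueError("sha512 must be 128 lowercase hex chars: %r" % e["sha512"])
    return entries


def sha512_hex(data):
    """Hex sha512 of the fetched bytes; the value the pin is compared against."""
    return hashlib.sha512(data).hexdigest()


def verify_external_file(data, expected_sha512):
    """True iff sha512(data) equals the pin. Constant-time compare; the pin is
    lowercased so a mixed-case pin does not silently fail."""
    return hmac.compare_digest(sha512_hex(data), expected_sha512.lower())


def check_cache(toml_text, fetched):
    """fetched maps url -> bytes already downloaded. Returns {url: status} with
    status in {"ok", "mismatch", "missing"}; anything but "ok" must fail the build."""
    result = {}
    for e in parse_external_files(toml_text):
        data = fetched.get(e["url"])
        if data is None:
            result[e["url"]] = "missing"
        elif verify_external_file(data, e["sha512"]):
            result[e["url"]] = "ok"
        else:
            result[e["url"]] = "mismatch"
    return result


if __name__ == "__main__":
    # Constructed stand-in for the SRPM bytes; the pinned digest will not match it,
    # so the check reports "mismatch" instead of letting the build continue.
    fake_srpm = b"not the real kernel-5.10.29-27.126.amzn2.src.rpm"
    url = parse_external_files(CARGO_TOML)[0]["url"]
    print(check_cache(CARGO_TOML, {url: fake_srpm}))
```

The status dict rather than a boolean lets a build log say which pin failed and how; a "missing" entry is as fatal as a "mismatch", since a file that never arrived cannot have been verified.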
This allows us to add other kernels to the packages tree. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Signed-off-by: Ben Cressey <bcressey@amazon.com>
Since we have multiple kernel versions available, variants must now define the version they want to include. Signed-off-by: Ben Cressey <bcressey@amazon.com>
The "filesystem" package is an implicit dependency for all packages, and it's pulled in by release. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Enable the new "genfs_seclabel_symlinks" capability to label symlinks on kernel filesystems in the same way that files and directories are labeled. Add the new "perfmon", "bpf", and "checkpoint_restore" actions to the "capability2" and "cap2_userns" classes. Add the new "perf_event" and "lockdown" classes and the corresponding actions. Add the new permissions into the blanket "systems" permission set, so that we continue to rely on the existing kernel access checks without adding new SELinux restrictions. Signed-off-by: Ben Cressey <bcressey@amazon.com>
Now that the installed kernel is a property of the variant, we need to ensure that the kmod kit includes the development files that match the chosen kernel. By creating it as another stage in the variant build, it's easier to find the right files, and to guarantee that the kmod kit is recreated whenever the image changes. Signed-off-by: Ben Cressey <bcressey@amazon.com>
In the 5.10 kernel, the settings for `net.ipv4.ip_default_ttl` and `net.ipv4.tcp_wmem` are no longer applied by patching the kernel. Add them to sysctl defaults to keep the same values for both kernels. Signed-off-by: Ben Cressey <bcressey@amazon.com>
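The commit above moves two settings out of kernel patches and into sysctl defaults so both kernels end up with the same values. As an added example (not Bottlerocket's own code), here is a checker of the kind that backs the "sysctl values were set as expected" test later in this PR: it parses a sysctl.d-style fragment, maps each key to its `/proc/sys` path with sysctl(8)'s slash-versus-dot rule, and reports drift against observed values. The fragment, its values (64 and 4096 16384 4194304 are placeholders, not the project's settings), the extra `rp_filter` line and the observed dict are all constructed for this illustration.

```python
"""Check that sysctl defaults match on a host (added example, not Bottlerocket code).

Assumptions: the two keys named in the commit, with placeholder values rather than
the values the project ships; parse_sysctl_conf follows sysctl.conf syntax; the
observed values are passed in as a dict standing in for /proc/sys so the check runs
offline (read_procsys reads the live files when you have a host).
"""

# Constructed sysctl.d fragment: keys from the commit, values are placeholders.
SYSCTL_DEFAULTS = """
# Settings previously applied by kernel patches; kept in sysctl so that the
# 5.4 and 5.10 kernels end up with the same values.
net.ipv4.ip_default_ttl = 64
net.ipv4.tcp_wmem = 4096  16384   4194304
# Leading '-' means "do not fail if the key is absent" (sysctl.conf semantics).
-net/ipv4/conf/eth0.100/rp_filter = 1
"""


def procsys_path(key):
    """Map a sysctl key to its /proc/sys path. Per sysctl(8): if the key contains
    a '/', slashes separate components and dots are literal (needed for
    interface names like eth0.100); otherwise dots separate components."""
    if "/" in key:
        return "/proc/sys/" + key.strip("/")
    return "/proc/sys/" + key.replace(".", "/")


def parse_sysctl_conf(text):
    """Return {path: (value, optional)} for a sysctl.conf-style fragment.
    Values are whitespace-normalized so "4096  16384   4194304" compares equal
    to the tab-separated form the kernel prints."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError("malformed sysctl line: %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        optional = key.startswith("-")
        if optional:
            key = key[1:].strip()
        settings[procsys_path(key)] = (" ".join(value.split()), optional)
    return settings


def check_sysctl(expected, observed):
    """Compare expected {path: (value, optional)} with observed {path: value}.
    Returns a list of human-readable problems; an empty list means every
    non-optional key is present with the intended value."""
    problems = []
    for path, (want, optional) in sorted(expected.items()):
        got = observed.get(path)
        if got is None:
            if not optional:
                problems.append("%s: missing" % path)
            continue
        if " ".join(got.split()) != want:
            problems.append("%s: expected %r, got %r" % (path, want, got))
    return problems


def read_procsys(expected):
    """Read the expected keys from the live /proc/sys; absent keys are skipped so
    check_sysctl can report them as missing (or ignore them if optional)."""
    observed = {}
    for path in expected:
        try:
            with open(path) as f:
                observed[path] = f.read().strip()
        except OSError:
            pass
    return observed


if __name__ == "__main__":
    expected = parse_sysctl_conf(SYSCTL_DEFAULTS)
    # Constructed observation standing in for a host; swap in read_procsys(expected)
    # to check a real machine.
    observed = {
        "/proc/sys/net/ipv4/ip_default_ttl": "64",
        "/proc/sys/net/ipv4/tcp_wmem": "4096\t16384\t4194304",
    }
    for line in check_sysctl(expected, observed) or ["all sysctl defaults match"]:
        print(line)
```

Run the same fragment against both variants and the two problem lists should be empty; a non-empty list on one kernel is exactly the divergence the commit is meant to prevent.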
👢
🎸
Issue number:
Fixes #1349
Fixes #1454
Description of changes:
Rename the kernel package to kernel-5.4, and add kernel-5.10. Move kernel selection to variant definitions, and adjust kmod-kit builds to support different kernels.
Add sysctl settings to `release` to keep defaults the same for both kernels. Add new classes and permissions to the SELinux policy.
Testing done:
The kernel spec files have only minor differences. The Lustre patch is no longer needed, and a few extra files are required in the devel archive.
For the 5.10 kernel, I confirmed that kmod-kits worked for both targets using artifacts built on both hosts. I built ZFS, copied modules to running hosts, and confirmed that they would load. For x86_64, I also installed Falco using helm, and confirmed that the kernel module loaded.
For `aws-k8s-1.19` (kernel 5.4) and `aws-k8s-1.20` (kernel 5.10) I confirmed that the sysctl values were set as expected:
I also confirmed that the SELinux policy loaded correctly on 5.10, and with an informational message on kernel 5.4.
aws-k8s-1.20
aws-k8s-1.19
kmod-kits were correctly linked in by `cargo make repo`:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.