Kernel upgrade

.github/workflows/kernel-ci.yaml

@@ -7,24 +7,11 @@ on:
 jobs:
   kernel-validation:
     runs-on: self-hosted
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Use docker buildx
         run: docker buildx create --use
 
-      - run: echo "REGISTRY=$(ip addr show dev bond0 | awk '$1 == "inet" { sub("/.*", "", $2); print $2 }' | head -n 1)" >> $GITHUB_ENV
-
-      - run: make -C kernel devbuild ORG=${REGISTRY}:5000
-
-    # TODO: add artifacts for the built images
-    #- uses: actions/upload-artifact@v3
-    #  with:
-    #    name: TODO
-    #    path: TODO
+      - run: make build_5.15.x

.github/workflows/kernel-push.yaml

@@ -21,4 +21,4 @@ jobs:
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
 
-      - run: make -C kernel build
+      - run: make build_5.15.x

kernel/Dockerfile

@@ -1,4 +1,6 @@
-FROM linuxkit/alpine:e2391e0b164c57db9f6c4ae110ee84f766edc430 AS kernel-build
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE} AS kernel-build
+ARG BUILD_IMAGE
 RUN apk add \
     argp-standalone \
     automake \
@@ -16,10 +18,12 @@ RUN apk add \
     installkernel \
     kmod \
     elfutils-dev \
+    libunwind-dev \
     linux-headers \
     mpc1-dev \
     mpfr-dev \
     ncurses-dev \
+    openssl \
     openssl-dev \
     patch \
     rsync \
@@ -30,23 +34,18 @@ RUN apk add \
     xz-dev \
     zlib-dev
 
-# libunwind-dev pkg is missing for s390x for now. Only install on other arch
-RUN [ $(uname -m) != s390x ] && apk add libunwind-dev || true
-
 ARG KERNEL_VERSION
 ARG KERNEL_SERIES
 ARG EXTRA
 ARG DEBUG
 
-ENV WIREGUARD_VERSION=1.0.20200506
-ENV WIREGUARD_SHA256="98a99f2b825a82d57a7213e666f1ee4f7cc02bddb09bf4908b4b09447a8f121e"
-ENV WIREGUARD_URL=https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WIREGUARD_VERSION}.tar.xz
-
 # We copy the entire directory. This copies some unneeded files, but
 # allows us to check for the existence /patches-${KERNEL_SERIES} to
 # build kernels without patches.
 COPY / /
 
+RUN mkdir -p /out/src
+
 # Download and verify kernel
 # PGP keys: 589DA6B1 ([email protected]) & 6092693E ([email protected]) & 00411886 ([email protected])
 RUN KERNEL_MAJOR=$(echo ${KERNEL_VERSION} | cut -d . -f 1) && \
@@ -60,19 +59,17 @@ RUN KERNEL_MAJOR=$(echo ${KERNEL_VERSION} | cut -d . -f 1) && \
     KERNEL_SHA256=$(grep linux-${KERNEL_VERSION}.tar.xz sha256sums.asc | cut -d ' ' -f 1) && \
     [ -f linux-${KERNEL_VERSION}.tar.xz ] || curl -fsSLO ${KERNEL_SOURCE} && \
     echo "${KERNEL_SHA256}  linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c - && \
-    xz -T 0 -d linux-${KERNEL_VERSION}.tar.xz && \
+    xz -d linux-${KERNEL_VERSION}.tar.xz && \
     curl -fsSLO ${KERNEL_PGP2_SIGN} && \
     gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
-    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux
-
-
-RUN mkdir -p /out/src
+    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux && \
+    printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
 
 WORKDIR /tmp
 # Download Intel ucode, create a CPIO archive for it, and keep it in the build context
 # so the firmware can also be referenced with CONFIG_EXTRA_FIRMWARE
 ENV UCODE_REPO=https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
-ENV UCODE_COMMIT=microcode-20191115
+ENV UCODE_COMMIT=microcode-20210608
 RUN set -e && \
     if [ $(uname -m) == x86_64 ]; then \
         git clone ${UCODE_REPO} ucode && \
@@ -105,27 +102,17 @@ RUN set -e && \
         done; \
     fi
 
-
-
 # Save kernel source
-RUN tar cJf /out/src/linux.tar.xz /linux
+RUN XZ_DEFAULTS="-T0" tar cJf /out/src/linux.tar.xz /linux
 
 # Kernel config
-# The s390x defconfig moved with 5.2.x
 RUN case $(uname -m) in \
     x86_64) \
         KERNEL_DEF_CONF=/linux/arch/x86/configs/x86_64_defconfig; \
         ;; \
     aarch64) \
         KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
         ;; \
-    s390x) \
-        if [ -f /linux/arch/s390/defconfig ]; then \
-            KERNEL_DEF_CONF=/linux/arch/s390/defconfig; \
-        else \
-            KERNEL_DEF_CONF=/linux/arch/s390/configs/defconfig; \
-        fi; \
-        ;; \
     esac  && \
     cp /config-${KERNEL_SERIES}-$(uname -m) ${KERNEL_DEF_CONF}; \
     if [ -n "${EXTRA}" ] && [ -f "/config-${KERNEL_SERIES}-$(uname -m)${EXTRA}" ]; then \
@@ -142,41 +129,20 @@ RUN case $(uname -m) in \
 
 
 # Kernel
-RUN case $(uname -m) in \
-    s390x) \
-        KCFLAGS="-fno-pie -fPIC"; \
-        ;; \
-    *) \
-        KCFLAGS="-fno-pie"; \
-        ;; \
-    esac && \
-    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="$KCFLAGS" && \
+RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
     case $(uname -m) in \
     x86_64) \
         cp arch/x86_64/boot/bzImage /out/kernel; \
         ;; \
     aarch64) \
-        cp arch/arm64/boot/Image /out/kernel; \
-        ;; \
-    s390x) \
-        cp arch/s390/boot/bzImage /out/kernel; \
+        cp arch/arm64/boot/Image.gz /out/kernel; \
         ;; \
     esac && \
     cp System.map /out && \
     ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
 
-# WireGuard (skip kernels which have it in tree)
-RUN if [  ! -d /linux/drivers/net/wireguard ]; then \
-        curl -fsSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
-        echo "${WIREGUARD_SHA256}  /wireguard.tar.xz" | sha256sum -c - && \
-        cp /wireguard.tar.xz /out/src/ && \
-        tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "wireguard-linux-compat-${WIREGUARD_VERSION}/src" && \
-        make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules; \
-     fi
-
 # Modules and Device Tree binaries
 RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
-    make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
     ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
       cd /tmp/kernel-modules/lib/modules/$DVER && \
       rm build source && \
@@ -208,8 +174,7 @@ RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdept
          tar cf - -T - | (cd $dir; tar xf -) && \
     ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
 
-RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
-
+RUN printf "${BUILD_IMAGE}" > /out/kernel-builder
 
 FROM scratch
 ENTRYPOINT []

kernel/Dockerfile.bcc

@@ -1,7 +1,9 @@
 ARG IMAGE
+ARG BUILD_IMAGE
+
 FROM ${IMAGE} as ksrc
 
-FROM linuxkit/alpine:e2391e0b164c57db9f6c4ae110ee84f766edc430 AS build
+FROM ${BUILD_IMAGE} AS build
 RUN apk update && apk upgrade -a && \
   apk add --no-cache \
   argp-standalone \
@@ -14,8 +16,8 @@ RUN apk update && apk upgrade -a && \
   clang-static \
   cmake \
   curl \
+  elfutils-dev \
   flex-dev \
-  fts-dev \
   gettext-dev \
   git \
   iperf3 \
@@ -26,39 +28,22 @@ RUN apk update && apk upgrade -a && \
   llvm-static \
   luajit-dev \
   m4 \
-  python \
+  musl-fts-dev \
+  python3 \
   zlib-dev \
   && true
 
-RUN ln -s /usr/lib/cmake/llvm5/ /usr/lib/cmake/llvm && \
-    ln -s /usr/include/llvm5/llvm-c/ /usr/include/llvm-c && \
-    ln -s /usr/include/llvm5/llvm/ /usr/include/llvm
+RUN ln -s /usr/lib/cmake/llvm10/ /usr/lib/cmake/llvm && \
+    ln -s /usr/include/llvm10/llvm-c/ /usr/include/llvm-c && \
+    ln -s /usr/include/llvm10/llvm/ /usr/include/llvm
 
 WORKDIR /build
 
-COPY ./bcc.patches/ ./
-RUN mv error.h /usr/include/ && \
-    mv cdefs.h /usr/include/sys/
-
-ENV ELFUTILS_VERSION=0.165
-ENV ELFUTILS_SHA256="a7fc9277192caaa5f30b47e8c0518dbcfd8c4a19c6493a63d511d804290ce972"
-RUN curl -sSL -O https://fedorahosted.org/releases/e/l/elfutils/0.165/elfutils-$ELFUTILS_VERSION.tar.bz2 && \
-    echo "${ELFUTILS_SHA256}  /build/elfutils-$ELFUTILS_VERSION.tar.bz2" | sha256sum -c - && \
-    tar xjf elfutils-$ELFUTILS_VERSION.tar.bz2 && \
-    cd elfutils-$ELFUTILS_VERSION && \
-    patch -p1 < ../100-musl-compat.patch && \
-    patch -p0 < ../decl.patch && \
-    patch -p0 < ../intl.patch
-
-ENV BCC_COMMIT=0fa419a64e71984d42f107c210d3d3f0cc82d59a
+ENV BCC_COMMIT=14278bf1a52dd76ff66eed02cc9db7c7ec240da6
 RUN git clone https://github.com/iovisor/bcc.git && \
     cd bcc && \
-    git checkout $BCC_COMMIT
-
-ENV LJSYSCALL_COMMIT=e587f8c55aad3955dddab3a4fa6c1968037b5c6e
-RUN git clone https://github.com/justincormack/ljsyscall.git && \
-    cd ljsyscall && \
-    git checkout $LJSYSCALL_COMMIT
+    git checkout $BCC_COMMIT && \
+    sed -i 's/<error.h>/<errno.h>/' examples/cpp/KModRetExample.cc
 
 COPY --from=ksrc /kernel-headers.tar /build
 COPY --from=ksrc /kernel-dev.tar /build
@@ -67,24 +52,15 @@ RUN tar xf /build/kernel-headers.tar && \
     tar xf /build/kernel-dev.tar && \
     tar xf /build/kernel.tar
 
-RUN cd elfutils-$ELFUTILS_VERSION && \
-    aclocal && \
-    automake && \
-    ./configure --prefix=/usr CFLAGS="-Wno-strict-aliasing -Wno-error" && \
-    make -C libelf && make -C libelf install
-
 RUN mkdir -p bcc/build && cd bcc/build && \
     cmake .. -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON \
              -DCMAKE_C_FLAGS="-I/build/usr/include" \
+             -DPYTHON_CMD=python3 \
              -DCMAKE_CXX_FLAGS="-I/build/usr/include" \
-             -DCMAKE_INSTALL_PREFIX=/usr \
-             -DLUAJIT_INCLUDE_DIR=/usr/include/luajit-2.1 && \
+             -DCMAKE_INSTALL_PREFIX=/usr && \
     make && \
     make install
 
-RUN mkdir -p /usr/local/share/lua/5.1/ && \
-    cd ljsyscall && \
-    cp -a *.lua syscall /usr/local/share/lua/5.1/
 RUN mkdir -p /out/usr/ && \
     cp -a /build/usr/src /out/usr/ && \
     cp -a /build/usr/include /out/usr
@@ -93,22 +69,20 @@ RUN mkdir -p /out/usr/lib && \
     cp -a /usr/lib/libstdc* /out/usr/lib/ && \
     cp -a /usr/lib/libintl* /out/usr/lib/ && \
     cp -a /usr/lib64/* /out/usr/lib/
-RUN mkdir -p /out/usr/lib/python2.7 && \
-    cp -a /usr/lib/python2.7/site-packages /out/usr/lib/python2.7/
+RUN mkdir -p /out/usr/lib/python3.8 && \
+    cp -a /usr/lib/python3.8/site-packages /out/usr/lib/python3.8/
 RUN mkdir -p /out/usr/share && \
     cp -a /usr/share/bcc /out/usr/share/
 RUN mkdir -p /out/usr/bin && \
     cp -a /usr/bin/bcc-lua /out/usr/bin/
-RUN mkdir -p /out/usr/local/share/ && \
-    cp -a /usr/local/share/lua /out/usr/local/share/
 
-FROM linuxkit/alpine:e2391e0b164c57db9f6c4ae110ee84f766edc430 as mirror
+FROM ${BUILD_IMAGE} as mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk update && apk upgrade -a && \
   apk add --no-cache --initdb -p /out \
   busybox \
   luajit \
-  python \
+  python3 \
   zlib \
   && true
 

kernel/Dockerfile.kconfig

@@ -1,4 +1,8 @@
-FROM linuxkit/alpine:e2391e0b164c57db9f6c4ae110ee84f766edc430 AS kernel-build
+ARG BUILD_IMAGE
+FROM ${BUILD_IMAGE} AS kernel-build
+
+ARG KERNEL_VERSIONS
+
 RUN apk add \
     argp-standalone \
     bison \
@@ -14,8 +18,6 @@ RUN apk add \
     patch \
     xz
 
-ARG KERNEL_VERSIONS
-
 COPY / /
 
 # Unpack kernels (download if not present)
@@ -43,13 +45,6 @@ RUN set -e && \
         fi && \
         [ ! -f /config-${SERIES}-x86_64 ] || mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig && \
         [ ! -f /config-${SERIES}-aarch64 ] || mv /config-${SERIES}-aarch64 arch/arm64/configs/defconfig ; \
-        if [ -f /config-${SERIES}-s390x ]; then \
-            if [ -f /linux/arch/s390/defconfig ]; then \
-                mv /config-${SERIES}-s390x arch/s390/defconfig; \
-            else \
-                mv /config-${SERIES}-s390x arch/s390/configs/defconfig; \
-            fi; \
-        fi; \
     done
 
 ENTRYPOINT ["/bin/sh"]