Message ID | 20250108100755.55673-2-michael.adler@siemens.com (mailing list archive)
---|---
State | New
Series | linux-cip: add kernel config snippet for container compatibility
On Wed, 2025-01-08 at 11:07 +0100, Michael Adler via lists.cip- project.org wrote: > Obtaining a fully functional kernel configuration as required by popular > container engines such as Docker or Podman can be challenging. By > setting the Bitbake variable USE_CIP_KERNEL_CONTAINER_CONFIG to 1, a > kernel config snippet is included to ensure compatibility with these > container engines. > > Note: This feature is designed to be separate from the cip-kernel-config > project to allow for custom kernel configurations. > > Signed-off-by: Michael Adler <michael.adler@siemens.com> > --- > conf/machine/qemu-amd64.conf | 1 + > conf/machine/qemu-arm64.conf | 1 + > recipes-kernel/linux/files/container.cfg | 114 ++++++++++++++++++++++ > recipes-kernel/linux/linux-cip-common.inc | 5 + > 4 files changed, 121 insertions(+) > create mode 100644 recipes-kernel/linux/files/container.cfg > > diff --git a/conf/machine/qemu-amd64.conf b/conf/machine/qemu-amd64.conf > index d786646..dad6504 100644 > --- a/conf/machine/qemu-amd64.conf > +++ b/conf/machine/qemu-amd64.conf > @@ -10,4 +10,5 @@ DISTRO_ARCH = "amd64" > > IMAGE_FSTYPES ?= "ext4" > USE_CIP_KERNEL_CONFIG = "1" > +USE_CIP_KERNEL_CONTAINER_CONFIG = "1" > KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/x86/cip_merged_defconfig" > diff --git a/conf/machine/qemu-arm64.conf b/conf/machine/qemu-arm64.conf > index a2c5e53..8fd824c 100644 > --- a/conf/machine/qemu-arm64.conf > +++ b/conf/machine/qemu-arm64.conf 
> @@ -10,6 +10,7 @@ DISTRO_ARCH = "arm64" > > IMAGE_FSTYPES ?= "ext4" > USE_CIP_KERNEL_CONFIG = "1" > +USE_CIP_KERNEL_CONTAINER_CONFIG = "1" I get the idea, but the user / downstream could append your kconfig file to the SRC_URI directly. No need for the variable. Files ending in .cfg are "auto detected" as kernel configuration files. > KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig" > > # watchdog is not yet supported in our QEMU executor for this platform, disable it > diff --git a/recipes-kernel/linux/files/container.cfg b/recipes-kernel/linux/files/container.cfg > new file mode 100644 > index 0000000..18f8b2b > --- /dev/null > +++ b/recipes-kernel/linux/files/container.cfg 
> @@ -0,0 +1,114 @@ > +# Copyright (c) Siemens AG, 2025 > +# > +# Authors: > +# Michael Adler <michael.adler@siemens.com> > +# > +# SPDX-License-Identifier: MIT > + > +# Kernel configuration required by container runtimes such as Docker. > +# Based on the following scripts: > +# > +# - https://github.com/moby/moby/blob/master/contrib/check-config.sh > +# - https://github.com/opencontainers/runc/blob/main/script/check-config.sh > +# > +# NOTE: CONFIG_SECURITY_SELINUX and CONFIG_SECURITY_APPARMOR are intentionally > +# not enabled. > + > +CONFIG_NAMESPACES=y > +CONFIG_NET_NS=y > +CONFIG_PID_NS=y > +CONFIG_IPC_NS=y > +CONFIG_UTS_NS=y > + > +CONFIG_CPUSETS=y > +CONFIG_CRYPTO=y > +CONFIG_CRYPTO_AEAD=y > +CONFIG_CRYPTO_GCM=y > +CONFIG_CRYPTO_GHASH=y > +CONFIG_CRYPTO_SEQIV=y > +CONFIG_KEYS=y > +CONFIG_MEMCG=y > +CONFIG_CHECKPOINT_RESTORE=y > + > +CONFIG_OVERLAY_FS=m > + > +CONFIG_CGROUPS=y > +CONFIG_CGROUP_CPUACCT=y > +CONFIG_CGROUP_DEVICE=y > +CONFIG_CGROUP_FREEZER=y > +CONFIG_CGROUP_NET_PRIO=y > +CONFIG_CGROUP_PERF=y > +CONFIG_CGROUP_PIDS=y > +CONFIG_CGROUP_SCHED=y > +CONFIG_FAIR_GROUP_SCHED=y > +CONFIG_CGROUP_BPF=y > +CONFIG_BPF_SYSCALL=y > +CONFIG_CFS_BANDWIDTH=y > +CONFIG_RT_GROUP_SCHED=y > + > +CONFIG_HUGETLBFS=y > +CONFIG_CGROUP_HUGETLB=y > + > +CONFIG_BLK_CGROUP=y > +CONFIG_BLK_CGROUP_IOCOST=y > +CONFIG_BLK_DEV_THROTTLING=y > + > +CONFIG_NET=y > +CONFIG_NET_CLS_CGROUP=y > +CONFIG_NET_CLS_ACT=y > +CONFIG_NET_EMATCH=y > +CONFIG_NET_SCHED=y > +CONFIG_NETLABEL=y > +CONFIG_INET=y > +CONFIG_POSIX_MQUEUE=y > + > +CONFIG_NETDEVICES=y > +CONFIG_NET_CORE=y > +CONFIG_VETH=m > +CONFIG_BRIDGE=m > +CONFIG_BRIDGE_NETFILTER=m > +CONFIG_BRIDGE_VLAN_FILTERING=m > +CONFIG_VXLAN=m > +CONFIG_IPVLAN=m > +CONFIG_MACVLAN=m > + > +CONFIG_NETFILTER=y > +CONFIG_NETFILTER_ADVANCED=y > +CONFIG_NETFILTER_XT_MARK=m > +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m > +CONFIG_NETFILTER_XT_MATCH_BPF=m > +CONFIG_NETFILTER_XT_MATCH_COMMENT=m > +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m > 
+CONFIG_NETFILTER_XT_MATCH_IPVS=m > +CONFIG_IP_NF_FILTER=m > +CONFIG_IP_NF_IPTABLES=m > +CONFIG_IP_NF_MANGLE=m > +CONFIG_IP_NF_NAT=m > +CONFIG_IP_NF_TARGET_MASQUERADE=m > +CONFIG_IP_NF_TARGET_REDIRECT=m > +CONFIG_IP_VS=m > +CONFIG_IP_VS_NFCT=y > +CONFIG_IP_VS_PROTO_TCP=y > +CONFIG_IP_VS_PROTO_UDP=y > +CONFIG_IP_VS_RR=m > + > +CONFIG_NF_TABLES=m > +CONFIG_NF_TABLES_INET=y > +CONFIG_NF_TABLES_NETDEV=y > +CONFIG_NF_CONNTRACK=m > +CONFIG_NF_CONNTRACK_FTP=m > +CONFIG_NF_CT_NETLINK=m > +CONFIG_NF_NAT=m > +CONFIG_NF_NAT_IPV4=m > +CONFIG_NF_NAT_MASQUERADE=m > +CONFIG_NF_NAT_NEEDED=m > + > +CONFIG_NFT_COMPAT=m > +CONFIG_NFT_CT=m > +CONFIG_NFT_HASH=m > +CONFIG_NFT_LIMIT=m > +CONFIG_NFT_LOG=m > +CONFIG_NFT_MASQ=m > +CONFIG_NFT_NAT=m > +CONFIG_NFT_REDIR=m > +CONFIG_NFT_REJECT=m All CIP kernels are building fine with this config enabled? I'm missing the testing part... > diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc > index 5d1b8ac..437ee17 100644 > --- a/recipes-kernel/linux/linux-cip-common.inc > +++ b/recipes-kernel/linux/linux-cip-common.inc > @@ -23,4 +23,9 @@ SRC_URI += " \ > https://cdn.kernel.org/pub/linux/kernel/projects/cip/${KERNEL_MAJOR_MINOR}/linux-cip-${PV}.tar.xz \ > " > > +SRC_URI:append = " ${@ \ > + 'file://container.cfg' \ > + if d.getVar('USE_CIP_KERNEL_CONTAINER_CONFIG') == '1' else '' \ > + }" > + As said, could be moved to the user. > S = "${WORKDIR}/linux-cip-${PV}" > -- > 2.47.1
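The review above asks for the testing part; one mechanical check is to compare what the fragment requested with what the merged .config actually contains, which is also where stale or dependency-blocked symbols show up. This is an added example, not code from the patch or from isar-cip-core; `check_fragment` and `run_demo` are hypothetical helpers, and the sample fragment and .config are constructed.

```shell
# Added example, not part of the patch or of isar-cip-core: check that every symbol a
# kconfig fragment asks for survived into the final .config, the way merge_config.sh
# warns about "requested value not in final .config". A built-in (=y) symbol is
# accepted where the fragment asked for a module (=m); anything else is reported.
check_fragment() {
    frag=$1 cfg=$2 rc=0          # $1 = fragment (e.g. container.cfg), $2 = merged .config
    while IFS= read -r line; do
        case $line in
            CONFIG_*=*) ;;       # only assignment lines matter; skip comments and blanks
            *) continue ;;
        esac
        sym=${line%%=*}
        want=${line#*=}
        got=$(sed -n "s/^$sym=\(.*\)$/\1/p" "$cfg")
        if [ -z "$got" ]; then
            if grep -q "^# $sym is not set" "$cfg"; then
                echo "$sym: requested $want, is not set in final .config"
            else
                echo "$sym: requested $want, symbol absent from final .config (unknown to this kernel or dependency unmet)"
            fi
            rc=1
        elif [ "$got" != "$want" ] && ! { [ "$want" = m ] && [ "$got" = y ]; }; then
            echo "$sym: requested $want, final .config has $got"
            rc=1
        fi
    done < "$frag"
    return $rc
}
# Constructed sample input (not a real build): a few lines of the fragment and a
# final .config where one symbol was dropped and one does not exist in this kernel.
run_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/container.cfg" <<'EOF'
# Kernel configuration required by container runtimes
CONFIG_NAMESPACES=y
CONFIG_OVERLAY_FS=m
CONFIG_NET_CLS_CGROUP=y
CONFIG_NF_NAT_IPV4=m
EOF
    cat > "$tmp/.config" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_OVERLAY_FS=y
# CONFIG_NET_CLS_CGROUP is not set
EOF
    rc=0; check_fragment "$tmp/container.cfg" "$tmp/.config" || rc=$?
    rm -rf "$tmp"
    return $rc
}
run_demo || echo "fragment not fully applied: fix dependencies in the base defconfig or drop stale symbols"
```

Run it against the real fragment and the .config from the kernel build directory to get the list of symbols that were requested but did not take effect.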
diff --git a/conf/machine/qemu-amd64.conf b/conf/machine/qemu-amd64.conf index d786646..dad6504 100644 --- a/conf/machine/qemu-amd64.conf +++ b/conf/machine/qemu-amd64.conf @@ -10,4 +10,5 @@ DISTRO_ARCH = "amd64" IMAGE_FSTYPES ?= "ext4" USE_CIP_KERNEL_CONFIG = "1" +USE_CIP_KERNEL_CONTAINER_CONFIG = "1" KERNEL_DEFCONFIG = "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/x86/cip_merged_defconfig" diff --git a/conf/machine/qemu-arm64.conf b/conf/machine/qemu-arm64.conf index a2c5e53..8fd824c 100644 --- a/conf/machine/qemu-arm64.conf +++ b/conf/machine/qemu-arm64.conf @@ -10,6 +10,7 @@ DISTRO_ARCH = "arm64" IMAGE_FSTYPES ?= "ext4" USE_CIP_KERNEL_CONFIG = "1" +USE_CIP_KERNEL_CONTAINER_CONFIG = "1" KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/cip_merged_defconfig" # watchdog is not yet supported in our QEMU executor for this platform, disable it diff --git a/recipes-kernel/linux/files/container.cfg b/recipes-kernel/linux/files/container.cfg new file mode 100644 index 0000000..18f8b2b --- /dev/null +++ b/recipes-kernel/linux/files/container.cfg 
@@ -0,0 +1,114 @@ +# Copyright (c) Siemens AG, 2025 +# +# Authors: +# Michael Adler <michael.adler@siemens.com> +# +# SPDX-License-Identifier: MIT + +# Kernel configuration required by container runtimes such as Docker. +# Based on the following scripts: +# +# - https://github.com/moby/moby/blob/master/contrib/check-config.sh +# - https://github.com/opencontainers/runc/blob/main/script/check-config.sh +# +# NOTE: CONFIG_SECURITY_SELINUX and CONFIG_SECURITY_APPARMOR are intentionally +# not enabled. + +CONFIG_NAMESPACES=y +CONFIG_NET_NS=y +CONFIG_PID_NS=y +CONFIG_IPC_NS=y +CONFIG_UTS_NS=y + +CONFIG_CPUSETS=y +CONFIG_CRYPTO=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_KEYS=y +CONFIG_MEMCG=y +CONFIG_CHECKPOINT_RESTORE=y + +CONFIG_OVERLAY_FS=m + +CONFIG_CGROUPS=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CGROUP_BPF=y +CONFIG_BPF_SYSCALL=y +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y + +CONFIG_HUGETLBFS=y +CONFIG_CGROUP_HUGETLB=y + +CONFIG_BLK_CGROUP=y +CONFIG_BLK_CGROUP_IOCOST=y +CONFIG_BLK_DEV_THROTTLING=y + +CONFIG_NET=y +CONFIG_NET_CLS_CGROUP=y +CONFIG_NET_CLS_ACT=y +CONFIG_NET_EMATCH=y +CONFIG_NET_SCHED=y +CONFIG_NETLABEL=y +CONFIG_INET=y +CONFIG_POSIX_MQUEUE=y + +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +CONFIG_VETH=m +CONFIG_BRIDGE=m +CONFIG_BRIDGE_NETFILTER=m +CONFIG_BRIDGE_VLAN_FILTERING=m +CONFIG_VXLAN=m +CONFIG_IPVLAN=m +CONFIG_MACVLAN=m + +CONFIG_NETFILTER=y +CONFIG_NETFILTER_ADVANCED=y +CONFIG_NETFILTER_XT_MARK=m +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m +CONFIG_NETFILTER_XT_MATCH_BPF=m +CONFIG_NETFILTER_XT_MATCH_COMMENT=m +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m +CONFIG_NETFILTER_XT_MATCH_IPVS=m +CONFIG_IP_NF_FILTER=m +CONFIG_IP_NF_IPTABLES=m +CONFIG_IP_NF_MANGLE=m +CONFIG_IP_NF_NAT=m +CONFIG_IP_NF_TARGET_MASQUERADE=m +CONFIG_IP_NF_TARGET_REDIRECT=m 
+CONFIG_IP_VS=m +CONFIG_IP_VS_NFCT=y +CONFIG_IP_VS_PROTO_TCP=y +CONFIG_IP_VS_PROTO_UDP=y +CONFIG_IP_VS_RR=m + +CONFIG_NF_TABLES=m +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y +CONFIG_NF_CONNTRACK=m +CONFIG_NF_CONNTRACK_FTP=m +CONFIG_NF_CT_NETLINK=m +CONFIG_NF_NAT=m +CONFIG_NF_NAT_IPV4=m +CONFIG_NF_NAT_MASQUERADE=m +CONFIG_NF_NAT_NEEDED=m + +CONFIG_NFT_COMPAT=m +CONFIG_NFT_CT=m +CONFIG_NFT_HASH=m +CONFIG_NFT_LIMIT=m +CONFIG_NFT_LOG=m +CONFIG_NFT_MASQ=m +CONFIG_NFT_NAT=m +CONFIG_NFT_REDIR=m +CONFIG_NFT_REJECT=m diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc index 5d1b8ac..437ee17 100644 --- a/recipes-kernel/linux/linux-cip-common.inc +++ b/recipes-kernel/linux/linux-cip-common.inc @@ -23,4 +23,9 @@ SRC_URI += " \ https://cdn.kernel.org/pub/linux/kernel/projects/cip/${KERNEL_MAJOR_MINOR}/linux-cip-${PV}.tar.xz \ " +SRC_URI:append = " ${@ \ + 'file://container.cfg' \ + if d.getVar('USE_CIP_KERNEL_CONTAINER_CONFIG') == '1' else '' \ + }" + S = "${WORKDIR}/linux-cip-${PV}"
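Review bot: the qemu-amd64.conf and qemu-arm64.conf hunks switch the container fragment on by default for both reference QEMU machines, yet the new USE_CIP_KERNEL_CONTAINER_CONFIG variable is documented nowhere in the series (4 files changed, none of them a README or doc). Either add a short description of the variable and its default next to the existing USE_CIP_KERNEL_CONFIG documentation, or follow the suggestion in the review above and drop the variable so that downstream layers add `file://container.cfg` to SRC_URI themselves, which the .cfg auto-detection already covers.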
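Review bot: the container.cfg hunk lists symbols that no longer exist on the newer CIP kernel branches, namely CONFIG_NF_NAT_IPV4 and CONFIG_NF_NAT_NEEDED (the moby check-config.sh the header cites only checks them for kernels up to 5.1), so merge_config.sh will flag them as not present in the final .config there; please state which linux-cip versions the fragment was merged and boot-tested on, and either drop the stale symbols or keep them behind a comment. Two more points on the same hunk: the header says CONFIG_SECURITY_SELINUX and CONFIG_SECURITY_APPARMOR are "intentionally not enabled" without giving the reason, and CONFIG_SECCOMP / CONFIG_SECCOMP_FILTER are not in the fragment although the cited check-config.sh treats them as generally necessary and Docker only applies its default seccomp profile when the kernel supports filtering, so a comment saying whether these are expected from the base defconfig would keep users from silently losing that sandbox; and CONFIG_RT_GROUP_SCHED=y changes scheduling for the whole system, not just containers, since real-time tasks placed in a child cgroup cannot start until that cgroup is given an rt_runtime_us budget, which is a well-known pitfall and deserves either a justification or a separate opt-in.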
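Review bot: the linux-cip-common.inc hunk uses `SRC_URI:append` while the lines just above use `SRC_URI +=`; pick one form, and the inline Python reads more easily without the backslash continuations inside `${@ ... }`, e.g. `SRC_URI += "${@'file://container.cfg' if d.getVar('USE_CIP_KERNEL_CONTAINER_CONFIG') == '1' else ''}"`. Note also that the check is a strict string compare, so any value other than "1" silently disables the fragment; if the variable stays, either say so in its documentation or evaluate it with `bb.utils.to_boolean`. As the review above says, dropping the variable and the conditional altogether and letting users append the .cfg file is the simpler option.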
Obtaining a fully functional kernel configuration as required by popular container engines such as Docker or Podman can be challenging. By setting the Bitbake variable USE_CIP_KERNEL_CONTAINER_CONFIG to 1, a kernel config snippet is included to ensure compatibility with these container engines. Note: This feature is designed to be separate from the cip-kernel-config project to allow for custom kernel configurations. Signed-off-by: Michael Adler <michael.adler@siemens.com> --- conf/machine/qemu-amd64.conf | 1 + conf/machine/qemu-arm64.conf | 1 + recipes-kernel/linux/files/container.cfg | 114 ++++++++++++++++++++++ recipes-kernel/linux/linux-cip-common.inc | 5 + 4 files changed, 121 insertions(+) create mode 100644 recipes-kernel/linux/files/container.cfg