The kernel now includes a script for installing the files needed to
build out-of-tree modules, rendering our existing code obsolete. The
layout is different, but we were following Ubuntu's non-standard layout
when there was no need to. Ubuntu's approach is seemingly designed to
save space by symlinking common files across different platforms, but
Flatcar doesn't need to do this.
More importantly, our previous approach relied on a kernel patch we have
carried for years that no longer applies from v6.13. The patch cannot
simply be reworked as the underlying mechanism has changed.
This clears the last major blocker for the arm64 SDK as the previous
approach also relied on implicit execution by QEMU.
There has been concern that this may break compatibility with some
modules, but I have not seen any issues in practise. I have symlinked
`source` to `build` even though we don't install the full kernel sources
because this is what Fedora does, and it makes the layout resemble
Ubuntu a little more. Should any issues arise, I will gladly work with
upstreams to resolve them or otherwise make adjustments.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This reverts commit 363f2810702b71e17cba5c543dc9568451e0b1a5.
This unfortunately breaks the /boot size limit.
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
sys-kernel/coreos-modules: Enable CONFIG_INET_DIAG_DESTROY
Enables cilium to work with kubeProxyReplacement using socketLB.
Also helps other tools like ss -K to work.
This change adds inotify-tools to portage-stable, and to the azure OEM
sysext. It also adds urllib3 to the azure OEM sysext.
Both are added to satisfy optional dependencies in Azure cloud.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
This config enables the syscall tracepoints which are mainly used by
different security and observability tools.
The config was moved to common, so it's removed from the AMD64 only
config.
Signed-off-by: Jon Doron <jond@wiz.io>
systemd-journal's Forward Secure Sealing feature requires gcrypt, but
Flatcar doesn't need it.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Again, zstd is faster but we're getting seriously short on space. Unlike
the kernel itself, this applies to both amd64 and arm64.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This is the GPRS Tunneling Protocol datapath for usage in telecoms
scenarios. It has been requested by a user.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Giving the --best or -9 option results in a heavier decompression cost
with no gain on such small files.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Secure Boot prevents you from loading additional modules so remove them
to save space. These modules could be useful for debugging with Secure
Boot disabled, but manually copying the modules with debug symbols is
even more useful and not that difficult.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
edk2-bin now supports multiple platforms, including QEMU on arm64, so we
no longer need to use Fedora's build. Note that the Secure Boot
implementation is currently insecure as it lacks SMM, which is needed to
protect the EFI variable store.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The new arm64 firmware supporting Secure Boot (see next commit) is in
QCOW2 format only, avoiding the extra space taken up by the 64MB
padding. Supporting both raw and QCOW2 images would be messy, so switch
entirely to QCOW2.
Only the 4MB images are in QCOW2 format on amd64, so also switch away
from the 2MB images. 4MB images are now the default for most
distributions as they are needed to apply certain Windows updates.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We initially thought we would need Red Hat's patch set. Then it looked
like we wouldn't because the TPM Event Log appeared to work without it.
We later discovered that on amd64, it only works with Secure Boot
disabled. The patch set also fixes Secure Boot on arm64, which would
have otherwise needed a couple of patches from Canonical.
We have to drop Gentoo's patches because they conflict, but they don't
affect Flatcar anyway.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
* oem-azure: add hyperv daemons
This change adds hyperv daemons hv_fcopy, hv_kvp, and hv_vss to the
Azure and HyperV OEM sysexts. hv_kvp specifically is needed to submit OS version
information to the Azure hypervisor.
The daemons, tough userspace programs, are built from the kernel sources
as they are included in the Linux kernel.
As the ebuild is (somewhat) kernel specific, it should be updated when the kernel
is updated. Respective additions have been made to the kernel update GitHub actions
automation.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
Co-authored-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
