The growth of binaries over time and the inclusion of new features
filled the available boot partition space, so that the kernel+initrd
almost couldn't fit twice anymore as required for updates. We employed
workarounds such as wrapper scripts for ignition, afterburn and other
binaries so that they are loaded from /usr. However, this was still not
enough and we would have to do the same for (network) kernel modules and
firmware. To avoid making this ever more complex we can use a dedicated
initrd focused on loading the full initrd from /usr and then this full
initrd can use dracut as before and even drop all the workarounds we
accumulated.
Generate a minimal initrd to use instead of the full bootengine initrd.
The bootengine initrd gets stored as squashfs on /usr. The minimal
initrd still includes the early_cpio for amd64 microcode updates.
We have a fixed list of modules or module directories to include, only
focused on loading /usr and any emergency console interaction. This
requires also checking for module dependencies to copy over.
The busybox, veritysetup, and kmod binaries are needed and get their
required libraries resolved and copied over. They are not static and
use shared libraries which should be ok for now. The resulting vmlinuz
file is 27 MB for amd64, down from ~60 MB, so we have enough room to
include more kernel modules and so on for the next years while we also
grow the boot partition and wait for users to redeploy until we can rely
on a larger boot partition and eventually drop the minimal initrd again.
Pulls in https://github.com/flatcar/bootengine/pull/110 for the
minimal initrd script and https://github.com/flatcar/seismograph/pull/12
for making the device mapper discovery for the "rootdev" command more
reliable.
This also requied a backport of a kernel patch from 2017 that exposes
the PARTUUID in the /sys uevent file.
Co-authored-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: Kai Lueke <kailuke@microsoft.com>
sys-kernel/coreos-modules: Enable CONFIG_INET_DIAG_DESTROY
Enables cilium to work with kubeProxyReplacement using socketLB.
Also helps other tools like ss -K to work.
This change adds inotify-tools to portage-stable, and to the azure OEM
sysext. It also adds urllib3 to the azure OEM sysext.
Both are added to satisfy optional dependencies in Azure cloud.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
This config enables the syscall tracepoints which are mainly used by
different security and observability tools.
The config was moved to common, so it's removed from the AMD64 only
config.
Signed-off-by: Jon Doron <jond@wiz.io>
systemd-journal's Forward Secure Sealing feature requires gcrypt, but
Flatcar doesn't need it.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Again, zstd is faster but we're getting seriously short on space. Unlike
the kernel itself, this applies to both amd64 and arm64.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This is the GPRS Tunneling Protocol datapath for usage in telecoms
scenarios. It has been requested by a user.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Giving the --best or -9 option results in a heavier decompression cost
with no gain on such small files.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Secure Boot prevents you from loading additional modules so remove them
to save space. These modules could be useful for debugging with Secure
Boot disabled, but manually copying the modules with debug symbols is
even more useful and not that difficult.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
edk2-bin now supports multiple platforms, including QEMU on arm64, so we
no longer need to use Fedora's build. Note that the Secure Boot
implementation is currently insecure as it lacks SMM, which is needed to
protect the EFI variable store.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
The new arm64 firmware supporting Secure Boot (see next commit) is in
QCOW2 format only, avoiding the extra space taken up by the 64MB
padding. Supporting both raw and QCOW2 images would be messy, so switch
entirely to QCOW2.
Only the 4MB images are in QCOW2 format on amd64, so also switch away
from the 2MB images. 4MB images are now the default for most
distributions as they are needed to apply certain Windows updates.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We initially thought we would need Red Hat's patch set. Then it looked
like we wouldn't because the TPM Event Log appeared to work without it.
We later discovered that on amd64, it only works with Secure Boot
disabled. The patch set also fixes Secure Boot on arm64, which would
have otherwise needed a couple of patches from Canonical.
We have to drop Gentoo's patches because they conflict, but they don't
affect Flatcar anyway.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
* oem-azure: add hyperv daemons
This change adds hyperv daemons hv_fcopy, hv_kvp, and hv_vss to the
Azure and HyperV OEM sysexts. hv_kvp specifically is needed to submit OS version
information to the Azure hypervisor.
The daemons, tough userspace programs, are built from the kernel sources
as they are included in the Linux kernel.
As the ebuild is (somewhat) kernel specific, it should be updated when the kernel
is updated. Respective additions have been made to the kernel update GitHub actions
automation.
Signed-off-by: Thilo Fromm <thilofromm@microsoft.com>
Co-authored-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Landlock is a feature to create security sandboxes thanks to 3 dedicated
system calls. They are designed to be safe to used by any processes,
which can only drop their privileges, similarly to seccomp.
The new Landlock LSM is build in the kernel (CONFIG_SECURITY_LANDLOCK=y)
but it is not enough to make it usable by default. As a stackable LSM,
it is required to enable it at boot time with the CONFIG_LSM list. See
https://docs.kernel.org/userspace-api/landlock.html#kernel-support
As for other stackable LSMs, prepending Landlock to the default LSM list
enables users to potentially get more protection by default by letting
programs sandbox themselves.
As a dependency, CONFIG_SECURITY_PATH=y will be automatically set.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Catalyst 4 has totally changed the way repositories are handled. It only
works when the name of the directory containing the repository matches
the configured name of that repository. This was not the case for us,
with the coreos repository residing in the coreos-overlay directory. We
wanted to move and rename our repositories anyway, but this is a big
change, so we'll do separately. For now, this just renames coreos to
coreos-overlay.
Catalyst 4 also ingests the main repository snapshot as a squashfs
rather than a tarball. It features a utility to generate such a
snapshot, but it doesn't fit Flatcar well, particularly because it
expects each ebuild repository to reside at the top level of its own git
repository. It was very easy to call tar2sqfs manually though.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
