# Build stage: toolchain image used to fetch, verify and compile the kernel.
# The base image is referenced by tag only. A tag can be re-pointed at the
# registry, so add a digest pin if the registry is not fully trusted.
FROM linuxkit/alpine:86cd4f51b49fb9a078b50201d892a3c7973d48ec AS kernel-build

# Toolchain and libraries for the kernel build, in alphabetical order.
# curl and gnupg are what the download-and-verify step relies on.
RUN apk add \
    argp-standalone \
    automake \
    bash \
    bc \
    binutils-dev \
    bison \
    build-base \
    curl \
    diffutils \
    elfutils-dev \
    flex \
    git \
    gmp-dev \
    gnupg \
    installkernel \
    kmod \
    linux-headers \
    mpc1-dev \
    mpfr-dev \
    ncurses-dev \
    openssl-dev \
    patch \
    sed \
    squashfs-tools \
    tar \
    xz \
    xz-dev \
    zlib-dev
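# libunwind-dev is not packaged for arm64 yet, so it is installed on x86_64
# only; drop the architecture test once the package is available everywhere.
# An if-statement replaces the former "test && apk add || true" form, which
# also hid a failed install on x86_64. On other architectures the step is
# still a no-op that succeeds.
RUN if [ "$(uname -m)" = x86_64 ]; then apk add libunwind-dev; fi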
# Build arguments supplied by the caller. They are expanded unquoted inside
# the shell commands of the RUN steps below (paths, URLs, a sed expression),
# so they must come from a trusted build invocation.
# KERNEL_VERSION: kernel release to download; KERNEL_SERIES: selects the
# /patches-* directory and /config-* file.
ARG KERNEL_VERSION
ARG KERNEL_SERIES
# EXTRA: optional suffix selecting an additional patch directory and config
# fragment. DEBUG: optional suffix selecting a /config${DEBUG} fragment.
ARG EXTRA
ARG DEBUG
# WireGuard snapshot to build, and the SHA-256 the downloaded tarball is
# checked against before it is unpacked.
ENV WIREGUARD_VERSION=0.0.20190601
ENV WIREGUARD_SHA256="7528461824a0174bd7d4f15e68d8f0ce9a8ea318411502b80759438e8ef65568"
ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz
# We copy the entire build context. This copies some unneeded files, but
# allows us to check for the existence of /patches-${KERNEL_SERIES} to
# build kernels without patches.
# NOTE(review): keys.asc, the key file imported before signature verification,
# presumably arrives through this COPY; confirm. Whoever can change the build
# context then controls which signing keys are trusted, so review changes to
# that file and keep secrets out of the context.
COPY / /
# Download and verify kernel
# PGP keys: 589DA6B1 ([email protected]) & 6092693E ([email protected]) & 00411886 ([email protected])
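# Trust chain: keys.asc -> signature on sha256sums.asc -> SHA-256 of the .xz
# tarball -> detached signature over the decompressed tarball.
# Two changes keep the chain strict:
#  * "use the local tarball or download it" is wrapped in { ...; }. Unwrapped,
#    the || applied to the whole preceding && chain, so a failed key import or
#    a failed signature check on sha256sums.asc fell through to the download
#    instead of stopping the build.
#  * an empty checksum (no matching line in sha256sums.asc) is rejected
#    explicitly.
# NOTE(review): gpg2 --verify validates the signed part of sha256sums.asc,
# while grep reads the raw file; confirm that text outside the signed block
# cannot supply the matching line.
RUN KERNEL_MAJOR=$(echo ${KERNEL_VERSION} | cut -d . -f 1) && \
    KERNEL_MAJOR=v${KERNEL_MAJOR}.x && \
    KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.xz && \
    KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/sha256sums.asc && \
    KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.sign && \
    curl -fsSLO ${KERNEL_SHA256_SUMS} && \
    gpg2 -q --import keys.asc && \
    gpg2 --verify sha256sums.asc && \
    KERNEL_SHA256=$(grep linux-${KERNEL_VERSION}.tar.xz sha256sums.asc | cut -d ' ' -f 1) && \
    [ -n "${KERNEL_SHA256}" ] && \
    { [ -f linux-${KERNEL_VERSION}.tar.xz ] || curl -fsSLO ${KERNEL_SOURCE}; } && \
    echo "${KERNEL_SHA256} linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c - && \
    xz -d linux-${KERNEL_VERSION}.tar.xz && \
    curl -fsSLO ${KERNEL_PGP2_SIGN} && \
    gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
    tar --absolute-names -xf linux-${KERNEL_VERSION}.tar && \
    mv /linux-${KERNEL_VERSION} /linux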
# All following build steps run inside the unpacked kernel tree.
WORKDIR /linux

# Variant-specific patches: applied only when EXTRA is set and the directory
# /patches-${KERNEL_SERIES}${EXTRA} exists.
# patch runs in batch mode (-t) with zero fuzz (-F0), so a hunk whose context
# does not match exactly fails, and set -e then stops the build.
RUN set -e && \
    extra_patches=/patches-${KERNEL_SERIES}${EXTRA} && \
    if [ -n "${EXTRA}" ] && [ -d $extra_patches ]; then \
        echo "Patching ${EXTRA} kernel"; \
        for p in $extra_patches/*.patch; do \
            echo "Applying $p"; \
            patch -t -F0 -N -u -p1 < "$p"; \
        done; \
    fi
# Common patches for the kernel series: applied when the directory
# /patches-${KERNEL_SERIES} exists, with the same strict patch options
# (batch mode, zero fuzz) as the variant-specific patches.
RUN set -e && \
    common_patches=/patches-${KERNEL_SERIES} && \
    if [ -d $common_patches ]; then \
        for p in $common_patches/*.patch; do \
            echo "Applying $p"; \
            patch -t -F0 -N -u -p1 < "$p"; \
        done; \
    fi
# /out collects everything the final stage copies out of this build stage.
RUN mkdir -p /out/src
# Keep an xz-compressed archive of the kernel source tree as it stands after
# the patch steps.
RUN tar -c -J -f /out/src/linux.tar.xz /linux
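# Kernel config
# Installs the checked-in config for this series and architecture over the
# architecture's defconfig, appends the optional EXTRA and DEBUG fragments,
# and then lets make expand it into .config.
# Every step is chained with &&. Previously the copy and the sed edits were
# separated by ";", so a missing /config-* file was ignored and the build
# continued with the upstream defconfig. An unknown architecture now stops
# the build instead of copying to an empty destination.
# When neither EXTRA nor DEBUG is set, the final diff fails the build if the
# generated .config differs from the checked-in config. That is the guard
# against options being silently dropped or changed.
# NOTE(review): EXTRA and DEBUG are interpolated into the sed replacement
# text; values containing "/" or "&" would change the expression.
RUN case $(uname -m) in \
    x86_64) \
        KERNEL_DEF_CONF=/linux/arch/x86/configs/x86_64_defconfig; \
        ;; \
    aarch64) \
        KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
        ;; \
    s390x) \
        KERNEL_DEF_CONF=/linux/arch/s390/defconfig; \
        ;; \
    *) \
        echo "Unsupported architecture: $(uname -m)" >&2; \
        exit 1; \
        ;; \
    esac && \
    cp /config-${KERNEL_SERIES}-$(uname -m) ${KERNEL_DEF_CONF} && \
    if [ -n "${EXTRA}" ] && [ -f "/config-${KERNEL_SERIES}-$(uname -m)${EXTRA}" ]; then \
        cat /config-${KERNEL_SERIES}-$(uname -m)${EXTRA} >> ${KERNEL_DEF_CONF}; \
    fi && \
    sed -i "s/CONFIG_LOCALVERSION=\"-linuxkit\"/CONFIG_LOCALVERSION=\"-linuxkit${EXTRA}${DEBUG}\"/" ${KERNEL_DEF_CONF} && \
    if [ -n "${DEBUG}" ]; then \
        sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' ${KERNEL_DEF_CONF} && \
        cat /config${DEBUG} >> ${KERNEL_DEF_CONF}; \
    fi && \
    make defconfig && \
    make oldconfig && \
    if [ -z "${EXTRA}" ] && [ -z "${DEBUG}" ]; then diff -u .config ${KERNEL_DEF_CONF}; fi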
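# Kernel
# Builds the kernel and copies the architecture's boot image to /out/kernel
# together with System.map; a DEBUG build also ships vmlinux.
# An unknown architecture now stops the build instead of silently producing
# no /out/kernel. The vmlinux copy uses an if-statement, so a failed copy in
# a DEBUG build is no longer hidden by "|| true".
RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
    case $(uname -m) in \
    x86_64) \
        cp arch/x86_64/boot/bzImage /out/kernel; \
        ;; \
    aarch64) \
        cp arch/arm64/boot/Image.gz /out/kernel; \
        ;; \
    s390x) \
        cp arch/s390/boot/bzImage /out/kernel; \
        ;; \
    *) \
        echo "Unsupported architecture: $(uname -m)" >&2; \
        exit 1; \
        ;; \
    esac && \
    cp System.map /out && \
    if [ -n "${DEBUG}" ]; then cp vmlinux /out; fi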
# WireGuard
# Fetch the snapshot tarball and check it against the pinned
# WIREGUARD_SHA256 before anything is unpacked. The verified tarball is kept
# under /out/src, and only the src/ subtree is extracted, into /wireguard,
# where it is built as an out-of-tree module against the kernel tree.
RUN WG_TARBALL=/wireguard.tar.xz && \
    curl -fsSL -o "${WG_TARBALL}" "${WIREGUARD_URL}" && \
    echo "${WIREGUARD_SHA256} ${WG_TARBALL}" | sha256sum -c - && \
    cp "${WG_TARBALL}" /out/src/ && \
    tar -C / --one-top-level=wireguard --strip-components=2 -xJf "${WG_TARBALL}" "WireGuard-${WIREGUARD_VERSION}/src" && \
    make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules
# Modules and Device Tree binaries
# Install the in-tree and WireGuard modules into a staging root, and replace
# the build/source links of the module directory with a single "build" link
# to /usr/src/linux-headers-<version>. On aarch64 the device tree blobs are
# installed under boot/dtb as well. The staging root is packed as
# /out/kernel.tar.
RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
    make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
    ( KVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
      cd /tmp/kernel-modules/lib/modules/$KVER && \
      rm build source && \
      ln -s /usr/src/linux-headers-$KVER build ) && \
    if [ "$(uname -m)" = aarch64 ]; then \
        make INSTALL_DTBS_PATH=/tmp/kernel-modules/boot/dtb dtbs_install; \
    fi && \
    tar -C /tmp/kernel-modules -cf /out/kernel.tar .
# Headers (userspace API)
# Install the exported userspace headers into a staging root and pack its
# usr/ tree as /out/kernel-headers.tar.
RUN hdr_root=/tmp/kernel-headers && \
    mkdir -p $hdr_root/usr && \
    make INSTALL_HDR_PATH=$hdr_root/usr headers_install && \
    tar -C $hdr_root -cf /out/kernel-headers.tar usr
# Headers (kernel development)
# Assemble the tree that out-of-tree module builds need under
# /tmp/usr/src/linux-headers-<version> and pack it as /out/kernel-dev.tar.
# <version> is the name of the directory found under
# /tmp/kernel-modules/lib/modules/, so this step depends on the modules step.
# The find expression has no explicit action, so the implicit -print also
# applies to the pruned paths: the entries of ./include, each
# ./arch/*/include and the entries of ./scripts are emitted as they are
# (directories are presumably archived recursively by tar). Elsewhere only
# the listed build files (Makefile*, Kconfig*, Kbuild*, *.lds, *.pl, *.sh,
# objtool, fixdep, randomize_layout_seed.h) are taken.
# NOTE(review): the pipeline runs without pipefail, so only the exit status
# of the final subshell is checked; a failing find or "tar cf" goes unnoticed.
RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
dir=/tmp/usr/src/linux-headers-$DVER && \
mkdir -p $dir && \
cp /linux/.config $dir && \
cp /linux/Module.symvers $dir && \
find . -path './include/*' -prune -o \
-path './arch/*/include' -prune -o \
-path './scripts/*' -prune -o \
-type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
-name '*.lds' -o -name '*.pl' -o -name '*.sh' -o \
-name 'objtool' -o -name 'fixdep' -o -name 'randomize_layout_seed.h' \) | \
tar cf - -T - | (cd $dir; tar xf -) && \
( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
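# Record where the kernel source came from, for provenance of the image.
# KERNEL_SOURCE is neither an ARG nor an ENV: it was a shell variable inside
# the download step's RUN and does not carry over, so the recorded value was
# empty. The URL is rebuilt here from KERNEL_VERSION in the same way as in
# the download step. printf takes the value as an argument so that it is
# never interpreted as a format string.
RUN KERNEL_MAJOR=v$(echo ${KERNEL_VERSION} | cut -d . -f 1).x && \
    KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR}/linux-${KERNEL_VERSION}.tar.xz && \
    printf 'KERNEL_SOURCE=%s\n' "${KERNEL_SOURCE}" > /out/kernel-source-info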
# Intel CPU microcode (x86_64 only): clone the upstream repository, check out
# the pinned commit so the content is fixed by its hash, and pack the
# microcode files into an early-firmware CPIO archive. The licence file is
# shipped next to it.
ENV UCODE_REPO=https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
ENV UCODE_COMMIT=1dd14da6d1ea5cfbd95923653f31c04aac3aa655
RUN set -e && \
    if [ "$(uname -m)" = x86_64 ]; then \
        git clone ${UCODE_REPO} ucode && \
        git -C ucode checkout ${UCODE_COMMIT} && \
        iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ucode/intel-ucode && \
        cp ucode/license /out/intel-ucode-license.txt; \
    fi
# Final image: starts from scratch, so none of the build toolchain, the
# imported keys or the downloaded sources of the kernel-build stage is
# carried over, apart from what was placed under /out.
FROM scratch
# Empty entrypoint and command: the image defines nothing to execute.
# It is presumably consumed as a bundle of files rather than run.
ENTRYPOINT []
CMD []
WORKDIR /
# Copy the build outputs into the image root.
# NOTE(review): for a directory matched by the glob (e.g. /out/src), COPY
# copies the directory's contents rather than the directory itself; confirm
# that the resulting flat layout is the intended one.
COPY --from=kernel-build /out/* /