From 214bc7473157012d229045ce50b15c66ef586f9d Mon Sep 17 00:00:00 2001 From: Andrey Smirnov Date: Mon, 9 Dec 2024 12:45:45 +0400 Subject: [PATCH 1/4] feat: update Go to 1.23.4 Via tools update. Signed-off-by: Andrey Smirnov --- .conform.yaml | 4 ++-- .kres.yaml | 4 ++++ Pkgfile | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.conform.yaml b/.conform.yaml index 25c9785a9..4d171294d 100644 --- a/.conform.yaml +++ b/.conform.yaml @@ -1,6 +1,6 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2024-03-27T11:04:35Z by kres latest. +# Generated on 2024-12-09T08:50:34Z by kres 1ebe796. policies: - type: commit @@ -12,7 +12,7 @@ policies: gitHubOrganization: siderolabs spellcheck: locale: US - maximumOfOneCommit: true + maximumOfOneCommit: false header: length: 89 imperative: true diff --git a/.kres.yaml b/.kres.yaml index 5be510da4..c5bca17a6 100644 --- a/.kres.yaml +++ b/.kres.yaml @@ -84,3 +84,7 @@ spec: $(MAKE) docker-kernel-prepare PLATFORM=$$platform BUILDKIT_MULTI_PLATFORM=0 TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch --load"; \ docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \ done +--- +kind: common.Repository +spec: + conformMaximumOfOneCommit: false diff --git a/Pkgfile b/Pkgfile index b3532438b..33802203d 100644 --- a/Pkgfile +++ b/Pkgfile @@ -3,7 +3,7 @@ format: v1alpha2 vars: - TOOLS_IMAGE: ghcr.io/siderolabs/tools:v1.9.0 + TOOLS_IMAGE: ghcr.io/siderolabs/tools:v1.9.0-1-geaad82f # renovate: datasource=github-releases depName=containernetworking/plugins cni_version: v1.6.0 From 41ace864625db9df0cced15050c7686517abc066 Mon Sep 17 00:00:00 2001 
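Review bot: The new `conformMaximumOfOneCommit: false` in .kres.yaml (with the matching regenerated flip in .conform.yaml) relaxes a repository commit policy inside a commit whose subject is a Go toolchain update, so the policy change is easy to miss in history. If this is a deliberate repository decision rather than a kres default surfaced by the tools update, it deserves its own commit or at least one sentence in this description saying why multi-commit PRs are now acceptable.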
From: Noel Georgi Date: Mon, 2 Dec 2024 20:46:26 +0530 Subject: [PATCH 2/4] chore: bring in KSPP recommendations Bring in new KSPP recommendations. Ref: https://github.com/a13xp0p0v/kernel-hardening-checker/commit/12eb32d21203bd164271281c6266f161a300c40c Signed-off-by: Noel Georgi (cherry picked from commit b330af9b95d9115382c81f88b55c17b99f7ef355) --- kernel/build/config-arm64 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64 index f9a7185c4..581e6f434 100644 --- a/kernel/build/config-arm64 +++ b/kernel/build/config-arm64 @@ -1122,7 +1122,7 @@ CONFIG_PCP_BATCH_SCALE_MAX=5 CONFIG_PHYS_ADDR_T_64BIT=y CONFIG_MMU_NOTIFIER=y CONFIG_KSM=y -CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y # CONFIG_MEMORY_FAILURE is not set CONFIG_ARCH_WANTS_THP_SWAP=y From d7d890c0f44cca49d8fea16c2341b2b6765543e0 Mon Sep 17 00:00:00 2001 From: Andrey Smirnov Date: Fri, 6 Dec 2024 15:45:07 +0400 Subject: [PATCH 3/4] feat: build host iptables with nftables support Build iptables with nftables support, and force to use nft version. See https://github.com/siderolabs/talos/issues/9883 Signed-off-by: Andrey Smirnov (cherry picked from commit 9cf35bef274bb445e578f858a0a595b05b44a01f) --- .kres.yaml | 2 ++ Makefile | 4 +++- Pkgfile | 10 ++++++++++ iptables/pkg.yaml | 18 +++++++++++++++++- libmnl/pkg.yaml | 26 ++++++++++++++++++++++++++ libnftnl/pkg.yaml | 29 +++++++++++++++++++++++++++++ 6 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 libmnl/pkg.yaml create mode 100644 libnftnl/pkg.yaml diff --git a/.kres.yaml b/.kres.yaml index c5bca17a6..119a670d1 100644 --- a/.kres.yaml +++ b/.kres.yaml @@ -24,6 +24,8 @@ spec: - libinih - libjson-c - liblzma + - libmnl + - libnftnl - libpopt - libseccomp - libselinux diff --git a/Makefile b/Makefile index 81c1fde1b..bb7c40733 100644 --- a/Makefile +++ b/Makefile 
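Review bot: Raising CONFIG_DEFAULT_MMAP_MIN_ADDR to 65536 only in config-arm64 leaves config-amd64 untouched by this patch, so either amd64 already sits at that value or the two architectures now diverge on the low-address mmap guard; confirm which, and state it in the description if arm64-only is intended. This Kconfig value is only the boot-time default for the vm.mmap_min_addr sysctl, so the hardening also depends on nothing in the image lowering that sysctl later. Naming the setting in the description, e.g. `CONFIG_DEFAULT_MMAP_MIN_ADDR 32768 -> 65536 (arm64) per the referenced kernel-hardening-checker update`, would make the change greppable.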
@@ -1,6 +1,6 @@ # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. # -# Generated on 2024-11-20T04:30:14Z by kres a8af16d. +# Generated on 2024-12-06T11:24:18Z by kres 232fe63. # common variables @@ -67,6 +67,8 @@ TARGETS += libcap TARGETS += libinih TARGETS += libjson-c TARGETS += liblzma +TARGETS += libmnl +TARGETS += libnftnl TARGETS += libpopt TARGETS += libseccomp TARGETS += libselinux diff --git a/Pkgfile b/Pkgfile index 33802203d..e70477b05 100644 --- a/Pkgfile +++ b/Pkgfile @@ -102,6 +102,16 @@ vars: libjson_c_sha256: 876ab046479166b869afc6896d288183bbc0e5843f141200c677b3e8dfb11724 libjson_c_sha512: 4763f2352414dac3599bc2183b4fa57dbfaac0ca24de890097bd7d0bdda93c91efa280f6566e949e6d94212ef39a63fc76c5f9d0c54ff3d04b13c859717dba5a + # renovate: datasource=git-tags extractVersion=^v(?.*)$ depName=git://git.netfilter.org/libmnl + libmnl_version: 1.0.5 + libmnl_sha256: 274b9b919ef3152bfb3da3a13c950dd60d6e2bcd54230ffeca298d03b40d0525 + libmnl_sha512: 16fa48e74c9da7724a85c655dfb0abd8369392627934639d65de951543e1447ac3e048d231248f1ce8861443c2ef62654a85a81feeedbbffaf2e5744f6cf4c9f + + # renovate: datasource=git-tags extractVersion=^v(?.*)$ depName=git://git.netfilter.org/libnftnl + libnftnl_version: 1.2.8 + libnftnl_sha256: 37fea5d6b5c9b08de7920d298de3cdc942e7ae64b1a3e8b880b2d390ae67ad95 + libnftnl_sha512: c57030f34c50b09ae2fbf8dac5d9cf431eaaa5a5a08098e3e4c146a8bd4ae9b7753f5d2de5f2d0a6c15e5ba0c39f51275c9d8b03bdedeaadbafa6c96f9a972b6 + # renovate: datasource=github-releases depName=tukaani-project/xz # NOTE: using 5.4.5 the version debian downgraded to. Ref: https://www.openwall.com/lists/oss-security/2024/03/29/4 xz_version: v5.4.5 diff --git a/iptables/pkg.yaml b/iptables/pkg.yaml index c34f70582..afdf1296b 100644 --- a/iptables/pkg.yaml +++ b/iptables/pkg.yaml 
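Review bot: The new libmnl and libnftnl entries pin both sha256 and sha512, consistent with the existing Pkgfile entries, but nothing here records how the digests were obtained. netfilter.org publishes detached signatures for its release tarballs, so checking the archives against the project's release key once before recording the digests, and noting that in the description, closes the gap between "the bytes I downloaded" and "the bytes upstream released". The `git://git.netfilter.org/...` URLs in the renovate comments are unauthenticated transport, which only affects which version renovate proposes since the real fetch is HTTPS plus pinned digests; still worth knowing when reviewing a renovate bump.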
@@ -3,6 +3,8 @@ variant: scratch shell: /toolchain/bin/bash dependencies: - stage: base + - stage: libmnl + - stage: libnftnl steps: - sources: - url: https://fossies.org/linux/misc/iptables-{{ .iptables_version }}.tar.xz @@ -13,12 +15,13 @@ steps: - | tar -xf iptables.tar.xz --strip-components=1 + export PKG_CONFIG_PATH=/usr/lib/pkgconfig + ./configure \ --prefix=/usr \ --libexecdir=/usr/libexec \ --disable-static \ --sbindir=/sbin \ - --disable-nftables \ --enable-libipq \ --with-xtlibdir=/lib/xtables @@ -30,6 +33,19 @@ steps: install: - | make install DESTDIR=/rootfs + - | + # fix up symlinks which point to legacy version to point to nft version + for f in /rootfs/sbin/*; do + # if name doesn't contain 'legacy': + if [[ $f == *legacy* ]]; then + continue + fi + + # if it's a symlink: + if [ -L "$f" ]; then + ln -sf $(readlink $f | sed 's/legacy/nft/') $f + fi + done finalize: - from: /rootfs to: / diff --git a/libmnl/pkg.yaml b/libmnl/pkg.yaml new file mode 100644 index 000000000..ea2786c9a --- /dev/null +++ b/libmnl/pkg.yaml @@ -0,0 +1,26 @@ +name: libmnl +variant: scratch +shell: /toolchain/bin/bash +dependencies: + - stage: base +steps: + - sources: + - url: https://www.netfilter.org/projects/libmnl/files/libmnl-{{ .libmnl_version }}.tar.bz2 + destination: libmnl.tar.bz2 + sha256: "{{ .libmnl_sha256 }}" + sha512: "{{ .libmnl_sha512 }}" + prepare: + - | + tar -xjf libmnl.tar.bz2 --strip-components=1 + + ./configure \ + --prefix=/usr + build: + - | + make -j $(nproc) + install: + - | + make install DESTDIR=/rootfs +finalize: + - from: /rootfs + to: / diff --git a/libnftnl/pkg.yaml b/libnftnl/pkg.yaml new file mode 100644 index 000000000..d39371193 --- /dev/null +++ b/libnftnl/pkg.yaml 
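Review bot: Removing `--disable-nftables` relies on configure's default instead of stating the intent; if the libnftnl probe through the newly exported PKG_CONFIG_PATH fails for any reason, configure may fall back to a legacy-only build rather than erroring, and the symlink fix-up in the install step would then point at binaries that were never built. Since AC_ARG_ENABLE generates both forms of the switch, replacing the removed line with `--enable-nftables \` makes the requirement explicit; whether configure hard-fails when nftables is requested but libnftnl is missing should be confirmed against iptables' configure.ac for this version, and if it does not, the install-step existence check is the backstop.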
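Review bot: The symlink rewrite in the new install step runs `ln -sf` on whatever `sed` produces without checking that the nft-named target exists under /rootfs/sbin, so a build where nftables support did not get compiled in would still install cleanly and ship /sbin/iptables and friends as dangling links that only fail at runtime on the node. `$f` and `$(readlink $f ...)` are also unquoted, harmless for the fixed names iptables installs but fragile under bash; readlink presumably yields a relative name such as the xtables-*-multi binaries (confirm, and adjust the existence check if it is absolute). A version that fails the build on a missing target is below; the `make install` line above it is unchanged.
```yaml
      - |
        # fix up symlinks which point to legacy version to point to nft version
        for f in /rootfs/sbin/*; do
          case "$f" in *legacy*) continue ;; esac
          [ -L "$f" ] || continue

          target="$(readlink "$f" | sed 's/legacy/nft/')"

          # refuse to install a dangling link: the nft variant must have been built and installed
          if [ ! -e "$(dirname "$f")/$target" ]; then
            echo "nft target '$target' for '$f' is missing; was iptables built with nftables support?" >&2
            exit 1
          fi

          ln -sf "$target" "$f"
        done
```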
@@ -0,0 +1,29 @@ +name: libnftnl +variant: scratch +shell: /toolchain/bin/bash +dependencies: + - stage: base + - stage: libmnl +steps: + - sources: + - url: https://netfilter.org/projects/libnftnl/files/libnftnl-{{ .libnftnl_version }}.tar.xz + destination: libnftnl.tar.bz2 + sha256: "{{ .libnftnl_sha256 }}" + sha512: "{{ .libnftnl_sha512 }}" + prepare: + - | + tar -xf libnftnl.tar.bz2 --strip-components=1 + + export PKG_CONFIG_PATH=/usr/lib/pkgconfig + + ./configure \ + --prefix=/usr + build: + - | + make -j $(nproc) + install: + - | + make install DESTDIR=/rootfs +finalize: + - from: /rootfs + to: / From 5d559d010439259acf3a51f4c0fe4ddd617aa9eb Mon Sep 17 00:00:00 2001 From: Andrey Smirnov Date: Fri, 6 Dec 2024 17:01:50 +0400 Subject: [PATCH 4/4] feat: update Linux 6.12.3 Latest Linux 6.12.x. Signed-off-by: Andrey Smirnov (cherry picked from commit 52ba9a57358ef37ce3e4aa4033991dc77ad17fbb) --- Pkgfile | 6 +++--- kernel/build/config-amd64 | 3 +-- kernel/build/config-arm64 | 6 +----- 3 files changed, 5 insertions(+), 10 deletions(-) diff --git a/Pkgfile b/Pkgfile index e70477b05..f4b199ccd 100644 --- a/Pkgfile +++ b/Pkgfile 
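Review bot: The source URL in the new libnftnl/pkg.yaml fetches `libnftnl-{{ .libnftnl_version }}.tar.xz` but saves it as `libnftnl.tar.bz2`; extraction only works because `tar -xf` sniffs the compression, and the misleading name invites someone to "fix" it to `-xjf` (as libmnl/pkg.yaml uses) and break the build. Name the file after its real format: `destination: libnftnl.tar.xz` and `tar -xf libnftnl.tar.xz --strip-components=1`.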
@@ -73,9 +73,9 @@ vars: ipxe_sha512: c5b8ec789fad016d3dfa325a601857e357ecd26fd353d8d657901898817ee1d7dc76d513811c81fdee2a9dc001af4c6d7285f736db9a1d6abd890e8e09b57c27 # renovate: datasource=git-tags extractVersion=^v(?.*)$ depName=git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git - linux_version: 6.12.1 - linux_sha256: 0193b1d86dd372ec891bae799f6da20deef16fc199f30080a4ea9de8cef0c619 - linux_sha512: c7523dc5b012367301ab43a685b766dce025c4993041acd3dacd085b052b3fccc7f50c892357acf481e24ccad512770ef46a13d2da16c2a178c44a27f7022932 + linux_version: 6.12.3 + linux_sha256: c89809cc777d50f1ea484a118630281a26383707a0e752c96fd834f6e765deae + linux_sha512: a87aadeec3d65d7e9aaa63affdd74e31bc94e84fb153e633a2e6bb2be62e0c6d5b195dc7a1db8666216308b640db577a75e05bb7aeb91db646f3fdfdec51f1aa # renovate: datasource=git-tags extractVersion=^v(?.*)$ depName=git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git kmod_version: 33 diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64 index 959fb64cc..b7661f5cb 100644 --- a/kernel/build/config-amd64 +++ b/kernel/build/config-amd64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 6.12.1 Kernel Configuration +# Linux/x86 6.12.3 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 14.2.0" CONFIG_CC_IS_GCC=y @@ -2129,7 +2129,6 @@ CONFIG_BLK_DEV=y CONFIG_CDROM=y # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_ZRAM is not set -CONFIG_ZRAM_DEF_COMP="unset-value" CONFIG_BLK_DEV_LOOP=y CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64 index 581e6f434..1913bb683 100644 --- a/kernel/build/config-arm64 +++ b/kernel/build/config-arm64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.12.1 Kernel Configuration +# Linux/arm64 6.12.3 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 14.2.0" CONFIG_CC_IS_GCC=y 
@@ -2376,7 +2376,6 @@ CONFIG_BLK_DEV=y CONFIG_CDROM=y # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_ZRAM is not set -CONFIG_ZRAM_DEF_COMP="unset-value" CONFIG_BLK_DEV_LOOP=y CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set @@ -7006,10 +7005,8 @@ CONFIG_COMMON_CLK_MT8192=y # CONFIG_COMMON_CLK_MT8192_VENCSYS is not set CONFIG_COMMON_CLK_MT8195=y CONFIG_COMMON_CLK_MT8195_APUSYS=y -CONFIG_COMMON_CLK_MT8195_AUDSYS=y CONFIG_COMMON_CLK_MT8195_IMP_IIC_WRAP=y CONFIG_COMMON_CLK_MT8195_MFGCFG=y -CONFIG_COMMON_CLK_MT8195_MSDC=y CONFIG_COMMON_CLK_MT8195_SCP_ADSP=y CONFIG_COMMON_CLK_MT8195_VDOSYS=y CONFIG_COMMON_CLK_MT8195_VPPSYS=y @@ -7166,7 +7163,6 @@ CONFIG_SC_LPASS_CORECC_7180=y # CONFIG_SM_VIDEOCC_8150 is not set # CONFIG_SM_VIDEOCC_8250 is not set # CONFIG_SM_VIDEOCC_8350 is not set -# CONFIG_SM_VIDEOCC_8550 is not set # CONFIG_SPMI_PMIC_CLKDIV is not set # CONFIG_QCOM_HFPLL is not set # CONFIG_KPSS_XCC is not set