cmd/main.go

@@ -93,7 +93,7 @@ func setupEnv() int {
 
 	cfg := firecracker.Config{
 		SocketPath:      socketPath,
-		KernelImagePath: "./out/vmlinux-5.10.204",
+		KernelImagePath: "./out/vmlinux",
 		LogPath:         "./out/firecracker.log",
 		LogLevel:        "Debug",
 		KernelArgs:      "console=ttyS0 reboot=k panic=1 pci=off",

rootfs-kernel/Makefile

@@ -3,6 +3,8 @@
 # aarch64
 # x86_64
 ARCH=x86_64
+KERNEL_VERSION=5.11
+CONFIG_FILE=$(wildcard ./kernel-config/*.config)
 
 use-arch: ../out/arch-rootfs.ext4
 	ln -fs $< ../out/rootfs.ext4
@@ -10,8 +12,14 @@ use-arch: ../out/arch-rootfs.ext4
 use-ubuntu: ../out/ubuntu-22.04.ext4 ../out/ubuntu-22.04.id_rsa
 	ln -fs $< ../out/rootfs.ext4
 
-kernel: ../out/vmlinux-5.10.204
-	@echo "linux kernel retrieve"
+use-kernel-amazon: ../out/vmlinux-5.10.204
+	ln -fs $< ../out/vmlinux
+
+use-kernel-custom: ../out/vmlinux-$(KERNEL_VERSION)
+	ln -fs $< ../out/vmlinux
+
+../out/vmlinux-$(KERNEL_VERSION): ./kernel.sh $(CONFIG_FILE)
+	bash ./kernel.sh $(KERNEL_VERSION)
 
 ../out/vmlinux-5.10.204:
 	wget -O $@ https://s3.amazonaws.com/spec.ccfc.min/firecracker-ci/v1.7/$(ARCH)/vmlinux-5.10.204

rootfs-kernel/kernel-config/fs.config

@@ -0,0 +1,2 @@
+CONFIG_EXT4_FS=y
+CONFIG_OVERLAY_FS=y

rootfs-kernel/kernel-config/net.config

@@ -0,0 +1,158 @@
+CONFIG_VETH=y
+CONFIG_BRIDGE=y
+CONFIG_VXLAN=y
+
+CONFIG_IP_SET=y
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPMARK=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_IPMAC=y
+CONFIG_IP_SET_HASH_MAC=y
+CONFIG_IP_SET_HASH_NETPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETNET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+CONFIG_IP_SET_HASH_NETIFACE=y
+CONFIG_IP_SET_LIST_SET=y
+
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_FAMILY_BRIDGE=y
+CONFIG_NETFILTER_FAMILY_ARP=y
+CONFIG_NETFILTER_NETLINK_ACCT=y
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NETFILTER_NETLINK_OSF=y
+CONFIG_NETFILTER_CONNCOUNT=y
+CONFIG_NETFILTER_NETLINK_GLUE_CT=y
+CONFIG_NETFILTER_SYNPROXY=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+CONFIG_NETFILTER_XT_TARGET_AUDIT=y
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+CONFIG_NETFILTER_XT_TARGET_HMARK=y
+CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y
+CONFIG_NETFILTER_XT_TARGET_LED=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+CONFIG_NETFILTER_XT_TARGET_RATEEST=y
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+CONFIG_NETFILTER_XT_TARGET_TEE=y
+CONFIG_NETFILTER_XT_TARGET_TPROXY=y
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_BPF=y
+CONFIG_NETFILTER_XT_MATCH_CGROUP=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_CPU=y
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+CONFIG_NETFILTER_XT_MATCH_IPCOMP=y
+CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
+CONFIG_NETFILTER_XT_MATCH_IPVS=y
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+CONFIG_NETFILTER_XT_MATCH_NFACCT=y
+CONFIG_NETFILTER_XT_MATCH_OSF=y
+CONFIG_NETFILTER_XT_MATCH_OWNER=y
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+CONFIG_NETFILTER_XT_MATCH_RATEEST=y
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+CONFIG_NETFILTER_XT_MATCH_RECENT=y
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_SOCKET=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+CONFIG_NETFILTER_XT_MATCH_TIME=y
+CONFIG_NETFILTER_XT_MATCH_U32=y
+
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_SET=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NF_DUP_NETDEV=y
+CONFIG_NF_FLOW_TABLE_INET=y
+CONFIG_NF_FLOW_TABLE=y
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NF_TABLES_ARP=y
+CONFIG_NF_FLOW_TABLE_IPV4=y
+CONFIG_NF_DUP_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+CONFIG_NF_TABLES_BRIDGE=y
+
+CONFIG_NF_CONNTRACK=y
+
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+CONFIG_IP_NF_MATCH_RPFILTER=y
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_SYNPROXY=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_SECURITY=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+CONFIG_NFT_BRIDGE_REJECT=y
+
+CONFIG_BRIDGE_NETFILTER=y

rootfs-kernel/kernel-config/virtio.config

@@ -0,0 +1,16 @@
+CONFIG_BLK_MQ_VIRTIO=y
+CONFIG_VIRTIO_BLK=y
+CONFIG_VIRTIO_BLK_SCSI=y
+CONFIG_SCSI_VIRTIO=y
+CONFIG_VIRTIO_NET=y
+CONFIG_VIRTIO_CONSOLE=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_MENU=y
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_INPUT=y
+CONFIG_VIRTIO_MMIO=y
+CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
+CONFIG_CRYPTO_DEV_VIRTIO=y

rootfs-kernel/kernel.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# inspired by https://github.com/oraoto/archlinux-firecracker/blob/master/scripts/build-arch-kernel.sh
+
+set -ex
+
+KERNEL_VERSION=$1
+WD=../out
+NPROC=8
+
+## Install build tools
+# pacman -Syu base-devel bc pahole --ignore linux-firmware
+# disabling CONFIG_DEBUG_INFO_BTF so no pahole required
+
+sudo rm -rf "$WD"/linux
+## Get kernel source
+git clone --depth 1 --branch v$KERNEL_VERSION https://github.com/torvalds/linux.git "$WD"/linux
+
+## Get Archlinux kernel config
+curl -o "$WD"/linux/.config https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/raw/main/config?ref_type=heads
+
+CONFIG_PATH="$WD"/linux/.config
+
+## Disable modules
+sed 's/\(.*\)=m/#\1 is not set/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)MOUSE\(.*\)=y/\1MOUSE\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)USB\(.*\)=y/\1USB\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)TOUCHSCREEN\(.*\)=y/\1TOUCHSCREEN\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)HID\(.*\)=y/\1HID\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)GPU\(.*\)=y/\1GPU\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)GPIO\(.*\)=y/\1GPIO\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)NVDIMM\(.*\)=y/\1NVDIMM\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)MFD\(.*\)=y/\1MFD\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)XEN\(.*\)=y/\1XEN\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)VIDEO\(.*\)=y/\1VIDEO\2=n/g' -i "$CONFIG_PATH"
+# sed 's/\(.*\)PCI\(.*\)=y/\1PCI\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)WLAN\(.*\)=y/\1WLAN\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)DRM\(.*\)=y/\1DRM\2=n/g' -i "$CONFIG_PATH"
+sed 's/\(.*\)BTF\(.*\)=y/\1BTF\2=n/g' -i "$CONFIG_PATH"
+
+cat kernel-config/virtio.config >> "$CONFIG_PATH"
+cat kernel-config/fs.config >> "$CONFIG_PATH"
+cat kernel-config/net.config >> "$CONFIG_PATH"
+
+## Add KVM guest support
+make -C "$WD"/linux/ kvm_guest.config
+
+#make -C "$WD"/linux/ -j$NPROC EXTRA_CFLAGS=-Wno-error=use-after-free
+make -C "$WD"/linux/ -j$NPROC WERROR=0
+
+cp "$WD"/linux/vmlinux "$WD"/vmlinux-$KERNEL_VERSION