feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)
Security hardening: bind kubeconfig server to localhost, mount hardening (noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module loading lock after boot, SHA256 checksum verification for downloads, kernel AppArmor + Audit support, complain-mode AppArmor profiles for containerd and kubelet, and security integration test. ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4- partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting GRUB vs RPi boot environments, architecture-aware build scripts, QEMU aarch64 dev VM and boot test. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -3,6 +3,7 @@
|
||||
# Usage: ./test/qemu/run-vm.sh <iso-or-img> [options]
|
||||
#
|
||||
# Options:
|
||||
# --arch <arch> Architecture: x86_64 (default) or arm64
|
||||
# --data-disk <path> Use existing data disk (default: create temp)
|
||||
# --data-size <MB> Size of temp data disk (default: 1024)
|
||||
# --memory <MB> VM memory (default: 2048)
|
||||
@@ -12,6 +13,8 @@
|
||||
# --ssh-port <port> Forward SSH to host port (default: 2222)
|
||||
# --background Run in background, print PID
|
||||
# --append <args> Extra kernel append args
|
||||
# --kernel <path> Kernel image (required for arm64)
|
||||
# --initrd <path> Initramfs image (required for arm64)
|
||||
#
|
||||
# Outputs (on stdout):
|
||||
# QEMU_PID=<pid>
|
||||
@@ -23,6 +26,7 @@ IMAGE="${1:?Usage: $0 <iso-or-img> [options]}"
|
||||
shift
|
||||
|
||||
# Defaults
|
||||
ARCH="x86_64"
|
||||
DATA_DISK=""
|
||||
DATA_SIZE_MB=1024
|
||||
MEMORY=2048
|
||||
@@ -33,10 +37,13 @@ SSH_PORT=2222
|
||||
BACKGROUND=0
|
||||
EXTRA_APPEND=""
|
||||
CREATED_DATA_DISK=""
|
||||
VM_KERNEL=""
|
||||
VM_INITRD=""
|
||||
|
||||
# Parse options
|
||||
while [ $# -gt 0 ]; do
|
||||
case "$1" in
|
||||
--arch) ARCH="$2"; shift 2 ;;
|
||||
--data-disk) DATA_DISK="$2"; shift 2 ;;
|
||||
--data-size) DATA_SIZE_MB="$2"; shift 2 ;;
|
||||
--memory) MEMORY="$2"; shift 2 ;;
|
||||
@@ -46,6 +53,8 @@ while [ $# -gt 0 ]; do
|
||||
--ssh-port) SSH_PORT="$2"; shift 2 ;;
|
||||
--background) BACKGROUND=1; shift ;;
|
||||
--append) EXTRA_APPEND="$2"; shift 2 ;;
|
||||
--kernel) VM_KERNEL="$2"; shift 2 ;;
|
||||
--initrd) VM_INITRD="$2"; shift 2 ;;
|
||||
*) echo "Unknown option: $1" >&2; exit 1 ;;
|
||||
esac
|
||||
done
|
||||
@@ -63,44 +72,75 @@ if [ -z "$SERIAL_LOG" ]; then
|
||||
SERIAL_LOG=$(mktemp /tmp/kubesolo-serial-XXXXXX.log)
|
||||
fi
|
||||
|
||||
# Detect KVM availability
|
||||
KVM_FLAG=""
|
||||
if [ -w /dev/kvm ] 2>/dev/null; then
|
||||
KVM_FLAG="-enable-kvm"
|
||||
fi
|
||||
# Build QEMU command based on architecture
|
||||
if [ "$ARCH" = "arm64" ] || [ "$ARCH" = "aarch64" ]; then
|
||||
# ARM64: qemu-system-aarch64 with -machine virt
|
||||
# No KVM for cross-arch emulation (TCG only)
|
||||
CONSOLE="ttyAMA0"
|
||||
|
||||
# Build QEMU command
|
||||
QEMU_CMD=(
|
||||
qemu-system-x86_64
|
||||
-m "$MEMORY"
|
||||
-smp "$CPUS"
|
||||
-nographic
|
||||
-net nic,model=virtio
|
||||
-net "user,hostfwd=tcp::${API_PORT}-:6443,hostfwd=tcp::${SSH_PORT}-:22"
|
||||
-drive "file=$DATA_DISK,format=raw,if=virtio"
|
||||
-serial "file:$SERIAL_LOG"
|
||||
)
|
||||
|
||||
[ -n "$KVM_FLAG" ] && QEMU_CMD+=("$KVM_FLAG")
|
||||
|
||||
case "$IMAGE" in
|
||||
*.iso)
|
||||
QEMU_CMD+=(
|
||||
-cdrom "$IMAGE"
|
||||
-boot d
|
||||
-append "console=ttyS0,115200n8 kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
|
||||
)
|
||||
;;
|
||||
*.img)
|
||||
QEMU_CMD+=(
|
||||
-drive "file=$IMAGE,format=raw,if=virtio"
|
||||
)
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unrecognized image format: $IMAGE" >&2
|
||||
# ARM64 requires explicit kernel + initrd (no -cdrom support with -machine virt)
|
||||
if [ -z "$VM_KERNEL" ] || [ -z "$VM_INITRD" ]; then
|
||||
echo "ERROR: ARM64 mode requires --kernel and --initrd options" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
QEMU_CMD=(
|
||||
qemu-system-aarch64
|
||||
-machine virt
|
||||
-cpu cortex-a72
|
||||
-m "$MEMORY"
|
||||
-smp "$CPUS"
|
||||
-nographic
|
||||
-net nic,model=virtio
|
||||
-net "user,hostfwd=tcp::${API_PORT}-:6443,hostfwd=tcp::${SSH_PORT}-:22"
|
||||
-drive "file=$DATA_DISK,format=raw,if=virtio"
|
||||
-serial "file:$SERIAL_LOG"
|
||||
-kernel "$VM_KERNEL"
|
||||
-initrd "$VM_INITRD"
|
||||
-append "console=${CONSOLE} kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
|
||||
)
|
||||
else
|
||||
# x86_64: standard QEMU
|
||||
CONSOLE="ttyS0,115200n8"
|
||||
|
||||
# Detect KVM availability
|
||||
KVM_FLAG=""
|
||||
if [ -w /dev/kvm ] 2>/dev/null; then
|
||||
KVM_FLAG="-enable-kvm"
|
||||
fi
|
||||
|
||||
QEMU_CMD=(
|
||||
qemu-system-x86_64
|
||||
-m "$MEMORY"
|
||||
-smp "$CPUS"
|
||||
-nographic
|
||||
-net nic,model=virtio
|
||||
-net "user,hostfwd=tcp::${API_PORT}-:6443,hostfwd=tcp::${SSH_PORT}-:22"
|
||||
-drive "file=$DATA_DISK,format=raw,if=virtio"
|
||||
-serial "file:$SERIAL_LOG"
|
||||
)
|
||||
|
||||
[ -n "$KVM_FLAG" ] && QEMU_CMD+=("$KVM_FLAG")
|
||||
|
||||
case "$IMAGE" in
|
||||
*.iso)
|
||||
QEMU_CMD+=(
|
||||
-cdrom "$IMAGE"
|
||||
-boot d
|
||||
-append "console=${CONSOLE} kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
|
||||
)
|
||||
;;
|
||||
*.img)
|
||||
QEMU_CMD+=(
|
||||
-drive "file=$IMAGE,format=raw,if=virtio"
|
||||
)
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unrecognized image format: $IMAGE" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# Launch
|
||||
"${QEMU_CMD[@]}" &
|
||||
|
||||
117
test/qemu/test-boot-arm64.sh
Executable file
117
test/qemu/test-boot-arm64.sh
Executable file
@@ -0,0 +1,117 @@
|
||||
#!/bin/bash
|
||||
# test-boot-arm64.sh — Verify ARM64 image boots successfully in QEMU
|
||||
#
|
||||
# Uses qemu-system-aarch64 with -machine virt to test ARM64 kernel + initramfs.
|
||||
# Exit 0 = PASS, Exit 1 = FAIL
|
||||
#
|
||||
# Usage: ./test/qemu/test-boot-arm64.sh [kernel] [initramfs]
|
||||
set -euo pipefail
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
|
||||
|
||||
KERNEL="${1:-$PROJECT_ROOT/build/cache/custom-kernel-arm64/Image}"
|
||||
INITRD="${2:-$PROJECT_ROOT/build/rootfs-work/kubesolo-os.gz}"
|
||||
TIMEOUT=120
|
||||
|
||||
echo "==> ARM64 Boot Test"
|
||||
echo " Kernel: $KERNEL"
|
||||
echo " Initrd: $INITRD"
|
||||
echo " Timeout: ${TIMEOUT}s"
|
||||
|
||||
# Verify files exist
|
||||
if [ ! -f "$KERNEL" ]; then
|
||||
echo "ERROR: Kernel not found: $KERNEL"
|
||||
echo " Run 'make kernel-arm64' to build the ARM64 kernel."
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -f "$INITRD" ]; then
|
||||
echo "ERROR: Initrd not found: $INITRD"
|
||||
echo " Run 'make initramfs' to build the initramfs."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify qemu-system-aarch64 is available
|
||||
if ! command -v qemu-system-aarch64 >/dev/null 2>&1; then
|
||||
echo "ERROR: qemu-system-aarch64 not found."
|
||||
echo " Install QEMU with ARM64 support:"
|
||||
echo " apt install qemu-system-arm # Debian/Ubuntu"
|
||||
echo " dnf install qemu-system-aarch64 # Fedora/RHEL"
|
||||
echo " brew install qemu # macOS"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create temp data disk
|
||||
DATA_DISK=$(mktemp /tmp/kubesolo-arm64-test-XXXXXX.img)
|
||||
dd if=/dev/zero of="$DATA_DISK" bs=1M count=512 2>/dev/null
|
||||
mkfs.ext4 -q -L KSOLODATA "$DATA_DISK" 2>/dev/null
|
||||
|
||||
SERIAL_LOG=$(mktemp /tmp/kubesolo-arm64-serial-XXXXXX.log)
|
||||
QEMU_PID=""
|
||||
|
||||
cleanup() {
|
||||
[ -n "$QEMU_PID" ] && kill "$QEMU_PID" 2>/dev/null || true
|
||||
rm -f "$DATA_DISK" "$SERIAL_LOG"
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
# Launch QEMU in background
|
||||
qemu-system-aarch64 \
|
||||
-machine virt \
|
||||
-cpu cortex-a72 \
|
||||
-m 2048 \
|
||||
-smp 2 \
|
||||
-nographic \
|
||||
-kernel "$KERNEL" \
|
||||
-initrd "$INITRD" \
|
||||
-append "console=ttyAMA0 kubesolo.data=/dev/vda kubesolo.debug" \
|
||||
-drive "file=$DATA_DISK,format=raw,if=virtio" \
|
||||
-net nic,model=virtio \
|
||||
-net user \
|
||||
-serial "file:$SERIAL_LOG" &
|
||||
QEMU_PID=$!
|
||||
|
||||
# Wait for boot success marker
|
||||
echo " Waiting for boot..."
|
||||
ELAPSED=0
|
||||
SUCCESS=0
|
||||
while [ "$ELAPSED" -lt "$TIMEOUT" ]; do
|
||||
# Check for stage 90 completion (same marker as x86_64 test)
|
||||
if grep -q "\[kubesolo-init\] \[OK\] Stage 90-kubesolo.sh complete" "$SERIAL_LOG" 2>/dev/null; then
|
||||
SUCCESS=1
|
||||
break
|
||||
fi
|
||||
# Also check for generic KubeSolo running message
|
||||
if grep -q "KubeSolo is running" "$SERIAL_LOG" 2>/dev/null; then
|
||||
SUCCESS=1
|
||||
break
|
||||
fi
|
||||
# Check if QEMU exited prematurely
|
||||
if ! kill -0 "$QEMU_PID" 2>/dev/null; then
|
||||
echo ""
|
||||
echo "==> FAIL: QEMU exited prematurely"
|
||||
echo " Last 20 lines of serial output:"
|
||||
tail -20 "$SERIAL_LOG" 2>/dev/null || echo " (no output)"
|
||||
exit 1
|
||||
fi
|
||||
sleep 2
|
||||
ELAPSED=$((ELAPSED + 2))
|
||||
printf "\r Elapsed: %ds / %ds" "$ELAPSED" "$TIMEOUT"
|
||||
done
|
||||
echo ""
|
||||
|
||||
# Kill QEMU
|
||||
kill "$QEMU_PID" 2>/dev/null || true
|
||||
wait "$QEMU_PID" 2>/dev/null || true
|
||||
QEMU_PID=""
|
||||
|
||||
if [ "$SUCCESS" = "1" ]; then
|
||||
echo "==> ARM64 Boot Test PASSED (${ELAPSED}s)"
|
||||
exit 0
|
||||
else
|
||||
echo "==> ARM64 Boot Test FAILED (timeout ${TIMEOUT}s)"
|
||||
echo ""
|
||||
echo "==> Last 30 lines of serial output:"
|
||||
tail -30 "$SERIAL_LOG" 2>/dev/null || echo " (no output)"
|
||||
exit 1
|
||||
fi
|
||||
Reference in New Issue
Block a user