feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)
Security hardening: bind kubeconfig server to localhost, mount hardening (noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module loading lock after boot, SHA256 checksum verification for downloads, kernel AppArmor + Audit support, complain-mode AppArmor profiles for containerd and kubelet, and security integration test. ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4- partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting GRUB vs RPi boot environments, architecture-aware build scripts, QEMU aarch64 dev VM and boot test. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -3,6 +3,7 @@
|
||||
# Usage: ./test/qemu/run-vm.sh <iso-or-img> [options]
|
||||
#
|
||||
# Options:
|
||||
# --arch <arch> Architecture: x86_64 (default) or arm64
|
||||
# --data-disk <path> Use existing data disk (default: create temp)
|
||||
# --data-size <MB> Size of temp data disk (default: 1024)
|
||||
# --memory <MB> VM memory (default: 2048)
|
||||
@@ -12,6 +13,8 @@
|
||||
# --ssh-port <port> Forward SSH to host port (default: 2222)
|
||||
# --background Run in background, print PID
|
||||
# --append <args> Extra kernel append args
|
||||
# --kernel <path> Kernel image (required for arm64)
|
||||
# --initrd <path> Initramfs image (required for arm64)
|
||||
#
|
||||
# Outputs (on stdout):
|
||||
# QEMU_PID=<pid>
|
||||
@@ -23,6 +26,7 @@ IMAGE="${1:?Usage: $0 <iso-or-img> [options]}"
|
||||
shift
|
||||
|
||||
# Defaults
|
||||
ARCH="x86_64"
|
||||
DATA_DISK=""
|
||||
DATA_SIZE_MB=1024
|
||||
MEMORY=2048
|
||||
@@ -33,10 +37,13 @@ SSH_PORT=2222
|
||||
BACKGROUND=0
|
||||
EXTRA_APPEND=""
|
||||
CREATED_DATA_DISK=""
|
||||
VM_KERNEL=""
|
||||
VM_INITRD=""
|
||||
|
||||
# Parse options
|
||||
while [ $# -gt 0 ]; do
|
||||
case "$1" in
|
||||
--arch) ARCH="$2"; shift 2 ;;
|
||||
--data-disk) DATA_DISK="$2"; shift 2 ;;
|
||||
--data-size) DATA_SIZE_MB="$2"; shift 2 ;;
|
||||
--memory) MEMORY="$2"; shift 2 ;;
|
||||
@@ -46,6 +53,8 @@ while [ $# -gt 0 ]; do
|
||||
--ssh-port) SSH_PORT="$2"; shift 2 ;;
|
||||
--background) BACKGROUND=1; shift ;;
|
||||
--append) EXTRA_APPEND="$2"; shift 2 ;;
|
||||
--kernel) VM_KERNEL="$2"; shift 2 ;;
|
||||
--initrd) VM_INITRD="$2"; shift 2 ;;
|
||||
*) echo "Unknown option: $1" >&2; exit 1 ;;
|
||||
esac
|
||||
done
|
||||
@@ -63,44 +72,75 @@ if [ -z "$SERIAL_LOG" ]; then
|
||||
SERIAL_LOG=$(mktemp /tmp/kubesolo-serial-XXXXXX.log)
|
||||
fi
|
||||
|
||||
# Detect KVM availability
|
||||
KVM_FLAG=""
|
||||
if [ -w /dev/kvm ] 2>/dev/null; then
|
||||
KVM_FLAG="-enable-kvm"
|
||||
fi
|
||||
# Build QEMU command based on architecture
|
||||
if [ "$ARCH" = "arm64" ] || [ "$ARCH" = "aarch64" ]; then
|
||||
# ARM64: qemu-system-aarch64 with -machine virt
|
||||
# No KVM for cross-arch emulation (TCG only)
|
||||
CONSOLE="ttyAMA0"
|
||||
|
||||
# Build QEMU command
|
||||
QEMU_CMD=(
|
||||
qemu-system-x86_64
|
||||
-m "$MEMORY"
|
||||
-smp "$CPUS"
|
||||
-nographic
|
||||
-net nic,model=virtio
|
||||
-net "user,hostfwd=tcp::${API_PORT}-:6443,hostfwd=tcp::${SSH_PORT}-:22"
|
||||
-drive "file=$DATA_DISK,format=raw,if=virtio"
|
||||
-serial "file:$SERIAL_LOG"
|
||||
)
|
||||
|
||||
[ -n "$KVM_FLAG" ] && QEMU_CMD+=("$KVM_FLAG")
|
||||
|
||||
case "$IMAGE" in
|
||||
*.iso)
|
||||
QEMU_CMD+=(
|
||||
-cdrom "$IMAGE"
|
||||
-boot d
|
||||
-append "console=ttyS0,115200n8 kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
|
||||
)
|
||||
;;
|
||||
*.img)
|
||||
QEMU_CMD+=(
|
||||
-drive "file=$IMAGE,format=raw,if=virtio"
|
||||
)
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unrecognized image format: $IMAGE" >&2
|
||||
# ARM64 requires explicit kernel + initrd (no -cdrom support with -machine virt)
|
||||
if [ -z "$VM_KERNEL" ] || [ -z "$VM_INITRD" ]; then
|
||||
echo "ERROR: ARM64 mode requires --kernel and --initrd options" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
QEMU_CMD=(
|
||||
qemu-system-aarch64
|
||||
-machine virt
|
||||
-cpu cortex-a72
|
||||
-m "$MEMORY"
|
||||
-smp "$CPUS"
|
||||
-nographic
|
||||
-net nic,model=virtio
|
||||
-net "user,hostfwd=tcp::${API_PORT}-:6443,hostfwd=tcp::${SSH_PORT}-:22"
|
||||
-drive "file=$DATA_DISK,format=raw,if=virtio"
|
||||
-serial "file:$SERIAL_LOG"
|
||||
-kernel "$VM_KERNEL"
|
||||
-initrd "$VM_INITRD"
|
||||
-append "console=${CONSOLE} kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
|
||||
)
|
||||
else
|
||||
# x86_64: standard QEMU
|
||||
CONSOLE="ttyS0,115200n8"
|
||||
|
||||
# Detect KVM availability
|
||||
KVM_FLAG=""
|
||||
if [ -w /dev/kvm ] 2>/dev/null; then
|
||||
KVM_FLAG="-enable-kvm"
|
||||
fi
|
||||
|
||||
QEMU_CMD=(
|
||||
qemu-system-x86_64
|
||||
-m "$MEMORY"
|
||||
-smp "$CPUS"
|
||||
-nographic
|
||||
-net nic,model=virtio
|
||||
-net "user,hostfwd=tcp::${API_PORT}-:6443,hostfwd=tcp::${SSH_PORT}-:22"
|
||||
-drive "file=$DATA_DISK,format=raw,if=virtio"
|
||||
-serial "file:$SERIAL_LOG"
|
||||
)
|
||||
|
||||
[ -n "$KVM_FLAG" ] && QEMU_CMD+=("$KVM_FLAG")
|
||||
|
||||
case "$IMAGE" in
|
||||
*.iso)
|
||||
QEMU_CMD+=(
|
||||
-cdrom "$IMAGE"
|
||||
-boot d
|
||||
-append "console=${CONSOLE} kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
|
||||
)
|
||||
;;
|
||||
*.img)
|
||||
QEMU_CMD+=(
|
||||
-drive "file=$IMAGE,format=raw,if=virtio"
|
||||
)
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unrecognized image format: $IMAGE" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# Launch
|
||||
"${QEMU_CMD[@]}" &
|
||||
|
||||
Reference in New Issue
Block a user