Adolfo Delorenzo
3bcf2e115f
Some checks failed
ARM64 Build / Build generic ARM64 disk image (push) Failing after 6s
CI / Go Tests (push) Successful in 2m12s
CI / Shellcheck (push) Successful in 55s
CI / Build Go Binaries (amd64, linux, linux-amd64) (push) Successful in 1m48s
CI / Build Go Binaries (arm64, linux, linux-arm64) (push) Successful in 1m35s
After 31eee77 added CONFIG_NFT_NUMGEN=m and friends to the kernel
fragment, the rebuilt kernel does include nft_numgen.ko on disk in
build/cache/kernel-arm64-generic/modules/. But the runtime kernel
doesn't load it, and kube-proxy keeps failing with the same
"No such file or directory" pointing at `numgen` as before the
kernel rebuild.
Root cause is the boot-stage-vs-lockdown ordering combined with
inject-kubesolo.sh's selective module copy:
1. inject-kubesolo.sh ships modules listed in modules.list /
modules-arm64.list plus their transitive deps. nft_numgen wasn't
in either list, so its .ko is in the kernel build cache but
never makes it into the initramfs.
2. Stage 30 (kernel-modules) only modprobes from the same list, so
it wouldn't load nft_numgen even if the .ko were present.
3. Stage 85 (security-lockdown) writes 1 to
/proc/sys/kernel/modules_disabled, blocking any further module
loads — including the lazy request_module() that nftables would
otherwise do when kube-proxy first uses the `numgen` expression.
The kernel-side fix (=m in the fragment) is necessary but not
sufficient: we have to ship + load these in stage 30, before lockdown.
Add nft_numgen, nft_hash, nft_limit, nft_log to BOTH modules.list
(x86) and modules-arm64.list. Same justification on x86 — KubeSolo's
nftables kube-proxy backend uses numgen regardless of arch, we just
haven't exercised it on x86 since v0.2 deployments stuck with the
older iptables-restore backend.
After this lands on the Odroid:
sudo make rootfs-arm64 disk-image-arm64 # kernel cached, rootfs only
# no kernel rebuild needed; this is a rootfs-only change
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>