Adolfo Delorenzo
bc3300e7e7
Some checks failed
ARM64 Build / Build generic ARM64 disk image (push) Failing after 5s
CI / Go Tests (push) Successful in 2m35s
CI / Shellcheck (push) Successful in 1m23s
CI / Build Go Binaries (amd64, linux, linux-amd64) (push) Successful in 1m53s
CI / Build Go Binaries (arm64, linux, linux-arm64) (push) Successful in 1m47s
3bcf2e1 added nft_numgen / nft_hash / nft_limit / nft_log to both module
lists but in a format the inject parser doesn't handle:
nft_numgen # numgen random/inc mod N vmap — Service endpoint LB
The parser's only comment skip is `case "$mod" in \#*|"") continue ;;`
which matches lines STARTING with #, not lines with inline #-comments.
So each new line was passed to modprobe verbatim as a single (invalid)
module name, modprobe returned nonzero, and the .ko never made it into
the initramfs. ls'ing the rootfs after the rootfs rebuild confirmed:
ls .../lib/modules/*/kernel/net/netfilter/ | grep nft_numgen
<empty>
Two changes:
1. Strip inline comments from the new entries in modules.list and
modules-arm64.list. Each module name on its own line, matching the
convention the rest of the file uses.
2. Harden the parser in inject-kubesolo.sh to handle "name # comment"
regardless. Single-line tweak: `mod="${mod%%#*}"` before the
continue check. Prevents a future contributor's inline doc from
silently dropping a module the same way.
After rebuilding the rootfs on the Odroid (no kernel rebuild needed —
this is a rootfs-only change), the four .ko files should appear at
build/rootfs-work/rootfs/lib/modules/*/kernel/net/netfilter/.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
93 lines
2.1 KiB
Plaintext
93 lines
2.1 KiB
Plaintext
# Kernel modules loaded at boot by init (ARM64 / Raspberry Pi)
|
|
# One module per line. Lines starting with # are ignored.
|
|
# Modules are loaded in order listed — dependencies must come first.
|
|
|
|
# Network device drivers (loaded early so interfaces are available)
|
|
# Note: no e1000/e1000e on ARM64 — those are x86 Intel NIC drivers
|
|
virtio_net
|
|
|
|
# Virtio support (for QEMU VMs — block, entropy)
|
|
virtio_blk
|
|
virtio_rng
|
|
|
|
# Raspberry Pi specific (USB Ethernet on Pi 4 is built-in, no module needed)
|
|
# Pi 5 uses PCIe ethernet, also typically built-in
|
|
|
|
# Filesystem — overlay (required for containerd)
|
|
overlay
|
|
|
|
# Netfilter dependencies (must load before conntrack)
|
|
nf_defrag_ipv4
|
|
nf_defrag_ipv6
|
|
|
|
# Netfilter / connection tracking (required for kube-proxy)
|
|
nf_conntrack
|
|
nf_nat
|
|
nf_conntrack_netlink
|
|
|
|
# nftables (modern iptables backend)
|
|
nf_tables
|
|
nft_compat
|
|
nft_chain_nat
|
|
nft_ct
|
|
nft_masq
|
|
nft_nat
|
|
nft_redir
|
|
|
|
# Netfilter xt match/target modules (used by kube-proxy iptables rules via nft_compat)
|
|
xt_conntrack
|
|
xt_MASQUERADE
|
|
xt_mark
|
|
xt_comment
|
|
xt_multiport
|
|
xt_nat
|
|
xt_addrtype
|
|
xt_connmark
|
|
xt_REDIRECT
|
|
xt_recent
|
|
xt_statistic
|
|
xt_set
|
|
|
|
# nft extras (reject, fib — used by kube-proxy nf_tables rules)
|
|
nft_reject
|
|
nft_reject_ipv4
|
|
nft_reject_ipv6
|
|
nft_fib
|
|
nft_fib_ipv4
|
|
nft_fib_ipv6
|
|
|
|
# nft expressions used by the Kubernetes 1.34+ nftables kube-proxy backend.
|
|
# Loading these at boot (stage 30) is mandatory because stage 85 sets
|
|
# kernel.modules_disabled=1, which would otherwise block kube-proxy from
|
|
# auto-loading them on first rule install.
|
|
# (Note: list parser only honours full-line "#"-prefixed comments, NOT
|
|
# inline "module # comment". Keep module names on their own line.)
|
|
nft_numgen
|
|
nft_hash
|
|
nft_limit
|
|
nft_log
|
|
|
|
# Reject targets (used by kube-proxy iptables-restore rules)
|
|
nf_reject_ipv4
|
|
nf_reject_ipv6
|
|
ipt_REJECT
|
|
ip6t_REJECT
|
|
|
|
# nfacct extension (kube-proxy probes for it)
|
|
xt_nfacct
|
|
|
|
# Networking — bridge and netfilter (required for K8s pod networking)
|
|
# Load order: llc → stp → bridge → br_netfilter
|
|
llc
|
|
stp
|
|
bridge
|
|
br_netfilter
|
|
veth
|
|
vxlan
|
|
|
|
# IPVS — useful for kube-proxy IPVS mode and CNI plugins
|
|
ip_vs
|
|
ip_vs_rr
|
|
ip_vs_wrr
|
|
ip_vs_sh
|