adelorenzo/kubesolo-os
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
e372df578bc08b9af39217c1a2f77b4ec48927b8
kubesolo-os/build/config/kernel-audit.sh
Adolfo Delorenzo e372df578b feat: initial Phase 1 PoC scaffolding for KubeSolo OS 
Complete Phase 1 implementation of KubeSolo OS — an immutable, bootable
Linux distribution built on Tiny Core Linux for running KubeSolo
single-node Kubernetes.

Build system:
- Makefile with fetch, rootfs, initramfs, iso, disk-image targets
- Dockerfile.builder for reproducible builds
- Scripts to download Tiny Core, extract rootfs, inject KubeSolo,
  pack initramfs, and create bootable ISO/disk images

Init system (10 POSIX sh stages):
- Early mount (proc/sys/dev/cgroup2), cmdline parsing, persistent
  mount with bind-mounts, kernel module loading, sysctl, DHCP
  networking, hostname, clock sync, containerd prep, KubeSolo exec

Shared libraries:
- functions.sh (device wait, IP lookup, config helpers)
- network.sh (static IP, config persistence, interface detection)
- health.sh (containerd, API server, node readiness checks)
- Emergency shell for boot failure debugging

Testing:
- QEMU boot test with serial log marker detection
- K8s readiness test with kubectl verification
- Persistence test (reboot + verify state survives)
- Workload deployment test (nginx pod)
- Local storage test (PVC + local-path provisioner)
- Network policy test
- Reusable run-vm.sh launcher

Developer tools:
- dev-vm.sh (interactive QEMU with port forwarding)
- rebuild-initramfs.sh (fast iteration)
- inject-ssh.sh (dropbear SSH for debugging)
- extract-kernel-config.sh + kernel-audit.sh

Documentation:
- Full design document with architecture research
- Boot flow documentation covering all 10 init stages
- Cloud-init examples (DHCP, static IP, Portainer Edge, air-gapped)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 10:18:42 -06:00

170 lines
6.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# kernel-audit.sh — Verify kernel config has all required features for KubeSolo
# Usage: ./kernel-audit.sh [/path/to/kernel/.config]
# If no path given, attempts to read from /proc/config.gz or boot config
set -euo pipefail
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# --- Locate kernel config ---
find_kernel_config() {
if [[ -n "${1:-}" ]] && [[ -f "$1" ]]; then
echo "$1"
return 0
fi
# Try /proc/config.gz (if CONFIG_IKCONFIG_PROC=y)
if [[ -f /proc/config.gz ]]; then
local tmp
tmp=$(mktemp)
zcat /proc/config.gz > "$tmp"
echo "$tmp"
return 0
fi
# Try /boot/config-$(uname -r)
local boot_config="/boot/config-$(uname -r)"
if [[ -f "$boot_config" ]]; then
echo "$boot_config"
return 0
fi
echo ""
return 1
}
CONFIG_FILE=$(find_kernel_config "${1:-}") || {
echo -e "${RED}ERROR: Cannot find kernel config.${NC}"
echo "Provide path as argument, or ensure /proc/config.gz or /boot/config-\$(uname -r) exists."
exit 1
}
echo "==> Auditing kernel config: $CONFIG_FILE"
echo ""
PASS=0
FAIL=0
WARN=0
check_config() {
local option="$1"
local required="$2" # "mandatory" or "recommended"
local description="$3"
local value
value=$(grep -E "^${option}=" "$CONFIG_FILE" 2>/dev/null || true)
if [[ -n "$value" ]]; then
local setting="${value#*=}"
echo -e " ${GREEN}${NC} ${option}=${setting}${description}"
((PASS++))
elif grep -qE "^# ${option} is not set" "$CONFIG_FILE" 2>/dev/null; then
if [[ "$required" == "mandatory" ]]; then
echo -e " ${RED}${NC} ${option} is NOT SET — ${description} [REQUIRED]"
((FAIL++))
else
echo -e " ${YELLOW}${NC} ${option} is NOT SET — ${description} [recommended]"
((WARN++))
fi
else
if [[ "$required" == "mandatory" ]]; then
echo -e " ${RED}?${NC} ${option} not found in config — ${description} [REQUIRED]"
((FAIL++))
else
echo -e " ${YELLOW}?${NC} ${option} not found in config — ${description} [recommended]"
((WARN++))
fi
fi
}
# --- cgroup v2 ---
echo "cgroup v2:"
check_config CONFIG_CGROUPS mandatory "Control groups support"
check_config CONFIG_CGROUP_CPUACCT mandatory "CPU accounting"
check_config CONFIG_CGROUP_DEVICE mandatory "Device controller"
check_config CONFIG_CGROUP_FREEZER mandatory "Freezer controller"
check_config CONFIG_CGROUP_SCHED mandatory "CPU scheduler controller"
check_config CONFIG_CGROUP_PIDS mandatory "PIDs controller"
check_config CONFIG_MEMCG mandatory "Memory controller"
check_config CONFIG_CGROUP_BPF recommended "BPF controller"
echo ""
# --- Namespaces ---
echo "Namespaces:"
check_config CONFIG_NAMESPACES mandatory "Namespace support"
check_config CONFIG_NET_NS mandatory "Network namespaces"
check_config CONFIG_PID_NS mandatory "PID namespaces"
check_config CONFIG_USER_NS mandatory "User namespaces"
check_config CONFIG_UTS_NS mandatory "UTS namespaces"
check_config CONFIG_IPC_NS mandatory "IPC namespaces"
echo ""
# --- Filesystem ---
echo "Filesystem:"
check_config CONFIG_OVERLAY_FS mandatory "OverlayFS (containerd)"
check_config CONFIG_SQUASHFS mandatory "SquashFS (Tiny Core root)"
check_config CONFIG_BLK_DEV_LOOP mandatory "Loop device (SquashFS mount)"
check_config CONFIG_EXT4_FS mandatory "ext4 (persistent partition)"
echo ""
# --- Networking ---
echo "Networking:"
check_config CONFIG_BRIDGE mandatory "Bridge (K8s pod networking)"
check_config CONFIG_NETFILTER mandatory "Netfilter framework"
check_config CONFIG_NF_NAT mandatory "NAT support"
check_config CONFIG_NF_CONNTRACK mandatory "Connection tracking"
check_config CONFIG_IP_NF_IPTABLES mandatory "iptables"
check_config CONFIG_IP_NF_NAT mandatory "iptables NAT"
check_config CONFIG_IP_NF_FILTER mandatory "iptables filter"
check_config CONFIG_VETH mandatory "Virtual ethernet pairs"
check_config CONFIG_VXLAN mandatory "VXLAN (overlay networking)"
check_config CONFIG_NET_SCH_HTB recommended "HTB qdisc (bandwidth limiting)"
echo ""
# --- Security ---
echo "Security:"
check_config CONFIG_SECCOMP recommended "Seccomp (container security)"
check_config CONFIG_SECCOMP_FILTER recommended "Seccomp BPF filter"
check_config CONFIG_BPF_SYSCALL recommended "BPF syscall"
check_config CONFIG_AUDIT recommended "Audit framework"
echo ""
# --- Crypto ---
echo "Crypto:"
check_config CONFIG_CRYPTO_SHA256 recommended "SHA-256 (image verification)"
echo ""
# --- IPVS (optional, for kube-proxy IPVS mode) ---
echo "IPVS (optional, kube-proxy IPVS mode):"
check_config CONFIG_IP_VS recommended "IPVS core"
check_config CONFIG_IP_VS_RR recommended "IPVS round-robin"
check_config CONFIG_IP_VS_WRR recommended "IPVS weighted round-robin"
check_config CONFIG_IP_VS_SH recommended "IPVS source hashing"
echo ""
# --- Summary ---
echo "========================================"
echo -e " ${GREEN}Passed:${NC} $PASS"
echo -e " ${RED}Failed:${NC} $FAIL"
echo -e " ${YELLOW}Warnings:${NC} $WARN"
echo "========================================"
if [[ $FAIL -gt 0 ]]; then
echo ""
echo -e "${RED}FAIL: $FAIL mandatory kernel config(s) missing.${NC}"
echo "Options:"
echo " 1. Check if missing features are available as loadable modules (=m)"
echo " 2. Recompile the kernel with missing options enabled"
echo " 3. Use a different kernel (e.g., Alpine Linux kernel)"
exit 1
else
echo ""
echo -e "${GREEN}PASS: All mandatory kernel configs present.${NC}"
if [[ $WARN -gt 0 ]]; then
echo -e "${YELLOW}Note: $WARN recommended configs missing (non-blocking).${NC}"
fi
exit 0
fi
Reference in New Issue View Git Blame Copy Permalink