Add an option, -o / --output, to specify a prefix used for the name of the
directory where debootstrap generates the system, and the final disk image
and SSH key filenames.
The default remains using the distro release codename.
For now, ban the use of slashes, spaces, . and .. as output names.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Improve the help message:
- sort options alphabetically
- print default values
- print first line to stdout like the rest of the message
- fix typos, improve style
Also sort the options parsing to be alphabetical (except --help), and use
spaces consistently for indentation in this section.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Debian bullseye is now oldoldstable, so update the default release to
trixie.
While we're at it, update documentation references to old Debian releases
to match.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Richard Smith <happyercat@gmail.com>
Try using `archive.debian.org` and old keys from the Debian keyring
if debootstrap fails.
This improvement allows the following scenario:
```
sh create-image.sh -s 4096 -d wheezy
```
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Currently, the `create-image.sh` script prepares the image in the `./chroot`
directory.
Let's do that in the `$RELEASE` directory. That allows having multiple
debootstrap images at the same time.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
create-image.sh uses sudo to invoke debootstrap, which by default drops
existing environment variables.
Tell sudo to preserve http_proxy, https_proxy, ftp_proxy and no_proxy
variables so that the user's proxy settings are respected by debootstrap.
Suggested-by: Russell Currey <ruscur@russell.cc>
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
In the latest Debian release, bookworm, non-free firmware has been moved
to a new archive component, non-free-firmware. This means that running
create-image.sh for bookworm will fail, because the firmware-atheros
package can no longer be found.
Add the non-free-firmware component to debootstrap's arguments. (This
appears to still work for older releases such as bullseye, which don't
have a non-free-firmware component.)
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
bullseye has been the current Debian stable release since 2021, and
stretch is now well and truly in the LTS support phase. Change the default
release in create-image.sh to bullseye.
Also update most other references to stretch in the documentation and
elsewhere (there are still a few references we don't change because they're
links to images etc).
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Move the remaining sysctls from image creation scripts into executor.
We have the rest in executor now, and these are captured in reproducers
and are not duplicated.
It seems that ping_group_range was accidentally lost along the way,
re-add it.
* pkg/vcs: remove obsolete test script
Per Dmitry, this should have been removed as part of 8f58e4b
("pkg/bisect: switch to kconfig.Minimize").
* all: convert shebang lines to use /usr/bin/env
* Makefile: fix non-portable use of find(1)
to the $KERNEL src
The current script hard-codes the basename of the kernel source path;
if the basename of the kernel source path is not "linux", the script
just aborts.
Fix this by using the basename obtained from the basename utility.
riscv64 is not yet a released Debian port, so it's hosted by the
debian-ports repository. Add a special case to use debian-ports if the
architecture is riscv64.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
When building an i386 image on an x86_64 host, we don't need to use qemu or
check for the presence of an appropriate qemu binfmt_misc configuration.
i386 binaries can run natively, so we also don't need to do debootstrap in
two stages.
Skip qemu checks and run debootstrap in one stage when building i386 on an
x86_64 host.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Add a mapping from qemu architecture x86_64 to Debian architecture amd64
which I forgot to add earlier.
(Also fix up the indentation to be consistent while we're here.)
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
create-image.sh assumes that the qemu name and the Debian name for the
target architecture are the same. This is not always true.
For comedy and/or historical reasons, Debian refers to 64-bit little
endian PowerPC as ppc64el, whereas qemu and most other things use ppc64le.
Debian refers to aarch64 as arm64, and 32-bit little endian arm as armel.
Add special cases to handle this.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Also update sy-env to be able to build the root image inside.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
Add a default udev rule file to the image creation process in
create-gce-image.sh and create-image.sh.
This change creates a default rule to make udev create a custom-named
symlink for the specific vim2m device.
Among other things this changes the timeout for USB programs from 2 to 3 seconds.
ath9k fuzzing also requires ath9k firmware to be present, so system images
need to be regenerated with the updated script.
It's quite useful for debugging network related stuff.
The usage of current create-image.sh:
```
./create-image.sh -d=stretch -f=minimal --add-perf
The options are in the following:
-d, --distribution Set on which debian distribution to create
-f, --feature Check what packages to install in the image, options are minimal, full
-s, --seek Image size (MB), default 2048 (2G)
-p, --add-perf Add perf support with this option enabled
```
The default image size (2G) may be too small in some debugging scenarios, so make it configurable.
Allow the user to provide ADD_PACKAGE, and double-check that KERNEL is set when perf is enabled.
The list of packages to install is comma-separated, not space. This
fixes the "-f full" argument to actually install the expected packages.
The usage of current create-image.sh:
```
./create-image.sh -d=stretch -f=minimal --add-perf
The options are in the following:
-d, --distribution Set on which debian distribution to create
-f, --feature Check what packages to install in the image, options are minimal, full
-p, --add-perf Add perf support with this option enabled
```
The default image is stretch with the minimal feature set, without perf.
This updates the image creation tool to use Debian stretch (current stable)
instead of wheezy, which is very out of date. The only change needed here
was a hint to systemd to make the root filesystem read-write after booting.
Documentation has also been updated.
Upstream "selinux: fix mounting of cgroup2 under older policies"
commit fixes mounting of cgroup2 under wheezy selinux policy.
So don't disable selinux on start.
Create separate cmdline arguments that enable selinux and apparmor.
I had missed that once hardening is enabled, it automatically disables
any exposure of JITed addresses, therefore when crashes or warnings are
thrown we don't unwind beyond a helper function. For now disable hardening.
After merge window I'll see if it's possible to detangle the case where
kernel queries kallsyms internally to find function names whenever a WARN
or BUG is thrown. If that's not possible easily, we can potentially add a
harden mode 3 which does hardening but does not disable kallsyms exposure
and then set this here for tools like syzkaller.
Fixes: ac9b19d2e435 ("bpf: enable hardening mode 1 for jited images")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[dvyukov: also updated dashboard/config/upstream.sysctl]
This will harden non-root programs from kernel side, but not
root-only ones. Helps also to increase coverage a bit since
syzkaller generates programs for both cases.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Helps syzkaller in particular for unwinding full stack in case
of warnings or crashes.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
watchdog_thresh is capped at 60, so 120 causes EINVAL.
The comments were unintentionally committed in a previous commit.
Uncomment unintentionally commented out lines from a previous commit.
These packages are required to actually activate selinux during boot.
1G does not seem to be enough.
Create 2G images as we do in create-gce-image.sh.
Move few additional settings from create-gce-image.sh to create-image.sh.
+ raise the console output level, otherwise stack traces may be dropped
Checkout necessary packages during debootstrap instead of a separate step.