adds support for building hook kernel #3471
Skipping CI for Draft Pull Request.
- apt -o "Dpkg::Use-Pty=0" -y install curl xz-utils gnupg2 flex bison libssl-dev libelf-dev bc libncurses-dev kmod \ | ||
- crossbuild-essential-amd64 crossbuild-essential-arm64 && \ | ||
- apt -o "Dpkg::Use-Pty=0" -y clean | ||
+ARG BASE_IMAGE |
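Review bot: The added `ARG BASE_IMAGE` carries no default value, so any build that omits `--build-arg BASE_IMAGE=...` ends up with an empty image reference; either give it a default pinned by digest or document that the build tooling must always pass it. The removed `apt` lines also installed `curl`, `gnupg2` and `xz-utils` alongside the compiler toolchain, so whatever replaces them needs to provide those tools explicitly rather than relying on the base image happening to ship them.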
Here is what the final Dockerfile looks like:

```dockerfile
ARG BASE_IMAGE
FROM ${BASE_IMAGE} as kernel-source-unpacked-amd64
ARG DEFCONFIG
ENV KERNEL_ARCH=x86_64
ENV INPUT_DEFCONFIG=${DEFCONFIG}-${KERNEL_ARCH}
ENV KERNEL_OUTPUT_IMAGE=arch/${KERNEL_ARCH}/boot/bzImage

ARG BASE_IMAGE
FROM ${BASE_IMAGE} as kernel-source-unpacked-arm64
ARG DEFCONFIG
ENV KERNEL_ARCH=aarch64
ENV INPUT_DEFCONFIG=${DEFCONFIG}-${KERNEL_ARCH}
ENV KERNEL_OUTPUT_IMAGE=arch/${KERNEL_ARCH}/boot/bzImage

ARG TARGETARCH
FROM kernel-source-unpacked-${TARGETARCH} as kernel-source-unpacked

RUN set -x && yum -y update && \
    yum -y install bc bison elfutils-libelf-devel flex gcc gzip kmod make ncurses-devel openssl-devel perl tar xz && \
    yum clean all && \
    rm -rf /var/cache/yum

ARG KERNEL_MAJOR_V
ARG KERNEL_VERSION
ARG KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR_V}/linux-${KERNEL_VERSION}.tar.xz
ARG KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR_V}/sha256sums.asc
ARG KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/${KERNEL_MAJOR_V}/linux-${KERNEL_VERSION}.tar.sign

# PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org) & 00411886 (torvalds@linux-foundation.org)
COPY /keys.asc /keys.asc

# Download and verify kernel
# The cached-tarball test and its download fallback are grouped in { } so that a failed
# gpg2 --verify of sha256sums.asc stops the chain instead of falling through the ||
RUN set -x && \
    curl -fsSLO ${KERNEL_SHA256_SUMS} && \
    gpg2 -q --import keys.asc && \
    gpg2 --verify sha256sums.asc && \
    KERNEL_SHA256=$(grep linux-${KERNEL_VERSION}.tar.xz sha256sums.asc | cut -d ' ' -f 1) && \
    { [ -f linux-${KERNEL_VERSION}.tar.xz ] || curl -fsSLO ${KERNEL_SOURCE}; } && \
    echo "${KERNEL_SHA256} linux-${KERNEL_VERSION}.tar.xz" | sha256sum -c - && \
    xz -T 0 -d linux-${KERNEL_VERSION}.tar.xz && \
    curl -fsSLO ${KERNEL_PGP2_SIGN} && \
    gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux

FROM kernel-source-unpacked as kernel-with-config

ARG INPUT_DEFCONFIG
ARG KERNEL_ARCH
ARG KERNEL_CROSS_COMPILE

ENV KERNEL_ARCH=${KERNEL_ARCH}
ENV ARCH=${KERNEL_ARCH}
ENV CROSS_COMPILE=${KERNEL_CROSS_COMPILE}
ENV KCFLAGS="-fdiagnostics-color=always -fno-pie"
ENV KBUILD_BUILD_USER="hook"
ENV KBUILD_BUILD_HOST="tinkerbell"

# Copy just the defconfig needed for this build
WORKDIR /linux
COPY /configs/${INPUT_DEFCONFIG} /linux/.config

# Kernel config; copy the correct defconfig as .config, and run olddefconfig
RUN set -x && make "ARCH=${KERNEL_ARCH}" olddefconfig

# Use this stage to run kernel configuration tasks like menuconfig / savedefconfig etc with:
#   docker buildx build --load --progress=plain --build-arg KERNEL_VERSION=5.10.212 --build-arg KERNEL_SERIES=5.10.y -t hook-kernel:builder --target kernel-configurator .
#   docker run -it -v "$(pwd)":/out-config hook-kernel:builder
# Otherwise, since this stage is not referenced anywhere during normal build, it is completely skipped
FROM kernel-with-config as kernel-configurator
VOLUME /host

FROM kernel-with-config AS kernel-build

ARG KERNEL_OUTPUT_IMAGE

RUN mkdir /out

RUN sed -i 's/#define COMMAND_LINE_SIZE 2048/#define COMMAND_LINE_SIZE 4096/' arch/x86/include/asm/setup.h

# Kernel build. ENVs in previous stages are inherited; thus ARCH, CROSS_COMPILE, KCFLAGS, KBUILD_BUILD_USER, KBUILD_BUILD_HOST are available
RUN set -x && \
    echo "Cross compiler: ${CROSS_COMPILE}" && \
    make -j"$(getconf _NPROCESSORS_ONLN)" && \
    cp ${KERNEL_OUTPUT_IMAGE} /out/kernel && \
    cp System.map /out

# Modules, from lib/modules go into kernel.tar (will be extracted in root filesystem by linuxkit)
RUN set -x && \
    make -s -j"$(getconf _NPROCESSORS_ONLN)" INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
    ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
      cd /tmp/kernel-modules/lib/modules/$DVER && \
      rm -f build source ) && \
    ( cd /tmp/kernel-modules && tar cf /out/kernel.tar . )

# For arches that have DTB's, eg arm64; they go separately into dtbs.tar; for arches that don't (x86), an empty dtbs.tar is created
RUN set -x && \
    mkdir -p /tmp/kernel-dtb && \
    case "$KERNEL_ARCH" in \
    arm64) \
        make -s -j"$(getconf _NPROCESSORS_ONLN)" INSTALL_DTBS_PATH=/tmp/kernel-dtb dtbs_install; \
        ;; \
    esac && \
    ( cd /tmp/kernel-dtb && tar czvf /out/dtbs.tar.gz . )

FROM scratch
ENTRYPOINT []
CMD []
WORKDIR /
COPY --from=kernel-build /out/* /
```
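The Dockerfile above picks the tarball's digest out of `sha256sums.asc` with an unanchored `grep`. As an added example (not part of this PR or of hook), here is a fail-closed version of that lookup using exact file-name matching. The function names, file names and digests are constructed for illustration, and the signature on the list is assumed to have been verified already.

```shell
#!/bin/sh
# Added example, not from the PR: fail-closed lookup of one file's digest in a
# sha256sums list. Assumes the list's signature was already checked with gpg2.

# lookup_sha256 SUMS NAME: print the digest only if exactly one line names NAME.
# awk compares the name as a string, so "." is not a wildcard as it is in grep.
lookup_sha256() {
    awk -v name="$2" '
        $2 == name && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ { digest = $1; n++ }
        END { if (n != 1) exit 1; print digest }
    ' "$1"
}

# verify_tarball SUMS TARBALL: succeed only if TARBALL hashes to the listed digest.
verify_tarball() {
    expected=$(lookup_sha256 "$1" "$(basename "$2")") || return 1
    [ -f "$2" ] || return 1
    actual=$(sha256sum "$2" | cut -d ' ' -f 1) || return 1
    [ "$actual" = "$expected" ]
}

# Constructed fixture: a stand-in tarball plus a list that also holds a near-miss
# name ("x" where the real name has "."), which an unanchored grep would match too.
make_fixture() {
    printf 'constructed stand-in for a kernel tarball\n' > "$1/linux-5.10.212.tar.xz"
    good=$(sha256sum "$1/linux-5.10.212.tar.xz" | cut -d ' ' -f 1)
    other=$(printf 'other' | sha256sum | cut -d ' ' -f 1)
    printf '%s  %s\n' "$other" 'linux-5.10x212.tar.xz' > "$1/sha256sums"
    printf '%s  %s\n' "$good" 'linux-5.10.212.tar.xz' >> "$1/sha256sums"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
if verify_tarball "$tmp/sha256sums" "$tmp/linux-5.10.212.tar.xz"; then
    echo "verified: digest matches the single exact entry"
fi
if ! verify_tarball "$tmp/sha256sums" "$tmp/linux-5.10.999.tar.xz"; then
    echo "rejected: no entry for that file name"
fi
rm -rf "$tmp"
```

A missing, duplicated or malformed entry yields a non-zero status before any hash comparison, so an empty digest never reaches the comparison step.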
/hold
/test hook-tooling-presubmit-arm64
/approve
/lgtm

/unhold
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhay-krishna, jacobweinstock

The full list of commands accepted by this bot can be found here. The pull request process is described here.
Issue #, if available:
Description of changes:
This adds support for building the hook os kernel to our build tooling. Currently linuxkit pulls the kernel built from upstream via https://github.com/tinkerbell/hook/tree/main/kernel. This ensures we can build and update the kernel when necessary as well as giving us the ability to include additional/different drivers in our default builds based on what we see with customers.

The main difference between "our" build and upstream's will be that we will use AL23 whereas upstream uses debian. The new git_tag for hook is 0.9.0. This new version has made significant changes to the kernel build dockerfile. The `builds-kernel-from-al2.patch` patches just the first layer in the docker file from debian to al23. There are 3 files, keys.asc and the two kernel config files, which are copied from the upstream clone before building the kernel image.

A way to add additional kernel options has also been added and is documented in the readme. For now, I am adding the cisco drivers based on customer feedback we have received.

In addition to the hook upgrade, we are introducing the ability to embed the needed action container images into the local docker cache so that these images do not need to be pulled at runtime. Most of the new patches come from @jacobweinstock's work upstream and will go away when hook is released with this change. We use this new upstream process to docker pull/save/load to create a `hook-embedded` image which contains the `/var/lib/docker` folder with the action images + tink-worker.

A new batch-build.yml is introduced so that we can build the amd image on an amd host and the arm image on an arm host. Neither AL2 nor AL23 provides cross compilation like upstream gets from debian. This is a pretty standard approach we have followed for other complex builds that require arch specific binary or image builds.

The kernel-config target is added as a helper for customers who need to add or change the kernel config for their specific hardware, similar to upstream which we currently reference in our docs.
The kernel version is set to the latest 5.10.x version we are using from upstream. Automation will be added to keep this version updated.
TODO:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.