修改配置
vim common/arch/arm64/configs/xxx_defconfig
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_PID_NS=y
CONFIG_IPC_NS=y
CONFIG_UTS_NS=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_SCHED=y
CONFIG_CPUSETS=y
CONFIG_MEMCG=y
CONFIG_KEYS=y
CONFIG_VETH=y
CONFIG_BRIDGE=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_IPVS=y
CONFIG_NETFILTER_XT_MARK=y
CONFIG_IP_NF_NAT=y
CONFIG_NF_NAT=y
CONFIG_POSIX_MQUEUE=y
CONFIG_NF_NAT_IPV4=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_CGROUP_BPF=y
CONFIG_USER_NS=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_CGROUP_PIDS=y
CONFIG_MEMCG_SWAP=y
CONFIG_MEMCG_SWAP_ENABLED=y
CONFIG_IOSCHED_CFQ=y
CONFIG_CFQ_GROUP_IOSCHED=y
CONFIG_BLK_CGROUP=y
CONFIG_BLK_DEV_THROTTLING=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_NET_CLS_CGROUP=y
CONFIG_CGROUP_NET_PRIO=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_VS=y
CONFIG_IP_VS_NFCT=y
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_RR=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_VXLAN=y CONFIG_BRIDGE_VLAN_FILTERING=y
CONFIG_CRYPTO=y CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_GHASH=y CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_XFRM_ALGO=y
CONFIG_INET_ESP=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_IPVLAN=y
CONFIG_MACVLAN=y
CONFIG_DUMMY=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_NAT_TFTP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_AUFS_FS=y
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_THIN_PROVISIONING=y
CONFIG_OVERLAY_FS=y
编译内核烧录
检测脚本
#!/usr/bin/env sh
set -eEXITCODE=0# bits of this were adapted from lxc-checkconfig
# see also https:possibleConfigs="/proc/config.gz/boot/config-$(uname -r)/usr/src/linux-$(uname -r)/.config/usr/src/linux/.config
"if [ $# -gt 0 ]; thenCONFIG="$1"
else: "${CONFIG:=/proc/config.gz}"
fiif ! command -v zgrep > /dev/null 2>&1; thenzgrep() {zcat "$2" | grep "$1"}
fiuseColor=true
if [ "$NO_COLOR" = "1" ] || [ ! -t 1 ]; thenuseColor=false
fi
kernelVersion="$(uname -r)"
kernelMajor="${kernelVersion%%.*}"
kernelMinor="${kernelVersion#$kernelMajor.}"
kernelMinor="${kernelMinor%%.*}"is_set() {zgrep "CONFIG_$1=[y|m]" "$CONFIG" > /dev/null
}
is_set_in_kernel() {zgrep "CONFIG_$1=y" "$CONFIG" > /dev/null
}
is_set_as_module() {zgrep "CONFIG_$1=m" "$CONFIG" > /dev/null
}color() {# if stdout is not a terminal, then don't do color codes.if [ "$useColor" = "false" ]; thenreturn 0ficodes=if [ "$1" = 'bold' ]; thencodes='1'shiftfiif [ "$#" -gt 0 ]; thencode=case "$1" in# see https:black) code=30 ;;red) code=31 ;;green) code=32 ;;yellow) code=33 ;;blue) code=34 ;;magenta) code=35 ;;cyan) code=36 ;;white) code=37 ;;esacif [ "$code" ]; thencodes="${codes:+$codes;}$code"fifiprintf '\033[%sm' "$codes"
}
wrap_color() {text="$1"shiftcolor "$@"printf '%s' "$text"color resetecho
}wrap_good() {echo "$(wrap_color "$1" white): $(wrap_color "$2" green)"
}
wrap_bad() {echo "$(wrap_color "$1" bold): $(wrap_color "$2" bold red)"
}
wrap_warning() {wrap_color >&2 "$*" red
}check_flag() {if is_set_in_kernel "$1"; thenwrap_good "CONFIG_$1" 'enabled'elif is_set_as_module "$1"; thenwrap_good "CONFIG_$1" 'enabled (as module)'elsewrap_bad "CONFIG_$1" 'missing'EXITCODE=1fi
}check_flags() {for flag in "$@"; doprintf -- '- 'check_flag "$flag"done
}check_command() {if command -v "$1" > /dev/null 2>&1; thenwrap_good "$1 command" 'available'elsewrap_bad "$1 command" 'missing'EXITCODE=1fi
}check_device() {if [ -c "$1" ]; thenwrap_good "$1" 'present'elsewrap_bad "$1" 'missing'EXITCODE=1fi
}if [ ! -e "$CONFIG" ]; thenwrap_warning "warning: $CONFIG does not exist, searching other paths for kernel config ..."for tryConfig in $possibleConfigs; doif [ -e "$tryConfig" ]; thenCONFIG="$tryConfig"breakfidoneif [ ! -e "$CONFIG" ]; thenwrap_warning "error: cannot find kernel config"wrap_warning " try running this script again, specifying the kernel config:"wrap_warning " CONFIG=/path/to/kernel/.config $0 or $0 /path/to/kernel/.config"exit 1fi
fiwrap_color "info: reading kernel config from $CONFIG ..." white
echoecho 'Generally Necessary:'printf -- '- '
if [ "$(stat -f -c %t /sys/fs/cgroup 2> /dev/null)" = '63677270' ]; thenwrap_good 'cgroup hierarchy' 'cgroupv2'cgroupv2ControllerFile='/sys/fs/cgroup/cgroup.controllers'if [ -f "$cgroupv2ControllerFile" ]; thenecho ' Controllers:'for controller in cpu cpuset io memory pids; doif grep -qE '(^| )'"$controller"'($| )' "$cgroupv2ControllerFile"; thenecho " - $(wrap_good "$controller" 'available')"elseecho " - $(wrap_bad "$controller" 'missing')"fidoneelsewrap_bad "$cgroupv2ControllerFile" 'nonexistent??'fi# TODO find an efficient way to check if cgroup.freeze exists in subdir
elsecgroupSubsystemDir="$(sed -rne '/^[^ ]+ ([^ ]+) cgroup ([^ ]*,)?(cpu|cpuacct|cpuset|devices|freezer|memory)[, ].*$/ { s//\1/p; q }' /proc/mounts)"cgroupDir="$(dirname "$cgroupSubsystemDir")"if [ -d "$cgroupDir/cpu" ] || [ -d "$cgroupDir/cpuacct" ] || [ -d "$cgroupDir/cpuset" ] || [ -d "$cgroupDir/devices" ] || [ -d "$cgroupDir/freezer" ] || [ -d "$cgroupDir/memory" ]; thenecho "$(wrap_good 'cgroup hierarchy' 'properly mounted') [$cgroupDir]"elseif [ "$cgroupSubsystemDir" ]; thenecho "$(wrap_bad 'cgroup hierarchy' 'single mountpoint!') [$cgroupSubsystemDir]"elsewrap_bad 'cgroup hierarchy' 'nonexistent??'fiEXITCODE=1echo " $(wrap_color '(see https://github.com/tianon/cgroupfs-mount)' yellow)"fi
fiif [ "$(cat /sys/module/apparmor/parameters/enabled 2> /dev/null)" = 'Y' ]; thenprintf -- '- 'if command -v apparmor_parser > /dev/null 2>&1; thenwrap_good 'apparmor' 'enabled and tools installed'elsewrap_bad 'apparmor' 'enabled, but apparmor_parser missing'printf ' 'if command -v apt-get > /dev/null 2>&1; thenwrap_color '(use "apt-get install apparmor" to fix this)'elif command -v yum > /dev/null 2>&1; thenwrap_color '(your best bet is "yum install apparmor-parser")'elsewrap_color '(look for an "apparmor" package for your distribution)'fiEXITCODE=1fi
ficheck_flags \NAMESPACES NET_NS PID_NS IPC_NS UTS_NS \CGROUPS CGROUP_CPUACCT CGROUP_DEVICE CGROUP_FREEZER CGROUP_SCHED CPUSETS MEMCG \KEYS \VETH BRIDGE BRIDGE_NETFILTER \IP_NF_FILTER IP_NF_MANGLE IP_NF_TARGET_MASQUERADE \NETFILTER_XT_MATCH_ADDRTYPE \NETFILTER_XT_MATCH_CONNTRACK \NETFILTER_XT_MATCH_IPVS \NETFILTER_XT_MARK \IP_NF_NAT NF_NAT \POSIX_MQUEUE
# (POSIX_MQUEUE is required for bind-mounting /dev/mqueue into containers)if [ "$kernelMajor" -lt 4 ] || ([ "$kernelMajor" -eq 4 ] && [ "$kernelMinor" -lt 8 ]); thencheck_flags DEVPTS_MULTIPLE_INSTANCES
fiif [ "$kernelMajor" -lt 5 ] || [ "$kernelMajor" -eq 5 -a "$kernelMinor" -le 1 ]; thencheck_flags NF_NAT_IPV4
fiif [ "$kernelMajor" -lt 5 ] || [ "$kernelMajor" -eq 5 -a "$kernelMinor" -le 2 ]; thencheck_flags NF_NAT_NEEDED
fi
# check availability of BPF_CGROUP_DEVICE support
if [ "$kernelMajor" -ge 5 ] || ([ "$kernelMajor" -eq 4 ] && [ "$kernelMinor" -ge 15 ]); thencheck_flags CGROUP_BPF
fiechoecho 'Optional Features:'
{check_flags USER_NS
}
{check_flags SECCOMPcheck_flags SECCOMP_FILTER
}
{check_flags CGROUP_PIDS
}
{check_flags MEMCG_SWAP# Kernel v5.8+ removes MEMCG_SWAP_ENABLED.if [ "$kernelMajor" -lt 5 ] || [ "$kernelMajor" -eq 5 -a "$kernelMinor" -le 8 ]; thenCODE=${EXITCODE}check_flags MEMCG_SWAP_ENABLED# FIXME this check is cgroupv1-specificif [ -e /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes ]; thenecho " $(wrap_color '(cgroup swap accounting is currently enabled)' bold black)"EXITCODE=${CODE}elif is_set MEMCG_SWAP && ! is_set MEMCG_SWAP_ENABLED; thenecho " $(wrap_color '(cgroup swap accounting is currently not enabled, you can enable it by setting boot option "swapaccount=1")' bold black)"fielse# Kernel v5.8+ enables swap accounting by default.echo " $(wrap_color '(cgroup swap accounting is currently enabled)' bold black)"fi
}
{if is_set LEGACY_VSYSCALL_NATIVE; thenprintf -- '- 'wrap_bad "CONFIG_LEGACY_VSYSCALL_NATIVE" 'enabled'echo " $(wrap_color '(dangerous, provides an ASLR-bypassing target with usable ROP gadgets.)' bold black)"elif is_set LEGACY_VSYSCALL_EMULATE; thenprintf -- '- 'wrap_good "CONFIG_LEGACY_VSYSCALL_EMULATE" 'enabled'elif is_set LEGACY_VSYSCALL_NONE; thenprintf -- '- 'wrap_bad "CONFIG_LEGACY_VSYSCALL_NONE" 'enabled'echo " $(wrap_color '(containers using eglibc <= 2.13 will not work. Switch to' bold black)"echo " $(wrap_color ' "CONFIG_VSYSCALL_[NATIVE|EMULATE]" or use "vsyscall=[native|emulate]"' bold black)"echo " $(wrap_color ' on kernel command line. Note that this will disable ASLR for the,' bold black)"echo " $(wrap_color ' VDSO which may assist in exploiting security vulnerabilities.)' bold black)"# else Older kernels (prior to 3dc33bd30f3e, released in v4.40-rc1) do# not have these LEGACY_VSYSCALL options and are effectively# LEGACY_VSYSCALL_EMULATE. Even older kernels are presumably# effectively LEGACY_VSYSCALL_NATIVE.fi
}if [ "$kernelMajor" -lt 4 ] || ([ "$kernelMajor" -eq 4 ] && [ "$kernelMinor" -le 5 ]); thencheck_flags MEMCG_KMEM
fiif [ "$kernelMajor" -lt 3 ] || ([ "$kernelMajor" -eq 3 ] && [ "$kernelMinor" -le 18 ]); thencheck_flags RESOURCE_COUNTERS
fiif [ "$kernelMajor" -lt 3 ] || ([ "$kernelMajor" -eq 3 ] && [ "$kernelMinor" -le 13 ]); thennetprio=NETPRIO_CGROUP
elsenetprio=CGROUP_NET_PRIO
fiif [ "$kernelMajor" -lt 5 ]; thencheck_flags IOSCHED_CFQ CFQ_GROUP_IOSCHED
ficheck_flags \BLK_CGROUP BLK_DEV_THROTTLING \CGROUP_PERF \CGROUP_HUGETLB \NET_CLS_CGROUP $netprio \CFS_BANDWIDTH FAIR_GROUP_SCHED \IP_NF_TARGET_REDIRECT \IP_VS \IP_VS_NFCT \IP_VS_PROTO_TCP \IP_VS_PROTO_UDP \IP_VS_RR \SECURITY_SELINUX \SECURITY_APPARMORif ! is_set EXT4_USE_FOR_EXT2; thencheck_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITYif ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; thenecho " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"fi
ficheck_flags EXT4_FS EXT4_FS_POSIX_ACL EXT4_FS_SECURITY
if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; thenif is_set EXT4_USE_FOR_EXT2; thenecho " $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"elseecho " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"fi
fiecho '- Network Drivers:'
echo " - \"$(wrap_color 'overlay' blue)\":"
check_flags VXLAN BRIDGE_VLAN_FILTERING | sed 's/^/ /'
echo ' Optional (for encrypted networks):'
check_flags CRYPTO CRYPTO_AEAD CRYPTO_GCM CRYPTO_SEQIV CRYPTO_GHASH \XFRM XFRM_USER XFRM_ALGO INET_ESP NETFILTER_XT_MATCH_BPF | sed 's/^/ /'
if [ "$kernelMajor" -lt 5 ] || [ "$kernelMajor" -eq 5 -a "$kernelMinor" -le 3 ]; thencheck_flags INET_XFRM_MODE_TRANSPORT | sed 's/^/ /'
fi
echo " - \"$(wrap_color 'ipvlan' blue)\":"
check_flags IPVLAN | sed 's/^/ /'
echo " - \"$(wrap_color 'macvlan' blue)\":"
check_flags MACVLAN DUMMY | sed 's/^/ /'
echo " - \"$(wrap_color 'ftp,tftp client in container' blue)\":"
check_flags NF_NAT_FTP NF_CONNTRACK_FTP NF_NAT_TFTP NF_CONNTRACK_TFTP | sed 's/^/ /'# only fail if no storage drivers available
CODE=${EXITCODE}
EXITCODE=0
STORAGE=1echo '- Storage Drivers:'
echo " - \"$(wrap_color 'btrfs' blue)\":"
check_flags BTRFS_FS | sed 's/^/ /'
check_flags BTRFS_FS_POSIX_ACL | sed 's/^/ /'
[ "$EXITCODE" = 0 ] && STORAGE=0
EXITCODE=0echo " - \"$(wrap_color 'overlay' blue)\":"
check_flags OVERLAY_FS | sed 's/^/ /'
[ "$EXITCODE" = 0 ] && STORAGE=0
EXITCODE=0echo " - \"$(wrap_color 'zfs' blue)\":"
printf ' - '
check_device /dev/zfs
printf ' - '
check_command zfs
printf ' - '
check_command zpool
[ "$EXITCODE" = 0 ] && STORAGE=0
EXITCODE=0EXITCODE=$CODE
[ "$STORAGE" = 1 ] && EXITCODE=1echocheck_limit_over() {if [ "$(cat "$1")" -le "$2" ]; thenwrap_bad "- $1" "$(cat "$1")"wrap_color " This should be set to at least $2, for example set: sysctl -w kernel/keys/root_maxkeys=1000000" bold blackEXITCODE=1elsewrap_good "- $1" "$(cat "$1")"fi
}echo 'Limits:'
check_limit_over /proc/sys/kernel/keys/root_maxkeys 10000
echoexit $EXITCODE
检测结果
Generally Necessary:
--cgroup hierarchy: cgroupv2Controllers:- cpu: missing- cpuset: missing- io: missing- memory: missing- pids: available
--CONFIG_NAMESPACES: enabled
--CONFIG_NET_NS: enabled
--CONFIG_PID_NS: enabled
--CONFIG_IPC_NS: enabled
--CONFIG_UTS_NS: enabled
--CONFIG_CGROUPS: enabled
--CONFIG_CGROUP_CPUACCT: enabled
--CONFIG_CGROUP_DEVICE: enabled
--CONFIG_CGROUP_FREEZER: enabled
--CONFIG_CGROUP_SCHED: enabled
--CONFIG_CPUSETS: enabled
--CONFIG_MEMCG: enabled
--CONFIG_KEYS: enabled
--CONFIG_VETH: enabled
--CONFIG_BRIDGE: enabled
--CONFIG_BRIDGE_NETFILTER: enabled
--CONFIG_IP_NF_FILTER: enabled
--CONFIG_IP_NF_MANGLE: enabled
--CONFIG_IP_NF_TARGET_MASQUERADE: enabled
--CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
--CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
--CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
--CONFIG_NETFILTER_XT_MARK: enabled
--CONFIG_IP_NF_NAT: enabled
--CONFIG_NF_NAT: enabled
--CONFIG_POSIX_MQUEUE: enabled
--CONFIG_CGROUP_BPF: enabledOptional Features:
--CONFIG_USER_NS: enabled
--CONFIG_SECCOMP: enabled
--CONFIG_SECCOMP_FILTER: enabled
--CONFIG_CGROUP_PIDS: enabled
--CONFIG_MEMCG_SWAP: enabled(cgroup swap accounting is currently enabled)
--CONFIG_BLK_CGROUP: enabled
--CONFIG_BLK_DEV_THROTTLING: enabled
--CONFIG_CGROUP_PERF: enabled
--CONFIG_CGROUP_HUGETLB: missing
--CONFIG_NET_CLS_CGROUP: enabled
--CONFIG_CGROUP_NET_PRIO: enabled
--CONFIG_CFS_BANDWIDTH: enabled
--CONFIG_FAIR_GROUP_SCHED: enabled
--CONFIG_IP_NF_TARGET_REDIRECT: enabled
--CONFIG_IP_VS: enabled
--CONFIG_IP_VS_NFCT: enabled
--CONFIG_IP_VS_PROTO_TCP: enabled
--CONFIG_IP_VS_PROTO_UDP: enabled
--CONFIG_IP_VS_RR: enabled
--CONFIG_SECURITY_SELINUX: enabled
--CONFIG_SECURITY_APPARMOR: enabled
--CONFIG_EXT4_FS: enabled
--CONFIG_EXT4_FS_POSIX_ACL: enabled
--CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:- "overlay":--CONFIG_VXLAN: enabled--CONFIG_BRIDGE_VLAN_FILTERING: missingOptional (for encrypted networks):--CONFIG_CRYPTO: enabled--CONFIG_CRYPTO_AEAD: enabled--CONFIG_CRYPTO_GCM: enabled--CONFIG_CRYPTO_SEQIV: enabled--CONFIG_CRYPTO_GHASH: enabled--CONFIG_XFRM: enabled--CONFIG_XFRM_USER: enabled--CONFIG_XFRM_ALGO: enabled--CONFIG_INET_ESP: enabled--CONFIG_NETFILTER_XT_MATCH_BPF: enabled- "ipvlan":--CONFIG_IPVLAN: enabled- "macvlan":--CONFIG_MACVLAN: enabled--CONFIG_DUMMY: enabled- "ftp,tftp client in container":--CONFIG_NF_NAT_FTP: enabled--CONFIG_NF_CONNTRACK_FTP: enabled--CONFIG_NF_NAT_TFTP: enabled--CONFIG_NF_CONNTRACK_TFTP: enabled
- Storage Drivers:- "btrfs":--CONFIG_BTRFS_FS: enabled--CONFIG_BTRFS_FS_POSIX_ACL: enabled- "overlay":--CONFIG_OVERLAY_FS: enabled- "zfs":- /dev/zfs: missing- zfs command: missing- zpool command: missing
](/images/no-images.jpg)
