@olljanat olljanat commented Apr 8, 2021

Opening this one for discussion based on Discord. Currently it only contains a copy/paste config from Fedora CoreOS 33.20210314.3.0, which is a similar container OS to BurmillaOS but focuses on Podman/Kubernetes.

olljanat commented Apr 8, 2021

@ToeiRei I noticed your comment on Discord today.

It looks like this does not change those settings which I was mostly worried about on #5, so most probably it is a better starting point than the Debian kernel config.

Does not enable:

  • CONFIG_NUMA_EMU
  • CONFIG_PM_AUTOSLEEP

Does not disable:

  • CONFIG_CLEANCACHE

Did you have some other changes in mind which we should include here?

ToeiRei commented Apr 8, 2021

I was thinking to go down the selinux or other more hardened route. Due to covid some people have too much time on their hands and start to pentest docker hosts.

Still experiments, but I feel like we are a bit too easy on security, relying solely on the docker in docker concept.

For other kernel stuff I suggest zram as I have seen some improvements to performance here. (subjective, but still noticeable on my build system)

olljanat commented Apr 8, 2021

> I was thinking to go down the selinux

We actually have selinux support on BurmillaOS. It is described in the documentation (selinux_enabled setting). It uses policies from https://github.com/burmilla/refpolicy but I'm not sure when it was last tested, so I guess that it might need some work.

> or other more hardened route.

Did you notice that I actually added one new security feature recently: burmilla/os#63?
I will build a new beta version soon, so it will get included in that one.

> For other kernel stuff I suggest zram as I have seen some improvements to performance here. (subjective, but still noticeable on my build system)

zram sounds interesting. I will study it.

olljanat commented Apr 9, 2021

Unfortunately, it looks like the build fails with those changes.

@olljanat olljanat marked this pull request as draft April 9, 2021 15:03
@olljanat

@ToeiRei btw, how did you solve that embedded firmware issue on #5 (comment)? It looks like this config comes with the same issue, so the kernel package is huge...

ToeiRei commented Apr 19, 2021

As the kernel is updated quite often, I just compile the firmware in. No need for separate updates.

@olljanat

Yeah, but how can I avoid it? I see it as very useful to be able to drop firmware from the version which is used by virtual machines without needing to rebuild the kernel.

ToeiRei commented Apr 19, 2021

Device Drivers -> Generic Driver Options -> Firmware loader -> Build named firmware blobs into the kernel binary

@olljanat olljanat closed this Jul 21, 2022