
Add netlink debug to kernels #289

Open
wants to merge 3 commits into
base: develop
Conversation

yeazelm
Contributor

@yeazelm yeazelm commented Nov 27, 2024

Issue number:

Closes bottlerocket-os/bottlerocket#4313

Description of changes:
CRIU requires NETLINK_DEBUG for capturing socket info for checkpoint and restore. This adds the module to the kernel config for that use case.

Testing done:
Built aws-k8s-1.31 and confirmed module loads.

bash-5.1# modprobe netlink_diag
bash-5.1# lsmod | grep netlink
netlink_diag           16384  0
nf_conntrack_netlink    57344  0
nfnetlink_acct         16384  3 xt_nfacct
nfnetlink              20480  7 nfnetlink_acct,nf_conntrack_netlink,nf_tables
nf_conntrack          184320  7 xt_conntrack,nf_nat,xt_state,xt_nat,nf_conntrack_netlink,xt_connmark,xt_MASQUERADE

Confirmed the same works on aws-k8s-1.24 (5.15 kernel) and aws-ecs-1 (5.10 kernel). I also checked aarch64 for 6.1 kernel.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

CRIU requires NETLINK_DEBUG for capturing socket info for checkpoint and
restore. This adds the module for that use case.

Signed-off-by: Matthew Yeazel <[email protected]>
@yeazelm yeazelm requested review from bcressey and larvacea November 27, 2024 16:47
@@ -1312,6 +1312,7 @@ install -p -m 0644 %{S:302} %{buildroot}%{_cross_bootconfigdir}/05-metal.conf
%{_cross_kmoddir}/kernel/net/netfilter/xt_TPROXY.ko.*
%{_cross_kmoddir}/kernel/net/netfilter/xt_TRACE.ko.*
%{_cross_kmoddir}/kernel/net/netfilter/xt_u32.ko.*
%{_cross_kmoddir}/kernel/net/netlink/netlink_diag.ko.*
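Review bot: the `%files` entry for `netlink_diag.ko.*` is the only spec change in the hunk, while the PR description says all three kernel configs gained `CONFIG_NETLINK_DIAG=m`; a reader of this hunk alone cannot tell whether the 5.10 and 5.15 specs pick the module up through a broader glob or simply never package it. Suggest stating that in the PR description (or a one-line comment next to this entry) so the asymmetry between the spec files is documented rather than discovered in review.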
Member

Why is this the only spec file change? All three kernel configs look as if they should create a kmod.

Contributor Author


The modules sections in the other two kernel spec files are not as explicit. We are choosing exactly which modules we want in 6.1, but 5.10 and 5.15 basically include all the modules via this: https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/packages/kernel-5.10/kernel-5.10.spec#L302. So the specific break-out is required only for 6.1. This is why I tried the other kernels explicitly, to make sure the module is loadable on a booted box.

@arnaldo2792
Contributor

arnaldo2792 commented Dec 3, 2024

  • What other configurations are we getting by enabling the new CONFIG ?
  • Why shouldn't the module be built in the kernel image rather than as a kernel module?

@yeazelm
Contributor Author

yeazelm commented Dec 4, 2024

  • What other configurations are we getting by enabling the new CONFIG ?

This just adds the one module.

diff --color /home/fedora/git/bottlerocket-core-kit/directory-for-develop/config-5.10-x86_64.config directory-for-updated-configs/config-5.10-x86_64.config
1671c1671
< # CONFIG_NETLINK_DIAG is not set
---
> CONFIG_NETLINK_DIAG=m
diff --color /home/fedora/git/bottlerocket-core-kit/directory-for-develop/config-5.15-aarch64.config directory-for-updated-configs/config-5.15-aarch64.config
1670c1670
< # CONFIG_NETLINK_DIAG is not set
---
> CONFIG_NETLINK_DIAG=m
diff --color /home/fedora/git/bottlerocket-core-kit/directory-for-develop/config-5.15-x86_64.config directory-for-updated-configs/config-5.15-x86_64.config
1664c1664
< # CONFIG_NETLINK_DIAG is not set
---
> CONFIG_NETLINK_DIAG=m
diff --color /home/fedora/git/bottlerocket-core-kit/directory-for-develop/config-6.1-aarch64.config directory-for-updated-configs/config-6.1-aarch64.config
1706c1706
< # CONFIG_NETLINK_DIAG is not set
---
> CONFIG_NETLINK_DIAG=m
diff --color /home/fedora/git/bottlerocket-core-kit/directory-for-develop/config-6.1-x86_64.config directory-for-updated-configs/config-6.1-x86_64.config
1717c1717
< # CONFIG_NETLINK_DIAG is not set
---
> CONFIG_NETLINK_DIAG=m
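Review bot: the five diffs each change only the single `CONFIG_NETLINK_DIAG` line from "is not set" to `=m`, which supports the "just adds the one module" answer. Note that 5.15 and 6.1 are shown for both x86_64 and aarch64 but 5.10 is shown only for x86_64; if a 5.10 aarch64 config exists in the tree, confirm it received the same one-line change, since the testing section mentions aarch64 only for the 6.1 kernel.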
  • Why shouldn't the module be built in the kernel image rather than as a kernel module?

It isn't needed for most operations, so loading it only when you need it keeps the kernel binary smaller. We can make it built-in if we would like, but I tend to opt for loadable modules unless we expect the vast majority of use cases to need it.
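The verification in the testing section (modprobe, then lsmod) and the built-in versus loadable-module trade-off above can be checked mechanically. The script below is an added example, not code from the PR or from the Bottlerocket project: it classifies an option from a Kconfig-style .config file as built-in, module, unset or missing, and then confirms the module is actually present, either in lsmod output (loadable module) or in the kernel's modules.builtin list (built-in). The sample config, modules.builtin and lsmod text are constructed for the demo and mirror the shapes seen in this thread; on a real host the builtin list lives at /lib/modules/$(uname -r)/modules.builtin and lsmod output would be piped in directly.

```shell
#!/bin/sh
# Added example, not code from the PR or the Bottlerocket project.
# Classifies how a Kconfig option is built (from a .config file) and checks that
# the corresponding module is present: in lsmod output for a loadable module, or
# in modules.builtin for a built-in one. All sample inputs are constructed.

# kconfig_state OPTION CONFIG_FILE -> builtin | module | unset | missing
kconfig_state() {
    _opt="$1"; _cfg="$2"
    if grep -q "^${_opt}=y\$" "$_cfg"; then
        echo builtin
    elif grep -q "^${_opt}=m\$" "$_cfg"; then
        echo module
    elif grep -q "^# ${_opt} is not set\$" "$_cfg"; then
        echo unset
    else
        echo missing          # option not mentioned at all in this config
    fi
}

# module_loaded NAME < lsmod-output -> exit 0 if NAME appears in the Module column
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# module_builtin NAME BUILTIN_LIST -> exit 0 if .../NAME.ko is listed
# (real path: /lib/modules/$(uname -r)/modules.builtin)
module_builtin() {
    grep -q "/$1\.ko\$" "$2"
}

# module_status NAME OPTION CONFIG_FILE BUILTIN_LIST < lsmod-output
# -> builtin-present | mismatch | module-loaded | module-not-loaded | unset | missing
module_status() {
    _name="$1"; _state=$(kconfig_state "$2" "$3")
    case "$_state" in
        builtin) module_builtin "$_name" "$4" && echo builtin-present || echo mismatch ;;
        module)  module_loaded "$_name" && echo module-loaded || echo module-not-loaded ;;
        *)       echo "$_state" ;;
    esac
}

# Constructed sample inputs (shaped like the config diff and lsmod output above).
# Prints the directory holding config, modules.builtin and lsmod.
write_samples() {
    _dir=$(mktemp -d)
    cat > "$_dir/config" <<'EOF'
CONFIG_NET=y
CONFIG_NETLINK_DIAG=m
# CONFIG_UNIX_DIAG is not set
CONFIG_INET_DIAG=y
EOF
    cat > "$_dir/modules.builtin" <<'EOF'
kernel/net/ipv4/inet_diag.ko
EOF
    cat > "$_dir/lsmod" <<'EOF'
Module                  Size  Used by
netlink_diag           16384  0
nfnetlink              20480  7 nfnetlink_acct,nf_conntrack_netlink,nf_tables
EOF
    echo "$_dir"
}

# Stand-alone run: report each module against the constructed samples.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    d=$(write_samples)
    for pair in netlink_diag:CONFIG_NETLINK_DIAG unix_diag:CONFIG_UNIX_DIAG inet_diag:CONFIG_INET_DIAG; do
        echo "${pair%%:*}: $(module_status "${pair%%:*}" "${pair#*:}" "$d/config" "$d/modules.builtin" < "$d/lsmod")"
    done
fi
```

The `mismatch` branch is the interesting one for a packaging review: a config that says `=y` while modules.builtin lacks the module means the config and the shipped kernel image do not agree, which is exactly the kind of gap a spec-file-only change can hide.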
