修改配置
vim common/arch/arm64/configs/xxx_defconfig
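# Kernel options the detection script below checks, one option per line.
# A defconfig fragment is read line by line, so two options written on one
# line leave the second one unset; the original listing had three such lines
# (VXLAN/BRIDGE_VLAN_FILTERING, CRYPTO/CRYPTO_AEAD, CRYPTO_GHASH/XFRM).
# Checked by the script but not listed here: CONFIG_IP_NF_MANGLE and
# CONFIG_NETFILTER_XT_MATCH_BPF.

# Namespaces (PID/NET/IPC/UTS): process isolation
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_PID_NS=y
CONFIG_IPC_NS=y
CONFIG_UTS_NS=y
# cgroups: resource accounting and limits
CONFIG_CGROUPS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_SCHED=y
CONFIG_CPUSETS=y
CONFIG_MEMCG=y
# Kernel keyrings; the script also checks the kernel.keys.root_maxkeys limit
CONFIG_KEYS=y
# Container networking: veth pairs, bridging, netfilter and NAT
CONFIG_VETH=y
CONFIG_BRIDGE=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_IPVS=y
CONFIG_NETFILTER_XT_MARK=y
CONFIG_IP_NF_NAT=y
CONFIG_NF_NAT=y
CONFIG_POSIX_MQUEUE=y
# The script only checks these two on older kernels (gated on kernel version)
CONFIG_NF_NAT_IPV4=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_CGROUP_BPF=y
# Listed under "Optional Features" by the script: user namespaces and
# seccomp syscall filtering
CONFIG_USER_NS=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_CGROUP_PIDS=y
CONFIG_MEMCG_SWAP=y
# Only checked on kernels up to 5.8 (the script notes the option was removed)
CONFIG_MEMCG_SWAP_ENABLED=y
# CFQ options: only checked on kernels before 5.0
CONFIG_IOSCHED_CFQ=y
CONFIG_CFQ_GROUP_IOSCHED=y
CONFIG_BLK_CGROUP=y
CONFIG_BLK_DEV_THROTTLING=y
CONFIG_CGROUP_PERF=y
# Reported "missing" in the result below even though it is set here;
# presumably an unmet dependency in this kernel - confirm against the built .config
CONFIG_CGROUP_HUGETLB=y
CONFIG_NET_CLS_CGROUP=y
CONFIG_CGROUP_NET_PRIO=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_VS=y
CONFIG_IP_VS_NFCT=y
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_RR=y
# Mandatory access control modules (SELinux / AppArmor)
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
# "overlay" network driver (split from one merged line; that merge is the
# likely reason the result below shows BRIDGE_VLAN_FILTERING as missing)
CONFIG_VXLAN=y
CONFIG_BRIDGE_VLAN_FILTERING=y
# Encrypted overlay networks (split from merged lines)
CONFIG_CRYPTO=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_GHASH=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_XFRM_ALGO=y
CONFIG_INET_ESP=y
# Only checked on kernels before 5.4 (gated on kernel version)
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_IPVLAN=y
CONFIG_MACVLAN=y
CONFIG_DUMMY=y
# FTP/TFTP connection-tracking and NAT helpers
CONFIG_NF_NAT_FTP=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_NAT_TFTP=y
CONFIG_NF_CONNTRACK_TFTP=y
# Storage drivers; AUFS and the device-mapper options below are not checked
# by the detection script (its storage section covers btrfs, overlay, zfs)
CONFIG_AUFS_FS=y
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_THIN_PROVISIONING=y
CONFIG_OVERLAY_FS=y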
编译内核烧录
检测脚本
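#!/usr/bin/env sh
#
# Checks a Linux kernel config for the options needed to run containers
# (namespaces, cgroups, netfilter/NAT, storage and network drivers).
# Usage:   check-config.sh [/path/to/kernel/.config]
#          CONFIG=/path/to/kernel/.config check-config.sh
# Env:     NO_COLOR=1 disables ANSI colours on the report.
# Exit:    0 when every required option is present, 1 otherwise.
set -e
EXITCODE=0

# bits of this were adapted from lxc-checkconfig
# see also the lxc-checkconfig script in the lxc project (reference URL lost in this copy)

# Candidate config locations, tried in order when $CONFIG does not exist.
# Kept as a whitespace-separated string on purpose: the search loop word-splits it.
possibleConfigs="
  /proc/config.gz
  /boot/config-$(uname -r)
  /usr/src/linux-$(uname -r)/.config
  /usr/src/linux/.config
"

# An explicit path argument wins; otherwise honour $CONFIG from the
# environment, defaulting to /proc/config.gz.
if [ $# -gt 0 ]; then
  CONFIG="$1"
else
  : "${CONFIG:=/proc/config.gz}"
fi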
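# zgrep(1) normally ships with gzip; provide a minimal stand-in when it is
# absent so /proc/config.gz can still be searched.  Argument order is
# grep-like: $1 = pattern, $2 = gzip-compressed file.
# NOTE: unlike real zgrep this stand-in only handles gzip input (zcat).
if ! command -v zgrep > /dev/null 2>&1; then
  zgrep() {
    zcat "$2" | grep "$1"
  }
fi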
# Colour the report only when stdout is a terminal and NO_COLOR is not "1".
if [ "$NO_COLOR" != "1" ] && [ -t 1 ]; then
  useColor=true
else
  useColor=false
fi

# Split "MAJOR.MINOR.rest" from uname -r into its numeric parts; the
# version gates further down compare these with -lt/-le/-ge.
kernelVersion="$(uname -r)"
kernelMajor="${kernelVersion%%.*}"
kernelMinor="${kernelVersion#*.}"
kernelMinor="${kernelMinor%%.*}"
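# is_set FLAG: true when CONFIG_FLAG is built in (=y) or a module (=m)
# in the config file named by the global $CONFIG.  FLAG is interpolated
# into a grep pattern, so callers pass literal option names only.
# Anchored at line start so a longer option name ending in FLAG cannot match.
is_set() {
  zgrep "^CONFIG_$1=[ym]" "$CONFIG" > /dev/null
}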
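# is_set_in_kernel FLAG: true only when CONFIG_FLAG=y (built in) in $CONFIG.
# Anchored at line start so a longer option name ending in FLAG cannot match.
is_set_in_kernel() {
  zgrep "^CONFIG_$1=y" "$CONFIG" > /dev/null
}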
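# is_set_as_module FLAG: true only when CONFIG_FLAG=m (loadable module) in $CONFIG.
# Anchored at line start so a longer option name ending in FLAG cannot match.
is_set_as_module() {
  zgrep "^CONFIG_$1=m" "$CONFIG" > /dev/null
}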
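# color [bold] [NAME]: emit the ANSI SGR escape for NAME (black, red, green,
# yellow, blue, magenta, cyan, white), optionally bold.  With no recognised
# name the bare "\033[m" reset sequence is emitted, which is how
# `color reset` works.  Emits nothing when the global $useColor is false.
# Uses globals codes/code (POSIX sh, no 'local').
color() {
  # if stdout is not a terminal, then don't do color codes.
  if [ "$useColor" = "false" ]; then
    return 0
  fi
  codes=
  if [ "$1" = 'bold' ]; then
    codes='1'
    shift
  fi
  if [ "$#" -gt 0 ]; then
    code=
    case "$1" in
      # standard SGR foreground colours 30-37
      black) code=30 ;;
      red) code=31 ;;
      green) code=32 ;;
      yellow) code=33 ;;
      blue) code=34 ;;
      magenta) code=35 ;;
      cyan) code=36 ;;
      white) code=37 ;;
    esac
    if [ "$code" ]; then
      codes="${codes:+$codes;}$code"
    fi
  fi
  # ESC[<codes>m — the escape byte was lost in the original listing
  printf '\033[%sm' "$codes"
}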
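# wrap_color TEXT [bold] [NAME]: print TEXT wrapped in the colour selected by
# the remaining arguments, reset the attributes, then end the line.
# Uses the global 'text' (POSIX sh, no 'local').
wrap_color() {
  text="$1"
  shift
  color "$@"
  printf '%s' "$text"
  color reset
  echo
}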
# wrap_good LABEL STATUS: print "LABEL: STATUS" with LABEL in white and
# STATUS in green.
wrap_good() {
  printf '%s: %s\n' "$(wrap_color "$1" white)" "$(wrap_color "$2" green)"
}
# wrap_bad LABEL STATUS: print "LABEL: STATUS" with LABEL in bold and
# STATUS in bold red.
wrap_bad() {
  printf '%s: %s\n' "$(wrap_color "$1" bold)" "$(wrap_color "$2" bold red)"
}
# wrap_warning MESSAGE...: print all arguments joined as one red line on stderr,
# so warnings do not pollute the report on stdout.
wrap_warning() {
  wrap_color "$*" red >&2
}
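# check_flag FLAG: report CONFIG_FLAG as "enabled", "enabled (as module)" or
# "missing".  A missing flag sets the global EXITCODE to 1; it is never reset
# here, so one missing required option fails the whole run.
check_flag() {
  if is_set_in_kernel "$1"; then
    wrap_good "CONFIG_$1" 'enabled'
  elif is_set_as_module "$1"; then
    wrap_good "CONFIG_$1" 'enabled (as module)'
  else
    wrap_bad "CONFIG_$1" 'missing'
    EXITCODE=1
  fi
}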
# check_flags FLAG...: run check_flag for each argument, prefixing every
# report line with "- ".  Uses the global loop variable 'flag'.
check_flags() {
  for flag; do
    printf '%s' '- '
    check_flag "$flag"
  done
}
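# check_command NAME: report whether NAME resolves to a runnable command
# (via command -v).  Sets the global EXITCODE to 1 when it does not.
check_command() {
  if command -v "$1" > /dev/null 2>&1; then
    wrap_good "$1 command" 'available'
  else
    wrap_bad "$1 command" 'missing'
    EXITCODE=1
  fi
}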
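# check_device PATH: report whether PATH exists as a character device
# (used for /dev/zfs).  Sets the global EXITCODE to 1 when it does not.
check_device() {
  if [ -c "$1" ]; then
    wrap_good "$1" 'present'
  else
    wrap_bad "$1" 'missing'
    EXITCODE=1
  fi
}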
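# Locate the kernel config: when $CONFIG does not exist, walk $possibleConfigs
# and take the first candidate that does; give up with exit status 1 if none.
if [ ! -e "$CONFIG" ]; then
  wrap_warning "warning: $CONFIG does not exist, searching other paths for kernel config ..."
  # shellcheck disable=SC2086 — word-splitting of $possibleConfigs is intended
  for tryConfig in $possibleConfigs; do
    if [ -e "$tryConfig" ]; then
      CONFIG="$tryConfig"
      break
    fi
  done
  if [ ! -e "$CONFIG" ]; then
    wrap_warning "error: cannot find kernel config"
    wrap_warning "  try running this script again, specifying the kernel config:"
    wrap_warning "    CONFIG=/path/to/kernel/.config $0 or $0 /path/to/kernel/.config"
    exit 1
  fi
fi

wrap_color "info: reading kernel config from $CONFIG ..." white
echo

echo 'Generally Necessary:'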
echo '- '
printf if [
"$(stat -f -c %t /sys/fs/cgroup 2> /dev/null)" = '63677270' ] ; 'cgroup hierarchy''cgroupv2' then
wrap_good = /
cgroupv2ControllerFile/'/sys/fs.cgroupifcgroup[controllers'
- "$cgroupv2ControllerFile" ]f ; ' Controllers:'for then
echo ;
do controller in cpu cpuset io memory pidsif -
'(^| )' grep "$controller"qE '($| )'"$cgroupv2ControllerFile"; " - $(wrap_good "" 'available')" then
echo else$controller" - $(wrap_bad "
" 'missing')"
echo else$controller"$cgroupv2ControllerFile"
fi
done
'nonexistent??'
wrap_bad # if
fi
. TODO find an efficient way to check else cgroup=freeze exists in subdir
"$(sed -rne '/^[^ ]+ ([^ ]+) cgroup ([^ ]*,)?(cpu|cpuacct|cpuset|devices|freezer|memory)[, ].*$/ { s///p; q }' /proc/mounts)"
cgroupSubsystemDir="$(dirname "
cgroupDir")"if$cgroupSubsystemDir[
- "$cgroupDir/cpu" ]d || [ - "$cgroupDir/cpuacct" ]d || [ - "$cgroupDir/cpuset" ]d || [ - "$cgroupDir/devices" ]d || [ - "$cgroupDir/freezer" ]d || [ - "$cgroupDir/memory" ]d ; "$(wrap_good 'cgroup hierarchy' 'properly mounted') [$cgroupDir]"else then
echo if
[
"$cgroupSubsystemDir" ] ; "$(wrap_bad 'cgroup hierarchy' 'single mountpoint!') [$cgroupSubsystemDir]"else then
echo 'cgroup hierarchy'
'nonexistent??'
wrap_bad = 1
fi
EXITCODE" $(wrap_color '(see https://github.com/tianon/cgroupfs-mount)' yellow)"if
echo [
fi
fi
"$(cat /sys/module/apparmor/parameters/enabled 2> /dev/null)" = 'Y' ] ; --'- ' then
printf if -
> command /v apparmor_parser / 2dev>null &1;'apparmor''enabled and tools installed' then
wrap_good else 'apparmor'
,
wrap_bad ' ' 'enabledif but apparmor_parser missing'
printf -
- command >v apt/get / 2dev>null &1;("apt-get install apparmor" then
wrap_color ')use - to fix this>'
elif command /v yum / 2dev>null &1;("yum install apparmor-parser" then
wrap_color ')your best bet is else('
for
wrap_color '"apparmor"look for an ) package = your distribution1'
fi
EXITCODE(for
fi
fi
# Required options; each is reported as "- CONFIG_X: enabled|missing" and a
# missing one sets EXITCODE=1.  Split into one call per group for readability;
# the output is identical to a single call.
# Note: IP_NF_MANGLE is checked here but is absent from the defconfig
# fragment at the top of this page.
check_flags NAMESPACES NET_NS PID_NS IPC_NS UTS_NS
check_flags CGROUPS CGROUP_CPUACCT CGROUP_DEVICE CGROUP_FREEZER CGROUP_SCHED CPUSETS MEMCG
check_flags KEYS
check_flags VETH BRIDGE BRIDGE_NETFILTER
check_flags IP_NF_FILTER IP_NF_MANGLE IP_NF_TARGET_MASQUERADE
check_flags NETFILTER_XT_MATCH_ADDRTYPE NETFILTER_XT_MATCH_CONNTRACK
check_flags NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MARK
check_flags IP_NF_NAT NF_NAT
# POSIX_MQUEUE is required for bind-mounting /dev/mqueue into containers
check_flags POSIX_MQUEUE
# -POSIX_MQUEUE is required / bind/mounting )devifmqueue into containers[
"$kernelMajor" - 4 ]lt || ( [ "$kernelMajor"- 4 ]eq && [ "$kernelMinor" - 8 ]lt ) ;if[ then
check_flags DEVPTS_MULTIPLE_INSTANCES
fi
"$kernelMajor" - 5 ]lt || [ "$kernelMajor" - 5 -eq "$kernelMinor" -a 1 ]le ; if[ then
check_flags NF_NAT_IPV4
fi
"$kernelMajor" - 5 ]lt || [ "$kernelMajor" - 5 -eq "$kernelMinor" -a 2 ]le ; #check then
check_flags NF_NAT_NEEDED
fi
availability of BPF_CGROUP_DEVICE support if [
"$kernelMajor" - 5 ]ge || ( [ "$kernelMajor"- 4 ]eq && [ "$kernelMinor" - 15 ]ge ) ;'Optional Features:'} then
check_flags CGROUP_BPF
fi
echo
echo }
{
check_flags USER_NS
}
{
check_flags SECCOMP
check_flags SECCOMP_FILTER
#
{
check_flags CGROUP_PIDS
.
{
check_flags MEMCG_SWAP
8 Kernel v5+.if removes MEMCG_SWAP_ENABLED[
"$kernelMajor" - 5 ]lt || [ "$kernelMajor" - 5 -eq "$kernelMinor" -a 8 ]le ; =} then
CODE#${EXITCODE-
check_flags MEMCG_SWAP_ENABLED
if FIXME this check is cgroupv1[specific
- / /e /sys/fs/cgroup.memory.memory]memsw;limit_in_bytes " $(wrap_color '(cgroup swap accounting is currently enabled)' bold black)"= then
echo }
EXITCODE&&${CODE!
elif is_set MEMCG_SWAP ; " $(wrap_color '(cgroup swap accounting is currently not enabled, you can enable it by setting boot option " is_set MEMCG_SWAP_ENABLED= then
echo 1swapaccount")' bold black)"else#
fi
.
8 Kernel v5+default. enables swap accounting by " $(wrap_color '(cgroup swap accounting is currently enabled)' bold black)"}
echo if
fi
;
{
-- is_set LEGACY_VSYSCALL_NATIVE'- ' then
printf "CONFIG_LEGACY_VSYSCALL_NATIVE" 'enabled'
wrap_bad " $(wrap_color '(dangerous, provides an ASLR-bypassing target with usable ROP gadgets.)' bold black)" ;
echo --
elif is_set LEGACY_VSYSCALL_EMULATE'- ' then
printf "CONFIG_LEGACY_VSYSCALL_EMULATE" 'enabled'
wrap_good ; --
elif is_set LEGACY_VSYSCALL_NONE'- ' then
printf "CONFIG_LEGACY_VSYSCALL_NONE" 'enabled'
wrap_bad " $(wrap_color '(containers using eglibc <= 2.13 will not work. Switch to' bold black)" " $(wrap_color ' "
echo [
echo |CONFIG_VSYSCALL_]NATIVE" or use "EMULATE=[vsyscall|]native"' bold black)"emulate" $(wrap_color ' on kernel command line. Note that this will disable ASLR for the,' bold black)"" $(wrap_color ' VDSO which may assist in exploiting security vulnerabilities.)' bold black)"
echo #
echo else
kernels ( Older 3 ,prior to .dc33bd30f3e40 released in v4-)dorc1# not
have these LEGACY_VSYSCALL options and are effectively # .
# LEGACY_VSYSCALL_EMULATEeffectively Even older kernels are presumably
. } LEGACY_VSYSCALL_NATIVEif
fi
[
"$kernelMajor" - 4 ]lt || ( [ "$kernelMajor"- 4 ]eq && [ "$kernelMinor" - 5 ]le ) ;if[ then
check_flags MEMCG_KMEM
fi
"$kernelMajor" - 3 ]lt || ( [ "$kernelMajor"- 3 ]eq && [ "$kernelMinor" - 18 ]le ) ;if[ then
check_flags RESOURCE_COUNTERS
fi
"$kernelMajor" - 3 ]lt || ( [ "$kernelMajor"- 3 ]eq && [ "$kernelMinor" - 13 ]le ) ;=else then
netprio=NETPRIO_CGROUP
if
netprio[CGROUP_NET_PRIO
fi
"$kernelMajor" - 5 ]lt ; if! then
check_flags IOSCHED_CFQ CFQ_GROUP_IOSCHED
fi
# Optional features (block cgroups, scheduler groups, IPVS, LSMs).
# $netprio is set by the version gate just above (NETPRIO_CGROUP on old
# kernels, CGROUP_NET_PRIO otherwise) and is deliberately left unquoted so
# an empty value contributes no argument.
check_flags BLK_CGROUP BLK_DEV_THROTTLING
check_flags CGROUP_PERF
check_flags CGROUP_HUGETLB
check_flags NET_CLS_CGROUP $netprio
check_flags CFS_BANDWIDTH FAIR_GROUP_SCHED
check_flags IP_NF_TARGET_REDIRECT
check_flags IP_VS IP_VS_NFCT IP_VS_PROTO_TCP IP_VS_PROTO_UDP IP_VS_RR
check_flags SECURITY_SELINUX SECURITY_APPARMOR
; if is_set EXT4_USE_FOR_EXT2! then
check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
|| ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL ; " $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)" is_set EXT3_FS_SECURITYif then
echo !
fi
fi
check_flags EXT4_FS EXT4_FS_POSIX_ACL EXT4_FS_SECURITY
|| ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL ; if is_set EXT4_FS_SECURITY; then
" $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)" is_set EXT4_USE_FOR_EXT2else then
echo " $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
'- Network Drivers:'
echo " - \"$(wrap_color 'overlay' blue)\":"
fi
fi
echo |
echo 's/^/ /'
check_flags VXLAN BRIDGE_VLAN_FILTERING Optional sed (
echo ' for ): encrypted networks|'s/^/ /''
check_flags CRYPTO CRYPTO_AEAD CRYPTO_GCM CRYPTO_SEQIV CRYPTO_GHASH \
XFRM XFRM_USER XFRM_ALGO INET_ESP NETFILTER_XT_MATCH_BPF if sed [
"$kernelMajor" - 5 ]lt || [ "$kernelMajor" - 5 -eq "$kernelMinor" -a 3 ]le ; |'s/^/ /' then
check_flags INET_XFRM_MODE_TRANSPORT " - \"$(wrap_color 'ipvlan' blue)\":" sed |
fi
echo 's/^/ /'
check_flags IPVLAN " - \"$(wrap_color 'macvlan' blue)\":" sed |
echo 's/^/ /'
check_flags MACVLAN DUMMY " - \"$(wrap_color 'ftp,tftp client in container' blue)\":" sed |
echo 's/^/ /'
check_flags NF_NAT_FTP NF_CONNTRACK_FTP NF_NAT_TFTP NF_CONNTRACK_TFTP # sed only
if = fail } no storage drivers available
CODE=${EXITCODE0
EXITCODE=1
STORAGE'- Storage Drivers:'" - \"$(wrap_color 'btrfs' blue)\":"
echo |
echo 's/^/ /'
check_flags BTRFS_FS | sed 's/^/ /'
check_flags BTRFS_FS_POSIX_ACL [ sed "$EXITCODE"
= 0 ] && = 0 STORAGE=0
EXITCODE" - \"$(wrap_color 'overlay' blue)\":"|
echo 's/^/ /'
check_flags OVERLAY_FS [ sed "$EXITCODE"
= 0 ] && = 0 STORAGE=0
EXITCODE" - \"$(wrap_color 'zfs' blue)\":"' - '
echo /
printf /
check_device ' - 'dev' - 'zfs
printf [
check_command zfs
printf "$EXITCODE"
check_command zpool
= 0 ] && = 0 STORAGE=0
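# Tail of the storage-driver section: restore the exit code saved in $CODE
# and fail when no storage driver was usable ($STORAGE is still 1 then).
# NOTE(review): this region was reassembled from a garbled listing; compare
# it against the upstream check-config script before relying on it.
EXITCODE=$CODE
[ "$STORAGE" = 1 ] && EXITCODE=1
echo

# check_limit_over FILE MIN: read the sysctl value in FILE and flag it when
# it is not above MIN (intended call: check_limit_over /proc/sys/kernel/keys/root_maxkeys 10000).
# Sets the global EXITCODE to 1 on failure.
check_limit_over() {
  if [ "$(cat "$1")" -le "$2" ]; then
    wrap_bad "- $1" "$(cat "$1")"
    wrap_color "    This should be set to at least $2, for example set: sysctl -w kernel/keys/root_maxkeys=1000000" bold black
    EXITCODE=1
  else
    wrap_good "- $1" "$(cat "$1")"
  fi
}

echo 'Limits:'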
check_limit_over /proc/sys/kernel/keys/root_maxkeys 10000
检测结果
echo
exit $EXITCODE
--
Generally Necessary:
- cgroup hierarchy: cgroupv2
  Controllers:
  - cpu: missing
  - cpuset: missing
  - io: missing
  - memory: missing
  - pids: available
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_MANGLE: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled
- CONFIG_NETFILTER_XT_MARK: enabled
- CONFIG_IP_NF_NAT: enabled
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_SECCOMP_FILTER: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
    (cgroup swap accounting is currently enabled)
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled
- CONFIG_IP_VS: enabled
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled
- CONFIG_SECURITY_SELINUX: enabled
- CONFIG_SECURITY_APPARMOR: enabled
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled
    - CONFIG_BRIDGE_VLAN_FILTERING: missing
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled
      - CONFIG_XFRM_ALGO: enabled
      - CONFIG_INET_ESP: enabled
      - CONFIG_NETFILTER_XT_MATCH_BPF: enabled
  - "ipvlan":
    - CONFIG_IPVLAN: enabled
  - "macvlan":
    - CONFIG_MACVLAN: enabled
    - CONFIG_DUMMY: enabled
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled
    - CONFIG_NF_CONNTRACK_FTP: enabled
    - CONFIG_NF_NAT_TFTP: enabled
    - CONFIG_NF_CONNTRACK_TFTP: enabled
- Storage Drivers:
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled
  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing