some-natalie / fedora-acs-override Goto Github PK

View Code? Open in Web Editor NEW

42.0 42.0 14.0 445 KB

Using the ACS override patch for Fedora to split identical hardware in the kernel

Home Page: https://some-natalie.dev/blog/fedora-acs-override/

License: MIT License

Shell 63.99% Dockerfile 36.01%

acs-override fedora pci-passthrough

fedora-acs-override's Introduction

Hi there 👋

I'm Natalie, a DevSecOps engineer and consultant experienced in developer experience and consolidation within a wide array of security-focused environments. I work at the intersection of technology, people, and highly-regulated industries as a Principal Federal Solutions Engineer at Chainguard!

📝 I write about tech, what I'm working on, and what I'm playing with on my blog. Here's what I've been up to lately:

Reducing CVEs in actions-runner-controller: (Kubernoodles, part 9 of ?) - The same actions-runner-controller you know and love (or curse), but with many fewer CVEs to generate compliance paperwork.
GraphQL patterns to know: Handy snippets, tips, and tricks for working in GraphQL I struggled for so you don't have to.
Intro to GraphQL using custom fields in GitHub Projects: Getting started with the new GitHub Issues and Projects API, exclusively in GraphQL, doesn't have to be so difficult.

💼 Day to day, I work with

Linux (mostly RHEL and Ubuntu these days) - fedora-acs-override
Kubernetes - kubernoodles, self-hosted GitHub Actions runners made for humans
Software development in highly regulated industries (ITAR, CMMC, NIST 800-171, DoD IL 2-6)
Python - Advanced Security CSV export
Go - gh-org-admin-promote
GitHub Enterprise - enterprise security team, audit and compliance reporting
but mostly, I work with people on all of the above! 💖

You can find me in our work Slack sharing all sorts of neat things you can do with all that fun stuff and probably find out how I've broken and maybe fixed something too. 😀

👾 I play with

All sorts of handy Raspberry Pi projects, including
- Kodi set up on a television for local media (build directions)
- OpenWRT router (build directions)
- Pi-hole, for DNS and ad-blocking (build directions)
- Ubiquiti UniFi network controller, in Docker of course
I'm getting into the Flipper Zero lately - it's so handy and mischievous! (some fun uses)
Video games in a Windows VM on my Fedora desktop with libvirt, KVM, and a custom Linux kernel to pass hardware to it. It's got about 5% or so performance drop (just looking at frame rates) over a native install. You should check it out - code and write-up on how it works.

I have an awesome life outside of tech, so while I have a few projects that I enjoy (👆), nothing above is close to where I spend most of my time / energy. If you need anything of mine above fixed, please feel free to fork it and send me a pull request! ❤️

Heads up!

🌱 I’m currently studying to sit for my OSCP certification and learning to write better conference talk proposals.
🎤 Public speaking is fun! Check out what I've been up to here.
😄 Pronouns: she/her
❓ Looking for my résumé? It's here, but you can also find some of what I've been up to in my profile. If you want to know about where else I've worked and went to school, you should go to LinkedIn.
💬 Want to chat? I'm on Mastodon.

fedora-acs-override's People

Contributors

Stargazers

Watchers

Forkers

cereal7802 parndt rswens001 evernow patrykf03 evanjarrett z-fire821 larger-runner-demo red3amer kauld rustd curiousengg stefanleh some-fantastic safizn

fedora-acs-override's Issues

last build 3 weeks ago

hi natalie, the last build is 3 weeks in the past and there is a 6.6 kernel for fc38 in the official repo. would be nice to run a new build. tnx in advance, stefan

Investigate why F35 kernel is so much larger

Since adding FC35, I've noticed the build artifacts for it are about 10x bigger than FC34 (bit under 100 MB to around 900 MB). Why?

Is F34 build still relevant?

Hello all,

please comment if you are still using F34 and need ACS kernels for this release.
As i was the one asking for F34 kernels for my home server, i feel obligated to ask for deprecation.

Best regards,
Stefan

"To add the patch, add the two lines below to the spec file in the section for patches (usually right below the sources)."

Where?

I'm getting,

# don't apply patch if it's empty
ApplyOptionalPatch()                                                                                                    {                                                                                                                         local patch=$1                                                                                                          shift
  if [ ! -f $RPM_SOURCE_DIR/$patch ]; then                                                                                  exit 1                                                                                                                fi
  local C=$(wc -l $RPM_SOURCE_DIR/$patch | awk '{print $1}')
  if [ "$C" -gt 9 ]; then
    ApplyPatch $patch ${1+"$@"}
  fi
}                                                                                                                                                                                                                                               %setup -q -n kernel-5.17.12 -c
mv linux-5.17.12 linux-%{KVERREL}                                                                                                                                                                                                               cd linux-%{KVERREL}                                                                                                     cp -a %{SOURCE1} .                                                                                                                                                                                                                              %if !%{nopatches}                                                                                                                                                                                                                               ApplyOptionalPatch patch-%{patchversion}-redhat.patch                                                                   %endif                                                                                                                                                                                                                                          ApplyOptionalPatch linux-kernel-test.patch
ApplyOptionalPatch add-acs-override.patch
# END OF PATCH APPLICATIONS
                                                                                                                        # Any further pre-build tree manipulations happen here.                                                                                                                                                                                         chmod +x scripts/checkpatch.pl                                                                                                                                                                                                                  "kernel.spec" 5561L, 269302B written
[star@fedora SPECS]$ rpmbuild -bb kernel.spec
warning: Macro expanded in comment on line 191: %define with_kabichk   %{?_without_kabichk:   0} %{?!_without_kabichk:   1}

setting SOURCE_DATE_EPOCH=1653868800
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.Rw5RzT
+ umask 022
+ cd /home/star/rpmbuild/BUILD
+ patch_command='patch -p1 -F1 -s'
+ cd /home/star/rpmbuild/BUILD
+ rm -rf kernel-5.17.12
+ /usr/bin/mkdir -p kernel-5.17.12
+ cd kernel-5.17.12
+ /usr/bin/xz -dc /home/star/rpmbuild/SOURCES/linux-5.17.12.tar.xz
+ /usr/bin/tar -xof -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ mv linux-5.17.12 linux-5.17.12-300.acs.fc36.x86_64
+ cd linux-5.17.12-300.acs.fc36.x86_64
+ cp -a /home/star/rpmbuild/SOURCES/Makefile.rhelver .
+ ApplyOptionalPatch patch-5.17-redhat.patch
+ local patch=patch-5.17-redhat.patch
+ shift
+ '[' '!' -f /home/star/rpmbuild/SOURCES/patch-5.17-redhat.patch ']'
++ wc -l /home/star/rpmbuild/SOURCES/patch-5.17-redhat.patch
++ awk '{print $1}'
+ local C=2112
+ '[' 2112 -gt 9 ']'
+ ApplyPatch patch-5.17-redhat.patch
+ local patch=patch-5.17-redhat.patch
+ shift
+ '[' '!' -f /home/star/rpmbuild/SOURCES/patch-5.17-redhat.patch ']'
+ case "$patch" in
+ patch -p1 -F1 -s
+ ApplyOptionalPatch linux-kernel-test.patch
+ local patch=linux-kernel-test.patch
+ shift
+ '[' '!' -f /home/star/rpmbuild/SOURCES/linux-kernel-test.patch ']'
++ wc -l /home/star/rpmbuild/SOURCES/linux-kernel-test.patch
++ awk '{print $1}'
+ local C=0
+ '[' 0 -gt 9 ']'
+ ApplyOptionalPatch add-acs-override.patch
+ local patch=add-acs-override.patch
+ shift
+ '[' '!' -f /home/star/rpmbuild/SOURCES/add-acs-override.patch ']'
++ wc -l /home/star/rpmbuild/SOURCES/add-acs-override.patch
++ awk '{print $1}'
+ local C=192
+ '[' 192 -gt 9 ']'
+ ApplyPatch add-acs-override.patch
+ local patch=add-acs-override.patch
+ shift
+ '[' '!' -f /home/star/rpmbuild/SOURCES/add-acs-override.patch ']'
Patch1000: add-acs-override.patch
+ case "$patch" in
+ patch -p1 -F1 -s
1 out of 2 hunks FAILED -- saving rejects to file drivers/pci/quirks.c.rej
error: Bad exit status from /var/tmp/rpm-tmp.Rw5RzT (%prep)

RPM build warnings:
    Macro expanded in comment on line 191: %define with_kabichk   %{?_without_kabichk:   0} %{?!_without_kabichk:   1}


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.Rw5RzT (%prep)

Maybe it can be dropped now to clean stuff up a bit?

btw ... happy new year to you :)

Best regards,
Stefan

Make use of "releases" concept of GitHub

Maybe the artifacts built by GitHub Actions could be made available by using the "releases" concept of GitHub: https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases? This would make it a lot easier for people passing by to find the rpms.

FC 37 EOL

Hi Natalie,

Happy new Year! :)
Just wanted to remind you that FC 37 is EOL since end of last year.
Maybe you want to do a little spring cleaning?

Best regards, Stefan