Allow custom kernel boot args via --kernel-arg#1744
Open
arirubinstein wants to merge 1 commit into
Open
Conversation
Add a repeatable --kernel-arg flag to plumb arbitrary boot arguments onto the kernel command line. User-supplied args are persisted on the kernel in the bundle, and the runtime's built-in defaults (oops=panic, lsm=...) are now applied per-key only when the user has not already supplied that key. This lets custom kernels override the LSM stack, e.g. to enable BPF LSM with: --kernel-arg lsm=lockdown,capability,landlock,yama,apparmor,bpf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of Change
What
Adds a repeatable
--kernel-argflag tocontainer run/container createfor appending arbitrary boot arguments to the kernel command line.Why
The runtime hardcodes
lsm=lockdown,capability,landlock,yama,apparmor(andoops=panic) onto every kernel command line inRuntimeService.bootstrap. With a custom kernel there is no way to adjust this — e.g. to enable BPF LSM you needlsm=...,bpf, which is currently impossible. More generally there is no escape hatch for any boot-time kernel argument.How
--kernel-arg <arg>option (repeatable) onFlags.Management.Utility.getKernelappends the user args ontokernel.commandLine.kernelArgs, which is persisted into the container bundle.RuntimeService.bootstrapnow applies its built-in defaults per-key, skipping any default whose key the user already supplied. Defaults are expressed as a small keyed table, so this also letsoops=be overridden and makes future defaults easy to add.Default behavior is unchanged for anyone who does not pass
--kernel-arg— the sameoops=panicandlsm=...args are applied.Testing
swift buildclean.container run --helprenders the new flag.