packaging: merge packaging repository

git-subtree-dir: tools/packaging
git-subtree-mainline: f818b46a41
git-subtree-split: 1f22d72d5d

Signed-off-by: Peng Tao <bergwolf@hyper.sh>

tools/packaging/kernel/configs/README.md

@@ -0,0 +1,71 @@
+* [Kata Containers kernel config files](#kata-containers-kernel-config-files)
+   * [Types of config files](#types-of-config-files)
+   * [How to use config files](#how-to-use-config-files)
+   * [How to modify config files](#how-to-modify-config-files)
+
+# Kata Containers kernel config files
+
+This directory contains Linux Kernel config files used to configure Kata
+Containers VM kernels.
+
+## Types of config files
+
+This directory holds config files for the Kata Linux Kernel in two forms:
+
+- A tree of config file 'fragments' in the `fragments` sub-folder, that are
+  constructed into a complete config file using the kernel
+  `scripts/kconfig/merge_config.sh` script.
+- As complete config files that can be used as-is.
+
+Kernel config fragments are the preferred method of constructing `.config` files
+to build Kata Containers kernels, due to their improved clarity and ease of maintenance
+over single file monolithic `.config`s.
+
+## How to use config files
+
+The recommended way to set up a kernel tree, populate it with a relevant `.config` file,
+and build a kernel, is to use the [`build_kernel.sh`](../build-kernel.sh) script. For
+example:
+
+```bash
+$ ./build-kernel.sh setup
+```
+
+The `build-kernel.sh` script understands both full and fragment based config files.
+
+Run `./build-kernel.sh help` for more information.
+
+## How to modify config files
+
+Complete config files can be modified either with an editor, or preferably
+using the kernel `Kconfig` configuration tools, for example:
+
+```
+$ cp x86_kata_kvm_4.14.x linux-4.14.22/.config
+$ pushd linux-4.14.22
+$ make menuconfig
+$ popd
+$ cp linux-4.14.22/.config x86_kata_kvm_4.14.x
+```
+
+Kernel fragments are best constructed using an editor. Tools such as `grep` and
+`diff` can help find the differences between two config files to be placed
+into a fragment.
+
+If adding config entries for a new subsystem or feature, consider making a new
+fragment with an appropriately descriptive name.
+
+If you want to disable an entire fragment for a specific architecture, you can add the tag `# !${arch}` in the first line of the fragment. You can also exclude multiple architectures on the same line. Note the `#` at the beginning of the line, this is required to avoid that the tag is interpreted as a configuration.
+Example of valid exclusion:
+```
+# !s390x !ppc64le
+```
+
+The fragment gathering tool perfoms some basic sanity checks, and the `build-kernel.sh` will
+fail and report the error in the cases of:
+
+- A duplicate `CONFIG` symbol appearing.
+- A `CONFIG` symbol being in a fragment, but not appearing in the final .config
+  - which indicates that `CONFIG` variable is not a part of the kernel `Kconfig` setup, which
+    can indicate a typing mistake in the name of the symbol.
+- A `CONFIG` symbol appearing in the fragments with multiple different values.

tools/packaging/kernel/configs/fragments/arm64/acpi.conf

@@ -0,0 +1,5 @@
+# ACPI on arm64 is dependent on uEFI.
+CONFIG_EFI=y
+CONFIG_EFI_STUB=y
+# ARM64 can run properly in ACPI hardware reduced mode.
+CONFIG_ACPI_REDUCED_HARDWARE_ONLY=y

tools/packaging/kernel/configs/fragments/arm64/base.conf

@@ -0,0 +1,42 @@
+CONFIG_ARM64=y
+CONFIG_ARM64_4K_PAGES=y
+
+# ARM servers are often multi-cores, following configs improve
+# the CPU scheduler's decision making.
+CONFIG_SCHED_MC=y
+CONFIG_SCHED_SMT=y
+
+# Virtual address space size (48-bit)
+CONFIG_ARM64_VA_BITS_48=y
+CONFIG_ARM64_VA_BITS=48
+# Physical address space size (48-bit)
+CONFIG_ARM64_PA_BITS_48=y
+CONFIG_ARM64_PA_BITS=48
+
+# Use the maximum number of CPUs supported by KVM (255)
+CONFIG_NR_CPUS=255
+
+CONFIG_PERF_EVENTS=y
+
+# No architected NMI
+CONFIG_ARM64_PSEUDO_NMI=y
+CONFIG_ARM64_SVE=y
+
+# Arm64 prefers to use REFCOUNT_FULL by default.
+CONFIG_REFCOUNT_FULL=y
+
+#
+# ARMv8.1 architectural features
+#
+CONFIG_ARM64_HW_AFDBM=y
+CONFIG_ARM64_PAN=y
+# end of ARMv8.1 architectural features
+
+#
+# ARMv8.2 architectural features
+#
+CONFIG_ARM64_CNP=y
+CONFIG_ARM64_PMEM=y
+CONFIG_ARM64_RAS_EXTN=y
+CONFIG_ARM64_UAO=y
+# end of ARMv8.2 architectural feature

tools/packaging/kernel/configs/fragments/arm64/crypto.conf

@@ -0,0 +1,6 @@
+# ARMv8 adds cryptographic instructions that could significantly improve
+# performance on tasks such as AES encryption and SHA1 and SHA256 hashing.
+CONFIG_ARM64_CRYPTO=y
+CONFIG_CRYPTO_AES_ARM64=y
+CONFIG_CRYPTO_AES_ARM64_CE=y
+CONFIG_CRYPTO_SHA256_ARM64=y

tools/packaging/kernel/configs/fragments/arm64/dt.conf

@@ -0,0 +1,4 @@
+# Device Tree and Open Firmware support
+CONFIG_DTC=y
+CONFIG_OF=y
+CONFIG_OF_PMEM=y

tools/packaging/kernel/configs/fragments/arm64/erratum.conf

@@ -0,0 +1,15 @@
+# ARM errata workarounds via the alternatives framework.
+# Vendor-specific option will be left to users to decide.
+CONFIG_ARM64_ERRATUM_1024718=y
+CONFIG_ARM64_ERRATUM_1165522=y
+CONFIG_ARM64_ERRATUM_1286807=y
+CONFIG_ARM64_ERRATUM_1463225=y
+CONFIG_ARM64_ERRATUM_819472=y
+CONFIG_ARM64_ERRATUM_824069=y
+CONFIG_ARM64_ERRATUM_826319=y
+CONFIG_ARM64_ERRATUM_827319=y
+CONFIG_ARM64_ERRATUM_832075=y
+CONFIG_ARM64_ERRATUM_843419=y
+CONFIG_ARM64_WORKAROUND_CLEAN_CACHE=y
+CONFIG_ARM64_WORKAROUND_REPEAT_TLBI=y
+

tools/packaging/kernel/configs/fragments/arm64/pci.conf

@@ -0,0 +1,3 @@
+# It brings PCI support to mach-virt based upon an idealised host controller.
+CONFIG_PCI_HOST_COMMON=y
+CONFIG_PCI_HOST_GENERIC=y

tools/packaging/kernel/configs/fragments/arm64/ptp.conf

@@ -0,0 +1,7 @@
+# PTP clock support
+#
+# The implementation of ptp_kvm on arm is one experimental feature,
+# you need to apply private patches to enable it on your host machine.
+# See https://github.com/kata-containers/packaging/pull/998 for detailed info.
+CONFIG_PTP_1588_CLOCK=y
+CONFIG_PTP_1588_CLOCK_KVM=y

tools/packaging/kernel/configs/fragments/arm64/rtc.conf

@@ -0,0 +1,10 @@
+CONFIG_RTC_LIB=y
+CONFIG_RTC_CLASS=y
+CONFIG_RTC_HCTOSYS=y
+CONFIG_RTC_SYSTOHC=y
+# RTC interfaces
+CONFIG_RTC_INTF_SYSFS=y
+CONFIG_RTC_INTF_PROC=y
+CONFIG_RTC_INTF_DEV=y
+# QEMU provides an emulated ARM AMBA PrimeCell PL031 RTC.
+CONFIG_RTC_DRV_PL031=y

tools/packaging/kernel/configs/fragments/arm64/serial.conf

@@ -0,0 +1,3 @@
+# This option is used for all 8250 compatible serial ports
+# that are probed through device tree.
+CONFIG_SERIAL_OF_PLATFORM=y

tools/packaging/kernel/configs/fragments/common/9p.conf

@@ -0,0 +1,17 @@
+# Enable 9p(fs) support - required for Kata to mount filesystems into the workload
+
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+CONFIG_9P_FS=y
+# NOTE - 9p client cacheing turned off?
+# FIXME: check if that is right?
+# https://github.com/kata-containers/packaging/issues/483
+#CONFIG_9P_FSCACHE=y
+CONFIG_NETWORK_FILESYSTEMS=y
+# Q. Do we use the POSIX_ACL over 9p?
+# FIXME: https://github.com/kata-containers/packaging/issues/483
+CONFIG_9P_FS_POSIX_ACL=y
+# NOTE - this adds security labels, such as used by SELinux - we may be able to
+# disable this, for now.
+# FIXME: https://github.com/kata-containers/packaging/issues/483
+CONFIG_9P_FS_SECURITY=y

tools/packaging/kernel/configs/fragments/common/acpi.conf

@@ -0,0 +1,20 @@
+# enable ACPI support.
+# This could do with REVIEW
+# https://github.com/kata-containers/packaging/issues/483
+CONFIG_ARCH_SUPPORTS_ACPI=y
+CONFIG_ACPI=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+# Having trouble enabling this - disable for now.
+# Would add support for ACPI CPPC power control via firmware - do we need
+# that for the guest??
+#CONFIG_ACPI_CPPC_LIB=y
+CONFIG_ACPI_PROCESSOR=y
+CONFIG_ACPI_HOTPLUG_CPU=y
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
+CONFIG_ACPI_TABLE_UPGRADE=y
+CONFIG_ACPI_PCI_SLOT=y
+CONFIG_ACPI_CONTAINER=y
+CONFIG_ACPI_HOTPLUG_MEMORY=y
+CONFIG_ACPI_NFIT=y
+CONFIG_HAVE_ACPI_APEI=y

tools/packaging/kernel/configs/fragments/common/base.conf

@@ -0,0 +1,52 @@
+# Basic necessary items!
+
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_SMP=y
+CONFIG_PARAVIRT=y
+# Note, no nested VM support enabled here
+
+# Turn off embedded mode, as it disabled 'too much', and we
+# no longer pass all the tests. We should refine this, and
+# work out which of the ~66 items it enables are really needed.
+# I believe this is the actual syntax we need for a fragment to
+# disable an item...
+# CONFIG_EMBEDDED is not set
+
+# Note, no virt enabled baloon yet
+CONFIG_INPUT=y
+CONFIG_PRINTK=y
+# We use this for metrics!
+CONFIG_PRINTK_TIME=y
+CONFIG_UNIX98_PTYS=y
+CONFIG_FUTEX=y
+CONFIG_HIGH_RES_TIMERS=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_NO_HZ=y
+CONFIG_NO_HZ_FULL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_TIMERS=y
+CONFIG_PROC_SYSCTL=y
+
+CONFIG_SHMEM=y
+
+# For security...
+CONFIG_RELOCATABLE=y
+CONFIG_RANDOMIZE_BASE=y
+# FIXME - check if we should be setting this
+# https://github.com/kata-containers/packaging/issues/483
+# I have a feeling it effects our memory hotplug maybe?
+# PHYSICAL_ALIGN=0x1000000
+
+# This would only affect two drivers, neither of which we have enabled.
+# The recommendation is to have it on, and you will see if in a diff if you
+# look for differences against the frag generated config - so, add it here as
+# a comment to make it clear in the future why we have not set it - as it would
+# only add noise to our frags and config.
+# PREVENT_FIRMWARE_BUILD=y
+
+# Trust the hardware vendor to initialise the RNG - which can speed up boot.
+# This can still be dynamically disabled on the kernel command line/kata config if needed.
+# Disable for now, as it upsets the entropy test, and we need to improve those: FIXME: see:
+# https://github.com/kata-containers/tests/issues/1543
+# RANDOM_TRUST_CPU=y

tools/packaging/kernel/configs/fragments/common/cgroup.conf

@@ -0,0 +1,26 @@
+# Add cgroup support. Needed both for the agent to place the workload into, and
+# also used/looked for by systemd rootfs.
+CONFIG_CGROUPS=y
+CONFIG_MEMCG=y
+CONFIG_BLK_CGROUP=y
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+CONFIG_SOCK_CGROUP_DATA=y
+
+# We have to enable SWAP CG, as runc/libcontainer in the agent currently fails
+# to write to it, even though it does some checks to see if swap is enabled.
+CONFIG_SWAP=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+
+# Needed for cgroups v2
+CONFIG_BPF_SYSCALL=y
+CONFIG_CGROUP_BPF=y

tools/packaging/kernel/configs/fragments/common/cpu.conf

@@ -0,0 +1,7 @@
+# Items to do with CPU frequency, power etc.
+
+CONFIG_CPU_FREQ=y
+CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
+CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_MENU=y

tools/packaging/kernel/configs/fragments/common/crypto.conf

@@ -0,0 +1,17 @@
+# Need decompressors for root filesystems and kernels.
+# Do we need all of these?
+CONFIG_CRYPTO=y
+# Deflate used by IPSec and IPCOMP protocols
+# Also selects ZLIB and a couple of other algos
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_XZ_DEC=y
+CONFIG_ZLIB_DEFLATE=y
+# FIXME - check, do we need gzip?
+# https://github.com/kata-containers/packaging/issues/483
+CONFIG_DECOMPRESS_GZIP=y
+# Some items required by systemd: https://github.com/systemd/systemd/blob/master/README
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_FIPS=y
+CONFIG_CRYPTO_ANSI_CPRNG=y

tools/packaging/kernel/configs/fragments/common/dax.conf

@@ -0,0 +1,32 @@
+# Enable DAX and NVDIMM support so we can map in our rootfs
+
+# Need HOTREMOVE, or ZONE_DEVICE will not get enabled
+# We don't actually afaik remove any memory once we have plugged it in, as
+# generally it is too 'expensive' an operation.
+CONFIG_MEMORY_HOTREMOVE=y
+# Also need this
+CONFIG_SPARSEMEM_VMEMMAP=y
+
+# Without these the pmem_should_map_pages() call in the kernel fails with new
+# Related to the ARCH_HAS_HMM set in the arch files.
+CONFIG_ZONE_DEVICE=y
+CONFIG_DEV_PAGEMAP_OPS=y
+
+CONFIG_ND_PFN=y
+CONFIG_NVDIMM_PFN=y
+CONFIG_NVDIMM_DAX=y
+
+CONFIG_BLOCK=y
+CONFIG_BLK_DEV=y
+CONFIG_BLK_DEV_PMEM=y
+CONFIG_BLK_DEV_RAM=y
+CONFIG_LIBNVDIMM=y
+CONFIG_ND_BLK=y
+CONFIG_BTT=y
+# FIXME: Should check if this is really needed
+# https://github.com/kata-containers/packaging/issues/483
+CONFIG_NVMEM=y
+# Is auto selected by other options
+#CONFIG_DAX_DRIVER=y
+CONFIG_DAX=y
+CONFIG_FS_DAX=y

tools/packaging/kernel/configs/fragments/common/elf.conf

@@ -0,0 +1,5 @@
+# Enable Elf loading, and script loading
+
+CONFIG_BINFMT_ELF=y
+CONFIG_BINFMT_SCRIPT=y
+CONFIG_BINFMT_MISC=y

tools/packaging/kernel/configs/fragments/common/experimental/virtio-fs.conf

@@ -0,0 +1,3 @@
+# virtio-fs support
+CONFIG_VIRTIO_FS=y
+CONFIG_FUSE_FS=y

tools/packaging/kernel/configs/fragments/common/fs.conf

@@ -0,0 +1,51 @@
+# Enable a whole bunch of filesystem related items
+
+CONFIG_BLK_DEV_INITRD=y
+
+# Recommended for Docker
+CONFIG_BLK_DEV_THROTTLING=y
+
+# Required for hotplug block devices into Kata, using SCSI
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_BSG=y
+CONFIG_BLK_DEV_SD=y
+
+# support initial ramdisk
+CONFIG_RD_GZIP=y
+CONFIG_FS_IOMAP=y
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_USE_FOR_EXT2=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+# FIXME - do we need journalling support in the container?
+# https://github.com/kata-containers/packaging/issues/483
+CONFIG_JBD2=y
+CONFIG_FS_MBCACHE=y
+CONFIG_XFS_FS=y
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+CONFIG_EXPORTFS_BLOCK_OPS=y
+CONFIG_FILE_LOCKING=y
+CONFIG_MANDATORY_FILE_LOCKING=y
+# A bunch of these are required for systemd at least.
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+CONFIG_FANOTIFY=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_AUTOFS_FS=y
+CONFIG_TMPFS=y
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EPOLL=y
+CONFIG_FHANDLE=y
+
+# We should support Async IO.
+CONFIG_AIO=y
+
+# Docker in Docker support requires overlay
+CONFIG_OVERLAY_FS=y
+CONFIG_OVERLAY_FS_INDEX=y
+CONFIG_OVERLAY_FS_REDIRECT_DIR=y

tools/packaging/kernel/configs/fragments/common/hotplug.conf

@@ -0,0 +1,13 @@
+# Setups to support our hotplug - memory, PCI devices and cpus
+
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_HOTPLUG_CPU=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HOTPLUG_PCI_PCIE=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_HOTPLUG_PCI_ACPI=y
+CONFIG_PNPACPI=y
+
+# Define hotplugs to be online immediately. Speeds things up, and makes things
+# work smoother on some arch's.
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y

tools/packaging/kernel/configs/fragments/common/huge.conf

@@ -0,0 +1,12 @@
+# Items to enable large/huge mmu pages and tlbs etc.
+
+# Compaction is the only memory management component to form high order
+# (larger physically contiguous) memory blocks reliably. The lack of the
+# feature can lead to unexpected OOM killer invocations for high order memory requests.
+CONFIG_COMPACTION=y
+
+CONFIG_HUGETLBFS=y
+
+# Enable memory page physical migration here, as it can come
+# into play when trying to find space to allocate a hugepage.
+CONFIG_MIGRATION=y

tools/packaging/kernel/configs/fragments/common/mmio.conf

@@ -0,0 +1,3 @@
+# mmio devices are required for firecracker
+CONFIG_VIRTIO_MMIO=y
+CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y

tools/packaging/kernel/configs/fragments/common/mmu.conf

@@ -0,0 +1,5 @@
+# MMU specific items
+
+# vmap the kernel stacks - detects stack over-runs better and reduces
+# the stack attack window.
+CONFIG_VMAP_STACK=y

tools/packaging/kernel/configs/fragments/common/namespaces.conf

@@ -0,0 +1,11 @@
+# We need namespaces to isolate the workload
+
+# Cannot have namespaces if not multi user...
+CONFIG_MULTIUSER=y
+CONFIG_NAMESPACES=y
+CONFIG_SYSVIPC=y
+CONFIG_UTS_NS=y
+CONFIG_IPC_NS=y
+CONFIG_USER_NS=y
+CONFIG_PID_NS=y
+CONFIG_NET_NS=y

tools/packaging/kernel/configs/fragments/common/netfilter.conf

@@ -0,0 +1,203 @@
+# Netfilter (used by sidecars like istio)
+
+# FIXME - this is a big file - it could probably benefit from a
+# good reviewing. https://github.com/kata-containers/packaging/issues/483
+
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_FAMILY_ARP=y
+CONFIG_NETFILTER_NETLINK_ACCT=y
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NETFILTER_NETLINK_OSF=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NETFILTER_CONNCOUNT=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_ZONES=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+CONFIG_NF_CONNTRACK_TIMEOUT=y
+CONFIG_NF_CONNTRACK_TIMESTAMP=y
+CONFIG_NF_CONNTRACK_LABELS=y
+CONFIG_NF_CT_PROTO_DCCP=y
+CONFIG_NF_CT_PROTO_GRE=y
+CONFIG_NF_CT_PROTO_SCTP=y
+CONFIG_NF_CT_PROTO_UDPLITE=y
+CONFIG_NF_CONNTRACK_AMANDA=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_H323=y
+CONFIG_NF_CONNTRACK_IRC=y
+CONFIG_NF_CONNTRACK_BROADCAST=y
+CONFIG_NF_CONNTRACK_NETBIOS_NS=y
+CONFIG_NF_CONNTRACK_SNMP=y
+CONFIG_NF_CONNTRACK_PPTP=y
+CONFIG_NF_CONNTRACK_SANE=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CONNTRACK_TFTP=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NF_CT_NETLINK_TIMEOUT=y
+CONFIG_NF_CT_NETLINK_HELPER=y
+CONFIG_NETFILTER_NETLINK_GLUE_CT=y
+CONFIG_NF_NAT=y
+# NF_NAT_NEEDED is removed in newer kernels - we should drop once we move to next LTS (5.4).
+#  This is part of whitelist.conf
+CONFIG_NF_NAT_NEEDED=y
+
+# NF_NAT_PROTO_* are removed in newer kernels, but needed currentlyi. They are part of whitelist.conf:
+CONFIG_NF_NAT_PROTO_DCCP=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+CONFIG_NF_NAT_PROTO_SCTP=y
+CONFIG_NF_NAT_PROTO_GRE=y
+
+CONFIG_NF_NAT_AMANDA=y
+CONFIG_NF_NAT_FTP=y
+CONFIG_NF_NAT_IRC=y
+CONFIG_NF_NAT_SIP=y
+CONFIG_NF_NAT_TFTP=y
+CONFIG_NF_NAT_REDIRECT=y
+CONFIG_NETFILTER_SYNPROXY=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+CONFIG_NETFILTER_XT_TARGET_HMARK=y
+CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_RATEEST=y
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+CONFIG_NETFILTER_XT_TARGET_TEE=y
+CONFIG_NETFILTER_XT_TARGET_TPROXY=y
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_BPF=y
+CONFIG_NETFILTER_XT_MATCH_CGROUP=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_CPU=y
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+CONFIG_NETFILTER_XT_MATCH_IPCOMP=y
+CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
+CONFIG_NETFILTER_XT_MATCH_IPVS=y
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+CONFIG_NETFILTER_XT_MATCH_NFACCT=y
+CONFIG_NETFILTER_XT_MATCH_OSF=y
+CONFIG_NETFILTER_XT_MATCH_OWNER=y
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+CONFIG_NETFILTER_XT_MATCH_RATEEST=y
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+CONFIG_NETFILTER_XT_MATCH_RECENT=y
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+CONFIG_NETFILTER_XT_MATCH_TIME=y
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+CONFIG_IP_SET_HASH_IPMARK=y
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+CONFIG_IP_SET_HASH_MAC=y
+CONFIG_IP_SET_HASH_NETPORTNET=y
+CONFIG_IP_SET_HASH_NET=y
+CONFIG_IP_SET_HASH_NETNET=y
+CONFIG_IP_SET_HASH_NETPORT=y
+CONFIG_IP_SET_HASH_NETIFACE=y
+CONFIG_IP_SET_LIST_SET=y
+CONFIG_IP_VS=y
+CONFIG_IP_VS_PROTO_TCP=y
+CONFIG_IP_VS_PROTO_UDP=y
+CONFIG_IP_VS_PROTO_AH_ESP=y
+CONFIG_IP_VS_PROTO_ESP=y
+CONFIG_IP_VS_PROTO_AH=y
+CONFIG_IP_VS_PROTO_SCTP=y
+CONFIG_IP_VS_RR=y
+CONFIG_IP_VS_WRR=y
+CONFIG_IP_VS_LC=y
+CONFIG_IP_VS_WLC=y
+CONFIG_IP_VS_FO=y
+CONFIG_IP_VS_OVF=y
+CONFIG_IP_VS_LBLC=y
+CONFIG_IP_VS_LBLCR=y
+CONFIG_IP_VS_DH=y
+CONFIG_IP_VS_SH=y
+CONFIG_IP_VS_SED=y
+CONFIG_IP_VS_NQ=y
+CONFIG_IP_VS_FTP=y
+CONFIG_IP_VS_NFCT=y
+CONFIG_IP_VS_PE_SIP=y
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_TPROXY_IPV4=y
+CONFIG_NF_DUP_IPV4=y
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+
+# NF_NAT_IPV4 is removed in future kernel, and is part of whitelist.conf:
+CONFIG_NF_NAT_IPV4=y
+
+CONFIG_NF_NAT_SNMP_BASIC=y
+CONFIG_NF_NAT_PPTP=y
+CONFIG_NF_NAT_H323=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+CONFIG_IP_NF_MATCH_RPFILTER=y
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_SYNPROXY=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_SECURITY=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+CONFIG_NF_DUP_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_DEFRAG_IPV6=y

tools/packaging/kernel/configs/fragments/common/network.conf

@@ -0,0 +1,75 @@
+# Our networking requirements
+### FIXME - this probably needs a good review ###
+# https://github.com/kata-containers/packaging/issues/483
+
+# pre-reqs
+CONFIG_NETDEVICES=y
+CONFIG_PROC_FS=y
+CONFIG_SYSFS=y
+CONFIG_SECURITY=y
+
+# The list
+CONFIG_NET=y
+CONFIG_ETHERNET=y
+CONFIG_NET_CORE=y
+CONFIG_NET_INGRESS=y
+CONFIG_PACKET=y
+CONFIG_PACKET_DIAG=y
+CONFIG_UNIX=y
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+# Used for mobile ipv6 type instances, unlikely we need
+#CONFIG_XFRM_MIGRATE=y
+# Developer feature - unlikely we need it
+#CONFIG_XFRM_STATISTICS=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ROUTE_CLASSID=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_SYN_COOKIES=y
+CONFIG_TCP_CONG_ADVANCED=y
+CONFIG_TCP_CONG_BBR=y
+CONFIG_DEFAULT_BBR=y
+CONFIG_TCP_MD5SIG=y
+CONFIG_IPV6=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+
+CONFIG_STP=y
+CONFIG_BRIDGE=y
+CONFIG_BRIDGE_IGMP_SNOOPING=y
+CONFIG_HAVE_NET_DSA=y
+CONFIG_LLC=y
+CONFIG_NET_SCHED=y
+CONFIG_NET_SCH_CBQ=y
+CONFIG_NET_SCH_MULTIQ=y
+CONFIG_NET_SCH_FQ_CODEL=y
+CONFIG_NET_SCH_FQ=y
+CONFIG_NET_CLS=y
+CONFIG_NET_CLS_CGROUP=y
+CONFIG_NET_EMATCH=y
+CONFIG_NET_SCH_FIFO=y
+CONFIG_VSOCKETS=y
+CONFIG_VIRTIO_VSOCKETS=y
+CONFIG_VIRTIO_VSOCKETS_COMMON=y
+CONFIG_NET_SWITCHDEV=y
+CONFIG_RPS=y
+CONFIG_RFS_ACCEL=y
+CONFIG_XPS=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+CONFIG_NET_FLOW_LIMIT=y
+CONFIG_GRO_CELLS=y
+CONFIG_FAILOVER=y
+CONFIG_HAVE_EBPF_JIT=y
+
+# We v.likely need some intel chip support
+CONFIG_NET_VENDOR_INTEL=y
+
+# Add VETH support (necessary for running Docker in the guest)
+CONFIG_VETH=y
+# We quite likely need to add others for passthrough and maybe SRIOV support

tools/packaging/kernel/configs/fragments/common/seccomp.conf

@@ -0,0 +1,4 @@
+# enable seccomp items
+
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y

tools/packaging/kernel/configs/fragments/common/security.conf

@@ -0,0 +1,6 @@
+
+# Let's enable stack protection checks, and strong checks
+# Estimated cost (detailed in the kernel config files)
+# is maybe 2.3% for both
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y

tools/packaging/kernel/configs/fragments/common/serial.conf

@@ -0,0 +1,14 @@
+# We need some sort of 'serial' for virtio-serial consoles - at the moment.
+# We might not need all of thse though...
+# FIXME - https://github.com/kata-containers/packaging/issues/483
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_PCI=y
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_CORE_CONSOLE=y
+CONFIG_SERIAL_CORE=y
+CONFIG_SERIAL_EARLYCON=y
+
+# SERIO may be only for keyboards, mice etc., and not UARTS
+# We likely don't need
+#CONFIG_SERIO_RAW=y
+#CONFIG_SERIO=y

tools/packaging/kernel/configs/fragments/common/virtio.conf

@@ -0,0 +1,29 @@
+# We need virtio for 9p and serial and vsock at least
+
+# To get VIRTIO, we need a bus - ours of choice is PCI. We need to enable
+# PCI support to get VIRTIO_PCI support
+CONFIG_PCI=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+# To get to the VIRTIO_PCI, we need the VIRTIO_MENU enabled
+CONFIG_VIRTIO_MENU=y
+CONFIG_VIRTIO_PCI=y
+# Without this nested-VM Kata does not work (we have not worked out exactly why)
+CONFIG_VIRTIO_PCI_LEGACY=y
+
+# This is used by the s390 arch at least. Leave it on globally.
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y
+
+# This is required for booting from pmem
+CONFIG_VIRTIO_PMEM=y
+
+# FIXME - are we moving away from/choosing between SCSI and BLK support?
+# https://github.com/kata-containers/packaging/issues/483
+CONFIG_SCSI=y
+CONFIG_SCSI_LOWLEVEL=y
+CONFIG_SCSI_VIRTIO=y
+CONFIG_VIRTIO_BLK=y
+CONFIG_TTY=y
+CONFIG_VIRTIO_CONSOLE=y
+CONFIG_VIRTIO_NET=y

tools/packaging/kernel/configs/fragments/gpu/intel.conf

@@ -0,0 +1,7 @@
+# The following i915 kernel config options need to be enabled
+CONFIG_DRM=y
+CONFIG_DRM_I915=y
+CONFIG_DRM_I915_USERPTR=y
+
+# Linux kernel version suffix
+CONFIG_LOCALVERSION="-intel-gpu"

tools/packaging/kernel/configs/fragments/gpu/nvidia.conf

@@ -0,0 +1,14 @@
+# Support mmconfig PCI config space access.
+# It's used to enable the MMIO access method for PCIe devices.
+CONFIG_PCI_MMCONFIG=y
+
+# Support for loading modules.
+# It is used to support loading GPU drivers.
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
+
+# CRYPTO_FIPS requires this config when loading modules is enabled.
+CONFIG_MODULE_SIG=y
+
+# Linux kernel version suffix
+CONFIG_LOCALVERSION="-nvidia-gpu"

tools/packaging/kernel/configs/fragments/whitelist.conf

@@ -0,0 +1,8 @@
+# configuration options which may dropped in newer kernels
+# without generating an error in fragment merging
+CONFIG_NF_NAT_IPV4
+CONFIG_NF_NAT_NEEDED
+CONFIG_NF_NAT_PROTO_DCCP
+CONFIG_NF_NAT_PROTO_GRE
+CONFIG_NF_NAT_PROTO_SCTP
+CONFIG_NF_NAT_PROTO_UDPLITE

tools/packaging/kernel/configs/fragments/x86_64/acpi.conf

@@ -0,0 +1,14 @@
+CONFIG_X86_INTEL_PSTATE=y
+
+# For old smp systems that do not have proper acpi support.
+# Firecracker needs this to support `vcpu_count`
+CONFIG_X86_MPPARSE=y
+
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP
+CONFIG_ACPI_LPIT=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+CONFIG_HAVE_ACPI_APEI_NMI=y

tools/packaging/kernel/configs/fragments/x86_64/base.conf

@@ -0,0 +1,20 @@
+CONFIG_X86=y
+CONFIG_X86_CPUID=y
+CONFIG_X86_MSR=y
+CONFIG_X86_X2APIC=y
+CONFIG_X86_VERBOSE_BOOTUP=y
+
+# Configs around linux guest support and optimizations.
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_KVM_GUEST=y
+
+# Use the maximum number of CPUs supported by KVM (240)
+CONFIG_NR_CPUS=240
+
+# For security
+CONFIG_LEGACY_VSYSCALL_NONE=y
+CONFIG_RETPOLINE=y
+
+# Boot directly into the uncompressed kernel
+# Reduce memory footprint
+CONFIG_PVH=y

tools/packaging/kernel/configs/fragments/x86_64/fs.conf

@@ -0,0 +1,5 @@
+# x86 specific filesystem items
+
+# Yes, we do support unaligned word accesses
+CONFIG_DCACHE_WORD_ACCESS=y
+

tools/packaging/kernel/configs/fragments/x86_64/hotplug.conf

@@ -0,0 +1,5 @@
+# Since we disable pci shpc hotplug for arm64,
+# See https://github.com/kata-containers/packaging/pull/498
+# for detailed reasons.
+# we move this config into x86_64-specific.
+CONFIG_HOTPLUG_PCI_SHPC=y

tools/packaging/kernel/configs/fragments/x86_64/mmu.conf

@@ -0,0 +1,4 @@
+# x86 specific mmu/memory related items
+
+# Remove the kernel mapping from the user space - security improvement.
+CONFIG_PAGE_TABLE_ISOLATION=y

tools/packaging/kernel/configs/fragments/x86_64/nemu.conf

@@ -0,0 +1,7 @@
+# Items needed to run the NEMU cut of QEMU
+# NEMU uses an EFI bios/boot, so requires a few extra bits
+
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI=y
+CONFIG_EFI_ESRT=y
+CONFIG_EFI_RUNTIME_WRAPPERS=y

tools/packaging/kernel/configs/x86_64_kata_old_kernel_compat

@@ -0,0 +1,7 @@
+#
+# This file contains config options which is removed/modified in kernel 4.14 but
+# necessary for older kernels, if you're using a old kernel and failed to start
+# kata containers, try to add these options and hope it can help! Enjoy it!
+#
+CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
+