bottlerocket-os · bcressey · Sep 25, 2024 · Jul 13, 2024 · Jul 3, 2024 · Aug 2, 2024
diff --git a/packages/kernel-5.10/kernel-5.10.spec b/packages/kernel-5.10/kernel-5.10.spec
@@ -45,6 +45,9 @@ Requires: %{name}-devel = %{version}-%{release}
 # The 5.10 kernel is not FIPS certified.
 Conflicts: %{_cross_os}image-feature(fips)
 
+# Using EROFS for the root partition requires a 6.1+ kernel.
+Conflicts: %{_cross_os}image-feature(erofs-root-partition)
+
 %global kernel_sourcedir %{_cross_usrsrc}/kernels
 %global kernel_libdir %{_cross_libdir}/modules/%{version}
 

diff --git a/packages/kernel-5.15/kernel-5.15.spec b/packages/kernel-5.15/kernel-5.15.spec
@@ -40,6 +40,9 @@ Requires: %{name}-devel = %{version}-%{release}
 # The 5.15 kernel is not FIPS certified.
 Conflicts: %{_cross_os}image-feature(fips)
 
+# Using EROFS for the root partition requires a 6.1+ kernel.
+Conflicts: %{_cross_os}image-feature(erofs-root-partition)
+
 %global kernel_sourcedir %{_cross_usrsrc}/kernels
 %global kernel_libdir %{_cross_libdir}/modules/%{version}
 

diff --git a/packages/kernel-6.1/config-bottlerocket b/packages/kernel-6.1/config-bottlerocket
@@ -1,8 +1,9 @@
 # Because Bottlerocket does not have an initramfs, modules required to mount
 # the root filesystem must be set to y.
 
-# The root filesystem is ext4
+# The root filesystem is ext4 or erofs
 CONFIG_EXT4_FS=y
+CONFIG_EROFS_FS=y
 
 # btrfs support for compatibility
 CONFIG_BTRFS_FS=m

diff --git a/packages/kernel-6.1/kernel-6.1.spec b/packages/kernel-6.1/kernel-6.1.spec
@@ -16,6 +16,9 @@ Source200: check-fips-modules.drop-in.conf.in
 Source201: fipsmodules-x86_64
 Source202: fipsmodules-aarch64
 
+# Adjust kernel-devel mount behavior if not squashfs.
+Source210: var-lib-kernel-devel-lower.mount.drop-in.conf.in
+
 # Bootconfig snippets to adjust the default kernel command line for the platform.
 Source300: bootconfig-aws.conf
 Source301: bootconfig-vmware.conf
@@ -70,10 +73,24 @@ Requires: (%{name}-fips if %{_cross_os}image-feature(fips))
 
 %package devel
 Summary: Configured Linux kernel source for module building
+Requires: (%{name}-devel-squashed if %{_cross_os}image-feature(no-erofs-root-partition))
+Requires: (%{name}-devel-unpacked if %{_cross_os}image-feature(erofs-root-partition))
 
 %description devel
 %{summary}.
 
+%package devel-squashed
+Summary: Configured Linux kernel source for module building (squashed)
+
+%description devel-squashed
+%{summary}.
+
+%package devel-unpacked
+Summary: Configured Linux kernel source for module building (unpacked)
+
+%description devel-unpacked
+%{summary}.
+
 %package archive
 Summary: Archived Linux kernel source for module building
 
@@ -265,6 +282,10 @@ mkdir -p src_squashfs/%{version}
 tar c -T kernel_devel_files | tar x -C src_squashfs/%{version}
 mksquashfs src_squashfs kernel-devel.squashfs ${SQUASHFS_OPTS}
 
+# Create an uncompressed set of kernel-devel files in the standard location.
+install -d %{buildroot}%{_cross_datadir}/bottlerocket/kernel-devel/%{version}
+tar c -T kernel_devel_files | tar x -C %{buildroot}%{_cross_datadir}/bottlerocket/kernel-devel/%{version}
+
 # Create a tarball of the same files, for use outside the running system.
 # In theory we could extract these files with `unsquashfs`, but we do not want
 # to require it to be installed on the build host, and it errors out when run
@@ -300,6 +321,11 @@ for fipsmod in $(cat %{_sourcedir}/fipsmodules-%{_cross_arch}) ; do
   (( i+=1 ))
 done
 
+LOWERPATH=$(systemd-escape --path %{_cross_sharedstatedir}/kernel-devel/.overlay/lower)
+mkdir -p %{buildroot}%{_cross_unitdir}/"${LOWERPATH}.mount.d"
+sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:210} \
+  > %{buildroot}%{_cross_unitdir}/"${LOWERPATH}.mount.d"/no-squashfs.conf
+
 # Install platform-specific bootconfig snippets.
 install -d %{buildroot}%{_cross_bootconfigdir}
 install -p -m 0644 %{S:300} %{buildroot}%{_cross_bootconfigdir}/05-aws.conf
@@ -338,10 +364,16 @@ install -p -m 0644 %{S:302} %{buildroot}%{_cross_bootconfigdir}/05-metal.conf
 
 %files devel
 %dir %{_cross_ksrcdir}
-%{_cross_datadir}/bottlerocket/kernel-devel.squashfs
 %{_cross_kmoddir}/source
 %{_cross_kmoddir}/build
 
+%files devel-squashed
+%{_cross_datadir}/bottlerocket/kernel-devel.squashfs
+
+%files devel-unpacked
+%{_cross_datadir}/bottlerocket/kernel-devel
+%{_cross_unitdir}/*kernel*devel*.mount.d/no-squashfs.conf
+
 %files archive
 %{_cross_datadir}/bottlerocket/kernel-devel.tar.xz
 
@@ -923,7 +955,6 @@ install -p -m 0644 %{S:302} %{buildroot}%{_cross_bootconfigdir}/05-metal.conf
 %{_cross_kmoddir}/kernel/lib/crypto/libpoly1305.ko.*
 %{_cross_kmoddir}/kernel/lib/lru_cache.ko.*
 %{_cross_kmoddir}/kernel/lib/lz4/lz4_compress.ko.*
-%{_cross_kmoddir}/kernel/lib/lz4/lz4_decompress.ko.*
 %{_cross_kmoddir}/kernel/lib/lz4/lz4hc_compress.ko.*
 %{_cross_kmoddir}/kernel/lib/raid6/raid6_pq.ko.*
 %{_cross_kmoddir}/kernel/lib/reed_solomon/reed_solomon.ko.*

diff --git a/packages/kernel-6.1/var-lib-kernel-devel-lower.mount.drop-in.conf.in b/packages/kernel-6.1/var-lib-kernel-devel-lower.mount.drop-in.conf.in
@@ -0,0 +1,4 @@
+[Mount]
+What=PREFIX/share/bottlerocket/kernel-devel
+Type=none
+Options=rbind,rshared
diff --git a/packages/release/release.spec b/packages/release/release.spec
@@ -211,22 +211,22 @@ install -p -m 0644 %{S:1102} \
 install -d %{buildroot}%{_cross_unitdir}/check-fips-modules.service.d
 
 LOWERPATH=$(systemd-escape --path %{_cross_sharedstatedir}/kernel-devel/.overlay/lower)
-sed -e 's|PREFIX|%{_cross_prefix}|' %{S:1080} > ${LOWERPATH}.mount
+sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:1080} > ${LOWERPATH}.mount
 install -p -m 0644 ${LOWERPATH}.mount %{buildroot}%{_cross_unitdir}
 
 # Mounting on usr/src/kernels requires using the real path: %{_cross_usrsrc}/kernels
 KERNELPATH=$(systemd-escape --path %{_cross_usrsrc}/kernels)
-sed -e 's|PREFIX|%{_cross_prefix}|' %{S:1081} > ${KERNELPATH}.mount
+sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:1081} > ${KERNELPATH}.mount
 install -p -m 0644 ${KERNELPATH}.mount %{buildroot}%{_cross_unitdir}
 
 # Mounting on usr/share/licenses requires using the real path: %{_cross_datadir}/licenses
 LICENSEPATH=$(systemd-escape --path %{_cross_licensedir})
-sed -e 's|PREFIX|%{_cross_prefix}|' %{S:1082} > ${LICENSEPATH}.mount
+sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:1082} > ${LICENSEPATH}.mount
 install -p -m 0644 ${LICENSEPATH}.mount %{buildroot}%{_cross_unitdir}
 
 # Mounting on lib/modules requires using the real path: %{_cross_libdir}/modules
 LIBDIRPATH=$(systemd-escape --path %{_cross_libdir})
-sed -e 's|PREFIX|%{_cross_prefix}|' %{S:1083} > ${LIBDIRPATH}-modules.mount
+sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:1083} > ${LIBDIRPATH}-modules.mount
 install -p -m 0644 ${LIBDIRPATH}-modules.mount %{buildroot}%{_cross_unitdir}
 
 # Mounting on usr/bin requires using the real path: %{_cross_bindir}

diff --git a/packages/release/usr-share-licenses.mount.in b/packages/release/usr-share-licenses.mount.in
@@ -4,6 +4,7 @@ DefaultDependencies=no
 Conflicts=umount.target
 Before=umount.target
 After=local-fs.target
+ConditionPathExists=PREFIX/share/bottlerocket/licenses.squashfs
 
 [Mount]
 What=PREFIX/share/bottlerocket/licenses.squashfs

diff --git a/packages/selinux-policy/fs.cil b/packages/selinux-policy/fs.cil
@@ -2,6 +2,7 @@
 (fsuse xattr ext4 local)
 (fsuse xattr overlay local)
 (fsuse xattr xfs local)
+(fsuse xattr erofs local)
 
 ; Label inodes by using the type of the creating task.
 (fsuse task eventpollfs any)