Add squashfs compression support to inception kernel #7
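---
# Build the "inception" guest kernel (nested virtualization) on a self-hosted
# ARM64 runner and publish it as a GitHub Release asset. The release tag doubles
# as a build cache key: it embeds the kernel version, the runner architecture
# and a short hash of the build inputs, so an unchanged kernel/ tree is not
# rebuilt.
name: Build Kernels

on:
  push:
    # NOTE: this workflow file itself is not under kernel/, so edits to it do
    # not trigger a run on their own; use workflow_dispatch to exercise them.
    paths:
      - 'kernel/**'
    branches: [main]
  workflow_dispatch:
    inputs:
      force_build:
        description: 'Force rebuild even if release exists'
        type: boolean
        default: false

# Cancel in-progress runs when a new revision is pushed
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege: GITHUB_TOKEN starts with no permissions at all; the one job
# that needs to create releases opts in explicitly below.
permissions: {}

env:
  # Not consumed by any step in this workflow (there is no cargo invocation);
  # harmless, left in place.
  CARGO_TERM_COLOR: always

jobs:
  # Ensure self-hosted runner EC2 is running
  ensure-runner:
    name: Ensure Runner
    runs-on: ubuntu-latest
    # This job only talks to AWS and never uses GITHUB_TOKEN.
    permissions: {}
    steps:
      # Long-lived IAM user keys held as repository secrets. Prefer GitHub OIDC
      # federation (job `permissions: id-token: write` plus `role-to-assume`)
      # so that no static AWS credential exists at all; either way the IAM
      # policy only needs ec2:DescribeInstances and ec2:StartInstances on this
      # single instance. Pinning actions to a full commit SHA rather than a
      # mutable tag is also recommended (supply chain); the upstream SHA is
      # deliberately not reproduced here.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-west-1

      - name: Start EC2 if stopped
        env:
          INSTANCE_ID: "i-0f116a86a2fd78cbe"
        run: |
          STATE=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" --query 'Reservations[0].Instances[0].State.Name' --output text)
          echo "Current state: $STATE"
          if [ "$STATE" = "stopping" ]; then
            # start-instances is rejected while a stop is still in progress;
            # wait for it to settle and then start normally.
            echo "Instance is stopping, waiting for it to settle..."
            aws ec2 wait instance-stopped --instance-ids "$INSTANCE_ID"
            STATE="stopped"
          fi
          case "$STATE" in
            stopped)
              echo "Starting instance..."
              aws ec2 start-instances --instance-ids "$INSTANCE_ID"
              aws ec2 wait instance-running --instance-ids "$INSTANCE_ID"
              # The runner agent registers some time after boot. The build job
              # would queue until it does anyway; this only shortens the gap.
              echo "Instance started, waiting for runner to register..."
              sleep 60
              ;;
            running|pending)
              echo "Instance already running or starting, nothing to do."
              ;;
            *)
              # shutting-down, terminated, or an empty/None answer: no runner
              # will ever register, so fail now instead of letting the build
              # job sit in the queue.
              echo "ERROR: instance $INSTANCE_ID is in unexpected state '$STATE'" >&2
              exit 1
              ;;
          esac

  build-inception-kernel:
    name: Build Inception Kernel
    needs: ensure-runner
    # Persistent self-hosted runner. Only pushes to main and manual dispatches
    # reach it (no pull_request trigger), so it never executes fork code; but
    # the steps below use passwordless sudo and run ./kernel/build.sh from the
    # checkout, so write access to main is effectively root on this host.
    runs-on: [self-hosted, Linux, ARM64]
    permissions:
      contents: write # Required for creating releases
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN behind in .git/config on the persistent
          # runner; the release steps pass the token explicitly via GH_TOKEN.
          persist-credentials: false

      - name: Install GitHub CLI
        run: |
          if ! command -v gh &> /dev/null; then
            echo "Installing GitHub CLI..."
            # Official install recipe. The apt signing key is fetched over TLS
            # from cli.github.com and trusted as-is; there is no independent
            # fingerprint check here.
            curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
            echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
            sudo apt-get update
            sudo apt-get install -y gh
          else
            echo "GitHub CLI already installed: $(gh --version)"
          fi

      - name: Compute kernel version and SHA
        id: kernel
        run: |
          # Extract version from build.sh: first a literal KERNEL_VERSION="x.y"
          # assignment, then a ${KERNEL_VERSION:-x.y} default.
          VERSION=$(grep '^KERNEL_VERSION=' kernel/build.sh | head -1 | cut -d'"' -f2)
          if [ -z "$VERSION" ]; then
            VERSION=$(grep 'KERNEL_VERSION:-' kernel/build.sh | grep -oE '[0-9]+\.[0-9]+' | head -1)
          fi
          # Fix: the previous `... | head -1 || echo "6.18"` fallbacks never
          # fired. Without pipefail a pipeline's exit status is that of its last
          # command (head/cut), which succeeds on empty input, so a missing
          # version produced an empty field in the tag and filename. Apply the
          # default explicitly instead.
          VERSION="${VERSION:-6.18}"
          # The version is spliced into a git tag, a file name and shell
          # commands in later steps; reject anything outside a conservative
          # token alphabet rather than let an odd build.sh edit through.
          if ! [[ "$VERSION" =~ ^[0-9A-Za-z][0-9A-Za-z._-]*$ ]]; then
            echo "ERROR: unexpected KERNEL_VERSION value '$VERSION' in kernel/build.sh" >&2
            exit 1
          fi
          # Get architecture
          ARCH=$(uname -m)
          # Short hash over the build inputs. This is a cache key, not a
          # provenance statement: it covers the script, config and patches but
          # not the toolchain or the kernel source the script fetches.
          SHA=$(cat kernel/build.sh kernel/inception.conf kernel/patches/*.patch 2>/dev/null | sha256sum | cut -c1-12)
          {
            echo "version=$VERSION"
            echo "arch=$ARCH"
            echo "sha=$SHA"
            echo "tag=kernel-inception-${VERSION}-${ARCH}-${SHA}"
            echo "filename=vmlinux-inception-${VERSION}-${ARCH}-${SHA}.bin"
          } >> "$GITHUB_OUTPUT"
          echo "Kernel version: $VERSION"
          echo "Architecture: $ARCH"
          echo "Build SHA: $SHA"

      # Step outputs are passed through `env:` rather than interpolated with
      # ${{ }} inside `run:`; an interpolated value becomes part of the script
      # text, an environment variable never does.
      - name: Check if release already exists
        id: check
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          TAG: ${{ steps.kernel.outputs.tag }}
        run: |
          if gh release view "$TAG" &>/dev/null; then
            echo "Release $TAG already exists"
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            # NOTE: any gh failure (auth, network) is also reported as "does
            # not exist" and results in a rebuild attempt.
            echo "Release $TAG does not exist"
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Install build dependencies
        if: steps.check.outputs.exists == 'false' || inputs.force_build == true
        run: |
          sudo apt-get update
          sudo apt-get install -y flex bison bc libelf-dev libssl-dev

      - name: Build kernel
        if: steps.check.outputs.exists == 'false' || inputs.force_build == true
        env:
          FILENAME: ${{ steps.kernel.outputs.filename }}
        run: |
          # RUNNER_TEMP is per-job and wiped by the runner. /tmp on a persistent
          # self-hosted host is shared with everything else on the machine and
          # can hold a stale artifact from an earlier run.
          KERNEL_PATH="${RUNNER_TEMP}/${FILENAME}"
          echo "Building kernel to: $KERNEL_PATH"
          # Run build script
          KERNEL_PATH="$KERNEL_PATH" ./kernel/build.sh
          # Verify output
          if [ ! -f "$KERNEL_PATH" ]; then
            echo "ERROR: Kernel not found at $KERNEL_PATH"
            exit 1
          fi
          ls -lh "$KERNEL_PATH"
          file "$KERNEL_PATH"
          # Checksum sidecar published next to the binary so consumers can
          # verify their download. It is an integrity check only, not
          # provenance: anyone with contents:write can replace both files.
          # Build attestation (e.g. actions/attest-build-provenance) would be
          # the next step for that.
          (cd "$RUNNER_TEMP" && sha256sum "$FILENAME" > "${FILENAME}.sha256")
          cat "${RUNNER_TEMP}/${FILENAME}.sha256"

      - name: Create GitHub Release
        if: steps.check.outputs.exists == 'false' || inputs.force_build == true
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          TAG: ${{ steps.kernel.outputs.tag }}
          FILENAME: ${{ steps.kernel.outputs.filename }}
          VERSION: ${{ steps.kernel.outputs.version }}
          SHA: ${{ steps.kernel.outputs.sha }}
          ARCH: ${{ steps.kernel.outputs.arch }}
          FORCE_BUILD: ${{ inputs.force_build }}
        run: |
          # Delete existing release if force rebuilding. Without --cleanup-tag
          # the git tag survives, so the recreated release still points at the
          # commit originally tagged, not at the commit that rebuilt it.
          if [ "$FORCE_BUILD" == "true" ]; then
            gh release delete "$TAG" --yes 2>/dev/null || true
          fi
          # Create release with kernel binary and its checksum. The notes below
          # are hand-maintained: update them whenever the kernel config or the
          # patch set changes.
          gh release create "$TAG" \
            --title "Inception Kernel ${VERSION} (${ARCH}) - ${SHA}" \
            --notes "Inception kernel for running fcvm inside fcvm (nested virtualization).

          ## Kernel Details
          | Property | Value |
          |----------|-------|
          | Version | ${VERSION} |
          | Build SHA | ${SHA} |
          | Architecture | ${ARCH} |

          ## Features
          - **CONFIG_KVM=y** - KVM hypervisor built-in for nested virtualization
          - **FUSE support** - For volume mounts between host and guest
          - **MMFR4 override patch** - Enables \`arm64.nv2\` boot parameter for NV2 support

          ## ARM64 Nested Virtualization (EL2)
          This kernel enables recursive VM nesting on ARM64 using FEAT_NV2:
          - **EL2** - ARM Exception Level 2 (hypervisor mode), required for KVM
          - **VHE mode** - Virtualization Host Extensions for efficient hypervisor
          - **NV2** - Nested Virtualization v2, allows guest kernels to run their own KVM

          ## Requirements
          - **Host**: ARM64 with FEAT_NV2 (AWS Graviton3+: c7g.metal, m7g.metal)
          - **Host kernel**: 6.18+ with \`kvm-arm.mode=nested\` boot parameter

          ## Usage
          \`\`\`bash
          fcvm setup --inception
          fcvm podman run --kernel <path> --privileged --name outer alpine:latest
          # Inside VM: fcvm podman run --name inner alpine:latest
          \`\`\`
          " \
            "${RUNNER_TEMP}/${FILENAME}" \
            "${RUNNER_TEMP}/${FILENAME}.sha256"
          echo "✅ Created release: $TAG"

      - name: Summary
        env:
          VERSION: ${{ steps.kernel.outputs.version }}
          ARCH: ${{ steps.kernel.outputs.arch }}
          SHA: ${{ steps.kernel.outputs.sha }}
          TAG: ${{ steps.kernel.outputs.tag }}
          FILENAME: ${{ steps.kernel.outputs.filename }}
          EXISTS: ${{ steps.check.outputs.exists }}
        run: |
          {
            echo "### Kernel Build Summary"
            echo ""
            echo "| Property | Value |"
            echo "|----------|-------|"
            echo "| Version | ${VERSION} |"
            echo "| Architecture | ${ARCH} |"
            echo "| SHA | ${SHA} |"
            echo "| Tag | ${TAG} |"
            echo "| Filename | ${FILENAME} |"
            echo "| Already Existed | ${EXISTS} |"
          } >> "$GITHUB_STEP_SUMMARY"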