forked from bottlerocket-os/bottlerocket
-
Notifications
You must be signed in to change notification settings - Fork 0
/
config-bottlerocket
179 lines (142 loc) · 4.88 KB
/
config-bottlerocket
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# Because Bottlerocket does not have an initramfs, modules required to mount
# the root filesystem must be set to y.
# The root filesystem is ext4
CONFIG_EXT4_FS=y
# NVMe support
CONFIG_BLK_DEV_NVME=y
CONFIG_NVME_CORE=y
# Xen blkfront for Xen-based EC2 platforms
CONFIG_XEN_BLKDEV_FRONTEND=y
# virtio for local testing with QEMU
CONFIG_VIRTIO=y
CONFIG_VIRTIO_BLK=y
CONFIG_VIRTIO_PCI=y
# dm-verity and enabling it on the kernel command line
CONFIG_BLK_DEV_DM=y
CONFIG_DAX=y
CONFIG_DM_INIT=y
CONFIG_DM_VERITY=y
# TCMU/LIO
CONFIG_TCM_USER2=m
# EFI
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_MIXED=y
# EFI video
CONFIG_FB=y
CONFIG_FB_EFI=y
CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y
# yama LSM for ptrace restrictions
CONFIG_SECURITY_YAMA=y
# Do not allow SELinux to be disabled at boot.
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# Do not allow SELinux to be disabled at runtime.
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# Do not allow SELinux to use `enforcing=0` behavior.
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# Check the protection applied by the kernel for mmap and mprotect,
# rather than the protection requested by userspace.
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
# Enable support for the kernel lockdown security module.
CONFIG_SECURITY_LOCKDOWN_LSM=y
# Enable lockdown early so that if the option is present on the
# kernel command line, it can be enforced.
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
# Enable zstd compression for squashfs.
CONFIG_SQUASHFS_ZSTD=y
# enable /proc/config.gz
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
# kernel headers at /sys/kernel/kheaders.tar.xz
CONFIG_IKHEADERS=y
# BTF debug info at /sys/kernel/btf/vmlinux
CONFIG_DEBUG_INFO_BTF=y
# We don't want to extend the kernel command line with any upstream defaults;
# Bottlerocket uses a fairly custom setup that needs tight control over it.
# CONFIG_CMDLINE_EXTEND is not set
# We don't want to unpack the initramfs passed by the bootloader. The intent of
# this option is to ensure that the built-in initramfs is used. Since we do not
# have a built-in initramfs, in practice this means we will never unpack any
# initramfs.
#
# We rely on `CONFIG_BLK_DEV_INITRD` for boot config support, so we can't just
# disable the functionality altogether.
CONFIG_INITRAMFS_FORCE=y
# Enable ZSTD kernel image compression
CONFIG_HAVE_KERNEL_ZSTD=y
CONFIG_KERNEL_ZSTD=y
CONFIG_ZSTD_COMPRESS=y
CONFIG_ZSTD_DECOMPRESS=y
CONFIG_DECOMPRESS_ZSTD=y
# Enable xz modules compression
CONFIG_MODULE_COMPRESS=y
CONFIG_MODULE_COMPRESS_XZ=y
# Load i8042 controller, keyboard, and mouse as modules, to avoid waiting for
# them before mounting the root device.
CONFIG_SERIO_I8042=m
CONFIG_KEYBOARD_ATKBD=m
CONFIG_MOUSE_PS2=m
# Add support for the basic IPMI handler. While Bottlerocket does not ship with
# any specific IPMI interfaces, the basic IPMI handler interface is used by the
# nvidia drivers, which makes this necessary.
CONFIG_IPMI_HANDLER=m
# Disable more specialized IPMI drivers that are not relevant for our use-cases
# CONFIG_IPMI_DEVICE_INTERFACE is not set
# CONFIG_IPMI_PANIC_EVENT is not set
# CONFIG_IPMI_POWEROFF is not set
# CONFIG_IPMI_SI is not set
# CONFIG_IPMI_WATCHDOG is not set
# CONFIG_ACPI_IPMI is not set
# Add support for bootconfig
CONFIG_BOOT_CONFIG=y
# Enables support for checkpoint/restore
CONFIG_CHECKPOINT_RESTORE=y
# Disable unused filesystems.
# CONFIG_AFS_FS is not set
# CONFIG_CRAMFS is not set
# CONFIG_ECRYPT_FS is not set
# CONFIG_EXT2_FS is not set
# CONFIG_EXT3_FS is not set
CONFIG_EXT4_USE_FOR_EXT2=y
# CONFIG_GFS2_FS is not set
# CONFIG_HFS_FS is not set
# CONFIG_HFSPLUS_FS is not set
# CONFIG_JFS_FS is not set
# CONFIG_JFFS2_FS is not set
# CONFIG_NFS_V2 is not set
# CONFIG_NILFS2_FS is not set
# CONFIG_NTFS_FS is not set
# CONFIG_ROMFS_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_ZONEFS_FS is not set
# Disable unused network protocols.
# CONFIG_AF_RXRPC is not set
# CONFIG_ATM is not set
# CONFIG_CAN is not set
# CONFIG_HSR is not set
# CONFIG_IP_DCCP is not set
# CONFIG_L2TP is not set
# CONFIG_RDS is not set
# CONFIG_RFKILL is not set
# CONFIG_TIPC is not set
# Disable USB-attached network interfaces, unused in the cloud and on server-grade hardware.
# CONFIG_USB_NET_DRIVERS is not set
# Disable obsolete NIC drivers
# CONFIG_QLGE is not set
# CONFIG_MLX4_CORE is not set
# CONFIG_MLX4_EN is not set
# CONFIG_MLX4_INFINIBAND is not set
# CONFIG_MLXSW_CORE is not set
# CONFIG_MLXFW is not set
# Disable unused qdiscs
# - sch_cake targets home routers and residential links
# CONFIG_NET_SCH_CAKE is not set
# Disable unused MPI3MR driver AL carries as a backport
# CONFIG_SCSI_MPI3MR is not set
# Work with the previously used in-tree version of SMARTPQI instead of AL backport
# CONFIG_AMAZON_SCSI_SMARTPQI is not set
CONFIG_SCSI_SMARTPQI=m
# Disable edac driver for intel 10nm memory controllers
# CONFIG_EDAC_I10NM is not set
# Disable AL port of BBR2 congestion algorithm
# CONFIG_TCP_CONG_BBR2 is not set