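###############################################################################
# Kernel config fragment for a container host (CRI-O / kubelet) on an embedded
# board, meant to be merged into a base defconfig (e.g. with
# scripts/kconfig/merge_config.sh). Each option carries a one-line rationale
# directly above it.
#
# Disabled symbols are written as CONFIG_X=n; Kconfig accepts that on input and
# writes them back as "# CONFIG_X is not set". After merging, compare the
# result with this file: an option whose Kconfig dependencies are unmet is
# dropped without error, and unknown symbol names only produce a warning.
###############################################################################

###############################################################################
# Core initramfs / board support
###############################################################################
# Hardware monitoring framework. Needed so sensor drivers can expose temps/fans.
CONFIG_HWMON=y
# Core I2C subsystem. Required by your RTC/fan controller drivers.
CONFIG_I2C=y
# EMC2305 fan controller driver. Built-in so fan control is available early.
CONFIG_SENSORS_EMC2305=y
# RTC driver for PCF2127. Built-in so timekeeping is available early.
CONFIG_RTC_DRV_PCF2127=y

###############################################################################
# Namespaces
# These are fundamental container primitives. Keep these built-in.
###############################################################################
# Master switch for Linux namespaces.
CONFIG_NAMESPACES=y
# Isolates hostname/domainname per container.
CONFIG_UTS_NS=y
# Isolates SysV IPC and POSIX message queues between containers.
CONFIG_IPC_NS=y
# Gives containers their own PID tree (so processes inside see their own PID 1).
CONFIG_PID_NS=y
# Gives containers their own network stack, interfaces, routing, etc.
CONFIG_NET_NS=y
# User namespaces. Useful for modern container behavior and future flexibility.
# Not every setup strictly needs this on day one, but I would enable it.
# Note that it also lets unprivileged processes create namespaces, which widens
# the reachable kernel attack surface; the user.max_user_namespaces sysctl can
# cap that at runtime if it matters for your threat model.
CONFIG_USER_NS=y

###############################################################################
# Cgroups / resource control
# Required for kubelet/CRI-O to manage resource isolation.
###############################################################################
# Master switch for cgroups.
CONFIG_CGROUPS=y
# Allows BPF programs to be attached to cgroups. Not required for first boot,
# but modern systems increasingly expect this.
# Depends on CONFIG_BPF_SYSCALL, which this fragment does not set; if that is
# off in the base config, this option is dropped from the merged .config.
CONFIG_CGROUP_BPF=y
# Allows freezing/thawing process groups. Useful for container lifecycle control.
CONFIG_CGROUP_FREEZER=y
# Limits number of processes in a cgroup.
CONFIG_CGROUP_PIDS=y
# Controls device access from containers.
CONFIG_CGROUP_DEVICE=y
# CPU affinity partitioning by cgroup.
CONFIG_CPUSETS=y
# Memory cgroup support. Critical for container memory accounting/limits.
CONFIG_MEMCG=y
# Block IO control/accounting for cgroups.
CONFIG_BLK_CGROUP=y
# Scheduler integration for cgroups.
CONFIG_CGROUP_SCHED=y
# Fair scheduler group support for cgroups.
CONFIG_FAIR_GROUP_SCHED=y
# CPU quota/limit support. Important for kubelet resource enforcement.
CONFIG_CFS_BANDWIDTH=y

###############################################################################
# Filesystem / tmpfs / container filesystem basics
###############################################################################
# Kernel key retention service. Commonly relied on by container/userland tooling.
CONFIG_KEYS=y
# Tmpfs support. Containers and runtimes rely on this heavily.
CONFIG_TMPFS=y
# Extended attributes on tmpfs. Useful for container runtime behavior.
CONFIG_TMPFS_XATTR=y
# POSIX ACLs on tmpfs. Good compatibility feature for userland.
CONFIG_TMPFS_POSIX_ACL=y
# Overlay filesystem. This is the big one for container image/layer storage.
# Built in here; =m would also work, since CRI-O only needs it after boot, so
# switch to a module if FIT image size becomes a concern.
CONFIG_OVERLAY_FS=y
# General POSIX ACL support. Good to have for overlay/tmpfs behavior.
CONFIG_FS_POSIX_ACL=y

###############################################################################
# Core networking stack
###############################################################################
# IPv4 stack.
CONFIG_INET=y
# IPv6 stack. You may be tempted to disable it, but Kubernetes/container stacks
# increasingly assume it exists. Keep it on unless you have a hard reason not to.
CONFIG_IPV6=y
# Unix domain sockets. Containers and runtimes absolutely rely on this.
CONFIG_UNIX=y
# TUN/TAP device support. Commonly used by networking tools/VPN/CNI-related flows.
# Module is fine.
CONFIG_TUN=m
# Dummy network interface. Sometimes useful for CNI/network setups and testing.
CONFIG_DUMMY=m

###############################################################################
# Netfilter / packet filtering / NAT
# This is where container networking gets messy. Better to enable a sane baseline.
###############################################################################
# Netfilter core framework. This is a bool symbol in Kconfig, so it cannot be
# built as a module; it has to be =y.
CONFIG_NETFILTER=y
# Exposes more advanced netfilter options and modules.
CONFIG_NETFILTER_ADVANCED=y
# Connection tracking. Critical for NAT, Kubernetes service traffic, and many CNIs.
CONFIG_NF_CONNTRACK=y
# NAT framework. Required for masquerading and pod egress in many setups.
CONFIG_NF_NAT=y
# nftables framework. Modern Linux packet filtering backend.
CONFIG_NF_TABLES=y
# nftables conntrack expressions.
CONFIG_NFT_CT=y
# nftables packet/byte counters.
CONFIG_NFT_COUNTER=y
# nftables NAT chain support.
CONFIG_NFT_CHAIN_NAT=y
# nftables masquerade support. Often needed for pod egress NAT.
CONFIG_NFT_MASQ=y
# nftables redirect target.
CONFIG_NFT_REDIR=y
# nftables NAT support.
CONFIG_NFT_NAT=y
# IPv4 NAT helper support. Some kernels still expose this separately; on trees
# where it no longer exists the line is ignored with a warning.
CONFIG_NF_NAT_IPV4=y
# IPv6 NAT helper support (same version caveat as above).
CONFIG_NF_NAT_IPV6=y
# Userspace netlink access to the conntrack table; kube-proxy uses this for
# conntrack listing/cleanup.
CONFIG_NF_CT_NETLINK=y
# Userspace netlink support for conntrack timeout objects.
CONFIG_NF_CT_NETLINK_TIMEOUT=y
# Userspace netlink support for conntrack helper objects.
CONFIG_NF_CT_NETLINK_HELPER=y
# iptables compatibility for IPv4. Still useful because lots of CNI/plugin code
# still expects iptables even on nft-backed systems.
CONFIG_IP_NF_IPTABLES=y
# IPv4 NAT support for iptables compatibility.
CONFIG_IP_NF_NAT=y
# ip6tables compatibility.
CONFIG_IP6_NF_IPTABLES=y
# IPv6 "filter" table (counterpart of IP_NF_FILTER below, for ip6tables).
CONFIG_IP6_NF_FILTER=y
# Core IPv4 reject logic used by netfilter/iptables/nftables.
CONFIG_NF_REJECT_IPV4=y
# nftables equivalent of REJECT (needed for nf_tables backend compatibility).
CONFIG_NFT_REJECT=y
# IPv4 "filter" table (INPUT/FORWARD/OUTPUT chains for iptables).
CONFIG_IP_NF_FILTER=y
# IPv4-specific REJECT target for legacy iptables.
CONFIG_IP_NF_TARGET_REJECT=y
# IPv6-specific REJECT target for legacy iptables.
CONFIG_IP6_NF_TARGET_REJECT=y
# IP sets. Useful for some network policies / firewalling toolchains.
CONFIG_IP_SET=m
# Netfilter accounting subsystem used for nfacct-based kube-proxy metrics.
CONFIG_NETFILTER_NETLINK_ACCT=y
# iptables nfacct match that hooks rules into the netfilter accounting subsystem.
CONFIG_NETFILTER_XT_MATCH_NFACCT=y
# xtables match for address types. Often used in iptables rules.
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
# iptables REJECT target (actively reject packets instead of silently dropping).
CONFIG_NETFILTER_XT_TARGET_REJECT=y
# Allows comments in iptables rules. Not critical, but harmless and useful.
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
# xtables conntrack matching.
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# iptables "statistic" match used for probabilistic packet matching / load balancing.
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
# Match multiple ports in one rule.
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
# Useful for TCP MSS clamping in some network paths.
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
# iptables MASQUERADE target. Very commonly needed for pod outbound NAT.
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
# Redirect target.
CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
# Packet marking support. Useful for advanced networking/routing rules.
CONFIG_NETFILTER_XT_TARGET_MARK=y
# Connection tracking target for xtables.
CONFIG_NETFILTER_XT_TARGET_CT=y
# Optional. Good only if you know you need transparent proxying.
# Not required for initial CRI-O bring-up, so it stays commented out.
# CONFIG_NETFILTER_XT_TARGET_TPROXY=m

###############################################################################
# Bridge / container interface plumbing
###############################################################################
# Virtual Ethernet pairs. This is how container interfaces are commonly connected
# to the host/network namespace.
CONFIG_VETH=y
# Ethernet bridge support. Needed by bridge-based CNIs.
CONFIG_BRIDGE=y
# Allows bridged traffic to pass through netfilter/iptables/nftables hooks.
# Important for Kubernetes networking behavior. Whether the hooks actually
# apply is governed at runtime by the net.bridge.bridge-nf-call-iptables and
# net.bridge.bridge-nf-call-ip6tables sysctls, which kube tooling expects to
# read 1.
CONFIG_BRIDGE_NETFILTER=y
# Optional / version-dependent:
# Some kernels expose additional ebtables/bridge netfilter pieces separately.
# Keep this if your kernel has it, but don't panic if it doesn't.
# Bridge filtering via ebtables compatibility. Sometimes useful, not always critical.
CONFIG_BRIDGE_NF_EBTABLES=y

###############################################################################
# Security / sandboxing
###############################################################################
# Secure computing mode. Lets runtimes restrict syscall surface.
CONFIG_SECCOMP=y
# BPF-based seccomp filters. This is the useful seccomp mode for containers.
CONFIG_SECCOMP_FILTER=y
# AppArmor / SELinux are optional depending on distro/security model.
# Alpine often won't use AppArmor by default; that's fine for first bring-up.
# If your kernel tree has these and you care later, CONFIG_SECURITY is the
# prerequisite for any LSM, and CONFIG_SECURITYFS exposes /sys/kernel/security:
# CONFIG_SECURITY=y
# CONFIG_SECURITYFS=y

###############################################################################
# Misc userspace/container compatibility
###############################################################################
# POSIX message queues. Containers/apps sometimes rely on this.
CONFIG_POSIX_MQUEUE=y
# Event polling. Usually already enabled; standard modern userspace feature.
CONFIG_EPOLL=y
# File-descriptor-based signal delivery. Common Linux userspace feature.
CONFIG_SIGNALFD=y
# File-descriptor timers. Common Linux userspace feature.
CONFIG_TIMERFD=y
# Event notification file descriptors. Common Linux userspace feature.
CONFIG_EVENTFD=y
# Anonymous memory-backed file creation. Widely used by modern software.
CONFIG_MEMFD_CREATE=y
# File handle support. Useful for container/runtime operations.
CONFIG_FHANDLE=y
# Optional on embedded boards; usually not needed unless your tree selects it
# (if something does select it, this =n is overridden in the merged .config).
CONFIG_DMIID=n

###############################################################################
# Storage / block / other practical container bits
###############################################################################
# Loop devices. Often useful for image/layer tooling or debugging.
# Could be =m too, but built-in is harmless and often convenient.
CONFIG_BLK_DEV_LOOP=y
# Automount filesystem support. Not strictly required for CRI-O, but harmless.
CONFIG_AUTOFS_FS=y
# /proc support. Essential.
CONFIG_PROC_FS=y
# /sys support. Essential.
CONFIG_SYSFS=y
# Kernel-managed /dev population support.
CONFIG_DEVTMPFS=y
# Automatically mount devtmpfs. Very practical on small/custom systems.
CONFIG_DEVTMPFS_MOUNT=y

### Disable XEN because it breaks our build and we don't need it
### (symbol names as given; confirm each exists in your tree, since Kconfig
### only warns about names it does not know)
CONFIG_XEN=n
CONFIG_XEN_DOM0=n
CONFIG_VHOST_XEN=n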