monok8s/kernel-extra.config


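###############################################################################
# kernel-extra.config - Kconfig fragment (.config syntax) for the monok8s node
# kernel. Presumably merged over a base config, e.g. with
# scripts/kconfig/merge_config.sh - confirm against the build scripts.
#
# Two things to remember when editing:
#   * kconfig resolves dependencies after the merge: an option whose
#     prerequisites the base config lacks is dropped silently, so always diff
#     the final .config against this file (merge_config.sh warns once per
#     option that did not survive).
#   * "=m" is only meaningful for tristate symbols. For a bool symbol kconfig
#     warns about the invalid value and falls back to the default, which is
#     usually "n" - i.e. the option is quietly lost.
###############################################################################
###############################################################################
# Core initramfs / board support
# These are built-in because you said initramfs needs them and you want them
# available early during boot.
###############################################################################
CONFIG_HWMON=y
# Hardware monitoring framework. Needed so sensor drivers can expose temps/fans.
CONFIG_I2C=y
# Core I2C subsystem. Required by your RTC/fan controller drivers.
CONFIG_SENSORS_EMC2305=y
# EMC2305 fan controller driver. Built-in so fan control is available early.
CONFIG_RTC_DRV_PCF2127=y
# RTC driver for PCF2127. Built-in so timekeeping is available early.
###############################################################################
# Namespaces
# These are fundamental container primitives. Keep these built-in.
###############################################################################
CONFIG_NAMESPACES=y
# Master switch for Linux namespaces.
CONFIG_UTS_NS=y
# Isolates hostname/domainname per container.
CONFIG_IPC_NS=y
# Isolates SysV IPC and POSIX message queues between containers.
CONFIG_PID_NS=y
# Gives containers their own PID tree (so processes inside see their own PID 1).
CONFIG_NET_NS=y
# Gives containers their own network stack, interfaces, routing, etc.
CONFIG_USER_NS=y
# User namespaces. Useful for modern container behavior and future flexibility.
# Not every setup strictly needs this on day one, but I would enable it.
# Security note: user namespaces let unprivileged processes reach kernel code
# paths that are otherwise root-only, which widens the attack surface of the
# node. Keep the option, but if rootless containers are not needed on this box,
# cap it at runtime with the user.max_user_namespaces sysctl.
###############################################################################
# Cgroups / resource control
# Required for kubelet/CRI-O to manage resource isolation.
###############################################################################
CONFIG_CGROUPS=y
# Master switch for cgroups.
CONFIG_CGROUP_BPF=y
# Allows BPF programs to be attached to cgroups. Not required for first boot,
# but modern systems increasingly expect this.
CONFIG_CGROUP_FREEZER=y
# Allows freezing/thawing process groups. Useful for container lifecycle control.
CONFIG_CGROUP_PIDS=y
# Limits number of processes in a cgroup.
CONFIG_CGROUP_DEVICE=y
# Controls device access from containers.
CONFIG_CPUSETS=y
# CPU affinity partitioning by cgroup.
CONFIG_MEMCG=y
# Memory cgroup support. Critical for container memory accounting/limits.
CONFIG_BLK_CGROUP=y
# Block IO control/accounting for cgroups.
CONFIG_CGROUP_SCHED=y
# Scheduler integration for cgroups.
CONFIG_FAIR_GROUP_SCHED=y
# Fair scheduler group support for cgroups.
CONFIG_CFS_BANDWIDTH=y
# CPU quota/limit support. Important for kubelet resource enforcement.
###############################################################################
# Filesystem / tmpfs / container filesystem basics
###############################################################################
CONFIG_KEYS=y
# Kernel key retention service. Commonly relied on by container/userland tooling.
CONFIG_TMPFS=y
# Tmpfs support. Containers and runtimes rely on this heavily.
CONFIG_TMPFS_XATTR=y
# Extended attributes on tmpfs. Useful for container runtime behavior.
CONFIG_TMPFS_POSIX_ACL=y
# POSIX ACLs on tmpfs. Good compatibility feature for userland.
CONFIG_OVERLAY_FS=m
# Overlay filesystem. This is the big one for container image/layer storage.
# Module is fine; CRI-O can load/use it after boot. No need to bloat FIT image.
# Either way the module must be loadable from the root filesystem before CRI-O
# starts; a missing overlay module shows up as a storage-driver error, not a
# kernel one.
CONFIG_FS_POSIX_ACL=y
# General POSIX ACL support. Good to have for overlay/tmpfs behavior.
###############################################################################
# Core networking stack
###############################################################################
CONFIG_INET=y
# IPv4 stack.
CONFIG_IPV6=y
# IPv6 stack. You may be tempted to disable it, but Kubernetes/container stacks
# increasingly assume it exists. Keep it on unless you have a hard reason not to.
CONFIG_UNIX=y
# Unix domain sockets. Containers and runtimes absolutely rely on this.
CONFIG_TUN=m
# TUN/TAP device support. Commonly used by networking tools/VPN/CNI-related flows.
# Module is fine.
CONFIG_DUMMY=m
# Dummy network interface. Sometimes useful for CNI/network setups and testing.
###############################################################################
# Netfilter / packet filtering / NAT
# This is where container networking gets messy. Better to enable a sane baseline.
###############################################################################
CONFIG_NETFILTER=y
# Netfilter core framework. NETFILTER is a bool symbol, not a tristate, so the
# previous "=m" was an invalid value: kconfig warns and falls back to the
# default, which would have silently dropped the whole framework and every
# conntrack/NAT/nft option below with it. The framework itself has to be
# built in; the individual pieces below can still be modules, and iptables/nft
# normally trigger their autoload when rules are installed (verify on target).
CONFIG_NETFILTER_ADVANCED=y
# Exposes more advanced netfilter options and modules.
CONFIG_NF_CONNTRACK=m
# Connection tracking. Critical for NAT, Kubernetes service traffic, and many CNIs.
CONFIG_NF_NAT=m
# NAT framework. Required for masquerading and pod egress in many setups.
CONFIG_NF_TABLES=m
# nftables framework. Modern Linux packet filtering backend.
CONFIG_NFT_CT=m
# nftables conntrack expressions.
CONFIG_NFT_CHAIN_NAT=m
# nftables NAT chain support.
CONFIG_NFT_MASQ=m
# nftables masquerade support. Often needed for pod egress NAT.
CONFIG_NFT_REDIR=m
# nftables redirect target.
CONFIG_NFT_NAT=m
# nftables NAT support.
CONFIG_NF_NAT_IPV4=m
# IPv4 NAT helper support. Some kernels still expose this separately.
# NOTE(review): the kernels that still had NF_NAT_IPV4/IPV6 as separate symbols
# predate the merged NETFILTER_XT_TARGET_MASQUERADE symbol used further down
# (those older trees call it IP_NF_TARGET_MASQUERADE), so expect at most one of
# the two to survive the merge. Check the merge warnings rather than assuming
# both are present.
CONFIG_NF_NAT_IPV6=m
# IPv6 NAT helper support.
CONFIG_IP_NF_IPTABLES=m
# iptables compatibility for IPv4. Still useful because lots of CNI/plugin code
# still expects iptables even on nft-backed systems.
CONFIG_IP_NF_NAT=m
# IPv4 NAT support for iptables compatibility.
CONFIG_IP6_NF_IPTABLES=m
# ip6tables compatibility.
CONFIG_IP_SET=m
# IP sets. Useful for some network policies / firewalling toolchains.
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
# xtables match for address types. Often used in iptables rules.
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
# Allows comments in iptables rules. Not critical, but harmless and useful.
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# xtables conntrack matching.
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# Match multiple ports in one rule.
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
# Useful for TCP MSS clamping in some network paths.
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
# iptables MASQUERADE target. Very commonly needed for pod outbound NAT.
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
# Redirect target.
CONFIG_NETFILTER_XT_TARGET_MARK=m
# Packet marking support. Useful for advanced networking/routing rules.
CONFIG_NETFILTER_XT_TARGET_CT=m
# Connection tracking target for xtables.
# Optional. Good only if you know you need transparent proxying.
# Not required for initial CRI-O bring-up.
# CONFIG_NETFILTER_XT_TARGET_TPROXY=m
###############################################################################
# Bridge / container interface plumbing
###############################################################################
CONFIG_VETH=m
# Virtual Ethernet pairs. This is how container interfaces are commonly connected
# to the host/network namespace.
CONFIG_BRIDGE=m
# Ethernet bridge support. Needed by bridge-based CNIs.
CONFIG_BRIDGE_NETFILTER=m
# Allows bridged traffic to pass through netfilter/iptables/nftables hooks.
# Important for Kubernetes networking behavior.
# As a module, br_netfilter has to be loaded before the
# net.bridge.bridge-nf-call-iptables sysctl exists at all; kubeadm preflight
# and several CNIs look for that sysctl, so list br_netfilter in the node's
# modules-load configuration rather than relying on autoload.
# Optional / version-dependent:
# Some kernels expose additional ebtables/bridge netfilter pieces separately.
# Keep this if your kernel has it, but don't panic if it doesn't.
CONFIG_BRIDGE_NF_EBTABLES=m
# Bridge filtering via ebtables compatibility. Sometimes useful, not always critical.
###############################################################################
# Security / sandboxing
###############################################################################
CONFIG_SECCOMP=y
# Secure computing mode. Lets runtimes restrict syscall surface.
CONFIG_SECCOMP_FILTER=y
# BPF-based seccomp filters. This is the useful seccomp mode for containers.
# AppArmor / SELinux are optional depending on distro/security model.
# Alpine often won't use AppArmor by default; that's fine for first bring-up.
# Be aware that without CONFIG_SECURITY no LSM at all can be built, so any
# SELinux/AppArmor settings in the CRI-O or pod configuration will have nothing
# to enforce. seccomp profiles do not depend on it and keep working.
# If your kernel tree has these and you care later:
# CONFIG_SECURITY=y
# CONFIG_SECURITYFS=y
###############################################################################
# Misc userspace/container compatibility
###############################################################################
CONFIG_POSIX_MQUEUE=y
# POSIX message queues. Containers/apps sometimes rely on this.
CONFIG_EPOLL=y
# Event polling. Usually already enabled; standard modern userspace feature.
CONFIG_SIGNALFD=y
# File-descriptor-based signal delivery. Common Linux userspace feature.
CONFIG_TIMERFD=y
# File-descriptor timers. Common Linux userspace feature.
CONFIG_EVENTFD=y
# Event notification file descriptors. Common Linux userspace feature.
CONFIG_MEMFD_CREATE=y
# Anonymous memory-backed file creation. Widely used by modern software.
CONFIG_FHANDLE=y
# File handle support. Useful for container/runtime operations.
CONFIG_DMIID=n
# Optional on embedded boards; usually not needed unless your tree selects it.
# "=n" is accepted by kconfig; the form the kernel itself writes is
# "# CONFIG_DMIID is not set". Either spelling works for merge_config.sh.
###############################################################################
# Storage / block / other practical container bits
###############################################################################
CONFIG_BLK_DEV_LOOP=y
# Loop devices. Often useful for image/layer tooling or debugging.
# Could be =m too, but built-in is harmless and often convenient.
CONFIG_AUTOFS_FS=y
# Automount filesystem support. Not strictly required for CRI-O, but harmless.
CONFIG_PROC_FS=y
# /proc support. Essential.
CONFIG_SYSFS=y
# /sys support. Essential.
CONFIG_DEVTMPFS=y
# Kernel-managed /dev population support.
CONFIG_DEVTMPFS_MOUNT=y
# Automatically mount devtmpfs. Very practical on small/custom systems.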
### Disable XEN because it breaks our build and we don't need it
CONFIG_XEN=n
CONFIG_XEN_DOM0=n
CONFIG_VHOST_XEN=n