Wednesday, June 15, 2016

Adding seccomp support to Elasticsearch on ARM

Linux kernel supports seccomp since 2.6.12.  The ARM support was added in 2012.

However, the current Elasticsearch source only supports seccomp on x86 and amd84 platforms.  When starting Elasticsearch on an ARM platform, you will see bootstrap failed to install seccomp filters:

[2016-06-15 22:11:00,078][WARN ][bootstrap                ] unable to install syscall filter: seccomp unavailable: 'arm' architecture unsupported


To add support for ARM platforms, it is just a matter of finding the correct audit code of ARM architecture and the appropriate syscall number of blocked functions.

Here is the code change required:


diff --git a/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java b/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
index 46908e6..d94c848 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/Seccomp.java
@@ -243,6 +243,9 @@ final class Seccomp {
         Map<String,Arch> m = new HashMap<>();
         m.put("amd64", new Arch(0xC000003E, 0x3FFFFFFF, 57, 58, 59, 322, 317));
         m.put("i386",  new Arch(0x40000003, 0xFFFFFFFF, 2, 190, 11, 358, 354));
+        // ARM syscall number ref based on kernel 4.6
+        // https://github.com/torvalds/linux/blob/v4.6/arch/arm/kernel/calls.S
+        m.put("arm", new Arch(0x40000028, 0xFFFFFFFF, 2, 190, 11, 387, 383));
         ARCHITECTURES = Collections.unmodifiableMap(m);
     }


Also forked the Elasticsearch github source for that.

Friday, June 3, 2016

Compiling Nvidia driver 340.96 for Linux 4.6.x kernel

Updates Oct 2016: The latest Nvidia driver should support kernel 4.6.x, 4.7.x, and 4.8.x.  There is no need to use this patch anymore.

Updates 2016-08-13: The patch works for Linux kernel 4.7.x too.

With the latest Linux 4.6.x kernel, the Nvidia 340.96 driver won't compile.  Here is a quick fix to compile and install the driver until Nvidia releases a new version.

First, download extract the driver package:

./NVIDIA-Linux-x86_64-340.96 -x

Then patch the files accordingly:

diff -r NVIDIA-Linux-x86_64-340.96/kernel/os-mlock.c NVIDIA-Linux-x86_64-340.96.mod/kernel/os-mlock.c
48c48
<     ret = get_user_pages(current, mm, (unsigned long)address,
---
>     ret = get_user_pages_remote(current, mm, (unsigned long)address,
61c61,62
<             page_cache_release(user_pages[i]);
---
>             //page_cache_release(user_pages[i]);
>             put_page(user_pages[i]);
88c89,90
<         page_cache_release(user_pages[i]);
---
>         //page_cache_release(user_pages[i]);
>         put_page(user_pages[i]);

diff -r NVIDIA-Linux-x86_64-340.96/kernel/uvm/nvidia_uvm_lite.c NVIDIA-Linux-x86_64-340.96.mod/kernel/uvm/nvidia_uvm_lite.c
788c788,789
<         retValue = VM_FAULT_MINOR;
---
>         //retValue = VM_FAULT_MINOR;
>         retValue = 0;


Finally, compile and install:

./nvidia-installer