feat(vm): close RHCOS coverage gaps — aarch64 boot + broader artifact matrix#54
Merged
Conversation
… matrix Two real fixes unblock aarch64 VM validation (latent bugs for any aarch64 cloud-image profile, not just RHCOS): - aarch64 UEFI firmware: aarch64 `virt` has no built-in firmware, so the executor now supplies AAVMF as pflash (read-only CODE + a per-VM writable VARS copy), overridable via BPFCOMPAT_AARCH64_UEFI_CODE/_VARS. Without it an aarch64 guest never boots. - KVM only accelerates a same-arch guest: /dev/kvm on an x86_64 host cannot run an aarch64 guest, so qemuMachineArgs now falls back to TCG when guest arch != host arch instead of passing an invalid accel=kvm. Evidence (docs/evidence-rhcos.md) expanded to enterprise scope, all real boots: - x86_64: 6 artifacts × OpenShift 4.14/4.16/4.18. Adds perf-buffer, kprobe, and a BPF-LSM artifact (aegis). The LSM case is a real backport boundary — rejected on 4.14 (RHEL 9.2, EPERM/CAPABILITY_FAILURE) but load+attach all 4 hooks on 4.16/4.18 (RHEL 9.4). core-relocation-fail rejected everywhere (discriminator). - aarch64: real RHCOS 4.16 boot (5.14.0-427.50.1.el9_4.aarch64) under TCG, ring-buffer load+attach 1/1 — exercising the cross-compiled aarch64 validator, EDK II UEFI, Ignition, and SSH. Adds profile rhcos-4.16-arm64 and matrices/rhcos-arm64.yaml; env vars cataloged in envref + env-reference.md. RHCOS stays opt-in (BPFCOMPAT_ENABLE_RHCOS) and out of the README "Distributions covered" table. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the two gaps called out on the RHCOS evidence matrix: aarch64 and a broader artifact set. Both done with real boots, plus two genuine executor fixes uncovered along the way.
Executor fixes (latent bugs for any aarch64 cloud-image profile)
virthas no built-in firmware (x86 has SeaBIOS), so the executor now supplies AAVMF as pflash — read-only CODE + a per-VM writable VARS copy — overridable viaBPFCOMPAT_AARCH64_UEFI_CODE/_VARS. Without this an aarch64 guest never boots./dev/kvmon an x86_64 host can't run an aarch64 guest, soqemuMachineArgsnow falls back to TCG when guest arch ≠ host arch instead of passing an invalidaccel=kvm.Broader artifacts — x86_64, 6 × 3, real boots
The LSM row is the headline: a real backport boundary — BPF-LSM is active in RHEL 9.4 but not 9.2, on the same 5.14 line. Version inference can't see that; a real boot does.
aarch64 — real cross-arch boot
RHCOS 4.16 aarch64 booted on this x86_64 host under TCG: kernel
5.14.0-427.50.1.el9_4.aarch64, ring-buffer load+attach 1/1 — exercising the cross-compiled aarch64 validator, EDK II (AAVMF) UEFI, Ignition over-fw_cfg, SSH ascore. On a native ARM64 KVM host the same run uses hardware acceleration automatically.Honest scoping (unchanged)
bpf()); native ARM64 KVM is the fast path.BPFCOMPAT_ENABLE_RHCOS) and out of the README "Distributions covered" table.Tests / verify
go build/vet,gofmt,env-docs-check,go test ./internal/...green.Adds profile
rhcos-4.16-arm64,matrices/rhcos-arm64.yaml, env vars ininternal/envref+docs/env-reference.md; full data indocs/evidence-rhcos.md.🤖 Generated with Claude Code