From 8aa2177435cfd8c88b8ec1bb8d3429533d0891ad Mon Sep 17 00:00:00 2001 From: ErenAri Date: Sat, 27 Jun 2026 16:11:15 +0300 Subject: [PATCH 1/2] docs(rhcos): strengthen evidence framing + add sanitized JSON summary MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - rhcos-4.16-5.14.yaml: correct the comment — it is one row of the proven matrix (OCP 4.14/4.16/4.18 x86_64 + 4.16 aarch64), boot solved AND proven, not "remaining gap"; point at the evidence + summary. - README: broaden the recorded-run line from 4.16-centric to the full proven scope (4.14/4.16/4.18 + aarch64), link the machine-readable summary. - docs/report-rhcos-summary.json: sanitized, public per-release load/attach verdicts + classifications + image/artifact sha256s (no host paths, keys, or raw logs) to back the prose in docs/evidence-rhcos.md. Co-Authored-By: Claude Opus 4.8 --- README.md | 20 +-- docs/report-rhcos-summary.json | 218 +++++++++++++++++++++++++++++++ vm/profiles/rhcos-4.16-5.14.yaml | 24 ++-- 3 files changed, 244 insertions(+), 18 deletions(-) create mode 100644 docs/report-rhcos-summary.json diff --git a/README.md b/README.md index 27fce49..6d2486b 100644 --- a/README.md +++ b/README.md 
@@ -114,15 +114,17 @@ different bootstrap. bpfcompat implements it (Ignition config over QEMU -matrix matrices/rhcos.yaml -runner vm -out report.json ``` - Recorded evidence matrix: **3 OpenShift releases (4.14 / 4.16 / 4.18) × 6 - artifacts on x86_64, plus a real aarch64 boot** — - [docs/evidence-rhcos.md](docs/evidence-rhcos.md). Highlights: ring-buffer and - perf-buffer load+attach pass everywhere; a **BPF-LSM** program is rejected on - 4.14 (RHEL 9.2) but loads+attaches all hooks on 4.16/4.18 (RHEL 9.4) — a real - backport boundary; and a CO-RE failure is correctly rejected on every release. - Without an image, the **RHEL / AlmaLinux 9 (5.14)** profiles are the interim - kernel approximation. Full guide: - [docs/rhcos-openshift.md](docs/rhcos-openshift.md). + Recorded evidence — real boots, not claims, and not just 4.16: **OpenShift + 4.14, 4.16, and 4.18 on x86_64 (6 artifacts each), plus OpenShift 4.16 on + aarch64** — [docs/evidence-rhcos.md](docs/evidence-rhcos.md), with a + machine-readable [docs/report-rhcos-summary.json](docs/report-rhcos-summary.json). + Highlights: ring-buffer and perf-buffer load+attach pass on every release; a + **BPF-LSM** program is rejected on 4.14 (RHEL 9.2) but loads+attaches all hooks + on 4.16/4.18 (RHEL 9.4) — a real backport boundary; a CO-RE failure is + correctly rejected everywhere; and the aarch64 boot + (`5.14.0-427.50.1.el9_4.aarch64`) load+attaches under emulation. Without an + image, the **RHEL / AlmaLinux 9 (5.14)** profiles are the interim kernel + approximation. Full guide: [docs/rhcos-openshift.md](docs/rhcos-openshift.md). ## Try it in CI without your own KVM box diff --git a/docs/report-rhcos-summary.json b/docs/report-rhcos-summary.json new file mode 100644 index 0000000..698bb91 --- /dev/null +++ b/docs/report-rhcos-summary.json 
@@ -0,0 +1,218 @@ +{ + "schema": "bpfcompat.rhcos-evidence-summary.v1", + "generated_for": "bpfcompat v0.2.0", + "note": "Sanitized summary of real bpfcompat runs inside booted RHEL CoreOS guests. Host paths, per-run SSH keys, and raw logs are intentionally excluded; see docs/evidence-rhcos.md for the narrative and provenance.", + "image_source": "https://mirror.openshift.com/pub/openshift-v4//dependencies/rhcos//latest/ (public boot images; pull secret not required)", + "releases": [ + { + "openshift": "4.14", + "arch": "x86_64", + "rhcos": "414.92.202407091253", + "kernel": "5.14.0-284.73.1.el9_2.x86_64" + }, + { + "openshift": "4.16", + "arch": "x86_64", + "rhcos": "416.94.202510081640", + "kernel": "5.14.0-427.93.1.el9_4.x86_64" + }, + { + "openshift": "4.18", + "arch": "x86_64", + "rhcos": "418.94.202510081222", + "kernel": "5.14.0-427.93.1.el9_4.x86_64" + }, + { + "openshift": "4.16", + "arch": "aarch64", + "rhcos": "416.94.202501270445", + "kernel": "5.14.0-427.50.1.el9_4.aarch64" + } + ], + "x86_64_matrix": [ + { + "artifact": "simple-pass", + "description": "baseline program load", + "artifact_sha256": "416a492899e8713c8a84678940a11bb01b34dd6b8e758a885efa590cc8565967", + "by_release": { + "openshift-4.14-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + }, + "openshift-4.16-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + }, + "openshift-4.18-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + } + } + }, + { + "artifact": "ringbuf-modern", + "description": "tracepoint + ring buffer (upstream >=5.8)", + "artifact_sha256": "569df5541ad1246f17fb288c41cf3435e240da3b1ce254a348e4e0ffec021728", + "by_release": { + "openshift-4.14-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + 
"attach_attempted": 1 + }, + "openshift-4.16-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + }, + "openshift-4.18-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + } + } + }, + { + "artifact": "perfbuf-fallback", + "description": "tracepoint + perf-event buffer", + "artifact_sha256": "fdebfa1a8b98cdf9890b4ac21fc40dd5e016e672b875b5e46f356d333f6e6e2f", + "by_release": { + "openshift-4.14-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + }, + "openshift-4.16-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + }, + "openshift-4.18-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + } + } + }, + { + "artifact": "attach-warn", + "description": "kprobe to a missing symbol", + "artifact_sha256": "3c2d83d12c2d6357213cbf0a9ebbc1ba4b53d3565e9536cf4190dfe4d2fc1531", + "by_release": { + "openshift-4.14-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "warn", + "attach_passed": null, + "attach_attempted": 1 + }, + "openshift-4.16-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "warn", + "attach_passed": null, + "attach_attempted": 1 + }, + "openshift-4.18-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "warn", + "attach_passed": null, + "attach_attempted": 1 + } + } + }, + { + "artifact": "aegis", + "description": "BPF-LSM (4 hooks) + tracepoint", + "artifact_sha256": "83aa9d2620e6459a960768045af60a5d35936b7b2be4da25f689a44abff42819", + "by_release": { + "openshift-4.14-x86_64": { + "target_status": "fail", + "load": "fail", + "attach": "skipped", + "load_errno": -13, + "classification": "CAPABILITY_FAILURE" + }, + "openshift-4.16-x86_64": { + "target_status": 
"pass", + "load": "pass", + "attach": "pass", + "attach_passed": 4, + "attach_attempted": 4 + }, + "openshift-4.18-x86_64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 4, + "attach_attempted": 4 + } + } + }, + { + "artifact": "core-relocation-fail", + "description": "CO-RE relocation to a non-existent type (negative control)", + "artifact_sha256": "b9b4f3942a64fe9a8f789a574cb1958b445a18af37881c9ecce05791865dd8f5", + "by_release": { + "openshift-4.14-x86_64": { + "target_status": "fail", + "load": "fail", + "attach": "skipped", + "load_errno": -22, + "classification": "CORE_RELOCATION_FAILURE" + }, + "openshift-4.16-x86_64": { + "target_status": "fail", + "load": "fail", + "attach": "skipped", + "load_errno": -22, + "classification": "CORE_RELOCATION_FAILURE" + }, + "openshift-4.18-x86_64": { + "target_status": "fail", + "load": "fail", + "attach": "skipped", + "load_errno": -22, + "classification": "CORE_RELOCATION_FAILURE" + } + } + } + ], + "aarch64_matrix": [ + { + "artifact": "ringbuf-modern", + "description": "tracepoint + ring buffer (upstream >=5.8)", + "artifact_sha256": "569df5541ad1246f17fb288c41cf3435e240da3b1ce254a348e4e0ffec021728", + "by_release": { + "openshift-4.16-aarch64": { + "target_status": "pass", + "load": "pass", + "attach": "pass", + "attach_passed": 1, + "attach_attempted": 1 + } + } + } + ] +} diff --git a/vm/profiles/rhcos-4.16-5.14.yaml b/vm/profiles/rhcos-4.16-5.14.yaml index f8470b1..dd42f4f 100644 --- a/vm/profiles/rhcos-4.16-5.14.yaml +++ b/vm/profiles/rhcos-4.16-5.14.yaml 
@@ -1,18 +1,24 @@ -# RHEL CoreOS (OpenShift 4.16) — runnable with an operator-supplied image. +# RHEL CoreOS (OpenShift 4.16) — runnable, opt-in (operator-supplied image). +# +# One row of the proven RHCOS evidence matrix: OpenShift 4.14 / 4.16 / 4.18 on +# x86_64 (6 artifacts each) plus 4.16 on aarch64 — all real boots. See +# docs/evidence-rhcos.md and docs/report-rhcos-summary.json. # # RHCOS is the immutable node OS for OpenShift. Its kernel is the RHEL 9.4 # kernel (5.14, heavily backported), so for pure BPF-load questions a RHEL-9 / # AlmaLinux-9 profile already approximates it closely. RHCOS is the requested # "tricky target" because of how it boots and ships, not because of the kernel. # -# Boot: solved. RHCOS boots via Ignition, exactly like Fedora CoreOS, which is -# implemented and proven (see internal/vm/ignition.go). The only remaining gap -# is the image: -# - RHCOS qcow2 ships with an OpenShift release, not a public cloud-image URL. -# Obtain it for the 4.16 release (e.g. `openshift-install coreos -# print-stream-json`) and stage it with `make rhcos-image`, then opt in with -# BPFCOMPAT_ENABLE_RHCOS=1. Until then ExecutionTransport() keeps rhcos -# unsupported so it is never claimed runnable without a real image. +# Boot: solved and proven. RHCOS boots via Ignition, exactly like Fedora CoreOS +# (see internal/vm/ignition.go); a real boot of this profile load+attaches an +# artifact inside the guest (kernel 5.14.0-427.93.1.el9_4, evidence above). +# +# Image: RHCOS qcow2 ships with an OpenShift release, not a public cloud-image +# URL. Obtain it for the 4.16 release (e.g. `openshift-install coreos +# print-stream-json`, or the public mirror) and stage it with +# `make rhcos-image RHCOS_VERSION=4.16 RHCOS_IMAGE_URL=...`, then opt in with +# BPFCOMPAT_ENABLE_RHCOS=1. Off by default, ExecutionTransport() keeps rhcos +# unsupported so it is never claimed runnable without a real image present. 
# # Pragmatic interim (no image): validate against the matching RHEL/AlmaLinux 9 # (5.14) profile, which shares the kernel + backports. From 7cd03382253d4d758cb242042dc34d723ca22eef Mon Sep 17 00:00:00 2001 From: ErenAri Date: Sat, 27 Jun 2026 16:12:14 +0300 Subject: [PATCH 2/2] docs(rhcos): cross-link the summary JSON from the evidence doc Co-Authored-By: Claude Opus 4.8 --- docs/evidence-rhcos.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/evidence-rhcos.md b/docs/evidence-rhcos.md index 407726d..d2db357 100644 --- a/docs/evidence-rhcos.md +++ b/docs/evidence-rhcos.md @@ -7,7 +7,9 @@ Reproduce with the steps at the bottom. > Raw run artifacts (full `report.json`, `validator-result.json`, serial logs) > are written under `evidence/rhcos/` locally; that path is git-ignored as -> high-churn output, so the decisive fields are inlined here. +> high-churn output, so the decisive fields are inlined here and in a +> machine-readable [`report-rhcos-summary.json`](report-rhcos-summary.json) +> (sanitized: no host paths, keys, or raw logs). ## Releases under test
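Review bot: In the README.md hunk (patch 1/2), the new sentence "OpenShift 4.14, 4.16, and 4.18 on x86_64 (6 artifacts each), plus OpenShift 4.16 on aarch64" does not say how many artifacts ran on aarch64, and docs/report-rhcos-summary.json in this same patch lists only `ringbuf-modern` under `aarch64_matrix`. State that scope in the sentence so the aarch64 row is not read as a full six-artifact run. The aarch64 kernel quoted here (`5.14.0-427.50.1.el9_4.aarch64`) also differs from the 4.16 x86_64 kernel in the summary (`5.14.0-427.93.1.el9_4.x86_64`); since both rows are labelled 4.16, a short remark that they come from different RHCOS builds would prevent a wrong comparison.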
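Review bot: In docs/report-rhcos-summary.json (patch 1/2), the `releases` entries carry only `openshift`, `arch`, `rhcos` and `kernel`, while the commit message describes the file as holding "image/artifact sha256s"; only `artifact_sha256` is present. Either add the boot image digest to each release entry or drop "image" from the description, because without it a verdict cannot be tied to the exact image that was booted. The `image_source` value as shown contains empty path segments (`openshift-v4//dependencies/rhcos//latest/`); if architecture and version placeholders were intended, spell them out or record the resolved URL per release. The `aegis` entry for 4.14 is also classified `CAPABILITY_FAILURE` with `load_errno` -13, while the README hunk attributes the same rejection to a backport boundary; pick one explanation and use it in both places.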
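Review bot: In vm/profiles/rhcos-4.16-5.14.yaml (patch 1/2), the rewritten Image paragraph gives `make rhcos-image RHCOS_VERSION=4.16 RHCOS_IMAGE_URL=...` with an operator-supplied URL and says nothing about checking the download's digest. Since the evidence rests on which image was booted, the comment should say whether the target verifies a sha256 (the stream JSON printed by `openshift-install coreos print-stream-json` includes one) and how the operator passes it. The sentence "Off by default, ExecutionTransport() keeps rhcos unsupported" is also less precise than the removed "Until then" wording: say which condition enables the profile, `BPFCOMPAT_ENABLE_RHCOS=1`, a staged image, or both.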
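Review bot: In the docs/evidence-rhcos.md hunk (patch 2/2), the note now says the decisive fields are inlined "here and in a machine-readable" summary, but neither patch shows how report-rhcos-summary.json is produced from the git-ignored `evidence/rhcos/` output. Name the command or script that generates it, or state which of the two copies is authoritative, so the tables in this document and the JSON cannot drift apart unnoticed.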