First version of scripts

Makefile

@@ -0,0 +1,161 @@
+include config.mk
+
+SRC_DIR=linux-source
+VERSION=$(shell $(MAKE) -s -C $(SRC_DIR) kernelversion)
+BZIMAGE=archives/bzImage.$(VERSION)
+CONFIG_REPO=kernel-config
+KERNEL.CONFIG=$(shell realpath "$(CONFIG_REPO)/kernel.config")
+TESTED_HASH=.bzImage_tested.sha512
+CHECKCONFIG_SCRIPT=./scripts/checkconfig.sh
+VIRSH_TEST_SCRIPT=./scripts/test_libvirt.expect
+DEBVM_TEST_SCRIPT=./scripts/test_debvm.expect
+DEBVM_IMG_DIR=/tmp
+DEBVM_DISK=$(DEBVM_IMG_DIR)/vz5_kernel_test.ext4
+DEBVM_SWAPFILE=$(DEBVM_IMG_DIR)/vz5_kernel_test.swapfile
+DEBVM_SWAPLABEL=testswap
+UPGRADE_SCRIPT=./scripts/upgrade.sh
+HASH=sha512sum
+
+CRED=$(shell tput setaf 1)
+CGRN=$(shell tput setaf 2)
+CRAZ=$(shell tput sgr0)
+
+
+ARCHIVE=archives/install_$(shell date "+%Y_%m_%dT%H_%M_%S")_$(VERSION)
+
+all: status
+
+status:
+	@echo "Images :\n========\n";
+	@[ -f "bzImage.latest" ] && echo 'Latest    : $(shell [ -f "bzImage.latest" ] && file -L bzImage.latest | cut -d ',' -f2)' || echo "Latest : $(CRED)None built$(CRAZ)";
+	@[ -f "$(BZIMAGE_TEST)" ] && echo 'In test   : $(shell [ -f "$(BZIMAGE_TEST)" ] && file -L $(BZIMAGE_TEST) | cut -d ',' -f2)' || echo "In test : $(CRED)None in test$(CRAZ)";
+	@[ -f "$(BZIMAGE_INSTALL)" ] && echo 'Installed : $(shell [ -f "$(BZIMAGE_INSTALL)" ] && file -L $(BZIMAGE_INSTALL) | cut -d ',' -f2)' || echo "Installed : $(CRED)None installed$(CRAZ)";
+	@echo "\nLatest tested :\n----------";
+	@[ -f "bzImage.latest" ] && $(MAKE) -s tested || true;
+	@echo "\nSources :\n=========";
+	@sh $(UPGRADE_SCRIPT) check >/dev/null \
+		&& echo "$(CGRN)Kernel sources are up to date$(CRAZ)" \
+		|| echo "$(CRED)Kernel sources can be upgraded$(CRAZ)";
+	@echo "\nKernel config git repo :\n========================"
+	@git -C $(CONFIG_REPO) status
+
+
+$(SRC_DIR)/.config: $(KERNEL.CONFIG)
+	cp -v "$<" "$@"
+
+$(KERNEL.CONFIG): $(SRC_DIR)/.config
+	cp -v "$<" "$@"
+
+$(CONFIG_REPO):
+	mkdir $(CONFIG_REPO) && git -C $(CONFIG_REPO) init;
+
+menuconfig: $(SRC_DIR)/.config
+	$(MAKE) -C $(SRC_DIR) menuconfig
+	sh "$(CHECKCONFIG_SCRIPT)" -v "$(SRC_DIR)/.config"
+
+$(BZIMAGE): $(SRC_DIR)/.config
+	$(MAKE) -C $(SRC_DIR);
+	mkdir -p archives/;
+	cp "$(SRC_DIR)/arch/x86_64/boot/bzImage" "$@";
+	ln -vfs "$@" bzImage.latest
+	ls -lah "$@"
+
+upgrade_src:
+	sh $(UPGRADE_SCRIPT)
+
+can_upgrade:
+	@sh $(UPGRADE_SCRIPT) check || echo "$(CRED)Kernel sources can be ugraded$(CRAZ)";
+
+kernel: can_upgrade $(BZIMAGE)
+
+commit-config: tested $(KERNEL.CONFIG) can_upgrade checkconfig
+	cp -v "$(SRC_DIR)/.config" "$(KERNEL.CONFIG)";
+	git -C $(CONFIG_REPO) add "$(KERNEL.CONFIG)";
+	git -C $(CONFIG_REPO) commit -m "Update config for kernel $(VERSION)";
+	git -C $(CONFIG_REPO) tag -fa "$(VERSION)" -m "$(shell date -Is) Config for kernel $(VERSION)";
+
+archives/:
+	mkdir -p archives;
+
+archive:
+	mkdir -p $(ARCHIVE);
+	cp -v $(BZIMAGE) $(ARCHIVE)/bzImage.new;
+	cp -v $(BZIMAGE_INSTALL) $(ARCHIVE)/bzImage.old;
+
+
+clean:
+	-rm -v $(BZIMAGE) bzImage.latest "$(DEBVM_SWAPFILE)" "$(DEBVM_DISK)" "$(TESTED_HASH)";
+	$(MAKE) -C $(SRC_DIR) clean;
+
+distclean:
+	-rm -R "$(shell realpath $(SRC_DIR))" "$(SRC_DIR)"
+
+.PHONY: can_upgrade distclean clean $(BZIMAGE_TEST) $(BZIMAGE_INSTALL) _test tested install checkconfig
+
+checkconfig: $(KERNEL.CONFIG)
+	-sh $(CHECKCONFIG_SCRIPT) -v $(KERNEL.CONFIG)
+
+tested:
+	@$(HASH) -c "$(TESTED_HASH)" 2>/dev/null || {\
+		echo "$(CRED)$(BZIMAGE) is not tested.";\
+		echo "run make test as root.$(CRAZ)";\
+		false;\
+	};
+
+_test:
+	if $(MAKE) is_root >/dev/null 2>/dev/null; then \
+	     	$(MAKE) _virsh_test;\
+	else\
+		$(MAKE) _debvm_test;\
+	fi
+
+test: _test
+	$(HASH) "$(BZIMAGE)" > "$(TESTED_HASH)";
+
+# non-privileged user tests
+
+$(DEBVM_DISK): $(BZIMAGE)
+	@debvm-create -r stable -o "$@" -h "$(TEST_VM_HOSTNAME)" \
+		--skip autologin --skip kernel --skip systemdnetwork -- \
+		--customize-hook="echo \"LABEL=$(DEBVM_SWAPLABEL) none swap sw 0 0\" >> \$$1/etc/fstab"\
+		--customize-hook="mkdir -p \$$1/etc/network; echo \"auto enp0s2\niface enp0s2 inet dhcp\" > \$$1/etc/network/interfaces" \
+		--include="udev" \
+		--include="iputils-ping iproute2 ifupdown isc-dhcp-client" \
+		--include="ssh qemu-guest-agent tzdata initscripts ntpdate ca-certificates console-setup console-common console-data locales acpid vim screen bash-completion rsyslog" \
+		|| { rm "$@"; false;}
+
+$(DEBVM_SWAPFILE):
+	dd if=/dev/zero "of=$@" bs=4096 count=32768 status=progress &&\
+		chmod 0600 "$@" &&\
+		/usr/sbin/mkswap -L "$(DEBVM_SWAPLABEL)" "$@"
+
+_debvm_test: $(DEBVM_DISK) $(DEBVM_SWAPFILE)
+	@$(DEBVM_TEST_SCRIPT) "$(TEST_VM_HOSTNAME)" "$(VERSION)" "$(DEBVM_DISK)" "$(BZIMAGE)" "$(DEBVM_SWAPFILE)" "$(DEBVM_SWAPLABEL)" \
+		|| { echo "$(CRED)Kernel $(VERSION) [Error]$(CRAZ): Check /tmp/test_vz5_debvm_expect.log" >&2; false; } \
+		&& echo "$(CGRN)Kernel $(VERSION) [OK]$(CRAZ): console logs in /tmp/test_debvm_expect.log" >&2;
+
+# superuser designed targets
+
+is_root:
+	@[ "$(shell whoami)" = "root" ] || {\
+		echo "$(CRED)ERROR :$(CRAZ) You need to be root to run this target" >&2;\
+		false;\
+	};
+
+$(BZIMAGE_TEST): can_upgrade is_root
+	cp "$(BZIMAGE)" "$@"
+
+_virsh_test: $(BZIMAGE_TEST) can_upgrade is_root
+	@$(VIRSH_TEST_SCRIPT) "$(TEST_VM_HOSTNAME)" "$(VERSION)" "$(TEST_VM_NAME)" "$(TEST_VM_IFNAME)" "$(TEST_VM_IPV4)" "$(TEST_VM_IPV6)" || {\
+		echo "$(CRED)Kernel $(VERSION) [Error]$(CRAZ): Check /tmp/test_vz5_expect.log" >&2;\
+		false;\
+	} && echo "$(CGRN)Kernel $(VERSION) [OK]$(CRAZ): console logs in /tmp/test_vz5_expect.log" >&2;
+
+
+
+$(BZIMAGE_INSTALL): tested can_upgrade is_root
+	-cp -v $(BZIMAGE_INSTALL) $(BZIMAGE_INSTALL).old;
+	cp -v $(BZIMAGE) $(BZIMAGE_INSTALL);
+
+install: $(BZIMAGE_INSTALL) archive is_root
+

README

@@ -0,0 +1,90 @@
+Linux VZ5 :
+===========
+
+Compile test & install kernel image for vz5's VM.
+
+Dependencies :
+==============
+
+- expect
+- qemu/kvm
+- `apt build-dep linux-image-amd64`
+- `apt install linux-source`
+
+Optionnal dependencies :
+------------------------
+- virsh
+- debvm
+
+Install & config :
+==================
+
+Copy sample config `cp config.mk.inc config.mk`
+Edit configuration file to meet your needs `editor config.mk`
+
+Then you will need kernel sources & kernel configuration.
+
+Kernel sources  :
+-----------------
+
+* Automatic method (debian based) :
+
+Run `make upgrade`
+Will fetch the last kernel source in /usr/src
+
+* Manual method :
+
+Decompress kernel sources and create a symlink `linux-source` pointing to it.
+
+Kernel config :
+---------------
+
+Kernel configuration are versionned in a separetd git repository in kernel-config/ directory.
+In order to seed config file with yours run (see Notes about kernel config) :
+```
+mkdir kernel-config
+git -C kernel-config/ init
+cp /path/to/.config kernel-config/kernel.config
+git -C kernel-config add kernel.config
+git -C kernel-config commit -m 'Initial kernel config'
+```
+
+Usage :
+=======
+
+Get current status with `make`
+
+Compile a kernel `make kernel`
+
+Test a kernel on virsh vm `make test`
+	If make test is run with root, we will try to start TEST_VM_NAME with virsh
+	If make test is run without privileges, a disk image will be built using debvm
+	and the tests will be run using qemu.
+	NOTE : the user needs access to /dev/kvm (adduser username kvm)
+
+Install kernel `make install`
+
+Commit tested kernel config `make commit-config`
+
+Notes :
+=======
+
+All scripts & tests are designed for monolitic kernel without initrd.
+
+Kernel config should contains :
+```
+# CONFIG_BLK_DEV_INITRD is not set
+# CONFIG_MODULES is not set
+```
+
+KVM has a documentation about kernel tuning for guest that can be found here :
+https://www.linux-kvm.org/page/Tuning_Kernel#Kernel_for_guest_with_paravirtualization
+
+The script `./scripts/checkconfig.sh` check that kernel config fits basic needs.
+
+You can use the script to generate a config file with most mandatory options set
+`./scripts/checkconfig.sh -g > linux-source/.config`
+and then run
+`make menuconfig`
+or to prompt for a y/n choice for each config
+`make -C linux-source config`

config.mk.inc

@@ -0,0 +1,16 @@
+# Kernel installation path
+BZIMAGE_INSTALL=/srv/tftpd/boot/bzImage
+# Test VM hostname (for both virsh & debvm tests)
+TEST_VM_HOSTNAME=test
+
+# virsh test specific config
+
+# Test kernel installation path
+BZIMAGE_TEST=/srv/tftpd/boot/bzImageTest
+# virsh test vm name
+TEST_VM_NAME=test
+# test vm ifname
+TEST_VM_IFNAME=enp1s0
+# test vm ips
+TEST_VM_IPV4=10.0.2.42
+TEST_VM_IPV6=fe80::42

scripts/checkconfig.sh

@@ -0,0 +1,228 @@
+#!/bin/sh
+set -e
+
+TEMP=$(getopt -s 'sh' -o 'vg' -l 'verbose,generate' -n 'checkconfig.sh' -- "$@")
+[ $? -ne 0 ] && exit 1
+
+eval set -- "$TEMP"
+unset TEMP
+
+verbose=0
+generate=0
+while true; do
+	case "$1" in
+		'-v'|'--verbose')
+			verbose=1
+			shift
+			continue
+		;;
+		'-g'|'--generate')
+			generate=1
+			shift
+			continue
+		;;
+		'--')
+			shift
+			break
+		;;
+		*)
+			echo 'getopt error...' >&2
+			exit 1
+		;;
+	esac
+done
+
+if [ "$generate" -eq "0" ] && [ "$#" -lt 1 ]
+then
+	echo "Usage : $0 [-v] [-g] configfile" 2>/dev/null
+	exit 1
+fi
+
+config=$1
+err=0
+
+if [ "$generate" -eq "0" ]
+then
+	conf=$(cat "$config")
+fi
+
+while read -r rule
+do
+	opt="$(echo "$rule" | cut -d ":" -f 1)"
+	comment="$(echo "$rule" | cut -d ":" -f 2-)"
+	if [ "$generate" -ne "0" ]
+	then
+		echo "$opt"
+		continue
+	fi
+	ok=0
+	if echo "$conf" | grep "$opt" >/dev/null
+	then
+		ok=1
+	else
+		if echo "$opt" | grep "^#" >/dev/null
+		then
+			if echo "$conf" | grep -v "$(echo "$opt" | sed -e 's/^# //' -e 's/ is not set.*$//')" >/dev/null
+			then
+				ok=1
+			fi
+		fi
+	fi
+	if [ "$ok" -eq 1 ]
+	then
+		if [ "$verbose" -ne 0 ]
+		then
+			printf "%-50s" "$opt"
+			echo " [$(tput setaf 2)OK$(tput sgr0)]"
+		fi
+	else
+		err=1
+		printf "%-50s" "$opt"
+		echo "[$(tput setaf 1)FAIL$(tput sgr0)] $comment"
+	fi
+
+done << __EOF__
+# CONFIG_BLK_DEV_INITRD is not set:Initrd should be disabled
+# CONFIG_MODULES is not set:Kernel should be monolitic (without module support)
+# CONFIG_VIRTUALIZATION is not set:Do you want to run guest on guest ?
+# CONFIG_VIRT_DRIVERS is not set:Do you want to run guest on guest ?
+# CONFIG_VHOST_MENU is not set:Do you want to run guest on guest ?
+CONFIG_HYPERVISOR_GUEST=y:Run as guest
+CONFIG_PREEMPT_NONE_BUILD=y:Disable preemption for server
+# CONFIG_PREEMPT_DYNAMIC is not set:Disable dynamic preemption
+CONFIG_PREEMPT_NONE=y:Disable preemption for server
+CONFIG_VIRTIO=y:Needed by VIRTIO_PCI and VIRTIO_BALOON
+CONFIG_VIRTIO_BALLOON=y:Support for hot memory amount change for KVM guest
+CONFIG_VIRTIO_BLK=y:The virtio block device driver
+CONFIG_VIRTIO_CONSOLE=y:Support for virtio serial console
+CONFIG_VIRTIO_INPUT=y:The virtio input (kbd, mice) driver
+CONFIG_VIRTIO_IOMMU=y:Virtio IOMMU support
+CONFIG_VIRTIO_MEM=y:The virtio memory driver
+CONFIG_VIRTIO_MENU=y:The virtio drivers
+CONFIG_VIRTIO_MMIO=y:Support for memory mapped virtio driver
+CONFIG_VIRTIO_NET=y:The virtio network driver
+CONFIG_VIRTIO_PCI=y:Support for virtio PCI devices
+CONFIG_VIRTIO_VDPA=y:Virtio data path acceleration support
+CONFIG_HW_RANDOM_VIRTIO=y:Virtio random number generator support
+CONFIG_VP_VDPA=y:Bridges virtio PCI to vDPA
+CONFIG_SCSI_VIRTIO=y:Virtual HBA driver for virtio
+CONFIG_PCI_MSI=y:Allows driver to enable Message Signaled Interrupts
+CONFIG_KVM_GUEST=y:Optimization for KVM guest
+CONFIG_PARAVIRT=y:Optimization for linux guest
+CONFIG_PARAVIRT_CLOCK=y:Optimization for linux guest
+CONFIG_PARAVIRT_SPINLOCKS=y:Optimization for linux spinlocks on guest
+CONFIG_MEMORY_HOTPLUG=y:Needed by VIRTIO_BALLOON
+CONFIG_MEMORY_HOTREMOVE=y:Needed by VIRTIO_BALLOON
+CONFIG_SERIAL_8250_CONSOLE=y:Needed by serial console
+CONFIG_TMPFS=y:Needed for various pseudo-filesystems
+CONFIG_DEVTMPFS=y:/dev pseudofilesystem
+CONFIG_EXT4_FS=y:Needed by tests with debvm
+CONFIG_SWAP=y:Swap support
+CONFIG_STANDALONE=y:Select only drivers that don't need compile-time external firmware
+CONFIG_PREVENT_FIRMWARE_BUILD=y:Disable drivers features which enable custom firmware building
+# CONFIG_FW_CFG_SYSFS is not set:Disable qemu firmware controlling interface
+# CONFIG_RPMSG_VIRTIO is not set:Not needed
+CONFIG_CGROUPS=y:Cgroups support
+CONFIG_UNIX=y:Unix socket support
+CONFIG_PACKET=y:Packet socket support
+CONFIG_CRYPTO_USER_API_RNG=y:Userspace interface for RNG
+CONFIG_PAGE_TABLE_CHECK=y:Security hardening
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y:Security hardening
+CONFIG_SECURITY_DMESG_RESTRICT=y:Security hardening
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y:Security hardening
+CONFIG_HARDENED_USERCOPY=y:Security hardening
+CONFIG_FORTIFY_SOURCE=y:Security hardening
+CONFIG_STATIC_USERMODEHELPER=y:Security hardening
+CONFIG_STRICT_KERNEL_RWX=y:Security hardening
+# CONFIG_DEBUG_FS is not set:Security hardening
+CONFIG_STACKPROTECTOR=y:Security hardening
+CONFIG_STACKPROTECTOR_STRONG=y:Security hardening
+# CONFIG_DEVMEM is not set:Security hardening
+CONFIG_SCHED_STACK_END_CHECK=y:Security hardening
+CONFIG_HARDENED_USERCOPY=y:Security hardening
+CONFIG_VMAP_STACK=y:Security hardening
+CONFIG_FORTIFY_SOURCE=y:Security hardening
+# CONFIG_PROC_KCORE is not set:Security hardening
+CONFIG_SECURITY_DMESG_RESTRICT=y:Security hardening
+CONFIG_RETPOLINE=y:Security hardening
+CONFIG_LEGACY_VSYSCALL_NONE=y:Security hardening
+# CONFIG_LEGACY_VSYSCALL_XONLY is not set:Security hardening
+CONFIG_DEBUG_CREDENTIALS=y:Security hardening
+CONFIG_DEBUG_NOTIFIERS=y:Security hardening
+CONFIG_DEBUG_LIST=y:Security hardening
+CONFIG_DEBUG_SG=y:Security hardening
+CONFIG_BUG_ON_DATA_CORRUPTION=y:Security hardening
+CONFIG_SLAB_FREELIST_RANDOM=y:Security hardening
+CONFIG_SLUB=y:Security hardening
+CONFIG_SLAB_FREELIST_HARDENED=y:Security hardening
+# CONFIG_SLAB_MERGE_DEFAULT is not set:Security hardening
+CONFIG_PAGE_POISONING=y:Security hardening
+# CONFIG_COMPAT_BRK is not set:Security hardening
+CONFIG_BUG=y:Security hardening
+CONFIG_PANIC_ON_OOPS=y:Security hardening
+CONFIG_PANIC_TIMEOUT=-1:Security hardening
+CONFIG_SECURITY_YAMA=y:Security hardening
+CONFIG_SECCOMP=y:Security hardening
+CONFIG_SECCOMP_FILTER=y:Security hardening
+CONFIG_SYN_COOKIES=y:Security hardening
+# CONFIG_KEXEC is not set:Security hardening
+# CONFIG_HIBERNATION is not set:Security hardening
+# CONFIG_BINFMT_MISC is not set:Security hardening
+# CONFIG_LEGACY_PTYS is not set:Security hardening
+# CONFIG_ACPI_CUSTOM_METHOD is not set
+# CONFIG_COMPAT_VDSO is not set
+# CONFIG_LEGACY_VSYSCALL_EMULATE is not set
+# CONFIG_X86_VSYSCALL_EMULATION is not set
+# CONFIG_SECURITY_WRITABLE_HOOKS is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536:Security hardening
+CONFIG_RANDOMIZE_BASE=y:Security hardening
+CONFIG_RANDOMIZE_MEMORY=y:Security hardening
+CONFIG_PAGE_TABLE_ISOLATION=y:Security hardening
+# CONFIG_IA32_EMULATION is not set:Security hardening
+# CONFIG_MODIFY_LDT_SYSCALL is not set:Security hardening
+CONFIG_GCC_PLUGINS=y:Security hardening
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y:Security hardening
+CONFIG_GCC_PLUGIN_STACKLEAK=y:Security hardening
+CONFIG_RANDSTRUCT=y:Security hardening
+CONFIG_RANDSTRUCT_FULL=y:Security hardening
+__EOF__
+
+if [ "$generate" -ne 0 ]
+then
+	echo "\
+CONFIG_X86_PLATFORM_DEVICES=n
+CONFIG_IOMMU_SUPPORT=y
+# Needed by paravirt spinlocks
+CONFIG_SMP=y
+# Needed by virtio scsi
+CONFIG_SCSI=y
+CONFIG_SCSI_LOWLEVEL=y
+CONFIG_BLK_DEV=y
+# Needed by virtio net
+CONFIG_NET=y
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+CONFIG_INET=y
+# PCI support
+CONFIG_PCI=y
+#Needed by serial console
+CONFIG_SERIAL_8250=y
+# Needed by virtio rng
+CONFIG_HW_RANDOM=y
+# Needed by virtio vdpa
+CONFIG_VDPA=y
+# Security hardening dependencies
+CONFIG_SECURITY=y
+CONFIG_SLUB_DEBUG_ON=y
+CONFIG_ARCH_OPTIONAL_KERNEL_RWX=y
+CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
+CONFIG_DEBUG_KERNEL=y
+# Security hardening
+CONFIG_RELOCATABLE=y
+CONFIG_MODIFY_LDT_SYSCALL=n
+CONFIG_EXPERT=y
+"
+fi
+
+
+exit $err

scripts/test_debvm.expect

@@ -0,0 +1,60 @@
+#!/usr/bin/expect -f
+
+log_file -noappend "/tmp/test_debvm_expect.log"
+
+namespace eval VZ5 {
+	variable HOSTNAME "[lindex $argv 0]"
+	variable KVER "[lindex $argv 1]"
+}
+set DISK_IMG_PATH "[lindex $argv 2]"
+set KERNEL_PATH "[lindex $argv 3]"
+set SWAP_PATH "[lindex $argv 4]"
+set SWAP_UUID "[lindex $argv 5]"
+
+set where [file dirname [info script]]
+source [file join $where testlib.expect]
+
+proc VZ5::destroy {} {
+	send_log "\nERROR EXIT DESTROY\n"
+	system "kill [exp_pid]"
+	exit 1
+}
+
+proc VZ5::abort {} {
+	send_log "\nERROR ABORT\n"
+	set timeout 1
+	send "\r"
+	expect "[prompt]" { send "shutdown -h now\r"; } timeout destroy
+	set timeout 15
+	expect eof {} timeout destroy
+	exit 1
+}
+
+spawn qemu-system-x86_64 \
+	-name $::VZ5::HOSTNAME \
+	-m 1024\
+	-smp 8 -cpu host -machine type=q35,accel=kvm:tcg,kernel-irqchip=split -no-user-config\
+	-netdev "user,id=net0,domainname=testvm"\
+	-device "virtio-net-pci,netdev=net0,disable-legacy=on,iommu_platform=on"\
+	-device "virtio-rng-pci,rng=rng0"\
+	-device intel-iommu,intremap=on\
+	-object "rng-random,filename=/dev/urandom,id=rng0"\
+	-drive "media=disk,format=raw,discard=unmap,file=$DISK_IMG_PATH,if=virtio,cache=unsafe"\
+	-drive "media=disk,format=raw,discard=unmap,file=$SWAP_PATH,if=virtio,cache=unsafe"\
+	-kernel $KERNEL_PATH -append "root=/dev/vda rw console=ttyS0,38400n8"\
+	-nographic -snapshot
+
+
+login
+
+test_base
+test_kernel_version $::VZ5::KVER
+test_swap
+test_ssh
+test_vda_rw
+test_apt
+test_reboot
+
+shutdown
+
+exit 0

scripts/test_libvirt.expect

@@ -0,0 +1,53 @@
+#!/usr/bin/expect -f
+
+log_file -noappend "/tmp/test_libvirt_expect.log"
+namespace eval VZ5 {
+	variable HOSTNAME "[lindex $argv 0]"
+	variable KVER "[lindex $argv 1]"
+}
+variable VMNAME "[lindex $argv 2]"
+variable VM_IFNAME "[lindex $argv 3]"
+variable VM_IPV4 "[lindex $argv 4]"
+variable VM_IPV6 "[lindex $argv 5]"
+
+set where [file dirname [info script]]
+source [file join $where testlib.expect]
+
+
+proc VZ5::destroy {} {
+	system virsh destroy $::VMNAME
+	send_log "ERROR EXIT DESTROY\n"
+	system reset
+	exit 1
+}
+proc VZ5::abort {} {
+	set timeout 5
+	send_log "\nERROR ABORT\n"
+	send "\r"
+	expect "root@test:~#" {} timeout VZ5::destroy
+	send "shutdown -h now\r"
+	expect eof {} timeout VZ5::destroy
+	send_log "ERROR EXIT"
+	system reset
+	exit 1
+}
+
+spawn virsh start --console $VMNAME
+
+login
+
+test_base
+test_kernel_version $::VZ5::KVER
+test_swap
+test_ssh
+test_netconfig_ipv4 "$VM_IFNAME" "$VM_IPV4"
+test_netconfig_ipv6 "$VM_IFNAME" "$VM_IPV6"
+test_ping
+test_vda_rw
+test_apt
+test_reboot
+test_virsh_reboot
+
+shutdown
+
+exit 0

scripts/testlib.expect

@@ -0,0 +1,227 @@
+# Common VZ5 kernel test procedures
+# This file is designed to be sourced from expect script
+
+namespace eval VZ5 {
+	variable rows [stty rows]
+	variable cols [stty columns]
+}
+
+
+# Procedure called on timeout
+# The expect main script must define VZ5::abort ordering the VM to stop
+proc abort {} {
+	VZ5::abort
+}
+
+# Procedure called when abort fails to stop the VM
+# The expect main script must define VZ5::destroy
+proc destroy {} {
+	VZ5::destroy
+}
+
+# 
+proc debug_interact {} {
+	expect "[prompt]" {
+		send " echo H4sIAAAAAAACA+OSjjY2zFXGB7iUFaSjc/mlo01zXVydQt0VPP1CXIMcnUM8w1wVgl2Dgz39/aAqQEZxETbM2Cg3oCi1uFghuaQoRztRIb9IIS5WoSRfITUvRQFmCkRdSUaqQjFQaWZ+HlhCARUQsA3kKi4uALzdLXnkAAAA|base64 -d|gzip -d\r"
+	}
+	interact {
+		\001 { abort; }
+		\x1d { abort; }
+	}
+}
+
+proc vm_stty {} {
+	expect "[prompt]" {send "stty -brkint -imaxbel iutf8 rows $::VZ5::rows cols $::VZ5::cols\r"} timeout destroy
+}
+
+proc termconfig {} {
+	# tput smam : set autowrap
+	send_tty "\033\[?7h"
+	# set smooth scrolling
+	send_tty "\033\[?4h"
+	# tput sgr0 : turn off character attributes
+	send_tty "\033\[0m"
+}
+
+
+####################
+# Tests procedures #
+####################
+
+
+# Wait for login prompt, and login as root without password
+# Calls stty to inform VM of terminal size
+proc login {} {
+	send_log "\nPID : '[exp_pid]'\n"
+	if { [exp_pid] == 0 } { destroy }
+	set timeout 15
+	expect "Console: " { termconfig } timeout destroy
+	if {[catch {
+		expect {
+			"$::VZ5::HOSTNAME login:" {}
+			"FAIL" {
+				expect "\r"
+				expect "\r" {
+					sleep 2;
+					expect "login:" {
+						send "root\r";
+						vm_stty;
+						debug_interact;
+					} timeout destroy
+				} timeout destroy
+			}
+			timeout destroy
+		}
+	} err]} {
+		destroy
+	}
+	set timeout 5
+	if {[catch {send "root\r"} err]} {
+		destroy
+	}
+	termconfig
+	vm_stty
+}
+
+# Basics tests
+# - Checks date & time
+# - Check uname status code
+# - Checks /proc/cpuinfo
+# - Checks kernel clocksource kvm-clock support
+proc test_base {} {
+	set timeout 2
+	expect "[prompt]" { send "date -Im\r" } timeout abort
+	expect [system date -Im] {} timeout abort
+	expect "[prompt]" { send "date\r" } timeout abort
+	check_ret
+	expect "[prompt]" { send "uname -a\r" } timeout abort
+	check_ret
+	expect {
+		"[prompt]" { send "cat /proc/cpuinfo\r" } timeout abort
+		"processor " {} timeout abort
+	}
+	expect "[prompt]" { send "cat /sys/devices/system/clocksource/clocksource0/current_clocksource\r" } timeout abort
+	expect "kvm-clock" {} timeout abort
+	expect "[prompt]" { send "cat /sys/class/misc/hw_random/rng_available\r" } timeout abort
+	expect "virtio" {} timeout abort
+	expect "[prompt]" { send "cat /sys/class/misc/hw_random/rng_current\r" } timeout abort
+	expect "virtio" {} timeout abort
+}
+
+# Tests uname kernel version
+# Arguments :
+#  - version : expected kernel version
+proc test_kernel_version {version} {
+	set timeout 3
+	expect "[prompt]" { send "uname -r\r" } timeout abort
+	expect "$version" {} timeout abort
+}
+
+# Testing swap support
+proc test_swap {} {
+	set timeout 3
+	expect "[prompt]" { send "cat /proc/swaps | grep partition\r" } timeout abort
+	expect "/dev/vd*" {} timeout abort
+
+	expect {
+		"[prompt]" { send "free -h\r" } timeout abort
+		"Mem: " {} timeout abort
+		"Swap: " {} timeout abort
+	}
+
+}
+
+# Testing ssh daemon is running
+proc test_ssh {} {
+	set timeout 3
+	expect {
+		"[prompt]" { send "ps aux|grep sshd\r" }
+		expect "*/usr/sbin/sshd -D \[listener\] *"
+		timeout abort
+	}
+
+}
+
+# Check that given ifname has given IP (prefix, 10.0.2. will match 10.0.2.42)
+proc test_netconfig_ipv4 {ifname ip_prefix} {
+	set timeout 2
+	expect "[prompt]" { send "ip addr show $ifname\r" } timeout abort
+	expect ": $ifname: <BROADCAST,MULTICAST,UP,LOWER_UP>" {} timeout abort
+	expect "inet $ip_prefix" {} timeout abort
+}
+
+# Check that given ifname has given Ip (prefix, fe80:: will match fe80::1312)
+proc test_netconfig_ipv6 {ifname ip6_prefix} {
+	set timeout 5
+	expect "[prompt]" { send "ip a show $ifname\r" } timeout abort
+	expect ": $ifname: <BROADCAST,MULTICAST,UP,LOWER_UP>" {} timeout abort
+	expect "inet6 $ip6_prefix" {} timeout abort
+}
+
+# Testing that apt runs
+proc test_apt {} {
+	set timeout 30
+	expect "[prompt]" { send "apt update\r" } timeout abort
+	check_ret
+	expect "[prompt]" { send "apt -y dist-upgrade\r" } timeout abort
+	check_ret
+}
+
+# Testing ping
+proc test_ping {} {
+	set timeout 10
+	expect "[prompt]" { send "ping -c2 gnu.org\r" } timeout abort
+	check_ret
+	expect "[prompt]" { send "ping -4 -c2 gnu.org\r" } timeout abort
+	check_ret
+}
+
+# Testing that vda is mounted rw
+proc test_vda_rw {} {
+	set timeout 3
+	expect {
+		"[prompt]" { send "grep '^rw' /proc/fs/ext4/vda/options\r" } timeout abort
+		"rw" {} timeout abort
+	}
+}
+
+
+# Reboot using systemctl and reboot
+proc test_reboot {} {
+	expect "[prompt]" { send "# Rebooting in 2 seconds\r" }
+	set timeout 30
+	expect "[prompt]" { sleep 2; send "systemctl reboot\r" }
+	login
+	expect "[prompt]" { send "reboot\r" }
+	login
+}
+
+
+proc test_virsh_reboot {} {
+	system virsh reboot test
+	login
+}
+
+proc shutdown {} {
+	set timeout 2
+	expect "[prompt]" { send "shutdown -h now\r" }
+	set timeout 15
+	expect eof {} timeout destroy
+}
+
+
+
+# Return the expected prompt in order to expect it
+proc prompt {} {
+	return "root@${::VZ5::HOSTNAME}:~#"
+}
+
+# Check that a command return a 0 status code
+proc check_ret {} {
+	expect "[prompt]" {
+		send "echo \"ret='$?'\"\r";
+		expect -timeout 1 "ret='0'" {} timeout abort
+	} timeout abort
+}
+
+

scripts/upgrade.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+set -e
+
+src_tarball=$(find /usr/src/linux-source-* |sort -V | tail  -n1)
+version=$(basename "$src_tarball" |sed -e 's/^linux-source-//' -e 's/\.tar\.xz//')
+tarball_hash=.debian_src_tarball.sha512
+
+src_dir=$(realpath linux-source)
+
+if [ -d "$src_dir" ] && [ -L "linux-source" ]
+then
+	if sha512sum -c "$tarball_hash"
+	then
+		exit 0
+	fi
+
+	if [ "$1" = "check" ]
+	then
+		exit 1
+	fi
+
+	make commit-config || true
+	rm -Rf "$src_dir" || true
+	rm "linux-source" || true
+
+elif [ "$1" = "check" ]
+then
+	exit 1
+fi
+
+tar -xvf "$src_tarball"
+
+ln -vs "linux-source-${version}" "linux-source"
+
+sha512sum "$src_tarball" > "$tarball_hash"