Automatically install headers

Author: sjmiller609

lib/system/README.md

@@ -79,6 +79,16 @@ via `INIT_MODE` in the config disk.
 
 **Result:** OCI images require **zero modifications** - no `/init` script needed!
 
+## Kernel Headers
+
+Kernel headers are bundled in the initrd and automatically installed at boot, enabling DKMS to build out-of-tree kernel modules (e.g., NVIDIA vGPU drivers).
+
+**Why:** Guest images come with headers for their native kernel (e.g., Ubuntu's 5.15), but hypeman VMs run a custom kernel. Without matching headers, DKMS cannot compile drivers.
+
+**How:** The initrd includes `kernel-headers.tar.gz` from the same release as the kernel. At boot, init extracts headers to `/usr/src/linux-headers-{version}/`, creates the `/lib/modules/{version}/build` symlink, and removes mismatched headers from the guest image.
+
+**Result:** Guests can `apt install nvidia-driver-xxx` and DKMS builds modules for the running kernel automatically.
+
 ## Kernel Sources
 
 Kernels downloaded from kernel/linux releases (Cloud Hypervisor-optimized fork):
@@ -94,7 +104,7 @@ Example URLs:
 2. **Add guest-agent binary** (embedded, runs in guest for exec/shell)
 3. **Add init.sh wrapper** (mounts /proc, /sys, /dev before Go runtime)
 4. **Add init binary** (embedded Go binary, runs as PID 1)
-5. **Add NVIDIA modules** (optional, for GPU passthrough)
+5. **Add kernel headers tarball** (downloaded from release, for DKMS)
 6. **Package as cpio** (initramfs format, pure Go - no shell tools required)
 
 ## Adding New Versions
@@ -148,7 +158,7 @@ go test ./lib/system/...
 | File | Size | Purpose |
 |------|------|---------|
 | kernel/*/vmlinux | ~70MB | Cloud Hypervisor optimized kernel |
-| initrd/*/initrd | ~5-10MB | Alpine base + Go init binary + guest-agent |
+| initrd/*/initrd | ~20MB | Alpine base + init binary + guest-agent + kernel headers |
 
 Files downloaded/built once per version, reused for all instances using that version.
 
@@ -161,7 +171,7 @@ lib/system/init/
     mount.go          # Mount operations (overlay, bind mounts)
     config.go         # Parse config disk
     network.go        # Network configuration
-    drivers.go        # GPU driver loading
+    headers.go        # Kernel headers setup for DKMS
     volumes.go        # Volume mounting
     mode_exec.go      # Exec mode: chroot, run entrypoint, wait on guest-agent
     mode_systemd.go   # Systemd mode: chroot + exec /sbin/init

lib/system/init/headers.go

@@ -0,0 +1,153 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"syscall"
+)
+
+const (
+	// Paths in the overlay filesystem
+	newrootLibModules = "/overlay/newroot/lib/modules"
+	newrootUsrSrc     = "/overlay/newroot/usr/src"
+	headersTarball    = "/kernel-headers.tar.gz"
+)
+
+// setupKernelHeaders installs kernel headers and cleans up mismatched headers from the guest image.
+// This enables DKMS to build out-of-tree kernel modules (e.g., NVIDIA vGPU drivers).
+func setupKernelHeaders(log *Logger) error {
+	// Get running kernel version
+	var uname syscall.Utsname
+	if err := syscall.Uname(&uname); err != nil {
+		return fmt.Errorf("uname: %w", err)
+	}
+	runningKernel := int8ArrayToString(uname.Release[:])
+	log.Info("headers", "running kernel: "+runningKernel)
+
+	// Check if headers tarball exists in initrd
+	if _, err := os.Stat(headersTarball); os.IsNotExist(err) {
+		log.Info("headers", "no kernel headers tarball found, skipping")
+		return nil
+	}
+
+	// Clean up mismatched kernel modules directories
+	if err := cleanupMismatchedModules(log, runningKernel); err != nil {
+		log.Info("headers", "warning: failed to cleanup mismatched modules: "+err.Error())
+		// Non-fatal, continue
+	}
+
+	// Clean up mismatched kernel headers directories
+	if err := cleanupMismatchedHeaders(log, runningKernel); err != nil {
+		log.Info("headers", "warning: failed to cleanup mismatched headers: "+err.Error())
+		// Non-fatal, continue
+	}
+
+	// Create target directories
+	headersDir := filepath.Join(newrootUsrSrc, "linux-headers-"+runningKernel)
+	modulesDir := filepath.Join(newrootLibModules, runningKernel)
+
+	if err := os.MkdirAll(headersDir, 0755); err != nil {
+		return fmt.Errorf("mkdir headers dir: %w", err)
+	}
+	if err := os.MkdirAll(modulesDir, 0755); err != nil {
+		return fmt.Errorf("mkdir modules dir: %w", err)
+	}
+
+	// Extract headers tarball
+	if err := extractTarGz(headersTarball, headersDir); err != nil {
+		return fmt.Errorf("extract headers: %w", err)
+	}
+	log.Info("headers", "extracted kernel headers to "+headersDir)
+
+	// Create build symlink
+	buildLink := filepath.Join(modulesDir, "build")
+	os.Remove(buildLink) // Remove if exists
+	// Use absolute path for symlink target (will be correct after chroot)
+	symlinkTarget := "/usr/src/linux-headers-" + runningKernel
+	if err := os.Symlink(symlinkTarget, buildLink); err != nil {
+		return fmt.Errorf("create build symlink: %w", err)
+	}
+	log.Info("headers", "created build symlink")
+
+	return nil
+}
+
+// cleanupMismatchedModules removes /lib/modules/* directories that don't match the running kernel
+func cleanupMismatchedModules(log *Logger, runningKernel string) error {
+	entries, err := os.ReadDir(newrootLibModules)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil // No modules directory, nothing to clean
+		}
+		return err
+	}
+
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+		if entry.Name() != runningKernel {
+			path := filepath.Join(newrootLibModules, entry.Name())
+			log.Info("headers", "removing mismatched modules: "+entry.Name())
+			if err := os.RemoveAll(path); err != nil {
+				return fmt.Errorf("remove %s: %w", path, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// cleanupMismatchedHeaders removes /usr/src/linux-headers-* directories that don't match the running kernel
+func cleanupMismatchedHeaders(log *Logger, runningKernel string) error {
+	entries, err := os.ReadDir(newrootUsrSrc)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil // No usr/src directory, nothing to clean
+		}
+		return err
+	}
+
+	expectedName := "linux-headers-" + runningKernel
+
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+		// Remove any linux-headers-* directory that doesn't match
+		if strings.HasPrefix(entry.Name(), "linux-headers-") && entry.Name() != expectedName {
+			path := filepath.Join(newrootUsrSrc, entry.Name())
+			log.Info("headers", "removing mismatched headers: "+entry.Name())
+			if err := os.RemoveAll(path); err != nil {
+				return fmt.Errorf("remove %s: %w", path, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+// extractTarGz extracts a .tar.gz file to a destination directory
+func extractTarGz(tarball, destDir string) error {
+	// Use tar command since it's available in Alpine
+	cmd := exec.Command("/bin/tar", "-xzf", tarball, "-C", destDir)
+	if output, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("tar: %s: %s", err, output)
+	}
+	return nil
+}
+
+// int8ArrayToString converts a null-terminated int8 array (from syscall) to a Go string
+func int8ArrayToString(arr []int8) string {
+	var buf []byte
+	for _, b := range arr {
+		if b == 0 {
+			break
+		}
+		buf = append(buf, byte(b))
+	}
+	return string(buf)
+}

lib/system/init/main.go

@@ -66,7 +66,13 @@ func main() {
 		// Continue anyway - exec will still work, just no remote access
 	}
 
-	// Phase 8: Mode-specific execution
+	// Phase 8: Setup kernel headers for DKMS
+	if err := setupKernelHeaders(log); err != nil {
+		log.Error("headers", "failed to setup kernel headers", err)
+		// Continue anyway - only needed for DKMS module building
+	}
+
+	// Phase 9: Mode-specific execution
 	if cfg.InitMode == "systemd" {
 		log.Info("mode", "entering systemd mode")
 		runSystemdMode(log, cfg)

lib/system/initrd.go

@@ -5,6 +5,8 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
+	"io"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -68,6 +70,11 @@ func (m *manager) buildInitrd(ctx context.Context, arch string) (string, error)
 		return "", fmt.Errorf("write init binary: %w", err)
 	}
 
+	// Download and add kernel headers tarball (for DKMS support)
+	if err := downloadKernelHeaders(arch, rootfsDir); err != nil {
+		return "", fmt.Errorf("download kernel headers: %w", err)
+	}
+
 	// Generate timestamp for this build
 	timestamp := strconv.FormatInt(time.Now().Unix(), 10)
 
@@ -141,11 +148,57 @@ func (m *manager) isInitrdStale(initrdPath, arch string) bool {
 	return string(storedHash) != currentHash
 }
 
-// computeInitrdHash computes a hash of the embedded binaries
-func computeInitrdHash(_ string) string {
+// computeInitrdHash computes a hash of the embedded binaries and header URL
+func computeInitrdHash(arch string) string {
 	h := sha256.New()
 	h.Write(GuestAgentBinary)
 	h.Write(InitBinary)
 	h.Write(InitWrapper)
+	// Include kernel header URL in hash so initrd rebuilds when headers change
+	if url, ok := KernelHeaderURLs[DefaultKernelVersion][arch]; ok {
+		h.Write([]byte(url))
+	}
 	return hex.EncodeToString(h.Sum(nil))[:16]
 }
+
+// downloadKernelHeaders downloads kernel headers tarball and adds it to the initrd rootfs
+func downloadKernelHeaders(arch, rootfsDir string) error {
+	url, ok := KernelHeaderURLs[DefaultKernelVersion][arch]
+	if !ok {
+		// No headers available for this arch, skip (non-fatal)
+		return nil
+	}
+
+	destPath := filepath.Join(rootfsDir, "kernel-headers.tar.gz")
+
+	// Download headers (GitHub releases return 302 redirects)
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return nil // Follow redirects
+		},
+	}
+
+	resp, err := client.Get(url)
+	if err != nil {
+		return fmt.Errorf("http get: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return fmt.Errorf("download failed with status %d from %s", resp.StatusCode, url)
+	}
+
+	// Create output file
+	outFile, err := os.Create(destPath)
+	if err != nil {
+		return fmt.Errorf("create file: %w", err)
+	}
+	defer outFile.Close()
+
+	// Copy content
+	if _, err = io.Copy(outFile, resp.Body); err != nil {
+		return fmt.Errorf("write file: %w", err)
+	}
+
+	return nil
+}

lib/system/versions.go

@@ -6,66 +6,35 @@ import "runtime"
 type KernelVersion string
 
 const (
-	// Kernel versions from kernel/linux releases
-	Kernel_202511182 KernelVersion = "ch-6.12.8-kernel-1-202511182"
-	Kernel_20251211  KernelVersion = "ch-6.12.8-kernel-1.1-20251211"
-	Kernel_20251213  KernelVersion = "ch-6.12.8-kernel-1.2-20251213" // NVIDIA module + driver lib support + networking configs
+	// Kernel_202601152 is the current kernel version with vGPU support
+	Kernel_202601152 KernelVersion = "ch-6.12.8-kernel-1.3-202601152"
 )
 
 var (
 	// DefaultKernelVersion is the kernel version used for new instances
-	DefaultKernelVersion = Kernel_20251213
+	DefaultKernelVersion = Kernel_202601152
 
 	// SupportedKernelVersions lists all supported kernel versions
 	SupportedKernelVersions = []KernelVersion{
-		Kernel_202511182,
-		Kernel_20251211,
-		Kernel_20251213,
-		// Add future versions here
+		Kernel_202601152,
 	}
 )
 
 // KernelDownloadURLs maps kernel versions and architectures to download URLs
 var KernelDownloadURLs = map[KernelVersion]map[string]string{
-	Kernel_202511182: {
-		"x86_64":  "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1-202511182/vmlinux-x86_64",
-		"aarch64": "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1-202511182/Image-arm64",
+	Kernel_202601152: {
+		"x86_64":  "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.3-202601152/vmlinux-x86_64",
+		"aarch64": "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.3-202601152/Image-arm64",
 	},
-	Kernel_20251211: {
-		"x86_64":  "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.1-20251211/vmlinux-x86_64",
-		"aarch64": "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.1-20251211/Image-arm64",
-	},
-	Kernel_20251213: {
-		"x86_64":  "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.2-20251213/vmlinux-x86_64",
-		"aarch64": "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.2-20251213/Image-arm64",
-	},
-	// Add future versions here
 }
 
-// NvidiaModuleURLs maps kernel versions and architectures to NVIDIA module tarball URLs
-// These tarballs contain pre-built NVIDIA kernel modules that match the kernel version
-var NvidiaModuleURLs = map[KernelVersion]map[string]string{
-	Kernel_20251213: {
-		"x86_64": "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.2-20251213/nvidia-modules-x86_64.tar.gz",
-		// Note: NVIDIA open-gpu-kernel-modules does not support arm64 yet
+// KernelHeaderURLs maps kernel versions and architectures to kernel header tarball URLs
+// These tarballs contain kernel headers needed for DKMS to build out-of-tree modules (e.g., NVIDIA vGPU drivers)
+var KernelHeaderURLs = map[KernelVersion]map[string]string{
+	Kernel_202601152: {
+		"x86_64":  "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.3-202601152/kernel-headers-x86_64.tar.gz",
+		"aarch64": "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.3-202601152/kernel-headers-aarch64.tar.gz",
 	},
-	// Kernel_202511182 and Kernel_20251211 do not have NVIDIA modules (pre-module-support kernels)
-}
-
-// NvidiaDriverLibURLs maps kernel versions and architectures to driver library tarball URLs
-// These tarballs contain userspace NVIDIA libraries (libcuda.so, libnvidia-ml.so, etc.)
-// that match the kernel modules and are injected into containers at boot time.
-// See lib/devices/GPU.md for documentation on driver injection.
-var NvidiaDriverLibURLs = map[KernelVersion]map[string]string{
-	Kernel_20251213: {
-		"x86_64": "https://github.com/kernel/linux/releases/download/ch-6.12.8-kernel-1.2-20251213/nvidia-driver-libs-x86_64.tar.gz",
-	},
-}
-
-// NvidiaDriverVersion tracks the NVIDIA driver version bundled with each kernel
-var NvidiaDriverVersion = map[KernelVersion]string{
-	Kernel_20251213: "570.86.16",
-	// Kernel_202511182 and Kernel_20251211 do not have NVIDIA modules
 }
 
 // GetArch returns the architecture string for the current platform