TencentCloud
diff --git a/‎.github/workflows/build-pvm-guest-vmlinux.yml‎
Lines changed: 81 additions & 0 deletions b/‎.github/workflows/build-pvm-guest-vmlinux.yml‎
Lines changed: 81 additions & 0 deletions
diff --git a/‎.github/workflows/release-one-click.yml‎
Lines changed: 98 additions & 0 deletions b/‎.github/workflows/release-one-click.yml‎
Lines changed: 98 additions & 0 deletions
diff --git a/‎.github/workflows/release-pvm-host-kernel.yml‎
Lines changed: 107 additions & 0 deletions b/‎.github/workflows/release-pvm-host-kernel.yml‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎deploy/one-click/README.md‎
Lines changed: 7 additions & 3 deletions b/‎deploy/one-click/README.md‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎deploy/one-click/README_zh.md‎
Lines changed: 6 additions & 2 deletions b/‎deploy/one-click/README_zh.md‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎deploy/one-click/assets/kernel-artifacts/README.md‎
Lines changed: 2 additions & 0 deletions b/‎deploy/one-click/assets/kernel-artifacts/README.md‎
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,81 @@
+name: Build PVM Guest vmlinux
+
+on:
+  push:
+    paths:
+      - 'deploy/pvm/build-pvm-guest-vmlinux.sh'
+      - 'deploy/pvm/common.sh'
+      - 'deploy/pvm/configs/pvm_guest'
+      - '.github/workflows/build-pvm-guest-vmlinux.yml'
+  workflow_dispatch:
+
+env:
+  PVM_KERNEL_TAG: 6.6.69-1.cubesandbox
+  PVM_VMLINUX_CACHE_PATH: kernel-cache/vmlinux-pvm
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Compute PVM vmlinux cache metadata
+        id: pvm_vmlinux_metadata
+        run: |
+          source_hash="$(
+            sha256sum \
+              deploy/pvm/build-pvm-guest-vmlinux.sh \
+              deploy/pvm/common.sh \
+              deploy/pvm/configs/pvm_guest \
+              | sha256sum \
+              | awk '{print $1}'
+          )"
+          echo "source_hash=${source_hash}" >> "${GITHUB_OUTPUT}"
+          echo "cache_key=vmlinux-pvm-${PVM_KERNEL_TAG}-${source_hash}-ubuntu-latest" >> "${GITHUB_OUTPUT}"
+          echo "artifact_name=vmlinux-pvm-${PVM_KERNEL_TAG}-${source_hash}" >> "${GITHUB_OUTPUT}"
+
+      - name: Restore cached PVM vmlinux
+        id: restore_pvm_vmlinux
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ env.PVM_VMLINUX_CACHE_PATH }}
+          key: ${{ steps.pvm_vmlinux_metadata.outputs.cache_key }}
+
+      - name: Build PVM guest vmlinux
+        if: steps.restore_pvm_vmlinux.outputs.cache-hit != 'true'
+        run: |
+          WORK_DIR="${GITHUB_WORKSPACE}/pvm-guest-build" \
+          OUTPUT_DIR="${GITHUB_WORKSPACE}/pvm-guest-build/output" \
+            bash deploy/pvm/build-pvm-guest-vmlinux.sh
+          install -D -m 0644 \
+            "${GITHUB_WORKSPACE}/pvm-guest-build/output/vmlinux" \
+            "${PVM_VMLINUX_CACHE_PATH}"
+
+      - name: Verify PVM vmlinux
+        run: |
+          test -f "${PVM_VMLINUX_CACHE_PATH}"
+          file "${PVM_VMLINUX_CACHE_PATH}"
+
+      - name: Save PVM vmlinux cache
+        if: steps.restore_pvm_vmlinux.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ env.PVM_VMLINUX_CACHE_PATH }}
+          key: ${{ steps.pvm_vmlinux_metadata.outputs.cache_key }}
+
+      - name: Stage PVM vmlinux artifact payload
+        run: |
+          rm -rf pvm-vmlinux-artifact
+          install -D -m 0644 "${PVM_VMLINUX_CACHE_PATH}" pvm-vmlinux-artifact/vmlinux-pvm
+
+      - name: Upload PVM vmlinux artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.pvm_vmlinux_metadata.outputs.artifact_name }}
+          path: pvm-vmlinux-artifact/vmlinux-pvm
+          if-no-files-found: error
+          retention-days: 14
@@ -19,10 +19,79 @@ env:
   VMLINUX_CACHE_PATH: kernel-cache/vmlinux
   VMLINUX_RELEASE_PATH: deploy/one-click/assets/kernel-artifacts/vmlinux
   KERNEL_TAG: 6.6.119-49.6
+  PVM_KERNEL_TAG: 6.6.69-1.cubesandbox
+  PVM_VMLINUX_CACHE_PATH: kernel-cache/vmlinux-pvm
+  PVM_VMLINUX_RELEASE_PATH: deploy/one-click/assets/kernel-artifacts/vmlinux-pvm
 
 jobs:
+  build_pvm_guest_vmlinux:
+    name: Build PVM guest vmlinux for release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Compute PVM vmlinux cache metadata
+        id: pvm_vmlinux_metadata
+        run: |
+          source_hash="$(
+            sha256sum \
+              deploy/pvm/build-pvm-guest-vmlinux.sh \
+              deploy/pvm/common.sh \
+              deploy/pvm/configs/pvm_guest \
+              | sha256sum \
+              | awk '{print $1}'
+          )"
+          echo "source_hash=${source_hash}" >> "${GITHUB_OUTPUT}"
+          echo "cache_key=vmlinux-pvm-${PVM_KERNEL_TAG}-${source_hash}-ubuntu-latest" >> "${GITHUB_OUTPUT}"
+          echo "artifact_name=vmlinux-pvm-${PVM_KERNEL_TAG}-${source_hash}" >> "${GITHUB_OUTPUT}"
+
+      - name: Restore cached PVM vmlinux
+        id: restore_pvm_vmlinux
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ env.PVM_VMLINUX_CACHE_PATH }}
+          key: ${{ steps.pvm_vmlinux_metadata.outputs.cache_key }}
+
+      - name: Build PVM guest vmlinux
+        if: steps.restore_pvm_vmlinux.outputs.cache-hit != 'true'
+        run: |
+          WORK_DIR="${GITHUB_WORKSPACE}/pvm-guest-build" \
+          OUTPUT_DIR="${GITHUB_WORKSPACE}/pvm-guest-build/output" \
+            bash deploy/pvm/build-pvm-guest-vmlinux.sh
+          install -D -m 0644 \
+            "${GITHUB_WORKSPACE}/pvm-guest-build/output/vmlinux" \
+            "${PVM_VMLINUX_CACHE_PATH}"
+
+      - name: Verify PVM vmlinux
+        run: |
+          test -f "${PVM_VMLINUX_CACHE_PATH}"
+          file "${PVM_VMLINUX_CACHE_PATH}"
+
+      - name: Save PVM vmlinux cache
+        if: steps.restore_pvm_vmlinux.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ env.PVM_VMLINUX_CACHE_PATH }}
+          key: ${{ steps.pvm_vmlinux_metadata.outputs.cache_key }}
+
+      - name: Stage PVM vmlinux artifact payload
+        run: |
+          rm -rf pvm-vmlinux-artifact
+          install -D -m 0644 "${PVM_VMLINUX_CACHE_PATH}" pvm-vmlinux-artifact/vmlinux-pvm
+
+      - name: Upload PVM vmlinux artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.pvm_vmlinux_metadata.outputs.artifact_name }}
+          path: pvm-vmlinux-artifact/vmlinux-pvm
+          if-no-files-found: error
+          retention-days: 14
+
   release:
     runs-on: ubuntu-latest
+    needs: build_pvm_guest_vmlinux
 
     steps:
       - name: Checkout
@@ -134,6 +203,35 @@ jobs:
           test -f "${VMLINUX_RELEASE_PATH}"
           file "${VMLINUX_RELEASE_PATH}"
 
+      - name: Compute PVM vmlinux cache metadata
+        id: pvm_vmlinux_metadata
+        run: |
+          source_hash="$(
+            sha256sum \
+              deploy/pvm/build-pvm-guest-vmlinux.sh \
+              deploy/pvm/common.sh \
+              deploy/pvm/configs/pvm_guest \
+              | sha256sum \
+              | awk '{print $1}'
+          )"
+          echo "source_hash=${source_hash}" >> "${GITHUB_OUTPUT}"
+          echo "cache_key=vmlinux-pvm-${PVM_KERNEL_TAG}-${source_hash}-ubuntu-latest" >> "${GITHUB_OUTPUT}"
+          echo "artifact_name=vmlinux-pvm-${PVM_KERNEL_TAG}-${source_hash}" >> "${GITHUB_OUTPUT}"
+
+      - name: Download PVM vmlinux artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ steps.pvm_vmlinux_metadata.outputs.artifact_name }}
+          path: downloaded-pvm-vmlinux
+
+      - name: Stage PVM vmlinux
+        run: |
+          install -D -m 0644 \
+            downloaded-pvm-vmlinux/vmlinux-pvm \
+            "${PVM_VMLINUX_RELEASE_PATH}"
+          test -f "${PVM_VMLINUX_RELEASE_PATH}"
+          file "${PVM_VMLINUX_RELEASE_PATH}"
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
 
@@ -0,0 +1,107 @@
+name: Release PVM Host Kernel Packages
+
+on:
+  push:
+    tags:
+      - '*'
+  workflow_dispatch:
+
+concurrency:
+  group: release-pvm-host-kernel-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build PVM host kernel (${{ matrix.package_type }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - package_type: deb
+            build_mode: native
+          - package_type: rpm
+            build_mode: container
+            container_image: fedora:latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build DEB package
+        if: matrix.build_mode == 'native'
+        run: |
+          WORK_DIR="${GITHUB_WORKSPACE}/pvm-host-build" \
+          OUTPUT_DIR="${GITHUB_WORKSPACE}/pvm-host-build/output" \
+            bash deploy/pvm/build-pvm-host-kernel-pkg.sh
+
+      - name: Build RPM package
+        if: matrix.build_mode == 'container'
+        run: |
+          docker run --rm \
+            -v "${GITHUB_WORKSPACE}:/workspace" \
+            -w /workspace \
+            "${{ matrix.container_image }}" \
+            bash -lc 'WORK_DIR=/workspace/pvm-host-build OUTPUT_DIR=/workspace/pvm-host-build/output bash deploy/pvm/build-pvm-host-kernel-pkg.sh'
+
+      - name: Verify package artifacts
+        run: |
+          shopt -s nullglob
+          packages=(pvm-host-build/output/*.${{ matrix.package_type }})
+          if [[ "${#packages[@]}" -eq 0 ]]; then
+            echo "No ${{ matrix.package_type }} packages were produced" >&2
+            exit 1
+          fi
+          ls -lh "${packages[@]}"
+
+      - name: Upload package artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: pvm-host-kernel-${{ matrix.package_type }}-${{ github.ref_name }}
+          path: pvm-host-build/output/*.${{ matrix.package_type }}
+          if-no-files-found: error
+          retention-days: 14
+
+  publish:
+    name: Upload PVM host packages to GitHub Release
+    needs: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download package artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: pvm-host-release-assets
+          pattern: pvm-host-kernel-*-${{ github.ref_name }}
+          merge-multiple: true
+
+      - name: Verify release assets
+        run: |
+          shopt -s nullglob
+          assets=(pvm-host-release-assets/*.{deb,rpm})
+          if [[ "${#assets[@]}" -eq 0 ]]; then
+            echo "No PVM host kernel packages were downloaded" >&2
+            exit 1
+          fi
+          ls -lh "${assets[@]}"
+
+      - name: Ensure GitHub Release exists
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if ! gh release view "${GITHUB_REF_NAME}" >/dev/null 2>&1; then
+            gh release create "${GITHUB_REF_NAME}" \
+              --title "${GITHUB_REF_NAME}" \
+              --notes "Automated PVM host kernel packages."
+          fi
+
+      - name: Upload PVM host packages to Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          shopt -s nullglob
+          assets=(pvm-host-release-assets/*.{deb,rpm})
+          gh release upload "${GITHUB_REF_NAME}" "${assets[@]}" --clobber
@@ -22,16 +22,20 @@ This directory is used to build and deliver the single-machine one-click release
 
 ## Build Inputs
 
-The only fixed file that needs to be prepared is the guest kernel `vmlinux`:
+The required fixed kernel artifact is the ordinary guest kernel `vmlinux`. A PVM guest kernel can also be packaged as `vmlinux-pvm`:
 
 - `vmlinux`
+- `vmlinux-pvm` (optional)
 
-By default it is placed under `assets/kernel-artifacts/`, but can be overridden via an environment variable:
+By default they are placed under `assets/kernel-artifacts/`, but can be overridden via environment variables:
 
 ```bash
 export ONE_CLICK_CUBE_KERNEL_VMLINUX=/abs/path/to/vmlinux
+export ONE_CLICK_CUBE_KERNEL_PVM_VMLINUX=/abs/path/to/vmlinux-pvm
 ```
 
+The installed runtime still uses `cube-kernel-scf/vmlinux`. By default that file is the ordinary guest kernel. If the target machine sets `CUBE_PVM_ENABLE=1` during installation, the installer copies the packaged `vmlinux-pvm` over `cube-kernel-scf/vmlinux`.
+
 The guest image no longer depends on a local zip file. Instead, it is generated locally from `deploy/guest-image/Dockerfile` during the one-click release package build. Common override parameters:
 
 ```bash
@@ -313,7 +317,7 @@ Conditional commands:
 
 ## Known Limitations
 
-- If `vmlinux` is missing from `assets/kernel-artifacts/`, `build-vm-assets.sh` and `build-release-bundle.sh` will fail immediately. The `cube-kernel-scf.zip` in the release package is generated automatically during the packaging phase.
+- If `vmlinux` is missing from `assets/kernel-artifacts/`, `build-vm-assets.sh` and `build-release-bundle.sh` will fail immediately. `vmlinux-pvm` is optional at build time, but installation with `CUBE_PVM_ENABLE=1` requires it to be present in the package. The `cube-kernel-scf.zip` in the release package is generated automatically during the packaging phase.
 - If the `deploy/guest-image/Dockerfile` build fails, or the build machine's `mkfs.ext4` does not support the `-d` flag, guest image generation will fail immediately.
 - `cube-snapshot/spec.json` is not a mandatory artifact in the current first release of one-click. If absent, the related plugin degrades to a warning rather than blocking the basic startup.
 - If the target machine has neither `systemd-resolved` / `resolvectl` nor a restartable `NetworkManager`, one-click will currently report an error, as a third host DNS solution for such environments has not yet been integrated.
 
@@ -22,16 +22,20 @@
 
 ## 构建输入
 
-需要准备的固定文件只有 guest kernel 的 `vmlinux`：
+必须准备的固定 kernel 制品是普通 guest kernel `vmlinux`，也可以额外打包 PVM guest kernel `vmlinux-pvm`：
 
 - `vmlinux`
+- `vmlinux-pvm`（可选）
 
 默认放在 `assets/kernel-artifacts/`，也可以通过环境变量覆盖：
 
 ```bash
 export ONE_CLICK_CUBE_KERNEL_VMLINUX=/abs/path/to/vmlinux
+export ONE_CLICK_CUBE_KERNEL_PVM_VMLINUX=/abs/path/to/vmlinux-pvm
 ```
 
+运行时仍然使用 `cube-kernel-scf/vmlinux`。默认情况下该文件是普通 guest kernel；如果目标机安装时设置 `CUBE_PVM_ENABLE=1`，安装脚本会把包内的 `vmlinux-pvm` 覆盖安装为 `cube-kernel-scf/vmlinux`。
+
 guest image 不再依赖本地 zip，而是在构建 one-click 发布包时基于 `deploy/guest-image/Dockerfile` 本地生成。常用覆盖参数如下：
 
 ```bash
@@ -313,7 +317,7 @@ export E2B_API_KEY=dummy
 
 ## 已知限制
 
-- 如果 `assets/kernel-artifacts/` 下缺少 `vmlinux`，`build-vm-assets.sh` 和 `build-release-bundle.sh` 会立即失败；发布包里的 `cube-kernel-scf.zip` 会在打包阶段自动生成。
+- 如果 `assets/kernel-artifacts/` 下缺少 `vmlinux`，`build-vm-assets.sh` 和 `build-release-bundle.sh` 会立即失败；`vmlinux-pvm` 在构建时是可选制品，但安装时若设置 `CUBE_PVM_ENABLE=1`，发布包内必须包含它；发布包里的 `cube-kernel-scf.zip` 会在打包阶段自动生成。
 - 如果 `deploy/guest-image/Dockerfile` 构建失败，或构建机的 `mkfs.ext4` 不支持 `-d`，guest image 生成会立即失败。
 - `cube-snapshot/spec.json` 在当前 one-click 首版中不是强制产物；缺失时相关插件会退化为告警，而不是阻塞基础启动。
 - 如果目标机既没有 `systemd-resolved` / `resolvectl`，也没有可重启的 `NetworkManager`，当前 one-click 仍会报错，因为这类环境下暂未接入第三套宿主机 DNS 方案。
 
@@ -1,9 +1,11 @@
 请把固定 kernel 制品放到本目录，默认文件名如下：
 
 - `vmlinux`
+- `vmlinux-pvm`（可选，PVM guest kernel）
 
 guest image 会在构建 one-click 发布包时，基于 `deploy/guest-image/Dockerfile` 在本地动态构建，不再依赖预制 zip。
 
 如需覆盖 kernel 默认路径，可以通过环境变量指定：
 
 - `ONE_CLICK_CUBE_KERNEL_VMLINUX`
+- `ONE_CLICK_CUBE_KERNEL_PVM_VMLINUX`