Mail archive

Re: [alpine-devel] [PATCH] testing/linux-virt-grsec

From: Natanael Copa <>
Date: Tue, 24 Jul 2012 11:49:56 +0200

On Tue, 24 Jul 2012 0:18:15 +0000
<> wrote:
> Attached patch reduces some of the differences between
> main/linux-grsec/kernelconfig.x86 and
> testing/linux-virt-grsec/kernelconfig.x86, hopefully without breaking
> anything for anyone else.

I am not sure we want them to be similar. The idea of linux-virt-grsec
is to have a kernel that is as small as possible and is optimized for
virtual environments.

This means that we can assume some things of the running environment.
That the disk is virtual (so we pick deadline io scheduler) , that most
likely realtime applications will not be running (so we set config hz
to 100). We are also fairly sure that there will not be any wireless in
the virtual environment. (or am i wrong here?)
> Changes included in particular (but not limited to), ramdisk
> compression, kernel profiling, io scheduling.

I picked gz ramdisk compression only to reduce size of kernel. seems
like xen only supports gz. If there is a specific need to other
compression formats then we can enable those.

> CONFIG_NETFILTER_XT_TARGET_LOG is included, which should fix
> shorewall. SCSI, ATA, 802.11 and WiMAX configs are more closely
> synchronized as well, but not necessarily drivers.

I would be ok to fix things that is broken (like
netfilter_xt_target_log) but I'd like good reasons for why pick CFQ
over dealine etc more than its similar to the default generic grsec

So to conclude, changes that makes kernel smaller (ie removing stuff
that does not make sense in virtual environment) is more than welcome.
Stuff that makes it bigger should have good reasons.


> -dean takemori

Received on Tue Jul 24 2012 - 11:49:56 UTC