~alpine/devel


[alpine-devel] [PATCH] testing/linux-virt-grsec

Details
Message ID
<20120724001815.9MNPK.48733.root@hrndva-web05-z02>
Sender timestamp
1343089095
DKIM signature
missing
Attached patch reduces some of the differences between main/linux-grsec/kernelconfig.x86
and testing/linux-virt-grsec/kernelconfig.x86, hopefully without breaking anything for
anyone else.

Changes included in particular (but not limited to), ramdisk compression, kernel
profiling, io scheduling. CONFIG_NETFILTER_XT_TARGET_LOG is included, which should fix 
shorewall.  SCSI, ATA, 802.11 and WiMAX configs are more closely synchronized as well,
but not necessarily drivers.

-dean takemori
Natanael Copa <ncopa@alpinelinux.org>
Details
Message ID
<20120724114956.2ef69845@ncopa-desktop.nor.wtbts.net>
In-Reply-To
<20120724001815.9MNPK.48733.root@hrndva-web05-z02> (view parent)
Sender timestamp
1343123396
DKIM signature
missing
On Tue, 24 Jul 2012 0:18:15 +0000
<deant@hawaii.rr.com> wrote:
 
> Attached patch reduces some of the differences between
> main/linux-grsec/kernelconfig.x86 and
> testing/linux-virt-grsec/kernelconfig.x86, hopefully without breaking
> anything for anyone else.

I am not sure we want them to be similar. The idea of linux-virt-grsec
is to have a kernel that is as small as possible and is optimized for
virtual environments.

This means that we can assume some things of the running environment.
That the disk is virtual (so we pick deadline io scheduler), that most
likely realtime applications will not be running (so we set config hz
to 100). We are also fairly sure that there will not be any wireless in
the virtual environment. (or am I wrong here?)
 
> Changes included in particular (but not limited to), ramdisk
> compression, kernel profiling, io scheduling.

I picked gz ramdisk compression only to reduce size of kernel. Seems
like xen only supports gz. If there is a specific need for other
compression formats then we can enable those.

> CONFIG_NETFILTER_XT_TARGET_LOG is included, which should fix
> shorewall.  SCSI, ATA, 802.11 and WiMAX configs are more closely
> synchronized as well, but not necessarily drivers.

I would be ok to fix things that are broken (like
netfilter_xt_target_log) but I'd like good reasons for why pick CFQ
over deadline etc more than it's similar to the default generic grsec
kernel.

So to conclude, changes that make the kernel smaller (i.e. removing stuff
that does not make sense in a virtual environment) are more than welcome.
Stuff that makes it bigger should have good reasons.

Thanks!

-nc
 
> -dean takemori


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Details
Message ID
<20120726014648.XNQR0.67798.root@hrndva-web05-z02>
In-Reply-To
<20120724114956.2ef69845@ncopa-desktop.nor.wtbts.net> (view parent)
Sender timestamp
1343267208
DKIM signature
missing
---- Natanael Copa <ncopa@alpinelinux.org> wrote: 
> On Tue, 24 Jul 2012 0:18:15 +0000
> <deant@hawaii.rr.com> wrote:
>  
> > Attached patch reduces some of the differences between
> > main/linux-grsec/kernelconfig.x86 and
> > testing/linux-virt-grsec/kernelconfig.x86, hopefully without breaking
> > anything for anyone else.
> 
> I am not sure we want them to be similar. The idea of linux-virt-grsec
> is to have a kernel that is as small as possible and is optimized for
> virtual environments.

Ok, that makes sense.  Consider the patch withdrawn; I'll work on
a replacement that fixes the Shorewall logging bug and a few other
minor bits I found.


> This means that we can assume some things of the running environment.
> That the disk is virtual (so we pick deadline io scheduler), that most
> likely realtime applications will not be running (so we set config hz
> to 100). We are also fairly sure that there will not be any wireless in
> the virtual environment. (or am I wrong here?)

The place where it would make sense is for a virtualized desktop or 
development environment, but hopefully the xen domu vs. TRANSPARENT_HUGEPAGES
problem will be fixed in a newer release and the main kernel can fill
that role.

-dean takemori


Details
Message ID
<20120726025454.9WCEQ.68291.root@hrndva-web05-z02>
In-Reply-To
<20120724114956.2ef69845@ncopa-desktop.nor.wtbts.net> (view parent)
Sender timestamp
1343271294
DKIM signature
missing
---- Natanael Copa <ncopa@alpinelinux.org> wrote: 
> On Tue, 24 Jul 2012 0:18:15 +0000
> <deant@hawaii.rr.com> wrote:
>  
> > Attached patch reduces some of the differences between
> > main/linux-grsec/kernelconfig.x86 and
> > testing/linux-virt-grsec/kernelconfig.x86, hopefully without breaking
> > anything for anyone else.
> 
> I am not sure we want them to be similar. The idea of linux-virt-grsec
> is to have a kernel that is as small as possible and is optimized for
> virtual environments.

Ok.  Try this kernel config patch;

CONFIG_NETFILTER_XT_TARGET_LOG is needed for shorewall's logging
and CONFIG_SCSI_VIRTIO is a new virtual machine driver.

--- /boot/config-3.4.5-grsec
+++ kernelconfig.x86
@@ -730,7 +730,7 @@
 CONFIG_NETFILTER_XT_TARGET_DSCP=m
 CONFIG_NETFILTER_XT_TARGET_HL=m
 CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
-# CONFIG_NETFILTER_XT_TARGET_LOG is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=m
 CONFIG_NETFILTER_XT_TARGET_MARK=m
 CONFIG_NETFILTER_XT_TARGET_NFLOG=m
 CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
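Review bot: The old-file header `--- /boot/config-3.4.5-grsec` names an installed config rather than the in-tree testing/linux-virt-grsec/kernelconfig.x86, so the offsets in `@@ -730,7 +730,7 @@` are relative to that /boot file and the patch will not apply to the tree as sent without adjusting the path. Please regenerate it against the tree file so the base is unambiguous. The `+CONFIG_NETFILTER_XT_TARGET_LOG=m` line itself matches the stated reason (shorewall's logging) and, being a module, does not grow the kernel image.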
@@ -1311,7 +1311,7 @@
 # CONFIG_SCSI_PM8001 is not set
 # CONFIG_SCSI_SRP is not set
 # CONFIG_SCSI_BFA_FC is not set
-# CONFIG_SCSI_VIRTIO is not set
+CONFIG_SCSI_VIRTIO=m
 CONFIG_SCSI_DH=m
 CONFIG_SCSI_DH_RDAC=m
 CONFIG_SCSI_DH_HP_SW=m
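Review bot: `+CONFIG_SCSI_VIRTIO=m` builds the virtio SCSI driver as a module, so a guest whose root disk sits on a virtio SCSI controller only boots if that module is in the initramfs; please confirm that it is, or say in the description that root on virtio SCSI is not covered yet. Only kernelconfig.x86 is touched here; if the package carries a config for another architecture, it needs the same two lines.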

Natanael Copa <ncopa@alpinelinux.org>
Details
Message ID
<20120731131141.7b8b55a6@ncopa-desktop.nor.wtbts.net>
In-Reply-To
<20120726025454.9WCEQ.68291.root@hrndva-web05-z02> (view parent)
Sender timestamp
1343733101
DKIM signature
missing
Sorry for the late reply. Had a long weekend off, without any computers.

On Thu, 26 Jul 2012 2:54:54 +0000
<deant@hawaii.rr.com> wrote:

> 
> ---- Natanael Copa <ncopa@alpinelinux.org> wrote: 
> > On Tue, 24 Jul 2012 0:18:15 +0000
> > <deant@hawaii.rr.com> wrote:
> >  
> > > Attached patch reduces some of the differences between
> > > main/linux-grsec/kernelconfig.x86 and
> > > testing/linux-virt-grsec/kernelconfig.x86, hopefully without
> > > breaking anything for anyone else.
> > 
> > I am not sure we want them to be similar. The idea of
> > linux-virt-grsec is to have a kernel that is as small as possible
> > and is optimized for virtual environments.
> 
> Ok.  Try this kernel config patch;
> 
> CONFIG_NETFILTER_XT_TARGET_LOG is needed for shorewall's logging
> and CONFIG_SCSI_VIRTIO is a new virtual machine driver.
> 
> --- /boot/config-3.4.5-grsec
> +++ kernelconfig.x86
> @@ -730,7 +730,7 @@
>  CONFIG_NETFILTER_XT_TARGET_DSCP=m
>  CONFIG_NETFILTER_XT_TARGET_HL=m
>  CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
> -# CONFIG_NETFILTER_XT_TARGET_LOG is not set
> +CONFIG_NETFILTER_XT_TARGET_LOG=m
>  CONFIG_NETFILTER_XT_TARGET_MARK=m
>  CONFIG_NETFILTER_XT_TARGET_NFLOG=m
>  CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
> @@ -1311,7 +1311,7 @@
>  # CONFIG_SCSI_PM8001 is not set
>  # CONFIG_SCSI_SRP is not set
>  # CONFIG_SCSI_BFA_FC is not set
> -# CONFIG_SCSI_VIRTIO is not set
> +CONFIG_SCSI_VIRTIO=m
>  CONFIG_SCSI_DH=m
>  CONFIG_SCSI_DH_RDAC=m
>  CONFIG_SCSI_DH_HP_SW=m

Applied. Thanks a lot!

-nc
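
The assumptions Natanael Copa lists for linux-virt-grsec in this thread (deadline I/O scheduler, HZ of 100, gz ramdisk, no wireless) and the two options from the applied patch can be checked against a config file mechanically. The following is an added example, not code from the thread or from Alpine; the mapping of those assumptions to Kconfig symbols and the sample config are constructed for illustration.

```python
import re

# Expectations taken from the maintainer's reply and the applied patch; the
# mapping to these Kconfig symbols is this example's assumption.
EXPECTED = {
    "CONFIG_DEFAULT_IOSCHED": '"deadline"',   # disk is virtual
    "CONFIG_HZ": "100",                       # no realtime workloads
    "CONFIG_RD_GZIP": "y",                    # gz ramdisk compression
    "CONFIG_WLAN": "n",                       # no wireless in a guest
    "CONFIG_WIMAX": "n",
    "CONFIG_NETFILTER_XT_TARGET_LOG": "m",    # shorewall logging
    "CONFIG_SCSI_VIRTIO": "m",                # virtual machine SCSI driver
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' maps to 'n'."""
    opts = {}
    for line in text.splitlines():
        set_m, unset_m = _SET.match(line.strip()), _UNSET.match(line.strip())
        if set_m:
            opts[set_m.group(1)] = set_m.group(2)
        elif unset_m:
            opts[unset_m.group(1)] = "n"
    return opts

def audit(text, expected=EXPECTED):
    """List (symbol, wanted, found) for every deviating option.
    A symbol absent from the file is treated as 'n'."""
    opts = parse_kconfig(text)
    return [(sym, want, opts.get(sym, "n"))
            for sym, want in expected.items()
            if opts.get(sym, "n") != want]

# Constructed sample, not the real kernelconfig.x86.
SAMPLE = """\
CONFIG_DEFAULT_IOSCHED="cfq"
CONFIG_HZ=100
CONFIG_RD_GZIP=y
# CONFIG_WLAN is not set
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
CONFIG_SCSI_VIRTIO=m
"""

if __name__ == "__main__":
    for sym, want, found in audit(SAMPLE):
        print(f"{sym}: want {want}, found {found}")
```
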

