From: Dubiousjim
To: Alpine
Subject: [alpine-devel] kernel config diffs made easy!
Date: Thu, 23 May 2013 17:01:03 -0400

...or at least merely tedious, not mind-numbingly stupefying.

I was following up on this exchange:

On Fri, May 17, 2013, at 02:04 PM, Natanael Copa wrote:
> > I've got Alpine installed as a Xen guest on a Linode instance.
> > To do this, I built my own stripped-down Xen-guest-only kernels. (The
> > x86_64 linux-grsec also worked, but the x86 one doesn't have Xen stuff
> > turned on. I didn't try Alpine's linux-xen package, which is intended
> > for Xen hosting, and so enables stuff I didn't need/want on my guest
> > instances).
> >
> > If anyone else is interested in these stripped-down kernel configs,
> > perhaps we could make an additional kernel package.
>
> Yes, I am interested, but I'd like a kernel for a generic virtual guest
> that works for xen, kvm, virtualbox, vmware and hyper-v. We have the
> linux-virt-grsec kernel for this purpose
> http://git.alpinelinux.org/cgit/aports/tree/testing/linux-virt-grsec
>
> Unfortunately, it is lagging behind. If you use it and plan to maintain
> it anyways... maybe you could help us maintain it?
>
> I would be ok to start over with your config and then add other virtual
> drivers on request.

and I figured there were likely to be some scripts or libraries out there to make dealing with Kconfig files easier. I found this nice Python library:. I've created a wrapper around that library that takes several kernel config files and lets you manipulate representations of them in an interactive Python session. Here's the wrapper: .

I've run it on our own linux-grsec kernel config, x86, for kernel 3.9.2. This differs from the default kernel settings at 2946 modifiable symbols, and 25 modifiable choices. (One might also consider comparing it to "allno" and "allyes" kernel configs, or to configs from, e.g., Gentoo hardened.)

But my present aim was to compare the xenguest kernel config I had made, and described above, and also the linux-virt-grsec config, to our main, linux-grsec kernel config.

My xenguest config differs from the "main" linux-grsec config at: 331 modifiable symbols and 6 modifiable choices.

An "updated" version of the linux-virt-grsec config differs from either xenguest or linux-grsec at: 1469 modifiable symbols and 10 modifiable choices.
What I mean by "updated" is I just took the old config (for 3.4.something) and installed it in the 3.9.2 kernel source tree, then did 'make silentoldconfig' and selected all the default choices.

Probably the xenguest config is closer to what we want, though I think not in every respect.

A page listing all of the linux-virt-grsec differences, together with help text and so on for each symbol or choice, is posted here:

https://gist.github.com/dubiousjim/5638961/raw/kernel_comparisons

That's a large file (1.3M), but perhaps when some of you are bored you could help look through some of the things listed there and weigh in on a few of them: I think this setting should be blah, this other setting should be foo, and so on. I'd recommend reading the doc text at the start of the "wrapper" I linked to above, to understand the listings better.

When I first read this exchange with Natanael, I thought bringing the linux-virt-grsec into synch with 3.9.x kernel releases would give me what I wanted for a Xen guest-only kernel config. Now I'm no longer so sure. I disabled all the hardware drivers on my xenguest config, because the xen host should deal with them. I also disabled some things like acpi, and even the xen frontends for sound and framebuffer video, because this machine is running in some remote datacenter.

Some of these choices I made might be incorrect, even for my intended uses. Some of them may be correct, but idiosyncratic to my intended uses, and not generally applicable to a Xen-guest-only kernel. Let's ignore all of those things, and assume we're aiming at creating a kernel config suitable for general use but only as a Xen guest. The question then is: how much would that differ from the somewhat more general uses Natanael describes linux-virt-grsec as targeting? Can kvm, virtualbox, vmware and hyper-v also turn off all direct hardware drivers and so on? (From a casual lookover, it seems that currently, linux-virt-grsec doesn't do so.)
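Added example, not code from the post or from the library and wrapper it mentions: a plain-text comparison of two kernel `.config` files, listing the symbols that differ and the code one kernel builds that the other does not. It is not Kconfig-aware, so it cannot tell modifiable symbols or choices apart; both sample configs and all function names are constructed for illustration.

```python
import re

# Constructed sample fragments, NOT the real Alpine configs.
MAIN_CONFIG = """\
CONFIG_XEN=y
CONFIG_XEN_BLKDEV_FRONTEND=m
CONFIG_XEN_FBDEV_FRONTEND=y
CONFIG_ACPI=y
CONFIG_E1000=m
CONFIG_GRKERNSEC=y
CONFIG_LOCALVERSION="-grsec"
"""
GUEST_CONFIG = """\
CONFIG_XEN=y
CONFIG_XEN_BLKDEV_FRONTEND=y
# CONFIG_XEN_FBDEV_FRONTEND is not set
# CONFIG_ACPI is not set
CONFIG_GRKERNSEC=y
CONFIG_LOCALVERSION="-xenguest"
"""

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
        else:
            m = _UNSET.match(line)
            if m:
                symbols[m.group(1)] = "n"
    return symbols

def diff_configs(base, other):
    """{symbol: (base_value, other_value)} for every differing symbol.
    None means the symbol does not appear in that file at all."""
    return {s: (base.get(s), other.get(s))
            for s in sorted(set(base) | set(other))
            if base.get(s) != other.get(s)}

def built(value):
    """True when the symbol is compiled in (y) or built as a module (m)."""
    return value in ("y", "m")

def dropped_code(base, other):
    """Symbols built in base but not built (n or absent) in other."""
    return [s for s in sorted(base) if built(base[s]) and not built(other.get(s))]

if __name__ == "__main__":
    base_cfg, guest_cfg = parse_config(MAIN_CONFIG), parse_config(GUEST_CONFIG)
    for sym, (a, b) in diff_configs(base_cfg, guest_cfg).items():
        print(f"{sym}: {a} -> {b}")
    print("not built in guest:", ", ".join(dropped_code(base_cfg, guest_cfg)))
```
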