… one also likes beauty and simplicity… this tutorial has not exactly grown into beauty, rather the beauty has grown into a beast, and just as with software beyond a certain point, it needs to be split into separate CentOS7 and CentOS8 articles and rewritten from scratch.
CentOS7: tested and works
CentOS8: compiling latest (5.4.11) kernel: works!
intro:
(if one wants the latest kernel for Debian: debian9 stretch go here)
it seems very relevant to have the latest possible kernel up and running: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
first: backup one’s system!
at boot time (under “Advanced” for Debian) one can choose to boot the old kernel. nevertheless, back up one’s system completely before progressing.
hardware requirements:
one will need AT LEAST 15GB of free disk space, better 20GB. (yes one can free disk space again after compilation…)
also:
it works, but one should not compile as root. (says Owl River Company)
installing the dependencies and running “make install” for the new kernel do require root.
One should not compile as root so we create a new non-root user: (across distribution Debian8, RedHat(CentOS7), Suse12)
```
# add user and create home directory
useradd -m username;
# one will have to assign a password for the user straight afterwards
passwd username;
# probably would also want to change default-login-shell of username to bash
usermod -s /bin/bash username;
# change permissions, so non-root user may do things
chown -R username:username /usr/src/linux*
# become this new user when one needs to
su username;
```

the installation of the kernel and modules needs to be done as root (of course, one is modifying the system) but not the compilation itself.

```
du -h --max-depth=0 /usr/src/linux-4.17.12
12G /usr/src/linux-4.17.12
# space requirements of sources
du -hs /usr/src/linux-5.1.15
12G /usr/src/linux-5.1.15
du -hs /usr/src/linux-5.4.11
14G /usr/src/linux-5.4.11
```
CentOS7 only: upgrade to gcc 7.X
(this step is not needed under CentOS8 which comes with gcc 8.X per default)
if one wants the LATEST kernel (above 4.17.19) one will also need gcc version > 4.5 or one might run into
arch/x86/Makefile:184: *** Compiler lacks asm-goto support.. Stop.
in this case we install the old version and override with the new one, you could probably also just softlink to it. (untested)
```
# under Centos7/Redhat/Fedora this seems to be done like this: (src)
# become root
su
# install the old gcc 4.X
yum install gcc
which gcc
/usr/bin/gcc
gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# override with new gcc 7.X
yum install centos-release-scl
yum install devtoolset-7-gcc*
scl enable devtoolset-7 bash
which gcc
/opt/rh/devtoolset-7/root/usr/bin/gcc
gcc --version
gcc (GCC) 7.3.1 20180303 (Red Hat 7.3.1-5)
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```
tested with:
CentOS-7-x86_64-Minimal-1810.iso
sha256sum: 38d5d51d9d100fd73df031ffd6bd8b1297ce24660dc8c13a3b8b4534a4bd291c
WorkFlow:
it seems to pretty much be always the same process:
- setup build environment
- change to /usr/src
- pull latest kernel sources from kernel.org
- create softlink with name “linux” to the folder with the latest kernel sources
- try make menuconfig
- install missing packages until make menuconfig works
- make kernel
- install kernel and kernel modules
in this example i try to compile the latest kernel from kernel.org on CentOS7
it compiles… and boots up…
hit ESC or other keys to see the verbose kernel output instead of the loading bar…
```
hostnamectl; # tested on
Static hostname: CentOS7
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-514.26.1.el7.x86_64
Architecture: x86-64
# also tested on
Kernel: Linux 3.10.0-693.11.6.el7.x86_64
# also tested 2018-02-06 on
Kernel: Linux 3.10.0-693.17.1.el7.x86_64
# also tested on 2018-07
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-862.6.3.el7.x86_64
# also tested on:
hostnamectl
Operating System: CentOS Linux 8 (Core)
CPE OS Name: cpe:/o:centos:centos:8
Kernel: Linux 4.18.0-80.11.2.el8_0.x86_64
Architecture: x86-64

su; # become root
yum update; # update system
yum search kernel-devel; # search for kernel headers
yum install kernel-devel.x86_64; # install kernel headers required by gcc
yum search ncurses; # search for devel and i386 (32bit) or 64Bit
yum install wget ncurses-devel.x86_64; # install ncurses
cd /usr/src/
# now visit http://kernel.org/ and get the link to the latest kernel
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.12.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.12.tar.sign
# or in case of kernel 5.4.11
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.4.11.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.4.11.tar.sign
# unpack step1
unxz linux-5.4.11.tar.xz
# verify the file
gpg --verify linux-5.4.11.tar.sign
# it will say that it can not verify because key with id 647F28654894E3BD457199BE38DBBDC86092693E is missing
# get the key (from gpg default keyserver)
gpg --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E
gpg: key 38DBBDC86092693E: 179 signatures not checked due to missing keys
gpg: key 38DBBDC86092693E: "Greg Kroah-Hartman" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
# then run verify again
gpg --verify linux-5.4.11.tar.sign
# should look like this: (the user's mail was deleted for anti-spam reasons)
gpg: assuming signed data in 'linux-5.4.11.tar'
gpg: Signature made Sun 12 Jan 2020 06:24:28 AM EST
gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman
gpg: aka "Greg Kroah-Hartman
gpg: aka "Greg Kroah-Hartman (Linux kernel stable release signing key) [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
# Good signature means: nobody but Greg inserted any backdoors (just kidding X-D)
# so one may proceed safely
# unpack step2
tar fxv linux-5.4.11.tar
tar fxvJ linux-4.12.tar.xz
ln -sv linux-4.12 linux
cd linux
uname -r; # this is our current kernel version
3.10.0-862.6.3.el7.x86_64
# reuse the currently used kernel.config
# if one has already a custom kernel in place
# one will have to find version number manually
# (use latest from /boot/config-...)
cp -v /boot/config-$(uname -r) .config;
```
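gpg reports "Good signature" for whichever key happens to be in the keyring, and the WARNING in the output above shows that the key fetched from the keyserver is not certified. The following is an added example (not from the original tutorial) that turns the check into a pass/fail decision by comparing gpg's machine-readable status output against a pinned fingerprint. The function names and the sample status lines are constructed for illustration; the pinned fingerprint is the one shown in the output above and should be confirmed out-of-band against kernel.org's published signing keys.

```shell
#!/bin/sh
# Fingerprint taken from the gpg output above; confirm it out-of-band before pinning.
PINNED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# sig_ok STATUS_TEXT FINGERPRINT
# Returns 0 only if STATUS_TEXT (output of gpg --status-fd) contains a VALIDSIG
# line whose primary-key fingerprint (last field) equals FINGERPRINT and no
# line reports a bad, unverifiable, expired or revoked signature.
sig_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { good = 1 }
        END { exit !(good && !bad) }'
}

# verify_tarball TARBALL SIGNATURE
# The .sign file covers the uncompressed .tar, so run unxz first (as above).
verify_tarball() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    sig_ok "$status" "$PINNED_FPR"
}

# Constructed sample status output: a valid signature from the pinned key ...
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2020-01-12 1578828268 0 4 0 1 10 00 647F28654894E3BD457199BE38DBBDC86092693E'

# ... and an equally "good" signature made by some other key in the keyring.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-01-12 1578828268 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

sig_ok "$SAMPLE_GOOD"  "$PINNED_FPR" && echo "pinned key: accept"
sig_ok "$SAMPLE_OTHER" "$PINNED_FPR" || echo "other key: reject"

# Real use, after unxz:
#   verify_tarball linux-5.4.11.tar linux-5.4.11.tar.sign && tar xf linux-5.4.11.tar
```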
reusing a known-good .config is pretty critical:
if there is no good .config under /boot, use the .config from the last kernel compilation, or not all modules might get compiled and one’s new kernel won’t boot.
if the compilation process quits after 16min on 2x Xeon cores, probably not all needed modules were compiled.
in the boot menu one can choose to boot the old kernel and redo the compilation process with a different .config.
if one compiles kernel 4, the config from kernel 3 should work.
if one compiles kernel 5, the config from kernel 4 should work.
```
# for example, last time 2372 modules were compiled
find /usr/src/linux-5.2.8/ -name '*.ko' -type f | wc -l
2372
# under CentOS 8 kernel 4.18 this error happened:
make[2]: *** No rule to make target needed by 'certs/x509_certificate_list'. Stop
# solution according to unix.stackexchange.com
# is to open
vim .config
# and comment out those two lines
# CONFIG_SYSTEM_TRUSTED_KEYS="certs/signing_key.pem"
# CONFIG_MODULE_SIG_KEY="certs/rhel.pem"
# otherwise make modules_install will fail
```

the kernel compiles fine, but make modules_install fails:
this has to do with kernel modules needing to be “signed” for UEFI SecureBoot: https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
(security feature: prevents unsigned modules from being loaded into the kernel)
https://wiki.gentoo.org/wiki/Signed_kernel_module_support
http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
luckily when one comments out those two lines in .config, the build process will just auto-generate keys for signing.
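The "No rule to make target" error appears when a key file named in .config does not exist in the source tree, which is what happens when a distribution's .config is reused. The following is an added example (not from the original tutorial) that lists such options before the build starts; the function names and the sample .config are constructed, using the two option lines quoted above.

```shell
#!/bin/sh
# missing_key_files CONFIG SRCDIR
# Prints the name of every key-related option in CONFIG whose quoted value is a
# file path that does not exist (relative paths are resolved against SRCDIR).
# Skipped: empty values, "pkcs11:" URIs, and CONFIG_MODULE_SIG_KEY set to the
# default "certs/signing_key.pem", which the build generates by itself.
missing_key_files() {
    cfg=$1 src=$2
    for opt in CONFIG_SYSTEM_TRUSTED_KEYS CONFIG_MODULE_SIG_KEY; do
        # last uncommented assignment, surrounding quotes stripped
        val=$(sed -n "s/^$opt=\"\(.*\)\"\$/\1/p" "$cfg" | tail -n 1)
        case $val in
            ''|pkcs11:*) continue ;;
        esac
        if [ "$opt" = CONFIG_MODULE_SIG_KEY ] && [ "$val" = certs/signing_key.pem ]; then
            continue
        fi
        case $val in
            /*) path=$val ;;
            *)  path=$src/$val ;;
        esac
        [ -e "$path" ] || echo "$opt"
    done
}

# Constructed demo: an empty certs/ directory and the two lines quoted above.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/certs"
    cat > "$tmp/.config" <<'EOF'
CONFIG_MODULE_SIG=y
CONFIG_SYSTEM_TRUSTED_KEYS="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY="certs/rhel.pem"
EOF
    missing_key_files "$tmp/.config" "$tmp"
    rm -rf "$tmp"
}

demo
# Real use, from the source directory:
#   missing_key_files .config .
```

The auto-generated private key stays in the build tree as certs/signing_key.pem; anyone who can read it can sign modules that this kernel will accept, so keep it out of reach of other users or delete it after `make modules_install`.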
```
# CentOS8 when make modules_install succeeds, followed by make install (install kernel)
# using config from: Linux 4.14.14 to compile Linux 5.2.8 worked

# now one could become "normal" user to start compilation
su username
# CentOS8 comes with gcc 8, so one does not need to upgrade to gcc 7.X
gcc --version
gcc (GCC) 8.2.1 20180905 (Red Hat 8.2.1-3)
# need to enable gcc 7 for this user as well
scl enable devtoolset-7 bash
# check if right gcc version (7) is used
gcc --version
# build environment under CentOS7 needs to be modified so it will use gcc 7.X
gcc (GCC) 7.3.1 20180303 (Red Hat 7.3.1-5)
# make sure the non-root user is in the source directory
cd /usr/src/linux
make clean
make menuconfig
# gave me this error:
HOSTCC scripts/basic/fixdep
HOSTCC scripts/kconfig/mconf.o
YACC scripts/kconfig/zconf.tab.c
/bin/sh: bison: command not found
make[1]: *** [scripts/kconfig/zconf.tab.c] Error 127
make: *** [menuconfig] Error 2
# become super user again (Ctrl+D) and fix it
yum install bison
# become normal user again
su username
# rerun
make menuconfig
# gave me this error
YACC scripts/kconfig/zconf.tab.c
LEX scripts/kconfig/zconf.lex.c
/bin/sh: flex: command not found
make[1]: *** [scripts/kconfig/zconf.lex.c] Error 127
make: *** [menuconfig] Error 2
# become super user again (Ctrl+D) and fix it
yum install flex
# for compile to work one needs additional packages, screen package is optional
yum install elfutils-libelf-devel.x86_64 openssl-devel.x86_64 bc screen
# rerun
su username
make menuconfig
# now finally worked:
# usually i do not modify anything here
# just hit exit and save the .config
# starting a new screen session with this name
screen -S compiling_kernel;
make clean;
# LET THE MAGIC BEGIN!
# compile using 4 cpu cores (faster than with one)
time make -j4;
# watch the magic for a while...
# Ctrl+A then D = detach from current screen session
# so one can let the compilation run in the background and do other stuff
# while it is compiling
# for example: what cpu does one have?
cat /proc/cpuinfo
lscpu
# benchmarks:
# (if this process quits a bit too fast in comparison to these figures
# one was probably using the wrong .config and not building all modules = bad, won't boot)
## kernel 5.1 using 4x core of Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
### took real 46m39.147s
## kernel 4.17.4 using 2x cores of Xeon (Skylake, IBRS) 2GHZ 16MByte Cache
### took real 85minutes
screen -ls; # show current screen sessions
screen -R compiling_kernel; # resume this screen session
# how to install htop in centos
yum install epel-release
yum install htop
```
```
# compiling kernel 5.1.25 on HP ProLiant DL360 G6
# full throttle on all cpus
lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 16
On-line CPU(s) list: 0-15
Thread(s) per core: 2
Core(s) per socket: 4
Socket(s): 2
NUMA node(s): 2
Vendor ID: GenuineIntel
CPU family: 6
Model: 26
Model name: Intel(R) Xeon(R) CPU E5540 @ 2.53GHz

# the time has come
# when one will definitely
# need to be root to progress
su
make modules_install
# kernel build went good, but make modules_install failed on CentOS8 with:
blowfish-x86_64.ko SSL error 02001002 system library fopen No such file or directory crypto bio bss_file.c
make install
# depending if one is in front of the server
# one can select the new kernel at grub boot menu
# if not one would want to check if the new kernel
# is the default kernel to boot on reboot, before reboot
# make sure those orange lines are present
# so it will automatically remember
# the last kernel one has chosen (the chosen one)
# imho would remove the "quiet" parameter
# imho would change GRUB_TIMEOUT=5 to 1 (less wait during boot)
# so one gets a more verbose output during boot
vi /etc/default/grub;
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
# :wq save quit vi/vim

# can show one what the boot menu looks like and what entry should be default
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
0 : CentOS Linux (4.10.0-862.14.4.el7.x86_64) 7 (Core)
1 : CentOS Linux (3.10.0-862.9.1.el7.x86_64) 7 (Core)
2 : CentOS Linux (0-rescue-9063ac396d784f4c997ceacdd0590c25) 7 (Core)
# show what is current default kernel
grub2-editenv list
saved_entry=CentOS Linux (3.10.0-862.14.4.el7.x86_64) 7 (Core)
grub2-set-default 0
# centos7 update grub config and menu
grub2-mkconfig -o /boot/grub2/grub.cfg
# or if one has access to the server directly:
# reboot, select the new kernel and it should be set to default after
# yes one could just hit reboot now
# but we want to be graceful
mkdir /scripts
echo 'sync; shutdown -r now "system reboot"' > /scripts/reboot.sh
echo 'sync; shutdown -P now "system poweroff"' > /scripts/poweroff.sh
# usually with shutdown one means also poweroff
ln -sv /scripts/poweroff.sh /scripts/shutdown.sh
chmod +x /scripts/*.sh
# reboot
/scripts/reboot.sh
# if that worked one might want to make it boot the new kernel per default
# and all goes well
# CONGRATULATIONS! :)
# one's server should now be running THE latest kernel
```
modules and kernel install fine – after reboot i can select the new kernel 4.12 and it boots up fine.
```
hostnamectl
Static hostname: CentOSworkstation.localdomain
Icon name: computer-laptop
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 4.14.12 (recent in 2017-01)
Architecture: x86-64

hostnamectl
Static hostname: hostname
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 5.2.9 (recent in 2019-08)
Architecture: x86-64
```
CONGRATULATIONS! 🙂
cleaning up:
```
# to avoid overwriting one's custom compiled kernel with the next update add this
vim /etc/yum.conf
exclude=kernel*
# if it is a desktop workstation one might also want to
exclude=icedove* firefox* libreoffice*
```
benchmark:
a quadcore Intel(R) Core(TM) i5-3470T CPU @ 2.90GHz needs real 36m58.294s to compile linux-4.15.1
….not sure what those messages are about:
full error message:
```
SELinux is preventing /usr/libexec/accounts-daemon from using the dac_read_search capability.

***** Plugin dac_override (91.4 confidence) suggests **********************

If sie überprüfen wollen, ob Domäne diesen Zugriff benötigt oder Sie eine Datei mit den falschen Berechtigungen auf Ihrem System haben
Then aktivieren Sie die vollständige Audit-Funktion, um die Pfad-Information der problematischen Datei zu erhalten. Dann reproduzieren Sie den Fehler erneut.
Do
Volle Audit-Funktion aktivieren
# auditctl -w /etc/shadow -p w
Versuchen Sie AVC zu reproduzieren. Führen Sie dann folgendes aus
# ausearch -m avc -ts recent
Falls PATH record ersichtlich ist, überprüfen Sie Eigentümer/ Berechtigungen der Datei und korrigieren Sie dies,
anderenfalls melden Sie dies an Bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If sie denken, dass accounts-daemon standardmäßig dac_read_search Berechtigung haben sollten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -i my-accountsdaemon.pp

Additional Information:
Source Context        system_u:system_r:accountsd_t:s0
Target Context        system_u:system_r:accountsd_t:s0
Target Objects        Unknown [ capability ]
Source                accounts-daemon
Source Path           /usr/libexec/accounts-daemon
Port
Host                  CentOS7
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             CentOS7
Platform              Linux CentOS7 4.12.0cuztom #1 SMP Mon Jul 3 12:01:05 CEST 2017 x86_64 x86_64
Alert Count           6
First Seen            2017-07-03 15:13:18 CEST
Last Seen             2017-07-03 15:13:52 CEST
Local ID              286945cd-6cfc-4233-a5b4-747cfe5afe79

Raw Audit Messages
type=AVC msg=audit(1499087632.710:111): avc: denied { dac_read_search } for pid=782 comm="accounts-daemon" capability=2 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0

Hash: accounts-daemon,accountsd_t,accountsd_t,capability,dac_read_search
```
important or simply cool and probably related links 🙂
watch Linus Torvalds at work at kernel.org: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
all kernel changes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/
http://www.kroah.com/log/blog/2018/02/05/linux-kernel-release-model/
https://www.heise.de/ct/artikel/Die-Neuerungen-von-Linux-4-12-3712705.html
Among the material likely coming for Linux 4.13 that we have already covered on Phoronix includes:
– Initial AMD Raven Ridge graphics support (sans no display due to no DC/DAL yet), Vega fixes, and other updates.
– DRM sync objects are landing.
– Raspberry Pi / VC4 improvements.
– Various updates to the Intel DRM driver.
– Large directory support for EXT4.
– XPad updates and Google Rose Touchpad support.
– AES-128-CBC support in Fscrypt, the file-system generic crypto code currently utilized by EXT4 and F2FS.
– Possibly the AMD SME/SEV security features supported by new EPYC CPUs.
– Continued push for more HDMI CEC drivers.
Stay tuned for thorough Linux 4.13 kernel feature coverage once the merge window opens following the 4.12 debut.
src: http://www.phoronix.com/scan.php?page=news_item&px=Linux-4.13-Early-Look
About Greg the Kernel Monkey:
“Who are you, and what do you do?”
“I’m Greg Kroah-Hartman. I am a Linux kernel developer working for The Linux Foundation as a Fellow. I’m responsible for different parts of the Linux kernel as a maintainer (USB, driver core, staging area, other various bits), and I do the Linux kernel stable releases every week or so, taking the bug fixes from the latest development tree and backporting them to the last released kernel for all to use.
I started the Linux Driver Project many years ago while I was working at Novell/SuSE which provides free Linux drivers for any company that wants them. That project still continues today, writing a handful of new drivers every year.”
“What hardware do you use?”
“My laptop is a MacBook Pro Retina. My workstation is an old pieced-together Intel machine, the parts selected for the size and lack of noise more than anything else, with two large monitors connected. The laptop and the workstation all only have SSD drives in them. I have an old Dell workstation as a build machine for kernel testing, with an extremely fast Micron Flash PCI drive in it for building kernels. Thanks to Amazon’s generosity, I’ve been doing a lot more kernel build testing on their AWS systems, utilizing a 32 processor, 64Gb virtual machine, allowing me to build multiple kernels at the same time all on a RAM disk in minutes. That has enabled me to be more productive while traveling.”
src: https://usesthis.com/interviews/greg.kh/