… one also likes beauty and simplicity… this tutorial has not exactly grown into beauty – rather the beauty has grown into a beast, and just as with software beyond a certain point, it needs to be split into separate CentOS7 and CentOS8 articles and rewritten from scratch.

CentOS7: tested and works

CentOS8: compiling latest (5.4.11) kernel: works!

intro:

(if one wants the latest kernel for Debian: debian9 stretch go here)

it seems very relevant to have the latest possible kernel up and running: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

first: backup one’s system!

at boot time (under “Advanced” for Debian) one can choose to boot the old kernel – nevertheless – back up one’s system completely before progressing.

hardware requirements:

one will need AT LEAST 15GB of free disk space, better 20GB. (yes one can free disk space again after compilation…)

also:

it works, but one should not compile as root. (says Owl River Company)

installing dependencies and running “make install” for the new kernel require root.

so we create a new non-root user for compiling (works across distributions: Debian8, RedHat (CentOS7), Suse12):

# add user and create home directory
useradd -m username;
# one will have to assign a password for the user straight afterwards
passwd username;
# probably would also want to change default-login-shell of username to bash
usermod -s /bin/bash username;
# change permissions, so non-root user may do things
chown -R username:username /usr/src/linux*
# become this new user when one needs to
su username;

the installation of the kernel and modules needs to be done as root (of course, one is modifying the system) but not the compilation itself.

du -h --max-depth=0 /usr/src/linux-4.17.12
12G /usr/src/linux-4.17.12

# space requirements of sources
du -hs /usr/src/linux-5.1.15
12G	/usr/src/linux-5.1.15

du -hs /usr/src/linux-5.4.11
14G     /usr/src/linux-5.4.11

CentOS7 only: upgrade to gcc 7.X

(this step is not needed under CentOS8 which comes with gcc 8.X per default)

if one wants the LATEST kernel (above 4.17.19) one will also need gcc version > 4.5, or one might run into

arch/x86/Makefile:184: *** Compiler lacks asm-goto support..  Stop.

(src)

about x86: Force asm-goto: “We want to start using asm-goto to guarantee the absence of dynamic branches (and thus speculation).
A primary prerequisite for this is of course that the compiler supports asm-goto.
This effectively lifts the minimum GCC version to build an x86 kernel to gcc-4.5.”
Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxx.org>
Signed-off-by: Thomas Gleixner of: linutronix.de
Link: https://lkml.kernel.org/r/20180319201327.GJ4043@hirez.programming.kicks-ass.net

in this case we install the old version and override with the new one, you could probably also just softlink to it. (untested)

# under Centos7/Redhat/Fedora this seems to be done like this: (src)
# become root
su
# install the old gcc 4.X
yum install gcc
which gcc
/usr/bin/gcc
gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

# override with new gcc 7.X
yum install centos-release-scl
yum install devtoolset-7-gcc*
scl enable devtoolset-7 bash
which gcc
/opt/rh/devtoolset-7/root/usr/bin/gcc
gcc --version
gcc (GCC) 7.3.1 20180303 (Red Hat 7.3.1-5)
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

tested with:
CentOS-7-x86_64-Minimal-1810.iso
sha256sum: 38d5d51d9d100fd73df031ffd6bd8b1297ce24660dc8c13a3b8b4534a4bd291c

WorkFlow:

it seems to pretty much be always the same process:

  1. setup build environment
  2. change to /usr/src
  3. pull latest kernel sources from kernel.org
  4. create softlink with name “linux” to the folder with the latest kernel sources
  5. try make menuconfig
  6. install missing packages until make menuconfig works
  7. make kernel
  8. install kernel and kernel modules

in this example i try to compile the latest kernel from kernel.org on CentOS7

it compiles… and boots up…

hit ESC or other keys to see the verbose kernel output instead of the loading bar…

hostnamectl; # tested on
   Static hostname: CentOS7
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-514.26.1.el7.x86_64
      Architecture: x86-64

# also tested on
Kernel: Linux 3.10.0-693.11.6.el7.x86_64
# also tested 2018-02-06 on
Kernel: Linux 3.10.0-693.17.1.el7.x86_64
# also tested on 2018-07
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-862.6.3.el7.x86_64
# also tested on:
hostnamectl 
  Operating System: CentOS Linux 8 (Core)
       CPE OS Name: cpe:/o:centos:centos:8
            Kernel: Linux 4.18.0-80.11.2.el8_0.x86_64
      Architecture: x86-64
su; # become root
yum update; # update system

yum search kernel-devel; # search for kernel headers
yum install kernel-devel.x86_64; # install kernel headers required by gcc
yum search ncurses; # search for devel and i386 (32bit) or 64Bit
yum install wget ncurses-devel.x86_64; # install ncurses 
cd /usr/src/
# now visit http://kernel.org/ and get the link to the latest kernel

wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.12.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.12.tar.sign
# or in case of kernel 5.4.11
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.4.11.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.4.11.tar.sign

# unpack step1
unxz linux-5.4.11.tar.xz
# verify the file
gpg --verify linux-5.4.11.tar.sign
# it will say that it can not verify because key with id 647F28654894E3BD457199BE38DBBDC86092693E is missing
# get the key (from gpg default keyserver)
gpg --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E
gpg: key 38DBBDC86092693E: 179 signatures not checked due to missing keys
gpg: key 38DBBDC86092693E: "Greg Kroah-Hartman" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

# then run verify again
gpg --verify linux-5.4.11.tar.sign
# should look like this: (the user's mail was deleted for anti-spam reasons)
gpg: assuming signed data in 'linux-5.4.11.tar'
gpg: Signature made Sun 12 Jan 2020 06:24:28 AM EST
gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman
gpg:                 aka "Greg Kroah-Hartman
gpg:                 aka "Greg Kroah-Hartman (Linux kernel stable release signing key) [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

# Good signature means: nobody but Greg inserted any backdoors (just kidding X-D)
# so one may proceed safely
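# unpack step2
tar fxv linux-5.4.11.tar
# or, for kernel 4.12, unpack the .xz archive in one step
tar fxvJ linux-4.12.tar.xz
# softlink "linux" to the source folder just unpacked (here: 4.12)
ln -sv linux-4.12 linux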
cd linux
uname -r;
# this is our current kernel version
3.10.0-862.6.3.el7.x86_64
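
The gpg verify step above, as an added example (not part of the original tutorial): gpg prints “Good signature” for any key that is in the keyring, and the WARNING shows the fetched key is not certified, so this script pins the fingerprint printed in the output above by reading gpg's --status-fd lines. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Fingerprint exactly as printed by gpg in the verify output above.
EXPECTED_FPR=647F28654894E3BD457199BE38DBBDC86092693E

# check_gpg_status FPR: reads gpg --status-fd lines on stdin.
# Succeeds only if a VALIDSIG line names FPR as the primary key (last field)
# and gpg reported no bad, unverifiable, expired or revoked signature.
check_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_tarball TARFILE SIGFILE: real use, for example
#   verify_tarball linux-5.4.11.tar linux-5.4.11.tar.sign
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_gpg_status "$EXPECTED_FPR"
}

# Constructed status output: signature made by the expected key.
sample_expected_key() {
    printf '%s\n' \
      '[GNUPG:] NEWSIG' \
      '[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman' \
      "[GNUPG:] VALIDSIG $EXPECTED_FPR 2020-01-12 1578828268 0 4 0 1 8 00 $EXPECTED_FPR" \
      '[GNUPG:] TRUST_UNDEFINED'
}

# Constructed status output: cryptographically good signature, but made by
# some other key that is also in the keyring (made-up fingerprint).
sample_other_key() {
    other=0123456789ABCDEF0123456789ABCDEF01234567
    printf '%s\n' \
      '[GNUPG:] NEWSIG' \
      '[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else' \
      "[GNUPG:] VALIDSIG $other 2020-01-12 1578828268 0 4 0 1 8 00 $other" \
      '[GNUPG:] TRUST_UNDEFINED'
}

# Constructed status output: the tarball does not match the signature.
sample_bad_sig() {
    printf '%s\n' \
      '[GNUPG:] NEWSIG' \
      '[GNUPG:] BADSIG 38DBBDC86092693E Greg Kroah-Hartman'
}

# Run the check over the three constructed samples.
for s in sample_expected_key sample_other_key sample_bad_sig; do
    if "$s" | check_gpg_status "$EXPECTED_FPR"; then
        echo "$s: accept"
    else
        echo "$s: reject"
    fi
done
```

Only the first sample is accepted; the second one is what gpg would also call a “Good signature”.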

# reuse the currently used kernel.config
# if one has already a custom kernel in place
# one will have to find version number manually
# (use latest from /boot/config-...)
# 
cp -v /boot/config-$(uname -r) .config;

this is pretty critical:

if there is no good .config under /boot, use the .config from the last kernel compilation,
or not all modules might get compiled and one’s new kernel won’t boot.
if the compilation process quits after 16min on 2x Xeon cores,
probably not all needed modules were compiled.
in the boot menu one can choose to boot the old kernel
and redo the compilation process with a different .config.
if one compiles kernel 4, the config from kernel 3 should work.
if one compiles kernel 5, the config from kernel 4 should work.

# for example, last time 2372 modules were compiled
find /usr/src/linux-5.2.8/ -name '*.ko' -type f | wc -l
2372

# under CentOS 8 kernel 4.18 this error happened:
make[2]: *** No rule to make target needed by 'certs/x509_certificate_list'.  Stop
# solution according to unix.stackexchange.com
# is to open
vim .config
# and comment out those two lines
# CONFIG_SYSTEM_TRUSTED_KEYS="certs/signing_key.pem"
# CONFIG_MODULE_SIG_KEY="certs/rhel.pem"

otherwise the kernel compiles fine, but make modules_install fails.

this has to do with kernel modules needing to be “signed” for UEFI SecureBoot: https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html

(security feature: prevents unsigned modules from being loaded into the kernel)

https://wiki.gentoo.org/wiki/Signed_kernel_module_support

http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/

luckily when one comments out those two lines in .config, the build process will just auto-generate keys for signing.
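
One way to spot this problem before starting a long build, as an added example (not part of the original tutorial): the script lists key or certificate files that the active .config lines name but that are missing from the source tree. The function name key_paths_missing and the demo files are constructed for illustration; the two option lines are the ones quoted above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# key_paths_missing CONFIG SRCDIR
# Prints "OPTION path" for each key/certificate file an active .config line
# names but that is absent from the source tree; returns 1 if any is missing.
key_paths_missing() {
    cfg=$1 src=$2 rc=0
    for opt in CONFIG_SYSTEM_TRUSTED_KEYS CONFIG_MODULE_SIG_KEY; do
        # text between the quotes; commented-out lines do not match
        val=$(sed -n 's/^'"$opt"'="\(.*\)"$/\1/p' "$cfg")
        if [ -z "$val" ]; then continue; fi
        # the default module signing key is generated by the build itself
        if [ "$opt" = CONFIG_MODULE_SIG_KEY ] &&
           [ "$val" = certs/signing_key.pem ]; then continue; fi
        case $val in
            pkcs11:*) continue ;;      # key lives in a token, not in a file
            /*) path=$val ;;
            *)  path=$src/$val ;;
        esac
        if [ ! -e "$path" ]; then echo "$opt $val"; rc=1; fi
    done
    return "$rc"
}

# Constructed demo: an empty stand-in source tree and the two lines quoted
# above, first active, then commented out as the tutorial describes.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_MODULE_SIG=y' \
        'CONFIG_SYSTEM_TRUSTED_KEYS="certs/signing_key.pem"' \
        'CONFIG_MODULE_SIG_KEY="certs/rhel.pem"' > "$tmp/before.config"
    sed -e 's/^CONFIG_SYSTEM_TRUSTED_KEYS=/# &/' \
        -e 's/^CONFIG_MODULE_SIG_KEY=/# &/' \
        "$tmp/before.config" > "$tmp/after.config"
    echo "before:"; key_paths_missing "$tmp/before.config" "$tmp" || true
    echo "after:";  key_paths_missing "$tmp/after.config" "$tmp" && echo "nothing missing"
    rm -rf "$tmp"
}
demo
```

On a real tree it would be called as key_paths_missing .config /usr/src/linux.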

# CentOS8: when make modules_install succeeds, it is followed by make install (install kernel)



# using config from: Linux 4.14.14 to compile Linux 5.2.8 worked
# now one could become "normal" user to start compilation
su username

# CentOS8 comes with gcc 8, so one does not need to upgrade to gcc 7.X
gcc --version
gcc (GCC) 8.2.1 20180905 (Red Hat 8.2.1-3)

# CentOS7: the build environment needs to be modified so it will use gcc 7.X
# need to enable gcc 7 for this user as well
scl enable devtoolset-7 bash
# check if right gcc version (7) is used
gcc --version
gcc (GCC) 7.3.1 20180303 (Red Hat 7.3.1-5)

# make sure the non-root user is in the kernel source directory
cd /usr/src/linux
make clean
make menuconfig
# gave me this error:
HOSTCC scripts/basic/fixdep
HOSTCC scripts/kconfig/mconf.o
YACC scripts/kconfig/zconf.tab.c
/bin/sh: bison: command not found
make[1]: *** [scripts/kconfig/zconf.tab.c] Error 127
make: *** [menuconfig] Error 2
# become super user again (Ctrl+D) and fix it
yum install bison

# become normal user again
su username
# rerun
make menuconfig
# gave me this error
YACC scripts/kconfig/zconf.tab.c
LEX scripts/kconfig/zconf.lex.c
/bin/sh: flex: command not found
make[1]: *** [scripts/kconfig/zconf.lex.c] Error 127
make: *** [menuconfig] Error 2
# become super user again (Ctrl+D) and fix it
yum install flex
# for compile to work one needs additional packages, screen package is optional
yum install elfutils-libelf-devel.x86_64 openssl-devel.x86_64 bc screen 

# rerun
su username
make menuconfig
# now finally worked:

# usually i do not modify anything here
# just hit exit and save the .config

# starting a new screen session with this name
screen -S compiling_kernel;
make clean;
# LET THE MAGIC BEGIN!
# compile using 4 cpu cores (faster than with one)
time make -j4;
# watch the magic for a while...
# Ctrl+A then D = detach from current screen session
# so one can let the compilation run in the background and do other stuff
# while it is compiling
# for example: what cpu does one have?
cat /proc/cpuinfo
lscpu
# benchmarks:
# (if this process quits a bit too fast in comparison to these figures
# one was probably using the wrong .config and not building all modules = bad, won't boot)
## kernel 5.1 using 4x core of Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
### took real 46m39.147s 
## kernel 4.17.4 using 2x cores of Xeon (Skylake, IBRS) 2GHZ 16MByte Cache
### took real 85minutes
screen -ls; # show current screen sessions
screen -R compiling_kernel; # resume this screen session
# how to install htop in centos
yum install epel-release
yum install htop
watching kernel 4.12.13 compiling under centos7 with 8x xeon E5504 at 2.00GHz cores on supermicro X8DT3 server (2018-01) good way to stress test one’s system 😀  real: 24m48.755s … not too bad 😀

# compiling kernel 5.1.25 on HP ProLiant DL360 G6
# full throttle on all cpus
the HP ProLiant DL360 G6 made a build of 5.1.15 in real 16m4.780s

lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                16
On-line CPU(s) list:   0-15
Thread(s) per core:    2
Core(s) per socket:    4
Socket(s):             2
NUMA node(s):          2
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 26
Model name:            Intel(R) Xeon(R) CPU           E5540  @ 2.53GHz

# the time has come
# when one will definitely
# need to be root to progress
su
make modules_install

# kernel build went good, but make modules_install failed on CentOS8 with:
blowfish-x86_64.ko SSL error 02001002 system library fopen No such file or directory crypto bio bss_file.c

make install

# if one is in front of the server
# one can select the new kernel at the grub boot menu
# if not, one would want to check before reboot
# that the new kernel is the default kernel to boot
# make sure the lines GRUB_DEFAULT=saved and GRUB_SAVEDEFAULT=true are present
# so it will automatically remember
# the last kernel one has chosen (the chosen one)
# imho would change GRUB_TIMEOUT=5 to 1 (less wait during boot)
# imho would remove the "quiet" parameter
# so one gets a more verbose output during boot
vi /etc/default/grub;
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
# :wq save quit vi/vim

# can show one what the boot menu looks like and what entry should be default
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
0 : CentOS Linux (4.10.0-862.14.4.el7.x86_64) 7 (Core)
1 : CentOS Linux (3.10.0-862.9.1.el7.x86_64) 7 (Core)
2 : CentOS Linux (0-rescue-9063ac396d784f4c997ceacdd0590c25) 7 (Core)

# show what is current default kernel
grub2-editenv list
saved_entry=CentOS Linux (3.10.0-862.14.4.el7.x86_64) 7 (Core)

grub2-set-default 0

# centos7 update grub config and menu
grub2-mkconfig -o /boot/grub2/grub.cfg

# or if one has access to the server directly:
# reboot, select the new kernel and it should be set to default afterwards
# yes one could just hit reboot now
# but we want to be graceful
mkdir /scripts
echo 'sync; shutdown -r now "system reboot"' > /scripts/reboot.sh
echo 'sync; shutdown -P now "system poweroff"' > /scripts/poweroff.sh
# usually with shutdown one means also poweroff
ln -sv /scripts/poweroff.sh /scripts/shutdown.sh
chmod +x /scripts/*.sh
# reboot
/scripts/reboot.sh

# if that worked one might want to make it boot the new kernel per default

# and all goes well
# CONGRATULATIONS! :)
# one's server should now be running THE latest kernel

modules and kernel install fine – after reboot i can select the new kernel 4.12 and it boots up fine.

hostnamectl 
 Static hostname: CentOSworkstation.localdomain
 Icon name: computer-laptop
 Operating System: CentOS Linux 7 (Core)
 CPE OS Name: cpe:/o:centos:centos:7
 Kernel: Linux 4.14.12 (recent in 2017-01)
 Architecture: x86-64

hostnamectl 
   Static hostname: hostname
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 5.2.9 (recent in 2019-08)
      Architecture: x86-64

CONGRATULATIONS! 🙂

cleaning up:

# to avoid overwriting one's custom compiled kernel with the next update add this
vim /etc/yum.conf 
exclude=kernel*
# if it is a desktop workstation one might also want to
exclude=icedove* firefox* libreoffice*

benchmark:

a quadcore Intel(R) Core(TM) i5-3470T CPU @ 2.90GHz needs real 36m58.294s to compile linux-4.15.1

….not sure what those messages are about:

full error message:

SELinux is preventing /usr/libexec/accounts-daemon from using the dac_read_search capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If sie überprüfen wollen, ob Domäne diesen Zugriff benötigt oder Sie eine Datei mit den falschen Berechtigungen auf Ihrem System haben
Then aktivieren Sie die vollständige Audit-Funktion, um die Pfad-Information der problematischen Datei zu erhalten. Dann reproduzieren Sie den Fehler erneut.
Do

Volle Audit-Funktion aktivieren
# auditctl -w /etc/shadow -p w
Versuchen Sie AVC zu reproduzieren. Führen Sie dann folgendes aus
# ausearch -m avc -ts recent
Falls PATH record ersichtlich ist, überprüfen Sie Eigentümer/ Berechtigungen der Datei und korrigieren Sie dies,
anderenfalls melden Sie dies an Bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If sie denken, dass accounts-daemon standardmäßig dac_read_search Berechtigung haben sollten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port                          
Host                          CentOS7
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     CentOS7
Platform                      Linux CentOS7 4.12.0cuztom #1 SMP Mon Jul 3
                              12:01:05 CEST 2017 x86_64 x86_64
Alert Count                   6
First Seen                    2017-07-03 15:13:18 CEST
Last Seen                     2017-07-03 15:13:52 CEST
Local ID                      286945cd-6cfc-4233-a5b4-747cfe5afe79

Raw Audit Messages
type=AVC msg=audit(1499087632.710:111): avc:  denied  { dac_read_search } for  pid=782 comm="accounts-daemon" capability=2  scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0


Hash: accounts-daemon,accountsd_t,accountsd_t,capability,dac_read_search


important or simply cool and probably related links 🙂

watch Linus Torvalds at work at kernel.org: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

all kernel changes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/

http://www.kroah.com/log/blog/2018/02/05/linux-kernel-release-model/

https://www.heise.de/ct/artikel/Die-Neuerungen-von-Linux-4-12-3712705.html

Among the material likely coming for Linux 4.13 that we have already covered on Phoronix includes:

– Initial AMD Raven Ridge graphics support (sans no display due to no DC/DAL yet), Vega fixes, and other updates.

– Many Allwinner DRM changes.

– DRM sync objects are landing.

– Raspberry Pi / VC4 improvements.

– Various updates to the Intel DRM driver.

– Large directory support for EXT4.

– XPad updates and Google Rose Touchpad support.

– AES-128-CBC support in Fscrypt, the file-system generic crypto code currently utilized by EXT4 and F2FS.

– Possibly the AMD SME/SEV security features supported by new EPYC CPUs.

– Continued push for more HDMI CEC drivers.

Stay tuned for thorough Linux 4.13 kernel feature coverage once the merge window opens following the 4.12 debut.

src: http://www.phoronix.com/scan.php?page=news_item&px=Linux-4.13-Early-Look

About Greg the Kernel Monkey:

“Who are you, and what do you do?”

“I’m Greg Kroah-Hartman. I am a Linux kernel developer working for The Linux Foundation as a Fellow. I’m responsible for different parts of the Linux kernel as a maintainer (USB, driver core, staging area, other various bits), and I do the Linux kernel stable releases every week or so, taking the bug fixes from the latest development tree and backporting them to the last released kernel for all to use.

I started the Linux Driver Project many years ago while I was working at Novell/SuSE which provides free Linux drivers for any company that wants them. That project still continues today, writing a handful of new drivers every year.”

“What hardware do you use?”

“My laptop is a MacBook Pro Retina. My workstation is an old pieced-together Intel machine, the parts selected for the size and lack of noise more than anything else, with two large monitors connected. The laptop and the workstation all only have SSD drives in them. I have an old Dell workstation as a build machine for kernel testing, with an extremely fast Micron Flash PCI drive in it for building kernels. Thanks to Amazon’s generosity, I’ve been doing a lot more kernel build testing on their AWS systems, utilizing a 32 processor, 64Gb virtual machine, allowing me to build multiple kernels at the same time all on a RAM disk in minutes. That has enabled me to be more productive while traveling.”

src: https://usesthis.com/interviews/greg.kh/
