Full Version: Compile a 2.6.9 Kernel
eth00
Latest version of my kernel guide: http://eth0.us/?q=node/32
This version is much more generic and should work on more servers.



This guide is no longer going to be updated, I am going to focus on my 2.6.9 + grsecurity found at http://eth0.us/?q=node/18




How-To: Compile a 2.6.9 Kernel


Also posted on http://www.eth0.us


December 22nd:
Updated up2date so it would not overwrite module utilities preventing the kernel from booting

This guide is to be used completely at your own risk! It was designed with an ev1 dual xeon hardware configuration in mind but will also work on some of the P4 models. I am not going to try and support every possible hardware combination. I started this because I wanted a kernel for my own use but decided to share my work. Upgrading a kernel from rpm is easy, and doing it as I have below is pretty easy as I have already done much of the hard configuration work. I was able to use the following guide on multiple servers with no problem and I know that it works. The key that makes this much easier is that you are using the .config file I have already created which contains all of the variables and configuration options. If you would like to view the .config file and offer any input please feel free! I have a little experience with compiling kernels but I am sure there are a few more things here and there I can remove.


I do plan on adding grsecurity when it becomes available for 2.6.9 and I get time.


Now that is done the guide is below, good luck!


First compile module-init-tools which is needed to compile a 2.6.* kernel on a system currently running a 2.4.* kernel. Do note that this may cause rkhunter to bring up false positives.

-----command-----
cd /usr/local/src/
wget http://www.kernel.org/pub/linux/kernel/peo...ools-3.1.tar.gz
tar -zxf module-init-tools-3.1.tar.gz
cd module-init-tools-3.1
./configure --prefix=""
make moveold
make install
./generate-modprobe.conf /etc/modprobe.conf
cd ..
-----command-----

-----command-----
cd /usr/local/src/
wget http://www.kernel.org/pub/linux/kernel/v2....ux-2.6.9.tar.gz
tar -zxf linux-2.6.9.tar.gz
cd linux-2.6.9
wget http://eth0.us/.config
-----command-----
At this stage you can configure the kernel how you like it. By running "make menuconfig" you will be presented with a huge menu of options that you can try to compile into your kernel. After you do your changes click exit and continue. Not making changes is fine as I have already removed a lot of the extra stuff in the kernel. If you change the configuration after you have compiled it you will need to run the below rm commands to delete the kernel files you have created. They will be regenerated next time you run make. Also know that if you have trouble with the kernel booting you can just delete the .config and redownload mine.

-----command-----
rm -rf /boot/config-2.6.9-eth00
rm -rf /boot/vmlinuz-2.6.9-eth00
rm -rf /boot/System.map-2.6.9-eth00
rm -rf /boot/initrd-2.6.9-eth00.img
-----command-----


Now to actually compile the kernel
-----command-----
make
make modules_install
-----command-----
Make sure there are NO errors after this! If you do get errors the below is not going to work. The next step is going to copy the kernel into your /boot directory so you are able to use it.

-----command-----
cp .config /boot/config-2.6.9-eth00
cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.9-eth00
cp System.map /boot/System.map-2.6.9-eth00
mkinitrd /boot/initrd-2.6.9-eth00.img 2.6.9-eth00
-----command-----



All of the ev1 servers I have worked on have lilo installed so below is what you need to add to the file to allow you to boot. The append elevator deadline should help with the IO of your server. If after recompiling you have trouble with the IO remove the line and reboot to see if that is what is causing the trouble.

image=/boot/vmlinuz-2.6.9-eth00
label=2.6.9-eth00
append="root=LABEL=/ elevator=deadline"
read-only
initrd=/boot/initrd-2.6.9-eth00.img

Make sure when you run this lilo command that you can see no errors. If there are, something is configured wrong and the server is not going to boot.
-----command-----
lilo -v -v
-----command-----


Make SURE there are no errors! Now have your server reboot into the new kernel.

-----command-----
lilo -R 2.6.9-eth00
-----command-----


Ok you are ready to reboot and test it out. Go ahead and shutdown via "shutdown -r now". If it does not come up after 10 minutes you are going to have to get the server rebooted. Since we used the -R it will boot back to the old kernel last time. If it fails you can check the logs to see if anything is shown but many times nothing does and the only way to do it is have a tech look at the screen or use a kvm/drac. If it does work for you change the default= in the lilo.conf to your new kernel.

Now up2date needs to be updated so that redhat will not overwrite the module-init which will cause the kernel to not load. Edit the up2date config file
-----command-----
pico -w /etc/sysconfig/rhn/up2date
-----command-----

Next look for the skiplist, my old skiplist looked like this:
pkgSkipList=kernel*;httpd*;perl;mysql*;php*;mod_ssl*;

Add the following entry:
modutils*

It should look something like this:
pkgSkipList=kernel*;httpd*;perl;mysql*;php*;mod_ssl*;modutils*;

Save and you are all done.
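
The two failure modes this guide guards against (a lilo stanza that points at files which were never built, and up2date replacing the module utilities) can be checked before rebooting. The script below is an added example, not part of the original post; its function names and the optional root prefix are assumptions, and the sample files it builds are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: checks to run before "lilo -R".
# Function names and the optional root prefix ($3) are assumptions.

# Succeed if pkgSkipList in file $2 has $1 as a whole ';'-separated entry.
skiplist_has() {
    want=$1; conf=$2; found=1
    list=$(sed -n 's/^pkgSkipList=//p' "$conf" | tail -n 1)
    set -f; old_ifs=$IFS; IFS=';'   # no globbing: entries look like kernel*
    for entry in $list; do
        if [ "$entry" = "$want" ]; then found=0; fi
    done
    IFS=$old_ifs; set +f
    return $found
}

# Print the image= and initrd= paths of the lilo.conf stanza labelled $1.
stanza_files() {
    awk -v want="$1" '
        function flush() {
            if (lab == want && img != "") { print img; if (rd != "") print rd }
        }
        { sub(/^[ \t]+/, "") }
        /^(image|other)=/ { flush(); img = ""; rd = ""; lab = "" }
        /^image=/  { img = substr($0, 7) }
        /^label=/  { lab = substr($0, 7) }
        /^initrd=/ { rd  = substr($0, 8) }
        END { flush() }' "$2"
}

# Succeed only if the stanza exists and every file it names is non-empty.
# $3 is an optional root prefix so the check can run against a copy.
stanza_ok() {
    files=$(stanza_files "$1" "$2"); rc=0
    [ -n "$files" ] || { echo "no image stanza labelled $1 in $2" >&2; return 1; }
    for f in $files; do
        [ -s "${3:-}$f" ] || { echo "missing or empty: ${3:-}$f" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample: the guide's stanza and original skip list, with a
# /boot tree in which mkinitrd has not been run yet.
make_sample() {
    mkdir -p "$1/boot"
    echo stub > "$1/boot/vmlinuz-2.6.9-eth00"
    printf '%s\n' 'image=/boot/vmlinuz-2.6.9-eth00' ' label=2.6.9-eth00' \
        ' append="root=LABEL=/ elevator=deadline"' ' read-only' \
        ' initrd=/boot/initrd-2.6.9-eth00.img' > "$1/lilo.conf"
    echo 'pkgSkipList=kernel*;httpd*;perl;mysql*;php*;mod_ssl*;' > "$1/up2date"
}

report() {   # report <root> <label>
    skiplist_has 'modutils*' "$1/up2date" || echo "WARN: modutils* not in pkgSkipList"
    stanza_ok "$2" "$1/lilo.conf" "$1" || echo "WARN: do not reboot into $2 yet"
}

tmp=$(mktemp -d) && make_sample "$tmp" && report "$tmp" 2.6.9-eth00
rm -rf "$tmp"
```

On a real server the same functions take the live files, for example stanza_ok 2.6.9-eth00 /etc/lilo.conf and skiplist_has 'modutils*' /etc/sysconfig/rhn/up2date.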
WhizHosting
I just did this on my Dell Dual Xeon 2.0, 2GB DDRAM, SCSI RHE3

Worked great! Can't wait for your grsecurity howto :)
eth00
I have just updated the lilo.conf. The new append= line should give you a sizable increase in IO performance :)

Still waiting on the version of PAX to come out and until then the latest version grsecurity works with is 2.6.7. When they are done developing it I will start to play with grsecurity and get it working hopefully :)
WhizHosting
so i should change to this now?

append="root=LABEL=/ elevator=deadline"
eth00
Yes, then run lilo -v -v and reboot it. If you google that you will see a lot about it helping a lot of servers. I have been running it for a day on one of my servers just fine :)
WhizHosting
k made the changes, it came back up fine :)
WhizHosting
oh yea almost forgot, great job on the new site looks amazing!
eth00
Thanks for the comment on the site, I got tired of having nothing on it. When I figure out what I want I will probably create a graphic of some sort.

See how that kernel works for you, so far I have seen nothing bad from it.
WhizHosting
2.6.9 has been running for almost 24 hours now, seems rock solid.
WhizHosting
I have tried your new mod_security 'mod-sec-Low.txt' file and it still causes all sorts of problems with sites i host, can you make a file for cpanel that only stops access to very important things?

for example

# Prevent OS specific keywords
SecFilter /etc/password

# Prevent path traversal (..) attacks
SecFilter "../"


Your low.txt file even causes issues with vbulletin 3.0.3 so I had to disable mod_security once again :(
eth00
Thanks ok I will look at what is causing it. For now I just removed the files from the website so nobody else has trouble.
WhizHosting
just upgraded another dual xeon to this 2.6.9 kernel went great!

thanks again for this helpful post!
WhizHosting
I just rebooted the server today and it never came online, any ideas?


12/22/2004 10:08:26 AM
DataCenter
Your server's back online with the default/stock kernel loaded - 2.4.21-4.0.1.ELsmp

Make sure that you compile and/or add the appropriate network drivers into this new kernel (2.6.99-eth00)
WhizHosting
when i ran cpanel update yesterday up2date had like 20 updates so i think something in those updates caused it to not work correctly with 2.6.9
eth00
Do the utilities part again. Up2date probably upgraded those which is what caused the problem. I am going to have to add a part on how to stop up2date from updating those 3-4 binaries that we have to manually upgrade for 2.6.* to work.
WhizHosting
I guess I'll hold off until you have a fix :)

because when cpanel updates it runs up2date.
eth00
QUOTE
Originally posted by WhizHosting
I guess I'll hold off until you have a fix :)

because when cpanel updates it runs up2date.


Done :) look above.
mdogg
Thanks much, I ran your steps on my Ensim 4.0.2 RHEL P4 box and it worked without any problems! (Just need to wait a few days to see if anything pops up)
eth00
http://eth0.us/?q=node/18

2.6.9 + grsecurity :)

I have tested it on 2 different xeons and a celeron and all came up fine first time. Please report any problems here or on my website.
WhizHosting
I just tried your 2.6.9 + grsecurity howto but I don't think it worked, when I login as a normal user and type top I can view other people's running processes.
eth00
QUOTE
Originally posted by WhizHosting
I just tried your 2.6.9 + grsecurity howto but I don't think it worked, when I login as a normal user and type top I can view other people's running processes.


Check in uname -a if you have -grsec- in the kernel name; if you do, it is enabled. I did not compile it with the most strict option available as many of the options require per server customizations. Off the top of my head I am not even sure that grsecurity has an option to restrict that. If do not want others to view the processes diable able. If you look in "ps -aux" the user is only able to see what they are running :)

The kernel is not set up for a shell server and if you are interested in doing something like that take a look in menuconfig as there are a lot more options you can fool with. It is actually pretty easy to figure out once you have a good configuration. The grsecurity website has a lot of very good information as well.
WhizHosting
Just tried your updated 2.6.9 + grsecurity howto, worked great! Your first one didn't work at all :(
eth00
Yeah sorry about that, the 2.6.10 started to have some issues, I have put a huge disclaimer on it and separated the two.

2.6.10 vs 2.6.9 does not contain any security changes, it is just part of the natural progression of the kernel with upgrades and such. I am going to be playing around with it but there is no worry about being at 2.6.9. More than likely just have to wait until grsecurity puts out another patch for 2.6.10.
eth00
Hate to bump but the 2.6.10 guide should work fine now and includes a patch for the kernel exploit released today.

http://eth0.us/?q=node/25
WhizHosting
Just tried your 2.6.10 how-to, server didn't come back online :(
Doobla
Just curious, but is anybody running this kernel on a FC1 server with ensim? Can FC1 handle a 2.6 kernel?
WhizHosting
here is what ev1 said regarding your 2.6.10 kernel how-to which i followed exactly.


1/8/2005 11:12:04 PM
DataCenter
The first kernel in lilo came up with kernel panic : not syncing
booted to the second kernel - grsec, server is online with remote access, closing ticket
Doobla
QUOTE
Originally posted by WhizHosting
here is what ev1 said regarding your 2.6.10 kernel how-to which i followed exactly.


1/8/2005 11:12:04 PM
DataCenter
The first kernel in lilo came up with kernel panic : not syncing
booted to the second kernel - grsec, server is online with remote access, closing ticket


So in other words they used the kernel - grsec and it worked just fine....
freddo
I got this error when doing a MAKE:

CC arch/i386/mm/fault.o
arch/i386/mm/fault.c: In function `do_page_fault':
arch/i386/mm/fault.c:626: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:626: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:629: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:629: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:639: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:639: warning: long long unsigned int format, different type arg (arg 2)
CC arch/i386/mm/ioremap.o

As it's only a warning i'm guessing it's OK to continue.
freddo
I've got a 2.8ghz hyperthreading cpu - currently using 2.4smp kernel which shows 2 cpus.

Only change I made to .config was to change number of cpu's from 4 to 2.

Server wouldn't boot into 2.6.10...

No error messages in /var/log/messages
kamihacker
QUOTE
Originally posted by freddo
I've got a 2.8ghz hyperthreading cpu - currently using 2.4smp kernel which shows 2 cpus.

Only change I made to .config was to change number of cpu's from 4 to 2.

Server wouldn't boot into 2.6.10...

No error messages in /var/log/messages


I'd switch to 1 processor since actually HT is not really two processors, nor two cores, despite what Intel or top say

regards
eth00
Whizhosting - so were you trying to use 2.6.10 with the patch but without grsec? I have had some issues with that as well and I do not think it will run the best. If you really do not want grsec go through menuconfig and remove the grsecurity stuff.

Freddo - as kami said you only have to put 1 processor but that should not cause it trouble. That is just a max number of physical processors. What does the /etc/modules.conf look like of that particular server that would not boot? Also double check the lilo.conf that your root=/dev/sdX or hdX is correct. Those are the two most common reasons a kernel will not boot.


Doobla - Personally not tried but as the guide says the only thing to watch is the grsecurity with ensim high security mode. There are some chroot options that need to be removed for it to work properly.
WhizHosting
QUOTE
Originally posted by freddo
I got this error when doing a MAKE:

CC      arch/i386/mm/fault.o
arch/i386/mm/fault.c: In function `do_page_fault':
arch/i386/mm/fault.c:626: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:626: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:629: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:629: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:639: warning: long long unsigned int format, different type arg (arg 2)
arch/i386/mm/fault.c:639: warning: long long unsigned int format, different type arg (arg 2)
 CC      arch/i386/mm/ioremap.o

As it's only a warning i'm guessing it's OK to continue.


Yes, I get those errors too, but I got them on the 2.6.9 kernel and it works fine.
WhizHosting
QUOTE
Originally posted by eth00
Whizhosting - so were you trying to use 2.6.10 with the patch but without grsec? I have had some issues with that as well and I do not think it will run the best. If you really do not want grsec go through menuconfig and remove the grsecurity stuff.


Not sure what you mean? I followed your directions exactly, that's all I can say :) I guess I'll wait for your 2nd revision like with 2.6.9 + grsec to try again.
freddo
root@secure [~]# more /etc/modules.conf
alias eth0 tg3
alias eth1 natsemi
alias usb-controller usb-uhci
alias usb-controller1 ehci-hcd
alias scsi_hostadapter ata_piix

My server has SATA drives which are configured as SCSI (and running fine) so my config is sdx too.

Yes, only changed MAX cpu's so that shouldn't make any difference.
eth00
I have been busy for the past week and did not have the time to sit down and figure this out but now I have.

Freddo:
"alias scsi_hostadapter ata_piix"
That is a SATA controller put out by intel and previously not supported by my .config. If you get the latest 2.6.10 config your box should now boot.


Whizhosting:
I think I have found the issue with the other xeons not working and it appears the scsi drivers have an additional module. The error is related to the filesystem being mounted so that would make sense why you get the above error. You might also have the same issue as freddo.

I am not 100% sure that the new config will fix it. If you want to either try it with the new config OR paste the output of the following so I can check what modules you need.

cat /etc/modules.conf
cat /proc/pci | grep SCSI (may not work)





Both of you may want to run make clean before make just to make sure it works. You probably do not have to but easier to be safe.
freddo
Hey thanks John.

I look forward to trying this out.
freddo
Didn't work John.

Are you sure you put the latest .config online - I couldn't see where you added the SATA driver.... I could be blind :D
WhizHosting
root@xeon2 [~]# cat /etc/modules.conf
alias eth0 e1000
alias eth1 natsemi
alias scsi_hostadapter mptbase
alias scsi_hostadapter1 mptscsih
alias usb-controller usb-ohci
eth00
QUOTE
Originally posted by freddo
Didn't work John.

Are you sure you put the latest .config online - I couldn't see where you added the SATA driver.... I could be blind :D


haha no you are not blind at all, messed up someplace when I was moving the files from a dev server. If you get the latest then do make clean; make it will compile it with the SATA support.
freddo
I see it also supports DMA now.

Server booted OK. The only thing was that cppop and pure-ftp did not start. I started them manually and they seem to be running fine. I'll watch /var/log/messages to see how it goes over next 24 hours.

Thanks for the how-to!
freddo
I have a couple of errors:

--------------------- Init Begin ------------------------

**Unmatched Entries**
Id "ag" respawning too fast: disabled for 5 minutes
Id "ag" respawning too fast: disabled for 5 minutes
Id "ag" respawning too fast: disabled for 5 minutes
Id "ag" respawning too fast: disabled for 5 minutes

and:

--------------------- Connections (secure-log) Begin ------------------------


Connections:
Service imap:
127.0.0.1: 170 Time(s)

**Unmatched Entries**
agetty[4142]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[27951]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[26522]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[6464]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[10642]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[2161]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[25140]: /dev/ttyS0: cannot open as standard input: No such device or address

Otherwise, my load has decreased.
eth00
QUOTE
Originally posted by freddo
I have a couple of errors:

--------------------- Init Begin ------------------------  

**Unmatched Entries**
Id "ag" respawning too fast: disabled for 5 minutes
Id "ag" respawning too fast: disabled for 5 minutes
Id "ag" respawning too fast: disabled for 5 minutes
Id "ag" respawning too fast: disabled for 5 minutes

and:

--------------------- Connections (secure-log) Begin ------------------------  


Connections:
  Service imap:
     127.0.0.1: 170 Time(s)

**Unmatched Entries**
agetty[4142]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[27951]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[26522]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[6464]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[10642]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[2161]: /dev/ttyS0: cannot open as standard input: No such device or address
agetty[25140]: /dev/ttyS0: cannot open as standard input: No such device or address

Otherwise, my load has decreased.


The AG thing I will have to look up but have never been completely sure what is causing it. The /dev/ttyS0 is part of the ev1 console access. The console box is probably trying to connect but the kernel does not have the necessary modules. I thought that I had enough in the latest kernel but apparently not...time to search some more.

Neither of the errors is critical and they will not cause any problems :)
WhizHosting
did you see my last post? any advice?
freddo
Yep, you're right Console can't connect.
eth00
QUOTE
Originally posted by WhizHosting
did you see my last post? any advice?


I did miss it somehow...oops. I did add some modules which may help but not 100% sure yet. I am looking on google for some information about the module that it needs. The first scsi module is no problem but "mptscsih" seems to be causing some issues. If I cannot find anything more tonight it might be worth it if you can to reboot and try it again.

What does the SCSI stuff look like in /proc/pci or lspci. I am mainly interested in a card name which I might be able to get more information from.


Freddo - I will look into the console thing when I get time to see if I can add support. I think I know what is missing.
WhizHosting
I don't have either, /proc/pci or lspci

Your 2.6.9-grsec kernel is running right now very well, I don't understand why 2.6.10 is causing such a problem?
WhizHosting
Isn't there some way I can just patch the 2.6.9-grsec kernel?
eth00
Try copying the .config from your 2.6.9 dir to the 2.6.10 directory and running make clean. I am pretty sure that I have not removed anything from the kernel but worth a try.
WhizHosting
k done & server never came back up :(