Thoughts on how to improve Linux kernel maintenance a bit #140281
Comments
|
Since we are using the hardened kernels on our infrastructure, I'm a big fan of changing the way it currently works. I don't know how many people other than us use the hardened kernels, but I don't think it's fesible for everybody to overlay in the hardened kernel and keep it up to date, especially for new users who are switching from other Distros and want to keep their kernels. For this reason, I tend to prefer your second idea. I did this for OpenSSH in #115012 as well and I think most of the user base who are using the stock ssh benefit from this change with the others having to accept the less maintained packages. |
|
Just one more detail. For zfs, there is the I don't use hardened yet, but I am interested in it, the second choice would be amazing. |
Yeah, I'm aware of that, but I don't think this is useful here. Also, this doesn't help when trying to update the "latest compatible version" in question, if no hardened patch is available for a new patch-release we can either delay the upgrade or ignore the hardened kernel. |
|
I have not had as much time to do this maintenance as I used to. I would go with the "keep a specific version for the hardened kernels"-approach. |
|
To chime in, I support decoupling hardened kernel bumps from vanilla kernel bumps. Adopting the the hardening patches takes time and testing, so hardened kernels will often be delayed by a few days. Another thing that we should take care of before 21.11 are the other Kernel flavours, e.g. Xanmod. While the version in unstable is pretty up-to-date, 21.05 is currently stuck with 5.12.13-xanmod. |
|
If someone who uses |
|
I've been switching around Kernel versions on |
I'm fine with a stable version of xanmod if there's enough demand of it, personally I use the latest available, as I don't use ZFS and the like. |
|
I use xanmod latest and zfs |
|
Hardened plan sounds fine to me. I'm happy to be in the maintainer team
so I get pinged if I'm around, as long as everybody has the expectation
going in that I don't often find the time to do kernel patch releases.
|
|
Splendid! I'll file PRs for both the hardening topic and the maintainer team during one fo the next days :) |
|
I (evidently 😉) use the hardened kernel so would prefer the second approach. Do you believe this will be a significant maintenance burden? |
|
there's already #141100 doing exactly that :) |
Now there are a few more folks who should get pinged on kernel changes:
$ nix-instantiate -E 'with import ./. {}; (map (x: x.github) linux.meta.maintainers)' --eval --strict
[ "TredwellGit" "mweinelt" "ma27" "nequissimus" "alyssais" "thoughtpolice" ]
Refs NixOS#140281
Until now we merged kernel updates even if no hardened versions were available yet. On one hand we don't want to delay patch-level updates, on the other hand users of hardened kernels have frequent breakage now[1]. This change aims to provide a solution this issue: * The hardened patchset now references the kernel version it's released for (including a sha256 hash for the fixed-output path of the source tarball). * The `hardenedKernelFor`-function doesn't just append hardened patches now, but also overrides version & src to match the kernel version the patch was built & tested for. Refs NixOS#140281 [1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all
Now there are a few more folks who should get pinged on kernel changes:
$ nix-instantiate -E 'with import ./. {}; (map (x: x.github) linux.meta.maintainers)' --eval --strict
[ "TredwellGit" "mweinelt" "ma27" "nequissimus" "alyssais" "thoughtpolice" ]
Refs NixOS#140281
(cherry picked from commit 65930ca)
Until now we merged kernel updates even if no hardened versions were available yet. On one hand we don't want to delay patch-level updates, on the other hand users of hardened kernels have frequent breakage now[1]. This change aims to provide a solution this issue: * The hardened patchset now references the kernel version it's released for (including a sha256 hash for the fixed-output path of the source tarball). * The `hardenedKernelFor`-function doesn't just append hardened patches now, but also overrides version & src to match the kernel version the patch was built & tested for. Refs NixOS#140281 [1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all (cherry picked from commit bb5aa01)
Now there are a few more folks who should get pinged on kernel changes:
$ nix-instantiate -E 'with import ./. {}; (map (x: x.github) linux.meta.maintainers)' --eval --strict
[ "TredwellGit" "mweinelt" "ma27" "nequissimus" "alyssais" "thoughtpolice" ]
Refs NixOS#140281
(cherry picked from commit 65930ca)
Until now we merged kernel updates even if no hardened versions were available yet. On one hand we don't want to delay patch-level updates, on the other hand users of hardened kernels have frequent breakage now[1]. This change aims to provide a solution this issue: * The hardened patchset now references the kernel version it's released for (including a sha256 hash for the fixed-output path of the source tarball). * The `hardenedKernelFor`-function doesn't just append hardened patches now, but also overrides version & src to match the kernel version the patch was built & tested for. Refs NixOS#140281 [1] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all (cherry picked from commit bb5aa01)
Motivation
I'm one of the folks who are currently testing/merging/backporting Linux kernel updates. All in all, this is quite a smooth process thanks to @TredwellGit who tirelessly files update PRs in the first place and an existing updater-script.
However there are a few minor issues I have that I'd like to discuss here before submitting any code.
Topics
Hardened Kernel
We have all active Kernel releases packaged and - if available - also linux-hardened which provides a few additional security properties. However these releases lag behind the upstream Kernel usually, on a few occasions we had to wait for about a week[1][2].
However, Kernel updates are quite relevant usually, either because of important bugfixes or because of CVEs to be fixed. Because of that, we decided to ignore outdated hardened patches at some point[3] and right now the hardened kernel is broken rather regularly[4]. Another issue is what's supposed to happen if a kernel minor-release gets EOL and no hardened patches are available for the next higher minor release (that's also
_latest)[5].IMHO neither the "old" approach (awaiting hardened patches and thus delaying kernel updates for everyone) nor the current one (ignoring build failures) is optimal. Current ideas I have are:
5.14.5and want to upgrade to5.14.6, but no hardened patch is available yet. Now we upgrade to5.14.6, but use continue to use5.14.5for the hardened kernel).Maintainer team
This is a rather trivial one 😅
I noticed that I get pinged rather inconsistently on Kernel PRs which is totally understandable, I also wouldn't want to keep track of everyone I have to ping for each PR I open, especially because this is automatable.
Currently we seem to have a single person listed as maintainer for Kernels:
My suggestion is rather simple - we should for a maintainer team with both a team in the NixOS GH org and an entry in
maintainers/team-list.nix. I'd nominateand make sure the members are requested for a review on each Kernel bump.
[1] #119543
[2] #125469
[3] #134692
[4] https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.linuxPackages_hardened.kernel.x86_64-linux/all
[5] #133587 (review)
The text was updated successfully, but these errors were encountered: