Linux kernel
The kernel is loaded on the host computer. With a systemd-nspawn container, resources are shared with the host, and so is the kernel: the container runs on the host's kernel and cannot load kernel modules of its own.
The host kernel follows recent upstream releases and is updated regularly. It is built from source with a custom config file and kept as minimal as possible.
This config file is available on GitHub. The current version is 32. Version 32 is special in that it brings back into the kernel some features that had previously been removed.
Our host machine needed to run a Docker image. Unfortunately, the minimalistic kernel did not include some of the features required to run Docker.
To find the missing pieces, we ran this script. Most missing features have since been enabled, except the aufs and zfs filesystems: the former is now well replaced by overlayfs, and the latter is not mandatory.
- Restricting unprivileged access to the kernel syslog (CONFIG_SECURITY_DMESG_RESTRICT) is enabled
TODO: more security options once the server is no longer a container.
Tip: the running kernel's configuration is exported as /proc/config.gz; read it with zcat.
Example: ensure loop devices are enabled (=y means built in, =m built as a module, "is not set" disabled):
$ zcat /proc/config.gz | grep CONFIG_BLK_DEV_LOOP
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0
- RAID support is disabled
- Block device as cache (bcache) is enabled and compiled
- The device-mapper Crypt, Snapshot, Thin provisioning, Cache and Mirror targets are enabled
- The Deadline and CFQ I/O schedulers are enabled; the default is CFQ
sysctl is a tool for changing kernel parameters at runtime. systemd applies settings from /etc/sysctl.d/*.conf and /usr/lib/sysctl.d/*.conf at boot.
To list all current parameters, run # sysctl -a
(# sysctl -p loads, and prints, the settings from /etc/sysctl.conf). Settings can be changed either by writing to the corresponding file under /proc/sys or with the sysctl utility; both take effect immediately but do not survive a reboot unless the setting is also written to a sysctl.d drop-in. Note that kernel.sysrq=1 enables every SysRq function; on a server a restrictive bit mask is usually preferable.
# sysctl kernel.sysrq=1
OR
# echo "1" > /proc/sys/kernel/sysrq
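The persistent form of the two commands above is a drop-in under /etc/sysctl.d. The script below, an added example and not code from this page or its repository, writes such a drop-in and then audits a /proc/sys tree against it, so a configuration drift (a value reset by another service, or a parameter the running kernel does not have) shows up as MISMATCH or MISSING. The drop-in contents, the function names (trim, sysctl_read, sysctl_audit) and the fake /proc/sys tree are all constructed for the demonstration; on a real host point the second argument at /proc/sys and load the file with `sysctl --system`.

```shell
#!/bin/sh
# Added example (not code from the page): keep sysctl settings in a drop-in
# file and audit the running kernel against it. The drop-in and the fake
# /proc/sys tree below are constructed for the demonstration.

# trim STRING -> STRING without surrounding whitespace and with inner runs of
# whitespace collapsed, so a tab-separated /proc/sys value compares cleanly
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]][[:space:]]*/ /g'
}

# sysctl_read SYS_ROOT KEY -> current value of KEY (kernel.sysrq -> kernel/sysrq),
# empty when the parameter does not exist on this kernel
sysctl_read() {
    f="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$f" ]; then trim "$(cat "$f")"; fi
    return 0
}

# sysctl_audit DROPIN SYS_ROOT -> one line per setting; returns the number of
# settings that are missing or differ from the desired value
sysctl_audit() {
    dropin=$1; root=$2; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac   # blanks and comments
        key=$(trim "${line%%=*}"); want=$(trim "${line#*=}")
        have=$(sysctl_read "$root" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (not available on this kernel)"; bad=$((bad+1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (want $want)"; bad=$((bad+1))
        else
            echo "OK       $key = $have"
        fi
    done < "$dropin"
    return $bad
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed drop-in, what /etc/sysctl.d/99-hardening.conf would contain.
# kernel.sysrq is a bit mask: 1 enables every SysRq function, 4 keeps only the
# keyboard controls (SAK), a safer choice on a server.
DROPIN=$WORK/99-hardening.conf
cat > "$DROPIN" <<'EOF'
# restrict dmesg and kernel pointer exposure to root
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
kernel.sysrq = 4
net.ipv4.conf.all.rp_filter = 1
EOF

# Constructed stand-in for /proc/sys: dmesg_restrict already matches, two
# values differ, and rp_filter does not exist at all.
FAKE_SYS=$WORK/sys
mkdir -p "$FAKE_SYS/kernel"
echo 1  > "$FAKE_SYS/kernel/dmesg_restrict"
echo 0  > "$FAKE_SYS/kernel/kptr_restrict"
echo 16 > "$FAKE_SYS/kernel/sysrq"

sysctl_audit "$DROPIN" "$FAKE_SYS" || echo "$? setting(s) need attention"
# On the host: sysctl_audit /etc/sysctl.d/99-hardening.conf /proc/sys
```

The audit only reads; applying is left to `sysctl --system` (or `sysctl -p FILE`) so that the check can be run from an unprivileged account or from a cron job.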
Netfilter is a collection of software that enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the redesigned and heavily improved successor of ipchains from Linux 2.2.x.
iptables is a command line utility for configuring the Linux kernel firewall implemented within the Netfilter project.
NOTE: iptables has to be built into the kernel, not as modules, to work inside a systemd-nspawn container: the container cannot load kernel modules itself.
Networking >> Networking options >> Network packet filtering (replaces ipchains) >> Core Netfilter Configuration >> Netfilter Xtables support (required for ip_tables), and select all of the following options as built in (<*>), not as modules (<M>).
Networking >> Networking options >> Network packet filtering (replaces ipchains) >> IP: Netfilter Configuration >> IP tables support
nftables is the Netfilter project's replacement for the existing ip-, ip6-, arp- and ebtables frameworks. It is built into the kernel.
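The zcat tip above checks one option at a time, and the note on iptables shows that it is not enough to know an option is enabled: for anything a container needs, =y and =m are not equivalent. The script below, an added example that is not code from this page or its repository, audits a kernel config against a list of requirements and distinguishes built in, module and absent. The function names (kconfig_state, kconfig_check), the requirement-list format and the sample config are assumptions made for the demonstration; on the host feed it the real config with `zcat /proc/config.gz > /tmp/running.config`.

```shell
#!/bin/sh
# Added example (not code from the page or the project): audit a kernel
# config for required options, distinguishing built in (=y), module (=m) and
# absent. The sample config and requirement list below are constructed.

# kconfig_state OPTION CONFIG_FILE -> y, m, the literal value for string/int
# options (e.g. 0), or n when the option is absent or "is not set"
kconfig_state() {
    name=$1; file=$2
    line=$(grep -E "^(# )?${name}[= ]" "$file" | head -n 1)
    case $line in
        "${name}=y") echo y ;;
        "${name}=m") echo m ;;
        "${name}="*) echo "${line#*=}" ;;
        *)           echo n ;;
    esac
}

# kconfig_check CONFIG_FILE REQUIRED_LIST
# REQUIRED_LIST holds one "OPTION NEED" per line. NEED is y when the option
# must be built in (ip_tables for an nspawn container, which cannot load
# modules) or ym when a module is fine (the host loads it on demand).
# Prints one line per option and returns the number of unmet requirements.
kconfig_check() {
    file=$1; reqs=$2; failures=0
    while read -r opt need; do
        [ -n "$opt" ] || continue
        state=$(kconfig_state "$opt" "$file")
        case "$need:$state" in
            y:y|ym:y|ym:m) echo "OK   $opt=$state" ;;
            y:m)           echo "FAIL $opt=m, must be built in (=y)"; failures=$((failures+1)) ;;
            *)             echo "FAIL $opt not enabled"; failures=$((failures+1)) ;;
        esac
    done < "$reqs"
    return $failures
}

SAMPLE_CONFIG=$(mktemp)
REQS=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$REQS"' EXIT

# Constructed sample config (not a real kernel's): loop device as a module,
# dmesg restriction on, Xtables as a module, ip_tables built in, nftables off.
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=y
# CONFIG_NF_TABLES is not set
EOF

# Constructed requirement list for a host that runs an nspawn container.
cat > "$REQS" <<'EOF'
CONFIG_BLK_DEV_LOOP ym
CONFIG_SECURITY_DMESG_RESTRICT y
CONFIG_NETFILTER_XTABLES y
CONFIG_IP_NF_IPTABLES y
CONFIG_NF_TABLES ym
EOF

kconfig_check "$SAMPLE_CONFIG" "$REQS" || echo "$? requirement(s) unmet"
# On the host: zcat /proc/config.gz > /tmp/running.config
#              kconfig_check /tmp/running.config required.list
```

With the constructed input, Xtables fails because it is a module where the container needs it built in, and nftables fails because it is not set at all; the loop device passes because a module is acceptable there.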
- The CFQ scheduler is preferable for rotating hard disks. It provides a fair allocation of the disk I/O bandwidth and is the default when compiling the kernel.
- The Deadline scheduler is the recommended one for SSDs. As the kernel is compiled with CFQ as the default, write a udev rule to apply deadline to non-rotational devices:
/etc/udev/rules.d/60-schedulers.rules
.....................................
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="deadline"
Check the active scheduler (shown in brackets) with:
$ cat /sys/block/sdb/queue/scheduler
noop [deadline] cfq
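A udev rule silently does nothing for devices it does not match, so the check above is worth automating across all disks. The script below is an added example, not code from this page or its repository: it reads queue/rotational and queue/scheduler for every sd* device under a sysfs block directory and reports any device whose active scheduler is not the one intended (deadline for non-rotational, the compiled-in CFQ default otherwise). The function names, the SSD_SCHED/HDD_SCHED variables and the fake sysfs tree are assumptions made for the demonstration; on the host call check_schedulers /sys/block.

```shell
#!/bin/sh
# Added example (not from the page): verify each block device runs the
# scheduler the udev rule intends. The sysfs tree below is constructed.

SSD_SCHED=${SSD_SCHED:-deadline}   # wanted when queue/rotational is 0
HDD_SCHED=${HDD_SCHED:-cfq}        # wanted otherwise (the compiled-in default)

# active_scheduler DEVDIR -> the bracketed (active) entry of queue/scheduler
active_scheduler() {
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$1/queue/scheduler"
}

# expected_scheduler DEVDIR -> scheduler wanted for this device type
expected_scheduler() {
    if [ "$(cat "$1/queue/rotational")" = 0 ]; then echo "$SSD_SCHED"; else echo "$HDD_SCHED"; fi
}

# check_schedulers BLOCKDIR -> one line per sd* device; returns the number of
# devices whose active scheduler differs from the expected one
check_schedulers() {
    bad=0
    for dev in "$1"/sd*; do
        [ -d "$dev/queue" ] || continue
        act=$(active_scheduler "$dev"); want=$(expected_scheduler "$dev")
        if [ "$act" = "$want" ]; then
            echo "OK   ${dev##*/}: $act"
        else
            echo "FIX  ${dev##*/}: active=$act expected=$want"; bad=$((bad+1))
        fi
    done
    return $bad
}

# Constructed stand-in for /sys/block with three disks.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdev() {   # mkdev NAME ROTATIONAL "SCHEDULER LINE"
    mkdir -p "$WORK/block/$1/queue"
    echo "$2" > "$WORK/block/$1/queue/rotational"
    echo "$3" > "$WORK/block/$1/queue/scheduler"
}
mkdev sda 1 'noop deadline [cfq]'   # rotating disk on the default
mkdev sdb 0 'noop [deadline] cfq'   # SSD, udev rule applied
mkdev sdc 0 'noop deadline [cfq]'   # SSD the rule missed

check_schedulers "$WORK/block" || echo "$? device(s) need attention"
# On the host: check_schedulers /sys/block
```

One caveat for a kernel that "follows recent changes": from Linux 5.0 the legacy block layer and with it the cfq, deadline and noop schedulers were removed, leaving the blk-mq ones (mq-deadline, kyber, bfq, none). On such a kernel both the udev rule's ATTR{queue/scheduler} value and the SSD_SCHED/HDD_SCHED defaults above have to name a scheduler that the queue/scheduler file actually lists, e.g. mq-deadline.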
mkinitcpio is the next generation of initramfs creation. The initial ramdisk is in essence a very small environment (early userspace) which loads various kernel modules and sets up necessary things before handing over control to init.
The primary configuration file for mkinitcpio is /etc/mkinitcpio.conf. By default, the mkinitcpio script generates two images after kernel installation or upgrades: /boot/initramfs-linux.img and /boot/initramfs-linux-fallback.img.
To generate a new image, run # mkinitcpio -p linux
or, in the case of a custom kernel, # mkinitcpio -c /etc/mkinitcpio-custom.conf -g /boot/linux-custom.img
Hooks are scripts that execute in the initial ramdisk. List the available hooks:
% mkinitcpio -L
==> Available hooks
autodetect filesystems mdadm_udev sata¹ sleep vboxhost
base fsck memdisk scsi¹ strip virtio¹
bcache fw¹ mmc¹ sd-encrypt systemd
block keyboard modconf sd-lvm2 udev
btrfs keymap pata¹ sd-shutdown usb¹
consolefont lvm2 pcmcia sd-vconsole usbinput²
encrypt mdadm resume shutdown usr