search

cloux / aws-devuan

systemd-free GNU/Linux for AWS Cloud Environment
Do What The F*ck You Want To Public License
20 stars 4 forks source link

Kernel modules/dm-crypt #10

Open p opened 4 years ago

p commented 4 years ago

Hi,

Thank you for providing this aws image. I was looking for a systemd-free OS to run on amazon.

One issue I ran into was I wanted to use disk encryption (cryptsetup/dm-crypt) and it appears that the kernel that comes with aws-devuan does not include dm-crypt modules (and in general has very few modules included?). Eventually I dealt with this by installing linux-image-cloud-amd64, removing /boot/*5.6* and running update-grub. The system seems to work with kernel 4.19.

The questions I have are:

  1. How is one meant to add kernel modules to the 5.6 kernel? Couldn't find anything relevant in the readme.
  2. Is there a functional difference between using 5.6 kernel and the 4.19 kernel in linux-image-cloud-amd64 ?
  3. Is there an officially recommended way to switch from the 5.6 kernel to one of the standard kernels shipped with Devuan, such as linux-image-cloud-amd64 ?

Thanks in advance.

cloux commented 4 years ago

Hello p, nice to hear that!

As I optimized the kernel for AWS EC2, I looked at Amazon Linux, Clear Linux and others who made some kernel optimizations. I took their switches and adjusted for better performance as reported by Phoronix tests, and added some additional features (VPN tunnelling, Docker support etc.). Overall I would say that my kernel has pretty good performance/features ratio. That being said, less-frequently used features are simply left out. There is however an easy way for you to compile any additional kernel module you want. This might be easy, but lacks documentation, so here we go:

1) Add kernel module

First you have to compile the missing module from Linux kernel source. In my Devuan system, this is pretty simple to do by using the sin command. First check the file /etc/default/kernel-update, there should be a parameter CLEANUP=n. This means that after the update all source files will be kept in place. This should be the default behavior, but still worth checking. Now run:

sin kernel

and wait for ~20 minutes while your new kernel gets compiled for you. This depends on the speed/CPU of your EC2 instance. NOTE: If the the latest kernel is already installed, the command will simply say "We already have that one". In that case you can change the /etc/default/kernel-update and set MONIKER=mainline which will pull a different kernel branch. Alternatively, install my older release that does not have the latest kernel yet and start the kernel update on that older instance.

If all went OK, your kernel source should be in /usr/src/linux-X.Y.Z. Now you can:

cd /usr/src/linux-*
make menuconfig

Now you can add/remove any kernel module you want. For dm-crypt, press '/' and search for DM_CRYPT. Set it to 'Y' or 'M', save, and run:

make
make modules_install
make install

This will recompile your changes and put your kernel to /boot. Now you can:

update-grub
restart

That's it, in about 10 seconds your EC2 instance should be back online with your new kernel. I hope these steps are not too complicated to follow. In order to use your new kernel on all your instances it can be easily shared, so other instances can pull your binary by running sin pull kernel. Let me know if you need to know how to do this. It would require a new Issue, Ticket, or a better Manpage;)

NOTE: The minimal allowed EBS size of my instance is set to 4GB. The main reason is that less than 4GB would not be enough to compile a new kernel. If you want to keep several kernels around you might want to use a bigger base EBS.

Please let me know if there are any issues with the steps above.

2) Is there a functional difference between using 5.6 and 4.19 kernel

Yes! To mention a few, the 5.6 branch includes PSI for the oomd system (since kernel 4.20), wireguard VPN (since 5.6), and my kernel is carefully optimized for EC2 environment: includes AWS virtual network drivers (ixgbevf and ENA), XEN virtualization support, and lot more. Just check /boot/config-* files and compare for yourself. At the same time all unnecessary stuff is excluded to keep things slim and fast. To speed up the boot time even INITRD is stripped away. My system boots directly into the kernel and initializes from runit stage1, no need for initramfs.

For additional AWS compatibility, performance gain and stability features (oomd) I would definitely recommend my kernel over the "stock" from the repo. However, if you don't care about any of these things and 4.19 simply works for you, go for it! Please note that the speed measurements and feature list in the readme are directly related to my kernel and I will not be able to provide support for issues with other kernels.

3) Is there an officially recommended way to switch from the 5.6 kernel to one of the standard kernels shipped with Devuan, such as linux-image-cloud-amd64

Well, no. I recommend not to do it. If any of the stock kernels would perform well, I would be using it. All stock kernels require initramfs. That adds bloat. Even the specialized big players on EC2 like Amazon Linux waste the boot time trying to show you a desktop boot animation on headless cloud servers with no graphics. Clear Linux for EC2 being the faster from the bunch is actually slightly modified Android kernel. While it includes nonsense like drivers for Huawei mobile phones (?!?), it does not support VPN tunnels. This is a mess.

To be honest, I was only looking and comparing the kernels provided by the big players on EC2 platform. The overall quality is somewhat disappointing, so I would not expect much from a "stock" kernel, even if it's marketed as "cloud". Your mileage may vary.

You have been warned, but as I said before: try it and if it works for you, great!

p commented 4 years ago

Thank you, this is very helpful. I'll see about getting dm-crypt added to my system using the steps you described.

p commented 4 years ago

I tried this today on a brand new instance and make menuconfig didn't work.

sin kernel:

root@ip-172-31-90-153:~# sin kernel
Command: install
Modules: kernel
====================================================
Running: /usr/share/sin/kernel/install
Logfile: /var/log/sin/kernel.log

Get: 1 https://mirrors.dotsrc.org/devuan/merged testing InRelease [25.6 kB]
Get: 2 https://mirrors.dotsrc.org/devuan/merged testing-updates InRelease [25.6 kB]
Get: 3 https://mirrors.dotsrc.org/devuan/merged testing-proposed-updates InRelease [25.6 kB]
Get: 4 https://mirrors.dotsrc.org/devuan/merged testing/main amd64 Packages [7,811 kB]
Get: 5 https://mirrors.dotsrc.org/devuan/merged testing/contrib amd64 Packages [47.7 kB]
Get: 6 https://mirrors.dotsrc.org/devuan/merged testing/non-free amd64 Packages [95.0 kB]
Fetched 8,031 kB in 4s (2,060 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
Reading extended state information...
Initializing package states...
Writing extended state information...
Building tag database...
Reading package lists...
Building dependency tree...
Reading state information...
Reading extended state information...
Initializing package states...
Writing extended state information...
Building tag database...
wget is already installed at the requested version (1.20.3-1+b3)
bc is already installed at the requested version (1.07.1-2+b2)
bison is already installed at the requested version (2:3.7+dfsg-1)
flex is already installed at the requested version (2.6.4-8)
libssl-dev is already installed at the requested version (1.1.1g-1)
libelf-dev is already installed at the requested version (0.180-1+b1)
lz4 is already installed at the requested version (1.9.2-2)
wget is already installed at the requested version (1.20.3-1+b3)
bc is already installed at the requested version (1.07.1-2+b2)
bison is already installed at the requested version (2:3.7+dfsg-1)
flex is already installed at the requested version (2.6.4-8)
libssl-dev is already installed at the requested version (1.1.1g-1)
libelf-dev is already installed at the requested version (0.180-1+b1)
lz4 is already installed at the requested version (1.9.2-2)
The following NEW packages will be installed:
  jq libjq1{a} libonig5{a} 
0 packages upgraded, 3 newly installed, 0 to remove and 15 not upgraded.
Need to get 378 kB of archives. After unpacking 1,137 kB will be used.
Writing extended state information...
Get: 1 https://mirrors.dotsrc.org/devuan/merged testing/main amd64 libonig5 amd64 6.9.5-2 [182 kB]
Get: 2 https://mirrors.dotsrc.org/devuan/merged testing/main amd64 libjq1 amd64 1.6-1 [133 kB]
Get: 3 https://mirrors.dotsrc.org/devuan/merged testing/main amd64 jq amd64 1.6-1 [63.4 kB]
Fetched 378 kB in 1s (256 kB/s)
Selecting previously unselected package libonig5:amd64.
(Reading database ... 56496 files and directories currently installed.)
Preparing to unpack .../libonig5_6.9.5-2_amd64.deb ...
Unpacking libonig5:amd64 (6.9.5-2) ...
Selecting previously unselected package libjq1:amd64.
Preparing to unpack .../libjq1_1.6-1_amd64.deb ...
Unpacking libjq1:amd64 (1.6-1) ...
Selecting previously unselected package jq.
Preparing to unpack .../archives/jq_1.6-1_amd64.deb ...
Unpacking jq (1.6-1) ...
Setting up libonig5:amd64 (6.9.5-2) ...
Setting up libjq1:amd64 (1.6-1) ...
Setting up jq (1.6-1) ...
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for libc-bin (2.31-3) ...
Reading package lists...
Building dependency tree...
Reading state information...
Reading extended state information...
Initializing package states...
Writing extended state information...
Building tag database...
Current kernel: 5.8.5
Latest stable kernel: 5.8.5 (2020-08-27)
We already have that one.

make menuconfig:

root@ip-172-31-90-153:~# cd /usr/src/linux-5.8.5/
root@ip-172-31-90-153:/usr/src/linux-5.8.5# make menuconfig
  UPD     scripts/kconfig/mconf-cfg
  HOSTCC  scripts/kconfig/mconf.o
  HOSTCC  scripts/kconfig/lxdialog/checklist.o
  HOSTCC  scripts/kconfig/lxdialog/inputbox.o
  HOSTCC  scripts/kconfig/lxdialog/menubox.o
  HOSTCC  scripts/kconfig/lxdialog/textbox.o
  HOSTCC  scripts/kconfig/lxdialog/util.o
  HOSTCC  scripts/kconfig/lxdialog/yesno.o
  HOSTLD  scripts/kconfig/mconf
scripts/kconfig/mconf  Kconfig
Kconfig:10: can't open file "init/Kconfig"
make[1]: *** [scripts/kconfig/Makefile:29: menuconfig] Error 1
make: *** [Makefile:606: menuconfig] Error 2
p commented 4 years ago

I see that Kconfig has

source "init/Kconfig"

But, I do not have an init subdirectory.

cloux commented 4 years ago

Hello p, sorry for the late reply.

Yes, this is expected behavior. By default the /usr/src/linux-* directory is present, but it only contains header files required to compile external kernel modules, not the full source, so make menuconfig will fail.

There are few important points in my instructions above which you might have missed:

When a new kernel was found and is being compiled the output should look like this:

Downloading ...
...
Unpacking ...
...
Configure "unattended" ...
...
Compile using N threads ...

And that takes about 20 minutes to complete. Again, as I wrote above: if you see "We already have that one", you can set MONIKER=mainline in the /etc/default/kernel-update and run sin kernel again. That will pull a different kernel branch. Alternatively, install older release which has an older kernel and run sin kernel in that instance. Then a new kernel with full source code will be present and make menuconfig will work fine.

Please let me know if that worked.