[pve-kernel.git] / README

KERNEL SOURCE:
==============

We currently use the Ubuntu kernel sources, available from:

 http://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/

Ubuntu will maintain those kernels till:

 https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable


Additional/Updated Modules:
---------------------------

- include latest e1000e driver from intel/sourceforge

- include latest ixgbe driver from intel/sourceforge

- include latest igb driver from intel/sourceforge

- include native OpenZFS filesystem kernel modules for Linux

  * https://github.com/zfsonlinux/

  For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ


RELATED PACKAGES:
=================

proxmox-ve
----------

top level meta package, depends on current default kernel series meta package.

git clone git://git.proxmox.com/git/proxmox-ve.git

pve-kernel-meta
---------------

depends on latest kernel and header package within a certain kernel series,
e.g., pve-kernel-4.15 / pve-headers-4.15

git clone git://git.proxmox.com/git/pve-kernel-meta.git

pve-firmware
------------

contains the firmware for all released PVE kernels.

git clone git://git.proxmox.com/git/pve-firmware.git


NOTES:
======

ABI versions, package versions and package name:
------------------------------------------------

We follow debian's versioning w.r.t ABI changes:

https://kernel-team.pages.debian.net/kernel-handbook/ch-versions.html
https://wiki.debian.org/DebianKernelABIChanges

The debian/rules file has a target comparing the build kernel's ABI against the
version stored in the repository and indicates when an ABI bump is necessary.
An ABI bump within one upstream version consists of incrementing the KREL
variable in the Makefile, rebuilding the packages and running 'make abiupdate'
(the 'abiupdate' target in 'Makefile' contains the steps for consistently
updating the repository).

Watchdog blacklist
------------------

By default, all watchdog modules are black-listed because it is totally undefined
which device is actually used for /dev/watchdog.
We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
The user typically edit /etc/modules to enable a specific watchdog device.

Additional information
----------------------

We use the default configuration provided by Ubuntu, and apply
the following modifications:

see debian/rules (PVE_CONFIG_OPTS)

- enable INTEL_MEI_WDT=m (to allow disabling via patch)

- disable CONFIG_SND_PCM_OSS (enabled by default in Ubuntu, not needed)

- switch CONFIG_TRANSPARENT_HUGEPAGE to MADVISE from ALWAYS

- enable CONFIG_CEPH_FS=m (request from user)

- enable common CONFIG_BLK_DEV_XXX to avoid hardware detection
  problems (udev, update-initramfs have serious problems without that)

  	 CONFIG_BLK_DEV_SD=y
  	 CONFIG_BLK_DEV_SR=y
  	 CONFIG_BLK_DEV_DM=y

- add workaround for Debian bug #807000 (see
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)

  	 CONFIG_BLK_DEV_NVME=y

- compile NBD and RBD modules
	 CONFIG_BLK_DEV_NBD=m
	 CONFIG_BLK_DEV_RBD=m

- set LOOP_MIN_COUNT to 8 (debian defaults)
	 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8

- disable module signatures (CONFIG_MODULE_SIG)

- enable IBM JFS file system

  This is disabled in RHEL kernel for no real reason, so we enable
  it as requested by users (bug #64)

- enable apple HFS and HFSPLUS

  This is disabled in RHEL kernel for no real reason, so we enable
  it as requested by users

- enable CONFIG_BCACHE=m (requested by user)

- enable CONFIG_BRIDGE=y

  Else we get warnings on boot, that
  net.bridge.bridge-nf-call-iptables is an unknown key

- enable CONFIG_DEFAULT_SECURITY_APPARMOR

  We need this for lxc

- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y

  because if not set, it can give some dynamic memory or cpu frequencies 
  change, and vms can crash (mainly windows guest).

  see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273

- use 'deadline' as default scheduler

  This is the suggested setting for KVM. We also measure bad fsync
  performance with ext4 and cfq.

- disable CONFIG_INPUT_EVBUG

  Module evbug is not blacklisted on debian, so we simply disable it
  to avoid key-event logs (which is a big security problem)

- enable CONFIG_MODVERSIONS (needed for ABI tracking)

- switch default UNWINDER to FRAME_POINTER

  the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS

- enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)
Commit	Line	Data
ba2f1a67 FG	1	KERNEL SOURCE:
	2	==============
	3
	4	We currently use the Ubuntu kernel sources, available from:
	5
1e99f45b	6	http://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/
ba2f1a67 FG	7
	8	Ubuntu will maintain those kernels till:
	9
	10	https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
	11
	12
	13	Additional/Updated Modules:
	14	---------------------------
	15
	16	- include latest e1000e driver from intel/sourceforge
	17
	18	- include latest ixgbe driver from intel/sourceforge
	19
44403fcc	20	- include latest igb driver from intel/sourceforge
ba2f1a67 FG	21
	22	- include native OpenZFS filesystem kernel modules for Linux
	23
	24	* https://github.com/zfsonlinux/
	25
	26	For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ
	27
ba2f1a67	28
44403fcc FG	29	RELATED PACKAGES:
	30	=================
	31
	32	proxmox-ve
	33	----------
ba2f1a67	34
44403fcc	35	top level meta package, depends on current default kernel series meta package.
ba2f1a67	36
44403fcc	37	git clone git://git.proxmox.com/git/proxmox-ve.git
ba2f1a67	38
44403fcc FG	39	pve-kernel-meta
44403fcc FG	40	---------------
ba2f1a67	41
44403fcc	42	depends on latest kernel and header package within a certain kernel series,
1e99f45b	43	e.g., pve-kernel-4.15 / pve-headers-4.15
ba2f1a67	44
44403fcc	45	git clone git://git.proxmox.com/git/pve-kernel-meta.git
ba2f1a67	46
44403fcc FG	47	pve-firmware
44403fcc FG	48	------------
ba2f1a67	49
44403fcc	50	contains the firmware for all released PVE kernels.
ba2f1a67	51
44403fcc	52	git clone git://git.proxmox.com/git/pve-firmware.git
ba2f1a67	53
ba2f1a67	54
44403fcc FG	55	NOTES:
44403fcc FG	56	======
ba2f1a67	57
8b4e1fa9 SI	58	ABI versions, package versions and package name:
	59	------------------------------------------------
	60
	61	We follow debian's versioning w.r.t ABI changes:
	62
	63	https://kernel-team.pages.debian.net/kernel-handbook/ch-versions.html
	64	https://wiki.debian.org/DebianKernelABIChanges
	65
	66	The debian/rules file has a target comparing the build kernel's ABI against the
	67	version stored in the repository and indicates when an ABI bump is necessary.
	68	An ABI bump within one upstream version consists of incrementing the KREL
	69	variable in the Makefile, rebuilding the packages and running 'make abiupdate'
	70	(the 'abiupdate' target in 'Makefile' contains the steps for consistently
	71	updating the repository).
	72
ba2f1a67 FG	73	Watchdog blacklist
	74	------------------
	75
	76	By default, all watchdog modules are black-listed because it is totally undefined
	77	which device is actually used for /dev/watchdog.
	78	We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
	79	The user typically edit /etc/modules to enable a specific watchdog device.
	80
	81	Additional information
	82	----------------------
	83
	84	We use the default configuration provided by Ubuntu, and apply
44403fcc FG	85	the following modifications:
	86
	87	see debian/rules (PVE_CONFIG_OPTS)
	88
	89	- enable INTEL_MEI_WDT=m (to allow disabling via patch)
ba2f1a67	90
44403fcc FG	91	- disable CONFIG_SND_PCM_OSS (enabled by default in Ubuntu, not needed)
	92
	93	- switch CONFIG_TRANSPARENT_HUGEPAGE to MADVISE from ALWAYS
ba2f1a67 FG	94
	95	- enable CONFIG_CEPH_FS=m (request from user)
	96
	97	- enable common CONFIG_BLK_DEV_XXX to avoid hardware detection
0b82622c	98	problems (udev, update-initramfs have serious problems without that)
ba2f1a67 FG	99
	100	CONFIG_BLK_DEV_SD=y
	101	CONFIG_BLK_DEV_SR=y
	102	CONFIG_BLK_DEV_DM=y
	103
	104	- add workaround for Debian bug #807000 (see
	105	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)
	106
	107	CONFIG_BLK_DEV_NVME=y
	108
	109	- compile NBD and RBD modules
	110	CONFIG_BLK_DEV_NBD=m
	111	CONFIG_BLK_DEV_RBD=m
	112
	113	- set LOOP_MIN_COUNT to 8 (debian defaults)
	114	CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
	115
	116	- disable module signatures (CONFIG_MODULE_SIG)
44403fcc FG	117
44403fcc FG	118	- enable IBM JFS file system
ba2f1a67 FG	119
	120	This is disabled in RHEL kernel for no real reason, so we enable
	121	it as requested by users (bug #64)
	122
	123	- enable apple HFS and HFSPLUS
	124
	125	This is disabled in RHEL kernel for no real reason, so we enable
	126	it as requested by users
	127
	128	- enable CONFIG_BCACHE=m (requested by user)
	129
	130	- enable CONFIG_BRIDGE=y
	131
	132	Else we get warnings on boot, that
	133	net.bridge.bridge-nf-call-iptables is an unknown key
	134
	135	- enable CONFIG_DEFAULT_SECURITY_APPARMOR
	136
	137	We need this for lxc
44403fcc	138
ba2f1a67 FG	139	- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
	140
	141	because if not set, it can give some dynamic memory or cpu frequencies
	142	change, and vms can crash (mainly windows guest).
	143
	144	see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273
	145
	146	- use 'deadline' as default scheduler
	147
	148	This is the suggested setting for KVM. We also measure bad fsync
	149	performance with ext4 and cfq.
	150
	151	- disable CONFIG_INPUT_EVBUG
	152
	153	Module evbug is not blacklisted on debian, so we simply disable it
	154	to avoid key-event logs (which is a big security problem)
	155
44403fcc FG	156	- enable CONFIG_MODVERSIONS (needed for ABI tracking)
	157
	158	- switch default UNWINDER to FRAME_POINTER
ba2f1a67	159
44403fcc	160	the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS
ba2f1a67	161
44403fcc	162	- enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)