[pve-kernel.git] / README

KERNEL SOURCE:
==============

We currently use the Ubuntu kernel sources, available from our mirror:

 https://git.proxmox.com/?p=mirror_ubuntu-kernels.git;a=summary

Ubuntu will maintain those kernels till:

 https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
 or
 https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table

 whatever happens to be earlier.


Additional/Updated Modules:
---------------------------

- include native OpenZFS filesystem kernel modules for Linux

  * https://github.com/zfsonlinux/

  For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ


BUILD
=====

As this is packaging for the Linux kernel with some extra integrations, like
ZFS, this repo cannot be handled like a plain Linux kernel git repository.

The actual Linux kernel source lives in a git submodule.

For a build you should init the submodules and then handle it like most our
Debian packaging builds. If unsure you can follow this:

Installing Build-Dependencies
-----------------------------

You can either just check the package metadata template `debian/control.in`
and install the packages listed in the `Build-Depends` section manually
(replace `debhelper-compat` with just `debhelper`) or use a more automated way
described below:

 # install base build-dependencies and helpers
 apt update
 apt install devscripts

 # create build-directory so that we got final packaging control files from the
 # .in templates generated
 make build-dir-fresh

 # install build-dependencies (replace BUILD-DIR with actual one)
 mk-build-deps -ir BUILD-DIR/debian/control


Package Build
-------------

 # start the actual build
 make deb

For simple KConfig modifications you can adapt the list in `debian/rules` file.
For quick code changes to the actual kernel code you can do them directly in
the submodule/ubuntu-kernels directory, then re-create the build-directory, e.g.:

 make clean
 # now build again, explicitly creating the build-dir isn't required anymore
 # after one has the build-dependencies already installed.
 make deb


Modify-Build-Test Cycles
------------------------

Ideally you avoid the need for doing a full package build and just directly
build linux from the ubuntu-kernels or the mainline (stable) repo with copying
over a build-config of a proxmox-kernel to that as .config and then using the
`make olddefconfig` target.

If you need full package builds you can try to make changes inside the
BUILD-DIR directly and then continue build from there, e.g., using
`dpkg-buildpackage -b -uc -us --no-pre-clean`. Depending on what stage you want
to continue build you might need to touch, or remove some *.prepared files.
Just check `debian/rules` for how kernel build progress is tracked by make.

SUBMODULE
=========

We track the current upstream repository as submodule. Besides obvious
advantages over tracking binary tar archives this also has some implications.

For building the submodule directory gets copied into build/ and a few patches
get applied with the `patch` tool. From a git point-of-view, the copied
directory remains clean even with extra patches applied since it does not
contain a .git directory, but a reference to the (still pristine) submodule:

$ cat build/ubuntu-kernel/.git

If you mistakenly cloned the upstream repo as "normal" clone (not via the
submodule mechanics) this means that you have a real .git directory with its
independent objects and tracking info when copying for building, thus git
operates on the copied directory - and "sees" that it was dirtied by `patch`,
and thus the kernel buildsystem sees this too and will add a '+' to the version
as a result. This changes the output directories for modules and other build
artefacts and let's then the build fail on packaging.

So always ensure that you really checked it out as submodule, not as full
"normal" clone. You can also explicitly set the LOCALVERSION variable to
undefined with: `export LOCALVERSION= but that should only be done for test
builds.

RELATED PACKAGES:
=================

proxmox-ve
----------

top level meta package, depends on current default kernel series meta package.

git clone git://git.proxmox.com/git/proxmox-ve.git

proxmox-default-kernel
----------------------

Depends on default kernel and header meta package, e.g., proxmox-kernel-6.2 /
proxmox-headers-6.2.

git clone git://git.proxmox.com/git/pve-kernel-meta.git

proxmox-kernel-X.Y
------------------

Depends on the latest kernel (or header, in case of proxmox-headers-X.Y)
package within a certain series.

e.g., proxmox-kernel-6.2 depends on proxmox-kernel-6.2.16-6-pve

NOTE: Since Proxmox VE 8, based on Debian 12 Bookworm, the kernel ABI is bumped
with every version bump due to module signing. Since then the meta package was
pulled into the kernel repo, before that it lived in pve-kernel-meta.git.

pve-firmware
------------

Contains the firmware for all released PVE kernels.

git clone git://git.proxmox.com/git/pve-firmware.git


NOTES:
======

ABI versions, package versions and package name:
------------------------------------------------

We follow debian's versioning w.r.t ABI changes:

https://kernel-team.pages.debian.net/kernel-handbook/ch-versions.html
https://wiki.debian.org/DebianKernelABIChanges

The debian/rules file has a target comparing the build kernel's ABI against the
version stored in the repository and indicates when an ABI bump is necessary.
An ABI bump within one upstream version consists of incrementing the KREL
variable in the Makefile, rebuilding the packages and running 'make abiupdate'
(the 'abiupdate' target in 'Makefile' contains the steps for consistently
updating the repository).

Watchdog blacklist
------------------

By default, all watchdog modules are black-listed because it is totally undefined
which device is actually used for /dev/watchdog.
We ship this list in /lib/modprobe.d/blacklist_proxmox-kernel-<VERSION>.conf
The user typically edit /etc/modules to enable a specific watchdog device.

Debug kernel and modules
------------------------

In order to build a -dbgsym package containing an unstripped copy of the kernel
image and modules, enable the 'pkg.proxmox-kernel.debug' build profile (e.g. by
exporting DEB_BUILD_PROFILES='pkg.proxmox-kernel.debug'). The resulting package can
be used together with 'crash'/'kdump-tools' to debug kernel crashes.

Note: the -dbgsym package is only valid for the proxmox-kernel packages produced by
the same build. A kernel/module from a different build will likely not match,
even if both builds are of the same kernel and package version.

Additional information
----------------------

We use the default configuration provided by Ubuntu, and apply
the following modifications:

NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)

- enable INTEL_MEI_WDT=m (to allow disabling via patch)

- disable CONFIG_SND_PCM_OSS (enabled by default in Ubuntu, not needed)

- switch CONFIG_TRANSPARENT_HUGEPAGE to MADVISE from ALWAYS

- enable CONFIG_CEPH_FS=m (request from user)

- enable common CONFIG_BLK_DEV_XXX to avoid hardware detection
  problems (udev, update-initramfs have serious problems without that)

  	 CONFIG_BLK_DEV_SD=y
  	 CONFIG_BLK_DEV_SR=y
  	 CONFIG_BLK_DEV_DM=y

- compile NBD and RBD modules
	 CONFIG_BLK_DEV_NBD=m
	 CONFIG_BLK_DEV_RBD=m

- enable IBM JFS file system as module
  requested by users (bug #64)

- enable apple HFS and HFSPLUS as module
  requested by users

- enable CONFIG_BCACHE=m (requested by user)

- enable CONFIG_BRIDGE=y
  to avoid warnings on boot, e.g. that net.bridge.bridge-nf-call-iptables is an unknown key

- enable CONFIG_DEFAULT_SECURITY_APPARMOR
  We need this for lxc

- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
  because if not set, it can give some dynamic memory or cpu frequencies 
  change, and vms can crash (mainly windows guest).
  see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273

- use 'deadline' as default scheduler
  This is the suggested setting for KVM. We also measure bad fsync performance with ext4 and cfq.

- disable CONFIG_INPUT_EVBUG
  Module evbug is not blacklisted on debian, so we simply disable it to avoid
  key-event logs (which is a big security problem)

- enable CONFIG_MODVERSIONS (needed for ABI tracking)

- switch default UNWINDER to FRAME_POINTER
  the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS

- enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)
Commit	Line	Data
ba2f1a67 FG	1	KERNEL SOURCE:
	2	==============
	3
d53796d6	4	We currently use the Ubuntu kernel sources, available from our mirror:
ba2f1a67	5
d53796d6	6	https://git.proxmox.com/?p=mirror_ubuntu-kernels.git;a=summary
ba2f1a67 FG	7
	8	Ubuntu will maintain those kernels till:
	9
	10	https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
5d602710 TL	11	or
	12	https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table
	13
	14	whatever happens to be earlier.
ba2f1a67 FG	15
	16
	17	Additional/Updated Modules:
	18	---------------------------
	19
ba2f1a67 FG	20	- include native OpenZFS filesystem kernel modules for Linux
	21
	22	* https://github.com/zfsonlinux/
	23
	24	For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ
	25
ba2f1a67	26
5ba48a84 TL	27	BUILD
	28	=====
	29
	30	As this is packaging for the Linux kernel with some extra integrations, like
	31	ZFS, this repo cannot be handled like a plain Linux kernel git repository.
	32
	33	The actual Linux kernel source lives in a git submodule.
	34
	35	For a build you should init the submodules and then handle it like most our
	36	Debian packaging builds. If unsure you can follow this:
	37
	38	Installing Build-Dependencies
	39	-----------------------------
	40
	41	You can either just check the package metadata template `debian/control.in`
	42	and install the packages listed in the `Build-Depends` section manually
	43	(replace `debhelper-compat` with just `debhelper`) or use a more automated way
	44	described below:
	45
	46	# install base build-dependencies and helpers
	47	apt update
	48	apt install devscripts
	49
	50	# create build-directory so that we got final packaging control files from the
	51	# .in templates generated
	52	make build-dir-fresh
	53
	54	# install build-dependencies (replace BUILD-DIR with actual one)
	55	mk-build-deps -ir BUILD-DIR/debian/control
	56
	57
	58	Package Build
	59	-------------
	60
	61	# start the actual build
	62	make deb
	63
	64	For simple KConfig modifications you can adapt the list in `debian/rules` file.
	65	For quick code changes to the actual kernel code you can do them directly in
	66	the submodule/ubuntu-kernels directory, then re-create the build-directory, e.g.:
	67
	68	make clean
	69	# now build again, explicitly creating the build-dir isn't required anymore
	70	# after one has the build-dependencies already installed.
	71	make deb
	72
	73
	74	Modify-Build-Test Cycles
	75	------------------------
	76
	77	Ideally you avoid the need for doing a full package build and just directly
	78	build linux from the ubuntu-kernels or the mainline (stable) repo with copying
	79	over a build-config of a proxmox-kernel to that as .config and then using the
	80	`make olddefconfig` target.
	81
	82	If you need full package builds you can try to make changes inside the
	83	BUILD-DIR directly and then continue build from there, e.g., using
	84	`dpkg-buildpackage -b -uc -us --no-pre-clean`. Depending on what stage you want
	85	to continue build you might need to touch, or remove some *.prepared files.
	86	Just check `debian/rules` for how kernel build progress is tracked by make.
	87
fd921db9 TL	88	SUBMODULE
	89	=========
	90
	91	We track the current upstream repository as submodule. Besides obvious
	92	advantages over tracking binary tar archives this also has some implications.
	93
	94	For building the submodule directory gets copied into build/ and a few patches
	95	get applied with the `patch` tool. From a git point-of-view, the copied
	96	directory remains clean even with extra patches applied since it does not
	97	contain a .git directory, but a reference to the (still pristine) submodule:
	98
d53796d6	99	$ cat build/ubuntu-kernel/.git
fd921db9 TL	100
	101	If you mistakenly cloned the upstream repo as "normal" clone (not via the
	102	submodule mechanics) this means that you have a real .git directory with its
	103	independent objects and tracking info when copying for building, thus git
	104	operates on the copied directory - and "sees" that it was dirtied by `patch`,
	105	and thus the kernel buildsystem sees this too and will add a '+' to the version
	106	as a result. This changes the output directories for modules and other build
	107	artefacts and let's then the build fail on packaging.
	108
	109	So always ensure that you really checked it out as submodule, not as full
	110	"normal" clone. You can also explicitly set the LOCALVERSION variable to
	111	undefined with: `export LOCALVERSION= but that should only be done for test
	112	builds.
	113
44403fcc FG	114	RELATED PACKAGES:
	115	=================
	116
	117	proxmox-ve
	118	----------
ba2f1a67	119
44403fcc	120	top level meta package, depends on current default kernel series meta package.
ba2f1a67	121
44403fcc	122	git clone git://git.proxmox.com/git/proxmox-ve.git
ba2f1a67	123
25b7be41 FG	124	proxmox-default-kernel
25b7be41 FG	125	----------------------
ba2f1a67	126
25b7be41 FG	127	Depends on default kernel and header meta package, e.g., proxmox-kernel-6.2 /
25b7be41 FG	128	proxmox-headers-6.2.
ba2f1a67	129
44403fcc	130	git clone git://git.proxmox.com/git/pve-kernel-meta.git
ba2f1a67	131
25b7be41 FG	132	proxmox-kernel-X.Y
	133	------------------
	134
	135	Depends on the latest kernel (or header, in case of proxmox-headers-X.Y)
	136	package within a certain series.
	137
	138	e.g., proxmox-kernel-6.2 depends on proxmox-kernel-6.2.16-6-pve
	139
5ba48a84 TL	140	NOTE: Since Proxmox VE 8, based on Debian 12 Bookworm, the kernel ABI is bumped
	141	with every version bump due to module signing. Since then the meta package was
	142	pulled into the kernel repo, before that it lived in pve-kernel-meta.git.
	143
44403fcc FG	144	pve-firmware
44403fcc FG	145	------------
ba2f1a67	146
d53796d6	147	Contains the firmware for all released PVE kernels.
ba2f1a67	148
44403fcc	149	git clone git://git.proxmox.com/git/pve-firmware.git
ba2f1a67	150
ba2f1a67	151
44403fcc FG	152	NOTES:
44403fcc FG	153	======
ba2f1a67	154
8b4e1fa9 SI	155	ABI versions, package versions and package name:
	156	------------------------------------------------
	157
	158	We follow debian's versioning w.r.t ABI changes:
	159
	160	https://kernel-team.pages.debian.net/kernel-handbook/ch-versions.html
	161	https://wiki.debian.org/DebianKernelABIChanges
	162
	163	The debian/rules file has a target comparing the build kernel's ABI against the
	164	version stored in the repository and indicates when an ABI bump is necessary.
	165	An ABI bump within one upstream version consists of incrementing the KREL
	166	variable in the Makefile, rebuilding the packages and running 'make abiupdate'
	167	(the 'abiupdate' target in 'Makefile' contains the steps for consistently
	168	updating the repository).
	169
ba2f1a67 FG	170	Watchdog blacklist
	171	------------------
	172
	173	By default, all watchdog modules are black-listed because it is totally undefined
	174	which device is actually used for /dev/watchdog.
25b7be41	175	We ship this list in /lib/modprobe.d/blacklist_proxmox-kernel-<VERSION>.conf
ba2f1a67 FG	176	The user typically edit /etc/modules to enable a specific watchdog device.
ba2f1a67 FG	177
1a9e23ff FG	178	Debug kernel and modules
	179	------------------------
	180
	181	In order to build a -dbgsym package containing an unstripped copy of the kernel
25b7be41 FG	182	image and modules, enable the 'pkg.proxmox-kernel.debug' build profile (e.g. by
25b7be41 FG	183	exporting DEB_BUILD_PROFILES='pkg.proxmox-kernel.debug'). The resulting package can
1a9e23ff FG	184	be used together with 'crash'/'kdump-tools' to debug kernel crashes.
1a9e23ff FG	185
25b7be41	186	Note: the -dbgsym package is only valid for the proxmox-kernel packages produced by
1a9e23ff FG	187	the same build. A kernel/module from a different build will likely not match,
	188	even if both builds are of the same kernel and package version.
	189
ba2f1a67 FG	190	Additional information
	191	----------------------
	192
	193	We use the default configuration provided by Ubuntu, and apply
44403fcc FG	194	the following modifications:
44403fcc FG	195
043808ec	196	NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)
44403fcc FG	197
44403fcc FG	198	- enable INTEL_MEI_WDT=m (to allow disabling via patch)
ba2f1a67	199
44403fcc FG	200	- disable CONFIG_SND_PCM_OSS (enabled by default in Ubuntu, not needed)
	201
	202	- switch CONFIG_TRANSPARENT_HUGEPAGE to MADVISE from ALWAYS
ba2f1a67 FG	203
	204	- enable CONFIG_CEPH_FS=m (request from user)
	205
	206	- enable common CONFIG_BLK_DEV_XXX to avoid hardware detection
0b82622c	207	problems (udev, update-initramfs have serious problems without that)
ba2f1a67 FG	208
	209	CONFIG_BLK_DEV_SD=y
	210	CONFIG_BLK_DEV_SR=y
	211	CONFIG_BLK_DEV_DM=y
	212
ba2f1a67 FG	213	- compile NBD and RBD modules
	214	CONFIG_BLK_DEV_NBD=m
	215	CONFIG_BLK_DEV_RBD=m
	216
043808ec	217	- enable IBM JFS file system as module
5d602710	218	requested by users (bug #64)
ba2f1a67	219
043808ec	220	- enable apple HFS and HFSPLUS as module
5d602710	221	requested by users
ba2f1a67 FG	222
	223	- enable CONFIG_BCACHE=m (requested by user)
	224
	225	- enable CONFIG_BRIDGE=y
5d602710	226	to avoid warnings on boot, e.g. that net.bridge.bridge-nf-call-iptables is an unknown key
ba2f1a67 FG	227
ba2f1a67 FG	228	- enable CONFIG_DEFAULT_SECURITY_APPARMOR
ba2f1a67	229	We need this for lxc
44403fcc	230
ba2f1a67	231	- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
ba2f1a67 FG	232	because if not set, it can give some dynamic memory or cpu frequencies
ba2f1a67 FG	233	change, and vms can crash (mainly windows guest).
ba2f1a67 FG	234	see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273
	235
	236	- use 'deadline' as default scheduler
5d602710	237	This is the suggested setting for KVM. We also measure bad fsync performance with ext4 and cfq.
ba2f1a67 FG	238
ba2f1a67 FG	239	- disable CONFIG_INPUT_EVBUG
5d602710 TL	240	Module evbug is not blacklisted on debian, so we simply disable it to avoid
5d602710 TL	241	key-event logs (which is a big security problem)
ba2f1a67	242
44403fcc FG	243	- enable CONFIG_MODVERSIONS (needed for ABI tracking)
	244
	245	- switch default UNWINDER to FRAME_POINTER
44403fcc	246	the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS
ba2f1a67	247
44403fcc	248	- enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)