[pve-kernel.git] / README

KERNEL SOURCE:
==============

We currently use the Ubuntu kernel sources, available from:

 http://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/

Ubuntu will maintain those kernels till:

 https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable


Additional/Updated Modules:
---------------------------

- include latest e1000e driver from intel/sourceforge

- include latest igb driver from intel/sourceforge

- include native OpenZFS filesystem kernel modules for Linux

  * https://github.com/zfsonlinux/

  For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ


SUBMODULE
=========

We track the current upstream repository as submodule. Besides obvious
advantages over tracking binary tar archives this also has some implications.

For building the submodule directory gets copied into build/ and a few patches
get applied with the `patch` tool. From a git point-of-view, the copied
directory remains clean even with extra patches applied since it does not
contain a .git directory, but a reference to the (still pristine) submodule:

$ cat build/ubuntu-bionic/.git

If you mistakenly cloned the upstream repo as "normal" clone (not via the
submodule mechanics) this means that you have a real .git directory with its
independent objects and tracking info when copying for building, thus git
operates on the copied directory - and "sees" that it was dirtied by `patch`,
and thus the kernel buildsystem sees this too and will add a '+' to the version
as a result. This changes the output directories for modules and other build
artefacts and let's then the build fail on packaging.

So always ensure that you really checked it out as submodule, not as full
"normal" clone. You can also explicitly set the LOCALVERSION variable to
undefined with: `export LOCALVERSION= but that should only be done for test
builds.

RELATED PACKAGES:
=================

proxmox-ve
----------

top level meta package, depends on current default kernel series meta package.

git clone git://git.proxmox.com/git/proxmox-ve.git

pve-kernel-meta
---------------

depends on latest kernel and header package within a certain kernel series,
e.g., pve-kernel-4.15 / pve-headers-4.15

git clone git://git.proxmox.com/git/pve-kernel-meta.git

pve-firmware
------------

contains the firmware for all released PVE kernels.

git clone git://git.proxmox.com/git/pve-firmware.git


NOTES:
======

ABI versions, package versions and package name:
------------------------------------------------

We follow debian's versioning w.r.t ABI changes:

https://kernel-team.pages.debian.net/kernel-handbook/ch-versions.html
https://wiki.debian.org/DebianKernelABIChanges

The debian/rules file has a target comparing the build kernel's ABI against the
version stored in the repository and indicates when an ABI bump is necessary.
An ABI bump within one upstream version consists of incrementing the KREL
variable in the Makefile, rebuilding the packages and running 'make abiupdate'
(the 'abiupdate' target in 'Makefile' contains the steps for consistently
updating the repository).

Watchdog blacklist
------------------

By default, all watchdog modules are black-listed because it is totally undefined
which device is actually used for /dev/watchdog.
We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
The user typically edit /etc/modules to enable a specific watchdog device.

Additional information
----------------------

We use the default configuration provided by Ubuntu, and apply
the following modifications:

NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)

- enable INTEL_MEI_WDT=m (to allow disabling via patch)

- disable CONFIG_SND_PCM_OSS (enabled by default in Ubuntu, not needed)

- switch CONFIG_TRANSPARENT_HUGEPAGE to MADVISE from ALWAYS

- enable CONFIG_CEPH_FS=m (request from user)

- enable common CONFIG_BLK_DEV_XXX to avoid hardware detection
  problems (udev, update-initramfs have serious problems without that)

  	 CONFIG_BLK_DEV_SD=y
  	 CONFIG_BLK_DEV_SR=y
  	 CONFIG_BLK_DEV_DM=y

- add workaround for Debian bug #807000 (see
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)

  	 CONFIG_BLK_DEV_NVME=y

- compile NBD and RBD modules
	 CONFIG_BLK_DEV_NBD=m
	 CONFIG_BLK_DEV_RBD=m

- enable IBM JFS file system as module

  enable it as requested by users (bug #64)

- enable apple HFS and HFSPLUS as module

  enable it as requested by users

- enable CONFIG_BCACHE=m (requested by user)

- enable CONFIG_BRIDGE=y

  Else we get warnings on boot, that
  net.bridge.bridge-nf-call-iptables is an unknown key

- enable CONFIG_DEFAULT_SECURITY_APPARMOR

  We need this for lxc

- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y

  because if not set, it can give some dynamic memory or cpu frequencies 
  change, and vms can crash (mainly windows guest).

  see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273

- use 'deadline' as default scheduler

  This is the suggested setting for KVM. We also measure bad fsync
  performance with ext4 and cfq.

- disable CONFIG_INPUT_EVBUG

  Module evbug is not blacklisted on debian, so we simply disable it
  to avoid key-event logs (which is a big security problem)

- enable CONFIG_MODVERSIONS (needed for ABI tracking)

- switch default UNWINDER to FRAME_POINTER

  the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS

- enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)
Commit	Line	Data
	1	KERNEL SOURCE:
	2	==============
	3
	4	We currently use the Ubuntu kernel sources, available from:
	5
	6	http://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/
	7
	8	Ubuntu will maintain those kernels till:
	9
	10	https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
	11
	12
	13	Additional/Updated Modules:
	14	---------------------------
	15
	16	- include latest e1000e driver from intel/sourceforge
	17
	18	- include latest igb driver from intel/sourceforge
	19
	20	- include native OpenZFS filesystem kernel modules for Linux
	21
	22	* https://github.com/zfsonlinux/
	23
	24	For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ
	25
	26
	27	SUBMODULE
	28	=========
	29
	30	We track the current upstream repository as submodule. Besides obvious
	31	advantages over tracking binary tar archives this also has some implications.
	32
	33	For building the submodule directory gets copied into build/ and a few patches
	34	get applied with the `patch` tool. From a git point-of-view, the copied
	35	directory remains clean even with extra patches applied since it does not
	36	contain a .git directory, but a reference to the (still pristine) submodule:
	37
	38	$ cat build/ubuntu-bionic/.git
	39
	40	If you mistakenly cloned the upstream repo as "normal" clone (not via the
	41	submodule mechanics) this means that you have a real .git directory with its
	42	independent objects and tracking info when copying for building, thus git
	43	operates on the copied directory - and "sees" that it was dirtied by `patch`,
	44	and thus the kernel buildsystem sees this too and will add a '+' to the version
	45	as a result. This changes the output directories for modules and other build
	46	artefacts and let's then the build fail on packaging.
	47
	48	So always ensure that you really checked it out as submodule, not as full
	49	"normal" clone. You can also explicitly set the LOCALVERSION variable to
	50	undefined with: `export LOCALVERSION= but that should only be done for test
	51	builds.
	52
	53	RELATED PACKAGES:
	54	=================
	55
	56	proxmox-ve
	57	----------
	58
	59	top level meta package, depends on current default kernel series meta package.
	60
	61	git clone git://git.proxmox.com/git/proxmox-ve.git
	62
	63	pve-kernel-meta
	64	---------------
	65
	66	depends on latest kernel and header package within a certain kernel series,
	67	e.g., pve-kernel-4.15 / pve-headers-4.15
	68
	69	git clone git://git.proxmox.com/git/pve-kernel-meta.git
	70
	71	pve-firmware
	72	------------
	73
	74	contains the firmware for all released PVE kernels.
	75
	76	git clone git://git.proxmox.com/git/pve-firmware.git
	77
	78
	79	NOTES:
	80	======
	81
	82	ABI versions, package versions and package name:
	83	------------------------------------------------
	84
	85	We follow debian's versioning w.r.t ABI changes:
	86
	87	https://kernel-team.pages.debian.net/kernel-handbook/ch-versions.html
	88	https://wiki.debian.org/DebianKernelABIChanges
	89
	90	The debian/rules file has a target comparing the build kernel's ABI against the
	91	version stored in the repository and indicates when an ABI bump is necessary.
	92	An ABI bump within one upstream version consists of incrementing the KREL
	93	variable in the Makefile, rebuilding the packages and running 'make abiupdate'
	94	(the 'abiupdate' target in 'Makefile' contains the steps for consistently
	95	updating the repository).
	96
	97	Watchdog blacklist
	98	------------------
	99
	100	By default, all watchdog modules are black-listed because it is totally undefined
	101	which device is actually used for /dev/watchdog.
	102	We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
	103	The user typically edit /etc/modules to enable a specific watchdog device.
	104
	105	Additional information
	106	----------------------
	107
	108	We use the default configuration provided by Ubuntu, and apply
	109	the following modifications:
	110
	111	NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)
	112
	113	- enable INTEL_MEI_WDT=m (to allow disabling via patch)
	114
	115	- disable CONFIG_SND_PCM_OSS (enabled by default in Ubuntu, not needed)
	116
	117	- switch CONFIG_TRANSPARENT_HUGEPAGE to MADVISE from ALWAYS
	118
	119	- enable CONFIG_CEPH_FS=m (request from user)
	120
	121	- enable common CONFIG_BLK_DEV_XXX to avoid hardware detection
	122	problems (udev, update-initramfs have serious problems without that)
	123
	124	CONFIG_BLK_DEV_SD=y
	125	CONFIG_BLK_DEV_SR=y
	126	CONFIG_BLK_DEV_DM=y
	127
	128	- add workaround for Debian bug #807000 (see
	129	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)
	130
	131	CONFIG_BLK_DEV_NVME=y
	132
	133	- compile NBD and RBD modules
	134	CONFIG_BLK_DEV_NBD=m
	135	CONFIG_BLK_DEV_RBD=m
	136
	137	- enable IBM JFS file system as module
	138
	139	enable it as requested by users (bug #64)
	140
	141	- enable apple HFS and HFSPLUS as module
	142
	143	enable it as requested by users
	144
	145	- enable CONFIG_BCACHE=m (requested by user)
	146
	147	- enable CONFIG_BRIDGE=y
	148
	149	Else we get warnings on boot, that
	150	net.bridge.bridge-nf-call-iptables is an unknown key
	151
	152	- enable CONFIG_DEFAULT_SECURITY_APPARMOR
	153
	154	We need this for lxc
	155
	156	- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
	157
	158	because if not set, it can give some dynamic memory or cpu frequencies
	159	change, and vms can crash (mainly windows guest).
	160
	161	see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273
	162
	163	- use 'deadline' as default scheduler
	164
	165	This is the suggested setting for KVM. We also measure bad fsync
	166	performance with ext4 and cfq.
	167
	168	- disable CONFIG_INPUT_EVBUG
	169
	170	Module evbug is not blacklisted on debian, so we simply disable it
	171	to avoid key-event logs (which is a big security problem)
	172
	173	- enable CONFIG_MODVERSIONS (needed for ABI tracking)
	174
	175	- switch default UNWINDER to FRAME_POINTER
	176
	177	the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS
	178
	179	- enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)