The Linux kernel is the core of the Linux operating system. The kernel controls all the central system functions and is the heart of your firewall system. Each distribution comes with its own specially designed version of the kernel, based on the feature set the designers wish to offer. Unlike many commercial operating systems, however, the kernel source itself is freely available, and you can download and create your own specialized versions.
Why should you build a custom kernel?
- The kernel developers are a great group that work tirelessly improving the operating system. Each new version brings literally thousands of bug fixes and enhancements that your system can benefit from.
- Streamline your system! When building a specialized system like a firewall, there are a lot of features your operating system doesn't need to support. Why waste memory and clock cycles running an operating system with multimedia and peripheral support that it will never use? Instead, a custom kernel will be extra efficient by supporting only the necessary hardware and features, allowing you to make the most of your resources.
- Patch in new features: lots of development is done outside the official kernel. Building your own allows you to add external patches for non-official features.
- Cutting edge technology: most distributions (including Debian) stick with the same kernel version for a prolonged period of time. This isn't a bad thing if you're looking for stability and support, but if you like the latest and greatest, the best way to get it is straight from the (kernel) source.
Why should you not build a custom kernel?
- The distribution kernels are usually expertly planned to be stable. While kernel developers do a great job fixing bugs, the cutting edge kernel releases are far from perfect. If you're not willing to accept some occasional bugs and down time, stick with a more mature and professional kernel build.
- If you're really new to Linux. Of course, you can't learn unless you try! And with proper caution, this is all perfectly safe. However, if you have no previous Linux experience, you may be well advised to spend a little time poking around with the generic system before you dive too deep.
- If you're not familiar with the hardware and software already in your system. Customizing the kernel requires you to pick and choose what features your system will support. If you don't know what elements you need, you won't have much of a chance designing a functional kernel.
You can always retrieve the latest source from the kernel website: http://www.kernel.org. The 2.6 branch is the latest, while the 2.4 branch is the previous series. I recommend 2.6 for all new systems. I also recommend running the "stable" releases, unless you really know what you're doing and are willing to report bugs to the developers. As of the time of this writing 2.6.15 is the current stable release.
First, we need to install some software that will be necessary to compile the kernel. Bzip2 is needed to unpack the source. libncurses5-dev is needed by the configuration menus. GCC and make are needed to compile the source.
Firewall:~# apt-get install bzip2
Firewall:~# apt-get install libncurses5-dev
Firewall:~# apt-get install gcc
Firewall:~# apt-get install make
Now we download the full source package (the "F" link on the source page). You should change the URL below to match the address for the current stable source package.
Firewall:~# cd /usr/src
Firewall:/usr/src# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.15.tar.bz2
Unpack the source (using the appropriate filename):
Firewall:/usr/src# tar -xjf linux-2.6.15.tar.bz2
Change into the source directory:
Firewall:/usr/src# cd linux-2.6.15
The kernel configuration is stored in the .config file. Luckily, the kernel comes with a handy text-based configuration menu which makes navigating the hundreds of options much simpler. To enter the menus, run "make menuconfig":
Firewall:/usr/src/linux-2.6.15# make menuconfig
Now you should be in a text-based menu. What you do from here is largely up to you. There's little point in attempting to cover all the options, as everyone will want a different configuration. Instead, here are some important guidelines and tips:
- There are two ways to include a feature in the kernel. All items can be built directly into the kernel by placing an asterisk next to the item [*]. Items preceded with angled brackets <> can also be built as modules. Modules can be dynamically loaded and unloaded, and are the preferred method of building device drivers and optional system components. To build as a module, place an <M> next to the item.
- When you wish to exclude an item from your kernel, simply clear the brackets next to it.
- Certain critical system features must be built directly into the kernel (not as modules)! Do not build support for any devices needed to boot the system as modules. This includes (but is not limited to) the motherboard, processor, IDE devices (hard drives), and the hard drive filesystems. If you use PCI controller cards for your drives, they need to be included too. Examples of optional system devices that can be built as modules are sound cards, network cards, video cards, firewall components, and any peripherals (printers, etc).
- By default, Debian 3.1 uses the ext3 filesystem for the system disks. This means you must build ext3 support directly into the kernel, or it will not boot. This is done by placing an asterisk [*] next to the ext3 option. Of course, if you chose a different filesystem at install time, you should select the appropriate filesystem support in your kernel.
- Do not uninstall the kernel that came with your distribution. Customizing kernels is prone to error and oversight, even if you've done it before. Always keep one known working kernel installed at all times. That way, if you make a mistake or find a bug and your new kernel won't boot, you can revert to the old kernel straight from the boot menu.
- Try working in steps. If you make major changes, it can be hard to track down an error. Start with a lot of features enabled and remove only a few functions at a time, so you can easily backtrack to a working version.
- Keep backup copies of your configuration files. Once you get a working kernel, simply copy the .config file to a safe place, and you can copy it back whenever you need it.
- The menuconfig includes help documentation for most of the items. If you're not sure what an entry does, try typing ? to access the help entry. If all else fails, Google it!
- You can easily tell what modules your original system is running by executing the "lsmod" program from the command line. This will, as the name suggests, list all the currently loaded modules. Keep in mind, this won't tell you which options are built directly into the stock kernel.
- The kernel doesn't just support hardware; software functions can be affected as well. For example, make sure to leave some iptables/netfilter options enabled. If you disable them, your firewall apps won't run!
- Give each kernel a custom name/version with the [General Setup>Local Version] option in the configuration.
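The boot and firewall tips above can be checked against a saved .config before you spend an hour compiling. The script below is an added example, not part of the original tutorial; the option names are the 2.6-series Kconfig symbols for ext3, IDE disks and netfilter/iptables, and the lists assume an IDE system disk formatted as ext3, so adjust them for your hardware.

```shell
# Added example, not from the original tutorial: check a .config against the tips above.
# Assumption: IDE system disk with ext3; edit the two lists for other setups.
BUILTIN_REQUIRED="CONFIG_EXT3_FS CONFIG_BLK_DEV_IDEDISK"   # needed to boot: must be =y
ENABLED_REQUIRED="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"  # =y or =m

# Print y, m or n for option $2 in file $1.
# Disabled options appear as "# CONFIG_FOO is not set" or are absent entirely.
config_value() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# Return 0 if the config meets both lists, 1 otherwise (one FAIL line per problem).
check_fw_config() {
    status=0
    for opt in $BUILTIN_REQUIRED; do
        v=$(config_value "$1" "$opt")
        if [ "$v" != "y" ]; then
            echo "FAIL: $opt=$v (boot-critical, must be built in with [*])"
            status=1
        fi
    done
    for opt in $ENABLED_REQUIRED; do
        v=$(config_value "$1" "$opt")
        case "$v" in
            y|m) ;;
            *) echo "FAIL: $opt=$v (firewall needs this as [*] or <M>)"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample: ext3 built as a module and iptables switched off.
sample_bad() {
cat <<'EOF'
CONFIG_EXT3_FS=m
CONFIG_BLK_DEV_IDEDISK=y
CONFIG_NETFILTER=y
# CONFIG_IP_NF_IPTABLES is not set
EOF
}

tmp=$(mktemp)
sample_bad > "$tmp"
check_fw_config "$tmp" || echo "Fix the options above before running make."
rm -f "$tmp"
```

On a real build, run check_fw_config /usr/src/linux-2.6.15/.config after leaving menuconfig.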
When you finish, exit the menu and save your configuration. You are now ready to compile the new kernel. This is done simply by running "make":
Firewall:/usr/src/linux-2.6.15# make
The kernel will now build. If you're using an old machine, this can take a while (an hour or two, depending on how large a kernel you're building). Once it finishes, first install the new modules:
Firewall:/usr/src/linux-2.6.15# make modules_install
Finally, install the kernel itself:
Firewall:/usr/src/linux-2.6.15# make install
Your new kernel has now been copied to the /boot directory and your modules are now in the /lib/modules directory. The final step is to update your bootloader. Debian uses the grub bootloader, and comes with a handy script that will take care of this for you:
Firewall:/usr/src/linux-2.6.15# update-grub
That's it! It's really that simple. Now just reboot your system, and choose the new kernel from the boot screen. If you get an error during booting, try to make note of the error message. Then select your original kernel from the boot prompt, and try again.
When you finish, you can save disk space by deleting the compiled binaries from the source directory. You should also do this after changing the configuration, before re-compiling the kernel.
Firewall:/usr/src/linux-2.6.15# make clean
Kernel updates come out frequently. When you wish to upgrade, download and extract the new source. Copy the .config into the new source directory. Then run "make oldconfig" against the new source:
Firewall:/usr/src/linux-2.6.15# make oldconfig
This command will prompt you for any new, relevant options that may have appeared in the new source, and will make sure your old configuration is appropriate for the new version. After this, simply make and install again.
Checking Installed Kernels: The kernel is installed in the /boot directory. To view your installed kernels, just list the contents:
Firewall:~# ls -l /boot
Removing Installed Kernels: The kernel is installed in the /boot directory, and the modules are installed in a version-specific directory in /lib/modules. To remove an installed kernel, just use rm. Replace *version* with the kernel name/version you wish to remove. (When building your kernel, giving each version a different name/number makes this much easier - see the tip above.) Never remove all kernels!
Firewall:~# rm /boot/*version*
Firewall:~# rm -r /lib/modules/*version*