From b1f78adfe84a641cab003b115de54328d634e13f Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Fri, 23 Feb 2018 14:11:23 +0000 Subject: core dracut back to reboot --- core/reboot.html | 46 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) (limited to 'core/reboot.html') diff --git a/core/reboot.html b/core/reboot.html index aa45a0f..d8793a6 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -31,7 +31,7 @@ /bin/bash --login -

1.4.1. Port kernel

+

1.4.1. Kernel

Core ports have two linux kernels, @@ -54,7 +54,48 @@ # pkgadd /usr/ports/packages/linux-libre#4.9.11-2.pkg.tar.gz -

1.4.3. Configuring Grub2

+

1.4.2. Initram

+ +

Install dracut;

+ + 
+        # cd /usr/ports/c9-ports/dracut
+        # pkgmk -d
+        # pkgadd /usr/ports/packages/dracut#044-2.pkg.tar.gz
+
+ +

Review configuration file;

+ + 
+        # PUT YOUR CONFIG IN separate files
+        # in /etc/dracut.conf.d named ".conf"
+
+        # Equivalent to -H
+        hostonly="yes"
+
+        # Mount / and /usr read-only by default.
+        ro_mnt="no"
+
+        # Equivalent to -m "module module module"
+        dracutmodules+="dash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown"
+
+        # Equivalent to -a "module"
+        add_dracutmodules+="caps debug"
+
+        # Equivalent to -o "module"
+        #omit_dracutmodules+="systemd systemd-bootchart systemd-networkd systemd-initrd"
+
+        # SEE man dracut.conf(5) for options
+
+ +

Run dracut to create init ram filesystem for + port linux-blob kernel;

+ + 
+        # dracut -v /boot/initramfs-4.9.9-blob.img 4.9.9-blob
+
+ +

1.4.3. Grub

Create grub file in /etc/default/grub with values;

@@ -127,6 +168,7 @@ linux (loop)/boot/vmlinuz64 loglevel=3 cde initrd (loop)/boot/corepure64.gz } +

1.4.4. Checkup

-- cgit 1.4.1-2-gfad0 From d2a0dfc5173d2a28dab2dde89280c154755f876c Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Thu, 8 Mar 2018 18:21:30 +0000 Subject: core reboot and linux revision --- core/index.html | 2 +- core/linux.html | 61 ++++++++++++++++++++------------------------------------ core/reboot.html | 44 +++++++++++++++++++--------------------- 3 files changed, 44 insertions(+), 63 deletions(-) (limited to 'core/reboot.html') diff --git a/core/index.html b/core/index.html index 7a1d21e..5b6ec2d 100644 --- a/core/index.html +++ b/core/index.html @@ -62,7 +62,7 @@ diff --git a/core/linux.html b/core/linux.html index 94c98f0..d98507a 100644 --- a/core/linux.html +++ b/core/linux.html @@ -7,6 +7,7 @@ Core OS Index +

2.1. Kernel Linux

Linux is a monolith kernel, a big one ! Visit @@ -18,12 +19,13 @@

2.1.1. Port Linux Libre

Default crux configuration can be obtained from iso, - kernel port depends on dracut and grub - but is not required to install them. To build and install this port - using prt-get;

+ kernel port don't depend on + dracut and grub2 + is recommended to install them. To build and install this port + use prt-get;

-        $ prt-get depinst linux-libre
+        $ prt-get depinst linux-gnu

2.1.2. Manual Install

@@ -32,46 +34,27 @@ linux libre, or using the port system;

-

Crux iso comes with config that is more generic than used on - linux-libre port, crux default is a good starting point to - personalize according to your needs (build default, detect modules - needed);

+

Linux-gnu port comes with default config that is a good starting + point to personalize according to your needs.

         $ mkdir ~/kernel
         $ cd ~/kernel
-        $ tar xf /usr/ports/distfiles/linux-libre-4.9.12-grsec.tar.xz
-        $ cd linux-4.9.12/
+        $ cd linux-4.9.86/
-

Grsecurity patch for - 4.9.12. - Gcc graysky2 kernel_gcc_patch (master.zip) - that adds more cpu options (FLAGS native). - Check Pkgfile - for instructions and more patches used on linux-libre port. - Read patching your kernel with - gresecurity.

- -

Apply grsecurity patch;

- - 
-        $ patch -p1 < ../grsecurity-3.1-4.9.12-201702231830.patch
-
- -

Set correct version;

- - 
-        $ rm localversion-grsec
-
+

Gcc graysky2 kernel_gcc_patch (master.zip) + that adds more cpu options (FLAGS) for native builds. + Check Pkgfile + for instructions how linux-gnu port is built.

-

Edit Makefile and replace EXTRAVERSION;

+

Check version on Makefile;

         VERSION = 4
         PATCHLEVEL = 9
-        SUBLEVEL = 12
-        EXTRAVERSION = -grsec
+        SUBLEVEL = 86
+        EXTRAVERSION = -gnu
         NAME = Roaring Lionus
@@ -272,8 +255,8 @@ 
         $ make -j $(nproc) bzImage modules
         $ sudo make modules_install
-        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.12-grsec
-        $ sudo cp System.map /boot/System.map-4.9.12-grsec
+        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
+        $ sudo cp System.map /boot/System.map-4.9.86-gnu

Update grub;

@@ -285,14 +268,14 @@

2.1.3. Manual Remove

-        $ sudo rm -r /lib/modules/4.9.12-grsec
-        $ sudo rm /boot/vmlinuz-4.9.12-grsec
-        $ sudo rm /boot/System.map-4.9.12-grsec
+        $ sudo rm -r /lib/modules/4.9.86-gnu
+        $ sudo rm /boot/vmlinuz-4.9.86-gnu
+        $ sudo rm /boot/System.map-4.9.86-gnu
Core OS Index

This is part of the c9-doc Manual. - Copyright (C) 2017 + Copyright (C) 2018 c9 team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/reboot.html b/core/reboot.html index d8793a6..210c20f 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -33,28 +33,26 @@

1.4.1. Kernel

-

Core ports have two - linux kernels, - linux-libre and - linux-blob. - Port linux-libre kernel is a true source based kernel that - respects your freedoms, is x86_64 but not generic configured, - select modules (drivers) for your hardware, for example - correct graphic driver and disk. Port linux-blob is dangerous, - contain blobs (from bad corporations).

- -

Both ports apply grsecurity patch and are configured in - a way that break building some packages and have performance - impact in building process. Solution is to have several kernels, - production, testing, debug with one of them without grsecurity.

- - 
-        # cd /usr/ports/c9-ports/linux-libre
+        
There is possible to install kernel using a port,
+        c9-ports have a linux-gnu
+        port for that. Linux-gnu kernel is a true source based kernel that
+        respects your freedoms, is x86_64 and generic configured. Read
+        linux kernel for more information.

+
+        
If you don't have the binary package;

+
+        
+        # cd /usr/ports/c9-ports/linux-gnu
         # pkgmk -d
-        # pkgadd /usr/ports/packages/linux-libre#4.9.11-2.pkg.tar.gz
         

 
-        
1.4.2. Initram

+        
Install kernel;

+
+        
+        # pkgadd /usr/ports/packages/linux-gnu#4.9.86-2.pkg.tar.gz
+        

+
+        
1.4.2. Dracut

 
         
Install dracut;

 
@@ -92,7 +90,7 @@
         port linux-blob kernel;

 
         
-        # dracut -v /boot/initramfs-4.9.9-blob.img 4.9.9-blob
+        # dracut -v /boot/initramfs-4.9.86-gnu.img 4.9.86-gnu
         

 
         
1.4.3. Grub

@@ -126,8 +124,8 @@
         
         # grub-mkconfig -o /boot/grub/grub.cfg
         Generating grub.cfg ...
-        Found linux image: /boot/vmlinuz-4.1.30-crux
-        Found initrd image: /boot/initramfs-4.1.30-crux.img
+        Found linux image: /boot/vmlinuz-4.9.86-gnu
+        Found initrd image: /boot/initramfs-4.9.86-gnu.img
         done
         #
         

@@ -184,7 +182,7 @@
         
Debug initram

 
         
-        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.11-blob.img | gunzip -c | cpio -i -d
+        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.86-gnu.img | gunzip -c | cpio -i -d
         36875 blocks
         

 
-- 
cgit 1.4.1-2-gfad0


From 29cb6d06ec42e1723bc6f89d6accdf8899b53e95 Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Thu, 8 Mar 2018 19:10:53 +0000
Subject: core linux and reboot revision

---
 core/linux.html  |  7 +++----
 core/reboot.html | 14 +++++++-------
 2 files changed, 10 insertions(+), 11 deletions(-)

(limited to 'core/reboot.html')

diff --git a/core/linux.html b/core/linux.html
index d98507a..3be6d77 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -19,10 +19,9 @@
         
2.1.1. Port Linux Libre

 
         
Default crux configuration can be obtained from iso,
-        kernel port don't depend on
-        dracut and grub2
-        is recommended to install them. To build and install this port
-        use prt-get;

+        kernel port depend on dracut, grub2
+        and grub2-efi. You don't need them to build with pkgmk, to install
+        boot related tools use prt-get;

 
         
         $ prt-get depinst linux-gnu
diff --git a/core/reboot.html b/core/reboot.html
index 210c20f..c7e8d9c 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -34,12 +34,12 @@
         
1.4.1. Kernel

 
         
There is possible to install kernel using a port,
-        c9-ports have a linux-gnu
-        port for that. Linux-gnu kernel is a true source based kernel that
-        respects your freedoms, is x86_64 and generic configured. Read
-        linux kernel for more information.

+        c9-ports have linux-gnu
+        port of linux libre,a true source based kernel that
+        respects your freedoms. Read linux kernel 
+        for more information.

 
-        
If you don't have the binary package;

+        
If you don't have the port binary package build it;

 
         
         # cd /usr/ports/c9-ports/linux-gnu
@@ -69,7 +69,7 @@
         # in /etc/dracut.conf.d named ".conf"
 
         # Equivalent to -H
-        hostonly="yes"
+        hostonly="no"
 
         # Mount / and /usr read-only by default.
         ro_mnt="no"
@@ -90,7 +90,7 @@
         port linux-blob kernel;

 
         
-        # dracut -v /boot/initramfs-4.9.86-gnu.img 4.9.86-gnu
+        # dracut --kver 4.9.86-gnu
         

 
         
1.4.3. Grub

-- 
cgit 1.4.1-2-gfad0


From 7e21c0085fec669979039856ea3754ac9573bbf3 Mon Sep 17 00:00:00 2001
From: Silvino Silva 
Date: Sat, 10 Mar 2018 14:55:29 +0000
Subject: core linux better config documentation

---
 core/index.html  | 283 +++++++++++----------
 core/linux.html  | 731 ++++++++++++++++++++++++++++++++++++++++++++++---------
 core/reboot.html |  14 +-
 3 files changed, 786 insertions(+), 242 deletions(-)

(limited to 'core/reboot.html')

diff --git a/core/index.html b/core/index.html
index 217ae01..7818109 100644
--- a/core/index.html
+++ b/core/index.html
@@ -1,139 +1,162 @@
 
 
     
-        
-        c9 Core OS
+	
+	c9 Core OS
     
     
 
-        Documentation Index
-
-        
c9 Core OS

-
-        
c9 Core OS covers installation and configuration of
-        basic functionality of Crux 3.3 Gnu\Linux operating system.
-        This documentation try's to follow Crux HandBook installation
-        method diverges, for example, by only installing and
-        documenting gpt and grub2.

-
-        
Read Crux HandBook,
-        you can ask for help on freenode #crux. Check scripts
-        folder the install process is automated and ports
-        for extra ports used during the installation.

-
-        
1. Install Crux 3.3 Gnu/Linux

-
-        
-
-        
2. System Administration

-
-        
-
-        Documentation Index
-
-        

-        This is part of the c9-doc Manual.
-        Copyright (C) 2017
-        c9 team.
-        See the file Gnu Free Documentation License
-        for copying conditions.

+	Documentation Index
+
+	
c9 Core OS

+
+	
c9 Core OS covers installation and configuration of
+	basic functionality of Crux 3.3 Gnu\Linux operating system.
+	This documentation try's to follow Crux HandBook installation
+	method diverges, for example, by only installing and
+	documenting gpt and grub2.

+
+	
Read Crux HandBook,
+	you can ask for help on freenode #crux. Check scripts
+	folder the install process is automated and ports
+	for extra ports used during the installation.

+
+	
1. Install Crux 3.3 Gnu/Linux

+
+	
+
+	
2. System Administration

+
+	
+
+	Documentation Index
+
+	

+	This is part of the c9-doc Manual.
+	Copyright (C) 2017
+	c9 team.
+	See the file Gnu Free Documentation License
+	for copying conditions.

 
     
 
diff --git a/core/linux.html b/core/linux.html
index 3be6d77..de41572 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -1,4 +1,4 @@
- 
+
 
     
         
@@ -16,26 +16,17 @@
         Linux Non-Libre pages for more links
         and information.

 
-        
2.1.1. Port Linux Libre

-
-        
Default crux configuration can be obtained from iso,
-        kernel port depend on dracut, grub2
-        and grub2-efi. You don't need them to build with pkgmk, to install
-        boot related tools use prt-get;

-
+        
Spectre-meltdown checker;

         
-        $ prt-get depinst linux-gnu
+        https://github.com/speed47/spectre-meltdown-checker/
         

 
-        
2.1.2. Manual Install

+        
2.1.1. Download Linux Libre

 
         
Download Linux Source from
         linux libre,
         or using the port system;

 
-        
Linux-gnu port comes with default config that is a good starting
-        point to personalize according to your needs.

-
         
         $ mkdir ~/kernel
         $ cd ~/kernel
@@ -75,15 +66,34 @@
         $ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
         

 
-        
Configure kernel according to your current kernel
-        hardware support;

+        
Cleaning targets:

+
+        
+        clean           - Remove most generated files but keep the config and
+                    enough build support to build external modules
+        mrproper        - Remove all generated files + config + various backup files
+        distclean       - mrproper + remove editor backup and patch files
+        

+
+        
Prepare sources for configuration;

+
+        
+        $ make distclean
+        

+
+        
2.1.2. Configure

+
+        
Port linux-gnu port comes with default configuration file  that is
+        a good starting point to tune kernel according to your needs. To
+        automatically configure kernel with support to your hardware
+        based on modules loaded by current kernel run.

 
         
         $ make localmodconfig
         

 
-        
Get information about your hardware, for example information
-        about which graphic module (driver) is in use
+        
To get more information about the hardware, for example
+        information about which graphic module (driver) is in use
         as root run;

 
         
@@ -91,101 +101,602 @@
         Kernel driver in use: i915
         

 
-        
Before start compiling check configuration;

+        
Make configuration targets;

+
+        
+        config          - Update current config utilising a line-oriented program
+        nconfig         - Update current config utilising a ncurses menu based program
+        menuconfig      - Update current config utilising a menu based program
+        xconfig         - Update current config utilising a Qt based front-end
+        gconfig         - Update current config utilising a GTK+ based front-end
+        oldconfig       - Update current config utilising a provided .config as base
+        localmodconfig  - Update current config disabling modules not loaded
+        localyesconfig  - Update current config converting local mods to core
+        silentoldconfig - Same as oldconfig, but quietly, additionally update deps
+        defconfig       - New config with default from ARCH supplied defconfig
+        savedefconfig   - Save current config as ./defconfig (minimal config)
+        allnoconfig     - New config where all options are answered with no
+        allyesconfig    - New config where all options are accepted with yes
+        allmodconfig    - New config selecting modules when possible
+        alldefconfig    - New config with all symbols set to default
+        randconfig      - New config with random answer to all options
+        listnewconfig   - List new options
+        olddefconfig    - Same as silentoldconfig but sets new symbols to their default value
+        kvmconfig       - Enable additional options for kvm guest kernel support
+        xenconfig       - Enable additional options for xen dom0 and guest kernel support
+        tinyconfig      - Configure the tiniest possible kernel
+        

+
+        
Following configuration try's to be generic about the hardware
+        support  while addressing the requirements of applications such as
+        qemu, docker, etc. For more information about hardening options read
+        kernsec.org. Configure kernel
+        using ncurses;

 
         
         $ make nconfig
         

 
+        
+            CONFIG_BUG_ON_DATA_CORRUPTION=y
+
+            # Perform extensive checks on reference counting.
+            CONFIG_REFCOUNT_FULL=y
+
+            # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
+            CONFIG_FORTIFY_SOURCE=y
+
+        

+
+        
2.1.2.1 General Setup

+        

+            
CONFIG_POSIX_MQUEUE=y

+            
POSIX Message Queues

+
+            
CONFIG_VMAP_STACK=y

+            
Use a virtually-mapped stack

+            
Adds guard pages to kernel stacks (not all architectures
+            support this yet).

+
+            
CONFIG_CGROUPS=y

+            
Control Group support

+
+            
CONFIG_MEMCG=y

+            
Memory controller

+
+            
CONFIG_MEMCG_SWAP=y

+            
Swap controller

+
+            
CONFIG_MEMCG_SWAP_ENABLED=y

+            
Swap controller enabled by default

+
+            
CONFIG_BLK_CGROUP=y

+            
IO controller

+
+            
CGROUP_SCHED=y

+            
CPU controller

+
+            
FAIR_GROUP_SCHED=y

+            
Group scheduling for SCHED_OTHER

+
+            
CONFIG_CFS_BANDWIDTH=y

+            
CPU bandwidth provisioning for FAIR_GROUP_SCHED

+
+            
CONFIG_RT_GROUP_SCHED=y

+            
Group scheduling for SCHED_RR/FIFO

+
+            
CONFIG_CGROUP_PIDS=y

+            
PIDs controller

+
+            
Freezer controller

+            
HugeTLB controller

+            
Cpuset controller

+            
Include legacy /proc//cpuset file

+            
Device controller

+            
Simple CPU accounting controller

+            
Perf controller

+        

+
+        
Namespaces support

+        

+            
UTS namespace

+            
IPC namespace

+            
User namespace

+            
PID Namespaces

+            
Network namespace

+        

+
+        

+
+            
CONFIG_COMPAT_BRK=n

+            
Disable heap randomization

+            
Dangerous; enabling this disables brk ASLR.

+
+            
CONFIG_SLAB_FREELIST_RANDOM=y

+            
Randomize allocator freelists, harden metadata.

+
+            
CONFIG_SLAB_FREELIST_HARDENED=y

+            
Randomize allocator freelists, harden metadata.

+
+            
CONFIG_SLUB_DEBUG=y

+            
Enable SLUB debugging support

+            
Allow allocator validation checking to be enabled
+            (see "slub_debug=P" below).

+
+            
CONFIG_CC_STACKPROTECTOR=y

+            
Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.

+
+            
CONFIG_CC_STACKPROTECTOR_STRONG=y

+            
Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.

+        

+
+
+        
2.1.2.2 Enable loadable module support

+        

+
+            
CONFIG_MODULES=y

+            
Enable loadable module support
+            
Keep root from altering kernel memory via loadable modules.
+            set CONFIG_MODULES=n

+            
But if CONFIG_MODULE=y is needed, at least they must be
+            signed with a per-build key.

+
+            
CONFIG_DEBUG_SET_MODULE_RONX=y

+            
(prior to v4.11)

+
+            
CONFIG_STRICT_MODULE_RWX=y

+            
(since v4.11)

+
+            
CONFIG_MODULE_SIG=y

+            
Module signature verification

+
+            
CONFIG_MODULE_SIG_FORCE=y

+            
Require modules to be validly signed

+
+            
CONFIG_MODULE_SIG_ALL=y

+            
Automatically sign all modules

+
+            
CONFIG_MODULE_SIG_SHA512=y

+            
Sign modules with SHA-512

+        

+
+        
2.1.2.3 Enable the block layer

+        

+            
BLK_DEV_THROTTLING=y

+            
Block layer bio throttling support

+
+            
IOSCHED_CFQ=y

+            
CFQ IO scheduler

+
+            
CONFIG_CFQ_GROUP_IOSCHED=y

+            
CFQ Group Scheduling support

+        

+
+        
2.1.2.4 Processor type and features

+
+        

+            
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

+            
Low address space to protect from user allocation

+            
Disallow allocating the first 64k of memory.

+
+            
X86_VSYSCALL_EMULATION=n

+            
Enable vsyscall emulation

+            
Required by programs before 2013, some programs my
+            require.

+            
Remove additional attack surface, unless you really
+            need them.

+
+            
CONFIG_SECCOMP=y

+            
Enable seccomp to safely compute untrusted bytecode

+            
Provide userspace with seccomp BPF API for syscall attack surface reduction.

+
+            
CONFIG_SECCOMP_FILTER=y

+            
Provide userspace with seccomp BPF API for syscall attack surface reduction.

+
+            
CONFIG_KEXEC=n

+            
kexec system call

+            
Dangerous; enabling this allows replacement
+            of running kernel.

+
+            
CONFIG_RANDOMIZE_BASE=y

+            
Randomize the address of the kernel image (KASLR)

+
+            
CONFIG_RANDOMIZE_MEMORY=y

+            
Randomize the kernel memory sections

+
+            
CONFIG_LEGACY_VSYSCALL_NONE=y

+            
vsyscall table for legacy applications (None)

+            
Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.

+
+            
CONFIG_COMPAT_VDSO=n

+            
Disable the 32-bit vDSO (needed for glibc 2.3.3)

+            
Dangerous; enabling this disables VDSO ASLR.

+
+            
CONFIG_MODIFY_LDT_SYSCALL=n

+            
Enable the LDT (local descriptor table)

+            
Remove additional attack surface, unless you really need them.

+        

+
+        
2.1.2.5 Power management and ACPI options

+
+        

+            
CONFIG_HIBERNATION=n

+            
Hibernation (aka 'suspend to disk')

+            
Dangerous; enabling this allows replacement of running
+            kernel.

+
+            
CONFIG_ACPI_CUSTOM_METHOD=n

+            
Allow ACPI methods to be inserted/replaced at run time

+            
Dangerous; enabling this allows direct physical
+            memory writing.

+        

+
+
+        
2.1.2.6 Bus options (PCI etc.)

+        
2.1.2.7 Executable file formats / Emulations

+        

+
+            
CONFIG_BINFMT_MISC=n

+            
Kernel support for MISC binaries

+            
Easily confused by misconfigured userspace, keep off.

+
+            
CONFIG_IA32_EMULATION

+            
Remove additional attack surface, unless you really need them.

+            
CONFIG_X86_X32

+            
Remove additional attack surface, unless you really need them.

+        

+
+        
2.1.2.8 Networking support

+        
Networking options

+        

+            
CONFIG_INET_DIAG=m

+            
INET: socket monitoring interface

+            
Support for INET (TCP, DCCP, etc) socket monitoring
+            interface used by native Linux tools such as ss. ss is
+            included in iproute2

+            
Prior to v4.1, assists heap memory attacks;
+            best to keep interface disabled.

+
+            
CONFIG_BRIDGE=y

+            
802.1d Ethernet Bridging

+
+            
CONFIG_NET_SCHED=y

+            
QoS and/or fair queueing

+
+            
CONFIG_NET_CLS_CGROUP=y

+            
Control Group Classifier

+
+            
CONFIG_VSOCKETS=y

+            
Virtual Socket protocol

+
+            
CONFIG_VIRTIO_VSOCKETS=y

+            
virtio transport for Virtual Sockets

+
+            
CONFIG_NET_L3_MASTER_DEV=y

+            
L3 Master device support

+
+            
CONFIG_CGROUP_NET_PRIO=y

+            
Network priority cgroup

+
+            
CGROUP_NET_CLASSID=y

+            
Network classid cgroup

+
+        

+
+        

+            
CONFIG_NETFILTER=y

+            
Network packet filtering framework (Netfilter)

+
+            
CONFIG_NETFILTER_ADVANCED=y

+            
Advanced netfilter configuration

+
+            
BRIDGE_NETFILTER=y

+            
Bridged IP/ARP packets filtering

+
+            
NF_CONNTRACK=y

+            
Netfilter connection tracking support

+
+            
NETFILTER_XT_MATCH_ADDRTYPE=y

+            
"addrtype" address type match support

+
+            
NETFILTER_XT_MATCH_CONNTRACK=y

+            
"conntrack" connection tracking match support

+
+            
CONFIG_NETFILTER_XT_MATCH_IPVS=y

+            
"ipvs" match support

+
+            
CONFIG_IP_VS=y

+            
IP virtual server support

+
+            
IP_VS_PROTO_TCP=y

+            
TCP load balancing support

+
+            
IP_VS_PROTO_UDP=y

+            
UDP load balancing support

+
+            
IP_VS_RR=y

+            
round-robin scheduling

+
+            
IP_VS_NFCT=y

+            
Netfilter connection tracking

+
+            
CONFIG_NF_CONNTRACK_IPV4=y

+            
IPv4 connection tracking support (required for NAT)

+
+            
NF_NAT_IPV4=y

+            
IPv4 NAT

+
+            
NF_NAT_MASQUERADE_IPV4=y

+            
IPv4 masquerade support

+
+            
IP_NF_IPTABLES=y

+            
IP tables support (required for filtering/masq/NAT)

+
+            
IP_NF_FILTER=y

+            
Packet filtering

+
+            
CONFIG_IP_NF_NAT=y

+            
iptables NAT support

+
+            
IP_NF_TARGET_MASQUERADE=y

+            
MASQUERADE target support

+
+            
IP_NF_TARGET_NETMAP=y

+            
NETMAP target support

+
+            
IP_NF_TARGET_REDIRECT=y

+            
REDIRECT target support

+
+            
CONFIG_SYN_COOKIES=y

+            
IP: TCP syncookie support

+            
Provides some protections against SYN flooding.

+
+        

+
+        
2.1.2.9 Device Drivers

+
+        
Multiple devices driver support (RAID and LVM)

+
+        

+            
CONFIG_MD=y

+            
Multiple devices driver support (RAID and LVM)

+            
CONFIG_BLK_DEV_DM=y

+            
Device mapper support

+            
DM_THIN_PROVISIONING=y

+            
Thin provisioning target

+        

+
+        
Network device support

+
+        

+            
CONFIG_NETDEVICES=y

+            
Network device support

+
+            
NET_CORE=y

+            
Network core driver support

+
+            
CONFIG_DUMMY=y

+            
Dummy net driver support

+
+            
CONFIG_MACVLAN=y

+            
MAC-VLAN support

+            
This allows one to create virtual interfaces that map
+            packets to or from specific MAC addresses to a particular
+            interface. Macvlan devices can be added using the "ip" command
+            from the route2 package starting with the iproute2.

+            
ip link add link  [ address MAC ] [ NAME ] type macvlan"

+
+            
CONFIG_VXLAN=y

+            
Virtual eXtensible Local Area Network (VXLAN)

+
+            
CONFIG_TUN=y

+            
Universal TUN/TAP device driver support

+
+            
CONFIG_VETH=y

+            
Virtual ethernet pair device

+
+
+            
IPVLAN=n

+            
IP-VLAN support

+            
Requires ipv6

+        

+
+        
Character devices

+        

+            
CONFIG_DEVMEM=n

+            
/dev/mem virtual device support

+            
Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)

+
+            
Enable TTY

+            
Unix98 PTY support

+
+            
CONFIG_LEGACY_PTYS=n

+            
Legacy (BSD) PTY support

+            
Use the modern PTY interface (devpts) only.

+
+            
Support multiple instances of devpts

+
+            
CONFIG_DEVKMEM=n

+            
/dev/kmem virtual device support

+            
Dangerous; enabling this allows direct kernel
+            memory writing.

+        

+
+        
2.1.2.10 Firmware Drivers

+        
2.1.2.11 File systems

+        

+            
Overlay filesystem support

+
+            
CONFIG_PROC_KCORE=n

+            
/proc/kcore support

+            
Dangerous; exposes kernel text image layout.

+
+            
HugeTLB file system support

+
+        

+
+        
2.1.2.12 Kernel hacking

+
+        

+            
CONFIG_DEBUG=y

+            
CONFIG_DEBUG_RODATA=y

+
+            
CONFIG_DEBUG_KERNEL=y

+            
Kernel debugging

+            
Make sure kernel page tables have safe permissions.

+
+            
CONFIG_STRICT_KERNEL_RWX=y

+            
since v4.11

+            
Make sure kernel page tables have safe permissions.

+
+            
CONFIG_PANIC_ON_OOPS=y

+            
Panic on Oops

+            
This feature is useful to ensure that the kernel does not do
+            anything erroneous after an oops which could result in data
+            corruption or other issues.

+
+            
CONFIG_PANIC_TIMEOUT=-1

+            
Reboot devices immediately if kernel experiences an Oops.

+
+            
CONFIG_SCHED_STACK_END_CHECK=y

+            
Detect stack corruption on calls to schedule()

+            
Perform additional validation of various commonly targeted structures.

+
+            
CONFIG_DEBUG_LIST=y

+            
Debug linked list manipulation

+            
Perform additional validation of various commonly targeted structures.

+
+            
CONFIG_DEBUG_SG=y

+            
Debug SG table operations

+            
Perform additional validation of various commonly targeted structures.

+
+            
CONFIG_DEBUG_NOTIFIERS=y

+            
Debug notifier call chains

+            
Perform additional validation of various commonly
+            targeted structures.

+
+            
CONFIG_DEBUG_CREDENTIALS=y

+            
Debug credential management

+            
Perform additional validation of various commonly
+            targeted structures.

+
+            
CONFIG_STRICT_DEVMEM=y

+            
Filter access to /dev/mem

+            
Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)

+
+            
CONFIG_IO_STRICT_DEVMEM=y

+            
Filter I/O access to /dev/mem

+            
Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)

+
+            
CONFIG_DEBUG_WX=y

+            
Warn on W+X mappings at boot

+            
Report any dangerous memory permissions
+            (not available on all archs).

+
+
+        

+
+        
Compile-time checks and compiler options

+        

+            
CONFIG_DEBUG_FS=y

+            
Debug Filesystem

+
+        

+
+        
Memory Debugging

+        

+            
CONFIG_PAGE_POISONING=y

+            
Poison pages after freeing

+            
Wipe higher-level memory allocations when they are freed
+            (needs "page_poison=1" command line below).

+
+            
CONFIG_PAGE_POISONING_NO_SANITY=y

+            
Only poison, don't sanity check

+            
(If you can afford even more performance penalty,
+            leave CONFIG_PAGE_POISONING_NO_SANITY=n)

+
+            
CONFIG_PAGE_POISONING_ZERO=y

+            
Use zero for poisoning instead of random data

+
+        

+
+        
2.1.2.13 Security options

+
+        

+            
Enable access key retention support

+            
Enable register of persistent per-UID keyrings

+            
ENCRYPTED KEYS

+            
Diffie-Hellman operations on retained keys

+
+            
CONFIG_SECURITY=y

+            
Enable different security models

+            
Provide userspace with ptrace ancestry protections.

+
+            
CONFIG_HARDENED_USERCOPY=y

+            
Harden memory copies between kernel and userspace

+            
Perform usercopy bounds checking.

+
+            
SECURITY_SELINUX=n

+            
NSA SELinux Support

+            
CONFIG_SECURITY_SELINUX_DISABLE=n

+            
NSA SELinux runtime disable

+            
If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.

+
+            
CONFIG_SECURITY_APPARMOR=y

+            
AppArmor support

+            
This enables the AppArmor security module. Rquired userspace
+            tools (if they are not included in your distribution) and further
+            information may be found at AppArmor

+            
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1

+            
AppArmor boot parameter default value

+
+            
CONFIG_SECURITY_YAMA=y

+            
Yama support

+            
Provide userspace with ptrace ancestry protections.

+        

+
+        
2.1.2.14 Cryptographic API

+        
2.1.2.15 Virtualization

+
+        

+            
CONFIG_KVM=y

+            
Kernel-based Virtual Machine (KVM) support

+
+            
CONFIG_KVM_INTEL=y

+            
KVM for Intel processors support

+            
Provides support for KVM on Intel processors equipped with the VT extensions.

+
+            
CONFIG_KVM_AMD=y

+            
KVM for AMD processors support

+            
Provides support for KVM on AMD processors equipped with the
+            AMD-V (SVM) extensions.

+
+            
CONFIG_KVM_DEVICE_ASSIGNMENT=n

+            
KVM legacy PCI device assignment support (DEPRECATED)

+
+            
CONFIG_VHOST_NET=y

+            
Host kernel accelerator for virtio net

+
+            
CONFIG_VHOST_VSOCK=y

+            
vhost virtio-vsock driver

+
+            
CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y

+            
Cross-endian support for vhost

+        

+
+        
2.1.2.16 Library routines

+
+        
2.1.3. Build

+
         
Make targets;

 
         
-        $ make help
-        Cleaning targets:
-          clean           - Remove most generated files but keep the config and
-                            enough build support to build external modules
-          mrproper        - Remove all generated files + config + various backup files
-          distclean       - mrproper + remove editor backup and patch files
-
-        Configuration targets:
-          config          - Update current config utilising a line-oriented program
-          nconfig         - Update current config utilising a ncurses menu based
-                            program
-          menuconfig      - Update current config utilising a menu based program
-          xconfig         - Update current config utilising a Qt based front-end
-          gconfig         - Update current config utilising a GTK+ based front-end
-          oldconfig       - Update current config utilising a provided .config as base
-          localmodconfig  - Update current config disabling modules not loaded
-          localyesconfig  - Update current config converting local mods to core
-          silentoldconfig - Same as oldconfig, but quietly, additionally update deps
-          defconfig       - New config with default from ARCH supplied defconfig
-          savedefconfig   - Save current config as ./defconfig (minimal config)
-          allnoconfig     - New config where all options are answered with no
-          allyesconfig    - New config where all options are accepted with yes
-          allmodconfig    - New config selecting modules when possible
-          alldefconfig    - New config with all symbols set to default
-          randconfig      - New config with random answer to all options
-          listnewconfig   - List new options
-          olddefconfig    - Same as silentoldconfig but sets new symbols to their
-                            default value
-          kvmconfig       - Enable additional options for kvm guest kernel support
-          xenconfig       - Enable additional options for xen dom0 and guest kernel support
-          tinyconfig      - Configure the tiniest possible kernel
-
         Other generic targets:
           all             - Build all targets marked with [*]
         * vmlinux         - Build the bare kernel
         * modules         - Build all modules
-          modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
-          firmware_install- Install all firmware to INSTALL_FW_PATH
-                            (default: $(INSTALL_MOD_PATH)/lib/firmware)
-          dir/            - Build all files in dir and below
-          dir/file.[ois]  - Build specified target only
-          dir/file.lst    - Build specified mixed source/assembly target only
-                            (requires a recent binutils and recent build (System.map))
-          dir/file.ko     - Build module including final link
-          modules_prepare - Set up for building external modules
-          tags/TAGS       - Generate tags file for editors
-          cscope          - Generate cscope index
-          gtags           - Generate GNU GLOBAL index
-          kernelrelease   - Output the release version string (use with make -s)
-          kernelversion   - Output the version stored in Makefile (use with make -s)
-          image_name      - Output the image name (use with make -s)
-          headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
                             (default: ./usr)
 
-        Static analysers
-          checkstack      - Generate a list of stack hogs
-          namespacecheck  - Name space analysis on compiled kernel
-          versioncheck    - Sanity check on version.h usage
-          includecheck    - Check for duplicate included header files
-          export_report   - List the usages of all exported symbols
-          headers_check   - Sanity check on exported headers
-          headerdep       - Detect inclusion cycles in headers
-          coccicheck      - Check with Coccinelle.
-
-        Kernel selftest
-          kselftest       - Build and run kernel selftest (run as root)
-                            Build, install, and boot kernel before
-                            running kselftest on it
-          kselftest-clean - Remove all generated kselftest files
-          kselftest-merge - Merge all the config dependencies of kselftest to existed
-                            .config.
-
-        Kernel packaging:
-          rpm-pkg             - Build both source and binary RPM kernel packages
-          binrpm-pkg          - Build only the binary kernel RPM package
-          deb-pkg             - Build both source and binary deb kernel packages
-          bindeb-pkg          - Build only the binary kernel deb package
-          tar-pkg             - Build the kernel as an uncompressed tarball
-          targz-pkg           - Build the kernel as a gzip compressed tarball
-          tarbz2-pkg          - Build the kernel as a bzip2 compressed tarball
-          tarxz-pkg           - Build the kernel as a xz compressed tarball
-          perf-tar-src-pkg    - Build perf-4.9.9-gnu.tar source tarball
-          perf-targz-src-pkg  - Build perf-4.9.9-gnu.tar.gz source tarball
-          perf-tarbz2-src-pkg - Build perf-4.9.9-gnu.tar.bz2 source tarball
-          perf-tarxz-src-pkg  - Build perf-4.9.9-gnu.tar.xz source tarball
-
         Documentation targets:
          Linux kernel internal documentation in different formats (Sphinx):
           htmldocs        - HTML
@@ -210,12 +721,6 @@
           installmandocs  - install man pages generated by mandocs
           cleandocs       - clean all generated DocBook files
 
-          make DOCBOOKS="s1.xml s2.xml" [target] Generate only docs s1.xml s2.xml
-          valid values for DOCBOOKS are: z8530book.xml kernel-hacking.xml kernel-locking.xml deviceiobook.xml writing_usb_driver.xml networking.xml kernel-api.xml filesystems.xml lsm.xml usb.xml kgdb.xml gadget.xml libata.xml mtdnand.xml librs.xml rapidio.xml genericirq.xml s390-drivers.xml uio-howto.xml scsi.xml debugobjects.xml sh.xml regulator.xml alsa-driver-api.xml writing-an-alsa-driver.xml tracepoint.xml w1.xml writing_musb_glue_layer.xml crypto-API.xml iio.xml
-
-          make DOCBOOKS="" [target] Don't generate docs from Docbook
-             This is useful to generate only the ReST docs (Sphinx)
-
         Architecture specific targets (x86):
         * bzImage      - Compressed kernel image (arch/x86/boot/bzImage)
           install      - Install kernel using
@@ -244,15 +749,23 @@
                         2: warnings which occur quite often but may still be relevant
                         3: more obscure warnings, can most likely be ignored
                         Multiple levels can be combined with W=12 or W=123
-
-        Execute "make" or "make all" to build all targets marked with [*]
-        For further info see the ./README file
-        $
         

 
 
         
         $ make -j $(nproc) bzImage modules
+        

+
+        
2.1.5. Install

+        
+          modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
+          firmware_install- Install all firmware to INSTALL_FW_PATH
+                            (default: $(INSTALL_MOD_PATH)/lib/firmware)
+          modules_prepare - Set up for building external modules
+          headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
+        

+
+        
         $ sudo make modules_install
         $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
         $ sudo cp System.map /boot/System.map-4.9.86-gnu
@@ -264,7 +777,7 @@
         # grub-mkconfig -o /boot/grub/grub.cfg
         

 
-        
2.1.3. Manual Remove

+        
2.1.6. Remove

 
         
         $ sudo rm -r /lib/modules/4.9.86-gnu
diff --git a/core/reboot.html b/core/reboot.html
index c7e8d9c..ea174a2 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -33,12 +33,20 @@
 
         
1.4.1. Kernel

 
-        
There is possible to install kernel using a port,
-        c9-ports have linux-gnu
-        port of linux libre,a true source based kernel that
+        
Install linux-gnu port,
+        linux libre kernel is a true source based kernel that
         respects your freedoms. Read linux kernel 
         for more information.

 
+	
Default crux configuration can be obtained from iso,
+	kernel port depend on dracut, grub2
+	and grub2-efi. You don't need them to build with pkgmk, to install
+	boot related tools use prt-get;

+
+	
+	$ prt-get depinst linux-gnu
+	

+
         
If you don't have the port binary package build it;

 
         
-- 
cgit 1.4.1-2-gfad0