Is a grsec-enabled kernel planned?
Hi @tze, not for the C1, see https://github.com/scaleway/kernel-tools/issues/142.
The current official GRSEC support is for Linux kernels up to 3.14; however, the minimal mainline kernel we can run on the C1 is 3.18.
You can use alternatives: SELinux or AppArmor on the C1, or wait for new hardware.
Thanks for the response, I know that stable grsec is available only up to 3.14.
It would still be great to get an “unstable” grsec enabled newer Kernel.
As of now Alpine Linux is using 3.18.X enabled with the “unstable” grsec patches.
Just food for thought; I think a lot of Alpine users would welcome this.
Ok, I created this issue to follow up: https://github.com/scaleway/kernel-tools/issues/164
I was asking before, but got no response.
What about kexec kernel option?
Could you please enable zram module (Compressed RAM block device)?
Ubuntu 16.04 supports the ZFS filesystem. The stock kernel in 16.04 has ZFS compiled in as a module.
ZFS is essential for those that want to use containers and LXD on Ubuntu 16.04.
Without ZFS, a customer would need to use the inefficient ‘dir’ method to store the containers.
For more about LXD on Ubuntu 16.04, see https://linuxcontainers.org/lxd/try-it/ and https://www.stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/
Could you please add ZFS to the Scaleway Linux kernel?
Would it be possible to enable the various kernel modules needed in order to get criu working?
CONFIG_CHECKPOINT_RESTORE=y (Checkpoint/restore support)
CONFIG_NAMESPACES=y (Namespaces support)
CONFIG_UTS_NS=y (Namespaces support -> UTS namespace)
CONFIG_IPC_NS=y (Namespaces support -> IPC namespace)
CONFIG_PID_NS=y (Namespaces support -> PID namespaces)
CONFIG_NET_NS=y (Namespaces support -> Network namespace)
CONFIG_FHANDLE=y (Open by fhandle syscalls)
CONFIG_EVENTFD=y (Enable eventfd() system call)
CONFIG_EPOLL=y (Enable eventpoll support)
Networking support -> Networking options: options for the sock-diag subsystem
CONFIG_UNIX_DIAG=y (Unix domain sockets -> UNIX: socket monitoring interface)
CONFIG_INET_DIAG=y (TCP/IP networking -> INET: socket monitoring interface)
CONFIG_INET_UDP_DIAG=y (TCP/IP networking -> INET: socket monitoring interface -> UDP: socket monitoring interface)
CONFIG_PACKET_DIAG=y (Packet socket -> Packet: sockets monitoring interface)
CONFIG_NETLINK_DIAG=y (Netlink socket -> Netlink: sockets monitoring interface)
CONFIG_INOTIFY_USER=y (File systems -> Inotify support for userspace)
CONFIG_IA32_EMULATION=y (x86 only) (Executable file formats -> Emulations -> IA32 Emulation)
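One way to check an existing kernel against that list, as an added example that is neither the poster's nor Scaleway's code: a POSIX sh script that reads a kernel config file in the usual `CONFIG_X=y` / `# CONFIG_X is not set` format (for example `/boot/config-$(uname -r)` or the output of `zcat /proc/config.gz`, both assumed to be available) and reports the CRIU options from the post that are not built in; the sample config it ships with is constructed, and the x86-only CONFIG_IA32_EMULATION is left out.

```shell
#!/bin/sh
# Added example, not code from the thread or from Scaleway: report which of the
# CRIU options listed in the post are built in (=y), modular (=m), explicitly
# unset or absent in a kernel config file. CONFIG_IA32_EMULATION is x86-only
# and therefore not in the list.

CRIU_OPTIONS="CONFIG_CHECKPOINT_RESTORE CONFIG_NAMESPACES CONFIG_UTS_NS
CONFIG_IPC_NS CONFIG_PID_NS CONFIG_NET_NS CONFIG_FHANDLE CONFIG_EVENTFD
CONFIG_EPOLL CONFIG_UNIX_DIAG CONFIG_INET_DIAG CONFIG_INET_UDP_DIAG
CONFIG_PACKET_DIAG CONFIG_NETLINK_DIAG CONFIG_INOTIFY_USER"

# config_state FILE OPTION: prints y, m, n ("# OPTION is not set") or absent.
config_state() {
    # no match is not an error, so the pipeline status is forced to 0
    line=$(grep -E "^(# )?$2(=| is not set)" "$1" | head -n 1 || :)
    case "$line" in
        "$2=y")            echo y ;;
        "$2=m")            echo m ;;
        "# $2 is not set") echo n ;;
        "")                echo absent ;;
        *)                 echo other ;;   # string or numeric value
    esac
}

# report_criu_config FILE: one "OPTION state" line per option in the list.
report_criu_config() {
    for opt in $CRIU_OPTIONS; do
        printf '%s %s\n' "$opt" "$(config_state "$1" "$opt")"
    done
}

# missing_criu_options FILE: the options that are not built in. The post asks
# for every one of them as =y, so modular (=m) entries are reported as well.
missing_criu_options() {
    report_criu_config "$1" | awk '$2 != "y" { print $1 }'
}

# write_sample_config FILE: a constructed config fragment (not a real Scaleway
# config) for an offline run: two options modular, one unset, one absent.
write_sample_config() {
    printf '%s\n' CONFIG_CHECKPOINT_RESTORE=y CONFIG_NAMESPACES=y \
        CONFIG_UTS_NS=y CONFIG_IPC_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y \
        CONFIG_FHANDLE=y CONFIG_EVENTFD=y CONFIG_EPOLL=y CONFIG_UNIX_DIAG=m \
        CONFIG_INET_DIAG=m '# CONFIG_INET_UDP_DIAG is not set' \
        CONFIG_PACKET_DIAG=y CONFIG_INOTIFY_USER=y > "$1"
}

# Usage: sh check_criu_config.sh [CONFIG_FILE]; without an argument the
# constructed sample is written to a temporary file and checked instead.
cfg=${1:-}
if [ -z "$cfg" ]; then cfg=$(mktemp); write_sample_config "$cfg"; fi
missing_criu_options "$cfg"
```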
I need support for unmanaged L2TP tunnels:
CONFIG_L2TP_V3=y CONFIG_L2TP_IP=m CONFIG_L2TP_ETH=m
Please enable it.
Can you please enable CONFIG_KEXEC? I'm trying to boot into a custom initramfs, as I wasn't able to find any information regarding this in your documentation, only some (old?) threads about future support for this feature.
I was considering using calico to drive an overlay network for my containers, but that’s currently blocked because the xt_set module is missing:
I need ebtables netfilter. Can you enable the module, please?
Is there any way to boot / build a kernel for ARM machines? For instance, I want to build and test Ubuntu snaps, and it fails with
[14731.123184] squashfs: SQUASHFS error: Filesystem uses “xz” compression. This is not supported
Looking at the .config on GitHub, CONFIG_SQUASHFS_XZ is indeed disabled.
You can't build your own kernel at the moment, but open an issue on GitHub to get CONFIG_SQUASHFS_XZ enabled. We will see if we can activate it.
Looks like there is already an issue related to this; I commented on that one: https://github.com/scaleway/kernel-tools/issues/334
BTW, I think AppArmor is also needed for snaps, and I don't see it in the ARM kernel…
Edit: never mind, found the bootscript thingy.
edit2: armv7l 4.10.8 apparmor seems to include xz support
I am testing the new ARMv8 cloud servers and I noticed that the Linux kernel for Ubuntu has differences from the original Ubuntu Linux kernel.
This issue becomes evident when a user tries to run LXD containers on ARMv8.
Specifically, some required patches for AppArmor are not in mainline Linux yet (thus, not in the current Scaleway kernel). Also, ZFS (default in Ubuntu 16.04 and onwards) is not available in the current Scaleway kernel either.
I wrote about these on my blog, https://blog.simos.info/a-closer-look-at-the-new-arm64-scaleway-servers-and-lxd/
The solution appears to be to set up a new bootscript for the original Ubuntu Linux kernel, which is found at
Ubuntu 16.04 LTS was released with Linux kernel 4.4.0. The Hardware Enablement stack (HWE) version is at 4.8.0 (i.e. branch “hwe”).
Could you please add a bootscript with the shipped Ubuntu 16.04 Linux kernel?
Thanks in advance!
What about enabling KSM in the Scaleway kernels? It will help a lot in reducing memory use on high-load instances.
As explained in the GitHub ticket https://github.com/scaleway/image-centos/issues/19 and in my support ticket, we really need SELinux enabled on CentOS 7 images. Some applications don't start without it.
Booting on the Fedora kernel activates SELinux, but other problems happen (device mapper problems, and so on…).
It's really important not to deactivate it => https://stopdisablingselinux.com/
At this time, I'm unable to work with my servers, since I've made some upgrades on certain services that need SELinux.
Note that SELinux should be activated with the Docker kernel as well; without that we will have no other choice than to quit Scaleway, and that's a pity.