
Fedora / RedHat / CentOS7 / CentOS8 – compiling the latest kernel – updated 2020-01


30.Jun.2017

https://www.youtube.com/watch?v=MShbP3OpASA

… one also likes beauty and simplicity… this tutorial has not exactly grown into beauty –
rather the beauty has grown into a beast and, just as with software, beyond a certain point
it needs to be split into separate CentOS7 and CentOS8 articles and rewritten from scratch.

CentOS7: tested and works

CentOS8: compiling latest (5.4.11) kernel: works!

intro:

(if one wants the latest kernel for Debian: debian9 stretch go here)
it seems very relevant to have the latest possible kernel up and running:
https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
first: backup one’s system!
at boot time (under „Advanced“ for Debian) one can choose to boot the old kernel –
nevertheless – backup one’s system completely before progressing.

hardware requirements:
one will need AT LEAST 15GB of free disk space, better 20GB. (yes one can free disk
space again after compilation…)

also:
it works, but one should not compile as root. (says Owl River Company)
installing the dependencies and running „make install“ for the new kernel do require root.

One should not compile as root, so we create a new non-root user: (across distributions
Debian8, RedHat(CentOS7), Suse12)
# add user and create home directory
useradd -m username;
# one will have to assign a password for the user straight afterwards
passwd username;
# probably would also want to change default-login-shell of username to bash
usermod -s /bin/bash username;
# change permissions, so non-root user may do things
chown -R username:username /usr/src/linux*
# become this new user when one needs to
su username;
the installation of the kernel and modules needs to be done as root (of course, one is
modifying the system) but not the compilation itself.

# space requirements of sources
du -h --max-depth=0 /usr/src/linux-4.17.12
12G /usr/src/linux-4.17.12

du -hs /usr/src/linux-5.1.15
12G /usr/src/linux-5.1.15

du -hs /usr/src/linux-5.4.11
14G /usr/src/linux-5.4.11

CentOS7 only: upgrade to gcc 7.X


(this step is not needed under CentOS8 which comes with gcc 8.X per default)

if one wants the LATEST Kernel (above 4.17.19) one will also need gcc version > 4.5 or
one might run into
arch/x86/Makefile:184: *** Compiler lacks asm-goto support.. Stop.
(src)
about x86: Force asm-goto: „We want to start using asm-goto to guarantee the absence of
dynamic branches (and thus speculation).
A primary prerequisite for this is of course that the compiler supports asm-goto.
This effectively lifts the minimum GCC version to build an x86 kernel to gcc-4.5.
Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxx.org>
Signed-off-by: Thomas Gleixner of: linutronix.de“
Link: https://lkml.kernel.org/r/20180319201327.GJ4043@hirez.programming.kicks-ass.net
in this case we install the old version and override with the new one, you could probably
also just softlink to it. (untested)
# under Centos7/Redhat/Fedora this seems to be done like this: (src)
# become root
su
# install the old gcc 4.X
yum install gcc
which gcc
/usr/bin/gcc
gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

# override with new gcc 7.X


yum install centos-release-scl
yum install devtoolset-7-gcc*
scl enable devtoolset-7 bash
which gcc
/opt/rh/devtoolset-7/root/usr/bin/gcc
gcc --version
gcc (GCC) 7.3.1 20180303 (Red Hat 7.3.1-5)
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
tested with:
CentOS-7-x86_64-Minimal-1810.iso
sha256sum: 38d5d51d9d100fd73df031ffd6bd8b1297ce24660dc8c13a3b8b4534a4bd291c

WorkFlow:
it seems to pretty much be always the same process:

1. setup build environment
2. change to /usr/src
3. pull latest kernel sources from kernel.org
4. create softlink with name „linux“ to the folder with the latest kernel sources
5. try make menuconfig
6. install missing packages until make menuconfig works
7. make kernel
8. install kernel and kernel modules
in this example i try to compile the latest kernel from kernel.org on CentOS7

it compiles… and boots up…

hit ESC or other keys to see the verbose kernel output instead of the loading bar…
hostnamectl; # tested on
Static hostname: CentOS7
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-514.26.1.el7.x86_64
Architecture: x86-64

# also tested on
Kernel: Linux 3.10.0-693.11.6.el7.x86_64
# also tested 2018-02-06 on
Kernel: Linux 3.10.0-693.17.1.el7.x86_64
# also tested on 2018-07
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-862.6.3.el7.x86_64
# also tested on:
hostnamectl
Operating System: CentOS Linux 8 (Core)
CPE OS Name: cpe:/o:centos:centos:8
Kernel: Linux 4.18.0-80.11.2.el8_0.x86_64
Architecture: x86-64
su; # become root
yum update; # update system

yum search kernel-devel; # search for kernel headers


yum install kernel-devel.x86_64; # install kernel headers required by gcc
yum search ncurses; # search for devel and i386 (32bit) or 64Bit
yum install wget ncurses-devel.x86_64; # install ncurses
cd /usr/src/
# now visit http://kernel.org/ and get the link to the latest kernel

wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.12.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.12.tar.sign
# or in case of kernel 5.4.11
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.4.11.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.4.11.tar.sign

# unpack step1
unxz linux-5.4.11.tar.xz
# verify the file
gpg --verify linux-5.4.11.tar.sign
# it will say that it can not verify because key with id 647F28654894E3BD457199BE38DBBDC86092693E is missing
# get the key (from gpg default keyserver)
gpg --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E
gpg: key 38DBBDC86092693E: 179 signatures not checked due to missing keys
gpg: key 38DBBDC86092693E: "Greg Kroah-Hartman" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

# then run verify again


gpg --verify linux-5.4.11.tar.sign
# should look like this: (the user's mail was deleted for anti-spam reasons)
gpg: assuming signed data in 'linux-5.4.11.tar'
gpg: Signature made Sun 12 Jan 2020 06:24:28 AM EST
gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman
gpg: aka "Greg Kroah-Hartman
gpg: aka "Greg Kroah-Hartman (Linux kernel stable release signing key) [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E

# Good signature means: nobody but Greg inserted any backdoors (just kidding X-D)
# so one may proceed safely
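Added example, not part of the original tutorial: the key above was fetched using the ID that the signature file itself names, and gpg warns that it is not certified, so "Good signature" only helps once the fingerprint is compared with one obtained independently. The script below accepts a tarball only if gpg's machine-readable status reports a valid signature from a pinned fingerprint; the function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original tutorial): accept a kernel tarball only
# when gpg reports a valid signature made by a pinned key fingerprint.
# PINNED_FPR is the fingerprint printed on this page; confirm it against
# kernel.org before relying on it.
PINNED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names the wanted primary key and no failure status appears.
status_is_trusted() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # field 12 is the primary key fingerprint, field 3 the signing key
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# usage: verify_tarball <file.tar.sign> <file.tar>
verify_tarball() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_is_trusted "$PINNED_FPR"
}

# Constructed status output for a signature made by the pinned key.
sample_status_pinned() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman (constructed sample)
[GNUPG:] VALIDSIG $PINNED_FPR 2020-01-12 1578828268 0 4 0 1 8 00 $PINNED_FPR
EOF
}

# Constructed status output: cryptographically good, but made by another key
# that merely carries the same name.
sample_status_other_key() {
    other=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Greg Kroah-Hartman (constructed sample)
[GNUPG:] VALIDSIG $other 2020-01-12 1578828268 0 4 0 1 8 00 $other
EOF
}

if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: signed by $PINNED_FPR"
    else
        echo "REJECTED: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

Run it as `sh verify.sh linux-5.4.11.tar.sign linux-5.4.11.tar` after the unxz step; the file name verify.sh is an assumption.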
# unpack step2
tar fxv linux-5.4.11.tar
tar fxvJ linux-4.12.tar.xz
ln -sv linux-4.12 linux
cd linux
uname -r;
# this is our current kernel version
3.10.0-862.6.3.el7.x86_64

# reuse the currently used kernel.config


# if one has already a custom kernel in place
# one will have to find version number manually
# (use latest from /boot/config-...)
#
cp -v /boot/config-$(uname -r) .config;

this is pretty critical:
if there is no good .config under boot use the .config from last kernel compilation
or not all modules might get compiled and one’s new kernel won’t boot
if compilation process quits after 16min on 2x Xeon Cores
probably not all modules needed were compiled
during boot menu one can choose to boot old kernel
and redo compilation process with different .config
if one compiles kernel 4 config from kernel 3 should work
if one compiles kernel 5 config from kernel 4 should work
# for example, last time 2372 modules were compiled
find /usr/src/linux-5.2.8/ -name '*.ko' -type f | wc -l
2372

# under CentOS 8 kernel 4.18 this error happened:
make[2]: *** No rule to make target needed by 'certs/x509_certificate_list'. Stop
# solution according to unix.stackexchange.com
# is to open
vim .config
# and comment out those two lines
# CONFIG_SYSTEM_TRUSTED_KEYS="certs/signing_key.pem"
# CONFIG_MODULE_SIG_KEY="certs/rhel.pem"

# or make modules_install will fail like this:
kernel compiles fine, but make modules_install fails:
this has to do with kernel modules needing to be „signed“ for UEFI SecureBoot:
https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
(security feature: prevents unsigned modules from being loaded into the kernel)

https://wiki.gentoo.org/wiki/Signed_kernel_module_support
http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
luckily when one comments out those two lines in .config, the build process will just auto-
generate keys for signing.
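A check for the failure described above, as an added example that is not part of the original tutorial: it reads the two options named on this page from .config and reports any certificate file the build would not find. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original tutorial): report certificate paths in
# a kernel .config that the build will not be able to find.

# Print the quoted value of option $2 in config file $1 (empty if not set).
config_value() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# usage: check_signing_config <kernel-source-dir>
# Prints one line per option; returns 1 if a referenced file is missing.
check_signing_config() {
    src=$1
    rc=0
    [ -f "$src/.config" ] || { echo "no .config in $src"; return 2; }
    for opt in CONFIG_SYSTEM_TRUSTED_KEYS CONFIG_MODULE_SIG_KEY; do
        val=$(config_value "$src/.config" "$opt")
        case $val in
            "")       echo "$opt: not set (kconfig default applies)"; continue ;;
            pkcs11:*) echo "$opt: PKCS#11 URI, not a file"; continue ;;
            /*)       path=$val ;;
            *)        path=$src/$val ;;
        esac
        if [ -f "$path" ]; then
            echo "$opt: ok ($val)"
        elif [ "$opt" = CONFIG_MODULE_SIG_KEY ] &&
             [ "$val" = certs/signing_key.pem ]; then
            # Kernel default: the build generates this key when it is absent.
            echo "$opt: default path, key is generated during the build"
        else
            echo "$opt: MISSING $val"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: an empty source tree whose .config holds the two lines
# quoted on this page. Prints the directory that was created.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_SYSTEM_TRUSTED_KEYS="certs/signing_key.pem"' \
        'CONFIG_MODULE_SIG_KEY="certs/rhel.pem"' > "$d/.config"
    echo "$d"
}

if [ "$#" -eq 1 ]; then
    check_signing_config "$1"
fi
```

After the build, certs/signing_key.pem in the source tree holds the private key the new kernel trusts for module signatures, so restrict it to root or remove it once the modules are installed.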
# CentOS8: when make modules_install succeeds, it is followed by make install (install kernel)

# using config from: Linux 4.14.14 to compile Linux 5.2.8 worked


# now one could become "normal" user to start compilation
su username

# CentOS8 comes with gcc 8, so one does not need to upgrade to gcc 7.X
gcc --version
gcc (GCC) 8.2.1 20180905 (Red Hat 8.2.1-3)

# need to enable gcc 7 for this user as well
# build environment under CentOS7 needs to be modified so it will use gcc 7.X
scl enable devtoolset-7 bash
# check if right gcc version (7) is used
gcc --version
gcc (GCC) 7.3.1 20180303 (Red Hat 7.3.1-5)

# make sure non root user is in


cd /usr/src/linux
make clean
make menuconfig
# gave me this error:
HOSTCC scripts/basic/fixdep
HOSTCC scripts/kconfig/mconf.o
YACC scripts/kconfig/zconf.tab.c
/bin/sh: bison: command not found
make[1]: *** [scripts/kconfig/zconf.tab.c] Error 127
make: *** [menuconfig] Error 2
# become super user again (Ctrl+D) and fix it
yum install bison

# become normal user again


su username
# rerun
make menuconfig
# gave me this error
YACC scripts/kconfig/zconf.tab.c
LEX scripts/kconfig/zconf.lex.c
/bin/sh: flex: command not found
make[1]: *** [scripts/kconfig/zconf.lex.c] Error 127
make: *** [menuconfig] Error 2
# become super user again (Ctrl+D) and fix it
yum install flex
# for compile to work one needs additional packages, screen package is optional
yum install elfutils-libelf-devel.x86_64 openssl-devel.x86_64 bc screen

# rerun
su username
make menuconfig
# now finally worked:
# kernel5
# usually i do not modify anything here
# just hit exit and save the .config

# starting a new screen session with this name


screen -S compiling_kernel;
make clean;
# LET THE MAGIC BEGIN!
# compile using 4 cpu cores (faster than with one)
time make -j4;
# watch the magic for a while...
# Ctrl+A then D = detach from current screen session
# so one can let the compilation run in the background and do other stuff
# while it is compiling
# for example: what cpu does one have?
cat /proc/cpuinfo
lscpu
# benchmarks:
# (if this process quits a bit too fast in comparison to these figures
# one was probably using the wrong .config and not building all modules = bad won't boot)
## kernel 5.1 using 4x core of Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
### took real 46m39.147s
## kernel 4.17.4 using 2x cores of Xeon (Skylake, IBRS) 2GHZ 16MByte Cache
### took real 85minutes
screen -ls; # show current screen sessions
screen -R compiling_kernel; # resume this screen session
# how to install htop in centos
yum install epel-release
yum install htop

watching kernel 4.12.13 compiling under centos7 with 8x xeon E5504 at 2.00GHz cores on supermicro X8DT3
server (2018-01) good way to stress test one’s system 😀  real: 24m48.755s … not too bad 😀

# compiling kernel 5.1.25 on HP ProLiant DL360 G6


# full throttle on all cpus

the HP ProLiant DL360 G6 made a build of 5.1.15 in real 16m4.780s


lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 16
On-line CPU(s) list: 0-15
Thread(s) per core: 2
Core(s) per socket: 4
Socket(s): 2
NUMA node(s): 2
Vendor ID: GenuineIntel
CPU family: 6
Model: 26
Model name: Intel(R) Xeon(R) CPU E5540 @ 2.53GHz

# the time has come


# when one will definitely
# need to be root to progress
su
make modules_install

# kernel build went good, but make modules_install failed on CentOS8 with:
blowfish-x86_64.ko SSL error 02001002 system library fopen No such file or directory crypto bio bss_file.c

make install

# depending if one is in front of the server


# one can select the new kernel at grub boot menu
# if not one would want to check if the new kernel
# is the default kernel to boot on reboot, before reboot
# make sure those orange lines are present
# so it will automatically remember
# the last kernel one has chosen (the chosen one)
# imho would remove the "quiet" parameter
# so one gets a more verbose output during boot
# imho would change GRUB_TIMEOUT=5 to 1 (less wait during boot)
vi /etc/default/grub;
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
# :wq save quit vi/vim
# can show one what the boot menu looks like and what entry should be default
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
0 : CentOS Linux (4.10.0-862.14.4.el7.x86_64) 7 (Core)
1 : CentOS Linux (3.10.0-862.9.1.el7.x86_64) 7 (Core)
2 : CentOS Linux (0-rescue-9063ac396d784f4c997ceacdd0590c25) 7 (Core)

# show what is current default kernel


grub2-editenv list
saved_entry=CentOS Linux (3.10.0-862.14.4.el7.x86_64) 7 (Core)

grub2-set-default 0

# centos7 update grub config and menu


grub2-mkconfig -o /boot/grub2/grub.cfg

# or if one has access to the server directly:
# reboot, select new kernel and it should be set to default afterwards
# yes one could just hit reboot now
# but we want to be graceful
mkdir /scripts
echo 'sync; shutdown -r now "system reboot"' > /scripts/reboot.sh
echo 'sync; shutdown -P now "system poweroff"' > /scripts/poweroff.sh
# usually with shutdown one means also poweroff
ln -sv /scripts/poweroff.sh /scripts/shutdown.sh
chmod +x /scripts/*.sh
# reboot
/scripts/reboot.sh

# if that worked one might want to make it boot the new kernel per default

# and all goes well


# CONGRATULATIONS! :)
# one's server should now be running THE latest kernel
modules and kernel install fine – after reboot i can select the new kernel 4.12 and it boots
up fine.
hostnamectl
Static hostname: CentOSworkstation.localdomain
Icon name: computer-laptop
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 4.14.12 (recent in 2017-01)
Architecture: x86-64

hostnamectl
Static hostname: hostname
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 5.2.9 (recent in 2019-08)
Architecture: x86-64

CONGRATULATIONS! 🙂
cleaning up:
# to avoid overwriting one's custom compiled kernel with the next update add this
vim /etc/yum.conf 
exclude=kernel*
# if it is a desktop workstation one might also want to
exclude=icedove* firefox* libreoffice*

benchmark:
a quadcore Intel(R) Core(TM) i5-3470T CPU @ 2.90GHz needs real 36m58.294s to
compile linux-4.15.1

….not sure what those messages are about:

full error message:

SELinux is preventing /usr/libexec/accounts-daemon from using the dac_read_search capability.

***** Plugin dac_override (91.4 confidence) suggests **********************

If sie überprüfen wollen, ob Domäne diesen Zugriff benötigt oder Sie eine Datei mit den falschen Berechtigungen auf Ihrem System haben
Then aktivieren Sie die vollständige Audit-Funktion, um die Pfad-Information der problematischen Datei zu erhalten. Dann reproduzieren Sie den Fehler erneut.
Do

Volle Audit-Funktion aktivieren
# auditctl -w /etc/shadow -p w
Versuchen Sie AVC zu reproduzieren. Führen Sie dann folgendes aus
# ausearch -m avc -ts recent
Falls PATH record ersichtlich ist, überprüfen Sie Eigentümer/Berechtigungen der Datei und korrigieren Sie dies,
anderenfalls melden Sie dies an Bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If sie denken, dass accounts-daemon standardmäßig dac_read_search Berechtigung haben sollten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:system_r:accountsd_t:s0
Target Objects                Unknown [ capability ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port
Host                          CentOS7
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     CentOS7
Platform                      Linux CentOS7 4.12.0cuztom #1 SMP Mon Jul 3 12:01:05 CEST 2017 x86_64 x86_64
Alert Count                   6
First Seen                    2017-07-03 15:13:18 CEST
Last Seen                     2017-07-03 15:13:52 CEST
Local ID                      286945cd-6cfc-4233-a5b4-747cfe5afe79

Raw Audit Messages
type=AVC msg=audit(1499087632.710:111): avc: denied { dac_read_search } for pid=782 comm="accounts-daemon" capability=2 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability permissive=0

Hash: accounts-daemon,accountsd_t,accountsd_t,capability,dac_read_search

important or simply cool and probably related links 🙂
watch Linus Torvalds at work at kernel.org: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
all kernel changes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/
http://www.kroah.com/log/blog/2018/02/05/linux-kernel-release-model/
https://www.heise.de/ct/artikel/Die-Neuerungen-von-Linux-4-12-3712705.html
Among the material likely coming for Linux 4.13 that we have already covered on Phoronix
includes:

– Initial AMD Raven Ridge graphics support (sans no display due to no DC/DAL yet), Vega
fixes, and other updates.
– Many Allwinner DRM changes.
– DRM sync objects are landing.
– Raspberry Pi / VC4 improvements.
– Various updates to the Intel DRM driver.
– Large directory support for EXT4.
– XPad updates and Google Rose Touchpad support.
– AES-128-CBC support in Fscrypt, the file-system generic crypto code currently utilized by
EXT4 and F2FS.
– Possibly the AMD SME/SEV security features supported by new EPYC CPUs.
– Continued push for more HDMI CEC drivers.
Stay tuned for thorough Linux 4.13 kernel feature coverage once the merge window opens
following the 4.12 debut.

src: http://www.phoronix.com/scan.php?page=news_item&px=Linux-4.13-Early-Look

About Greg the Kernel Monkey:


„Who are you, and what do you do?“

„I’m Greg Kroah-Hartman. I am a Linux kernel developer working for The Linux
Foundation as a Fellow. I’m responsible for different parts of the Linux kernel as a
maintainer (USB, driver core, staging area, other various bits), and I do the Linux kernel
stable releases every week or so, taking the bug fixes from the latest development tree and
backporting them to the last released kernel for all to use.
I started the Linux Driver Project many years ago while I was working at Novell/SuSE which
provides free Linux drivers for any company that wants them. That project still continues
today, writing a handful of new drivers every year.“

„What hardware do you use?“

„My laptop is a MacBook Pro Retina. My workstation is an old pieced-together Intel
machine, the parts selected for the size and lack of noise more than anything else, with two
large monitors connected. The laptop and the workstation all only have SSD drives in them.
I have an old Dell workstation as a build machine for kernel testing, with an extremely fast
Micron Flash PCI drive in it for building kernels. Thanks to Amazon’s generosity, I’ve been
doing a lot more kernel build testing on their AWS systems, utilizing a 32 processor, 64Gb
virtual machine, allowing me to build multiple kernels at the same time all on a RAM disk in
minutes. That has enabled me to be more productive while traveling.“
src: https://usesthis.com/interviews/greg.kh/
