Difference between pages "IPv6 Networking" and "Building a Kernel from Source"

= Building a Kernel from Source =

== Introduction ==

Setting up a proper kernel yourself, lean, mean and tailored to your hardware, is the challenge by which a Linux user graduates to becoming a Funtoo knight ;-)

Even though many of us use enterprise-ready kernels in datacenters, there is almost nobody who hasn't at least considered building a kernel for his laptop or PC.

We show here how an intermediate Linux user can use an alternative to the standard beginners' "genkernel" approach to compile a custom kernel, in a setup that is still relatively quick and easy.

=== Minimum Requirements ===

You should understand how things work in a terminal, and how to use an editor to tweak config files. This is crucial.

You don't need much knowledge about the Linux kernel and its internals. Nevertheless, you have to know at least where the files are located, how they are used and what the logic behind the overall file structure is. Otherwise you should consider using a non-source-based Linux distribution.

If you are scared now, don't worry: we are going to build a kernel the Funtoo way and you will pick up everything necessary to accomplish this challenge, step by step, so that next time you can do it yourself and become a real Funtoo knight!

=== Assumptions ===

You start from a Funtoo system installed on disk, or at least from a stage3 in a chrooted environment on a live CD, roughly following the Funtoo [[Installation (Tutorial)|Installation Tutorial]].

In this case we are building a kernel that boots a root filesystem on LVM inside an encrypted LUKS container.

If you don't have this setup, don't worry: you just don't need all the modules, but everything else is similar.

== Getting everything in order to start ==

First there is the decision which Linux kernel sources we need.

There are plenty of them in the repositories, and it is often not easy to distinguish between them.

I would always trust my distribution of choice and take what it has to offer, and Funtoo has a lot to offer!

I really do recommend (especially if it is your first time) that you first build a debian-sources genkernel as described in chapter 5 "Using Debian-Sources with Genkernel" of the [[Funtoo_Linux_Kernels| Funtoo Kernels Tutorial]].

From there you should have a running system booting nicely from your own (just a little bit bloated) kernel build. This is more than you can expect from any other ready-to-go distribution, and it is also the entry you fall back to if the custom kernel built below does not come up.

{{Note}} We are using Red Hat's dracut to build a nice initramfs (containing all the necessary tools and extra drivers our kernel might need to start the system). Although dracut is the way to go, more sophisticated and not as buggy as Gentoo's genkernel approach, more and more Funtoo geeks are starting to use slashbeast's better-initramfs, which we cover at the end of this howto. So, after having set up a genkernel from debian or gentoo sources, we are going to build a kernel with either (or both) dracut and/or better-initramfs. gentoo-sources with genkernel is always my backup if anything is not working correctly on my system. For the slightly more geeky approach with my own initramfs I am using pf-sources, ck-sources or any other more or less heavily patched sources.

Let's go!

=== Kernel Sources ===

We are going to use the kernel sources from the Funtoo git repository.

The sources you use on your system are up to you and your needs.

For a laptop or desktop system, we recommend one of the following:

* '''sys-kernel/pf-sources'''
* '''sys-kernel/ck-sources'''
* '''sys-kernel/gentoo-sources'''
* '''sys-kernel/git-sources'''
* '''sys-kernel/sysrescue-std-sources'''
* '''sys-kernel/debian-sources'''

Please have a look at the ebuild descriptions and the projects' homepages, and take the one that suits you best!

If you are unsure for now, use sys-kernel/gentoo-sources. That's always a safe bet for a general system.

It is not a problem to have various kernels installed in parallel, so go on with any one of them.

I am going to use sys-kernel/pf-sources now, as I already have gentoo-sources installed.

=== Prerequisites ===

I don't know which tools you have already installed, so some information here might be redundant. It doesn't harm to just copy and paste and do some steps again.

First, we look into our <code>/etc/make.conf</code>:

<console>
###i## nano /etc/make.conf
# These compiler flags are just tweaking (optimization) and NOT necessary:
CFLAGS="-O2 -pipe -march=native -ftracer -fforce-addr"
CXXFLAGS="${CFLAGS} -fpermissive -fomit-frame-pointer"
KDIR=/usr/src/linux
KERNEL="symlink build"
USE="$KERNEL ....here are your use flags...."
## These dracut modules are available:
## DRACUT_MODULES="dracut_modules_biosdevname dracut_modules_btrfs dracut_modules_caps dracut_modules_crypt dracut_modules_crypt-gpg dracut_modules_dmraid dracut_modules_dmsquash-live dracut_modules_gensplash dracut_modules_iscsi dracut_modules_livenet dracut_modules_lvm dracut_modules_mdraid dracut_modules_multipath dracut_modules_nbd dracut_modules_nfs dracut_modules_plymouth dracut_modules_ssh-client dracut_modules_syslog"
## We will use these modules for LVM / LUKS:
DRACUT_MODULES="crypt lvm plymouth biosdevname dmraid crypt-gpg dmsquash-live ssh-client syslog"
</console>

Next, we set the USE flags for dracut (this is a <code>package.use</code> entry, not a keyword entry):

<console>
###i## nano /etc/portage/package.use/dracut
sys-kernel/dracut dm net device-mapper crypt lvm
</console>

{{Note}} If you don't have LVM over encrypted LUKS you probably just add the "net" flag here, or "selinux".

After that we build our packages:

<console>
###i## emerge -av app-portage/gentoolkit sys-kernel/pf-sources sys-kernel/dracut sys-boot/plymouth sys-boot/plymouth-openrc-plugin
</console>

Finished? Well, then let's go on and prepare the kernel.

= IPv6 Networking =

== Introduction ==

[[wikipedia:IPv6|IPv6]] is a redesigned and improved version of the IPv4 protocol, intended to start replacing IPv4 in 2011 and beyond as the [[wikipedia:IPv4_address_exhaustion|IPv4 global address space becomes exhausted]]. IPv6 includes a number of improvements over IPv4, most notably 128-bit addressing, a simplified protocol header, integrated IPsec and multicast implementations, improved discovery, flexibility and router interaction, and improved facilities for auto-configuration. IPv6 also marks the end of [[wikipedia:Network_address_translation|Network Address Translation]] (NAT), which is neither recommended nor necessary with IPv6. While it is possible to use non-routable addresses with IPv6, this is not a requirement, and any IPv6 device can have its own globally routable IP address if desired.

== Addressing ==

IPv6 addresses consist of 128 bits. In practice the first 64 bits are the network and subnet portion of the address, and the remaining 64 bits are the host portion (the ''interface identifier''). For more information on how to write IPv6 addresses, please see the Presentation section of the [[wikipedia:IPv6_address|IPv6 address]] page on Wikipedia.

=== Network Masks ===

IPv6 addresses also have an associated prefix length (the "network mask"), written as a trailing "/64" or "/48" at the end of the address, which specifies which bits of the address are the network and subnet parts. For example, a "/48" prefix specifies a 48-bit network part, followed by a 16-bit subnet part (allowing 2<sup>16</sup> subnets), followed by a 64-bit host part (allowing up to 2<sup>64</sup> hosts in each of the 2<sup>16</sup> subnets). In contrast, a "/64" prefix specifies a 64-bit network part, no subnet part, and a 64-bit host part (allowing up to 2<sup>64</sup> hosts in total). This means that if you are issued a "/64", you will not be able to define any subnets, but if you are issued a "/48", you will be able to define up to 2<sup>16</sup> subnets (a "/56", which many ISPs hand out, sits in between with 2<sup>8</sup> subnets).

=== Address Space and Security ===

IPv6 also uses a global, flat address space. IPv6 is designed so that any device that needs to communicate on the Internet can have a unique, globally routable address. With IPv6, there is no need for [[wikipedia:Network_address_translation|Network Address Translation]] (NAT). With IPv4, NAT is often used as a means of protecting systems from being reached by malicious users. With IPv6, firewalls are used instead of NAT to restrict access to systems. With IPv6, it is normal for all machines on your home network to have "globally routable" addresses, the equivalent of a "public IP" in the world of IPv4. It is important to understand that this is the way IPv6 is intended to be used by the majority of users, and that an IPv6-enabled router will no longer be performing NAT for you. So the first thing to set up on an IPv6-enabled host is an <code>ip6tables</code> policy that gives you explicitly what IPv4 NAT gave you implicitly: accept established and related traffic, accept the ICMPv6 types listed below, and drop unsolicited inbound connections.

=== Using IPv6 ===

There are several ways to use IPv6 with Funtoo Linux. Here are some possibilities:

* Participating in an existing IPv6 network
* Creating a local IPv6 over IPv4 tunnel
* Enabling IPv6 on your router, possibly via a tunnel (several ISPs use '''6rd'''...)
* Unique Local IPv6 Unicast Addresses (site local)

==== Participating in IPv6 Network ====

The first approach is an option if your Funtoo Linux system happens to be on an IPv6 network, or you want to set up an IPv6 network. In this case, the Funtoo Linux system simply needs to be configured to participate in this IPv6 network, and it can participate in an IPv4 network at the same time. If you will be configuring an IPv6-compatible router, then you will simply configure your Funtoo Linux system to participate in this network.

==== Local IPv6 over IPv4 Tunnel ====

Another approach for using IPv6 is to configure an IPv6 over IPv4 tunnel locally on your Funtoo Linux system, in cooperation with a tunnel provider. This allows you to use an existing IPv4 network to connect a single Funtoo Linux system to IPv6. It is also possible to configure this system to serve as an IPv6 router.

==== Enabling IPv6 on Your Router ====

If you have a router that is capable of supporting IPv6, then it is possible to configure your router so that an IPv6 network is available, at which point you can simply configure your Funtoo Linux system to participate in it. Note that many popular home/office routers can be configured to use an IPv6 over IPv4 tunnel, which is a convenient option for home networks or smaller organizations to participate in IPv6. Using this approach, the computer systems behind the router are simply configured to participate in an IPv6 network, and your router handles tunnelling the IPv6 traffic back and forth to your tunnel provider. This is typically the most flexible option for exploring IPv6, as it allows multiple computer systems in your home or office to participate in an IPv6 network while your router takes care of everything transparently.

==== Using Unique Local IPv6 Unicast Addresses ====

If you don't have public IPv6 connectivity, or you don't wish to open an IPv6 tunnel over an IPv4 network, you can use a mechanism similar to the IPv4 private address ranges. It consists of concatenating the prefix FC00::/7 (in practice FD00::/8, because the L bit must be 1) with a pseudo-random 40-bit Global ID and a 16-bit Subnet ID to form the upper 64 bits of the IPv6 address. The details of forming a unique local IPv6 unicast address are documented in [http://tools.ietf.org/html/rfc4193 RFC 4193]; such an address is made of the following components:

<pre>
      | 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
      +--------+-+------------+-----------+----------------------------+
      | Prefix |L| Global ID  | Subnet ID |        Interface ID        |
      +--------+-+------------+-----------+----------------------------+
</pre>

* Prefix (7 bits): always FC00::/7
* L (1 bit): must be set to 1 (1 = the prefix is locally assigned; 0 is undefined so far and must not be used)
* Global ID (40 bits): a pseudo-random identifier (see [http://tools.ietf.org/html/rfc4193 RFC 4193] for the generation algorithm). Do not pick a memorable value such as all zeros: the randomness is what keeps two sites' ULA ranges from colliding when they are later connected or merged.
* Subnet ID (16 bits): identifies a subnet within the site
* Interface ID (64 bits): the host interface identifier as defined in [http://tools.ietf.org/html/rfc3513 RFC 3513]

{{Fancynote| Just like with private IPv4 addresses, an IPv6 router must not route a unique local IPv6 unicast address outside the organization's local network.}}

==== ICMPv6 ====

Some network administrators are pretty aggressive with ICMP filtering on their networks. Do not misunderstand us: ICMP is an integral part of the TCP/IP protocol stack and a necessary gear for its correct operation. ICMP messages are even more fundamental in IPv6, because some TCP/IP core mechanisms have been replaced by ICMPv6 messages: ARP is no longer used in an IPv6 world; instead a set of ICMPv6 messages provides the same functionality (''Neighbor Discovery Protocol'' or ''NDP''), and router discovery and address autoconfiguration are ICMPv6 (Router Solicitation / Router Advertisement) as well. Also, routers never fragment packets in IPv6, only the sender does, so blocking ICMPv6 messages like ''Packet Too Big'' breaks path MTU discovery and leaves you with connections that hang as soon as a large packet is sent. In general: '''do not block any ICMPv6 messages other than ''echo request'' and ''echo reply'''''. [http://tools.ietf.org/html/rfc4890 RFC 4890] gives a type-by-type list of what a firewall must let through.

=== Stateful vs stateless ===

There are several ways to assign IPv6 addresses on a network:

* Stateful: a DHCPv6 server is responsible for leasing and tracking all assigned IPv6 addresses. It works the same way as the well known traditional DHCP with some minor variations, but the idea beneath is exactly the same.
* Stateless: nothing leases or tracks assigned IPv6 addresses on the network. Instead, machines use either an IPv6 address manually entered by the network administrator, or a combination of the /64 prefix carried in Router Advertisement messages with an interface identifier derived from their network adapter's MAC address (the modified EUI-64 format), or a random identifier if privacy extensions (RFC 4941) are enabled.
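The address arithmetic behind the stateless case and the ULA section above, as an added example that is not part of the original page: the modified EUI-64 interface identifier (RFC 4291, appendix A), the SLAAC address a host forms from an advertised /64, the pseudo-random fd00::/8 site prefix from RFC 4193 section 3.2.2, and carving a /64 out of a /48 as described under Network Masks. The sample MAC is constructed; its EUI-64 happens to be the host part of the address used in the netif.eth0 example on this page.

```python
"""Forming IPv6 addresses the way SLAAC and RFC 4193 do (added example)."""
import hashlib
import ipaddress
import time
from typing import Optional


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, appendix A).

    The MAC is split in half, ff:fe is inserted in the middle, and the
    universal/local bit (0x02 of the first byte) is inverted.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from the /64 in a Router Advertisement plus its EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix from the Router Advertisement")
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Pseudo-random fd00::/8 site prefix per RFC 4193 section 3.2.2.

    Global ID = the least significant 40 bits of SHA-1(64-bit NTP time || EUI-64).
    The 7-bit prefix fc00::/7 with L=1 gives the leading byte 0xfd.
    """
    t = time.time() if unix_time is None else unix_time
    secs = int(t) + 2208988800                     # NTP epoch is 1900-01-01
    frac = int((t - int(t)) * 2**32)               # 32.32 fixed-point fraction
    ntp64 = ((secs & 0xFFFFFFFF) << 32) | frac
    digest = hashlib.sha1(ntp64.to_bytes(8, "big") + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # low 40 bits of the digest
    site = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((site, 48))


def site_subnet(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 2**16 /64 subnets inside a /48 (ULA or provider-assigned)."""
    if site.prefixlen != 48 or not 0 <= subnet_id < 2**16:
        raise ValueError("need a /48 and a 16-bit Subnet ID")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    mac = "00:18:51:ea:ee:21"      # constructed sample MAC
    print("SLAAC :", slaac_address("2001:470:d:c2c::/64", mac))
    site = ula_prefix(mac)
    print("ULA   :", site)
    print("subnet:", site_subnet(site, 1))
```

Two things the code makes visible: the EUI-64 identifier is the MAC address with two bytes inserted, so a SLAAC host announces its hardware address to every site it visits (hence privacy extensions, <code>net.ipv6.conf.all.use_tempaddr=2</code> on Linux), and a ULA Global ID is only unique because it is random; run <code>ula_prefix()</code> once, write the result down, and never "simplify" it to something like fd00:1::/48.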
= IPv6 Networking: Kernel Requirements and Commands =

== Requirements ==

IPv6 requires CONFIG_IPV6 to be enabled in your kernel (either compiled in or as a module). If it is compiled as a module (e.g. if your kernel was compiled by genkernel), ensure the module is loaded:

<console>
###i## lsmod | grep ipv6
</console>

If this returns nothing, load the module with:

<console>
###i## modprobe ipv6
</console>

If <code>modprobe</code> reports that there is no such module, IPv6 is most likely built into the kernel rather than missing: <code>zcat /proc/config.gz | grep CONFIG_IPV6</code> (or <code>grep CONFIG_IPV6 /usr/src/linux/.config</code>) will show <code>CONFIG_IPV6=y</code>, and <code>/proc/net/if_inet6</code> exists whenever IPv6 is available.

== Commands ==

; ping6
: IPv6 ping command
; route -6
: show IPv6 routes (net-tools; the iproute2 equivalent is <code>ip -6 route show</code>)
; ip -6 neigh show
: show all IPv6 neighbors on the local LAN (the NDP counterpart of the ARP table)

= Building a Kernel from Source: Preparing the Kernel =

We now go to the sources directory and enter the following commands to update the kernel's <code>.config</code> file, starting from the configuration of the currently running (genkernel) kernel:

<console>
###i## cd /usr/src/linux/
###i## make clean
  CLEAN  .
  CLEAN  arch/x86/kernel/acpi/realmode
  CLEAN  arch/x86/kernel/cpu
  CLEAN  arch/x86/kernel
  CLEAN  arch/x86/vdso
  CLEAN  arch/x86/lib
  CLEAN  drivers/gpu/drm/radeon
  CLEAN  drivers/net/wan
  CLEAN  drivers/scsi/aic7xxx
  CLEAN  drivers/tty/vt
  CLEAN  drivers/video/logo
  CLEAN  firmware
  CLEAN  kernel
  CLEAN  lib/raid6
  CLEAN  lib
  CLEAN  security/apparmor
  CLEAN  security/selinux
  CLEAN  usr
  CLEAN  arch/x86/boot/compressed
  CLEAN  arch/x86/boot
  CLEAN  .tmp_versions
  CLEAN  vmlinux System.map .tmp_kallsyms2.S .tmp_kallsyms1.o .tmp_kallsyms2.o .tmp_kallsyms1.S .tmp_vmlinux1 .tmp_vmlinux2 .tmp_System.map
###i## zcat /proc/config.gz > /usr/src/linux/.config
</console>

{{Note}} <code>/proc/config.gz</code> only exists if the running kernel was built with <code>CONFIG_IKCONFIG_PROC</code>. If it is missing, start from the config genkernel saved under <code>/etc/kernels/</code> instead.

<console>
###i## make localmodconfig
</console>

{{Note}} <code>make localmodconfig</code> disables every module that is not loaded at the moment you run it. So before running it, plug in and use everything the new kernel must support (USB storage, the encrypted root's <code>dm_crypt</code> and the device-mapper/LVM modules, your network cards, ...), otherwise those drivers will be missing from the result and the new kernel will not find your root filesystem.

You will get some questions, which you can answer mostly with either M (compiled as a module) or Y (compiled directly into the kernel).

<pre>
Enable different security models (SECURITY) [Y/n/?] y
Enable the securityfs filesystem (SECURITYFS) [Y/?] y
Socket and Networking Security Hooks (SECURITY_NETWORK) [Y/?] y
Security hooks for pathname based access control (SECURITY_PATH) [Y/?] y
Low address space for LSM to protect from user allocation (LSM_MMAP_MIN_ADDR) [65536] 65536
NSA SELinux Support (SECURITY_SELINUX) [Y/n/?] y
  NSA SELinux boot parameter (SECURITY_SELINUX_BOOTPARAM) [N/y/?] n
  NSA SELinux runtime disable (SECURITY_SELINUX_DISABLE) [N/y/?] n
  NSA SELinux Development Support (SECURITY_SELINUX_DEVELOP) [Y/n/?] y
  NSA SELinux AVC Statistics (SECURITY_SELINUX_AVC_STATS) [Y/n/?] y
  NSA SELinux checkreqprot default value (SECURITY_SELINUX_CHECKREQPROT_VALUE) [1] 1
  NSA SELinux maximum supported policy format version (SECURITY_SELINUX_POLICYDB_VERSION_MAX) [Y/n/?] y
    NSA SELinux maximum supported policy format version value (SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE) [19] 19
TOMOYO Linux Support (SECURITY_TOMOYO) [Y/n/?] y
  Default maximal count for learning mode (SECURITY_TOMOYO_MAX_ACCEPT_ENTRY) [2048] 2048
  Default maximal count for audit log (SECURITY_TOMOYO_MAX_AUDIT_LOG) [1024] 1024
  Activate without calling userspace policy loader. (SECURITY_TOMOYO_OMIT_USERSPACE_LOADER) [Y/n/?] y
AppArmor support (SECURITY_APPARMOR) [Y/n/?] y
  AppArmor boot parameter default value (SECURITY_APPARMOR_BOOTPARAM_VALUE) [1] 1
Integrity Measurement Architecture(IMA) (IMA) [Y/n/?] y
EVM support (EVM) [N/y/?] (NEW)
Default security module
  1. SELinux (DEFAULT_SECURITY_SELINUX)
  2. TOMOYO (DEFAULT_SECURITY_TOMOYO)
  3. AppArmor (DEFAULT_SECURITY_APPARMOR)
> 4. Unix Discretionary Access Controls (DEFAULT_SECURITY_DAC)
choice[1-4?]: 4
warning: (ACPI_HOTPLUG_CPU) selects ACPI_CONTAINER which has unmet direct dependencies (ACPI && EXPERIMENTAL)
warning: (MEDIA_TUNER) selects MEDIA_TUNER_TEA5761 which has unmet direct dependencies (MEDIA_SUPPORT && VIDEO_MEDIA && I2C && EXPERIMENTAL)
#
# configuration written to .config
#
warning: (GFS2_FS) selects DLM which has unmet direct dependencies (EXPERIMENTAL && INET && SYSFS && CONFIGFS_FS && (IPV6 || IPV6=n))
warning: (IMA) selects TCG_TPM which has unmet direct dependencies (HAS_IOMEM && EXPERIMENTAL)
warning: (MEDIA_TUNER) selects MEDIA_TUNER_TEA5761 which has unmet direct dependencies (MEDIA_SUPPORT && VIDEO_MEDIA && I2C && EXPERIMENTAL)
warning: (ACPI_HOTPLUG_CPU) selects ACPI_CONTAINER which has unmet direct dependencies (ACPI && EXPERIMENTAL)
root@[~src/linux] #
</pre>
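Before building, it pays to check that the <code>.config</code> produced by <code>make localmodconfig</code> still contains what the LUKS-on-LVM root path in this howto needs. The following checker is an added example, not a tool from the page or from Funtoo: it parses a kernel <code>.config</code> and sorts the options it cares about into built-in, module and missing. The option list is an assumption (AES with either XTS or CBC-ESSIV, SHA-256, ext4); take the real cipher and hash from <code>cryptsetup luksDump</code> on your volume and adjust the table. The sample config text is constructed.

```python
"""Check a kernel .config for what an encrypted-LVM root needs (added example)."""
import re
import sys
from typing import Dict, List, Optional

# Options the root-on-LVM-on-LUKS boot in this howto depends on (assumed list;
# match the cipher/mode/hash entries against `cryptsetup luksDump`).
ROOT_REQUIREMENTS: Dict[str, str] = {
    "CONFIG_BLK_DEV_INITRD": "initramfs support, needed for dracut and better-initramfs",
    "CONFIG_DEVTMPFS": "kernel-populated /dev, expected by dracut and udev",
    "CONFIG_BLK_DEV_DM": "device-mapper, the base of both LVM and dm-crypt",
    "CONFIG_DM_CRYPT": "dm-crypt target used by cryptsetup/LUKS",
    "CONFIG_CRYPTO_AES": "AES cipher (LUKS default)",
    "CONFIG_CRYPTO_XTS": "XTS mode (cryptsetup 1.6+ default: aes-xts-plain64)",
    "CONFIG_CRYPTO_CBC": "CBC mode (older cryptsetup default: aes-cbc-essiv:sha256)",
    "CONFIG_CRYPTO_SHA256": "hash used by the LUKS header and ESSIV",
    "CONFIG_EXT4_FS": "root filesystem named in boot.conf (rootfstype=ext4)",
    "CONFIG_IKCONFIG_PROC": "/proc/config.gz, so the next rebuild can start from this config",
}

_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.*?)|# (CONFIG_\w+) is not set)\s*$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map CONFIG_* names to 'y', 'm', a literal value, or 'n' for 'is not set'."""
    options: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                    # comments, blank lines, section headers
        if m.group(3):
            options[m.group(3)] = "n"
        else:
            options[m.group(1)] = m.group(2)
    return options


def check_root_requirements(options: Dict[str, str],
                            required: Dict[str, str] = ROOT_REQUIREMENTS) -> Dict[str, List[str]]:
    """Split the required options into built-in (y), module (m) and missing.

    Modules are only acceptable if the initramfs ships them: dracut copies them
    in, better-initramfs does not, so for better-initramfs treat 'modules' as
    'missing' and switch those options to Y.
    """
    result: Dict[str, List[str]] = {"builtin": [], "modules": [], "missing": []}
    for name in required:
        state = options.get(name, "n")
        if state == "y":
            result["builtin"].append(name)
        elif state == "m":
            result["modules"].append(name)
        else:
            result["missing"].append(name)
    return result


# Constructed .config fragment, the shape `make localmodconfig` leaves when
# dm_crypt was loaded at the time but the xts module was not.
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_BLK_DEV_INITRD=y
CONFIG_DEVTMPFS=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_SHA256=y
CONFIG_EXT4_FS=y
CONFIG_IKCONFIG_PROC=y
CONFIG_LOCALVERSION="-pf"
"""


def report(path: Optional[str] = None) -> Dict[str, List[str]]:
    """Print module/missing findings for a .config file (or the sample) and return them."""
    text = open(path).read() if path else SAMPLE_CONFIG
    result = check_root_requirements(parse_kconfig(text))
    for name in result["modules"]:
        print(f"module : {name:28s} {ROOT_REQUIREMENTS[name]}")
    for name in result["missing"]:
        print(f"MISSING: {name:28s} {ROOT_REQUIREMENTS[name]}")
    return result


if __name__ == "__main__":
    # python check_kconfig.py /usr/src/linux/.config  -> exit 1 if anything is missing
    findings = report(sys.argv[1] if len(sys.argv) > 1 else None)
    sys.exit(1 if findings["missing"] else 0)
```

Run it against <code>/usr/src/linux/.config</code> after <code>make localmodconfig</code>; anything it reports as missing is something you fix with <code>make menuconfig</code> before <code>make bzImage</code>, not something you discover at the initramfs prompt after the reboot.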
= Configuration =
+
Now comes the most adventurous part!
  
== Participating in an Existing IPv6 Network ==
+
= Building the Kernel =
 +
<console>
 +
###i## make -j8  bzImage
 +
###i## make -j8 modules
 +
###i## make modules_install
 +
###i## make install
 +
</console>
  
If your local network already supports IPv6, then you can simply configure Funtoo Linux to participate in this IPv6 network. Here is a sample configuration that might be used to configure an ethernet interface (netif.eth0) to participate in both an IPv4 and IPv6 network. Edit the file <tt>/etc/netif.d/netif.eth0</tt>:
 
  
<pre>
+
'''Building an initramfs or not?'''
template="interface"
+
ipaddr="10.0.1.200/24 2001:470:d:c2c:218:51ff:feea:ee21/64"
+
gateway="10.0.1.1"
+
nameservers="10.0.1.1 2001:470:20::2"
+
domain="funtoo.org"
+
multicast="yes"
+
routes="2000::/3 via fe80::daa2:5eff:fe7a:83de dev eth0"
+
</pre>
+
  
Above, we use the <tt>interface</tt> template, and specify both an IPv4 and IPv6 address (with network mask) for <tt>ipaddr</tt>. In addition, an IPv4 and IPv6 nameserver is specified. For routing, we use the <tt>gateway</tt> command to specify an IPv4 gateway, while we use the <tt>routes</tt> command to specify a route to our router, which in this case has address <tt>fe80::daa2:5eff:fe7a:83de</tt> and is reachable on device eth0.
+
The reason to build a kernel with an initramfs is mostly for interoperability (e.g. live-cd's) and special features like an included busybox, ssh, etc. But mostly, and that's why we are doing this here now, to have a proper kernel up and running quick'n dirty in a reasonable time without fighting hours and days until a more or less exotic hardware is perfectly run by the kernel.  
 +
After having a proper basic kernel running with the help of an initramfs, I really recommend you to go a step further and build a true kernel with all features includes without an initramfs. But this could be pain in the ass and very time consuming - so we do it the funtoo way here - at least in the second example when we stick to better-initramfs instead of Red-Hat's ''dracut''.
  
Note that we specify a route for "2000::/3" rather than "::/0" or "default", and this is a bit unusual. This is to work around a bug in many Linux kernels that prevents the default route from being handled properly. "2000::/3" maps to all routable IP addresses and has the benefit of being compatible with all Linux kernels.
+
= Option one: Initrd with dracut =
  
=== Many Addresses and Stateless Autoconfiguration ===
+
To build the initrd we just execute
  
Also note that if we did not specify an IPv6 address in the <tt>ipaddr</tt> variable, then eth0 would still get at least one IPv6 address anyway. First, it would get a link-local address, starting in <tt>fe80::/16</tt>, and it would also automatically use ''stateless autoconfiguration'' to grab an unused IPv6 address from the range used by your IPv6 router. This works similarly to the way a DHCP client works with IPv4, but is built-in to the IPv6 protocol and does not require a DHCP server to function. It works because with IPv6, routers send out ICMP packets to advertise themselves to systems on your network, and your Funtoo Linux system can use this information to automatically grab an unused address. It is important to understand this behavior because it means that by default, your Funtoo Linux system will grab a globally-routable ("public") IPv6 address from your router with no steps necessary on your part and thus may be accessible from the Internet if no firewall is in place. However, in most cases the default IPv6 route must be specified in the <tt>routes</tt> variable for IPv6 to function properly, so this auto-configuration isn't completely automatic at this time.
+
<console>
 +
# ##i##dracut -f --fstab --xz /boot/initramfs-3.2.6-pf.img  3.2.6-pf
 +
</console>
  
== Local IPv6 over IPv4 Tunnelling ==
+
Generally, this really should be enough!
 +
If you experience booting problems like missing modules / drivers then just boot from the genkernel section and fix the initrd building. You can look into the man page to tweak the command a bit (e.g. --add-drivers "xz dm_crypt" etc...).
  
Tunnelling is the process of encapsulating IPv6 packets within an IPv4 packet so that it can be transmitted over an IPv4 network. This process happens at a local ''tunnel entry point'', which can be a Linux machine or a router, such as an Apple AirPort. The packet then traverses the IPv4 network, until reaches the ''tunnel endpoint'', which ''de-encapsulates'' the packet and places it on an IPv6 network. There are several different types of IPv6 tunnels. There are also several IPv6 tunnel providers that offer free tunnelling services, making it convenient to start using IPv6, even on your home network.
+
Ok let's go on and finish the taks, we are going to tell now grub how to boot off correctly!
  
Note that if you want configure an IPv6 over IPv4 tunnel on your router, such as an Apple AirPort, then you will simply need to sign up with one of the tunnel providers and use their instructions to configure your router. At this point, your router will be IPv6 enabled and you can then configure your Funtoo Linux system to participate in an existing IPv6 network using the instructions in the previous section. If this is not an option for you, then it is also possible to set up the IPv6 over IPv4 tunnel directly on your Funtoo Linux system. This means that only your Funtoo Linux system will be able to participate in IPv6, at least to start (later, you could configure your Funtoo Linux system to route IPv6 for other machines on your network) Follow the instructions in this section to set up local tunneling on your Funtoo Linux system.
+
<console>
 +
###i## nano /etc/boot.conf
  
=== Tunnel providers ===
+
boot {
; [http://gogonet.gogo6.com/page/freenet6-tunnelbroker freenet6]
+
        generate grub
: Supports anonymous tunnels and works behind NAT. You can connect to with your login or as anonymous from anywhere. This can be configured under Funtoo Linux by emerging the '''net-misc/gogoc''' ebuild.
+
        default "Funtoo Linux dracut"
; [http://tunnelbroker.net/ Hurricane Electric]
+
        timeout 3
: Configured '''6in4''' tunnel, with support for dynamic IPv4 addresses, and Apple AirPorts can be configured to use this tunnel - see [http://www.nedprod.com/Niall_stuff/addingIPv6toyourhome.html this link]. Also see [http://ipv6.he.net/certification/faq.php ipv6.he.net FAQ] You can setup this tunnel with ifconfig and iproute2, or configure your router to be the tunnel entry point  -- the point at which IPv6 traffic is encapsulated/de-encapsulated.
+
}
; [http://en.wikipedia.org/wiki/Teredo_tunneling Teredo]/[http://www.remlab.net/miredo/ Miredo]
+
: [http://tools.ietf.org/html/rfc4380 RFC4380] mandated transition mechanism. Works behind NAT. Assigns one "/128" per host.
+
  
=== Getting Started with gogoc ===
+
"Funtoo Linux genkernel" {
 +
        kernel kernel-genkernel[-v]
 +
        initrd initramfs-genkernel[-v]
 +
        params = quiet rootfstype=ext4
 +
        params += luks enc_root=/dev/sda3
 +
        params += lvm root=/dev/mapper/vg-root
 +
}
  
Freenet6 is a free IPv6 access service provided by gogo6 via the [http://en.wikipedia.org/wiki/Tunnel_Setup_Protocol TSP tunnelling protocol].
+
"Funtoo Linux dracut" {
<code>gogoc</code> supports any TSP tunnel; perhaps one is provided by your ISP. We will focus on an anonymous tunnel via freenet6.
+
        kernel vmlinuz[-v]
 +
## this is the better-initramfs generated initrd
 +
        initrd initramfs[-v].img
 +
        params  = quiet rootfstype=ext4
 +
        params += luks enc_root=/dev/sda3
 +
        params += lvm root=/dev/mapper/vg-root
 +
}
 +
</console>
  
You need ipv6 to be enabled in your kernel as well as the TUN module.
+
That's it almost!
  
You can quickly get started by emerging {{Package|net-misc/gogoc}}, adding <code>gogoc</code> to your startup scripts and starting it.
+
Now write to the <code>grub.cfg</code> with the new handy boot-update script from funtoo:
{{Package|net-misc/gogoc}} is currently keyworded unstable (on some architectures, see [https://bugs.gentoo.org/362549 gentoo bug #362549]). If you are running stable Funtoo, you may want to put an entry into your package.keywords/package.accept_keywords file.
+
 
<console>
 
<console>
###i## emerge gogoc
+
###i## boot-update -v
###i## bzcat /usr/share/doc/gogoc-*/gogoc.conf.sample.bz2 >/etc/gogoc/gogoc.conf
+
###i## rc-update add gogoc default
+
###i## /etc/init.d/gogoc start
+
</console>
+
  
{{Fancynote| By default, <code>gogoc</code> will use an anonymous tunnel. If you wish to authenticate yourself, read and edit <code>/etc/gogoc/gogoc.conf</code>.}}
+
boot-update 1.5.2 / Copyright 2009-2011 Funtoo Technologies
  
=== Getting started with Teredo ===
+
[use option "-l" for license info, "-h" for help]
  
While this mechanism is officially called Teredo, the implementation of the Teredo service we will be using is called Miredo.
+
* Generating config for grub...
{{Fancynote| {{Package|net-misc/miredo}} is currently keyworded unstable. If you are running stable Funtoo, you may want to put an entry into your package.keywords/package.accept_keywords file.}}
+
  
Emerge <tt>net-misc/miredo</tt> and start it up (you can add it to your default runlevel if you wish):
+
DEFAULT > Funtoo Linux - vmlinuz-3.2.6-pf
<console>
+
          Funtoo Linux genkernel - kernel-genkernel-x86_64-3.2.6-pf
###i## emerge net-misc/miredo
+
###i## /etc/init.d/miredo start
+
</console>
+
  
{{Fancynote| Miredo requires <code>CONFIG_TUN</code> enabled in your kernel. If it is compiled as a module, ensure the <tt>tun</tt> module is loaded.}}
+
* Completed successfully.
 
+
If all goes well, you can check the assignment of an IPv6 address using <tt>/sbin/ip</tt>, for example:
+
<console>
+
###i## /sbin/ip addr show dev teredo
+
4: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN qlen 500
+
    link/none
+
    inet6 2001:0:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/32 scope global
+
      valid_lft forever preferred_lft forever
+
    inet6 fe80::ffff:ffff:ffff/64 scope link
+
      valid_lft forever preferred_lft forever
+
 
</console>
 
</console>
  
=== Tunnelling 6to4 ===
+
Okay,... here you go..! :)
  
6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels.
+
Reboot and see how it works!
When using 6to4 your IPv6 golablly addressable IP is generated from you IPv4 IP address.
+
  
The anycast address of 192.88.99.1 has been allocated for the purpose of sending packets to a 6to4 relay router. Note that when converted to a 6to4 IPv6 address with the subnet and hosts fields set to zero this IPv4 address (192.88.99.1) becomes the IPv6 address 2002:c058:6301::.
+
= Option two: using better-initramfs =
  
To use the funtoo network template method, write the config file for the interface <tt>/etc/conf.d/netif.6to4</tt> (which will also handle the converting of your IPv4 address to your IPv6 address). Make sure you change "WAN" to your correct internet facing interface.
+
Piotr's better-initramfs is another approach that is tiny, nice and shiny and seems to become more and more a favourite among funtoo'ers. The biggest plus is that, once built it is kernel version independant.
  
 +
For using this you just do the following steps:
 
<pre>
 
<pre>
template=ipv6-tunnel
+
1. download sources
WAN="eth0"
+
2. build kernel with "make bzImage"
MTU="1280"
+
3. download better-initramfs
ipv4=`ifconfig $WAN | sed -ne 's/[[:space:]]*inet addr:\([0-9.]*\).*/\1/p'`
ipv6=`printf "2002:%02x%02x:%02x%02x::1" \`echo $ipv4 | tr "." " "\``
remote=192.88.99.1
local="$ipv4/24"
ipaddr="$ipv6/48"
routes="2000::/3 via 2002:c058:6301:: dev $WAN"
</pre>

Then create the netif.6to4 symlink and add it to the default runlevel:

<console>
###i## ln -s /etc/init.d/netif.tmpl /etc/init.d/netif.6to4
###i## rc-update add netif.6to4 default
###i## /etc/init.d/netif.6to4 start
</console>

You should now be able to connect via IPv6:

<console>
###i## ping6 ipv6.google.com
</console>

To allow this host to act as a router, a modified template is required. Edit the file <tt>/etc/netif.d/ipv6-tunnel</tt>:

<pre>
#!/bin/sh

netif_pre_up() {
        require local remote
        try ip tunnel add $interface mode sit remote $remote local $local ttl 255
        try ip addr add $ipaddr dev $interface
        try ip addr add $ipaddr4 dev $interface
}

netif_post_up() {
        try ip route add ::/0 dev $interface
}

netif_pre_down() {
        ip route del ::/0 dev $interface
}

netif_post_down() {
        ip tunnel del $interface
}
</pre>

Then add the following line to <tt>/etc/conf.d/netif.6to4</tt>:

<pre>
ipaddr4="$ipv4/24"
</pre>

After restarting the 6to4 interface, radvd can be started:

<console>
###i## /etc/init.d/netif.6to4 restart
###i## /etc/init.d/radvd start
</console>
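The 6to4 address arithmetic from the conf.d snippet above, as an added example in POSIX sh (not part of the original page): it derives the 2002::/16 prefix from an IPv4 address with the input checks the one-liner omits, and shows that the route's next hop 2002:c058:6301:: is simply the 6to4 form of the relay anycast address 192.88.99.1. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): derive the 6to4 prefix for a
# public IPv4 address the way the netif.6to4 snippet does, with the input
# validation that snippet omits. Function names are assumptions.

# Return 0 if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 6to4 embeds the IPv4 address in the prefix, so only a globally routable
# IPv4 address works; RFC 1918, loopback and link-local ranges are rejected
# (documentation ranges such as 192.0.2.0/24 are not checked here).
public_ipv4() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

# Print the 2002::/16 prefix (the /48) that belongs to the IPv4 address $1.
six_to_four_prefix() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    public_ipv4 "$1" || { echo "not a public IPv4 address: $1" >&2; return 1; }
    printf '2002:%02x%02x:%02x%02x::' $(echo "$1" | tr '.' ' ')
}

# Host address to drop into /etc/conf.d/netif.6to4 (matches ipaddr="$ipv6/48").
six_to_four_host() {
    p=$(six_to_four_prefix "$1") || return 1
    echo "${p}1/48"
}

# Next hop for 2000::/3: the 6to4 form of the relay anycast address 192.88.99.1.
six_to_four_relay() {
    six_to_four_prefix 192.88.99.1
}

# Example run with a constructed (documentation-range) address.
six_to_four_host 192.0.2.1      # 2002:c000:0201::1/48
six_to_four_relay               # 2002:c058:6301::
six_to_four_prefix 192.168.1.1 || echo "(rejected, as expected)"
```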

== Optimization ==

=== Prefer IPv4 over IPv6 ===

Generally, if your IPv6 connection goes through a tunnel it will be slower than an IPv4 connection. For this reason, if you are using an IPv6 tunnel, it can be best to configure your systems to ''prefer'' IPv4 when an IPv4 version of the site is available, and to use IPv6 only when necessary. This way you avoid unnecessary encapsulation and de-encapsulation of IPv4 traffic. Here's how to do this for a number of operating systems:

==== Linux ====

Linux will prefer IPv6 if IPv6 support is enabled in the kernel. To prefer IPv4, edit <tt>/etc/gai.conf</tt> and add this line:

<pre>
precedence ::ffff:0:0/96 100
</pre>

==== Windows 7, Server 2008, Vista ====

These operating systems prefer IPv6 by default. See [http://msdn.microsoft.com/en-us/library/bb756941.aspx this link]. To prefer IPv4, use the following steps:

# Start <tt>regedit.exe</tt>.
# Navigate to <tt>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters</tt>.
# Create a new DWORD named <tt>DisabledComponents</tt>. Edit this new DWORD and set it to the HEX value <tt>20</tt> (DECIMAL value <tt>32</tt>).
# Restart your computer.

== ISPs who currently have IPv6 enabled for residential customers ==

* Canada:
** '''Videotron''': Videotron has a [http://support.videotron.com/residential/internet/ipv6/videotron-ipv6 beta-program] for residential customers who want to test IPv6 (no official technical support; it is possible they have not enabled it in your area, so check first before investing in new hardware). Although, at the date of writing, a large part of their network is IPv6, '''you must go through a 6rd tunnel''' because they still need to upgrade some of their equipment, and '''your router must support the 6rd protocol''' (this requirement is documented). Videotron sells you a D-Link DIR-825 with a modified firmware; however, this model has a weird gotcha: it does not support IPv6 firewalling. '''This is not a Videotron specific issue''' (even the genuine firmware from the manufacturer has no support for IPv6 firewalling as of June 2011). A good alternative to recommend is the CISCO/LinkSYS E4200, more expensive (MSRP ~$180 US/CDN) but with IPv6 firewalling support. Once the E4200 firmware has been upgraded, go to Setup/IPv6 Setup, disable "IPv6 - Automatic" (you should then see an IPv6 address in the DUID field) and leave "automatic" for the 6rd configuration. You should be in business and see all of the hosts on your network with an IPv6 stack enabled being assigned a public IPv6 address starting with 2607:f048.
** '''Teksavvy''': TekSavvy has an [http://teksavvy.com/ipv6 IPv6 beta-program] for residential customers who use their DSL service (no statement found for cable connections). Just ask them to enable IPv6 on your subscription and it should be available within the next 24 hours. Their IPv6 connectivity is native, so you don't need to set up a tunnel.
** '''Shaw''' (?)
** '''Cogeco cable''' (?)
** '''Telus''' (?)
** '''Bell''': Bell appears to have official IPv6 support, especially for its business subscribers (see http://ipv6.bell.ca), via a toolkit and various web pages on the subject.

* France:
** '''Free'''
** '''Nerim'''
** '''the French Data Network (FDN)'''
* United States:
** '''Comcast''' (limited pilot in some areas only)

== Home routers compatible with IPv6 ==

A few residential routers have support for IPv6 at the date of writing, and many more home networking devices will have robust IPv6 support in the more or less near future. The following does not pretend to be exhaustive:

* '''D-Link DIR-825 rev. 1B''' (June 2011): Has IPv6 support out of the box; however, for some reason the router has no support for IPv6 firewalling, even with the 2.05N revision of the firmware. The consequence for you is that you have to deploy an IPv6 firewall on each of the hosts concerned with public IPv6 connectivity. The Canadian ISP Videotron is selling a DIR-825 with a customized firmware; unfortunately, as with the genuine manufacturer firmware, no IPv6 firewalling is possible :( .

* '''CISCO/LinkSys E4200''' (June 2011): Advertised as being IPv6 compatible with a firmware update (available as of June 14th 2011 -> check for the version tagged 1.0.02 build 13 or later on the manufacturer website). The device supports native IPv6 and IPv6 through a 6rd tunnel (no support for any other tunneling protocol).

== Resources ==

*[http://ipv6.he.net/certification/cert-main.php free ipv6 certification program]
*[http://ipv6-test.com/ Test ipv6 (ipv6-test.com)]
*[http://test-ipv6.com/ Test ipv6 (test-ipv6.com)]
*[http://www.comcast6.net/ Comcast's IPv6 page]
*[http://tunnelbroker.net/ Hurricane Electric Tunnel Broker]
*[http://www.gentoo-wiki.info/HOWTO_IPv6 Gentoo Wiki IPv6]
*[http://www.gentoo.org/doc/en/ipv6.xml Gentoo IPv6 Guide]

With Apple AirPort Extreme, etc.:

*[http://www.tunnelbroker.net/forums/index.php?topic=680.0 tunnelbroker.net forums post - airport config]
*[http://www.nedprod.com/Niall_stuff/addingIPv6toyourhome.html Adding IPv6 Support To Your Home]
*[http://www.tunnelbroker.net/forums/index.php?topic=273.0 tunnelbroker.net forums post - Gentoo config (won't work in Funtoo)]

Nice overview of IPv6:

* [http://www.linux.com/learn/tutorials/428331-ipv6-crash-course-for-linux IPv6 Crash Course for Linux] and page 2 [http://www.linux.com/learn/tutorials/432537:another-ipv6-crash-course-for-linux-real-ipv6-addresses-routing-name-services IPv6 Crash Course for routing name services]
* [http://livre.g6.asso.fr/index.php/Accueil IPv6 Théorie et Pratique (in French only)], a revised online version of the O'Reilly book published in 2005 by a collective of researchers and IT actors.

[[Category:HOWTO]]
[[Category:Networking]]
[[Category:Featured]]
[[Category:Kernel]]

Revision as of 17:51, January 9, 2014

Setting up a proper kernel yourself - lean, mean and tailored to your hardware - is the challenge by which a Linux user can graduate to becoming a Funtoo knight ;-)

Even though many of us are using enterprise-ready kernels in datacenters, there is almost nobody who hasn't at least considered building a kernel for his laptop / PC. We show here how an intermediate Linux user can use an alternative to the standard beginners' "genkernel" approach to compile a custom kernel, in a setup that is still relatively speedy and easy.

Minimum Requirements

You should understand how things work in a terminal, and how to use an editor and tweak config files. This is crucial. You don't need much knowledge about the Linux kernel and its internals. Nevertheless, you have to know at least where the files are located, how they are used and what the file logic behind the overall structure is. Otherwise you should consider using a non source based Linux distribution. If you are scared now, don't worry - we are going to build a kernel the Funtoo way and you will pick up everything necessary to accomplish this challenge, step by step, so that the next time you do it yourself and become a real Funtoo knight!

Assumptions

You start from an installed Funtoo system on disk, or at least you are in a stage3 in a chrooted environment from a live CD, more or less following the Funtoo Installation Tutorial.

In this case we are building a kernel that boots root on LVM over an encrypted LUKS container. If you don't have this setup, don't worry: you just don't need all the modules, but everything else is similar.


Getting everything in order to start

First there is the decision which Linux kernel sources we need. There are plenty of them in the repositories, and often it is not easy to distinguish between them.

I would always trust my distribution of choice and take what it has to offer - and Funtoo has a lot to offer!

I really do recommend (especially if it is your first time) building a debian-sourced genkernel as described in chapter 5, "Using Debian-Sources with Genkernel", of the Funtoo Kernels Tutorial.

From there you should have a running system booting nicely from your own-built (just a little bit bloated) kernel. This is more than you can expect from any other ready-to-go distribution.

Note

We are using RedHat's dracut in order to build a nice initramfs (containing all the necessary tools and extra drivers our kernel might need to start the system). Although dracut is the way to go - more sophisticated and not as buggy as Gentoo's genkernel approach - more and more Funtoo geeks are starting to use slashbeast's better-initramfs, which we will cover at the end of this howto! So after having set up a genkernel from debian or gentoo sources, we are going to build a kernel with dracut, better-initramfs, or both. Gentoo sources with genkernel are always my backup if anything is not working correctly on my system. For the slightly more geeky approach with my own initramfs I am using pf-sources, ck-sources or any other more or less heavily patched sources.

Let's go!

Kernel Sources

We are going to use the kernel sources from the funtoo git repository.

The source you use on your system is up to you and your needs. For a laptop or desktop system, we recommend the following:

  • sys-kernel/pf-sources
  • sys-kernel/ck-sources
  • sys-kernel/gentoo-sources
  • sys-kernel/git-sources
  • sys-kernel/sysrescue-std-sources
  • sys-kernel/debian-sources

Please have a look at the ebuild description, look at their homepage and take the one that suits you best! If you are unsure for now, use sys-kernel/gentoo-sources. That's always a safe bet for a general system.

It is not a problem to have various kernels installed in parallel, so go on with any one of them.

I am going to use the sys-kernel/pf-sources now, as I already had the gentoo-sources installed.

Prerequisites

I don't know which tools you have already installed, so some information here might be redundant. It doesn't hurt to just copy and paste and do some steps again.

First, we look into our /etc/make.conf:

# nano /etc/make.conf
#These compiler flags are just tweaking (optimization) and NOT necessary:
CFLAGS="-O2 -pipe -march=native -ftracer -fforce-addr"
CXXFLAGS="${CFLAGS} -fpermissive -fomit-frame-pointer"
KDIR=/usr/src/linux
KERNEL="symlink build"
USE="$KERNEL ....here are your use flags...."
## These modules are available:
## DRACUT_MODULES="dracut_modules_biosdevname dracut_modules_btrfs dracut_modules_caps dracut_modules_crypt dracut_modules_crypt-gpg dracut_modules_dmraid dracut_modules_dmsquash-live dracut_modules_gensplash dracut_modules_iscsi dracut_modules_livenet dracut_modules_lvm dracut_modules_mdraid dracut_modules_multipath dracut_modules_nbd dracut_modules_nfs dracut_modules_plymouth dracut_modules_ssh-client dracut_modules_syslog"
## We will use these modules for LVM / LUKS:
DRACUT_MODULES="crypt lvm plymouth biosdevname dmraid crypt-gpg dmsquash-live ssh-client syslog"

Next, we set the package USE flags:

# nano /etc/portage/package.use/dracut
sys-kernel/dracut dm net device-mapper crypt lvm

Note

If you don't have LVM over an encrypted LUKS container, you probably just add the "net" flag here, or "selinux".


After that we are going to build our packages:

# emerge -av app-portage/gentoolkit sys-kernel/pf-sources sys-kernel/dracut sys-boot/plymouth sys-boot/plymouth-openrc-plugin

Finished? Well, then let's go on and prepare the kernel.

Preparing the kernel

We go now to the sources directory and enter the following commands to update the kernel's .config file:

# cd /usr/src/linux/
# make clean
  CLEAN   .
  CLEAN   arch/x86/kernel/acpi/realmode
  CLEAN   arch/x86/kernel/cpu
  CLEAN   arch/x86/kernel
  CLEAN   arch/x86/vdso
  CLEAN   arch/x86/lib
  CLEAN   drivers/gpu/drm/radeon
  CLEAN   drivers/net/wan
  CLEAN   drivers/scsi/aic7xxx
  CLEAN   drivers/tty/vt
  CLEAN   drivers/video/logo
  CLEAN   firmware
  CLEAN   kernel
  CLEAN   lib/raid6
  CLEAN   lib
  CLEAN   security/apparmor
  CLEAN   security/selinux
  CLEAN   usr
  CLEAN   arch/x86/boot/compressed
  CLEAN   arch/x86/boot
  CLEAN   .tmp_versions
  CLEAN   vmlinux System.map .tmp_kallsyms2.S .tmp_kallsyms1.o .tmp_kallsyms2.o .tmp_kallsyms1.S .tmp_vmlinux1 .tmp_vmlinux2 .tmp_System.map
# zcat /proc/config.gz > /usr/src/linux/.config
# make localmodconfig

You will get some questions, which you can mostly answer with either M (compiled as a module) or Y (compiled directly into the kernel).

Enable different security models (SECURITY) [Y/n/?] y
Enable the securityfs filesystem (SECURITYFS) [Y/?] y
Socket and Networking Security Hooks (SECURITY_NETWORK) [Y/?] y
Security hooks for pathname based access control (SECURITY_PATH) [Y/?] y
Low address space for LSM to protect from user allocation (LSM_MMAP_MIN_ADDR) [65536] 65536
NSA SELinux Support (SECURITY_SELINUX) [Y/n/?] y
  NSA SELinux boot parameter (SECURITY_SELINUX_BOOTPARAM) [N/y/?] n
  NSA SELinux runtime disable (SECURITY_SELINUX_DISABLE) [N/y/?] n
  NSA SELinux Development Support (SECURITY_SELINUX_DEVELOP) [Y/n/?] y
  NSA SELinux AVC Statistics (SECURITY_SELINUX_AVC_STATS) [Y/n/?] y
  NSA SELinux checkreqprot default value (SECURITY_SELINUX_CHECKREQPROT_VALUE) [1] 1
  NSA SELinux maximum supported policy format version (SECURITY_SELINUX_POLICYDB_VERSION_MAX) [Y/n/?] y
    NSA SELinux maximum supported policy format version value (SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE) [19] 19
TOMOYO Linux Support (SECURITY_TOMOYO) [Y/n/?] y
  Default maximal count for learning mode (SECURITY_TOMOYO_MAX_ACCEPT_ENTRY) [2048] 2048
  Default maximal count for audit log (SECURITY_TOMOYO_MAX_AUDIT_LOG) [1024] 1024
  Activate without calling userspace policy loader. (SECURITY_TOMOYO_OMIT_USERSPACE_LOADER) [Y/n/?] y
AppArmor support (SECURITY_APPARMOR) [Y/n/?] y
  AppArmor boot parameter default value (SECURITY_APPARMOR_BOOTPARAM_VALUE) [1] 1
Integrity Measurement Architecture(IMA) (IMA) [Y/n/?] y
EVM support (EVM) [N/y/?] (NEW)
Default security module
  1. SELinux (DEFAULT_SECURITY_SELINUX)
  2. TOMOYO (DEFAULT_SECURITY_TOMOYO)
  3. AppArmor (DEFAULT_SECURITY_APPARMOR)
> 4. Unix Discretionary Access Controls (DEFAULT_SECURITY_DAC)
choice[1-4?]: 4
warning: (ACPI_HOTPLUG_CPU) selects ACPI_CONTAINER which has unmet direct dependencies (ACPI && EXPERIMENTAL)
warning: (MEDIA_TUNER) selects MEDIA_TUNER_TEA5761 which has unmet direct dependencies (MEDIA_SUPPORT && VIDEO_MEDIA && I2C && EXPERIMENTAL)
#
# configuration written to .config
#
warning: (GFS2_FS) selects DLM which has unmet direct dependencies (EXPERIMENTAL && INET && SYSFS && CONFIGFS_FS && (IPV6 || IPV6=n))
warning: (IMA) selects TCG_TPM which has unmet direct dependencies (HAS_IOMEM && EXPERIMENTAL)
warning: (MEDIA_TUNER) selects MEDIA_TUNER_TEA5761 which has unmet direct dependencies (MEDIA_SUPPORT && VIDEO_MEDIA && I2C && EXPERIMENTAL)
warning: (ACPI_HOTPLUG_CPU) selects ACPI_CONTAINER which has unmet direct dependencies (ACPI && EXPERIMENTAL)
root@[~src/linux] #

Now comes the most adventurous part!

Building the Kernel

# make -j8  bzImage
# make -j8 modules
# make modules_install
# make install


Building an initramfs or not?

The reason to build a kernel with an initramfs is mostly interoperability (e.g. live CDs) and special features like an included busybox, ssh, etc. But mostly - and that's why we are doing it here - it is to have a proper kernel up and running quick'n dirty in a reasonable time, without fighting for hours and days until some more or less exotic hardware is perfectly handled by the kernel. After having a proper basic kernel running with the help of an initramfs, I really recommend you go a step further and build a true kernel with all features included, without an initramfs. But this can be a pain in the ass and very time consuming - so we do it the Funtoo way here, at least in the second example, where we stick to better-initramfs instead of Red Hat's dracut.
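A check that ties the "Preparing the kernel" step above to the initramfs question, as an added example in POSIX sh (not part of the original page): it reads a kernel .config and reports whether the options a root-on-LVM-over-LUKS-on-ext4 system needs are present, treating "=m" as acceptable only when an initramfs will carry the modules. The option list, function names and the sample .config fragment are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): check a kernel .config for
# the options a root-on-LVM-over-LUKS system needs before running make.
# With an initramfs (dracut / better-initramfs) "=m" is enough, because
# the initramfs carries the modules; without one they must be "=y".
# Function names and the option list are this example's own choices.

# Options needed for luks + lvm root on ext4, as in the boot.conf params.
ROOT_CRYPT_OPTS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES \
CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256 CONFIG_EXT4_FS"

# config_value FILE OPTION -> prints y, m or n (unset / "is not set" -> n)
config_value() {
    v=$(sed -n "s/^$2=\(.\).*/\1/p" "$1" | tail -n 1)
    echo "${v:-n}"
}

# check_root_config FILE initramfs|builtin
# Prints one "OPTION=value" line per problem and returns 1 if any is found.
check_root_config() {
    rc=0
    for opt in $ROOT_CRYPT_OPTS; do
        v=$(config_value "$1" "$opt")
        case "$2:$v" in
            initramfs:y|initramfs:m|builtin:y) ;;
            *) echo "$opt=$v"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample .config fragment for demonstration only; on a real
# system use /proc/config.gz (zcat) or /usr/src/linux/.config as above.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=m
# CONFIG_CRYPTO_SHA256 is not set
CONFIG_EXT4_FS=y
EOF

# Example run: only the missing hash fails with an initramfs, while the
# two "=m" options would additionally fail an initramfs-less boot.
check_root_config "$SAMPLE_CONFIG" initramfs || echo "-> fix before booting with an initramfs"
check_root_config "$SAMPLE_CONFIG" builtin   || echo "-> fix before booting without an initramfs"
```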

Option one: Initrd with dracut

To build the initrd we just execute:

# dracut -f --fstab --xz /boot/initramfs-3.2.6-pf.img  3.2.6-pf

Generally, this really should be enough! If you experience boot problems like missing modules / drivers, then just boot from the genkernel section and fix the initrd build. You can look into the man page to tweak the command a bit (e.g. --add-drivers "xz dm_crypt" etc.).

OK, let's go on and finish the task: we are now going to tell grub how to boot correctly!

# nano /etc/boot.conf

boot {
        generate grub
        default "Funtoo Linux dracut"
        timeout 3
}

"Funtoo Linux genkernel" {
        kernel kernel-genkernel[-v]
        initrd initramfs-genkernel[-v]
        params = quiet rootfstype=ext4
        params += luks enc_root=/dev/sda3
        params += lvm root=/dev/mapper/vg-root
}

"Funtoo Linux dracut" {
        kernel vmlinuz[-v]
## this is the dracut generated initrd
        initrd initramfs[-v].img
        params  = quiet rootfstype=ext4
        params += luks enc_root=/dev/sda3
        params += lvm root=/dev/mapper/vg-root
}

That's almost it!

Now write to the grub.cfg with the new handy boot-update script from funtoo:

# boot-update -v

 boot-update 1.5.2 / Copyright 2009-2011 Funtoo Technologies

 [use option "-l" for license info, "-h" for help]

 * Generating config for grub...

 DEFAULT > Funtoo Linux - vmlinuz-3.2.6-pf
           Funtoo Linux genkernel - kernel-genkernel-x86_64-3.2.6-pf

 * Completed successfully.

Okay,... here you go..! :)

Reboot and see how it works!

Option two: using better-initramfs

Piotr's better-initramfs is another approach that is tiny, nice and shiny, and seems to be becoming more and more of a favourite among Funtoo'ers. The biggest plus is that, once built, it is kernel version independent.

For using this you just do the following steps:

1. download sources
2. build kernel with "make bzImage"
3. download better-initramfs
4. run better-initramfs
5. adjust /etc/boot.conf

Here is how in detail:

Assuming you already installed a genkernel backup, or at least have a working bzImage + modules installed, we rush forward to step 3:

Downloading Better-initramfs

# cd /usr/src/;
# git clone https://github.com/slashbeast/better-initramfs.git
# /src #  cd better-initramfs
# better-initramfs git:(master) ls
AUTHORS    LICENSE   README.rst  bootstrap  output   sourceroot
ChangeLog  Makefile  TODO        examples   scripts

build the better-initramfs

# better-initramfs git:(master) sudo bootstrap/bootstrap-all
# sudo make prepare
# sudo make image
# sudo mv output/initramfs.cpio.gz /boot

adjust grub

Taking the above setup, we edit /etc/boot.conf. As I installed genkernel first and dracut after, you see this setup:

boot {
        generate grub
        default "Funtoo Linux"
        timeout 3
}

# Rootfs over lvm over luks
# /dev/sda3 - encrypted lvm's pv
# /dev/mapper/vg-root - rootfs's lv

"Funtoo Linux" {
        kernel bzImage[-v]
## this is the better-initramfs generated initrd
        initrd initramfs.cpio.gz
        params  = quiet rootfstype=ext4
        params += luks enc_root=/dev/sda3
        params += lvm root=/dev/mapper/vg-root
}

"Funtoo Linux dracut" {
        kernel vmlinuz[-v]
## this is the dracut generated initrd
        initrd initramfs[-v].img
        params  = quiet rootfstype=ext4
        params += luks enc_root=/dev/sda3
        params += lvm root=/dev/mapper/vg-root
}


"Funtoo Linux genkernel" {
        kernel kernel-genkernel[-v]
        initrd initramfs-genkernel[-v]
        params = quiet rootfstype=ext4
        params += luks enc_root=/dev/sda3
        params += lvm root=/dev/mapper/vg-root
}

Okay,... here you go..! :)

update the grub.cfg, then reboot and see how it works!

root@[~src/linux-3.2.6-pf] # boot-update -v     

 boot-update 1.5.2 / Copyright 2009-2011 Funtoo Technologies

 [use option "-l" for license info, "-h" for help]

 * Generating config for grub...

 DEFAULT > Funtoo Linux better-initramfs - vmlinuz-3.2.6-pf
           Funtoo Linux dracut - vmlinuz-3.2.6-pf
           Funtoo Linux genkernel - kernel-genkernel-x86_64-3.2.6-ck

 * Completed successfully.

root@[~src/linux-3.2.6-pf] #

root@[~src/linux-3.2.6-pf] # reboot

System going down for reboot!