Install from Sources
The instructions below describe compilation from sources on Ubuntu 24.04, which is currently the preferred build and execution environment. With small changes, the instructions can be applied to other GNU/Linux distributions.
- common requirements
- 35-40 GB of free disk space.
apt-get install make flex bison gcc g++ libboost-all-dev libssl-dev bc fakeroot dwarves libelf-dev lz4
Warning!
During the lifecycle of Ubuntu, the pahole utility was updated from version 1.22 to version 1.25. Using the updated version leads to a kernel build error with the message:
load BTF from vmlinux: Invalid argument
To avoid it, check the version:
pahole --version
and downgrade it if needed:
apt install pahole=1.22-8
P.S. The foregoing applies only to building kernels older than version 5.15 on the latest Ubuntu. Later kernels require a newer version of pahole.
The easiest way to install all the build dependencies for the Linux kernel is to use the information from the sources repository.
Make sure that a deb-src line is present and uncommented in /etc/apt/sources.list:
deb-src http://archive.ubuntu.com/ubuntu jammy main restricted
Then all the build dependencies can be simply installed:
apt-get update
apt-get build-dep linux
For the build of 0.7 (current), get Linux kernel 5.10.35 with Tempesta-Tech patches:
git clone https://github.com/tempesta-tech/linux-5.10.35-tfw
Or apply the patch set to 5.10.35 kernel sources.
The Linux kernel must be configured before it is built. The recommended way is to reuse the current kernel's configuration with TempestaFW-specific changes.
Ensure that the kernel tree is absolutely clean:
cd linux-5.10.35-tfw
make clean && make mrproper
Copy current kernel's configuration:
cp /boot/config-$(uname -r) .config
Before proceeding, comment out the following lines in the copied .config file in a text editor if they are set to "y":
- CONFIG_SYSTEM_TRUSTED_KEYRING
- CONFIG_SYSTEM_TRUSTED_KEYS
Also comment out these lines if you wish make olddefconfig to automatically set the CONFIG_LSM option:
- all CONFIG_DEFAULT_SECURITY_* lines
- CONFIG_LSM line
Use default options:
make olddefconfig
Or update the configuration to suit the sources interactively; this will ask about the differences:
make oldconfig
Use a text editor to manually set all these options to "y" in the .config file:
- CONFIG_SLUB
- CONFIG_HUGETLB_PAGE
- CONFIG_SECURITY
- CONFIG_SECURITY_NETWORK
- CONFIG_SECURITY_TEMPESTA
- CONFIG_DEFAULT_SECURITY_TEMPESTA
- "tempesta" listed first in CONFIG_LSM, e.g.
CONFIG_LSM="tempesta,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
For Linux kernel 5.10.35 and version 0.7 (current) the following config options should be set as well:
- CONFIG_SOCK_CGROUP_DATA (Needs CONFIG_NET, CONFIG_CGROUPS and CONFIG_CGROUP_NET_PRIO to be selected)
It is also better to choose CONFIG_UNWINDER_ORC instead of CONFIG_UNWINDER_FRAME_POINTER and to unset CONFIG_FRAME_POINTER, for greater efficiency of some cryptographic functions (the %rbp register cannot be used for calculations if CONFIG_FRAME_POINTER or CONFIG_UNWINDER_FRAME_POINTER is set).
For integration of HTTP tables with iptables and nftables, the following config options should be set as well (Tempesta works without these options):
- CONFIG_NF_TABLES_IPV4, CONFIG_NF_TABLES_IPV6 and CONFIG_NF_TABLES.
For a high availability setup, the kernel must reboot on any issue that prevents it from operating normally.
Set the following kernel options:
CONFIG_WATCHDOG=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=1
CONFIG_HARDLOCKUP_DETECTOR_PERF=y
CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=1
CONFIG_DETECT_HUNG_TASK=y
and set sysctl values in /etc/sysctl.conf:
kernel.panic=1
kernel.panic_on_oops=1
kernel.panic_on_rcu_stall=1
vm.panic_on_oom=1
These settings will reboot the machine on any hang, software crash or out-of-memory event.
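Before starting the build, the edited .config can be checked against the required options, the CONFIG_LSM ordering and, optionally, the high availability options listed above. The script below is an added example, not part of the Tempesta FW sources; the function name check_tfw_config and its `ha` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check a kernel .config against the options this page lists.
# check_tfw_config and its "ha" argument are hypothetical names for this sketch.

# Options the page says must be set for Tempesta FW 0.7 on kernel 5.10.35.
REQUIRED="CONFIG_SLUB=y CONFIG_HUGETLB_PAGE=y CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_TEMPESTA=y
CONFIG_DEFAULT_SECURITY_TEMPESTA=y CONFIG_SOCK_CGROUP_DATA=y"

# Extra options from the high availability section.
HA_REQUIRED="CONFIG_WATCHDOG=y CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=1
CONFIG_HARDLOCKUP_DETECTOR_PERF=y CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
CONFIG_HARDLOCKUP_DETECTOR=y CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=1 CONFIG_DETECT_HUNG_TASK=y"

# Usage: check_tfw_config [path-to-.config] [ha]
# Returns 0 if every check passes, 1 on a failed check, 2 if unreadable.
check_tfw_config() {
    cfg=${1:-.config}
    want=$REQUIRED
    [ "${2:-}" = ha ] && want="$want $HA_REQUIRED"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    for line in $want; do
        # Whole-line match: "# OPT is not set" and "OPT=m" do not satisfy it.
        grep -qxF -- "$line" "$cfg" || { echo "MISSING: $line"; rc=1; }
    done
    # "tempesta" has to be the first entry of the CONFIG_LSM list.
    lsm=$(sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$cfg")
    case "$lsm" in
        tempesta|tempesta,*) ;;
        *) echo "BAD: CONFIG_LSM=\"$lsm\" does not start with tempesta"; rc=1 ;;
    esac
    # Advisory only: frame pointers reserve %rbp, which the page notes costs
    # efficiency in some cryptographic functions.
    if grep -qxE 'CONFIG_(FRAME_POINTER|UNWINDER_FRAME_POINTER)=y' "$cfg"; then
        echo "WARN: frame pointer unwinder enabled; prefer CONFIG_UNWINDER_ORC"
    fi
    return $rc
}
```

Source the file and run `check_tfw_config .config` (or `check_tfw_config .config ha`) from the kernel tree after `make olddefconfig` and the manual edits.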
The recommended way is to compile the kernel and prepare packages to be installed via the package manager:
make deb-pkg -j$(nproc)
dpkg -i ../linux-headers-* ../linux-image-*
The traditional way is to compile the kernel and manually install the modules and kernel image:
make -j$(nproc)
make modules_install
make install
Install the build dependencies with the following command:
apt-get install build-essential libboost-dev libboost-program-options-dev cmake ninja-build libfmt-dev libspdlog-dev
Get TempestaFW from the GitHub repository:
git clone https://github.com/tempesta-tech/tempesta
cd tempesta
TempestaFW is an out-of-tree kernel module. It is recommended to reboot into Tempesta's patched kernel and install the kernel headers before building the module.
Simply run make to prepare the module:
make clean
make
It is also possible to build the module against a target kernel sources directory:
make clean
make KERNEL=<path-to-kernel>