linux documentation

This linux documentation section is just beginning. The plan is to develop a thorough linux admin site with summary and indepth information so linux users can put together a solid environment from beginning to end without grasping for straws "googling" information.-

installation

Right now this section has the grub documentation, very soon I'll add the fedora installation.

introduction to grub

Briefly, a boot loader is the first software program that runs when a computer starts. It is responsible for loading and transferring control to an operating system kernel software (such as Linux or GNU Mach). The kernel, in turn, initializes the rest of the operating system (e.g. a GNU system).

GNU GRUB is a very powerful boot loader, which can load a wide variety of free operating systems, as well as proprietary operating systems with chain-loading(1). GRUB is designed to address the complexity of booting a personal computer; both the program and this manual are tightly bound to that computer platform, although porting to other platforms may be addressed in the future.

One of the important features in GRUB is flexibility; GRUB understands filesystems and kernel executable formats, so you can load an arbitrary operating system the way you like, without recording the physical position of your kernel on the disk. Thus you can load the kernel just by specifying its file name and the drive and partition where the kernel resides.

When booting with GRUB, you can use either a command-line interface (see section 12.1 The flexible command-line interface), or a menu interface (see section 12.2 The simple menu interface). Using the command-line interface, you type the drive specification and file name of the kernel manually. In the menu interface, you just select an OS using the arrow keys. The menu is based on a configuration file which you prepare beforehand (see section 5. Configuration). While in the menu, you can switch to the command-line mode, and vice-versa. You can even edit menu entries before using them.

In the following chapters, you will learn how to specify a drive, a partition, and a file name (see section 2. Naming convention) to GRUB, how to install GRUB on your drive (see section 3. Installation), and how to boot your OSes (see section 4. Booting), step by step.

Besides the GRUB boot loader itself, there is a grub shell grub (see section 15. Invoking the grub shell) which can be run when you are in your operating system. It emulates the boot loader and can be used for installing the boot loader.

grub features

The primary requirement for GRUB is that it be compliant with the Multiboot Specification, which is described in section `Motivation' in The Multiboot Specification.

The other goals, listed in approximate order of importance, are:

Basic functions must be straightforward for end-users.
Rich functionality to support kernel experts and designers.
Backward compatibility for booting FreeBSD, NetBSD, OpenBSD, and Linux. Proprietary kernels (such as DOS, Windows NT, and OS/2) are supported via a chain-loading function.

Except for specific compatibility modes (chain-loading and the Linux piggyback format), all kernels will be started in much the same state as in the Multiboot Specification. Only kernels loaded at 1 megabyte or above are presently supported. Any attempt to load below that boundary will simply result in immediate failure and an error message reporting the problem.

In addition to the requirements above, GRUB has the following features (note that the Multiboot Specification doesn't require all the features that GRUB supports):

Recognize multiple executable formats: Support many of the a.out variants plus ELF. Symbol tables are also loaded.
Support non-Multiboot kernels: Support many of the various free 32-bit kernels that lack Multiboot compliance (primarily FreeBSD, NetBSD, OpenBSD, and Linux). Chain-loading of other boot loaders is also supported.
Load multiples modules: Fully support the Multiboot feature of loading multiple modules.
Load a configuration file: Support a human-readable text configuration file with preset boot commands. You can also load another configuration file dynamically and embed a preset configuration file in a GRUB image file. The list of commands (see section 13. The list of available commands) are a superset of those supported on the command-line. An example configuration file is provided in 5. Configuration.
Provide a menu interface: A menu interface listing preset boot commands, with a programmable timeout, is available. There is no fixed limit on the number of boot entries, and the current implementation has space for several hundred.
Have a flexible command-line interface: A fairly flexible command-line interface, accessible from the menu, is available to edit any preset commands, or write a new boot command set from scratch. If no configuration file is present, GRUB drops to the command-line.
The list of commands (see section 13. The list of available commands) are a subset of those supported for configuration files. Editing commands closely resembles the Bash command-line (see section `Command Line Editing' in Bash Features), with TAB-completion of commands, devices, partitions, and files in a directory depending on context.
Support multiple filesystem types: Support multiple filesystem types transparently, plus a useful explicit blocklist notation. The currently supported filesystem types are BSD FFS, DOS FAT16 and FAT32, Minix fs, Linux ext2fs, ReiserFS, JFS, XFS, and VSTa fs. See section 11. Filesystem syntax and semantics, for more information.
Support automatic decompression: Can decompress files which were compressed by gzip. This function is both automatic and transparent to the user (i.e. all functions operate upon the uncompressed contents of the specified files). This greatly reduces a file size and loading time, a particularly great benefit for floppies.(2)
It is conceivable that some kernel modules should be loaded in a compressed state, so a different module-loading command can be specified to avoid uncompressing the modules.
Access data on any installed device: Support reading data from any or all floppies or hard disk(s) recognized by the BIOS, independent of the setting of the root device.
Be independent of drive geometry translations: Unlike many other boot loaders, GRUB makes the particular drive translation irrelevant. A drive installed and running with one translation may be converted to another translation without any adverse effects or changes in GRUB's configuration.
Detect all installed RAM: GRUB can generally find all the installed RAM on a PC-compatible machine. It uses an advanced BIOS query technique for finding all memory regions. As described on the Multiboot Specification (see section `Motivation' in The Multiboot Specification), not all kernels make use of this information, but GRUB provides it for those who do.
Support Logical Block Address mode: In traditional disk calls (called CHS mode), there is a geometry translation problem, that is, the BIOS cannot access over 1024 cylinders, so the accessible space is limited to at least 508 MB and to at most 8GB. GRUB can't universally solve this problem, as there is no standard interface used in all machines. However, several newer machines have the new interface, Logical Block Address (LBA) mode. GRUB automatically detects if LBA mode is available and uses it if available. In LBA mode, GRUB can access the entire disk.
Support network booting: GRUB is basically a disk-based boot loader but also has network support. You can load OS images from a network by using the TFTP protocol.
Support remote terminals: To support computers with no console, GRUB provides remote terminal support, so that you can control GRUB from a remote host. Only serial terminal support is implemented at the moment.

1.4 The role of a boot loader

The following is a quotation from Gordon Matzigkeit, a GRUB fanatic:

Some people like to acknowledge both the operating system and kernel when they talk about their computers, so they might say they use "GNU/Linux" or "GNU/Hurd". Other people seem to think that the kernel is the most important part of the system, so they like to call their GNU operating systems "Linux systems."

I, personally, believe that this is a grave injustice, because the boot loader is the most important software of all. I used to refer to the above systems as either "LILO"(3) or "GRUB" systems.

Unfortunately, nobody ever understood what I was talking about; now I just use the word "GNU" as a pseudonym for GRUB.

So, if you ever hear people talking about their alleged "GNU" systems, remember that they are actually paying homage to the best boot loader around... GRUB!

We, the GRUB maintainers, do not (usually) encourage Gordon's level of fanaticism, but it helps to remember that boot loaders deserve recognition. We hope that you enjoy using GNU GRUB as much as we did writing it.

naming convention

GRUB Naming convention

The device syntax used in GRUB is a wee bit different from what you may have seen before in your operating system(s), and you need to know it so that you can specify a drive/partition.

Look at the following examples and explanations:

(fd0)

First of all, GRUB requires that the device name be enclosed with `(' and `)'. The `fd' part means that it is a floppy disk. The number `0' is the drive number, which is counted from zero. This expression means that GRUB will use the whole floppy disk.

(hd0,1)

Here, `hd' means it is a hard disk drive. The first integer `0' indicates the drive number, that is, the first hard disk, while the second integer, `1', indicates the partition number (or the PC slice number in the BSD terminology). Once again, please note that the partition numbers are counted from zero, not from one. This expression means the second partition of the first hard disk drive. In this case, GRUB uses one partition of the disk, instead of the whole disk.

(hd0,4)

This specifies the first extended partition of the first hard disk drive. Note that the partition numbers for extended partitions are counted from `4', regardless of the actual number of primary partitions on your hard disk.

(hd1,a)

This means the BSD `a' partition of the second hard disk. If you need to specify which PC slice number should be used, use something like this: `(hd1,0,a)'. If the PC slice number is omitted, GRUB searches for the first PC slice which has a BSD `a' partition.

Of course, to actually access the disks or partitions with GRUB, you need to use the device specification in a command, like `root (fd0)' or `unhide (hd0,2)'. To help you find out which number specifies a partition you want, the GRUB command-line (see section 12.1 The flexible command-line interface) options have argument completion. This means that, for example, you only need to type

root (

followed by a TAB, and GRUB will display the list of drives, partitions, or file names. So it should be quite easy to determine the name of your target partition, even with minimal knowledge of the syntax.

Note that GRUB does not distinguish IDE from SCSI - it simply counts the drive numbers from zero, regardless of their type. Normally, any IDE drive number is less than any SCSI drive number, although that is not true if you change the boot sequence by swapping IDE and SCSI drives in your BIOS.

Now the question is, how to specify a file? Again, consider an example:

(hd0,0)/vmlinuz

This specifies the file named `vmlinuz', found on the first partition of the first hard disk drive. Note that the argument completion works with file names, too.

That was easy, admit it. Now read the next chapter, to find out how to actually install GRUB on your drive.

Installation

In order to install GRUB as your boot loader, you need to first install the GRUB system and utilities under your UNIX-like operating system (see section A. How to obtain and build GRUB). You can do this either from the source tarball, or as a package for your OS.

After you have done that, you need to install the boot loader on a drive (floppy or hard disk). There are two ways of doing that - either using the utility grub-install (see section 16. Invoking grub-install) on a UNIX-like OS, or by running GRUB itself from a floppy. These are quite similar, however the utility might probe a wrong BIOS drive, so you should be careful.

Also, if you install GRUB on a UNIX-like OS, please make sure that you have an emergency boot disk ready, so that you can rescue your computer if, by any chance, your hard drive becomes unusable (unbootable).

GRUB comes with boot images, which are normally put in the directory `/usr/share/grub/i386-pc'. If you do not use grub-install, then you need to copy the files `stage1', `stage2', and `*stage1_5' to the directory `/boot/grub'. Hereafter, the directory where GRUB images are initially placed (normally `/usr/share/grub/i386-pc') will be called the image directory, and the directory where the boot loader needs to find them (usually `/boot/grub') will be called the boot directory.

3.1 Creating a GRUB boot floppy
3.2 Installing GRUB natively
3.3 Installing GRUB using grub-install
3.4 Making a GRUB bootable CD-ROM

3.1 Creating a GRUB boot floppy

To create a GRUB boot floppy, you need to take the files `stage1' and `stage2' from the image directory, and write them to the first and the second block of the floppy disk, respectively.

Caution: This procedure will destroy any data currently stored on the floppy.

On a UNIX-like operating system, that is done with the following commands:

# cd /usr/share/grub/i386-pc
# dd if=stage1 of=/dev/fd0 bs=512 count=1
1+0 records in
1+0 records out
# dd if=stage2 of=/dev/fd0 bs=512 seek=1
153+1 records in
153+1 records out
#

The device file name may be different. Consult the manual for your OS.

3.2 Installing GRUB natively

Caution: Installing GRUB's stage1 in this manner will erase the normal boot-sector used by an OS.

GRUB can currently boot GNU Mach, Linux, FreeBSD, NetBSD, and OpenBSD directly, so using it on a boot sector (the first sector of a partition) should be okay. But generally, it would be a good idea to back up the first sector of the partition on which you are installing GRUB's stage1. This isn't as important if you are installing GRUB on the first sector of a hard disk, since it's easy to reinitialize it (e.g. by running `FDISK /MBR' from DOS).

If you decide to install GRUB in the native environment, which is definitely desirable, you'll need to create a GRUB boot disk, and reboot your computer with it. Otherwise, see 3.3 Installing GRUB using grub-install.

Once started, GRUB will show the command-line interface (see section 12.1 The flexible command-line interface). First, set the GRUB's root device(4) to the partition containing the boot directory, like this:

grub> root (hd0,0)

If you are not sure which partition actually holds this directory, use the command find (see section 13.3.11 find), like this:

grub> find /boot/grub/stage1

This will search for the file name `/boot/grub/stage1' and show the devices which contain the file.

Once you've set the root device correctly, run the command setup (see section 13.3.34 setup):

grub> setup (hd0)

This command will install the GRUB boot loader on the Master Boot Record (MBR) of the first drive. If you want to put GRUB into the boot sector of a partition instead of putting it in the MBR, specify the partition into which you want to install GRUB:

grub> setup (hd0,0)

If you install GRUB into a partition or a drive other than the first one, you must chain-load GRUB from another boot loader. Refer to the manual for the boot loader to know how to chain-load GRUB.

After using the setup command, you will boot into GRUB without the GRUB floppy. See the chapter 4. Booting to find out how to boot your operating systems from GRUB.

3.3 Installing GRUB using grub-install

Caution: This procedure is definitely less safe, because there are several ways in which your computer can become unbootable. For example, most operating systems don't tell GRUB how to map BIOS drives to OS devices correctly--GRUB merely guesses the mapping. This will succeed in most cases, but not always. Therefore, GRUB provides you with a map file called the device map, which you must fix if it is wrong. See section 15.3 The map between BIOS drives and OS devices, for more details.

If you still do want to install GRUB under a UNIX-like OS (such as GNU), invoke the program grub-install (see section 16. Invoking grub-install) as the superuser (root).

The usage is basically very simple. You only need to specify one argument to the program, namely, where to install the boot loader. The argument can be either a device file (like `/dev/hda') or a partition specified in GRUB's notation. For example, under Linux the following will install GRUB into the MBR of the first IDE disk:

# grub-install /dev/hda

Likewise, under GNU/Hurd, this has the same effect:

# grub-install /dev/hd0

If it is the first BIOS drive, this is the same as well:

# grub-install '(hd0)'

Or you can omit the parentheses:

# grub-install hd0

But all the above examples assume that GRUB should use images under the root directory. If you want GRUB to use images under a directory other than the root directory, you need to specify the option `--root-directory'. The typical usage is that you create a GRUB boot floppy with a filesystem. Here is an example:

# mke2fs /dev/fd0
# mount -t ext2 /dev/fd0 /mnt
# grub-install --root-directory=/mnt fd0
# umount /mnt

Another example is when you have a separate boot partition which is mounted at `/boot'. Since GRUB is a boot loader, it doesn't know anything about mountpoints at all. Thus, you need to run grub-install like this:

# grub-install --root-directory=/boot /dev/hda

By the way, as noted above, it is quite difficult to guess BIOS drives correctly under a UNIX-like OS. Thus, grub-install will prompt you to check if it could really guess the correct mappings, after the installation. The format is defined in 15.3 The map between BIOS drives and OS devices. Please be quite careful. If the output is wrong, it is unlikely that your computer will be able to boot with no problem.

Note that grub-install is actually just a shell script and the real task is done by the grub shell grub (see section 15. Invoking the grub shell). Therefore, you may run grub directly to install GRUB, without using grub-install. Don't do that, however, unless you are very familiar with the internals of GRUB. Installing a boot loader on a running OS may be extremely dangerous.

3.4 Making a GRUB bootable CD-ROM

GRUB supports the no emulation mode in the El Torito specification(5). This means that you can use the whole CD-ROM from GRUB and you don't have to make a floppy or hard disk image file, which can cause compatibility problems.

For booting from a CD-ROM, GRUB uses a special Stage 2 called `stage2_eltorito'. The only GRUB files you need to have in your bootable CD-ROM are this `stage2_eltorito' and optionally a config file `menu.lst'. You don't need to use `stage1' or `stage2', because El Torito is quite different from the standard boot process.

Here is an example of procedures to make a bootable CD-ROM image. First, make a top directory for the bootable image, say, `iso':

$ mkdir iso

Make a directory for GRUB:

$ mkdir -p iso/boot/grub

Copy the file `stage2_eltorito':

$ cp /usr/share/grub/i386-pc/stage2_eltorito iso/boot/grub

If desired, make the config file `menu.lst' under `iso/boot/grub' (see section 5. Configuration), and copy any files and directories for the disc to the directory `iso/'.

Finally, make a ISO9660 image file like this:

$ mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot \
-boot-load-size 4 -boot-info-table -o grub.iso iso

This produces a file named `grub.iso', which then can be burned into a CD (or a DVD). mkisofs has already set up the disc to boot from the boot/grub/stage2_eltorito file, so there is no need to setup GRUB on the disc. (Note that the -boot-load-size 4 bit is required for compatibility with the BIOS on many older machines.)

You can use the device `(cd)' to access a CD-ROM in your config file. This is not required; GRUB automatically sets the root device to `(cd)' when booted from a CD-ROM. It is only necessary to refer to `(cd)' if you want to access other drives as well.

booting

GRUB can load Multiboot-compliant kernels in a consistent way, but for some free operating systems you need to use some OS-specific magic.

4.1 How to boot operating systems How to boot OSes with GRUB generally
4.2 Some caveats on OS-specific issues Notes on some operating systems

4.1 How to boot operating systems

GRUB has two distinct boot methods. One of the two is to load an operating system directly, and the other is to chain-load another boot loader which then will load an operating system actually. Generally speaking, the former is more desirable, because you don't need to install or maintain other boot loaders and GRUB is flexible enough to load an operating system from an arbitrary disk/partition. However, the latter is sometimes required, since GRUB doesn't support all the existing operating systems natively.

4.1.1 How to boot an OS directly with GRUB
4.1.2 Load another boot loader to boot unsupported operating systems

4.1.1 How to boot an OS directly with GRUB

Multiboot (see section `Motivation' in The Multiboot Specification) is the native format supported by GRUB. For the sake of convenience, there is also support for Linux, FreeBSD, NetBSD and OpenBSD. If you want to boot other operating systems, you will have to chain-load them (see section 4.1.2 Load another boot loader to boot unsupported operating systems).

Generally, GRUB can boot any Multiboot-compliant OS in the following steps:

1. Set GRUB's root device to the drive where the OS images are stored with the command root (see section 13.3.31 root).

2. Load the kernel image with the command kernel (see section 13.3.20 kernel).

3. If you need modules, load them with the command module (see section 13.3.25 module) or modulenounzip (see section 13.3.26 modulenounzip).

4. Run the command boot (see section 13.3.2 boot).

Linux, FreeBSD, NetBSD and OpenBSD can be booted in a similar manner. You load a kernel image with the command kernel and then run the command boot. If the kernel requires some parameters, just append the parameters to kernel, after the file name of the kernel. Also, please refer to 4.2 Some caveats on OS-specific issues, for information on your OS-specific issues.

4.1.2 Load another boot loader to boot unsupported operating systems

If you want to boot an unsupported operating system (e.g. Windows 95), chain-load a boot loader for the operating system. Normally, the boot loader is embedded in the boot sector of the partition on which the operating system is installed.

1. Set GRUB's root device to the partition by the command rootnoverify (see section 13.3.32 rootnoverify):

grub> rootnoverify (hd0,0)

2. Set the active flag in the partition using the command makeactive(6) (see section 13.3.22 makeactive):

grub> makeactive

3. Load the boot loader with the command chainloader (see section 13.3.4 chainloader):

grub> chainloader +1

`+1' indicates that GRUB should read one sector from the start of the partition. The complete description about this syntax can be found in 11.3 How to specify block lists.

4. Run the command boot (see section 13.3.2 boot).

However, DOS and Windows have some deficiencies, so you might have to use more complicated instructions. See section 4.2.6 DOS/Windows, for more information.

4.2 Some caveats on OS-specific issues

Here, we describe some caveats on several operating systems.

4.2.1 GNU/Hurd
4.2.2 GNU/Linux

4.2.1 GNU/Hurd

Since GNU/Hurd is Multiboot-compliant, it is easy to boot it; there is nothing special about it. But do not forget that you have to specify a root partition to the kernel.

1. Set GRUB's root device to the same drive as GNU/Hurd's. Probably the command find /boot/gnumach or similar can help you (see section 13.3.11 find).

2. Load the kernel and the module, like this:

grub> kernel /boot/gnumach root=hd0s1
grub> module /boot/serverboot

3. Run the command boot (see section 13.3.2 boot).

4.2.2 GNU/Linux

It is relatively easy to boot GNU/Linux from GRUB, because it somewhat resembles to boot a Multiboot-compliant OS.

1. Set GRUB's root device to the same drive as GNU/Linux's. Probably the command find /vmlinuz or similar can help you (see section 13.3.11 find).

2. Load the kernel:

grub> kernel /vmlinuz root=/dev/hda1

If you need to specify some kernel parameters, just append them to the command. For example, to set `vga' to `ext', do this:

grub> kernel /vmlinuz root=/dev/hda1 vga=ext

See the documentation in the Linux source tree for complete information on the available options.

3. If you use an initrd, execute the command initrd (see section 13.3.17 initrd) after kernel:

grub> initrd /initrd

4. Finally, run the command boot (see section 13.3.2 boot).

Caution: If you use an initrd and specify the `mem=' option to the kernel to let it use less than actual memory size, you will also have to specify the same memory size to GRUB. To let GRUB know the size, run the command uppermem before loading the kernel. See section 13.3.37 uppermem, for more information.

configuration

You've probably noticed that you need to type several commands to boot your OS. There's a solution to that - GRUB provides a menu interface (see section 12.2 The simple menu interface) from which you can select an item (using arrow keys) that will do everything to boot an OS.

To enable the menu, you need a configuration file, `menu.lst' under the boot directory. We'll analyze an example file.

The file first contains some general settings, the menu interface related options. You can put these commands (see section 13.1 The list of commands for the menu only) before any of the items (starting with title (see section 13.1.5 title)).

#
# Sample boot menu configuration file
#

As you may have guessed, these lines are comments. Lines starting with a hash character (`#'), and blank lines, are ignored by GRUB.

# By default, boot the first entry.
default 0

The first entry (here, counting starts with number zero, not one!) will be the default choice.

# Boot automatically after 30 secs.
timeout 30

As the comment says, GRUB will boot automatically in 30 seconds, unless interrupted with a keypress.

# Fallback to the second entry.
fallback 1

If, for any reason, the default entry doesn't work, fall back to the second one (this is rarely used, for obvious reasons).

Note that the complete descriptions of these commands, which are menu interface specific, can be found in 13.1 The list of commands for the menu only. Other descriptions can be found in 13. The list of available commands.

Now, on to the actual OS definitions. You will see that each entry begins with a special command, title (see section 13.1.5 title), and the action is described after it. Note that there is no command boot (see section 13.3.2 boot) at the end of each item. That is because GRUB automatically executes boot if it loads other commands successfully.

The argument for the command title is used to display a short title/description of the entry in the menu. Since title displays the argument as is, you can write basically anything there.

# For booting GNU/Hurd
title GNU/Hurd
root (hd0,0)
kernel /boot/gnumach.gz root=hd0s1
module /boot/serverboot.gz

This boots GNU/Hurd from the first hard disk.

# For booting GNU/Linux
title GNU/Linux
kernel (hd1,0)/vmlinuz root=/dev/hdb1

This boots GNU/Linux, but from the second hard disk.

# For booting Mach (getting kernel from floppy)
title Utah Mach4 multiboot
root (hd0,2)
pause Insert the diskette now^G!!
kernel (fd0)/boot/kernel root=hd0s3
module (fd0)/boot/bootstrap

This boots Mach with a kernel on a floppy, but the root filesystem at hd0s3. It also contains a pause line (see section 13.3.27 pause), which will cause GRUB to display a prompt and delay, before actually executing the rest of the commands and booting.

downloading OS images from a network

6. Downloading OS images from a network

Although GRUB is a disk-based boot loader, it does provide network support. To use the network support, you need to enable at least one network driver in the GRUB build process. For more information please see `netboot/README.netboot' in the source distribution.

6.1 How to set up your network

GRUB requires a file server and optionally a server that will assign an IP address to the machine on which GRUB is running. For the former, only TFTP is supported at the moment. The latter is either BOOTP, DHCP or a RARP server(7). It is not necessary to run both the servers on one computer. How to configure these servers is beyond the scope of this document, so please refer to the manuals specific to those protocols/servers.

If you decided to use a server to assign an IP address, set up the server and run bootp (see section 13.2.1 bootp), dhcp (see section 13.2.4 dhcp) or rarp (see section 13.2.11 rarp) for BOOTP, DHCP or RARP, respectively. Each command will show an assigned IP address, a netmask, an IP address for your TFTP server and a gateway. If any of the addresses is wrong or it causes an error, probably the configuration of your servers isn't set up properly.

Otherwise, run ifconfig, like this:

grub> ifconfig --address=192.168.110.23 --server=192.168.110.14

You can also use ifconfig in conjuction with bootp, dhcp or rarp (e.g. to reassign the server address manually). See section 13.2.6 ifconfig, for more details.

Finally, download your OS images from your network. The network can be accessed using the network drive `(nd)'. Everything else is very similar to the normal instructions (see section 4. Booting).

Here is an example:

grub> bootp
Probing... [NE*000]
NE2000 base ...
Address: 192.168.110.23 Netmask: 255.255.255.0
Server: 192.168.110.14 Gateway: 192.168.110.1

grub> root (nd)
grub> kernel /tftproot/gnumach.gz root=sd0s1
grub> module /tftproot/serverboot.gz
grub> boot

6.2 Booting from a network

It is sometimes very useful to boot from a network, especially when you use a machine which has no local disk. In this case, you need to obtain a kind of Net Boot ROM, such as a PXE ROM or a free software package like Etherboot. Such a Boot ROM first boots the machine, sets up the network card installed into the machine, and downloads a second stage boot image from the network. Then, the second image will try to boot an operating system actually from the network.

GRUB provides two second stage images, `nbgrub' and `pxegrub' (see section 10. GRUB image files). These images are the same as the normal Stage 2, except that they set up a network automatically, and try to load a configuration file from the network, if specified. The usage is very simple: If the machine has a PXE ROM, use `pxegrub'. If the machine has an NBI loader such as Etherboot, use `nbgrub'. There is no difference between them except their formats. Since the way to load a second stage image you want to use should be described in the manual on your Net Boot ROM, please refer to the manual, for more information.

However, there is one thing specific to GRUB. Namely, how to specify a configuration file in a BOOTP/DHCP server. For now, GRUB uses the tag `150', to get the name of a configuration file. The following is an example with a BOOTP configuration:

.allhost:hd=/tmp:bf=null:\
:ds=145.71.35.1 145.71.32.1:\
:sm=255.255.254.0:\
:gw=145.71.35.1:\
:sa=145.71.35.5:

foo:ht=1:ha=63655d0334a7:ip=145.71.35.127:\
:bf=/nbgrub:\
:tc=.allhost:\
:T150="(nd)/tftpboot/menu.lst.foo":

Note that you should specify the drive name (nd) in the name of the configuration file. This is because you might change the root drive before downloading the configuration from the TFTP server when the preset menu feature is used (see section 8. Embedding a configuration file into GRUB).

See the manual of your BOOTP/DHCP server for more information. The exact syntax should differ a little from the example.

embedding grub configuration file

Embedding a configuration file into GRUB

GRUB supports a preset menu which is to be always loaded before starting. The preset menu feature is useful, for example, when your computer has no console but a serial cable. In this case, it is critical to set up the serial terminal as soon as possible, since you cannot see any message until the serial terminal begins to work. So it is good to run the commands serial (see section 13.2.12 serial) and terminal (see section 13.2.14 terminal) before anything else at the start-up time.

How the preset menu works is slightly complicated:

1. GRUB checks if the preset menu feature is used, and loads the preset menu, if available. This includes running commands and reading boot entries, like an ordinary configuration file.

2. GRUB checks if the configuration file is available. Note that this check is performed regardless of the existence of the preset menu. The configuration file is loaded even if the preset menu was loaded.

3. If the preset menu includes any boot entries, they are cleared when the configuration file is loaded. It doesn't matter whether the configuration file has any entries or no entry. The boot entries in the preset menu are used only when GRUB fails in loading the configuration file.

To enable the preset menu feature, you must rebuild GRUB specifying a file to the configure script with the option `--enable-preset-menu'. The file has the same semantics as normal configuration files (see section 5. Configuration).

Another point you should take care is that the diskless support (see section 6.2 Booting from a network) diverts the preset menu. Diskless images embed a preset menu to execute the command bootp (see section 13.2.1 bootp) automatically, unless you specify your own preset menu to the configure script. This means that you must put commands to initialize a network in the preset menu yourself, because diskless images don't set it up implicitly, when you use the preset menu explicitly.

Therefore, a typical preset menu used with diskless support would be like this:

# Set up the serial terminal, first of all.
serial --unit=0 --speed=19200
terminal --timeout=0 serial

# Initialize the network.
dhcp

protection from cracking

Protecting your computer from cracking

You may be interested in how to prevent ordinary users from doing whatever they like, if you share your computer with other people. So this chapter describes how to improve the security of GRUB.

One thing which could be a security hole is that the user can do too many things with GRUB, because GRUB allows one to modify its configuration and run arbitrary commands at run-time. For example, the user can even read `/etc/passwd' in the command-line interface by the command cat (see section 13.3.3 cat). So it is necessary to disable all the interactive operations.

Thus, GRUB provides a password feature, so that only administrators can start the interactive operations (i.e. editing menu entries and entering the command-line interface). To use this feature, you need to run the command password in your configuration file (see section 13.2.10 password), like this:

password --md5 PASSWORD

If this is specified, GRUB disallows any interactive control, until you press the key p and enter a correct password. The option `--md5' tells GRUB that `PASSWORD' is in MD5 format. If it is omitted, GRUB assumes the `PASSWORD' is in clear text.

You can encrypt your password with the command md5crypt (see section 13.3.24 md5crypt). For example, run the grub shell (see section 15. Invoking the grub shell), and enter your password:

grub> md5crypt
Password: **********
Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb.

Then, cut and paste the encrypted password to your configuration file.

Also, you can specify an optional argument to password. See this example:

password PASSWORD /boot/grub/menu-admin.lst

In this case, GRUB will load `/boot/grub/menu-admin.lst' as a configuration file when you enter the valid password.

Another thing which may be dangerous is that any user can choose any menu entry. Usually, this wouldn't be problematic, but you might want to permit only administrators to run some of your menu entries, such as an entry for booting an insecure OS like DOS.

GRUB provides the command lock (see section 13.3.21 lock). This command always fails until you enter the valid password, so you can use it, like this:

title Boot DOS
lock
rootnoverify (hd0,1)
makeactive
chainload +1

You should insert lock right after title, because any user can execute commands in an entry until GRUB encounters lock.

You can also use the command password instead of lock. In this case the boot process will ask for the password and stop if it was entered incorrectly. Since the password takes its own PASSWORD argument this is useful if you want different passwords for different entries.

grub image file

GRUB image files

GRUB consists of several images: two essential stages, optional stages called Stage 1.5, one image for bootable CD-ROM, and two network boot images. Here is a short overview of them. See section D. Hacking GRUB, for more details.

`stage1'
This is an essential image used for booting up GRUB. Usually, this is embedded in an MBR or the boot sector of a partition. Because a PC boot sector is 512 bytes, the size of this image is exactly 512 bytes.

All `stage1' must do is to load Stage 2 or Stage 1.5 from a local disk. Because of the size restriction, `stage1' encodes the location of Stage 2 (or Stage 1.5) in a block list format, so it never understand any filesystem structure.

`stage2'
This is the core image of GRUB. It does everything but booting up itself. Usually, this is put in a filesystem, but that is not required.

`e2fs_stage1_5'
`fat_stage1_5'
`ffs_stage1_5'
`jfs_stage1_5'
`minix_stage1_5'
`reiserfs_stage1_5'
`vstafs_stage1_5'
`xfs_stage1_5'

These are called Stage 1.5, because they serve as a bridge between `stage1' and `stage2', that is to say, Stage 1.5 is loaded by Stage 1 and Stage 1.5 loads Stage 2. The difference between `stage1' and `*_stage1_5' is that the former doesn't understand any filesystem while the latter understands one filesystem (e.g. `e2fs_stage1_5' understands ext2fs). So you can move the Stage 2 image to another location safely, even after GRUB has been installed.

While Stage 2 cannot generally be embedded in a fixed area as the size is so large, Stage 1.5 can be installed into the area right after an MBR, or the boot loader area of a ReiserFS or a FFS.

`stage2_eltorito'
This is a boot image for CD-ROMs using the no emulation mode in El Torito specification. This is identical to Stage 2, except that this boots up without Stage 1 and sets up a special drive `(cd)'.

`nbgrub'
This is a network boot image for the Network Image Proposal used by some network boot loaders, such as Etherboot. This is mostly the same as Stage 2, but it also sets up a network and loads a configuration file from the network.

`pxegrub'
This is another network boot image for the Preboot Execution Environment used by several Netboot ROMs. This is identical to `nbgrub', except for the format.

filesystem syntax and semantics

Filesystem syntax and semantics

GRUB uses a special syntax for specifying disk drives which can be accessed by BIOS. Because of BIOS limitations, GRUB cannot distinguish between IDE, ESDI, SCSI, or others. You must know yourself which BIOS device is equivalent to which OS device. Normally, that will be clear if you see the files in a device or use the command find (see section 13.3.11 find).

How to specify devices

The device syntax is like this:

(device[,part-num][,bsd-subpart-letter])

`[]' means the parameter is optional. device should be either `fd' or `hd' followed by a digit, like `fd0'. But you can also set device to a hexadecimal or a decimal number which is a BIOS drive number, so the following are equivalent:

(hd0)
(0x80)
(128)

part-num represents the partition number of device, starting from zero for primary partitions and from four for extended partitions, and bsd-subpart-letter represents the BSD disklabel subpartition, such as `a' or `e'.

A shortcut for specifying BSD subpartitions is (device,bsd-subpart-letter), in this case, GRUB searches for the first PC partition containing a BSD disklabel, then finds the subpartition bsd-subpart-letter. Here is an example:

(hd0,a)

The syntax `(hd0)' represents using the entire disk (or the MBR when installing GRUB), while the syntax `(hd0,0)' represents using the first partition of the disk (or the boot sector of the partition when installing GRUB).

If you enabled the network support, the special drive, `(nd)', is also available. Before using the network drive, you must initialize the network. See section 6. Downloading OS images from a network, for more information.

If you boot GRUB from a CD-ROM, `(cd)' is available. See section 3.4 Making a GRUB bootable CD-ROM, for details.

How to specify files

There are two ways to specify files, by absolute file name and by block list.

An absolute file name resembles a Unix absolute file name, using `/' for the directory separator (not `\' as in DOS). One example is `(hd0,0)/boot/grub/menu.lst'. This means the file `/boot/grub/menu.lst' in the first partition of the first hard disk. If you omit the device name in an absolute file name, GRUB uses GRUB's root device implicitly. So if you set the root device to, say, `(hd1,0)' by the command root (see section 13.3.31 root), then /boot/kernel is the same as (hd1,0)/boot/kernel.

How to specify block lists

A block list is used for specifying a file that doesn't appear in the filesystem, like a chainloader. The syntax is [offset]+length[,[offset]+length].... Here is an example:

0+100,200+1,300+300

This represents that GRUB should read blocks 0 through 99, block 200, and blocks 300 through 599. If you omit an offset, then GRUB assumes the offset is zero.

Like the file name syntax (see section 11.2 How to specify files), if a blocklist does not contain a device name, then GRUB uses GRUB's root device. So (hd0,1)+1 is the same as +1 when the root device is `(hd0,1)'.

grub's user interface

GRUB's user interface

GRUB has both a simple menu interface for choosing preset entries from a configuration file, and a highly flexible command-line for performing any desired combination of boot commands.

GRUB looks for its configuration file as soon as it is loaded. If one is found, then the full menu interface is activated using whatever entries were found in the file. If you choose the command-line menu option, or if the configuration file was not found, then GRUB drops to the command-line interface.

The flexible command-line interface

The command-line interface provides a prompt and after it an editable text area much like a command-line in Unix or DOS. Each command is immediately executed after it is entered(8). The commands (see section 13.3 The list of command-line and menu entry commands) are a subset of those available in the configuration file, used with exactly the same syntax.

Cursor movement and editing of the text on the line can be done via a subset of the functions available in the Bash shell:

C-f
PC right key
Move forward one character.

C-b
PC left key
Move back one character.

C-a
HOME
Move to the start of the line.

C-e
END
Move the the end of the line.

C-d
DEL
Delete the character underneath the cursor.

C-h
BS
Delete the character to the left of the cursor.

C-k
Kill the text from the current cursor position to the end of the line.

C-u
Kill backward from the cursor to the beginning of the line.

C-y
Yank the killed text back into the buffer at the cursor.

C-p
PC up key
Move up through the history list.

C-n
PC down key
Move down through the history list.

When typing commands interactively, if the cursor is within or before the first word in the command-line, pressing the TAB key (or C-i) will display a listing of the available commands, and if the cursor is after the first word, the TAB will provide a completion listing of disks, partitions, and file names depending on the context. Note that to obtain a list of drives, one must open a parenthesis, as root (.

Note that you cannot use the completion functionality in the TFTP filesystem. This is because TFTP doesn't support file name listing for the security.

The simple menu interface

The menu interface is quite easy to use. Its commands are both reasonably intuitive and described on screen.

Basically, the menu interface provides a list of boot entries to the user to choose from. Use the arrow keys to select the entry of choice, then press RET to run it. An optional timeout is available to boot the default entry (the first one if not set), which is aborted by pressing any key.

Commands are available to enter a bare command-line by pressing c (which operates exactly like the non-config-file version of GRUB, but allows one to return to the menu if desired by pressing ESC) or to edit any of the boot entries by pressing e.

If you protect the menu interface with a password (see section 9. Protecting your computer from cracking), all you can do is choose an entry by pressing RET, or press p to enter the password.

Editing a menu entry

The menu entry editor looks much like the main menu interface, but the lines in the menu are individual commands in the selected entry instead of entry names.

If an ESC is pressed in the editor, it aborts all the changes made to the configuration entry and returns to the main menu interface.

When a particular line is selected, the editor places the user in a special version of the GRUB command-line to edit that line. When the user hits RET, GRUB replaces the line in question in the boot entry with the changes (unless it was aborted via ESC, in which case the changes are thrown away).

If you want to add a new line to the menu entry, press o if adding a line after the current line or press O if before the current line.

To delete a line, hit the key d. Although GRUB unfortunately does not support undo, you can do almost the same thing by just returning to the main menu.

The hidden menu interface

When your terminal is dumb or you request GRUB to hide the menu interface explicitly with the command hiddenmenu (see section 13.1.3 hiddenmenu), GRUB doesn't show the menu interface (see section 12.2 The simple menu interface) and automatically boots the default entry, unless interrupted by pressing ESC.

When you interrupt the timeout and your terminal is dumb, GRUB falls back to the command-line interface (see section 12.1 The flexible command-line interface).

command-line & menu entry commands

These commands are usable in the command-line and in menu entries. If you forget a command, you can run the command help (see section 15 help).

1 blocklist

Command: blocklist file
Print the block list notation of the file file. See section 11.3 How to specify block lists.

2 boot

Command: boot
Boot the OS or chain-loader which has been loaded. Only necessary if running the fully interactive command-line (it is implicit at the end of a menu entry).

3 cat

Command: cat file
Display the contents of the file file. This command may be useful to remind you of your OS's root partition:

grub> cat /etc/fstab

4 chainloader

Command: chainloader [`--force'] file
Load file as a chain-loader. Like any other file loaded by the filesystem code, it can use the blocklist notation to grab the first sector of the current partition with `+1'. If you specify the option `--force', then load file forcibly, whether it has a correct signature or not. This is required when you want to load a defective boot loader, such as SCO UnixWare 7.1 (see section 4.2.7 SCO UnixWare).

5 cmp

Command: cmp file1 file2
Compare the file file1 with the file file2. If they differ in size, print the sizes like this:

Differ in size: 0x1234 [foo], 0x4321 [bar]

If the sizes are equal but the bytes at an offset differ, then print the bytes like this:

Differ at the offset 777: 0xbe [foo], 0xef [bar]

If they are completely identical, nothing will be printed.

6 configfile

Command: configfile file
Load file as a configuration file.

7 debug

Command: debug
Toggle debug mode (by default it is off). When debug mode is on, some extra messages are printed to show disk activity. This global debug flag is mainly useful for GRUB developers when testing new code.

8 displayapm

Command: displayapm
Display APM BIOS information.

9 displaymem

Command: displaymem
Display what GRUB thinks the system address space map of the machine is, including all regions of physical RAM installed. GRUB's upper/lower memory display uses the standard BIOS interface for the available memory in the first megabyte, or lower memory, and a synthesized number from various BIOS interfaces of the memory starting at 1MB and going up to the first chipset hole for upper memory (the standard PC upper memory interface is limited to reporting a maximum of 64MB).

10 embed

Command: embed stage1_5 device
Embed the Stage 1.5 stage1_5 in the sectors after the MBR if device is a drive, or in the boot loader area if device is a FFS partition or a ReiserFS partition.(9) Print the number of sectors which stage1_5 occupies, if successful.

Usually, you don't need to run this command directly. See section 34 setup.

11 find

Command: find filename
Search for the file name filename in all mountable partitions and print the list of the devices which contain the file. The file name filename should be an absolute file name like /boot/grub/stage1.

12 fstest

Command: fstest
Toggle filesystem test mode. Filesystem test mode, when turned on, prints out data corresponding to all the device reads and what values are being sent to the low-level routines. The format is `<partition-offset-sector, byte-offset, byte-length>' for high-level reads inside a partition, and `[disk-offset-sector]' for low-level sector requests from the disk. Filesystem test mode is turned off by any use of the install (see section 18 install) or testload (see section 35 testload) commands.

13 geometry

Command: geometry drive [cylinder head sector [total_sector]]
Print the information for the drive drive. In the grub shell, you can set the geometry of the drive arbitrarily. The number of cylinders, the number of heads, the number of sectors and the number of total sectors are set to CYLINDER, HEAD, SECTOR and TOTAL_SECTOR, respectively. If you omit TOTAL_SECTOR, then it will be calculated based on the C/H/S values automatically.

14 halt

Command: halt `--no-apm'
The command halts the computer. If the `--no-apm' option is specified, no APM BIOS call is performed. Otherwise, the computer is shut down using APM.

15 help

Command: help `--all' [pattern ...]
Display helpful information about builtin commands. If you do not specify pattern, this command shows short descriptions of most of available commands. If you specify the option `--all' to this command, short descriptions of rarely used commands (such as 35 testload) are displayed as well.

If you specify any patterns, it displays longer information about each of the commands which match those patterns.

16 impsprobe

Command: impsprobe
Probe the Intel Multiprocessor Specification 1.1 or 1.4 configuration table and boot the various CPUs which are found into a tight loop. This command can be used only in the Stage 2, but not in the grub shell.

17 initrd

Command: initrd file ...
Load an initial ramdisk for a Linux format boot image and set the appropriate parameters in the Linux setup area in memory. See also 4.2.2 GNU/Linux.

18 install

Command: install [`--force-lba'] [`--stage2=os_stage2_file'] stage1_file [`d'] dest_dev stage2_file [addr] [`p'] [config_file] [real_config_file]
This command is fairly complex, and you should not use this command unless you are familiar with GRUB. Use setup (see section 34 setup) instead.

In short, it will perform a full install presuming the Stage 2 or Stage 1.5(10) is in its final install location.

In slightly more detail, it will load stage1_file, validate that it is a GRUB Stage 1 of the right version number, install in it a blocklist for loading stage2_file as a Stage 2. If the option `d' is present, the Stage 1 will always look for the actual disk stage2_file was installed on, rather than using the booting drive. The Stage 2 will be loaded at address addr, which must be `0x8000' for a true Stage 2, and `0x2000' for a Stage 1.5. If addr is not present, GRUB will determine the address automatically. It then writes the completed Stage 1 to the first block of the device dest_dev. If the options `p' or config_file are present, then it reads the first block of stage2, modifies it with the values of the partition stage2_file was found on (for `p') or places the string config_file into the area telling the stage2 where to look for a configuration file at boot time. Likewise, if real_config_file is present and stage2_file is a Stage 1.5, then the Stage 2 config_file is patched with the configuration file name real_config_file. This command preserves the DOS BPB (and for hard disks, the partition table) of the sector the Stage 1 is to be installed into.

Caution: Several buggy BIOSes don't pass a booting drive properly when booting from a hard disk drive. Therefore, you will unfortunately have to specify the option `d', whether your Stage2 resides at the booting drive or not, if you have such a BIOS. We know these are defective in this way:

Fujitsu LifeBook 400 BIOS version 31J0103A

HP Vectra XU 6/200 BIOS version GG.06.11

Caution2: A number of BIOSes don't return a correct LBA support bitmap even if they do have the support. So GRUB provides a solution to ignore the wrong bitmap, that is, the option `--force-lba'. Don't use this option if you know that your BIOS doesn't have LBA support.

Caution3: You must specify the option `--stage2' in the grub shell, if you cannot unmount the filesystem where your stage2 file resides. The argument should be the file name in your operating system.

19 ioprobe

Command: ioprobe drive
Probe I/O ports used for the drive drive. This command will list the I/O ports on the screen. For technical information, See section D. Hacking GRUB.

20 kernel

Command: kernel [`--type=type'] [`--no-mem-option'] file ...
Attempt to load the primary boot image (Multiboot a.out or ELF, Linux zImage or bzImage, FreeBSD a.out, NetBSD a.out, etc.) from file. The rest of the line is passed verbatim as the kernel command-line. Any modules must be reloaded after using this command.

This command also accepts the option `--type' so that you can specify the kernel type of file explicitly. The argument type must be one of these: `netbsd', `freebsd', `openbsd', `linux', `biglinux', and `multiboot'. However, you need to specify it only if you want to load a NetBSD ELF kernel, because GRUB can automatically determine a kernel type in the other cases, quite safely.

The option `--no-mem-option' is effective only for Linux. If the option is specified, GRUB doesn't pass the option `mem=' to the kernel. This option is implied for Linux kernels 2.4.18 and newer.

21 lock

Command: lock
Prevent normal users from executing arbitrary menu entries. You must use the command password if you really want this command to be useful (see section 13.2.10 password).

This command is used in a menu, as shown in this example:

title This entry is too dangerous to be executed by normal users
lock
root (hd0,a)
kernel /no-security-os

See also 9. Protecting your computer from cracking.

22 makeactive

Command: makeactive
Set the active partition on the root disk to GRUB's root device. This command is limited to primary PC partitions on a hard disk.

23 map

Command: map to_drive from_drive
Map the drive from_drive to the drive to_drive. This is necessary when you chain-load some operating systems, such as DOS, if such an OS resides at a non-first drive. Here is an example:

grub> map (hd0) (hd1)
grub> map (hd1) (hd0)

The example exchanges the order between the first hard disk and the second hard disk. See also 4.2.6 DOS/Windows.

24 md5crypt

Command: md5crypt
Prompt to enter a password, and encrypt it in MD5 format. The encrypted password can be used with the command password (see section 13.2.10 password). See also 9. Protecting your computer from cracking.

25 module

Command: module file ...
Load a boot module file for a Multiboot format boot image (no interpretation of the file contents are made, so the user of this command must know what the kernel in question expects). The rest of the line is passed as the module command-line, like the kernel command. You must load a Multiboot kernel image before loading any module. See also 26 modulenounzip.

26 modulenounzip

Command: modulenounzip file ...
The same as module (see section 25 module), except that automatic decompression is disabled.

27 pause

Command: pause message ...
Print the message, then wait until a key is pressed. Note that placing ^G (ASCII code 7) in the message will cause the speaker to emit the standard beep sound, which is useful when prompting the user to change floppies.

28 quit

Command: quit
Exit from the grub shell grub (see section 15. Invoking the grub shell). This command can be used only in the grub shell.

29 reboot

Command: reboot
Reboot the computer.

30 read

Command: read addr
Read a 32-bit value from memory at address addr and display it in hex format.

31 root

Command: root device [hdbias]
Set the current root device to the device device, then attempt to mount it to get the partition size (for passing the partition descriptor in ES:ESI, used by some chain-loaded boot loaders), the BSD drive-type (for booting BSD kernels using their native boot format), and correctly determine the PC partition where a BSD sub-partition is located. The optional hdbias parameter is a number to tell a BSD kernel how many BIOS drive numbers are on controllers before the current one. For example, if there is an IDE disk and a SCSI disk, and your FreeBSD root partition is on the SCSI disk, then use a `1' for hdbias.

kernel

kernel pages go here.....

kernel rebuild guide

Why Rebuild?

Why rebuild the kernel? The main reason was once to optimize the kernel to your environment (hardware and usage patterns). With modern hardware there is rarely a need to recompile unless there is a particular feature of a new kernel that you must have. The performance gains are probably not noticeable unless specific benchmarks are being run.

This said, the newest Linux kernel (2.6.5 as of this writing) has noticeable improvements for the typical desktop user as a result of the improved scheduling system in the new kernel. Even for older kernels, rebuilding is often necessary for low memory situations, esoteric hardware, and in cases where every ounce of performance must be extracted.

This guide covers the steps necessary to build both the 2.4.x and 2.6.x series of kernels. Because the process is quite different from one version to the next, the two kernel versions are described in separate chapters.

What is the kernel?

The Linux kernel is often likened to the conductor in an orchestra. Among other things, it makes sure that all other processes in the system work together coherently. Though it is only a small part of the operating system, the kernel has the most important job of keeping everything else synchronized.

Preparation

Hardware Requirements

Hardware requirements can differ greatly between kernel versions, and indeed, within versions depending upon the configuration. Though the Linux 2.4.x kernel can boot with as little as 8M of RAM, a more realistic number is about 64M. As of this writing, the published minimum hardware required for the typical distribution is about 128M RAM, 2G of hard drive space, and 200MhZ Pentium or equivalent CPU. To actually build the kernel, however, requires a little extra hardware. The kernel sources themselves will occupy anywhere from 40M to 80M of filesystem space. To build them requires a minimum of 400M of drive space for all the interim files. The actual kernel and included modules will require anywhere from 4M for an almost useless, bare minimum kernel to about 40M fully loaded. [1] Luckily, the kernel does not need to be built on the same machine on which it will be deployed. This means that you can compile and package your kernel on a more robust machine and then install on the minimal system.

Software Requirements

The minimum software versions for a kernel build are found in the ./Documentation/Changes file of the installed sources. They are as follows: 2.4.x series

		o  Gnu C                  2.91.66     # gcc --version
		o  Gnu make               3.77        # make --version
		o  binutils               2.9.1.0.25  # ld -v
		o  util-linux             2.10o       # fdformat --version
		o  modutils               2.4.2       # insmod -V
		o  e2fsprogs              1.19        # tune2fs
		o  reiserfsprogs          3.x.0b      # reiserfsck 2>&1|grep reiserfsprogs
		o  pcmcia-cs              3.1.21      # cardmgr -V
		o  PPP                    2.4.0       # pppd --version
		o  isdn4k-utils           3.1pre1     # isdnctrl 2>&1|grep version

2.6.x series

		o  Gnu C                  2.95.3       # gcc --version
		o  Gnu make               3.78         # make --version
		o  binutils               2.12         # ld -v
		o  util-linux             2.10o        # fdformat --version
		o  module-init-tools      0.9.10       # depmod -V
		o  e2fsprogs              1.29         # tune2fs 
		o  jfsutils               1.1.3        # fsck.jfs -V
		o  reiserfsprogs          3.6.3        # reiserfsck -V 2>&1|grep reiserfsprogs
		o  xfsprogs               2.1.0        # xfs_db -V
		o  pcmcia-cs              3.1.21       # cardmgr -V
		o  quota-tools            3.09         # quota -V
		o  PPP                    2.4.0        # pppd --version
		o  isdn4k-utils           3.1pre1      # isdnctrl 2>&1|grep version
		o  nfs-utils              1.0.5        # showmount --version
		o  procps                 3.1.13       # ps --version
		o  oprofile               0.5.3        # oprofiled --version

A common sticking point on distributions transitioning between 2.4.x and 2.6.x kernels is the module-init-tools package which must be updated to work with the 2.6.x kernel. Also, be aware that the underlying version of glibc, the GNU libc package, is implied. If you are upgrading from particularly old distributions then you will likely need to upgrade glibc itself. [2]

Determine Current Hardware

Once you have determined that your hardware and software meet the minimum requirements for the kernel build, we will need to collect more detailed information about the system. This is needed during the configuration process when we decide which hardware will be supported under our new kernel. Among the information we will gather include: Processor, Drive type and Controller (SCSI, IDE), Ethernet devices, Graphics and Sound Cards, USB HUB.

We start by running the /sbin/lspci utility to print information about our hardware:

			$ /sbin/lspci

		00:00.0 Host bridge: Silicon Integrated Systems [SiS] 735 Host (rev 01)
		00:01.0 PCI bridge: Silicon Integrated Systems [SiS] 5591/5592 AGP
		00:02.0 ISA bridge: Silicon Integrated Systems [SiS] 85C503/5513
		00:02.2 USB Controller: Silicon Integrated Systems [SiS] 7001 (rev 07)
		00:02.3 USB Controller: Silicon Integrated Systems [SiS] 7001 (rev 07)
		00:02.5 IDE interface: Silicon Integrated Systems [SiS] 5513 [IDE] (rev d0)
		00:02.7 Multimedia audio controller: SiS7012 PCI Audio Accelerator (rev a0)
		00:03.0 Ethernet controller: [SiS] SiS900 10/100 Ethernet (rev 90)
		01:00.0 VGA compatible controller: ATI Technologies Inc Rage 128 RF/SG AGP

Next, we must determine our processor type if not known. Some Linux systems contain a /proc filesystem that allows a user to view raw information about the system. If /proc exists you can issue the following command to get CPU information:

			$ cat /proc/cpuinfo

		processor       : 0
		vendor_id       : AuthenticAMD
		cpu family      : 6
		model           : 6
		model name      : AMD Athlon(tm) XP 1800+
		stepping        : 2
		cpu MHz         : 1526.870
		cache size      : 256 KB
		fdiv_bug        : no
		hlt_bug         : no
		f00f_bug        : no
		coma_bug        : no
		fpu             : yes
		fpu_exception   : yes
		cpuid level     : 1
		wp              : yes
		flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge 
		bogomips        : 3047.42

Acquiring the Sources

There are many ways to acquire the Linux kernel sources. If you are using a packaged distribution then most likely the distributor will bundle a kernel source package. These are installable via the package installation method, whether RPM, apt, YAST, portage, etc.. If you decide to go this route, please consult your distribution's documentation for specifics.

The other option is to use the "pristine" sources, either the "official" sources from Linus Torvalds himself, or one of the regularly maintained trees from people such as Alan Cox, Robert Love, Andrew Morton, et al.. These sources are often on the bleeding-edge of kernel development, full of new features and untested code.

Untested code? This is a feature of the distributed development model of Linux and Open Source (??) in general. The traditional model of a software release is somewhat antithetical to this model, as new code must be released to allow all developers to test and improve the code. However, because Linux is used in production environments throughout world it is necessary to separate the unstable development tree from the tested, stable tree. This is done through the version number of the kernel. There are three main numbers associated with the kernel -- the Major, Minor, and PatchLevel fields. The Major number rarely changes, and then only when/if the entire architecture is revamped. The Minor number changes more frequently, perhaps once every couple years. Kernels with an odd Minor number are considered unstable, testing branches. Kernels with an even Minor number are generally rock solid. The PatchLevel is updated frequently, sometimes more than once a week in extreme cases.

To recap, you can build either from your distribution's modified kernel sources or from the stable or unstable branch of the offical sources. If you are making minor modifications to the configuration, it is perhaps safest to install your distributor's version. These kernels usually include stability and feature patches that may be missing from the stock kernels. For example, some distributors will include low-latency or security patches and do the more difficult work of integrating these into their system. The downside is that the distributors tend to lag behind the bleeding-edge kernels. If you would like to test features that are available in the newest tree then you will likely need to build from the "pristine" source from Linus or the tree maintainer of your choice.. FIXME: NO LONGER really true -- 2.6 based distributions are out there / will be (e.g., SuSE 9.1) by the end of April 2004.

Download the Source

Though the latest sources are always available from http://kernel.org, to be kind to the Internet, always use one of the mirrors listed at http://kernel.org/mirrors. In general, geographically close mirrors will tend to be fastest. You can either browse the sites with an Internet browser or with a dedicated FTP client.

You will see several links to /pub/linux on the mirror site. Select the kernel directory, then the kernel version that you would like to install. As of this writing, 2.4.22 is the latest stable version and 2.6.0 is in pre-release state. Once you select a kernel version you will see several files.

		ChangeLog-2.6.0-test9          25-Oct-2003 14:51    41k  
		LATEST-IS-2.6.0-test9          25-Oct-2003 14:51     0k  
		linux-2.6.0-test9.tar.bz2.sign 25-Oct-2003 15:14     1k  
		linux-2.6.0-test9.tar.gz       25-Oct-2003 15:14  39.7M  
		linux-2.6.0-test9.tar.gz.sign  25-Oct-2003 15:14     1k  
		linux-2.6.0-test9.tar.sign     25-Oct-2003 15:14     1k  
		patch-2.6.0-test9.bz2.sign     25-Oct-2003 15:14     1k  
		patch-2.6.0-test9.gz           25-Oct-2003 15:14   123k  
		patch-2.6.0-test9.gz.sign      25-Oct-2003 15:14     1k  
		patch-2.6.0-test9.sign         25-Oct-2003 15:14     1k

The Changelog files detail the differences between versions. The linux- files are the compressed sources for the entire Linux kernel. Most sites will contain both gzip and bzip packages. The bzip packages tend to be about 20% smaller than the GZIP versions, so they are usually the best option since all modern Linux distributions contain BZIP utilities.

The patch files are a list of differences between versions of the kernel. If you have previously downloaded an earlier source package, you will only need to download the much smaller patch file to bring those up to date. We will discuss patch application in the next section.

There are also some .sign files that contain GPG checksum information which are useful for verifying that the sources you downloaded have not been corrupted or maliciously modified. For more information on verifying the GPG signature, see http://www.kernel.org/signature.html .

The http://kernel.org website is not the only place to retrieve patches. Many other vendors and individuals have developed patches to improve aspects of the kernel's performance, support new hardware, or introduce features that are too esoteric or experimental to make it to the stock kernel. For example, kernel hacker Robert Love had developed the pre-emptible kernel modifications that made dramatic improvements to the responsiveness of a Linux system. These patches were not part of the standard 2.4.x kernel but were of such usefulness that they were officially adopted into the 2.6.0 series. For the most part these third-party patches are stable but do use your judgment when downloading and applying them.

Extract and Patch

Once you have retrieved the kernel sources and patches, you will need to extract them and apply the patches. The pristine 2.4.x and 2.6.x sources can be built as a regular, unprivileged user and this is recommended. [3]

We will begin by creating a directory to hold all the source tarballs and patches, then proceed to extract the sources. For these examples we will assume that you have previously downloaded an earlier release of the kernel and will now need to patch to bring it up to the current version.

			$ mkdir src
			$ cd src

If your Linux sources are in BZIP compressed format (that is, end with a .bz2 extenstion, then use the following command:

			$ tar xfvj /path/to/linux-2.6.0-test7.tar.bz2

Otherwise, use the options for GZIP compressed data:

			$ tar xfvz /path/to/linux-2.6.0-test7.tar.gz

You should see a list of filenames scroll by as they are being extracted. Verify that the new kernel source directory is created:

			$ ls -l

		total 4
		drwxr-xr-x   18 kwan   users   4096 Oct  8 15:24 linux-2.6.0-test7
		-rw-r--r--    1 kwan   users 276260 Nov 15 02:05 patch-2.6.0-test8.gz
		-rw-r--r--    1 kwan   users 126184 Nov 15 02:07 patch-2.6.0-test9.gz

Next we must apply the patches in order. Patch files are created by the diff program, and can selectively modify one or more files by adding, deleting, or modifying lines in the source code. Because they contain only the differences between files it is usually a lot faster (and better for the Internet in general) if you patch to the current release. (TBF unclear). Appendix TBF shows a typical patch file. Like the kernel sources, the patch files are also compressed.

			$ gunzip patch-2.6.0-test8.gz
			$ gunzip patch-2.6.0-test9.gz
			$ ls -l

		-rw-r--r--    1 kwan  users  1072806 Nov 15 02:05 patch-2.6.0-test8
		-rw-r--r--    1 kwan  users   486902 Nov 15 02:07 patch-2.6.0-test9

Once the patches are uncompressed we can apply them to the kernel sources. Remember that it is important to apply them in order.

			$ cd linux-2.6.0-test7
			$ patch -p1 <../patch-2.6.0.test8
			$ patch -p1 <../patch-2.6.0.test9

If it is successful you will see messages similar to the following scroll by:

		patching file Documentation/filesystems/jfs.txt
		patching file Documentation/filesystems/xfs.txt
		patching file Documentation/ia64/fsys.txt
		patching file Documentation/ide.txt
		patching file Documentation/x86_64/boot-options.txt
		patching file Makefile

If unsuccessful you will get a warning and be prompted for a file to patch. If this occurs, press Ctrl-C to break out of the patch utility and verify that you are using the correct patch and applying them in the correct order.

Once all the patches are applied you might consider backing up the directory.

			$ cd ..
			$ mv linux-2.6.0-test7 linux-2.6.0-test9
			$ tar cfvj linux-2.6.0-test9.tar.bz2 linux-2.6.0-test9

Configuration

The Configuration Process

The configuration process is the most strenous portion of the kernel rebuild process. In this step you are deciding which features will be included in the final kernel and it can require lots of hardware knowledge. In truth, it is not too onerous. The current kernels have graphical configuration programs and though not perfect, provide help screens for most of the configuration options.

Many changes were made to the configuration subsystem in the 2.6.x kernel series. It is easier to add modules and much more robust than before. It has also changed dramatically in appearance especially when using the X-based configuration tool, xconfig. For this reason the configuration steps for the different branches have been split into two sections in this chapter.

As mentioned, both configuration tools provide context sensitive help screens for the different options. Because this help is readily available to the user (and more importantly, because there are several hundred options) this guide will only cover a fraction of the choices.

Compile Modules or Static

One of the first choices you will make is whether or not to build device support directly into the kernel or as a module. In the early days of Linux, when module support was in its infancy, it was possible that static (i.e., compiled in) drivers were faster. With any modern CPU, the time to load and unload the modules and the memory required for the module loader subsystem is negligible even to benchmarking utilities. Some devices, notably the disk controller, can be built directly into the kernel in order to simplify the boot process. [4]

You may also choose to disable some options entirely. Though you will not have any performance increases, there are advantages to disabling features that are not required. For one, the compile times will be drastically reduced depending on which subsystem is disabled. For another, the final kernel and installed modules will require less space. On modern hard drives of 40G, 60G, and even 250G, an extra 20M or so is negligible but is significant on embedded or older systems. The disadvantage is that you will not have support for those features until you recompile the kernel. One other thing to keep in mind, as noted in KERNELTRAP.ORG (http://www.kerneltrap.org/node/view/799):

	Having unnecessary drivers will make the kernel bigger, and can under some circumstances lead to problems: probing for a nonexistent controller card may confuse your other controllers.
--kerneltrap.org

Assign Unique Name

We have so far extracted and patched the Linux sources. During our preparation we also determined what hardware is installed in the system so that we will know which modules will need compilation. Before we proceed to actually configuring the kernel there are a couple minor but important details to complete.

Inside the Linux source directory is the default Makefile. This file is used by the make utility to compile the Linux sources. The first few lines of the Makefile contains some versioning information:

		VERSION = 2
		PATCHLEVEL = 4
		SUBLEVEL = 22
		EXTRAVERSION = -1

Note that there is an additional EXTRAVERSION field. To prevent overwriting any existing kernel modules on the system we will change this EXTRAVERSION to something unique. When the final installation steps are run, kernel module files will then get written to /lib/modules/$VERSION.$PATCHLEVEL.$SUBLEVEL-$EXTRAVERSION.

Backup `.config`

Finally, before we begin, please note that the configuration choices are kept in the ../linux/.config file. If you have not already run any configurations, this file will not exist. If you have, and would like to save your configuration, copy the .config to another file:

			$ cd linux
			$ cp .config config.save

If you are using the sources from a vendor, then the default configuration files are usually included in the configs or in the ./arch/i386/defconfig (for i386 machines) file. You can use these configurations as a starting point for your customizations. The .config will be overwritten in the next step, so do make a backup before proceeding!

We begin the configuration by wiping out all previous configurations and resetting the source directory to a pristine state. The main reason for doing this is that some files do not automatically get rebuilt, which can lead to failed builds, or at worst, a buggy kernel.

			$ make mrproper

In the 2.4.x series, a few dozen lines of rm -f commands will appear as all generated files get removed. The 2.6.x process is less noisy and returns only a few CLEAN messages. Please note that it is generally safe to omit the make mrproper step during subsequent rebuilds.

As of this writing (December 15, 2003), the 2.4.x kernel is in wide deployment. The 2.6.0 has just been released to the world. FIXME -- the previous sentence needs to be updated Though the configuration and build procedures are quite similar, there are enough differences to warrant separate sections for each kernel. If you are building a 2.6.x series kernel, skip to the Section called Configuring the 2.6.x kernels. Otherwise, proceed to the next section, the Section called Configuring the 2.4.x kernels.

Configuring the 2.4.x kernels

Our next step is to run the configuration utility. In the 2.4.x kernels there are four main frontends: config, oldconfig, menuconfig, xconfig. We choose one configuration method and run it, for example:

			$ make config

config is the least user-friendly option as it merely presents a series of questions that must be answered sequentially. Alas, if an error is made you must begin the process from the top. Pressing Enter will accept the default entry, which is in upper case.

oldconfig will read the defaults from an existing .config and rewrite necessary links and files. Use this option if you've made minor changes to source files or need to script the rebuild process. Note that oldconfig will only work within the same major version of the kernel. You cannot, for example, use a 2.4.x .config with the 2.6.x kernel.

menuconfig is an ncurses-based frontend. Your system must have the ncurses-devel libraries installed in order to use this utility. As the help text at the top of the screen indicates, use the arrow keys to navigate the menu. Press Enter to select sub-menus. Press the highlighted letter on each option to jump directly to that option. To build an option directly into the kernel, press Y. To disable an option entirely, press N. To build an option as a loadable module, press M. You can also access content-specific help screens by pressing ? on each page or selecting HELP from the lower menu. Figure 1 shows an example screen. [5]

Figure 1. make menuconfig

xconfig, as the name suggests, is an X Window based frontend. It requires the Tcl/Tk and X libraries to work, and of course, an X server. Figure 2 shows an example screen.

Figure 2. make xconfig

For the purposes of this next section we will assume that make xconfig is used. The options are identical otherwise. As mentioned, there are literally hundreds of configuration options and this precludes us from listing every one of them. If you are unsure of an option use the online help or consult the kernel documentation found in the ../linux/Documentation directory. We begin by typing:

			$ make xconfig

The main configuration menu will appear. Selecting an item will bring up another window with further options. These in turn can spawn other sub-menus.

Code Maturity Level Options

This option allows configuration of alpha-quality software. It is best to disable this option if the kernel is intended for a stable production system. If you require an experimental feature in the kernel, such as a driver for new hardware, then enable this option but be aware that it "may not meet the normal level of reliability" as tested code.

Loadable Module Support

You will almost certainly want to enable module support. If you will need third-party kernel modules you will also need to enable Set Version Information on All Module Symbols.

Processor Type and Features

This is perhaps the most important option to choose. In the Preparation section we determined our processor type by examining /proc/cpuinfo and we use that information here to select the appropriate processor. Included in this submenu are features such as Low Latency Scheduling which can improve desktop responsiveness, Symmetric Multi-processing Support for machines with multiple CPUs, and High Memory Support for machines with more than 1G of RAM. Laptop users can also benefit from the CPU Frequency Scaling feature.

General Setup

Choices for PCI, ISA, PCMCIA and other architectural support such as Advanced Power Management are found here.

Memory Technology Devices

MTD devices include Compact Flash devices. Some digital cameras will require this support.

Block Devices

The Block Device section contains options for floppy and hard drives, including parallel port devices, tape drives and RAID controllers. Important options include loopback device support, which allows mounting on disk images, and initrd support, which is needed to preload drivers necessary to boot the system.

Multi-Device support (RAID and LVM)

Important for servers, these options include RAID support for combining multiple disks. Note that this option is not needed for certain hardware RAID that function below the operating system level. LVM is a useful subsystem that allows, among other things, dynamic resizing of filesystems.

ATA/IDE/MFM/RLL support.

This section includes options for IDE/ATAPI chipsets, including performance tweaks such as DMA. Most systems will need this support.

Cryptography Support (CryptoAPI)

Useful options include Loopback Crypto Support, which allows encrypted filesystem images to be mounted. Even with full access to the PC, loopback encryption can help safeguard data.

Networking Options

Many choices are available for networking. TCP/IP, IP tunneling, packet filtering, IPv4 and IPv6, routing support and network QoS are among the most useful. If your kernel is intended for a dedicated firewall or router device, then the options here can significantly improve performance. Read the online and kernel documentation.

SCSI Support

SCSI support is needed for not only true SCSI devices, but also for IDE CDR/W drives in SCSI emulation mode. If your root filesystem is mounted on a SCSI disk, then you must build support directly into the kernel and not as a module.

Character Devices

Dozens of options are available here, including support for many serial and parallel devices, hardware sensors (for system monitors), mice, joysticks and DRM. Many of the options can be safely disabled without problem.

File Systems

It is a good idea to build support for your root filesystem directly into the kernel. Though the initrd utilities can get around the chicken-and-egg boot problem, it is generally safer and easier to just build the fs modules directly. Many options can also be safely disabled if you have no use for the feature.

Once all the configuration changes have been made, you can go ahead and save settings. By defaulti, the configuration is placed in the .config file in the topmost directory. Because this file is deleted by make mrproper and is also hidden, it is a good idea to use the Save to Alternate File before exiting. It will prompt for another save location. Enter something outside of the source tree and with a useful name such as kernel-2.4.22-lowlatency.config. Once this is done, exit the configuration menu. You will be prompted to save the configuration again. Select Yes and continue.

The configuration for the 2.4.x kernel is now complete. You may now skip to the chapter called Build.

Configuring the 2.6.x kernels

Our next step is to run the configuration utility. On the 2.6.x kernels there are four main frontend programs: config, menuconfig, and xconfig.

menuconfig is an ncurses based frontend. Your system must have the ncurses-devel libraries installed in order to use this utility. As the help text at the top of the screen indicates, use the arrow keys to navigate the menu. Press Enter to select sub-menus. Press the highlighted letter on each option to jump directly to that option. To build an option directly into the kernel, press Y. To disable an option entirely, press N. To build an option as a loadable module, press M. You can also access content-specific help screens by pressing ? on each page or selecting HELP from the lower menu. Figure 1 in the Section called Configuring the 2.4.x kernels shows an example screen from the 2.4.x kernel series.

xconfig is a graphical frontend using qconf by Roman Zippel. It requires the qt and X libraries to build and use. The interface is intuitive and customizable. Online help is automatically shown for each kernel configuration option. It also can show dependency information for each module which can help diagnose build errors. Figure 3 shows an example of the xconfig screen. From the online help:

	For each option, a blank box indicates the feature is disabled, a check indicates it is enabled, and a dot indicates that it is to be compiled as a module. Clicking on the box will cycle through the three states. If you do not see an option (e.g., a device driver) that you believe should be present, try turning on Show All Options under the Options menu. Although there is no cross reference yet to help you figure out what other options must be enabled to support the option you are interested in, you can still view the help of a grayed-out option.
--qconf help

Figure 3. make xconfig

Once you have decided which configuration option to use, start the process with make followed by either config, menuconfig, or xconfig. For example:

		 	$ make menuconfig

The system will take a few moments to build the configuration utility. Next you will be presented with the configuration menus. Though similar to the 2.4.x series, the 2.6.x menu is more logically organized with better grouping of sub-modules. Following are some of the top level configuration options in the 2.6 kernel.

Code Maturity Level Options

This option allows configuration of alpha-quality software or obsoleted drivers. It is best to disable this option if the kernel is intended for a stable production system. If you require an experimental feature in the kernel, such as a driver for new hardware, then enable this option but be aware that it "may not meet the normal level of reliability" as more rigorously tested code.

General Setup

This section contains options for sysctl support, a feature allowing run-time configuration of the kernel. A new feature, kernel .config support, allows the complete kernel configuration to be viewed during run-time. This addresses many requests to be able to see what features were compiled into the kernel.

Loadable Module Support

You will almost certainly want to enable module support. If you will need third-party kernel modules you will also need to enable Set Version Information on All Module Symbols.

Processor Type and Features

This is perhaps the most important configuration choice. In the Preparation section we determined our processor type by examining /proc/cpuinfo and we use that information here to select the appropriate processor. Included in this submenu are features such as Preemptible Kernel which can improve desktop responsiveness, Symmetric Multi-processing Support for machines with multiple CPUs, and High Memory Support for machines with more than 1G of RAM.

Power Management Options

Found here are options for ACPI and CPU Frequency Scaling which can dramatically improve laptop power usage. Read the Documentation/power file for more information.

Bus Options ( PCI, PCMCIA, EISA, MCA, ISA)

Here are found options for all system bus devices. On modern machines the ISA and MCA support can often be disabled.

Executable File Formats

Interesting features here include the kernel support for miscellaneous binaries, which can allow seamless operation of non-Linux binaries with a little userland help.

Device Drivers

All the device-driver configuration options that were previously scattered throughout the 2.4.x menus are now neatly organized under this option. Features such as SCSI support, graphic card optimizations, sound, USB and other hardware are configured here.

File Systems

Found here are options for filesystems which are supported by the kernel, such as EXT2 and ReiserFS. It is best to build support for the root filesystems directly into the kernel rather than as a module.

Security Options

Interesting options here include support for NSA Security Enhanced Linux and other, somewhat experimental, features to increase security.

Build

Dependencies

The next step is to create the necessary include files and generate dependency information. This step is only required for the 2.4.x kernel tree.

			$make dep

Lots of messages will scroll by. Depending on the speed of your machine and on what options you chose, this may take several minutes to complete. Once the dependency information is created we can clean up some miscellaneous object files. This step is required for all versions of the kernel.

			$make clean

Build the Kernel

We are now (finally) ready to start the actual kernel build. At the prompt type:

			$make bzImage

As the Kbuild documentation states:

	Some computers won't work with 'make bzImage', either due to hardware problems or very old versions of lilo or loadlin. If your kernel image is small, you may use 'make zImage', 'make zdisk', or 'make zlilo' on these systems.
--Kbuild 2.4 Documentation

[6] On an Athlon 1800XP, building the bzImage took approximately seven minutes for a moderately configured kernel. On a Pentium 100 used as a baseline, a similar configuration took almost 45 minutes. If you are not in a hurry you may want to start the build on a console while you continue to work. The main difference between the 2.4 and 2.6 trees is the amount of information presented on the screen. Much less information is displayed with 2.6.x, making errors and warnings easier to spot. If everything went correctly then the new kernel should exist in ./arch/$ARCH/boot. For example, on IA32 systems we can verify this with:

			$ls -l arch/i386/boot

Build the Modules

There is one more step needed for the build process, however. You have created the kernel, but now you need to create all the loadable modules if you have them configured. Be aware that typical distribution kernels tend to have almost every feature installed, plus a few others for good measure. These can typically take an hour or so to build on our Athlon XP1800. The stock kernels are somewhat leaner by default and take, on average, 25 minutes to compile. To build the modules we run:

			$ make modules

Again, lots of messages will scroll by on the screen. Here also the 2.6.x series is less talkative, outputting only summary information. Once the modules are built they can be installed. If you were building as a non-privileged user you will now need to switch to root to complete this next step:

			$ su
			password:
			$ make modules_install

The freshly baked modules will be copied into /lib/modules/KERNEL_VERSION.

Create Initial RAMDisk

If you have built your main boot drivers as modules (e.g., SCSI host adapter, filesystem, RAID drivers) then you will need to create an initial RAMdisk image. The initrd is a way of sidestepping the chicken and egg problem of booting -- drivers are needed to load the root filesystem but the filesystem cannot be loaded because the drivers are on the filesystem. As the manpage for mkinitrd states:

	mkinitrd creates filesystem images which are suitable for use as Linux initial ramdisk(initrd) images. Such images are often used for preloading the block device modules (such as IDE, SCSI or RAID) which are needed to access the root filesystem. mkinitrd automatically loads filesystem modules (such as ext3 and jbd), IDE modules,all scsi_hostadapter entries in /etc/modules.conf, and raid modules if the systems root partition is on raid, which makes it simple to build and use kernels using modular device drivers.
--MKINITRD(8)

To create the initrd, do the following:

				$ mkinitrd /boot/initrd-2.6.0.img 2.6.0

Some versions of mkinitrd may require other options to specify the location of the new kernel. On SuSe 9.0, for example, the following syntax is required:

				$ mkinitrd -k vmlinux-VERSION -i initrd-VERSION

[7]

Troubleshooting Build Failures

If your build fails with a signal 11 error it is most likely because of hardware problems; often the culprit is failing memory. Unfortunately, the BIOS memory check is close to useless in detecting intermittent memory failures. Even dedicated memory checkers do not stress memory as much as gcc running a kernel build. One way to tell if hardware is at fault is to restart the 'make bzImage' process. If you can get a little further before failing again then it is a hardware error. There are several possible ways to try to correct these.

Try changing your memory settings in the BIOS to more conservative levels. For example, change to SLOW or NORMAL instead of FAST. Verify that all the fans are working correctly. [8] Swap out the memory. One trick is to specify less memory than is actually installed by passing values to the kernel on boot. This prevents the kernel from accessing all the memory in the machine, and could help diagnose bad SIMMs or SDRAMs.

If instead the 'make' fails at the same point each time, then it is a configuration error. These usually result from not enabling a feature that is required by another. For example, IP Firewalling requires TCP/IP. If the prerequisite is not enabled, the build will fail. You may also get errors if you select the wrong processor or are using either a very old or development compiler.

Also keep in mind that the kernel is highly sensitive to the versions of the build tools such as the compiler and linker. The versions listed are requirements, not suggested.

Installation

Copy the Kernel and System.map

Once your kernel is created, you can prepare it for use. From the ./linux directory, copy the kernel and System.map file to /boot. In the following examples change KERNEL_VERSION to the version of your kernel. [9]

			$ cp arch/i386/boot/bzImage /boot/bzImage-KERNEL_VERSION
			$ cp System.map /boot/System.map-KERNEL_VERSION
			$ ln -s /boot/System.map-KERNEL_VERSION /boot/System.map

The next step is to configure your bootloader. The bootloader is the first program that runs when a computer is booted. For this document it is assumed that you are running an IA32 system with a standard PC BIOS. If you are running the LiLO bootloader skip to the the Section called LiLO Configuration otherwise proceed to the Section called GrUB Configuration.

FIXME: Need information on non-IA32 bootloaders!!

GrUB Configuration

GrUB is beginning to supplant LiLO as the bootloader of choice in more recent Linux distributions. It is generally more flexible and a lot more forgiving of system errors. For example, LiLO generally requires that an alternate boot disk is used if the kernel configuration renders the system unbootable Grub allows "on-the-fly" modification of kernel location, boot parameters, kernel to boot, etc..

Once you have copied the bzImage and System.map to /boot, edit the grub configuration file located in /boot/grub/menu.lst. On some distributions /etc/grub.conf is a symbolic link to this file.

		# Note that you do not have to rerun grub after making changes to this file
		#boot=/dev/hda
		default=0
		timeout=10
		title Red Hat Linux (2.4.20-24.9)
			root (hd0,1)
			kernel /boot/vmlinuz-2.4.20-24.9 ro root=LABEL=/
			initrd /boot/initrd-2.4.20-24.9.img
		title Red Hat Linux (2.4.20-20.9)
			root (hd0,1)
			kernel /boot/vmlinuz-2.4.20-20.9 ro root=LABEL=/
			initrd /boot/initrd-2.4.20-20.9.img

Edit the file to include your new kernel information. Keep in mind that GrUB counts starting from 0, so (hd0,1) references the first controller, second partition. If you have created an initial RAMdisk be sure to include it here too. A typical configuration may look something like this:

		title Test Kernel (2.6.0)
			root (hd0,1)
			kernel /boot/bzImage-2.6.0 ro root=LABEL=/
			initrd /boot/initrd-2.6.0.img

LiLO Configuration

LiLO is an older bootloader. Its configuration file is located in /etc/lilo.conf on most systems. Unlike GrUB, any changes to lilo.conf will not be set until the lilo program is rerun.

		boot=/dev/hda
		map=/boot/map
		install=/boot/boot.b
		default=test-2.6.0
		keytable=/boot/us.klt
		lba32
		prompt
		timeout=50
		message=/boot/message
		menu-scheme=wb:bw:wb:bw
		image=/boot/vmlinuz
			label=linux
			root=/dev/hda3
			append=" ide1=autotune ide0=autotune"
			read-only
		  
		image=/boot/bzImage-2.6.0
			label=test-2.6.0
			root=/dev/hda2
			read-only

The important sections are the image=/boot/bzImage and the default=test-2.6.0 options. Notice that you can have several image sections in the lilo.conf, allowing multiple configurations. Install the new kernel by running the lilo program.

		$  /sbin/lilo

If you are installing and testing the kernel remotely, you can instead specify to LiLO that the new kernel is loaded only for the next boot by using the following syntax:

		$  /sbin/lilo -R test-2.6.0

Messages will appear showing the newly added kernel with an asterisk marking the default image. If you get errors, consult the lilo documentation for the correct syntax.

Bibliography

Books

[LinuxKernel] Daniel P. Dovet and Marco Cesati, 2003, Edited by FIXME FIXME, 0672325128 , SAMS, Linux Kernel Development.

Resources

Online Resources

Feedback

Comments and corrections

The current maintainer of this HOWTO is Kwan Lowe. Please send corrections, additions, comments and criticisms to <kwan@digitalhermit.com>.

The HOWTO's maintainer is not a professional writer. If you find some parts of this HOWTO difficult to comprehend then let the maintainer know.

Colophon

Written in DocBook 4.1 SGML. Vim was used to create the SGML source file. The HTML, PostScript and PDF output was generated from the DocBook source by the Linux Documentation Project.

Notes

[1]

I have successfully installed a serviceable machine on an original Pentium 100, 64M RAM, and 1.2G of drive space. A full build of the 2.6.0test9 kernel took approximately 4 hours to complete.

[2]

On an RPM-based system you can query a minimal version with a command such as:

			$ rpm -q --requires gcc|grep glibc

[3]

Distributions will often install the kernel sources into /usr/src/linux. To build in this directory will require root access. Note that there are usually two source packages -- one called something like kernel-source-VERSION-i386.rpm and another called kernel-VERSION.src.rpm. You can generally rebuild the src.rpm as an unpriveleged user.

[4]

This is a relative thing. The initrd utility is robust and easy to use. Bootloaders have also improved to the point that little effort is saved by using static kernels. My two cents.

[5]

I have noticed some minor screen corruption when using menuconfig in slightly non-standard terminals. Though it functions normally some of the menu entries may be difficult to read until the screen is refreshed.

[6]

The difference between 'zImage' files and 'bzImage' files is that 'bzImage' uses a different layout and a different loading algorithm, and thus has a larger capacity. Both files use gzip compression. The 'bz' in 'bzImage' stands for 'big zImage', not for 'bzip'!

[7]

At this writing there are some issues with the modules.conf when moving from 2.4 to 2.6 kernels. Some module names have changed which seems to cause glitches with initrd.

[8]

For a long while, I thought that the xmatrix screensaver was crashing my machine because of the numerous core dumps I would discover in my home directory. It turned out that xmatrix was cpu intensive. Unknown to me, the CPU fan on this machine had failed. Everything was fine until xmatrix started, causing the processor to overheat, eventually leading to a crash.

[9]

Jerome Walter offers the following information for PowerPPC plaforms: On a PowerPC (PreP architecture). To make the system bootable, one needs to copy the bzImage file into the special partition (PreP Boot Partition type 41), using dd. Assuming that the so called partition is named /dev/sda1, the command should look like :

			$ dd if=bzImage-you-have-just-done.img of=/dev/sda1

People should be warned that if their partition is too small, the bzImage will not fit, and the boot procedure will fail.

Kwan Lowe

Digital Hermit

kwan@digitalhermit.com

Dedication: To penguin lovers everywhere...

This document, Kernel Build HOWTO, is copyrighted (c) 2004 by Kwan L. Lowe. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html .

Linux is a registered trademark of Linus Torvalds.

loadable kernel module

Loadable Kernel Modules (LKM) allow admins to code to the Linux kernel while it is running. These modules can do lots of things, but they typically are one of three things:

device drivers;
filesystem drivers;
system calls.

The kernel isolates certain functions, including these, especially well so they don't have to be intricately wired into the rest of the kernel.

The Case For Loadable Kernel Modules

You often have a choice between putting a module into the kernel by loading it as an LKM or binding it into the base kernel. LKMs have a lot of advantages over binding into the base kernel and I recommend them wherever
possible.

One advantage is that you don't have to rebuild your kernel as often. This saves you time and spares you the possibility of introducing an error in rebuilding and reinstalling the base kernel. Once you have a working base kernel, it is good to leave it untouched as long as possible.

Another advantage is that LKMs help you diagnose system problems. A bug in a device driver which is bound into the kernel can stop your system from booting at all. And it can be really hard to tell which part of the base kernel caused the trouble. If the same device driver is an LKM, though, the base kernel is up and running before the device driver even gets loaded. If
your system dies after the base kernel is up and running, it's an easy matter to track the problem down to the trouble-making device driver and just not load that device driver until you fix the problem.

LKMs can save you memory, because you have to have them loaded only when you're actually using them. All parts of the base kernel stay loaded all the time. And in real storage, not just virtual storage.

LKMs are much faster to maintain and debug. What would require a full reboot to do with a filesystem driver built into the kernel, you can do with a few quick commands with LKMs. You can try out different parameters or even change the code repeatedly in rapid succession, without waiting for a boot.

LKMs are not slower, by the way, than base kernel modules. Calling either one is simply a branch to the memory location where it resides. [1]

Sometimes you have to build something into the base kernel instead of making it an LKM. Anything that is necessary to get the system up far enough to load LKMs must obviously be built into the base kernel. For example, the driver
for the disk drive that contains the root filesystem must be built into the base kernel.

What LKMs Can't Do

There is a tendency to think of LKMs like user space programs. They do share a lot of their properties, but LKMs are definitely not user space programs. They are part of the kernel. As such, they have free run of the system and can easily crash it.

What LKMs Are Used For

There are six main things LKMs are used for:

* Device drivers. A device driver is designed for a specific piece of hardware. The kernel uses it to communicate with that piece of hardware without having to know any details of how the hardware works. For example, there is a device driver for ATA disk drives. There is one for NE2000 compatible Ethernet cards. To use any device, the kernel must contain a device driver for it.

* Filesystem drivers. A filesystem driver interprets the contents of a filesystem (which is typically the contents of a disk drive) as files and directories and such. There are lots of different ways of storing files and directories and such on disk drives, on network servers, and in other ways. For each way, you need a filesystem driver. For example, there's a filesystem driver for the ext2 filesystem type used almost universally on Linux disk drives. There is one for the MS-DOS filesystem too, and one for NFS.

* System calls. User space programs use system calls to get services from the kernel. For example, there are system calls to read a file, to create a new process, and to shut down the system. Most system calls are integral to the system and very standard, so are always built into the base kernel (no LKM option). But you can invent a system call of your own and install it as an LKM. Or you can decide you don't like the way Linux does something and override an existing system call with an LKM of your own.

* Network drivers. A network driver interprets a network protocol. It feeds and consumes data streams at various layers of the kernel's networking function. For example, if you want an IPX link in your network, you would use the IPX driver.

* TTY line disciplines. These are essentially augmentations of device drivers for terminal devices.

* Executable interpreters. An executable interpreter loads and runs an executable. Linux is designed to be able to run executables in various formats, and each must have its own executable interpreter.

making loadable kernel modules

An LKM lives in a single ELF object file (normally named like "serial.o"). You typically keep all your LKM object files in a particular directory (near your base kernel image makes sense). When you use the insmod program to insert an LKM into the kernel, you give the name of that object file.

For the LKMs that are part of Linux, you build them as part of the same kernel build process that generates the base kernel image. See the README file in the Linux source tree. In short, after you make the base kernel image with a command such as make zImage, you will make all the LKMs with the command

make modules

This results in a bunch of LKM object files (*.o) throughout the Linux source tree. (In older versions of Linux, there would be symbolic links in the modules directory of the Linux source tree pointing to all those LKM object files). These LKMs are ready to load, but you probably want to install them in some appropriate directory. The conventional place is described in Section 5.6. The command make modules_install will copy them all over to the conventional locations.

Part of configuring the Linux kernel (at build time) is choosing which parts of the kernel to bind into the base kernel and which parts to generate as separate LKMs. In the basic question-and-answer configuration (make config), you are asked, for each optional part of the kernel, whether you want it bound into the kernel (a "Y" response), created as an LKM (an "M" response),
or just skipped completely (an "N" response). Other configuration methods are similar.

As explained in Section 2.3, you should have only the bare minimum bound into the base kernel. And only skip completely the parts that you're sure you'll never want. There is very little to lose by building an LKM that you won't use. Some compile time, some disk space, some chance of a problem in the code killing the kernel build. That's it.

As part of the configuration dialog you also must choose whether to use symbol versioning or not. This choice affects building both the base kernel and the LKMs and it is crucial you get it right. See Section 6.

LKMs that are not part of Linux (i.e. not distributed with the Linux kernel) have their own build procedures which I will not cover. The goal of any such procedure, though, is always to end up with an ELF object file.

You don't necessarily have to rebuild all your LKMs and your base kernel image at the same time (e.g. you could build just the base kernel and use LKMs you built earlier with it) but it is always a good idea.

networks

network pages go here...

dns

Introduction.

What this is and isn't.

DNS is the Domain Name System. DNS converts machine names to the IP addresses that all machines on the net have. It translates (or "maps" as the jargon would have it) from name to address and from address to name, and some other things. This HOWTO documents how to define such mappings using Unix system, with a few things specific to Linux.

A mapping is simply an association between two things, in this case a machine name, like ftp.linux.org, and the machine's IP number (or address) 199.249.150.4. DNS also contains mappings the other way, from the IP number to the machine name; this is called a "reverse mapping".

DNS is, to the uninitiated (you ;-), one of the more opaque areas of network administration. Fortunately DNS isn't really that hard. This HOWTO will try to make a few things clearer. It describes how to set up a simple DNS name server, starting with a caching only server and going on to setting up a primary DNS server for a domain. For more complex setups you can check the qanda section of this document. If it's not described there you will need to read the Real Documentation. I'll get back to what this Real Documentation consists of in the last chapter.

Before you start on this you should configure your machine so that you can telnet in and out of it, and successfully make all kinds of connections to the net, and you should especially be able to do telnet 127.0.0.1 and get your own machine (test it now!). You also need good /etc/nsswitch.conf, /etc/resolv.conf and /etc/hosts files as a starting point, since I will not explain their function here. If you don't already have all this set up and working the Networking-HOWTO and/or the Networking-Overview-HOWTO explains how to set it up. Read them.

When I say `your machine' I mean the machine you are trying to set up DNS on, not any other machine you might have that's involved in your networking effort.

I assume you're not behind any kind of firewall that blocks name queries. If you are you will need a special configuration --- see the section on qanda.

Name serving on Unix is done by a program called named. This is a part of the ``BIND'' package which is coordinated by The Internet Software Consortium. Named is included in most Linux distributions and is usually installed as /usr/sbin/named, usually from a package called BIND, in upper or lower case depending on the whim of the packager.

If you have a named you can probably use it; if you don't have one you can get a binary off a Linux ftp site, or get the latest and greatest source from ftp://ftp.isc.org/isc/bind9/. This HOWTO is about BIND version 9. The old versions of the HOWTO, about BIND 4 and 8, is still available at http://langfeldt.net/DNS-HOWTO/ in case you use BIND 4 or 8 (incidentally, you will find this HOWTO there too). If the named man page talks about (at the very end, in the FILES section) named.conf you have BIND 8; if it talks about named.boot you have BIND 4. If you have 4 and are security conscious you really ought to upgrade to the latest version of BIND 8. Now.

DNS is a net-wide database. Take care about what you put into it. If you put junk into it, you, and others, will get junk out of it. Keep your DNS tidy and consistent and you will get good service from it. Learn to use it, admin it, debug it and you will be another good admin keeping the net from falling to its knees by mismanagement.

Tip: Make backup copies of all the files I instruct you to change if you already have them, so that if after going through this nothing works you can get it back to your old, working state.

file management

this book contains information on file management

directory overview

< / >

The root directory. The starting point of your directory structure. This is where the Linux system begins. Every other file and directory on your system is under the root directory. Usually the root directory contains only subdirectories, so it's a bad idea to store single files directly under root.

Don't confuse the root directory with the root user account, root password (which obviously is the root user's password) or root user's home directory.

< /boot >

As the name suggests, this is the place where Linux keeps information that it needs when booting up. For example, this is where the Linux kernel is kept. If you list the contents of /boot, you'll see a file called vmlinuz - that's the kernel.

< /etc >

The configuration files for the Linux system. Most of these files are text files and can be edited by hand. Some interesting stuff in this directory:

/etc/inittab
A text file that describes what processes are started at system bootup and during normal operation. For example, here you can determine if you want the X Window System to start automatically at bootup, and configure what happens when a user presses Ctrl+Alt+Del.

/etc/fstab
This file contains descriptive information about the various file systems and their mount points, like floppies, cdroms, and so on.

/etc/passwd
A file that contains various pieces of information for each user account. This is where the users are defined.

< /bin, /usr/bin >

These two directories contain a lot of programs (binaries, hence the directory's name) for the system. The /bin directory contains the most important programs that the system needs to operate, such as the shells, ls, grep, and other essential things. /usr/bin in turn contains applications for the system's users. However, in some cases it really doesn't make much difference if you put the program in /bin or /usr/bin.

< /sbin, /usr/sbin >

Most system administration programs are stored in these directories. In many cases you must run these programs as the root user.

< /usr >

This directory contains user applications and a variety of other things for them, like their source codes, and pictures, docs, or config files they use. /usr is the largest directory on a Linux system, and some people like to have it on a separate partition. Some interesting stuff in /usr:

/usr/doc
Documentation for the user apps, in many file formats.

/usr/share
Config files and graphics for many user apps.

/usr/src
Source code files for the system's software, including the Linux kernel.

/usr/include
Header files for the C compiler. The header files define structures and constants that are needed for building most standard programs. A subdirectory under /usr/include contains headers for the C++ compiler.

/usr/X11R6
The X Window System and things for it. The subdirectories under /usr/X11R6 may contain some X binaries themselves, as well as documentation, header files, config files, icons, sounds, and other things related to the graphical programs.

< /usr/local >

This is where you install apps and other files for use on the local machine. If your machine is a part of a network, the /usr directory may physically be on another machine and can be shared by many networked Linux workstations. On this kind of a network, the /usr/local directory contains only stuff that is not supposed to be used on many machines and is intended for use at the local machine only.

Most likely your machine isn't a part of a network like this, but it doesn't mean that /usr/local is useless. If you find interesting apps that aren't officially a part of your distro, you should install them in /usr/local. For example, if the app would normally go to /usr/bin but it isn't a part of your distro, you should install it in /usr/local/bin instead. When you keep your own programs away from the programs that are included in your distro, you'll avoid confusion and keep things nice and clean.

< /lib >

The shared libraries for programs that are dynamically linked. The shared libraries are similar to DLL's on Winblows.

< /home >

This is where users keep their personal files. Every user has their own directory under /home, and usually it's the only place where normal users are allowed to write files. You can configure a Linux system so that normal users can't even list the contents of other users' home directories. This means that if your family members have their own user accounts on your Linux system, they won't see all the w4r3z you keep in your home directory. ;-)

< /root >

The superuser's (root's) home directory. Don't confuse this with the root directory (/) of a Linux system.

< /var >

This directory contains variable data that changes constantly when the system is running. Some interesting subdirectories:

/var/log
A directory that contains system log files. They're updated when the system runs, and checking them out can give you valuable info about the health of your system. If something in your system suddenly goes wrong, the log files may contain some info about the situation.

/var/mail
Incoming and outgoing mail is stored in this directory.

/var/spool
This directory holds files that are queued for some process, like printing.

< /tmp >

Programs can write their temporary files here.

< /dev >

The devices that are available to a Linux system. Remember that in Linux, devices are treated like files and you can read and write devices like they were files. For example, /dev/fd0 is your first floppy drive, /dev/cdrom is your CD drive, /dev/hda is the first IDE hard drive, and so on. All the devices that a Linux kernel can understand are located under /dev, and that's why it contains hundreds of entries.

< /mnt >

This directory is used for mount points. The different physical storage devices (like the hard disk drives, floppies, CD-ROM's) must be attached to some directory in the file system tree before they can be accessed. This attaching is called mounting, and the directory where the device is attached is called the mount point.

The /mnt directory contains mount points for different devices, like /mnt/floppy for the floppy drive, /mnt/cdrom for the CD-ROM, and so on. However, you're not forced to use the /mnt directory for this purpose, you can use whatever directory you wish. Actually in some distros, like Debian and SuSE, the default is to use /floppy and /cdrom as mount points instead of directories under /mnt.

< /proc >

This is a special directory. Well, actually /proc is just a virtual directory, because it doesn't exist at all! It contains some info about the kernel itself. There's a bunch of numbered entries that correspond to all processes running on the system, and there are also named entries that permit access to the current configuration of the system. Many of these entries can be viewed.

< /lost+found >

Here Linux keeps the files that it restores after a system crash or when a partition hasn't been unmounted before a system shutdown. This way you can recover files that would otherwise have been lost.

access control lists on fedora

What Are ACLs And Their Purpose

Access control lists (ACLs) are a kernel-level feature of Fedora's default ext3 file system. ACLs provide an important level of flexibility for managing file permissions, that is, who or what has the rights to read, write, or execute a file.

Traditional Linux/UNIX file permissions (read, write, execute) are defined for three classes of users: the file owner, the file group, and others. This means that when a group is granted access to a particular shared resource (document, directory, printer, etc.), the same level of access is granted to all members of a group.

In practice, it is often required that some of the group members have limited or no access to the shared resource, or that the access is granted to other users who are not members of the particular group. In a non-ACL file permissions scheme this requires creation of numerous new groups, which quickly becomes difficult to manage, especially on large systems.

Fedora provides ACL support for ext3, NFS-exported ext3, and ext3 file systems accessed via Samba (which provides CIFS/Microsoft Windows file sharing.)

The most common file manipulation utilities, such as mv, cp, and ls also support ACLs. To preserve ACLs when archiving files, the star utility should be used instead of tar, which does not support ACLs.

There are two types of ACLs:

Access ACL - ACL that controls the level of access to the object (file or directory)
Default ACL - ACL associated with a directory. If set, all objects within a directory inherit the default ACL as their initial access ACL

Each ACL is composed of a set of ACL entries. Each ACL entry specifies access permissions to the object as a combination of read, write, and execute permissions for an individual user or a group.

Using Access Control Lists

There are a few prerequisites to using ACLs:

File system must support ACLs
File system must be mounted with acl option
RPM package acl must be installed

Enabling ACLs on a file system

On a default Fedora installation, file systems are mounted without ACL support. To enable ACLs for a local file system, edit the /etc/fstab file and add the acl option for the desired partition. The entry might look similar to:

LABEL=/data   /data   ext3   rw,acl   1 2

This entry ensures that ACL support is preserved after reboot but reboot is not required to enable ACLs. To accomplish this on an already mounted /data partition run:

su -c '/bin/mount -o remount /data'

Additional parameters are not required when mounting ACL enabled remote Samba shares. If the client accessing an NFS share can read ACLs and the NFS share is exported from an ACL enabled file system, ACLs are utilized by the client.

Setting ACLs and retrieving ACL information

ACLs are controlled by two utilities:

getfacl is used to retrieve ACL information
setfacl is used to set or modify ACL entry

To view ACL information on an object (directory docs) in the /data directory, run:

getfacl /data/docs

The output shows ACL information associated with the docs directory:

getfacl: Removing leading '/' from absolute path names
user::rwx
group::r-x
other::r-x

Since ACLs are not yet set, this information corresponds to common permissions on the /data/docs directory:

ls -dl /data/docs
drwxr-xr-x 5 jerry black 4096 Nov  1 19:57 /data/docs

To set an ACL for an object, run setfacl:

setfacl -m <rules> <object>

The command option -m is used to create or modify an ACL entry. For an object without previously set ACLs, a new ACL entry is created. If an object already has an ACL entry, option -m modifies the existing ACL entry by appending the new ACL entry to the object's ACL.

If using the --set option, all user, group, and others permissions must be defined.
The command option --set is used to create a new ACL or replace all existing ACLs on the object, so it needs a complete definition for the setting.

The <object> is a file or a directory on which an ACL is created

The <rules> are specified per user, per group, using an effective rights mask or for users who are not members of the user group for an object, using one of the following:

u:<uid>:<permissions>: sets the ACL for user; <uid> can be user name or numerical UID; <permissions> are any combination of rwx

g:<gid>:<permissions>: sets the ACL for group; <gid> can be group name or numerical GID; <permissions> are any combination of rwx

m:<permissions>: sets the effective rights mask on the object; <permissions> are any combination of rwx

o:<permissions>: sets the ACL for users who are not members of the object group; <permissions> are any combination of rwx

The effective rights mask is a sum of all permissions of the object group owner and all ACLs set on the object. It represents the actual rights granted to all ACL users and groups on the object and limits their access to the level it specifies. If a user has read and write permission through an ACL but the mask is set to read, the more restrictive permission (read) is in effect. The effective mask does not apply to file owner or file group.

Numerical UID or GID can be specified for a non-existing user or group, respectively. If the actual user or group name is specified, they must exist on the system, otherwise the setfacl command exits with an error.

To specify multiple ACLs on the same line, separate them by commas. Blank spaces are ignored:

setfacl -m u:<uid>:rw,g:<gid>:rx, u:<uid>:r /dir/file

To remove an ACL entry for user, use the -x command option and do not specify any permissions:

setfacl -x u:<uid> /dir/file

To set the default ACL, prefix the rule with a d:

setfacl -m d:g:<gid>:rx /dir

ACL examples

To grant the user carlos read, write, and execute rights on all files in the /data/docs directory, run:

setfacl -R -m u:carlos:rw /data/docs

(i) Use the -R command option to recursively set ACL on all files in /data/docs directory.

To check permissions for the /data/docs directory, run:

ls -dl /data/docs
drwxrwxr-x+ 5 jerry black 4096 Nov  1 19:57 /data/docs

To check modified ACL information for the /data/docs directory, run:

getfacl /data/docs
getfacl: Removing leading '/' from absolute path names
user::rwx
user:carlos:rwx
group::r-x
mask::rwx
other::r-x

Both of the above commands now produce a different output than previously.

The plus sign next to permission bits after the ls command shows that the ACL is now set on the object. Likewise, the getfacl output has two additional entries:

user:carlos:rwx indicates the additional user with the access rights on the object
mask::rwx denotes the effective rights on the object

The setfacl command also accepts input from text files. This is useful if identical long rules must be set for large number of objects. To accomplish this, create a plain text file (rules.txt in the next example) with a rule per line and use the -M command option to set ACL on all html files in a directory /dir:

setfacl -M rules.txt /dir/*.html

The format of the rules.txt file is the same as an output of the getfacl command with the --omit-header option:

getfacl --omit-header /data/etc/conf/script1.cfg

user::rw-
user:jerry:rw-
group::r--
group:black:r-x
mask::rwx
other::r--

This is very useful if the same ACL must be applied to some other files. You can create the rules.txt file by simply redirecting the output of the getfacl command:

getfacl --omit-header /data/etc/conf/script1.cfg > rules.txt

cat rules.txt
user::rw-
user:jerry:rw-
roup::r--
group:black:r-x
mask::rwx
other::r--

Copying And Archiving ACLs

Common file utilities mv and cp on Fedora support ACLs. Archiving tools such as tar and dump do not have support for ACLs and the star utility should be used to preserve ACLs while archiving files.

Copying And Moving ACLs

To copy the file or directory while preserving ACLs, use the -p or -a command option:

cp -p /dir1/file1 /dirx/file2

The /dirx directory must reside on a partition mounted with the acl option to copy the ACL of file1 to file2.

cp -a /dir1/dir2 /dirx/dir3

The /dirx directory must reside on a partition mounted with the acl option to copy the ACLs of dir2 to dir3.

The mv command always transfers ACLs, without any extra command options, if the destination file system is ACL enabled. If not, it transfers the files and issues a warning about the inability to preserve ACLs.

Archiving ACLs

To archive the files or directories while preserving ACLs, use the star command with the -acl option:

star -c -acl file=archive.star /data

This creates the backup.star archive of /data directory with preserved ACLs.

To restore the star archive and ACLs, run star with the -acl command option:

star -x -acl file=backup.star

This extracts the backup.star archive into current directory with preserved ACLs. The target filesystem being extracted to must support ACLs for this to work.

Additional Information

Related web sites

ACLs web site:

Related manuals

For more information on ACLs and associated utilities, read the following manual pages:

man acl
man getfacl
man setfacl
man star

fstab manpage

fstab stand's for File System TABle. It is where the system administrator can tell the OS about any filesystems the machine may have access to. It also allows default parameters to be provided for each filesystem.

A typical fstab looks something like the following:

#
# /etc/fstab
#
# <device>      <mountpoint>    <filesystemtype><options>  <dump> <fsckorder>

/dev/hdb5	/               ext2     	defaults       	1 	1
/dev/hdb2	/home        	ext2     	defaults       	1 	2
/dev/hdc	/mnt/cdrom   	iso9660  	noauto,ro,user 	0 	0
/dev/hda1	/mnt/dos/c   	msdos    	defaults       	0 	0
/dev/hdb1	/mnt/dos/d   	msdos    	defaults       	0 	0
/dev/fd0	/mnt/floppy  	ext2     	noauto,user    	0 	0
/dev/hdb4	none         	ignore   	defaults       	0 	0

none     	/proc        	proc     	defaults
/dev/hdb3	none         	swap     	sw

Note that this system has two IDE partitions, one which is used as /, and the other used as /home. It also has two DOS partitions which are mounted under /mnt. Note the user option provided for the cdrom, and the floppy drive. This is one of the many default parameters you can specify. In this case it means that any user can mount a cdrom, or floppy disk. Other options will be dealt with later.

fstab consists of a number of lines (one for each filesystem) seperated into six fields. Each field is seperated from the next by whitespace (spaces/tabs).

So from the example given previously:

/dev/hdc	/mnt/cdrom   	iso9660  	noauto,ro,user 	0 	0

The first field (/dev/hdc) is the physical device/remote filesystem which is to be described.

The second field (/mnt/cdrom) specifies the mount point where the filesystem will be mounted.

The third field (iso9660) is the type of filesystem on the device from the first field.

The fourth field (noauto,ro,user) is a (default) list of options which mount should use when mounting the filesystem.

The fifth field (0) is used by dump (a backup utility) to decide if a filesystem should be backed up. If zero then dump will ignore that filesystem. The sixth field (0) is used by fsck (the filesystem check utility) to determine the order in which filesystems should be checked.
If zero then fsck won't check the filesystem.
(as the example line above is a cdrom there is very little point in doing a fsck on it, so the value is zero).

lvm manpage

LVM(8) LVM(8)

NAME

lvm - LVM2 tools

SYNOPSIS

lvm [command | file]

DESCRIPTION

lvm provides the command-line tools for LVM2. A separate manual page
describes each command in detail.

If lvm is invoked with no arguments it presents a readline prompt
(assuming it was compiled with readline support). LVM commands may be
entered interactively at this prompt with readline facilities including
history and command name and option completion. Refer to readline(3)
for details.

If lvm is invoked with argv[0] set to the name of a specific LVM com‐
mand (for example by using a hard or soft link) it acts as that com‐
mand.

Where commands take VG or LV names as arguments, the full path name is
optional. An LV called "lvol0" in a VG called "vg0" can be specified
as "vg0/lvol0". Where a list of VGs is required but is left empty, a
list of all VGs will be substituted. Where a list of LVs is required
but a VG is given, a list of all the LVs in that VG will be substi‐
tuted. So "lvdisplay vg0" will display all the LVs in "vg0". Tags can
also be used - see addtag below.

One advantage of using the built-in shell is that configuration infor‐
mation gets cached internally between commands.

A file containing a simple script with one command per line can also be
given on the command line. The script can also be executed directly if
the first line is #! followed by the absolute path of lvm.

BUILT-IN COMMANDS

The following commands are built into lvm without links normally being
created in the filesystem for them.

dumpconfig — Display the configuration information after
loading lvm.conf (5) and any other configuration files.

formats — Display recognised metadata formats.

help — Display the help text.

pvdata — Not implemented in LVM2.

segtypes — Display recognised logical volume segment types.

version — Display version information.

COMMANDS

The following commands implement the core LVM functionality.

pvchange — Change attributes of a physical volume.

pvck — Check physical volume metadata.

pvcreate — Initialize a disk or partition for use by LVM.

pvdisplay — Display attributes of a physical volume.

pvmove — Move physical extents.

pvremove — Remove a physical volume.

pvresize — Resize a disk or partition in use by LVM2.

pvs — Report information about physical volumes.

pvscan — Scan all disks for physical volumes.

vgcfgbackup — Backup volume group descriptor area.

vgcfgrestore — Restore volume group descriptor area.

vgchange — Change attributes of a volume group.

vgck — Check volume group metadata.

vgconvert — Convert volume group metadata format.

vgcreate — Create a volume group.

vgdisplay — Display attributes of volume groups.

vgexport — Make volume groups unknown to the system.

vgextend — Add physical volumes to a volume group.

vgimport — Make exported volume groups known to the system.

vgmerge — Merge two volume groups.

vgmknodes — Recreate volume group directory and logical volume special
files

vgreduce — Reduce a volume group by removing one or more physical vol‐
umes.

vgremove — Remove a volume group.

vgrename — Rename a volume group.

vgs — Report information about volume groups.

vgscan — Scan all disks for volume groups and rebuild caches.

vgsplit — Split a volume group into two, moving any logical volumes
from one volume group to another by moving entire physical volumes.

lvchange — Change attributes of a logical volume.

lvconvert — Convert a logical volume from linear to mirror or snapshot.

lvcreate — Create a logical volume in an existing volume group.

lvdisplay — Display attributes of a logical volume.

lvextend — Extend the size of a logical volume.

lvmchange — Change attributes of the logical volume manager.

lvmdiskscan — Scan for all devices visible to LVM2.

lvmdump — Create lvm2 information dumps for diagnostic purposes.

lvreduce — Reduce the size of a logical volume.

lvremove — Remove a logical volume.

lvrename — Rename a logical volume.

lvresize — Resize a logical volume.

lvs — Report information about logical volumes.

lvscan — Scan (all disks) for logical volumes.

The following commands are not implemented in LVM2 but might be in the
future: lvmsadc, lvmsar, pvdata.

OPTIONS

The following options are available for many of the commands. They are
implemented generically and documented here rather than repeated on
individual manual pages.

-h | --help — Display the help text.

--version — Display version information.

-v | --verbose — Set verbose level.
Repeat from 1 to 3 times to increase the detail of messages sent
to stdout and stderr. Overrides config file setting.

-d | --debug — Set debug level.
Repeat from 1 to 6 times to increase the detail of messages sent
to the log file and/or syslog (if configured). Overrides config
file setting.

--quiet — Suppress output and log messages.
Overrides -d and -v.

-t | --test — Run in test mode.
Commands will not update metadata. This is implemented by dis‐
abling all metadata writing but nevertheless returning success
to the calling function. This may lead to unusual error mes‐
sages in multi-stage operations if a tool relies on reading back
metadata it believes has changed but hasn’t.

--driverloaded { y | n }
Whether or not the device-mapper kernel driver is loaded. If
you set this to n, no attempt will be made to contact the
driver.

-A | --autobackup { y | n }
Whether or not to metadata should be backed up automatically
after a change. You are strongly advised not to disable this!
See vgcfgbackup (8).

-P | --partial
When set, the tools will do their best to provide access to vol‐
ume groups that are only partially available. Where part of a
logical volume is missing, /dev/ioerror will be substituted, and
you could use dmsetup (8) to set this up to return I/O errors
when accessed, or create it as a large block device of nulls.
Metadata may not be changed with this option. To insert a
replacement physical volume of the same or large size use pvcre‐
ate -u to set the uuid to match the original followed by vgcf‐
grestore (8).

-M | --metadatatype type
Specifies which type of on-disk metadata to use, such as lvm1 or
lvm2, which can be abbreviated to 1 or 2 respectively. The
default (lvm2) can be changed by setting format in the global
section of the config file.

--ignorelockingfailure
This lets you proceed with read-only metadata operations such as
lvchange -ay and vgchange -ay even if the locking module fails.
One use for this is in a system init script if the lock direc‐
tory is mounted read-only when the script runs.

--addtag tag
Add the tag tag to a PV, VG or LV. A tag is a word that can be
used to group LVM2 objects of the same type together. Tags can
be given on the command line in place of PV, VG or LV arguments.
Tags should be prefixed with @ to avoid ambiguity. Each tag is
expanded by replacing it with all objects possessing that tag
which are of the type expected by its position on the command
line. PVs can only possess tags while they are part of a Volume
Group: PV tags are discarded if the PV is removed from the VG.
As an example, you could tag some LVs as database and others as
userdata and then activate the database ones with lvchange -ay
@database. Objects can possess multiple tags simultaneously.
Only the new LVM2 metadata format supports tagging: objects
using the LVM1 metadata format cannot be tagged because the on-
disk format does not support it. Snapshots cannot be tagged.
Characters allowed in tags are: A-Z a-z 0-9 _ + . -

--deltag tag
Delete the tag tag from a PV, VG or LV, if it’s present.

--alloc AllocationPolicy
The allocation policy to use: contiguous, cling, normal, any‐
where or inherit. When a command needs to allocate physical
extents from the volume group, the allocation policy controls
how they are chosen. Each volume group and logical volume has
an allocation policy. The default for a volume group is normal
which applies common-sense rules such as not placing parallel
stripes on the same physical volume. The default for a logical
volume is inherit which applies the same policy as for the vol‐
ume group. These policies can be changed using lvchange (8) and
vgchange (8) or over-ridden on the command line of any command
that performs allocation. The contiguous policy requires that
new extents be placed adjacent to existing extents. The cling
policy places new extents on the same physical volume as exist‐
ing extents in the same stripe of the Logical Volume. If there
are sufficient free extents to satisfy an allocation request but
normal doesn’t use them, anywhere will - even if that reduces
performance by placing two stripes on the same physical volume.

N.B. The policies described above are not implemented fully yet.
In particular, contiguous free space cannot be broken up to sat‐
isfy allocation attempts.

ENVIRONMENT VARIABLES

LVM_SYSTEM_DIR
Directory containing lvm.conf and other LVM system files.
Defaults to "/etc/lvm".

HOME Directory containing .lvm_history if the internal readline shell
is invoked.

LVM_VG_NAME
The volume group name that is assumed for any reference to a
logical volume that doesn’t specify a path. Not set by default.

VALID NAMES

The following characters are valid for VG and LV names: a-z A-Z 0-9 + _
. -

VG and LV names cannot begin with a hyphen. There are also various
reserved names that are used internally by lvm that can not be used as
LV or VG names. A VG cannot be called anything that exists in /dev/ at
the time of creation, nor can it be called ’.’ or ’..’. A LV cannot be
called ’.’ ’..’ ’snapshot’ or ’pvmove’. The LV name may also not con‐
tain the strings ’_mlog’ or ’_mimage’

DIAGNOSTICS

All tools return a status code of zero on success or non-zero on fail‐
ure.

FILES

/etc/lvm/lvm.conf
$HOME/.lvm_history

lvm commands

Initializing disks or disk partitions

To use LVM, partitions and whole disks must first be converted into physical volumes (PVs) using the command. For example, to convert pvcreate/dev/hda and /dev/hdb into PVs use the following commands:

pvcreate /dev/hda
pvcreate /dev/hdb

If a Linux partition is to be converted make sure that it is given partition type 0x8E using fdisk, then use pvcreate:

pvcreate /dev/hda1

Creating a volume group

Once you have one or more physical volumes created, you can create a volume group from these PVs using the vgcreate command. The following command:

vgcreate  volume_group_one /dev/hda /dev/hdb

creates a new VG called volume_group_one with two disks, /dev/hda and /dev/hdb, and 4 MB PEs. If both /dev/hda and /dev/hdb are 128 GB in size, then the VG volume_group_one will have a total of 2**16 physical extents that can be allocated to logical volumes.

Additional PVs can be added to this volume group using the vgextend command. The following commands convert /dev/hdc into a PV and then adds that PV to volume_group_one:

pvcreate /dev/hdc
vgextend volume_group_one /dev/hdc

This same PV can be removed from volume_group_one by the vgreduce command:

vgreduce volume_group_one /dev/hdc

Note that any logical volumes using physical extents from PV /dev/hdc will be removed as well. This raises the issue of how we create an LV within a volume group in the first place.

Creating a logical volume

We use the lvcreate command to create a new logical volume using the free physical extents in the VG pool. Continuing our example using VG volume_group_one (with two PVs /dev/hda and /dev/hdb and a total capacity of 256 GB), we could allocate nearly all the PEs in the volume group to a single linear LV called logical_volume_one with the following LVM command:

lvcreate -n logical_volume_one   --size 255G volume_group_one

Instead of specifying the LV size in GB we could also specify it in terms of logical extents. First we use vgdisplay to determine the number of PEs in the volume_group_one:

vgdisplay volume_group_one | grep "Total PE"

which returns

Total PE   65536

Then the following lvcreate command will create a logical volume with 65536 logical extents and fill the volume group completely:

lvcreate -n logical_volume_one  -l 65536 volume_group_one

To create a 1500MB linear LV named logical_volume_one and its block device special file /dev/volume_group_one/logical_volume_one use the following command:

lvcreate -L1500 -n logical_volume_one volume_group_one

The lvcreate command uses linear mappings by default.

Striped mappings can also be created with lvcreate. For example, to create a 255 GB large logical volume with two stripes and stripe size of 4 KB the following command can be used:

lvcreate -i2 -I4 --size 255G -n logical_volume_one_striped volume_group_one

It is possible to allocate a logical volume from a specific physical volume in the VG by specifying the PV or PVs at the end of the lvcreate command. If you want the logical volume to be allocated from a specific physical volume in the volume group, specify the PV or PVs at the end of the lvcreate command line. For example, this command:

lvcreate -i2 -I4 -L128G -n logical_volume_one_striped volume_group_one /dev/hda /dev/hdb

creates a striped LV named logical_volume_one that is striped across two PVs (/dev/hda and /dev/hdb) with stripe size 4 KB and 128 GB in size.

An LV can be removed from a VG through the lvremove command, but first the LV must be unmounted:

umount /dev/volume_group_one/logical_volume_one
lvremove /dev/volume_group_one/logical_volume_one

Note that LVM volume groups and underlying logical volumes are included in the device special file directory tree in the /dev directory with the following layout:

/dev// 
so that if we had two volume groups myvg1 and myvg2 and each with three logical volumes named lv01, lv02, lv03, six device special files would be created:

/dev/myvg1/lv01
/dev/myvg1/lv02
/dev/myvg1/lv03
/dev/myvg2/lv01
/dev/myvg2/lv02
/dev/myvg2/lv03

Extending a logical volume

An LV can be extended by using the lvextend command. You can specify either an absolute size for the extended LV or how much additional storage you want to add to the LVM. For example:

lvextend -L120G /dev/myvg/homevol

will extend LV /dev/myvg/homevol to 12 GB, while

lvextend -L+10G /dev/myvg/homevol

will extend LV /dev/myvg/homevol by an additional 10 GB. Once a logical volume has been extended, the underlying file system can be expanded to exploit the additional storage now available on the LV. With Red Hat Enterprise Linux 4, it is possible to expand both the ext3fs and GFS file systems online, without bringing the system down. (The ext3 file system can be shrunk or expanded offline using the ext2resize command.) To resize ext3fs, the following command

ext2online /dev/myvg/homevol

will extend the ext3 file system to completely fill the LV, /dev/myvg/homevol, on which it resides.

The file system specified by device (partition, loop device, or logical volume) or mount point must currently be mounted, and it will be enlarged to fill the device, by default. If an optional size parameter is specified, then this size will be used instead.

Differences between LVM1 and LVM2

The new release of LVM, LVM 2, is available only on Red Hat Enterprise Linux 4 and later kernels. It is upwardly compatible with LVM 1 and retains the same command line interface structure. However it uses a new, more scalable and resilient metadata structure that allows for transactional metadata updates (that allow quick recovery after server failures), very large numbers of devices, and clustering. For Enterprise Linux servers deployed in mission-critical environments that require high availability, LVM2 is the right choice for Linux volume management. Table 1. A comparison of LVM 1 and LVM 2 summarizes the differences between LVM1 and LVM2 in features, kernel support, and other areas.

Features	LVM1	LVM2
RHEL AS 2.1 support	No	No
RHEL 3 support	Yes	No
RHEL 4 support	No	Yes
Transactional metadata for fast recovery	No	Yes
Shared volume mounts with GFS	No	Yes
Cluster Suite failover supported	Yes	Yes
Striped volume expansion	No	Yes
Max number PVs, LVs	256 PVs, 256 LVs	232 PVs, 232 LVs
Max device size	2 Terabytes	8 Exabytes (64-bit CPUs)
Volume mirroring support	No	Yes, in Fall 2005

Table 1. A comparison of LVM 1 and LVM 2

lvm -help

dumpconfig- Dump active configuration
formats- List available metadata formats
help--Display help for commands
lvchange- Change the attributes of logical volume(s)
lvconvert- Change logical volume layout
lvcreate- Create a logical volume
lvdisplay- Display information about a logical volume
lvextend- Add space to a logical volume
lvmchange- With the device mapper, this is obsolete and does nothing.
lvmdiskscan-List devices that may be used as physical volumes
lvmsadc- Collect activity data
lvmsar- Create activity report
lvreduce- Reduce the size of a logical volume
lvremove- Remove logical volume(s) from the system
lvrename- Rename a logical volume
lvresize- Resize a logical volume
lvs-- Display information about logical volumes
lvscan- List all logical volumes in all volume groups
pvchange- Change attributes of physical volume(s)
pvresize- Resize physical volume(s)
pvck--Check the consistency of physical volume(s)
pvcreate- Initialize physical volume(s) for use by LVM
pvdata- Display the on-disk metadata for physical volume(s)
pvdisplay- Display various attributes of physical volume(s)
pvmove- Move extents from one physical volume to another
pvremove- Remove LVM label(s) from physical volume(s)
pvs-- Display information about physical volumes
pvscan- List all physical volumes
segtypes- List available segment types
vgcfgbackup-Backup volume group configuration(s)
vgcfgrestore Restore volume group configuration
vgchange- Change volume group attributes
vgck--Check the consistency of volume group(s)
vgconvert- Change volume group metadata format
vgcreate- Create a volume group
vgdisplay- Display volume group information
vgexport- Unregister volume group(s) from the system
vgextend- Add physical volumes to a volume group
vgimport- Register exported volume group with system
vgmerge- Merge volume groups
vgmknodes- Create the special files for volume group devices in /dev
vgreduce- Remove physical volume(s) from a volume group
vgremove- Remove volume group(s)
vgrename- Rename a volume group
vgs-- Display information about volume groups
vgscan- Search for all volume groups
vgsplit- Move physical volumes into a new or existing volume group
version- Display software and driver version information

cryptsetup-luks on fedora

Take a Fedora Core 5 system and encrypt (using dm-crypt and LUKS) the partition that gets mounted on /home.

Note that /home needs to be on its own partition, not on the / partition. Also, in words similar to those from night-shade, I have tested this with LVM2 devices containing nothing important. It worked for me but you are advised to have current working backups if the data matters to you. Because we are dealing with the /home partition, these instructions will also explain how to ensure that the /home partition is mounted during a boot.

Step 0: Log on as root

Because you will need to unmount /home, you must log on as root rather than su to root from an unpriveledged user account.

-=Step 1: Backup /home Presumably you would like to return to the same Home environment that you started with before you encrypted your /home partition. Therefore, you need to backup the contents of /home. (Be aware that these instructions will not necessary restore your Home environment EXACTLY as it was before you encrypted /home. Please read all of these instructions before proceeding, so that you are sure that this solution will work for you.) In this HOWTO, we will assume there is only one unpriveledged user (jmaher) on the system, so only /home/jmaher needs to be backed up. One way to back up this folder is to use the following commands:

# mkdir /root/jmaher
# /bin/cp -a /home/jmaher/.* /root/jmaher

The -a option is for archiving files and directories. It uses recursion and preserves the permissions of the files and directories.

cryptsetup-luks on fedora: step 2, 3

cryptsetup-luks on fedora: step 2, 3

Remove the user whose Home directory we just backed up
We will be recreating the unpriviledged user (jmaher) after we have encrypted and re-mounted our /home directory, so we should clean things up first and remove that account:
# userdel jmaher

Step 3: Get the correct cryptsetup version

You need the version of cryptsetup with luks enabled. You can determine if the correct version of cryptsetup is install using the command:

# cryptsetup --help

You should see "cryptsetup-luks" displayed near the top of the output.
If you do not have cryptsetup, you can install it using yum (assuming yum has been properly configured):

# yum -y install cryptsetup-luks

The -y option will assume that the answer is yes to any question that would be presented during the execution of yum.

cryptsetup-luks on fedora: step 4

cryptsetup-luks on fedora: step 4

Step 4a: (Optional) Check the hard disk for errors and fill it with random data.

(Much of the following was shamelessly lifted from William Owen Smith's HOWTO: EncryptedDeviceUsingLUKS.)

It's probably a good idea to check for errors on the partition where /home will be mounted. Not only is this good practice, but modern hard disks contain a few 'spare' sectors, and if they detect errors in reading, they can silently replace the bad sector with a backup sector (this is invisible to the OS). So writing and reading the entire disk before you start should allow this to happen.

We will now use the information in /etc/fstab to determine the partition that is currently mounted on /home. (This partition may be represented as a logical volume, as it is in the example below.) You should see a line in /etc/fstab that is similar to the following:

/dev/vg0/home /home ext3 defaults 1 2

The above line indicates that partition /dev/vg0/home, which is actually a logical volume, is currently mounted on /home. We will use this partition as our physical device. We need to unmount this device in order the proceed with the next steps:

# umount /home

It's good to fill an encrypted disk with initial random data. This makes breaking the passphrase so much harder. The below method is sufficient for a casual attack but is not 'random enough' to defeat sophisticated cryptographers. If you need protection against sophisticated cryptanaylsis, use the '/dev/urandom' method shown in Step 4b.

The following command will perform a disk check and fill the disk with random data at the same time. Read the man page for more details on this command:

# /sbin/badblocks -c 10240 -s -w -t random -v /dev/vg0/home
(wait several hours...)
Checking for bad blocks in read-write mode
From block 0 to 295360984
done
Reading and comparing: done
Pass completed, 0 bad blocks found.
#

The -c option will test 10,240 blocks at a time. The -s option will show the progress of the scan by writing out the block numbers as they are checked. The -w option scans for bad blocks by writing some patterns (0xaa, 0x55, 0xff, 0x00) on every block of the device, reading every block and comparing the contents. The -t options specifies that each scanned block should be filled with a random bit pattern. The -v option indicates verbose mode. The physical device (logical volume) is /dev/vg0/home.

This will take some time. On William Owen Smith's USB-attached 300Gb disk it took around 8 hours. Phase 1 will write random data to the disk, phase 2 will read it back and verify it.

Step 4b: (Optional) Fill the disk with random data

If you didn't do Step 4a (or you left out the -t random option), do Step 4b. This will take a long time, because generating good quality random data is very CPU intensive. However, this method is 'more random' (and more secure) than the primitive random number generator included in 'badblocks', above.

One minor advantage to the method in Step xa above is that it has a progress indicator, while "dd" only shows its progress when a USR1 signal is sent to it ("kill -USR1 `pidof dd`").

# dd if=/dev/urandom of=/dev/vg0/home
(wait several hours...)

cryptsetup-luks on fedora: step 5, 6

cryptsetup-luks on fedora: step 5, 6

Step 5: Initialize a LUKS partition and set the initial key

This step establishes the mapping between physical partitions and logical partitions.

In this HOWTO, our physical partition will actually be a logical volume. By default, when installing Fedora Core 5, a volume group and logical volumes within the volume group are created. The volume group is called VolGroup00?, and the logical volumes are called LogVol00?, LogVol01?, etc, for each of the partitions. However, in this HOWTO, our volume group will be called vg0, and our logical volume that will eventually get mounted to /home will be called home. So, the full path of the physical partition that will be mounted on /home (when we are done) is /dev/vg0/home. (Your device path will likely be different, but you need to identify the device that is currently mounted to /home.)

With that said, let's use the following command to initialize a LUKS partition and set the initial key using a passphrase (note, this will wipe out all data on the /home partition):

# cryptsetup --verbose --verify-passphrase luksFormat /dev/vg0/home

WARNING!
========
This will overwrite data on /dev/vg0/home irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: (enter your passphrase, and write it down somewhere!)
Verify passphrase: (repeat passphrase)

Step 6: Create a mapping between physical and logical partitions

# cryptsetup luksOpen /dev/vg0/home home
Enter LUKS passphrase:
#

If all is well, you now have a special file called /dev/mapper/home. This is what you will mount on /home. Verify that the file was created:

# ls -l /dev/mapper/

total 0
crw------- 1 root root 10, 63 May 24 06:52 control
brw-rw---- 1 root disk 253, 4 May 24 10:54 home
brw-rw---- 1 root disk 253, 1 May 24 06:52 vg0-home
brw-rw---- 1 root disk 253, 0 May 24 10:53 vg0-root
brw-rw---- 1 root disk 253, 2 May 24 06:52 vg0-swap

Notice the other logical volumes (vg0-home, vg0-root, and vg0-swap) that were created when Fedora Core 5 was installed. (Note, the names of these volumes were changed by me during the installation. The were originally VolGroup00-LogVol00?, VolGroup00-LogVol01?, etc.) The fact that you are using logical volumes (like /dev/vg0/home) as physical devices can be confusing. It may help to remember that when we refer to physical devices we use devices located in the volume group directory (example: /dev/vg0), and when we refer to logical devices we use devices located in /dev/mapper (i.e., they have been mapped are are ready to use). (Okay, yes, it's confusing that the physical devices in /dev/vg0 are also listed as logical devices in /dev/mapper. Try to ignore them.)

cryptsetup-luks on fedora: step 7, 8

cryptsetup-luks on fedora: step 7, 8

Step 7: Create a filesystem on the new logical partition

For this HOWTO, we make an ext3 file system on /dev/mapper/home using the following commands:

# /sbin/mkfs.ext3 -j -m 1 /dev/mapper/home

(wait several minutes...)
mke2fs 1.35 (28-Feb-2004)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
36634624 inodes, 73258400 blocks
732584 blocks (1.00%) reserved for the super user
First data block=0
2236 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616

Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
#

(Note, the above output was borrowed from William Owen Smith's HOWTO: "EncryptedDeviceUsingLUKS".)

Step 8: Mount the filesystem

Mount your new logical device /dev/mapper/home to /home.

# mount /dev/mapper/home /home

View the file system's disk usage to verify that it worked:

# df -h /dev/mapper/home
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/home 4.0G 80M 3.8G 3% /home

cryptsetup-luks on fedora: step 9, 10

cryptsetup-luks on fedora: step 9, 10

Step 9: Restore the user's Home directory

Re-create the unpriviledged user:

# useradd -m jmaher
# passwd jmaher
Changing password for user jmaher.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
#

The -m option create's the user's home directory using the files and directories in /etc/skel as a template.

Now we need to copy MOST of the user's backed-up files back to the user's Home directory. I say MOST because I have found that copying all of the files back to the user's Home directory will break the use of the Home directory for that user. I have not investigated this, so someone else may want to comment as to the reason for this. Basically, I found it safe to copy all non-hidden files and directories back to the /home/jmaher using the following command:

# /bin/cp -r --preserve /root/jmaher/* /home/jmaher

The -r options allows recursion of subdirectories to occur, and the --preserve option preserves permissions and ownership of the files and directories.

I would recommend selectively copying hidden files and directories for those applications you find most important. For example, I really wanted my Thunderbird, Firefox, and ssh settings to be restored, so I used the following commands:

# /bin/cp -r --preserve /root/jmaher/.thunderbird /home/jmaher
# /bin/cp -r --preserve /root/jmaher/.mozilla /home/jmaher
# /bin/cp -r --preserve /root/jmaher/.ssh /home/jmaher

If you had previously modified .bashrc, .bash_profile, or .bash_logout, then you may want to copy those files as well.

Don't reboot yet, but you should now be able to test your actions and log on as the unpriviledged user (jmaher) using the following command:

# su - jmaher

After confirming that you can log on as the unpriviledged user without errors indicating that the user's environment in /home is missing, log off as the unpriviledged user to return to root.

# logout

Step 10: Modify /etc/fstab

Some aspects of the boot sequence need to be changed, because the physical volume (/dev/vg0/home) that gets mounted to /home is encrypted and is no longer a recognizable file system as far as /bin/mount is concerned. Of course, if cryptsetup is used to open the device (using the command cryptsetup luksOpen /dev/vg0/home), then /bin/mount could see that the device has an ext3 file system, and the device can be mounted.

So here are the steps to do that.

Change the line in /etc/fstab that mounted the Home directory so that:
(a) the first field refers to /dev/mapper/home rather than /dev/vg0/home
(b) the fifth field no longer indicates that this device should be accessed by the dump command
(c) the six field no longer indicates that fsck should check this device at boot time.

In short, change the line that looks similar to this:

/dev/vg0/home /home ext3 defaults 1 2

and change it to this:

/dev/mapper/home /home ext3 defaults 0 0

cryptsetup-luks on fedora: step 11, 12 & 13

cryptsetup-luks on fedora: step 11, 12 & 13

Step 11: Create and modify luksopen script

Copy the wonderful script called luksopen (created by embro and modified by johnny) from http://www.saout.de/tikiwiki/tiki-index.php?page=luksopen, and paste it into a new file called /sbin/luksopen.

Modify the script as follows:

a. Change devArray variable from:
devArray=(/dev/hda7 /dev/hda10 /dev/hda11 /dev/hda13)
to:
devArray=(/dev/vg0/home)
(Remember, this is the physical device used for /home. Yours is probably different.)

b. Delete the entire mapArray variable line

c. Change mntArray variable from:
mntArray=(/tmp /mnt/bergen /mnt/trondheim /mnt/oslo)
to:
mntArray=(/home)

d. Replace the line that reads:
map=${mapArray[$i]}
with:
# assign last directory name of device name to $map variable
map_elements=`echo ${devArray[$i]} | sed -e 's/^\///' -e 's/\// /g'`
for e in $map_elements ; do map=$e ; done

e. Add ' answer' (no quotes) to the following line:
read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): "
so that it looks like this:
read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): " answer

f. Delete (or comment out) the three lines at the bottom of the script that immediately preceed the final 'done' command. So, if you choose to comment out those lines, they would look like this:
#if $j -le 0 || ! mount "/dev/mapper/$map" "$mnt" ; then
# echo "Failed to mount \"/dev/mapper/$map\" on \"$mnt\"" >&2
#fi

Step 12: Edit /etc/rc.d/rc.sysinit

During a boot, we now need to open (unlock) our encrypted partition (/dev/vg0/home) and map it to our logical volume (/dev/mapper/home) before the logical volume can be mounted on /home. Because we would like to have /home mounted during the boot (so we can log on as an unpriviledged user), we need to be prompted for the LUKS passphrase (established in Step 5) before any attempts are made to mount /dev/mapper/home to /home (as configured in /etc/fstab).

Now, one could assume that simply adding /sbin/luksopen to /etc/rc.d/rc.local would result in the necessary prompting for the LUKS passphrase; however, when booting to runlevel 5 I have experienced problems getting prompted. Therefore, modifying /etc/rc.d/rc.sysinit as follows will solve the prompting problem.

Modify /etc/rc.d/rc.sysinit to incude the following code . . .

# Run /sbin/luksopen to use cryptsetup to map /dev/vg0/home to /dev/mapper/home.
if -x /sbin/luksopen ; then
/sbin/luksopen
fi

. . . immediately before the code where /usr/bin/rhgb is called. In Fedora Core 5 you can place the above code immediately before the comment line that reads:

# Start the graphical boot, if necessary; /usr may not be mounted yet, so we
# may have to do this again after mounting

Step 13: REBOOT

What You Can Expect

The boot process will be essentially the same as before, but this time you will be prompted with the following text shortly after the boot begins:

Next device in list is /dev/vg0/home. Do you want to open and mount it? (y/N):

You need to type y <ENTER>, and you will then be prompted to enter your passphrase. If you enter your passphrase correctly, the device (/dev/vg0/home) that you encrypted and mapped in Steps 5 and 6 above will be mapped to /dev/mapper/home and mounted to /home. The boot process will complete, and you can log on as your unpriviledged user (jmaher).

(Written by John Maher, 24 May 2006)

cryptsetup-luks on fedora: 1 page

Take a Fedora Core 5 system and encrypt (using dm-crypt and LUKS) the partition that gets mounted on /home. Note that /home needs to be on its own partition, not on the / partition. Also, in words similar to those from night-shade, I have tested this with LVM2 devices containing nothing important. It worked for me but you are advised to have current working backups if the data matters to you. Because we are dealing with the /home partition, these instructions will also explain how to ensure that the /home partition is mounted during a boot.

Step 0: Log on as root

Because you will need to unmount /home, you must log on as root rather than su to root from an unpriveledged user account.

# mkdir /root/jmaher
# /bin/cp -a /home/jmaher/.* /root/jmaher

The -a option is for archiving files and directories. It uses recursion and preserves the permissions of the files and directories.

Step 2: Remove the user whose Home directory we just backed up

We will be recreating the unpriviledged user (jmaher) after we have encrypted and re-mounted our /home directory, so we should clean things up first and remove that account:

# userdel jmaher

Step 3: Get the correct cryptsetup version

You need the version of cryptsetup with luks enabled. You can determine if the correct version of cryptsetup is install using the command:

# cryptsetup --help

You should see "cryptsetup-luks" displayed near the top of the output.

If you do not have cryptsetup, you can install it using yum (assuming yum has been properly configured):

# yum -y install cryptsetup-luks

The -y option will assume that the answer is yes to any question that would be presented during the execution of yum.