though addressing vserver kernel patching, this gets pretty debian/ubuntu distribution specific, so in advance i apologize to (and warn) all other distribution users on the mailing list.
On Tue, 28 Mar 2006 07:58:03 +0200
Tom Coetser <subs@icave.net> wrote:
> As a matter of interest, how do you use the ubuntu kernels with vserver
> patches on your sarge box? Do you add the ubuntu repositories to
> sources.list and install the ubuntu kernel source of choice?
nope; that would require pinning a single package, and i only pin repositories (as that's difficult enough for me to get right). i either search packages.ubuntu.com or, if a security update, download the linux-source package at the url listed in the email. and i download the appropriate linux-image package to get the config file. i don't install a single one of those packages, but extract from them only the file(s) that i want using midnight commander and it's virtual filesystem feature.
> - which
> vserver patches do you use then? those from the ubuntu vserver-patch
> package or directly from Herbert?
directly from http://vserver.13thfloor.at/Experimental/. as far as i know, the ubuntu kernel-patch-vserver is a straight rebuild of the debian one, and the debian ones are directly from Herbert (i believe; though if customized, i would expect them to be specific to a debian kernel source package, which we are not using, though probably not all that different from ubuntu's).
> How do you then deal with security updates? Get the updated kernel source
> release and patch and rebuild?
yep. subscribe to ubuntu-security-announce. it's very low traffic. when notified of a new linux-source, download the new package, and reapply vserver patch and ubuntu-vserver merge patch (what i attached previously). since tracking hoary, breezy, and now dapper, i've never seen a security update break a vserver patch or ubuntu-vserver merge patch, nor change the config file, so only the new linux-source package is needed. or you can generate a diff of only the security updates by comparing the two ubuntu linux-source packages and apply that diff to your old source code directory or personal linux-source package (created during "make-kpkg binary"). i don't know of an easy way to acquire the diff of just the security changes except by downloading the whole linux-source package and diffing it to the previous one.
so either:
1. new linux source + old patches, or
2. old linux source (including patches) + new security patch
but both require downloading the updated linux-source package.
here's the whole process in detail (probably more detail than most people care to see)...
disclaimer: there's probably "better" ways (add ubuntu repository to sources.list, pin linux-source package in preferences file, install ubuntu's linux-source, add debian unstable repository, pin kernel-patch-vserver, install debian's kernel-patch-vserver, extract linux-source tarball, execute "make-kpkg --added-patches vserver binary", and install the resulting linux-image package), but this is how i do it. the process is largely manual, but i only bootstrap twice a year, and security updates average about one a month, so i haven't been inconvenienced enough to research/implement automating it.
overview
--------
1. bootstrap
a. kernel source
b. config file
c. vserver patch
d. build
2. security updates
a. kernel source
b. diff
c. build
bootstrap
=========
kernel source
-------------
1. go to http://packages.ubuntu.com/
2. search for "linux-source-2.6" in "any" distribution, section "main" (make sure section is "main" because sometimes there's kernel source universe, but universe is not guaranteed security updates)
3. choose whatever version you want, usually the version from the latest released distribution (because though linux-source-2.6.15 is the latest, it's from dapper, which hasn't been released yet, and therefor not guaranteed security updates; recently the conversation has been about 2.6.15-19.29 in dapper, but this is in preparation for its official release next month or so; i don't have redundant hardware, so i'll briefly test it live on my server this weekend to see if it has any problems with 2.6.15 in general, but continue using 2.6.12 from breezy)
4. click the "all" link immediately under the "download linux-source-2.6.x" heading
5. download the package from the mirror appropriate for your location
6. copy the tar.bz2 from the package using midnight commander (love it's ability to browse tarballs, packages, diffs, etc)
7. extract the tarball
config file
-----------
1. go back to http://packages.ubuntu.com
2. search for linux-image corresponding to the linux-source you just downloaded and desired architecture (for me: k7 & amd64-k8)
3. manually download the package (see steps 4 & 5 above)
4. again using mc, copy the /boot/config-* file from the linux-image package creating the .config file in the extracted linux source directory
vserver patch
-------------
1. go to http://vserver.13thfloor.at/Experimental/
2. download the latest stable vserver patch corresponding to the kernel version (never hesitate joining #vserver on irc.oftc.net to ask questions; bertl and the rest of the channel are awesome)
build
-----
1. apply vserver patch
2. make copy of linux source with vserver patch
3. merge patch rejects
4. create diff between linux+vserver (step 2) and linux+vserver+merges (step 3)
5. make menuconfig (only setting vserver-specific options as the ubuntu defaults are currently good enough for me)
6. make-kpkg clean
7. make-kpkg --rootcmd fakeroot --append-to-version -19.29+1-k7 --revision 1 --initrd binary (technically, i'm encoding the revision in the version (ie "+1"), but otherwise a new revision would replace an old revision, and i instead like to have both "revisions" installed when upgrading from one to another as i don't trust myself that much to not need to quickly revert back, even for small changes)
8. fix compilation errors, if any
9. recreate diff between linux+vserver (step 2) and linux+vserver+merges+fixes (step 8)
10. wash, rinse, repeat until desired linux-image package is generated
security updates
================
kernel source
-------------
1. go to https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
2. subscribe to the mailing list (it's very low volume; see the archives)
3. receive "Linux kernel vulnerabilities" email
4. download appropriate linux-source package listed in email
5. copy the tar.bz2 from the package using midnight commander (love it's ability to browse tarballs, packages, diffs, etc)
6. extract the tarball
diff
---- 1. apply vserver patch and your merges+fixes patch to extracted source 2. copy over config from previously generated linux-image package (probably now in your /boot directory if the kernel is installed on this same machine) or 1. create a diff between the previous downloaded linux-source and the current one 2. apply this diff to your old linux+vserver+merges+fixes source build ----- 1. make-kpkg clean 2. make-kpkg --rootcmd fakeroot --append-to-version -19.30+1-k7 --revision 1 --initrd binary corey -- undefined@pobox.com _______________________________________________ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserverReceived on Tue Mar 28 09:23:26 2006