Re: Generating a cloud / VM kernel package


On Sat Aug 26, 2017 at 11:48:22 +0200, Thomas Goirand wrote:
> Dear Kernel maintainers,
> As you may know, Ubuntu has for years been shipping a kernel
> designed for the cloud. Such a kernel is simply a version of the kernel
> that is stripped down for running on VMs. The point here is that VMs do
> not need all the drivers that we typically build for the generic Debian
> kernel (and if one still needs it, a fallback to the generic kernel is
> always possible). This makes the kernel binary package a lot smaller,
> and also potentially reduces the surface of attack in case of a security
> problem. For example, we wouldn't need ax25, appletalk and such, which
> are unfortunately automatically loaded in case matching packets are
> received by the kernel, and which have been proven to be problematic in
> terms of security maintenance. Most hardware drivers would also go away.
> Since it is only a matter of *removing* some modules, I don't think
> adding a cloud / VM kernel flavor would be a lot of maintenance. Though
> of course, as I wouldn't be the one doing it, it is not up to me to
> judge the amount of work.
> Could we see this happening in Debian? Please let us know your thoughts.

I personally think this is a good idea in general. Most cloud providers
will probably want/love this, esp. when it comes to the specifics of their
environments. On the other hand I have some concerns:

a) we need to decide then if we need one kernel flavour for each cloud
provider or if we can agree on a basic set of kernel compile options
that every cloud provider can use.

b) most kernels Debian ships are kernels that have most drivers needed
as modules, so even though the kernel images are big, the kernel should
only load modules it really needs.

Thomas, can you elaborate why you think this is a good idea? Is this about
boot time of the kernel image? The thing I really do not want to have is
additional kernel source uploads to the archive for just those cloud
kernel images, but you already considered that a bad idea (from what I
read between your lines).


 Martin Zobel-Helas <zobel@debian.org>    Debian System Administrator
 Debian & GNU/Linux Developer                       Debian Listmaster
 http://about.me/zobel                               Debian Webmaster
 GPG Fingerprint:  6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B 
