Install from Sources
Instructions below describe compilation from sources on Ubuntu 24.04, which is the preferred build and execution environment for the moment. With small changes the instruction can be applied to other GNU/Linux distributions.
Build requirements๐
- common requirements
- 35-40 GB of free disk space.
apt-get install make flex bison gcc g++ libboost-all-dev libssl-dev bc fakeroot dwarves libelf-dev lz4
Compiling the patched Kernel๐
Install build dependencies๐
The easiest way to install all the build dependencies for the Linux kernel is to use information from sources repository.
Make sure that the line deb-src is present and uncommented in /etc/apt/sources.list
deb-src http://archive.ubuntu.com/ubuntu noble main restricted
Then all the build dependencies can be simply installed:
apt-get update
apt-get build-dep linux
Obtain kernel sources๐
Get Linux kernel with Tempesta-Tech patches.
Version 0.9 (current master):
git clone https://github.com/tempesta-tech/linux-6.12.12-tfw.git
Release version 0.8:
git clone https://github.com/tempesta-tech/linux-5.10.35-tfw.git
Or apply version 0.9 the patch set to 6.12.12 kernel sources or release 0.8 the patch set to 5.10.35 kernel sources.
Configure Kernel๐
Before build Linux Kernel must be configured. Recommended way is to reuse current kernel’s configuration with Tempesta FW-specific changes.
Ensure that the kernel tree is absolutely clean:
cd linux-6.12.12-tfw # or linux-5.10.35-tfw
make clean && make mrproper
Copy current kernel’s configuration:
cp /boot/config-$(uname -r) .config
Use a text editor for the copied .config:๐
to comment the following lines if set to "y" before proceed:
CONFIG_SYSTEM_TRUSTED_KEYRINGCONFIG_SYSTEM_TRUSTED_KEYSCONFIG_SYSTEM_REVOCATION_LISTCONFIG_SYSTEM_REVOCATION_KEYS- all CONFIG_DEFAULT_SECURITY_* lines
Why: Vanilla kernels donโt include files like debian/canonical-certs.pem. Leaving these options enabled causes build errors or interactive prompts during module signing.
to manually set all these options to "y":
CONFIG_SLUBCONFIG_HUGETLB_PAGECONFIG_SECURITYCONFIG_SECURITY_NETWORKCONFIG_SECURITY_TEMPESTACONFIG_DEFAULT_SECURITY_TEMPESTA- "tempesta" listed first in CONFIG_LSM, e.g.
CONFIG_LSM="tempesta,lockdown..."
For Linux kernel 5.10.35 and above the following config options should be set "y":
CONFIG_SOCK_CGROUP_DATACONFIG_NETCONFIG_CGROUPSCONFIG_CGROUP_NET_PRIO
Also it is better to choose CONFIG_UNWINDER_ORC instead of CONFIG_UNWINDER_FRAME_POINTER
and unset CONFIG_FRAME_POINTER, for greater efficiency of some cryptographic functions
(it is impossible to use %rbp register for calculations if CONFIG_FRAME_POINTER or
CONFIG_UNWINDER_FRAME_POINTER is set).
For integration of HTTP tables
and WebShield with iptables and nftables the following config options should be set
as well (Tempesta works without these options):
CONFIG_NF_TABLES_IPV4CONFIG_NF_TABLES_IPV6CONFIG_NF_TABLESCONFIG_NF_TABLES_INET
Failover configuration๐
For high availability setup you need to make the kernel to reboot on any issue preventing it from normal operation.
Set following kernel options:
CONFIG_WATCHDOG=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=1
CONFIG_HARDLOCKUP_DETECTOR_PERF=y
CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC_VALUE=1
CONFIG_DETECT_HUNG_TASK=y
and set sysctl values in /etc/sysctl.conf:
kernel.panic=1
kernel.panic_on_oops=1
kernel.panic_on_rcu_stall=1
vm.panic_on_oom=1
These settings will reboot the machine on any hung, software crash or out of memory event.
Compile and install Kernel๐
Traditional way is to compile the kernel and manually install modules and kernel image:
make -j$(nproc)
make modules_install
make install
Compiling Tempesta FW๐
Install build dependencies๐
Install build dependencies by calling the next command:
apt-get install build-essential libboost-dev libboost-program-options-dev cmake ninja-build libfmt-dev libspdlog-dev pkgconf
Obtain sources๐
Get version 0.9 (current master) Tempesta FW from Github repository:
git clone https://github.com/tempesta-tech/tempesta
cd tempesta
or release version 0.8:
git clone --branch release-0.8 https://github.com/tempesta-tech/tempesta.git
cd tempesta
Compile Tempesta FW๐
Tempesta FW is out-of-tree kernel module. It is recommended to reboot into
Tempesta’s patched kernel and install kernel headers before building the module.
Simply run make to prepare the module:
make clean
make
It is also possible to build the module against target kernel sources directory:
make clean
make KERNEL=<path-to-kernel>
Troubleshooting 5.10.35 kernel๐
During lifecycle of Ubuntu, utility pahole was updated from version 1.22 to version 1.25.
Using updated version leads to kernel build error with message:
load BTF from vmlinux: Invalid argument.
To avoid it:
check version
pahole --version
and if it needed downgrade it
apt install pahole=1.22-8