KernelMaintenance
|
Size: 15923
Comment: Updates for gutsy build system.
|
Size: 16149
Comment: Add comments to security section.
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 226: | Line 226: |
| If possible (especially for critical code paths), attempt to reproduce the bug via supplied reproducers (usually from the security team) to verify it actually fixes the bug. Make sure that there are no regressions as well. |
ContentsBRTableOfContents |
This document is geared towards gutsy and later releases. For feisty, please see KernelMaintenanceFeisty.
This is meant as a reference for the kernel team.
Getting the source
Ubuntu kernel source is available via git. More information can be obtained from KernelGitGuide.
Build system breakdown
This requires some knowledge of the Debian build system (including the debian/rules, etc). The gutsy build system was rewritten from the ground up, to mainly exclude kernel-package, since it was getting too heavy and restrictive for the kernels builds. We still use kernel-wedge for udeb creation.
Flavours
Flavours are how we define different types of kernels on the same architecture. Each flavour can be targeted to a specific CPU, or provide some functionality for a specific purpose.
For example, the amd64 (x86_64) architecture has these flavours:
- generic - The default install kernel.
- server - Optimized for server installations.
When building on the amd64 architecture, these are the kernels that are built. In reality, they only differ in slight variations of kernel config options.
Configs
Each flavour is built using a pre-defined configuration file (used by the kernel build system). Each architecture contains it's config files in debian/config/<arch>/. The files are split for each flavour in debian/config/<arch>/config.<flavour>, and common options are shared in debian/config/<arch>/config.
When the kernels are built, the common and flavour specific config files are concatenated together.
debian/control
The debian/control file is generated from debian/control.stub by the kernel-wedge command.
The debian/control.stub file is generated from debian/control.stub.in by a debian/rules target. This is populated by files defining the flavours in debian/control.d/vars.*.
The vars files define package descriptions for each flavour.
debian/changelog
The changelog file is where we track all changes made to the repository. This is a standard debian/changelog. However, changes are not added to it manually. Instead, it is done automatically at release time using git-log. See below for process.
ABI
The ABI is probably one of the most important features of the build system. In the kernel package naming, the ABI is the numerical component immediately following the kernel version. E.g.
2.6.20-6-generic
The ABI in the above example is 6. The ABI is represented in the debian/changelog as:
linux-source-2.6.20 (2.6.22-1.3) feisty; urgency=low
The minor version after the ABI is an ever increasing counter. It basically denotes how many uploads have been made for this kernel version.
The kernel ABI is derived from the Modules.symver file produced during the kernel build. Each exported function is given a hash defining the function's arguments and return value, making it easy to detect changes which can break modules built against the kernel (such as our own linux-restricted-modules package).
The ABI files for the previous build are located in debian/abi/<prev-rev>/. The layout is similar to the debian/config/ directory in that each architecture is a subdirectory, and each flavour is a file with the ABI for that flavour in it.
When the kernel build process finishes, it checks each flavour against the prev ABI. If the previous and current ABI's are the same version (e.g. 6), and the ABI has changed, the build will fail. This signifies that an ABI bump is needed (see below).
As of now, a single ABI change in any flavour results in an ABI bump for the entire build. There is no per-flavour or per-architecture ABI number. This is for sanity reasons.
Module lists
Module lists are tracked similarly to the ABI, and are kept in debian/abi/<prev-ver>/<arch>/<flavour>.modules. The file is a basename sorted list, sans .ko extension, of all the modules in a particular flavour. This is checked regardless of ABI, since it's meant to track release-to-release to avoid modules going missing by mistake.
The check will honor debian/abi/<prev-ver>/<arch>/ignore to ignore an entire architecture, or debian/abi/<pre-ver>/<arch>/<flavour>.ignore for a specific kernel flavour.
This section describes all the steps involved in a common development cycles. That is, the cycles from one upload (release) of the Ubuntu kernel to the next.
To start a new release, you need to download the ABI and module files from the previous release. To do this, use: This will download all the previous deb's, and extract the ABI files, and module lists. You may find it easier to do this from a DC machine where the archive is closer too (downloading all the kernel deb's is a bandwidth eater).
Immediately after an upload you should run: This will generate a new
If it becomes necessary to increase the ABI, you simply need to edit This will regenerate all of the control files with the appropriate ABI.
In You would use these files in this way: Always commit using The primary one you will use is the
During an Ubuntu development cycles, the kernel is constantly synced against upstream Linux GIT head. This involves merging conflicts, possibly deprecating local patches, and performing test builds. For stable releases, we cherry pick and sometimes outright sync to the 2.6.x.y GIT tree for that particular release.
In prior releases, third party drivers were kept as part of the main kernel tree in the ubuntu/ directory. This has changed in gutsy. Third party drivers are now separate, and in the linux-ubuntu-modules package.
As new drivers are added and merges are done with upstream, it becomes necessary to update our configs in This runs silentoldconfig for all flavours, so if any possible config options unanswered, it will ask you. Alternatively, if you know of a new config option, you can alleviate answering the same question for it on all flavours by prepending it to the Once the configs are updated, you simply commit the new changes:
Once the tree is ready for upload, follow these steps to complete the package for uploading: Run Tag the release. The -m option is the message for the tag commit, and matches the actual tag name. Run dpkg-buildpackage. NOTE: Requires latest dpkg-dev so that it ignores GIT meta-data. Upload using whatever tools you wish ( It should be noted that for development releases, a new tarball is generated at each upload. However at release time, a .orig.tar.gz is generated, sans
The kernel team should push changes to our internal repo (see KernelGitGuide for public repo). To make this easy, you can setup a script called For normal pushes, just call the script, but if you need to push a tag, add the tag to the command line, e.g.:
On occasion, security patches are applied to stable kernels. For these kernels, you will set the archive in The security team generally provides patches in the form of CVE's, with GIT SHA URL's to an upstream patch that fixes the problem. We usually use will fetch from the upstream GIT repo, and The easiest way to fetch the remote repo's objects is to create a remote file such as Then to pull the objects, and cherry pick an SHA, do this: The -e option will bring up an editor to add any Ubuntu related info to the commit (perhaps a bug number, or maybe even add the CVE number). The -x will keep the original GIT SHA in the commit message to track where it came from. Security uploads should be build tested prior to upload (this is the case for any upload, but especially so for security and proposed updates). You and one other person should boot test the resulting kernel. If possible (especially for critical code paths), attempt to reproduce the bug via supplied reproducers (usually from the security team) to verify it actually fixes the bug. Make sure that there are no regressions as well. After upload, notify the security team that you have made the upload and include a copy of the changelog.
Aside from the standard You can add -jX as needed. One other helpful tool for a developer is to install the
To test normal package building, one can use this command from the kernel git repo: This will build every kernel flavour.
You can also do single or multiple specific flavours during the build, using this syntax: So you can change
There are several build options, in the form of environment variables and make variables. Make options are passed on the CONCURRENCY_LEVEL=X where X is a number to pass using AUTOBUILD - (can be passed to make as well). Tells the build to create a non-official package with generated ABI. Used for daily builds of the kernel. skipabi - Used for test only, causes the build to skip the ABI consistency check. skipmodule - Same as above, but for the module check. NOKERNLOG - Used for the insertchanges or printchanges target. Causes git-ubuntu-log to not include upstream kernel changes in changelog output.
There are several things to do after an upload. These depend greatly on what the upload involved. Usually, for a non-ABI changing upload, you do not need to do anything further. However, for an ABI changing upload, packages need to be rebuilt against the linux-headers. Note that these packages have a extra version who's major matches the ABI of the kernel it is being built against.
This package contains modules that are proprietary. They are distributed separately so that it is easy for users to not have to use them. For an ABI bump, edit
Same as with linux-restricted-modules.
The linux-meta package provides meta packages for easier user upgrades. Because our kernel packages are named with full ABI and flavour, users normally would have to manually upgrade to a new kernel (if it had an ABI bump). The meta packages always point to the latest kernel, so if users install these packages (and they are installed by default on new systems), then upgrades will always pull in everything they need to be current. For an ABI bump, edit
This package is usually empty during development. It is meant for post-release updates of new drivers. It is packages separately from the kernel so that it is easier to provide sometimes untested drivers for new hardware on a stable release. Users do not have this package installed by default. The ABI bump method is the same as for linux-meta.
We have some differing processes for different types of uploads. Described here for the sanity challenged.
No differences for this. Uploading to main (the current development release) is the primary target for work.
Technically known as Typical changes in this tree are new drivers, and large updates to support new hardware. The GIT tree is named See the KernelUpdates page for more information.
This is self explanatory, or so it would seem. While the Development cycle
Updating ABI and modules lists
debian/bin/misc/getabis 2.6.22 6.11
Starting a new release
debian/rules startnewrelease
Bumping the ABI
debian/rules debian/control.stub
Commit templates
git-commit -s -F debian/commit-templates/<template> -e
Upstream syncing
Third party drivers
Updating configs
debian/rules updateconfigs
git-update-index debian/config/*/*
git-commit -s -F debian/commit-templates/update-configs
Preparing an upload
git-status to be sure you have no outstanding commits, or extraneous files in your local tree. debian/rules insertchanges
<open edit debian/changelog in editor to verify release and date>
git-update-index debian/changelog
git-commit -s -F debian/commit-templates/updateconfigs
git-tag -s -m Ubuntu-2.6.20-6.11 Ubuntu-2.6.20-6.11
dpkg-buildpackage -S -rfakeroot
Pushing to our repo
branches="master"
remotes="rookery.ubuntu.com:/srv/kernel-team/private/ubuntu-gutsy.git"
cd /path/to/your/repo
for repo in $remotes; do
echo "Pushing to: $repo"
git-send-pack $repo $branches $@
echo
donepush-gutsy Ubuntu-2.6.22-1.3
Security and Proposed Updates
URL: ssh://master.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.20.y.git
Pull: master:upstream-linux-2.6.20
git-fetch upstream-linux-2.6.20
git-cherry-pick -e -x aa1812b3e344dbb2c7f30e1b95661cbd36d0cd2b
Performing builds
$ cd ubuntu-gutsy
$ mkdir ../build
$ cat debian/config/i386/config{,.generic} > ../build/.config
$ make O=`pwd`/../build oldconfig
$ make O=`pwd`/../buildNormal full build
fakeroot debian/rules binary-arch
Partial build
fakeroot debian/rules binary-generic
Build options
make's -j option. Post upload
linux-restricted-modules
linux-ubuntu-modules
linux-meta
linux-backports-modules
main, proposed and security, OH MY!
main
proposed
security
KernelTeam/KernelMaintenance (last edited 2012-02-22 17:20:37 by eth0)