Handbook:Parts/Installation/Kernel/Dist-Kernel
Distribution kernels
Distribution kernels are ebuilds that cover every step of a kernel installation: unpacking, configuring, compiling, and installing. The main advantage of this method is that the package manager updates kernels as part of an @world upgrade. This requires no more effort than running an emerge command. By default, distribution kernels ship with a configuration that supports the majority of hardware. Two mechanisms are offered for customization, however: savedconfig and config snippets. See the project page for further details on configuration.
Installing a distribution kernel
Before installing the kernel package the dracut USE flag needs to be added for the package sys-kernel/installkernel in /etc/portage/package.use:
sys-kernel/installkernel dracut
Users may also wish to enable additional sys-kernel/installkernel USE flags at this stage. See the Installation/Kernel#Installkernel section for details.
To build a kernel with Gentoo patches from source:
root # emerge --ask sys-kernel/gentoo-kernel
System administrators who want to avoid compiling kernel sources on their machine can use precompiled kernel images instead:
root # emerge --ask sys-kernel/gentoo-kernel-bin
Optional: Signed kernel modules
The kernel modules in the prebuilt distribution kernel (sys-kernel/gentoo-kernel-bin) are already signed. To sign the modules of kernels built from source, enable the modules-sign USE flag and optionally specify which key to use for signing in /etc/portage/make.conf:
USE="modules-sign"
# Optionally, to use custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512.
If MODULES_SIGN_KEY is not specified, the kernel build system will generate a key and store it in /usr/src/linux-x.y.z/certs. It is recommended to generate a key manually to ensure that it will be the same for each kernel release. A key may be generated with:
root # openssl req -new -nodes -utf8 -sha256 -x509 -outform PEM -out kernel_key.pem -keyout kernel_key.pem
The MODULES_SIGN_KEY and MODULES_SIGN_CERT may be different files. For this example the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
OpenSSL will ask some questions about the user generating the key; it is recommended to answer these questions in as much detail as possible.
Store the key in a safe location. At the very least, the key should be readable only by the root user. Verify this with:
root # ls -l kernel_key.pem
-r-------- 1 root root 3164 Jan 4 10:38 kernel_key.pem
If this outputs anything other than the above, correct the permissions with:
root # chown root:root kernel_key.pem
root # chmod 400 kernel_key.pem
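The ownership and permission check above, and the question of whether the PEM file also carries the certificate, can be scripted before the key is referenced in make.conf. The following is an added example, not part of the handbook; the function name audit_signing_key and the demo file are hypothetical, and GNU coreutils stat is assumed.

```sh
#!/bin/sh
# Added example (not from the handbook): audit a signing key file before
# MODULES_SIGN_KEY / SECUREBOOT_SIGN_KEY point at it. Assumes GNU stat.

# audit_signing_key FILE [UID]  -> prints findings, returns 0 if no FAIL.
audit_signing_key() {
    key=$1
    want_uid=${2:-0}              # expected owner; 0 (root) per the handbook
    rc=0
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: $key is not a regular file"
        return 1
    fi
    uid=$(stat -c '%u' "$key")
    mode=$(stat -c '%a' "$key")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid (chown root:root)"
        rc=1
    fi
    case $mode in
        400) echo "OK: mode 400" ;;
        [0-7]00) echo "WARN: mode $mode, the handbook uses 400" ;;
        *) echo "FAIL: mode $mode lets group/other access the key (chmod 400)"
           rc=1 ;;
    esac
    # The private key must be present; the certificate may live elsewhere.
    if ! grep -Eq -- '-----BEGIN ((RSA|EC|ENCRYPTED) )?PRIVATE KEY-----' "$key"; then
        echo "FAIL: no PEM private key block found"
        rc=1
    fi
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$key"; then
        echo "OK: certificate included, *_SIGN_CERT may name the same file"
    else
        echo "WARN: no certificate here, set *_SIGN_CERT to the certificate file"
    fi
    return "$rc"
}

# Demo on a constructed file holding only PEM markers (not a real key).
demo=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' > "$demo"
chmod 400 "$demo"
audit_signing_key "$demo" "$(id -u)"
rm -f "$demo"
```

On a real system, call the function with only the key path so that the expected owner defaults to root.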
Optional: Signing the kernel image (Secure Boot)
The kernel image in the prebuilt distribution kernel (sys-kernel/gentoo-kernel-bin) is already signed for use with Secure Boot. To sign the kernel image of kernels built from source, enable the secureboot USE flag and optionally specify which key to use for signing in /etc/portage/make.conf. Note that signing the kernel image for use with Secure Boot requires that the kernel modules are also signed. The same key may be used to sign both the kernel image and the kernel modules:
USE="modules-sign secureboot"
# Optionally, to use custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512.
# Optionally, to boot with secureboot enabled, may be the same or different signing key.
SECUREBOOT_SIGN_KEY="/path/to/kernel_key.pem"
SECUREBOOT_SIGN_CERT="/path/to/kernel_key.pem"
The SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT may be different files. For this example the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
For this example the same key that was generated to sign the modules is used to sign the kernel image. It is also possible to generate and use a second separate key for signing the kernel image. The same OpenSSL command as in the previous section may be used again.
See the above section for instructions on generating a new key. The steps may be repeated if a separate key should be used to sign the kernel image.
To successfully boot with Secure Boot enabled, the bootloader in use must also be signed and the certificate must be accepted by the UEFI firmware or Shim. This will be explained later in the handbook.
Upgrading and cleaning up
Once the kernel is installed, the package manager will automatically update it to newer versions in the future. Older versions are kept until the package manager is instructed to remove stale versions. To reclaim disk space, stale packages can be removed by periodically running emerge with the --depclean option:
root # emerge --depclean
Alternatively, stale kernels can also be removed with the following command:
root # emerge --prune sys-kernel/gentoo-kernel sys-kernel/gentoo-kernel-bin
Post-install/upgrade tasks
Distribution kernels are capable of rebuilding kernel modules installed by other packages. Portage provides a hook through the dist-kernel USE flag, which is part of linux-mod-r1.eclass and controls a subslot dependency on virtual/dist-kernel.
Enabling this USE flag on packages such as sys-fs/zfs and sys-fs/zfs-kmod allows them to be rebuilt automatically against a newly updated kernel and, if applicable, to regenerate the initramfs accordingly.
Manually rebuilding the initramfs
If necessary, a rebuild can also be triggered manually after a kernel upgrade:
root # emerge --ask @module-rebuild
If kernel modules (e.g. ZFS) are needed at early boot, rebuild the initramfs afterwards:
root # emerge --config sys-kernel/gentoo-kernel
root # emerge --config sys-kernel/gentoo-kernel-bin