Securing and Optimizing Linux: RedHat Edition - A Hands on Guide
Chapter 7. Configuring and Building a Secure, Optimized Kernel
We must copy the archive file of the Kernel to the /usr/src directory and move to this directory.
[root@deep] /#cp linux-version_tar.gz /usr/src/
[root@deep] /#cd /usr/src/
[root@deep ] /src#rm -rf linux
[root@deep ] /src#rm -rf linux-2.2.xx
[root@deep ] /src#rm -rf /lib/modules/2.2.xx
Removing the old kernel modules is required only if you have installed a modularized kernel version before. If the modules directory doesn't exist under the /lib directory, it's because your old kernel version is not a modularized kernel.
[root@deep ] /src#rpm -qa |grep kernel
[root@deep ] /src#rpm -e --nodeps kernel-headers kernel
cannot remove /usr/src/linux-2.2.xx - directory not empty
cannot remove /lib/modules/2.2.xx - directory not empty
[root@deep ] /src#rm -rf /usr/src/linux-2.2.xx/
[root@deep ] /src#rm -rf /lib/modules/2.2.xx/
Now, we must decompress the tar archive of the kernel and remove the Linux tar archive from the system.
[root@deep ] /src#tar xzpf linux-version_tar.gz
[root@deep ] /src#rm -f linux-version_tar.gz
To increase the number of tasks allowed (the maximum number of processes per user), you may need to edit the /usr/src/linux/include/linux/tasks.h file. Edit the tasks.h file (vi +14 /usr/src/linux/include/linux/tasks.h) and change the following parameters: NR_TASKS from 512 to 3072 and MIN_TASKS_LEFT_FOR_ROOT from 4 to 24.
The value in the NR_TASKS line denotes the maximum number of task (process) handles that the Linux kernel will allocate per user. Increasing this number will allow you to handle more connections from clients on your server; for example, an HTTP web server will be able to serve more client connections. Don't forget that Linux is protected against normal users allocating all of the process slots. A special parameter line, MIN_TASKS_LEFT_FOR_ROOT, is reserved for the super-user root; you may set it to the number of processes reserved for root (24 is a good value).
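The tasks.h change above can also be applied non-interactively and checked before you build. The following is an added example, not part of the original guide: the helper names (get_define, set_define, apply_tasks_limits) are hypothetical, and the header it edits is a constructed sample containing only the two defines named in the text, not the real tasks.h.

```shell
#!/bin/sh
# Added example: apply the tasks.h values from the text and verify them.

# Print the value of "#define NAME value" in FILE (empty if absent).
get_define() {
    awk -v n="$2" '$1 == "#define" && $2 == n { print $3; exit }' "$1"
}

# set_define FILE NAME OLD NEW
# Succeeds if NEW is already set; refuses to edit if the current value is
# neither OLD nor NEW, so an unexpected source tree is not changed blindly.
set_define() {
    cur=$(get_define "$1" "$2")
    [ "$cur" = "$4" ] && return 0
    if [ "$cur" != "$3" ]; then
        echo "$2: expected $3 or $4, found '$cur'" >&2
        return 1
    fi
    [ -f "$1.orig" ] || cp -p "$1" "$1.orig" || return 1   # keep pristine copy once
    ws='[[:space:]][[:space:]]*'
    sed "s/^\([[:space:]]*#define$ws$2$ws\)$3/\1$4/" "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1" &&
        [ "$(get_define "$1" "$2")" = "$4" ]
}

# Apply both values from the text, then confirm that the slots reserved
# for root are fewer than the total number of task slots.
apply_tasks_limits() {
    set_define "$1" NR_TASKS 512 3072 || return 1
    set_define "$1" MIN_TASKS_LEFT_FOR_ROOT 4 24 || return 1
    [ "$(get_define "$1" MIN_TASKS_LEFT_FOR_ROOT)" -lt "$(get_define "$1" NR_TASKS)" ]
}

# Constructed sample standing in for include/linux/tasks.h (not the real file).
demo_dir=$(mktemp -d)
printf '%s\n' '#define NR_TASKS 512 /* constructed sample */' \
              '#define MIN_TASKS_LEFT_FOR_ROOT 4' > "$demo_dir/tasks.h"
apply_tasks_limits "$demo_dir/tasks.h" && grep '#define' "$demo_dir/tasks.h"
rm -rf "$demo_dir"
```

To use it on a real tree, call apply_tasks_limits with the path to the header; the untouched original is kept beside it with an .orig suffix.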
To optimize the Linux kernel to fit your specific CPU architecture and optimization flags you may need to edit the /usr/src/linux/Makefile file and change the following parameters.
Edit the Makefile file (vi +18 /usr/src/linux/Makefile) and change the line: HOSTCC =gcc to read:
Edit the Makefile file (vi +25 /usr/src/linux/Makefile) and change the line: CC =$(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH) to read:
CC =$(CROSS_COMPILE)egcs -D__KERNEL__ -I$(HPATH)
Edit the Makefile file (vi +90 /usr/src/linux/Makefile) and change the line: CFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer to read:
CFLAGS = -Wall -Wstrict-prototypes -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions
Edit the Makefile file (vi +19 /usr/src/linux/Makefile) and change the line: HOSTCFLAGS =-Wall -Wstrict-prototypes -O2 -fomit-frame-pointer to read:
HOSTCFLAGS =-Wall -Wstrict-prototypes -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions
These changes turn on aggressive optimization tricks that may or may not work with all kernels. If the optimization flags above, or the ones you have chosen for your CPU architecture, do not work for you, please don't try to force them to work. I wouldn't want to make your system unstable like Microsoft Windows.