Package the next LTS kernel (4.9)
Closed, ResolvedPublic

Description

The next LTS kernel for Linux is 4.9.

I plan to package that alongside our 4.4 kernel soon and gradually migrate to it. Debian will also pick the LTS kernel, which provides nice synergy effects.

4.9 brings a full year of upstream development activity and notable improvements, e.g. BBR congestion control and improved kernel hardening.

Restricted Application added a subscriber: Aklapper. Jan 9 2017, 8:12 PM
MoritzMuehlenhoff changed the title from "Package the next LTS kernel (likely 4.9)" to "Package the next LTS kernel (4.9)". Jan 20 2017, 1:29 PM
MoritzMuehlenhoff edited the task description.

4.9 introduced a new security hardening feature around stack handling [1], which caused fallout in the form of memory corruption all over the kernel tree. Brad Spengler of grsecurity reported a few of those already on oss-security.

This needs at least an additional month to shake out bugs until we can use it in production.

[1] https://outflux.net/blog/archives/2016/12/12/security-things-in-linux-v4-9/

ema added a subscriber: ema.Feb 6 2017, 8:57 AM
ema triaged this task as "Normal" priority.Feb 6 2017, 9:08 AM

Debian jessie-backports will follow the kernel from Debian stretch, i.e. 4.9.x. This means that we follow Debian more closely and don't need an internal build (at least until we migrate to the 2018 kernel LTS series). I'll also help out with preparing Linux builds in jessie-backports.

We will continue to use our custom meta package instead of the one used in Debian, since it allows a little extra flexibility and will also be useful if we migrate to the 2018 LTS series. Plus all the existing jessie systems use it.

In stretch the kernel images are now signed in a two-step process: first the unsigned kernel is built, and then a signed kernel image is built with a detached signature. Packages from jessie-backports are not signed, so our meta package will use the unsigned variants.

I'll initially import the kernel to the experimental section for testing. When testing is complete and it is ready to be used in general, I'm still planning to import the packages from jessie-backports into apt.wikimedia.org; this avoids fiddling with apt preferences for experimental, and we have some control over testing packages from backports first before they enter our repo.

Change 341810 had a related patch set uploaded (by Muehlenhoff):
[operations/debs/linux-meta] Add new meta package for Linux 4.9

https://gerrit.wikimedia.org/r/341810

Change 341810 merged by Muehlenhoff:
[operations/debs/linux-meta] Add new meta package for Linux 4.9

https://gerrit.wikimedia.org/r/341810

Linux 4.9.13 is now available in jessie-wikimedia/experimental along with updated firmware-nonfree. I have extended linux-meta with a new meta package linux-meta-4.9 which pulls in all the packages. This has been working fine so far in labs and I've also upgraded multatuli.

Mentioned in SAL (#wikimedia-operations) [2017-03-15T10:34:44Z] <ema> upgrade cp4001 (misc) and cp4011 (maps) to linux 4.9 T154934

ema added a comment. Mar 22 2017, 10:44 AM

I've noticed the following warning on cp4011. It could potentially be related to the upgrade to 4.9 given that I haven't seen the same message on any other machine.

TCP: eth0: Driver has suspect GRO implementation, TCP performance may be compromised.

I had a look at that GRO error message yesterday: the check was only introduced in 4.9 with https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dcb17d22e1c2cd72e72190c736349a675362b3bc
I'm pretty sure the same MSS situation happened before as well, but only now there's a log message explicitly pointing to it. And given that it happened only once in almost a week, it's probably caused by intermittent router/network problems.
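As an added example (not code from this task, from Debian, or from the kernel itself), the following user-space C model reproduces the receive-MSS check that the commit linked above added to tcp_measure_rcv_mss() in net/ipv4/tcp_input.c, so you can see which combinations of skb length, gso_size and advertised MSS produce the "Driver has suspect GRO implementation" message. The struct field and constant names follow the kernel's, but the structs themselves, the device name "eth0", the initial rcv_mss estimate of 536 and all scenario values are constructed for the example. The kernel's else branch (bookkeeping for segments smaller than the current estimate) is omitted because it does not affect the warning; the 4.9 code's print-once behaviour is modelled with a flag, which is why a single log line says nothing about how often the condition was actually hit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Same value as MAX_TCP_OPTION_SPACE in include/net/tcp.h: the most TCP option
 * bytes a header can carry, so a peer that strips options may legitimately
 * send payloads up to that much larger than the MSS we advertised. */
#define MAX_TCP_OPTION_SPACE 40

/* Only the kernel fields the check reads (names follow tcp_sock / inet_csk);
 * the structs are a constructed stand-in for the real ones. */
struct model_sock {
    const char *dev_name;  /* stands in for the netdev name the kernel prints */
    unsigned int advmss;   /* tp->advmss: MSS we advertised on this connection */
    unsigned int rcv_mss;  /* icsk->icsk_ack.rcv_mss: estimate of the peer's segment size */
    bool warned;           /* tcp_gro_dev_warn() in 4.9 prints at most once (static flag) */
};

struct model_skb {
    unsigned int len;      /* skb->len: payload bytes in this skb */
    unsigned int gso_size; /* skb_shinfo(skb)->gso_size: wire segment size if aggregated, else 0 */
};

/* Model of the len >= rcv_mss branch of tcp_measure_rcv_mss() (4.9).
 * Returns true when the skb trips the "suspect GRO" condition, whether or not
 * the once-only message is actually printed for it. */
bool model_measure_rcv_mss(struct model_sock *sk, const struct model_skb *skb)
{
    /* A correctly GRO-aggregated skb carries the original segment size in
     * gso_size; the kernel measures that, not the aggregate length. */
    unsigned int len = skb->gso_size ? skb->gso_size : skb->len;
    bool suspect = false;

    if (len >= sk->rcv_mss) {
        sk->rcv_mss = len < sk->advmss ? len : sk->advmss;
        /* Up to 40 bytes above advmss is explained by removed options; more
         * than that means the driver handed TCP an skb larger than any segment
         * the peer could have sent, i.e. it merged segments without setting
         * gso_size. */
        if (len > sk->rcv_mss + MAX_TCP_OPTION_SPACE)
            suspect = true;
    }

    if (suspect && !sk->warned) {
        sk->warned = true;
        printf("TCP: %s: Driver has suspect GRO implementation, TCP performance may be compromised.\n",
               sk->dev_name);
    }
    return suspect;
}

/* Convenience wrapper: would one skb with these parameters trip the check on a
 * socket whose current estimate is rcv_mss? (Message suppressed.) */
bool gro_suspect(unsigned int advmss, unsigned int rcv_mss,
                 unsigned int skb_len, unsigned int gso_size)
{
    struct model_sock sk = { "eth0", advmss, rcv_mss, true };
    struct model_skb skb = { skb_len, gso_size };
    return model_measure_rcv_mss(&sk, &skb);
}

int main(void)
{
    /* Constructed scenarios: we advertised MSS 1460 and the connection starts
     * with an rcv_mss estimate of 536 (TCP_MSS_DEFAULT) in this model. */
    struct model_sock sk = { "eth0", 1460, 536, false };
    struct model_skb plain    = { 1460, 0 };     /* one full-sized segment        */
    struct model_skb good_gro = { 64240, 1460 }; /* 44 segments merged, gso_size set */
    struct model_skb bad_gro  = { 64240, 0 };    /* merged, but gso_size left at 0  */

    printf("plain segment : %s\n", model_measure_rcv_mss(&sk, &plain) ? "suspect" : "ok");
    printf("proper GRO    : %s\n", model_measure_rcv_mss(&sk, &good_gro) ? "suspect" : "ok");
    printf("broken GRO    : %s\n", model_measure_rcv_mss(&sk, &bad_gro) ? "suspect" : "ok");
    /* A second offending skb trips the check again but prints nothing more. */
    printf("broken again  : %s\n", model_measure_rcv_mss(&sk, &bad_gro) ? "suspect" : "ok");
    return 0;
}
```

The third scenario is the one that matches the log line on cp4011: an skb whose length exceeds the advertised MSS by more than the 40-byte option allowance while gso_size is zero. The fourth shows why a single occurrence in the log does not bound how often the condition recurred.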

Change 345314 had a related patch set uploaded (by Muehlenhoff):
[operations/puppet@production] Install jessie systems with Linux 4.9 by default

https://gerrit.wikimedia.org/r/345314

Change 345314 merged by Muehlenhoff:
[operations/puppet@production] Install jessie systems with Linux 4.9 by default

https://gerrit.wikimedia.org/r/345314

MoritzMuehlenhoff closed this task as "Resolved". Mon, Apr 3, 1:50 PM

The new kernel is available on apt.wikimedia.org and is used by default on jessie installations. Closing, the migration of existing jessie installations will happen via T162029