
Tuning IDE Hard Disk Performance

Accessing a hard disk can be 50 to 100 times slower than reading data from RAM. File caches using RAM can alleviate this. However, low memory conditions will reduce the amount of memory available for the file-system cache slowing things down. File systems can also become heavily fragmented, slowing down disk accesses. Heavy use of symbolic links on Unix systems can slow down disk accesses too.

Default Linux installs are also notorious for choosing hard disk settings that are tuned for compatibility rather than speed. Use the hdparm command to tune your Linux hard disk settings. hdparm is a tool that can be used to tune and improve the performance of your IDE hard disk. By default, any IDE drives you have in your Linux system are not optimized. Even if you have an UltraDMA system, you will not be able to take full advantage of its speed unless you use the hdparm tool to enable its features. This is because there are many different hard drive makes and models, and Linux cannot know every feature of each one.

Performance increases have been reported on massive disk I/O operations by setting the IDE drivers to use DMA, 32-bit transfers and multiple sector modes. The kernel seems to use more conservative settings unless told otherwise. The magic command to change the setting of your drive is hdparm.

Before going into the optimization of your hard drive, it is important to verify that the hdparm package is installed in your system. If you have followed every step during the installation of Linux on your computer, then this package is not installed.

• To verify whether the hdparm package is installed on your system, use the command:

[root@deep /]# rpm -q hdparm

package hdparm is not installed

If the hdparm package seems not to be installed, you’ll need to mount your CD-ROM drive containing the Linux CD-ROM Part 1 and install it.

General Optimization 0 CHAPTER 5

• To mount the CD-ROM drive, use the following commands:

[root@deep /]# mount /dev/cdrom /mnt/cdrom/

had: ATAPI 32X CD-ROM drive, 128kB Cache

mount: block device dev/cdrom is write-protected, mounting read-only

• To install the hdparm package on your Linux system, use the following command:

[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/

[root@deep RPMS]# rpm -Uvh hdparm-version.i386.rpm

hdparm ##################################################

• To unmount your CD-ROM drive, use the following command:

[root@deep RPMS]# cd /; umount /mnt/cdrom/

Once the hdparm package is installed on the system, it is time to optimize your hard drive. Note that, depending on your drive's make and model, some parameters will apply and others will not. It is your responsibility to know and understand your disk drive before applying any of the optimization parameters described below.

Finally, and especially for UltraDMA systems, it is vital to verify in your BIOS settings that the parameters related to DMA support on your computer are enabled, or you will inevitably break your hard disk. You have been warned.

Step 1

The first parameter applies to the majority of all modern drives and models in the market and enables 32-bit I/O over PCI buses. This option is one of the most important and will usually double the speed of your drive.

• To enable 32-bit I/O over the PCI buses, use the following command:

[root@deep /]# /sbin/hdparm -c3 /dev/hda (or hdb, hdc etc).

Depending on your IDE disk drive model, this will usually cut the time reported for timing buffered disk reads in half. The hdparm(8) manpage says that you may need to use “-c3” for many chipsets, since it works with nearly all 32-bit IDE chipsets. All (E)IDE drives still have only a 16-bit connection over the ribbon cable from the interface card.

Step 2

The second parameter applies only to standard DMA disks and activates the simple DMA feature of the disk. This feature is for old disk drives with DMA capabilities.

• To enable DMA, use the following command:

[root@deep /]# /sbin/hdparm -d1 /dev/hda (or hdb, hdc etc).

This may depend on support for your motherboard chipset being compiled into your kernel. Also, this command will enable DMA support for your hard drive only on interfaces which support DMA. It will cut the time reported for timing buffered disk reads and improve performance by a factor of two.

Step 3

Multiword DMA mode 2, also known as the ATA2 disk drive, is the successor of the simple DMA drive. If you have this kind of hard drive, then you must enable the parameter in your Linux system.

• To enable multiword DMA mode 2 transfers, use the following command:

[root@deep /]# /sbin/hdparm -d1 -X34 /dev/hda (or hdb, hdc etc).

This sets the IDE transfer mode for newer (E)IDE/ATA2 drives. (Check your hardware manual to see if you have it).

Step 4

As with DMA mode 2, UltraDMA mode 2 is an improvement of the DMA technology. If you have this kind of drive in your system, then choose this mode.

• To enable UltraDMA mode 2 transfers, use the following command:

[root@deep /]# /sbin/hdparm -d1 -X66 /dev/hda (or hdb, hdc etc)

See your manual page about hdparm for more information. USE THIS OPTION WITH EXTREME CAUTION!

Step 5

UltraDMA mode 4 is one of the latest entries and one of the most popular at this time; it is also known as ATA/66. I guess that most of you have this kind of drive installed, and if that is the case then it is the mode you should choose.

• To enable UltraDMA mode 4 transfers, use the following command:

[root@deep /]# /sbin/hdparm -d1 -X12 -X68 /dev/hda (or hdb, hdc etc)

This will enable UltraDMA ATA/66 mode on your drive. See your manual page about hdparm for more information. USE THIS OPTION WITH EXTREME CAUTION!

Step 6

Multiple sector mode (aka IDE Block Mode) is a feature of most modern IDE hard drives, permitting the transfer of multiple sectors per I/O interrupt, rather than the usual one sector per interrupt. When this feature is enabled, it typically reduces operating system overhead for disk I/O by 30-50%. On many systems it also provides increased data throughput of anywhere from 5% to 50%.

• To set multiple sector mode I/O, use the following command:

[root@deep /]# /sbin/hdparm -mXX /dev/hda (or hdb, hdc etc)

Where “XX” represents the maximum setting supported by your drive. The “-i” flag can be used to find the maximum setting supported by an installed drive: look for MaxMultSect in the output.


• To find the maximum setting of your drive, use the following command:

[root@deep /]# /sbin/hdparm -i /dev/hda (or hdb, hdc etc)

/dev/hda:

Model=QUANTUM FIREBALLP LM15, FwRev=A35.0700, SerialNo=883012661990

Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs }

RawCHS=16383/16/63, TrkSize=32256, SectSize=21298, ECCbytes=4

BuffType=3(DualPortCache), BuffSize=1900kB, MaxMultSect=16, MultSect=16

DblWordIO=no, OldPIO=2, DMA=yes, OldDMA=2

CurCHS=16383/16/63, CurSects=-66060037, LBA=yes, LBAsects=29336832

tDMA={min:120,rec:120}, DMA modes: mword0 mword1 mword2

IORDY=on/off, tPIO={min:120,w/IORDY:120}, PIO modes: mode3 mode4

UDMA modes: mode0 mode1 mode2 mode3 *mode4

Step 7

The get/set sector count for file system read-ahead is used to improve performance in sequential reads of large files. The default setting is 8 sectors (4KB), and we will double it to 16. USE THIS OPTION WITH EXTREME CAUTION!

• To improve the get/set sector count for file system read-ahead, use the command:

[root@deep /]# /sbin/hdparm -a16 /dev/hda (or hdb, hdc etc)

Step 8

The get/set interrupt-unmask flag will greatly improve Linux's responsiveness and eliminate "serial port overrun" errors. USE THIS OPTION WITH EXTREME CAUTION!

• To get/set the interrupt-unmask flag for the drive, use the command:

[root@deep /]# /sbin/hdparm -u1 /dev/hda (or hdb, hdc etc)

Step 9

The IDE drive's write-caching feature will improve the performance of the hard disk. USE THIS OPTION WITH EXTREME CAUTION!

• To enable the IDE drive's write-caching feature, use the following command:

[root@deep /]# /sbin/hdparm -W1 /dev/hda (or hdb, hdc etc)

Step 10

These options will allow the drive to retain your settings over a soft reset (as done during the error recovery sequence). It is important to note that not all drives support this feature.

• To enable the drive to retain your settings, use the command:


Step 11

Once every tuning option related to your specific drive has been set, you can test the results and decide whether you want to keep them.

• You can test the results of your changes by running hdparm in performance test mode:

[root@deep /]# /sbin/hdparm -vtT /dev/hda (or hdb, hdc etc).

/dev/hda:

multcount = 16 (on)

I/O support = 3 (32-bit w/sync)

unmaskirq = 1 (on)

using_dma = 1 (on)

keepsettings = 1 (on)

nowerr = 0 (off)

readonly = 0 (off)

readahead = 16 (on)

geometry = 1826/255/63, sectors = 29336832, start = 0

Timing buffer-cache reads: 128 MB in 0.85 seconds = 150.59 MB/sec

Timing buffered disk reads: 64 MB in 2.54 seconds = 25.20 MB/sec
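The steps above pick the -m and -X values by reading the “-i” output by hand. The following is an added example, not part of the original text: it derives those values from the identify output and only prints the resulting command. It generalizes the page's -X34, -X66 and -X68 to the hdparm(8) rule (32 + multiword DMA mode, 64 + UltraDMA mode); the function names are hypothetical and the sample input is constructed from the output shown in Step 6.

```shell
#!/bin/sh
# Constructed sample: key lines of the `hdparm -i /dev/hda` output on this page.
SAMPLE_IDENTIFY=' BuffType=3(DualPortCache), BuffSize=1900kB, MaxMultSect=16, MultSect=16
 DblWordIO=no, OldPIO=2, DMA=yes, OldDMA=2
 tDMA={min:120,rec:120}, DMA modes: mword0 mword1 mword2
 IORDY=on/off, tPIO={min:120,w/IORDY:120}, PIO modes: mode3 mode4
 UDMA modes: mode0 mode1 mode2 mode3 *mode4'

# max_mult_sect: print MaxMultSect from identify text on stdin (Step 6).
max_mult_sect() {
    sed -n 's/.*MaxMultSect=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# highest_mode LABEL PREFIX: highest number listed after "LABEL modes:",
# e.g. "UDMA mode" or "DMA mword". '*' marks the active mode and is dropped.
highest_mode() {
    sed 's/^/ /' | sed -n "s/.*[ ,]$1 modes: *//p" | tr -d '*' | tr ' ' '\n' |
        sed -n "s/^$2\([0-9]\)\$/\1/p" | sort -n | tail -n 1
}

# suggest_hdparm DEVICE: read identify text on stdin and print (never run) an
# hdparm command limited to what the drive reports. Per hdparm(8), -X is
# 64 + UDMA mode or 32 + multiword DMA mode (the page's -X68, -X66, -X34).
# The controller, cable and BIOS must support the mode too, as the page warns.
suggest_hdparm() {
    ident=$(cat)
    args="-c3"
    mult=$(printf '%s\n' "$ident" | max_mult_sect)
    if [ -n "$mult" ] && [ "$mult" -gt 0 ]; then args="$args -m$mult"; fi
    if printf '%s\n' "$ident" | sed 's/^/ /' | grep -q '[ ,]DMA=yes'; then
        udma=$(printf '%s\n' "$ident" | highest_mode UDMA mode)
        mdma=$(printf '%s\n' "$ident" | highest_mode DMA mword)
        if [ -n "$udma" ]; then args="$args -d1 -X$((64 + udma))"
        elif [ -n "$mdma" ]; then args="$args -d1 -X$((32 + mdma))"
        else args="$args -d1"
        fi
    fi
    echo "/sbin/hdparm $args $1"
}

suggest_hdparm /dev/hda <<EOF
$SAMPLE_IDENTIFY
EOF
```

On a live system the input would come from `/sbin/hdparm -i /dev/hda` piped into `suggest_hdparm /dev/hda`; review the printed command before running it.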

Once you have a set of hdparm options, you can put the commands in your /etc/rc.local file to run them every time you reboot the machine. When running from /etc/rc.local, you can add the “-q” option to reduce screen clutter. In my case, I will put the following configuration at the end of my rc.local file:

IN THIS CHAPTER

1. Difference between a Modularized Kernel and a Monolithic Kernel

2. Making an emergency boot floppy

3. Preparing the Kernel for the installation

4. Applying the Grsecurity kernel patch

5. Obtaining and Installing Grsecurity

6. Tuning the Kernel

7. Cleaning up the Kernel

8. Configuring the Kernel

9. Compiling the Kernel

10. Installing the Kernel

11. Verifying or upgrading your boot loader

12. Reconfiguring /etc/modules.conf file

13. Rebooting your system to load the new kernel

14. Delete programs, edit files pertaining to modules

15. Making a new rescue floppy for Modularized Kernel

Kernel Security & Optimization 0 CHAPTER 6

Linux Kernel

Abstract

Well, our Linux server seems to be getting in shape now! But wait, what is the most important part of our server? Yes, it’s the kernel. The Linux kernel is the core of our operating system, and without it there is no Linux at all. So we must configure the kernel to fit our needs and compile only the features we really need.

The new generation of Linux Kernel 2.4 was seemingly written with the server in mind. Many of the old limits, which prevented Linux being adopted in the “enterprise” market, have been lifted. The first thing to do next is to build a kernel that best suits your system. It’s very simple to do but, in any case, refer to the README file in the /usr/src/linux source directory after uncompressing the archive on your system. When configuring your kernel, only compile in code that you need. A few reasons that come to mind are:

The Kernel will be faster (less code to run);

You will have more memory (Kernel parts are NEVER swapped to the virtual memory);

More stable (Ever probed for a non-existent card?);

Unnecessary parts can be used by an attacker to gain access to the machine or other machines on the network.

Modules are also slower than support compiled directly in the kernel.

In our configuration and compilation we will first show you how to build a monolithic kernel, which is the recommended method for better performance and security, and then a modularized kernel for easy portability between different Linux systems. A monolithic kernel means answering only yes or no to the questions (don’t make anything modular) and omitting the steps make modules and make modules_install.