There was a discussion a few moons ago about LTS kernels available for Arch being optimized for server scenarios. There are other kernels also maintained in the arch repository.
One of them is the linux-hardened kernel, which is based on the latest Linux kernel release, i.e. as of today the 6.13 release branch of the Linux kernel. The second one is Linux Kernel 6.6 LTS. The third one is Linux Kernel 6.6 LTS hardened. Surprisingly, there is no hardened version of Linux Kernel 6.12 LTS being maintained.
My question is this: are all the 3 other kernels, i.e. Linux LTS 6.6.x, Linux LTS Hardened 6.6.x and Linux Hardened 6.13.x, also optimized for server scenarios?
Shout-out to @BS86 for his post. Very helpful.
I think there is confusion here. A server-optimized kernel would have kernel parameters tweaked for better networking, for doing multiple things in parallel, or for virtualization.
LTS - just means it does not change so often. So it is better for critical tasks, as it introduces fewer potential bugs / new risks with major changes. A more conservative approach is using Debian, whose central philosophy is stability. An even more conservative approach is using Red Hat, which has 10 years of support per version. So overall you mitigate risk by not changing the product so often, or by making changes small.
Hardened - as the wiki explains https://wiki.archlinux.org/title/Security#Kernel_hardening - has some parameters and some compilation parameters aimed at increasing security.
There are multiple ways to make Linux more secure (see this https://www.reddit.com/r/archlinux/comments/lyco90/comment/gpw7ub0/ ). So it all depends on the system administrator: what type of protection he wants, what risks he expects, and what trade-offs he is willing to make (cost vs performance vs security).
So to try to summarize:
- any kernel can be used as a server kernel
- if you want more stability, don’t change your software often. Example: use LTS, or Debian or Red Hat
- if you want more security - there are multiple ways to make your system secure. A hardened kernel is one of the ways of doing it, for specific purposes, which will not work for everybody
EndeavourOS / Arch is a rolling release distro which has a different philosophy:
- we want to use the latest, and we accept the risk of things breaking because of that
So it all boils down to the needs of a single user - either it is you or an admin in a big corporation. And all those kernels are just tools from a toolset you can choose from.
Thanks @gladykov. What I wanted to know was whether the hardened kernels available in Arch packages are also tuned for better networking, doing multiple things in parallel, or virtualization, just like the LTS kernels are?
I know nothing about it. That does not mean it does not exist.
The information in those topics is out of date. The primary focus of those discussions was the fact that the LTS kernel was compiled with CONFIG_PREEMPT_NONE=y, which is no longer the case.
❯ uname -r
6.12.21-1-lts
❯ zcat /proc/config.gz | grep CONFIG_PREEMPT
CONFIG_PREEMPT_BUILD=y
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
CONFIG_PREEMPT_COUNT=y
CONFIG_PREEMPTION=y
CONFIG_PREEMPT_DYNAMIC=y
CONFIG_PREEMPT_RCU=y
CONFIG_PREEMPT_NOTIFIERS=y
# CONFIG_PREEMPT_TRACER is not set
# CONFIG_PREEMPTIRQ_DELAY_TEST is not set
Nowadays, the LTS kernel uses voluntary preemption and dynamic preemption. Voluntary preemption means preemption is allowed if a task voluntarily yields the CPU, and dynamic preemption means that the kernel can adjust its preemption behavior at runtime (for example, to enable preemption when handling a high-priority task).
linux-hardened uses full preemption, same as the vanilla kernel.
❯ uname -r
6.13.7-hardened1-1-hardened
❯ zcat /proc/config.gz | grep CONFIG_PREEMPT
CONFIG_PREEMPT_BUILD=y
# CONFIG_PREEMPT_NONE is not set
# CONFIG_PREEMPT_VOLUNTARY is not set
CONFIG_PREEMPT=y
# CONFIG_PREEMPT_LAZY is not set
CONFIG_PREEMPT_COUNT=y
CONFIG_PREEMPTION=y
CONFIG_PREEMPT_DYNAMIC=y
CONFIG_PREEMPT_RCU=y
CONFIG_PREEMPT_NOTIFIERS=y
# CONFIG_PREEMPT_TRACER is not set
# CONFIG_PREEMPTIRQ_DELAY_TEST is not set
In general, linux-hardened is more similar to the linux kernel than the linux-lts kernel because that is what it is directly based on.
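As an added example (not code from the thread or from the Arch packages), a small POSIX shell script that turns the CONFIG_PREEMPT* grep above into a one-word answer per kernel, so the LTS and hardened builds can be compared the same way on any box; the three sample configs are constructed from the outputs quoted in this thread.

```shell
#!/bin/sh
# preempt_model: read a kernel config on stdin (output of `zcat /proc/config.gz`
# or the contents of a /boot/config-* file) and print the preemption model it
# was built with: none, voluntary, full, lazy or rt. "+dynamic" is appended
# when CONFIG_PREEMPT_DYNAMIC=y, i.e. the built-in model is only a default and
# can be overridden at boot with preempt=none|voluntary|full on the command line.
preempt_model() {
    cfg=$(cat)
    has() { printf '%s\n' "$cfg" | grep -qx "$1=y"; }
    if   has CONFIG_PREEMPT_RT;        then model=rt
    elif has CONFIG_PREEMPT_LAZY;      then model=lazy
    elif has CONFIG_PREEMPT_NONE;      then model=none
    elif has CONFIG_PREEMPT_VOLUNTARY; then model=voluntary
    elif has CONFIG_PREEMPT;           then model=full
    else echo unknown; return 1
    fi
    if has CONFIG_PREEMPT_DYNAMIC; then echo "$model+dynamic"; else echo "$model"; fi
}

# Constructed samples: the two grep outputs quoted in this thread, plus a third
# showing the CONFIG_PREEMPT_NONE=y build that the older discussions were about.
LTS_CFG='CONFIG_PREEMPT_BUILD=y
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
CONFIG_PREEMPT_DYNAMIC=y'
HARDENED_CFG='CONFIG_PREEMPT_BUILD=y
# CONFIG_PREEMPT_NONE is not set
# CONFIG_PREEMPT_VOLUNTARY is not set
CONFIG_PREEMPT=y
# CONFIG_PREEMPT_LAZY is not set
CONFIG_PREEMPT_DYNAMIC=y'
OLD_LTS_CFG='CONFIG_PREEMPT_NONE=y
# CONFIG_PREEMPT_VOLUNTARY is not set
# CONFIG_PREEMPT is not set'

# Report the running kernel when it exposes its config (CONFIG_IKCONFIG_PROC),
# otherwise fall back to a config file shipped beside the kernel image, if any.
if [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
    printf '%s: ' "$(uname -r)"; zcat /proc/config.gz | preempt_model
elif [ -r "/boot/config-$(uname -r)" ]; then
    printf '%s: ' "$(uname -r)"; preempt_model < "/boot/config-$(uname -r)"
fi
```

Run it on both kernels (or feed it the saved configs) to see "voluntary+dynamic" for linux-lts and "full+dynamic" for linux-hardened; the "+dynamic" part is why the compiled-in default matters less than it used to.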
Thanks @BluishHumility. That cleared up a lot.
The reason why linux-hardened is similar to the linux kernel is that they are of the same branch, i.e. 6.13.x. It is just that linux-hardened is one minor version behind the linux kernel.
I have yet to see a linux-hardened kernel for ver 6.12.x or for ver 6.1.x.