In some situations, your applications might require you to build your own operating system or compile a custom kernel. If you compile custom kernels or create custom operating systems for your instances, ensure that they meet the requirements in this document.
Building a custom operating system is an advanced task for users whose applications specifically require a custom kernel. Most users should instead create instances from one of the available public images or import a custom image from a system running a common stock Linux distribution.
Hardware support requirements
Your kernel must support the following devices:
- PCI Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
- ISA bridge: Intel 82371AB/EB/MB PIIX4 ISA (rev 03)
- Ethernet controller:
  - Virtio-Net Ethernet Adapter
  - vendor = 0x1AF4 (Qumranet/Red Hat), device id = 0x1000, subsystem ID 0x1
  - Checksum offload is supported
  - TSO v4 is supported
  - UFO is supported
  - GRO v4 is supported
- SCSI Storage Controller:
  - Virtio-SCSI Storage Controller
  - vendor = 0x1AF4 (Qumranet/Red Hat), device id = 0x1004, subsystem ID 0x8
  - SCSI Primary Commands 4 and SCSI Block Commands 3 are supported
  - Only one request queue is supported
  - Persistent disks report 4 KiB physical sectors / 512 byte logical sectors
  - Only block devices (disks) are supported
  - The Hotplug / Events feature bit is supported
- Serial Ports:
  - Four 16550A ports
  - ttyS0 on IRQ 4
  - ttyS1 on IRQ 3
  - ttyS2 on IRQ 6
  - ttyS3 on IRQ 7
Required Linux kernel build options
You must build the operating system kernel with the following options:
- Enable paravirtualization functionality.
- Enable the paravirtualized clock (if it applies to your kernel version).
- Enable paravirtualized PCI devices.
- Enable access to paravirtualized disks.
- Enable access to networking.
- Enable high performance interrupt delivery, which is required for Local SSD devices.
Kernel build options for security
Use the recommended security settings in your kernel build options:
- Disable support for /dev/mem to allow access to only PCI space, BIOS code and data regions.
- Block access to kernel memory.
- Disable support for
- Set low virtual memory that is protected from userspace allocation.
- Mark the kernel read-only data as write-protected in the pagetables, in order to catch accidental (and incorrect) writes to such const data. This option can have a slight performance impact because a portion of the kernel code won't be covered by a 2MB TLB anymore.
- Catches unintended modifications to loadable kernel modules' text and read-only data. This option also prevents execution of module data.
- Enables the -fstack-protector GCC feature. This feature puts a canary value at the beginning of critical functions, on the stack just before the return address, and validates the value just before actually returning. This also causes stack-based buffer overflows (that need to overwrite this return address) to overwrite the canary, which gets detected and the attack is then neutralized using a kernel panic.
- Ensures the VDSO isn't at a predictable address to strengthen ASLR. If enabled, this feature would map the VDSO to the predictable old-style address, providing a predictable location for exploit code to jump to. Say N here if you are running a sufficiently recent glibc version (2.3.3 or later), to remove the high-mapped VDSO mapping and to exclusively use the randomized VDSO.
- Don’t disable heap randomization.
- Set this option for a 32-bit kernel, as PAE is required for NX support. This also enables larger swapspace support for non-overcommit purposes.
- Provides some protection against SYN flooding.
- This selects Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. Currently, the setting is ptrace scope restriction.
- This option forces Yama to stack with the selected primary LSM when Yama is available.
Kernel security settings
You can also harden the security of the kernel through the kernel settings file. Edit the /etc/sysctl.conf file to include the following recommended
# Enable syn flood protection
net.ipv4.tcp_syncookies = 1
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
# Don't allow traffic between networks or act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Reverse path filtering - IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Implement RFC 1337 fix
net.ipv4.tcp_rfc1337 = 1
# Randomize addresses of mmap base, heap, stack and VDSO page
kernel.randomize_va_space = 2
# Provide protection from ToCToU races
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Make locating kernel addresses more difficult
kernel.kptr_restrict = 1
# Set ptrace protections
kernel.yama.ptrace_scope = 1
# Set perf only available to root
kernel.perf_event_paranoid = 2
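Writing the settings into /etc/sysctl.conf only helps if they are actually in effect on the running kernel, so an added example (not part of the original page) that parses a sysctl.conf-style baseline and reports every key that differs from, or is missing in, a snapshot of live values; the snapshot below is constructed to show the drift report and stands in for a real `sysctl -a` capture, and the parser accepts both the `a.b.c` and `a/b/c` key spellings the sysctl tools understand.

```python
# Baseline: a subset of the recommended /etc/sysctl.conf fragment above.
BASELINE = """
# Enable syn flood protection
net.ipv4.tcp_syncookies = 1
# Don't allow traffic between networks or act as a router
net.ipv4.ip_forward = 0
# Randomize addresses of mmap base, heap, stack and VDSO page
kernel.randomize_va_space = 2
# Provide protection from ToCToU races
fs.protected_hardlinks=1
fs.protected_symlinks=1
# Set ptrace protections
kernel.yama.ptrace_scope=1
# Set perf only available to root
kernel.perf_event_paranoid=2
"""

# Constructed snapshot in the "key = value" form that `sysctl -a` prints (not
# real output); it deliberately drifts from the baseline in three places.
CURRENT_SNAPSHOT = """
net.ipv4.tcp_syncookies = 1
net/ipv4/ip_forward = 1
kernel.randomize_va_space = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.yama.ptrace_scope = 0
"""

def parse_sysctl(text):
    """Parse sysctl.conf or `sysctl -a` text into {key: value}. Comment (#, ;)
    and blank lines are skipped, spaces around '=' are optional, and '/' key
    separators are normalised to '.' so both spellings compare equal."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = value
    return settings

def find_deviations(baseline, current):
    """Return [(key, expected, actual)] for baseline keys that differ from or
    are missing in the current snapshot (actual=None), sorted by key."""
    return [(key, want, current.get(key))
            for key, want in sorted(baseline.items()) if current.get(key) != want]

if __name__ == "__main__":
    for key, want, got in find_deviations(parse_sysctl(BASELINE), parse_sysctl(CURRENT_SNAPSHOT)):
        print(f"{key}: expected {want}, found {'unset' if got is None else got}")
```

On a real instance, replace CURRENT_SNAPSHOT with the captured output of `sysctl -a` and BASELINE with the full /etc/sysctl.conf contents.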