Linux
In some situations, your applications might require you to build your own operating system or compile a custom kernel. If you compile custom kernels or create custom operating systems for your VMs, ensure that they meet the requirements in this document.
Building a custom operating system is an advanced task for users with applications that specifically require a custom kernel. Most users can create VMs from one of the available public images, use the automated virtual disk import tool to import disks into Compute Engine from other environments, or manually import a custom image from a system with a common stock Linux distribution.
Hardware support requirements
Your kernel must support the following devices:
PCI bridge and ISA bridge.
Ethernet controller: Virtio-Net or gVNIC.
gVNIC is required for second generation Tau T2A, and all third generation and later machine series.
Additionally, gVNIC is required or recommended if you use GPUs on any of the following:
Virtio-Net device identification and offloads:
vendor = 0x1AF4 (Qumranet/Red Hat)
device id = 0x1000, subsystem ID 0x1
Checksum offload is supported
TSO v4 is supported
GRO v4 is supported
SCSI storage controller: Virtio-SCSI (NVMe on newer machine series).
Serial ports: four 16550A serial ports.
Kernel build options
You must build the operating system kernel with the following options:
# Paravirtualization support
CONFIG_KVM_GUEST=y
CONFIG_KVM_CLOCK=y
# PCI devices
CONFIG_VIRTIO_PCI=y
# Disks
CONFIG_SCSI_VIRTIO=y
# Networking
CONFIG_VIRTIO_NET=y
# High-performance interrupt delivery (needed for local SSD devices)
CONFIG_PCI_MSI=y
Kernel security settings
Use the recommended security settings in your kernel build options:
CONFIG_STRICT_DEVMEM=y: Restricts /dev/mem to allow access to only PCI space, BIOS code, and data regions.
CONFIG_DEVKMEM=n: Disables the /dev/kmem device.
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536: Sets the portion of low virtual memory that is protected from userspace allocation.
CONFIG_DEBUG_RODATA=y: Marks the kernel's read-only data as write-protected in the page tables, in order to catch accidental (and incorrect) writes to such const data. This option can have a slight performance impact because a portion of the kernel code won't be covered by a 2 MB TLB anymore.
CONFIG_DEBUG_SET_MODULE_RONX=y: Catches unintended modifications to a loadable kernel module's text and read-only data.
CONFIG_CC_STACKPROTECTOR=y: Enables the -fstack-protector GCC feature. This feature puts a canary value at the beginning of critical functions, on the stack before the return address, and validates the value before actually returning. This also causes stack-based buffer overflows (that need to overwrite this return address) to overwrite the canary, which gets detected and the attack is then neutralized using a kernel panic.
CONFIG_COMPAT_VDSO=n: Answer N here if you are running a sufficiently recent glibc version (2.3.3 or later), to remove the high-mapped VDSO mapping and to exclusively use the randomized VDSO.
CONFIG_COMPAT_BRK=n: Keeps heap (brk) placement randomization enabled.
CONFIG_X86_PAE=y: On 32-bit x86 kernels, PAE is required for NX (no-execute) support.
CONFIG_SYN_COOKIES=y: Provides some protection against SYN flooding.
CONFIG_SECURITY_YAMA=y: Enables the Yama LSM, which extends DAC support with additional kernel-hardening settings (such as ptrace restrictions).
CONFIG_SECURITY_YAMA_STACKED=y: Lets Yama stack with the selected primary LSM.
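The two option lists above are easy to get wrong by hand, especially because a .config file records a disabled option as the comment "# CONFIG_FOO is not set" rather than "CONFIG_FOO=n", and because some of the recommended symbols have been renamed in later kernels. The following checker is an added example, not a Google tool: it parses a .config and reports which required and recommended options are unmet. The REQUIRED and RECOMMENDED tables mirror the page; the RENAMED mapping, the 64-bit handling of CONFIG_X86_PAE, and all function names are assumptions of this example.

```python
"""Check a kernel .config against the Compute Engine options listed above.

Added example; it is not a Google tool.  REQUIRED and RECOMMENDED mirror the
page; RENAMED is an assumption drawn from upstream Kconfig history.
"""
import re

# Options the page says the kernel must be built with.
REQUIRED = {
    "CONFIG_KVM_GUEST": "y",
    "CONFIG_KVM_CLOCK": "y",
    "CONFIG_VIRTIO_PCI": "y",
    "CONFIG_SCSI_VIRTIO": "y",
    "CONFIG_VIRTIO_NET": "y",
    "CONFIG_PCI_MSI": "y",
}

# Hardening options the page recommends.  .config stores every value as
# text, so numeric options are compared as strings.
RECOMMENDED = {
    "CONFIG_STRICT_DEVMEM": "y",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
    "CONFIG_DEBUG_RODATA": "y",
    "CONFIG_DEBUG_SET_MODULE_RONX": "y",
    "CONFIG_CC_STACKPROTECTOR": "y",
    "CONFIG_COMPAT_VDSO": "n",
    "CONFIG_COMPAT_BRK": "n",
    "CONFIG_X86_PAE": "y",
    "CONFIG_SYN_COOKIES": "y",
    "CONFIG_SECURITY_YAMA": "y",
    "CONFIG_SECURITY_YAMA_STACKED": "y",
}

# Later kernels renamed some symbols (assumed mapping: 4.11 introduced the
# STRICT_*_RWX names, 4.18 dropped the CC_ prefix).  The new name satisfies
# the old requirement.
RENAMED = {
    "CONFIG_DEBUG_RODATA": "CONFIG_STRICT_KERNEL_RWX",
    "CONFIG_DEBUG_SET_MODULE_RONX": "CONFIG_STRICT_MODULE_RWX",
    "CONFIG_CC_STACKPROTECTOR": "CONFIG_STACKPROTECTOR",
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Parse .config text into {symbol: value}.

    '# CONFIG_FOO is not set' records 'n'; string values lose their quotes;
    a symbol that never appears is simply absent from the result.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            values[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            values[m.group(1)] = "n"
    return values


def effective(values, sym):
    """Value of sym, else of its renamed successor, else 'n' (absent == off)."""
    if sym in values:
        return values[sym]
    alt = RENAMED.get(sym)
    return values.get(alt, "n") if alt else "n"


def check(values, wanted):
    """Return [(symbol, wanted, actual)] for every option not satisfied."""
    return [(s, w, effective(values, s)) for s, w in wanted.items()
            if effective(values, s) != w]


def audit(text):
    """Return (unmet_required, unmet_recommended) for a .config body."""
    values = parse_kconfig(text)
    wanted = dict(RECOMMENDED)
    if values.get("CONFIG_64BIT") == "y":
        # CONFIG_X86_PAE exists only for 32-bit x86; x86_64 has NX without it.
        wanted.pop("CONFIG_X86_PAE")
    return check(values, REQUIRED), check(values, wanted)


# Constructed sample: a 64-bit config using the renamed symbols, with
# virtio-net built as a module and no Yama stacking switch.
SAMPLE_CONFIG = """\
CONFIG_64BIT=y
CONFIG_KVM_GUEST=y
CONFIG_KVM_CLOCK=y
CONFIG_VIRTIO_PCI=y
CONFIG_SCSI_VIRTIO=y
CONFIG_VIRTIO_NET=m
CONFIG_PCI_MSI=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_STACKPROTECTOR=y
# CONFIG_COMPAT_VDSO is not set
# CONFIG_COMPAT_BRK is not set
CONFIG_SYN_COOKIES=y
CONFIG_SECURITY_YAMA=y
"""
```

Run it against the kernel you are about to ship, for example audit(open("/boot/config-" + os.uname().release).read()) on a test VM, or against the .config in your build tree before compiling. On the constructed sample it reports CONFIG_VIRTIO_NET as "m" where "y" is required (a module is useless if the driver is needed before the root filesystem is mounted) and CONFIG_SECURITY_YAMA_STACKED as unmet; on kernels where that symbol has been removed, drop it from RECOMMENDED rather than silently ignoring all absent symbols.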
You can also harden the security of the kernel through the kernel settings file. Edit the /etc/sysctl.conf file to include the following recommended security settings:
# Enable syn flood protection
net.ipv4.tcp_syncookies = 1
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
# Don't allow traffic between networks or act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Reverse path filtering (IP spoofing protection)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Randomize addresses of mmap base, heap, stack and VDSO page
kernel.randomize_va_space = 2
# Provide protection from ToCToU races
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Make locating kernel addresses more difficult
kernel.kptr_restrict = 1
# Set ptrace protections
kernel.yama.ptrace_scope = 1
# Set perf only available to root
kernel.perf_event_paranoid = 2
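Writing the settings into /etc/sysctl.conf only helps if the running kernel actually applies them: a key such as kernel.yama.ptrace_scope does not exist at all when Yama is not built in, and sysctl silently skips it. The auditor below is an added example, not part of the Compute Engine documentation: it parses sysctl.conf syntax, maps each key to its /proc/sys file (including the slash form sysctl uses for names that contain dots, such as VLAN interfaces), and reports every setting that is missing or differs from the recommendation. The function names, the root parameter and the constructed sample tree are assumptions of this example.

```python
"""Audit a kernel's live sysctl values against a recommended sysctl.conf.

Added example; it is not part of the Compute Engine documentation or of any
Google tool.  It reads /proc/sys by default; `root` can point at another
tree (for example a constructed one, as in the sample below).
"""
import os
import tempfile


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax into {key: value}.

    Blank lines and '#'/';' comments are skipped; whitespace around '=' is
    optional, so 'fs.protected_hardlinks=1' and 'key = 1' parse the same.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def proc_path(key, root="/proc/sys"):
    """Map a sysctl key to its file under /proc/sys.

    Dots separate path components unless the key uses '/', the sysctl(8)
    notation for names that themselves contain dots, e.g. the VLAN interface
    in 'net/ipv4/conf/eth0.100/rp_filter'.
    """
    parts = key.split("/") if "/" in key else key.split(".")
    return os.path.join(root, *parts)


def read_current(key, root="/proc/sys"):
    """Current value as a string, or None if the key does not exist on this
    kernel (e.g. kernel.yama.ptrace_scope when Yama is not built in)."""
    try:
        with open(proc_path(key, root)) as f:
            return f.read().strip()
    except OSError:
        return None


def audit(settings, root="/proc/sys"):
    """Return [(key, wanted, current)] for every setting missing or differing."""
    findings = []
    for key, wanted in settings.items():
        current = read_current(key, root)
        if current != wanted:
            findings.append((key, wanted, current))
    return findings


# Constructed sample: a short sysctl.conf fragment and a fake /proc/sys tree
# standing in for a VM whose kernel has syncookies on, rp_filter off, and no
# Yama LSM.
SAMPLE_CONF = """
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter=1
kernel.yama.ptrace_scope = 1
net/ipv4/conf/eth0.100/log_martians = 1
"""


def make_sample_tree():
    """Build the constructed tree in a temp dir and return its root."""
    root = tempfile.mkdtemp()
    files = {
        "net/ipv4/tcp_syncookies": "1",
        "net/ipv4/conf/all/rp_filter": "0",
        "net/ipv4/conf/eth0.100/log_martians": "1",
    }
    for rel, val in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(val + "\n")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for key, wanted, current in audit(parse_sysctl_conf(SAMPLE_CONF), root):
        print(f"{key}: want {wanted}, have {current!r}")
    # Against the live kernel, after `sysctl -p`:
    # audit(parse_sysctl_conf(open("/etc/sysctl.conf").read()))
```

Run it after sysctl -p (or after a reboot) rather than only checking the file on disk. A value of None in the output means the kernel has no such key, which for kernel.yama.ptrace_scope points back at CONFIG_SECURITY_YAMA in the build options above. Note also that the net.ipv4.conf.all.* keys apply to interfaces that already exist, while net.ipv4.conf.default.* is inherited by interfaces created later, which is why the page sets both.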
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.