Copyright
Copyright (c) 2005-2008 by The Linux Foundation, Inc. This material may be
distributed only subject to the terms and conditions set forth in the Open
Publication License, v1.0 or later (the latest version is available at
http://www.opencontent.org/opl.shtml/).
Distribution of substantively modified versions of this document is prohibited
without the explicit permission of the copyright holder. Other company,
product, or service names may be the trademarks of others.
Linux is a Registered Trademark of Linus Torvalds.
Introduction
Document Organization
Satisfied Requirements
Availability Requirements
AVL.2.0 Single-bit ECC handling
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a mechanism for reporting when hardware error checking and correcting (ECC) detects and/or recovers from a single-bit ECC error.
AVL.2.1 Multi-bit ECC handling
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a panic trigger mechanism when hardware error checking and correcting (ECC) detects multi-bit ECC errors.
AVL.4.1 VM Strict Over-Commit
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the ability to control kernel virtual memory allocation adjustments based on the specific needs of the system. Control of virtual memory shall include but not be limited to the following:
- Heuristic overcommit handling. Obvious overcommits of address space are refused. Used for a typical system. It ensures a seriously wild allocation fails while allowing overcommit to reduce swap usage. root is allowed to allocate slightly more memory in this mode. This is the default.
- Always overcommit. Appropriate for some scientific applications.
- Don't overcommit. The total address space commit for the system is not permitted to exceed swap + a configurable percentage (default is 50) of physical RAM. Depending on the percentage you use, in most situations this means a process will not be killed while accessing pages but will receive errors on memory allocation as appropriate.
AVL.5.3 Process-Level Non-Intrusive Application Monitor
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide control and management capabilities for processes that cannot be altered to incorporate a monitoring API. Such capabilities are known as non-intrusive monitoring. These capabilities must be implemented programmatically using commands or scripts.
Another issue for many such processes is that the start script itself may spawn an application process that is not under the control of the management process. This sub-requirement assumes that this does not happen, and the child process remains under the control of the management entity.
Capabilities required:
- The following capabilities must be enabled for controlling processes:
- The ability to start a process (or a list of processes)
- The ability to stop a process (or a list of processes)
- The following capabilities must be enabled for monitoring processes:
- The ability to detect the unexpected exit of a process
- The ability to configure a set of actions in response to an unexpected exit of a process
- The following services must be provided beyond those currently provided by inittab:
- The ability to configure whether to restart the application if the process dies
- A configurable amount of time to wait before restarting the application
- A limit on the number of times to restart the application
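A minimal sketch of the AVL.5.3 capabilities listed above (start, stop, detect an unexpected exit, run configured actions, restart after a delay, cap the number of restarts), as an added example that is not part of the CGL specification or of any CGL implementation. The class name `ProcessMonitor`, its parameters and the constructed crashing child command are assumptions made for illustration, and it supervises one process rather than a list.

```python
import subprocess
import sys
import time


class ProcessMonitor:
    """Supervise an unmodified program from the outside (no monitoring API)."""

    def __init__(self, argv, restart=True, restart_delay=1.0,
                 max_restarts=3, actions=()):
        self.argv = list(argv)
        self.restart = restart              # restart the application if it dies?
        self.restart_delay = restart_delay  # seconds to wait before restarting
        self.max_restarts = max_restarts    # limit on the number of restarts
        self.actions = list(actions)        # callables(argv, returncode)
        self.proc = None
        self.starts = 0
        self.exit_codes = []                # return codes of unexpected exits
        self.stopping = False

    def start(self):
        """Start the process as a direct child so its exit can be observed."""
        self.stopping = False
        self.proc = subprocess.Popen(self.argv)
        self.starts += 1

    def stop(self, timeout=5.0):
        """Deliberate stop: SIGTERM first, SIGKILL if the child ignores it."""
        self.stopping = True
        if self.proc is not None and self.proc.poll() is None:
            self.proc.terminate()
            try:
                self.proc.wait(timeout=timeout)
            except subprocess.TimeoutExpired:
                self.proc.kill()
                self.proc.wait()

    def supervise(self):
        """Block until a deliberate stop or until the restart budget is spent.

        Any exit that was not requested through stop() counts as unexpected,
        whatever the return code.
        """
        if self.proc is None:
            self.start()
        restarts = 0
        while True:
            code = self.proc.wait()
            if self.stopping:
                return "stopped"
            self.exit_codes.append(code)
            for action in self.actions:     # configured response to the exit
                action(self.argv, code)
            if not self.restart:
                return "exited"
            if restarts >= self.max_restarts:
                return "restart-limit-reached"
            time.sleep(self.restart_delay)
            if self.stopping:               # stop() arrived during the delay
                return "stopped"
            self.start()
            restarts += 1


def demo():
    """Run the monitor against a constructed child that always exits with 3."""
    log = []
    crashing_child = [sys.executable, "-c", "import sys; sys.exit(3)"]
    monitor = ProcessMonitor(
        crashing_child,
        restart_delay=0.05,
        max_restarts=2,
        actions=[lambda argv, code: log.append(f"unexpected exit rc={code}")],
    )
    state = monitor.supervise()
    return state, monitor.starts, monitor.exit_codes, log


if __name__ == "__main__":
    print(demo())
```

The monitor only sees exits of its direct child, which is why the requirement text assumes the start script does not spawn an application process outside the management entity's control.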
AVL.6.0 Disk Predictive Analysis
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide
capabilities to assist in monitoring storage systems. The aim of this support
is to assist in predicting situations likely to lead to failure of disks. This
allows preventive action to be taken to avoid the failure and resulting
disruption of service.
AVL.7.1.1 Multi-Path Access to Storage
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to enable multiple access paths from a node to storage devices. The
software shall determine if multiple paths exist to the same port of the I/O
device.
AVL.7.1.3 Multi-Path Access to Storage
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to enable multiple access paths from a node to storage devices.
Handling a path failure must be automatic.
AVL.7.1.4 Multi-Path Access to Storage
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to enable multiple access paths from a node to storage devices. A
mechanism must be provided for the reactivation of failed paths, allowing them
to be placed back in service.
AVL.7.1.5 Multi-Path Access to Storage
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to enable multiple access paths from a node to storage devices. It
must be possible to automatically determine and configure multiple paths.
AVL.7.1.6 Multi-Path Access to Storage
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to enable multiple access paths from a node to storage devices.
Automatic configuration shall allow automatic multi-path configuration of
complete disks and partitions located on those disks.
AVL.7.1.7 Multi-Path Access to Storage
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to enable multiple access paths from a node to storage devices. A
multipath device feature that allows multipath detection and mapping early in
the boot process must be provided so that the root file system can exist on a
multipath device.
AVL.7.2.2 Advanced Multi-Path Access to Storage
Priority: P3
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to enable multiple access paths from a node to storage devices. The
mechanism should implement swap partition using the multipath mechanism.
AVL.7.2.4 Advanced Multi-Path Access to Storage
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to enable multiple access paths from a node to storage devices. The
mechanism should implement error logging functions that clearly identify the
failing device path.
AVL.8.1 Fast Linux Restart Bypassing System Firmware
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to speed up operating system initialization by bypassing the system
firmware when one instance of Linux reboots to another instance of Linux.
AVL.9.0 Boot Image Fallback Mechanism
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a mechanism that enables a system to fall back to a previous "known good" boot image in the event of a catastrophic boot failure (i.e. failure to boot, panic on boot, failure to initialize HW/SW). System images are captured from the "known good" system and the system reboots to the latest good image. This mechanism would allow an automatic fallback mechanism to protect against problems resulting from system changes, such as program updates, installations, kernel changes, and configuration changes.
AVL.10.0 Application Live Patching
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a mechanism and framework by which a custom application can be built so that it can be upgraded by replacing symbols in its live process. Dynamic replacement of symbols allows a process to access upgraded functions or values without requiring a process restart and in many circumstances can lead to improved process availability and uptime. The mechanism should be applied only to user applications. Patching an underlying distribution software component may result in loss of distribution support.
AVL.13.1 Parallel User Initialization During Startup
Priority: P2
Description: CGL specifies that the user initialization procedure executed by the program /sbin/init shall provide a mechanism to allow multiple init scripts to run in parallel. CGL further specifies that a service is only started once its dependent services have started.
AVL.17.0 Multiple FIB Support
Priority: P3
Description: CGL specifies that Linux shall support multiple Forwarding Information Base (FIB) quick look-up tables with forwarding addresses to allow better server virtualization of overlapping addresses. An FIB is a table that contains a copy of the forwarding information in the IP routing table. All hooks/changes required to support multiple FIBs shall be added.
AVL.21.0 Ethernet link bonding using IPV4
Priority: P1
Description: CGL specifies that carrier grade Linux shall support bonding of multiple Ethernet NICs within a single node using IPV4. The bonding supports the following functions:
- Ethernet link aggregation - Supports multiple Ethernet cards to be bonded for bandwidth aggregation.
- Ethernet link failover - Supports automatic failover of an IP address from one Ethernet NIC to another within a single node using the Ethernet bonding.
Some modes of bonding require IEEE 802.3ad support on switches; however, other modes do not require special protocol support.
AVL.21.1 Ethernet link bonding using IPV6
Priority: P1
Description: CGL specifies that carrier grade Linux shall support bonding of multiple Ethernet NICs within a single node using IPV6. The bonding supports the following functions:
- Ethernet link aggregation - Supports multiple Ethernet cards to be bonded for bandwidth aggregation.
- Ethernet link failover - Supports automatic failover of an IP address from one Ethernet NIC to another within a single node using the Ethernet bonding.
Some modes of bonding require IEEE 802.3ad support on switches; however, other modes do not require special protocol support.
AVL.22.0 Software RAID 1 support
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide RAID 1 (mirroring) support so that the OS maintains duplicate sets of all data on separate disk drives. RAID 1 support shall allow booting off a selected mirror disk drive even if the other drive has failed. The RAID 1 implementation shall provide a user-controllable parameter to throttle the syncing operation. Support can be configured out if desired.
AVL.23.0 Watchdog Timer Pre-Timeout Interrupt
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for a watchdog timer pre-timeout interrupt. Where the hardware supports such a capability an interrupt handler routine will be called before the real timeout occurs.
AVL.24.0 Watchdog Timer Interface Requirements
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the ability to use an interface to reset the hardware watchdog timer, where the hardware supports such a capability. This timeout value shall be a configurable item. A configurable action can be performed when a timeout occurs.
AVL.25.0 Application Heartbeat Monitor
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide an application heartbeat service that allows applications to register to be monitored via specified APIs. The mechanism shall use periodic synchronized events (heartbeats) between an application and the monitor. If a registered application fails to provide a heartbeat, the monitor shall report the events. The application heartbeat service shall be available to any process or sub-process (thread) entity on the system. A process or thread may register for multiple heartbeats.
AVL.26.0 Resilient File System Support
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for the installation of a file system that is resilient against system failures in terms of recovering rapidly upon reboot without requiring a full, traditional fsck. This is normally achieved using logging or journaling techniques.
AVL.27.0 Kernel Live Patching
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a mechanism for symbols, functions, or variables within a running kernel to be replaced with new symbols, functions, or variables. CGL further specifies that this operation be completed without a system shutdown or restart.
Cluster Requirements
CFH.1.0 Cluster Node Failure Detection
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a fast, communication-based cluster node failure mechanism that is reflected in a cluster membership service. At a minimum, the cluster node failure mechanism maintains a list of the nodes that are currently active in the cluster. Changes in cluster membership must result in a membership event that can be monitored by cluster services, applications, and middleware that register to be notified of membership events. Fast node failure detection must not depend on a failing node reporting that the node is failing. However, self-diagnosis may be leveraged to speed up failure detection in the cluster. This requirement does not address the issue of how to prevent failing nodes from accessing shared resources (see CFH.3.0 Application Fail-Over Enabling).
Fast node failure detection shall include the following capabilities:
- Ability to provide cluster membership health monitoring through cluster communication mechanisms.
- Support for multiple, redundant communication paths to check the health of cluster nodes.
- Support for fast failure detection. The guideline is a maximum of 250 ms for failure detection. Since there is a tradeoff between fast failure detection and potentially false failures, the health-monitoring interval must be tunable.
- Ability to provide a cluster-membership change event to middleware and applications.
Cluster node failure detection must use only a small percentage of the total cluster communication bandwidth for membership health monitoring. The guideline is that the bandwidth used by the health monitoring mechanism shall be linear with respect to the number of bytes per second per node.
CFH.2.0 Prevent Failed Node From Corrupting Shared Resources
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a way
to fence a failed or errant node from shared resources, such as SAN storage,
to prevent the failed node from causing damage to shared resources. Since the
surviving nodes in the cluster will want to failover resources, applications,
and/or middleware to other surviving nodes in the cluster, the cluster must
make sure it is safe to do the failover. Killing the failed node is the
easiest and safest way to protect shared resources from a failing node. If a
failing node can detect that it is failing, the failing node could kill itself
(suicide) or disable its ability to access shared resources to augment the
node isolation process. However, the cluster cannot depend on the failing node
to alter the cluster when it is failing, so the cluster must be proactive in
protecting shared resources.
External Specification Dependencies: This
requirement is dependent on hardware to provide a mechanism to reset or
isolate a failed or failing node.
CFH.3.0 Application Fail-Over Enabling
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide
mechanisms for failing over applications in a cluster from one node to
another. Applications and nodes are monitored and a failover mechanism is
invoked when a failure is detected. Once a failure is detected, the
application failover mechanism must determine which policies apply to this
failover scenario and then begin the process to start a standby application or
initiate the re-spawn of an application within 1 second.
Note: The full application failover time is dependent upon application and
node failure detection, the time to apply the failover policies, and the time
it takes to start or restart the application. The aggregate failover time for
an application must allow the cluster to maintain carrier grade application
availability.
CSM.1.0 Storage Network Replication
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a mechanism for storage network replication. The storage network replication shall provide the following:
- A network replication layer that enables RAID-1-like disk mirroring, using a cluster-local network for data.
- Resynchronization of replicated data after node failure and recovery such that replicated data remains available during resynchronization.
CSM.2.0 Cluster-aware Volume Management for Shared Storage
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide management of logical volumes on shared storage from different cluster nodes. Volumes in such an environment are usually on physical disks accessible to multiple nodes. Volume management shall include the following:
- Enabling remote nodes to be informed of volume definition changes.
- Providing consistent and persistent cluster-wide volume names.
- Managing volumes from different cluster nodes consistently.
- Providing support for the striping and concatenation of storage. Clustered mirroring of shared storage is not included in this requirement (see CSM.3.0 Shared Storage Mirroring).
CSM.4.0 Redundant Cluster Storage Path
Priority: P1
Description: CGL specifies that Linux shall provide each cluster node with the ability to have redundant access paths to shared storage. CGL Availability Requirement: AVL.7.1 Multi-Path Access To Storage
CSM.6.0 Cluster File System
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a cluster-wide file system. A clustered file system must allow simultaneous access to shared files by multiple computers. Node failure must be transparent to file system users on all surviving nodes. A clustered file system must provide the same user API and semantics as a file system associated with private, single-node storage.
CSM.7.0 Shared Storage Consistent Access
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a consistent method to access shared storage from different nodes to ensure partition information isn't changed on one node while a partition is in use on another node that would prevent the change.
CCM.2.1 Cluster Communication Service - Logical Addressing
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a
cluster communication service with a socket-based interface that provides
logical addressing for point-to-point and multipoint communication. The
communication service must hide the physical topology of the cluster from
application programs with this logical addressing scheme. Mapping between
logical and physical addresses must be performed transparently. In addition,
there must be no user-level distinction between inter- and intra-node
communications or between user-space and kernel-space messages.
Connection-oriented and connectionless modes must be supported.
CCM.2.2 Cluster Communication Service - Fault Handling
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a reliable communication service that detects a connection failure, aborts the connection, and reports the connection failure. An established connection must react to and report a problem to the application within 100 ms upon any kind of service failure, such as a process or node crash. The connection failure detection requirement must offer controls that allow it to be tailored to specific conditions in different clusters. An example is to allow the specification of the duration of timeouts or the number of lost packets before declaring a connection failed.
CCM.3.0 Redundant Cluster Communication Path
Priority: P1
Description: CGL specifies that Linux shall provide each cluster node the ability to have redundant communication paths to other cluster nodes and for these paths to appear as a single interface to an application. CGL Availability Requirement: AVL.7.3 Redundant Communication Paths
CAF.2.1 Ethernet MAC Address Takeover
Priority: P1
Description: CGL specifies a mechanism to program and announce MAC addresses on Ethernet interfaces so that when a SW Failure event occurs, redundant nodes may begin receiving traffic for failed nodes.
CAF.2.2 IP Takeover
Priority: P1
Description: CGL specifies a mechanism to program and announce IP addresses (using gratuitous ARP) so that when a SW Failure event occurs, redundant nodes may begin receiving traffic for failed nodes.
CDIAG.2.1 Cluster-Wide Identified Application Core Dump
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a cluster-aware application core dump that uniquely identifies which node produced the core dump. For instance, if a diskless node dumps core files to network storage, the core dump will be uniquely identified as originating from that node.
CDIAG.2.2 Cluster-Wide Kernel Crash Dump
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a cluster-aware kernel crash dump that uniquely identifies which node produced the crash dump. For instance, if a diskless node dumps crash data to network storage, the data will be uniquely identified as originating from that node.
CDIAG.2.3 Cluster Wide Log Collection
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a cluster-wide logging mechanism. A cluster-wide log shall contain node identification, message type, and cluster time identification. This cluster-wide log may be implemented as a central log or as the collection of specific node logs.
CDIAG.2.4 Synchronized/Atomic Time Across Cluster
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide cluster-wide time synchronization within 500 ms, and must synchronize within 10 seconds once the time synchronization service is initiated. In a cluster, each node must be synchronized to the same wall-clock time to provide consistency in access times to shared resources (i.e. clustered file system modification and access times) as well as time stamps in cluster-wide logs.
Serviceability Requirements
SMM.3.1 Serial Console Operation
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for a connection to a system console via a serial port on the system where a serial port exists. All output that would appear on a local console must appear on the remote console.
SMM.3.2 Network Console Operation
Priority: P1
Description: CGL specifies that Linux shall provide support for a management console connection via a network port in addition to providing the standard support for a management console connection via a serial port.
SMM.4.0 Persistent Device Naming
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide consistent device naming functionality. The user-space system name of the device shall be maintained when the device is removed and reinstalled even if the device is plugged into a different bus, slot, or adapter. A device name shall be assigned, based on hardware identification information using policies set by the administrator.
SMM.5.0 Kernel Profiling
Priority: P1
Description: CGL specifies that Linux shall support profiling of a running kernel and applications to identify bottlenecks and other kernel and application statistics.
SMM.5.1 Application Profiler (was AVL.19.0)
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a mechanism to profile critical resources of the kernel and applications. The critical resources that are profiled by this mechanism shall include (but are not limited to):
- Time used
- Memory used
- Number of semaphores, mutexes, sockets, and threads/child processes in use
- Number of open files.
Monitoring shall happen at configurable, periodic intervals or as initiated by the user.
SMM.6.0 Boot Cycle Detection
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide support for detecting a repeating reboot cycle due to recurring failures. This detection should happen in user space before system services are started. This type of failure requires a response due to the negative impact of repeatedly bringing up and taking down services. A configurable policy is needed to set thresholds of cycling and desired shutdown actions, such as exponential back off, shutdown, or notifying administrators.
SMM.7.1 Temperature Monitoring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a capability that supports the monitoring of system temperature settings and conditions.
SMM.7.2 Fan Monitoring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a capability that supports the monitoring of system fan settings and conditions.
SMM.7.3 Power Monitoring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a capability that supports the monitoring of system power settings and conditions.
SMM.7.4 Media Monitoring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a capability that supports the monitoring of media settings and conditions for system media, such as hard disks or hardware specific disk sub-systems.
SMM.7.5 Network Monitoring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a capability that supports the monitoring of system network settings and conditions.
SMM.7.6 CPU Monitoring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a capability that supports the monitoring of CPU settings and conditions, such as current utilization totals, per process totals and trends, and current speed settings.
SMM.7.7 Memory Monitoring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a capability that supports the monitoring of memory conditions, such as current utilization totals, and per process totals and trends.
SMM.7.9 Support for Precise Process Accounting
Priority: P2
Description: CGL specifies that carrier grade Linux shall support
precise process accounting of CPU usage. This shall be accomplished by time
stamping various kernel execution paths using the native platform high
resolution counter. This accounting activity shall be run-time configurable,
including partial or total disabling, via the proc file system. When totally
disabled no additional overhead will be measurable. Disabling or enabling
precise accounting shall not affect Linux native tick accounting. All data
shall be accessible from the proc file system. For task per-CPU metrics, a
range of 1 through N rows may be configured such that each row accrues metrics
for one CPU, a range in between 1 and N CPUs (all metrics summed together),
where N is the number of logical CPUs. Additional sub-requirements follow.
Sub-requirement 1: The following metrics shall be accrued on a per-CPU basis:
- Per task CPU usage user, system, interrupt (in tasks context), and time spent on run queue
- System wide CPU usage idle, user, system, interrupt, softirq
- Per task occurrence counts of system calls, signals, reschedules, voluntary blocks, preemption due to higher priority task and preemptions due to time slice expirations.
- System wide occurrence counts of interrupts, system calls, signals, and softirqs, with softirqs grouped by types.
Sub-requirement 2: A per task table of schedule latency counts shall be
implemented such that a schedule latency value is indexed into predetermined
ranges, and the count for that range is incremented. For example a table size
of three will correspond to three scheduling latency ranges such as:
- index 0: 0-10 milliseconds
- index 1: 10-100 milliseconds
- index 2: greater than 100 milliseconds
The table size and ranges may be build-time configurable.
Sub-requirement 3: Certain OS timers and CPU caps may be configured to
increment or expire precisely with the initial list being SIGXCPU,
SIGVTALRM, SIGPROF.
SMM.8.1 Kernel Message Structuring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support that allows the structuring of kernel messages using an event log format to provide more information to identify the problem and its severity, and to allow client applications registered for the fault event to take policy-based corrective action.
SMM.8.2 Platform Signal Handler
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide an infrastructure to allow interrupts generated by "hardware errors" to be logged using the event logging mechanism. A default handler shall be provided.
SMM.8.3 Remote Access to Event Log
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide support for a remote access capability that allows a centralized system to access the Linux OS event log information of a remote system.
SMM.9.0 Disk and Volume Management
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for the installation of a subsystem that supports hard disks to be managed without incurring downtime:
- Physical disks can be grouped into volumes and the volume definitions can be
modified without downtime.
- Filesystems that are defined within volumes can be enlarged without
requiring unmounting.
- Support can be configured out if desired.
SMM.10.0 System Initialization Error Handling Enhancements
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a
mechanism to detect errors during system initialization. When such an
initialization error occurs, this mechanism shall be able to report the event
to a remote system over the network. CGL further specifies the following error
conditions shall apply to this requirement:
- The kernel image fails before init is started
- The init process fails to fully complete the startup initialization to the point where the conventional error reporting mechanisms are available
SMM.13.0 Diskless Systems (was PMS.4.0)
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide for Linux on diskless systems.
SPM.1.0 Remote Package Update and Installation
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a remote software package update feature. The package shall include functions that allow kernel modules and application software to be installed or upgraded remotely, while minimizing downtime of the system. The use of the term "remotely" does not imply a central package management platform, nor does it preclude such a system. This requirement only necessitates that a single device may be upgraded without requiring the administrator to be physically at the device. Note: Due to the wide range of platforms and applications in use, CGL does not specify a specific downtime limit metric. Downtime targets will vary based on the system application.
SPM.2.0 No System Reboot for Upgrade of Kernel Modules
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide remote software installation and upgrade mechanisms that require no system reboots:
- No reboot shall be required to upgrade kernel modules.
- Remote software installation and upgrade mechanisms will not require more reboots than the same upgrade done using the console.
SPM.2.1 No System Reboot for Application Package Update
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide remote software installation and upgrade mechanisms that require no system reboots:
- No reboot shall be required to upgrade user-space applications provided by CGL system software.
SPM.3.0 Version and Dependency Checking via Package Management
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide remote software installation and upgrade capabilities that include provisions for version compatibility and dependency checking at the package level.
SPM.4.0 Upgrade Log
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide remote software installation and upgrade mechanisms that perform transaction logging of dates, times, changes, and the identity of the user performing a change.
SPM.5.0 Manual Software Rollback
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide mechanisms that allow manual rollback to a previous version of software without having to reinstall the previous version.
SFA.1.0 Kernel Panic Handler Enhancements
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide enriched capabilities in response to a system panic. Currently the default system panic behavior is to print a short message to the console and halt the system. CGL systems shall provide a set of configurable functions, including:
- Logging the panic event to the system event log
- Cycling power (rebooting) or powering off
- Forcing a crash dump
CGL shall support enhanced kernel panic reporting, at a minimum supporting proper resolution of in-kernel symbols. This will make kernel panic reports useful to administrators that do not have access to the kernel for which the report was generated.
SFA.2.1 Live Kernel Remote Debugger
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for remote debugging of a live kernel. This shall include support over serial and/or local Ethernet.
SFA.2.2 Dynamic Probe Insertion
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for the ability to dynamically insert software instrumentation into a running system in the kernel or applications.
- The instrumentation must be insertable to any part of the kernel.
- The instrumentation should allow control to be passed to a user-provided module.
- The instrumentation should not require interactive direction, i.e., no user
sitting at the kernel debugger.
- The user-provided modules should have access to data the kernel would
normally be expected to have access to, e.g., hardware registers, kernel
SFA.2.3 User Space Debug Support for Threads
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support to fully enable debugging of multi-threaded programs. This support should allow any actions available for debugging a single-threaded (non-threaded) process be extended to be available for every thread in a multi-threaded process. CGL shall provide specific additional debugging capabilities that are unique to multi-threaded applications:
- Automatic notification of a new thread.
- List of threads and the ability to switch among them.
- Apply specific debug commands to a list of threads.
SFA.2.4 Multithreaded Core Dump Support for Threaded Applications
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for correctly storing core dumps of multi-threaded user-space applications.
SFA.3.0 Kernel Dump: Analysis
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for tools to enable enhanced analysis of kernel dumps. These enhancements must include, but not be limited to, the following capabilities:
- Access to kernel structures
- Virtual-to-physical address translation
- Module access
- Preserve all tools and CPU states
SFA.4.0 Kernel Dump: Limit Scope
Priority: P3
Description: CGL specifies that carrier grade Linux shall provide support for configuring the amount of system information that is retained. The minimum type of configuration would be only kernel memory or all system memory. A way must be provided for a system administrator to specify which type of system dump should be performed.
SFA.10.0 Kernel Dump: Configurable Destinations
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for producing and storing kernel dumps as follows:
- It must be possible to store kernel dumps to disk and across a network.
- Regardless of the specific dump target, dumps must be preserved across the next system boot.
Performance Requirements
PRF.1.1 Low Scheduling Latency
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the
ability to configure the kernel to provide real time support so the scheduling
latency of a given task will not exceed a target defined by the vendor. Based
on commodity hardware commonly supported by Linux, latency responses of less
than 1 millisecond should be considered a reasonable and likely target.
See general information at:
PRF.1.3 1 ms Tick Support
Priority: P1
Description: CGL specifies that carrier grade Linux shall support a 1 ms tick value on all compatible architectures. The base overhead of the timer interrupt handler should remain less than 0.1% of CPU time.
PRF.1.4 High-Resolution Timers
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide high-resolution timer support, as specified by POSIX 1003.1b section 14, Clocks and Timers API.
PRF.1.6 Protecting Against Priority Inversion On Mutex
Priority: P1
Description: CGL specifies that carrier grade Linux shall support a mechanism for protecting against priority inversion when using a mutex to synchronize tasks. This mechanism shall support transitive priority inheritance and resolve cases where several mutexes are owned by the same task. It shall be supported in UP and SMP contexts.
PRF.1.7 Handling Interrupts As Threads
Priority: P1
Description: CGL specifies that carrier grade Linux shall enable interrupt handlers (top half and bottom half) to be handled as task-based processes rather than through the interrupt processing routine mechanism, to allow:
- A mutex-based critical section inside an interrupt handler.
- The ability for an interrupt handler to sleep.
- Prioritization of an interrupt handler based on real-time scheduling priorities.
- Affinity and load-balancing in an SMP.
Context switching overhead should be considered case by case in the application design. The interrupts are divided into a critical urgent part that the kernel needs to execute quickly and a deferrable part. The thread-based interrupt handler should be applied to the deferrable part.
PRF.2.1 Enabling Process Affinity
Priority: P1
Description: CGL specifies that carrier grade Linux shall enable process affinity. Process affinity enables a process to run on an explicitly designated processor. When process affinity is used, it provides more efficient caching. For example, it must be possible to bind real-time processes to specified processors.
PRF.2.2 Enabling Interrupt CPU Affinity
Priority: P1
Description: CGL specifies that carrier grade Linux shall enable interrupt CPU affinity. The interrupts are divided into a critical urgent part that the kernel needs to execute quickly and a deferrable part. CGL should enable interrupt CPU affinity on the critical urgent part. Note: The latest stable kernel enables interrupt affinity based on the /proc configuration interface.
PRF.2.3 (Hyper-Threading) Optimized SMT Support
Priority: P1
Description: CGL specifies that carrier grade Linux shall enable optimized symmetric multi-threading (SMT) processors and interrupt migration between logical processors. Note: The latest stable kernel enables this feature.
PRF.2.4 Support for Task Exclusive Bind to Logical CPU
Priority: P3
Description: CGL specifies that carrier grade Linux shall support
exclusive bind of processes or threads to any number of logical CPUs. Once the
binding is established the logical CPU(s) become exclusively dedicated to the
execution of the bound processes/threads, and idle. CGL further specifies
the following conditions shall also apply to this requirement:
- There must be at least one logical CPU available for unbound tasks. Because
of this, binding need not be supported on systems with only one logical CPU
- A logical CPU is defined as any CPU or part of a CPU/node that Linux
represents as a single processing unit to the user
PRF.3.1 Dynamic allocation with low space loss
Priority: P1
Description: CGL specifies that carrier grade Linux shall allow less than 10% loss of application memory space, due to internal memory usage by the system and by fragmentation during periods of intense dynamic allocation of memory for applications.
PRF.4.2 Support of Gigabit Ethernet Jumbo MTU
Priority: P1
Description: CGL specifies that carrier grade Linux shall enable support for a 9000 byte Maximum Transmission Unit (MTU) for the Gigabit Ethernet protocol to enable lower CPU overhead and better throughput. This shall be a configurable option as some applications may prefer low latency to large message sizes. Hardware support is required.
PRF.5.0 Efficient Low-Level Asynchronous Events
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide an efficient capability for handling a large number of essentially simultaneous asynchronous events arriving on multiple channels, such as multiple sockets or other similar paths.
This mechanism is needed to enforce system scalability and soft real-time responsiveness by reducing contentions appearing at the kernel level, especially under high load.
PRF.6.0 Managing Transient Data
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for a self-resizing file system for transient data that can be limited to a maximum size.
PRF.7.0 Interruptless Ethernet Delivery
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide for the capability for Ethernet drivers to operate in a pure polling mode in which they do not generate interrupts for arriving frames. This is to prevent interrupt-storms from consuming too many CPU cycles. This is primarily an issue for gigabit Ethernet.
PRF.8.0 Network Storage block level Replication Performances
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a network storage replication service with the following performance levels:
- Less than 30% decrease in user throughput compared to local storage access using a network interface and with full available network bandwidth.
- Less than 25% decrease in user throughput during resynchronization of redundant devices compared with normal throughput when devices are synchronized.
PRF.14.0 RAID 0 Support
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide RAID 0 (striping) support that stripes data across multiple disks without any redundant information to enhance performance in either a request-rate-intensive or transfer-rate-intensive environment.
Standards Requirements
STD.1.0 Linux Standard Base Compliance http://www.linuxbase.org
Priority: P1
Description: CGL specifies that carrier grade Linux shall be compliant with the Linux Standard Base (LSB) 3.0. The LSB 3.0 specification has been split into a generic LSB core, a generic module for C++, and a set of architecture specific modules. Required LSB 3.0 modules for CGL are:
- Generic LSB-Core
- Generic LSB-CXX
- For each supported architecture, one LSB-Core module and one LSB-CXX module
The developer may choose to implement more than one architecture platform. In this case, each supported architecture platform shall contain an implementation of at least one architecture specific LSB-Core module and one architecture specific LSB-CXX module.
STD.3.1 SCTP - Base Features
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs below.
- RFC 2960 - The base standard for SCTP.
- RFC 3309 - An RFC that corrects a weakness in the original SCTP for very small packets.
STD.3.2.1 RFC 4460/2960
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the
functionality listed in the RFCs below:
- RFC 2960 - Stream Control Transmission Protocol
- RFC 4460 provides deltas to RFC 2960 along with the suggested fixes.
STD.3.2.2 Extensions to BSD Sockets to support SCTP
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the Internet draft below:
- draft-ietf-tsvwg-sctpsocket-13.txt
Carrier Grade Linux Standards Requirements Definition Version 4.0
STD.3.2.3 RFC 3873 MIB for SCTP
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the Internet draft below.
- RFC 3873, MIB for SCTP
STD.3.2.4 Extension for adding IP addresses to SCTP association
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the
functionality listed in the Internet draft below:
- draft-ietf-tsvwg-addip-sctp-15.txt - An extension to SCTP that allows adding
and removing IP addresses to an existing SCTP association. This extension is
needed to allow for associations that last longer than expiring IPv6
addresses.
STD.3.2.5 RFC 3758 Partial reliability
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the
functionality listed in the RFC below:
- RFC 3758 - An extension to SCTP allowing for partial reliability. Introduces
a mechanism for canceling messages no longer worth sending.
STD.3.2.6 SCTP Threats
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the Internet draft below:
- draft-ietf-tsvwg-sctpthreat-02.txt - Documents additional security issues
that implementers need to address.
STD.3.2.7 SCTP signing chunks
Priority: P3
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the Internet draft below.
- draft-ietf-tsvwg-sctp-auth-04.txt - Allows an SCTP sender to sign chunks using keys shared between the sender and receiver, to prevent blind attacks against the static Verification Tag.
STD.4.1 IPv6 Base Features
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the
IPv6 functionality listed in the RFCs below:
- RFC 2460: IPv6 Specification
- RFC 2463: ICMPv6 for IPv6 Specification
- RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)
- RFC 2462: IPv6 Stateless Address Autoconfiguration
- RFC 1981: Path MTU Discovery for IP version 6
- RFC 3493: Basic Socket Interface Extensions for IPv6
- RFC 3542: Advanced Sockets Application Program Interface (API) for IPv6
- RFC 3587: Global Unicast IPv6 Address Format
- RFC 2710: Multicast Listener Discovery for IPv6
- RFC 3810: Multicast Listener Discovery Version 2
STD.4.2.1 IPv6 Additional Features: RFC 2451 Ciphers
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 2451: The ESP CBC-Mode Cipher Algorithms
STD.4.2.2 IPv6 Additional Features: RFC 4213/2893 Tunnels
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4213, which replaces RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers (IPv6 over IPv4 Tunnel)
STD.4.2.3 IPv6 Additional Features: RFC 3484 Default Address Selection
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 3484: Default Address Selection for Internet Protocol version 6 (IPv6).
STD.4.2.4 IPv6 Additional Features: RFC 3315 Dynamic Host Configuration
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6).
STD.4.2.5 IPv6 Additional Features: RFC 3633 Prefix Options for Dynamic Host Configuration Protocol
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 3633: IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6
STD.4.2.6 IPv6 Additional Features: RFC 4191 Default Router Preferences
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4191: Default Router Preferences, More-Specific Routes, and Load Sharing
STD.4.2.7 IPv6 Additional Features: RFC 2428 FTP Extensions
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 2428: FTP Extensions for IPv6 and NATs
STD.4.2.8 IPv6 Additional Features: RFC 3596 DNS Extensions
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
STD.4.2.9 IPv6 Additional Features: RFC 2874 DNS Address Aggregation and Renumbering
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 2874: DNS Extensions to Support IPv6 Address Aggregation and Renumbering
STD.4.2.10 IPv6 Additional Features: RFC 3646 DNS options for DHCP
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 3646: DNS options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
STD.5.1 IPSec Major CGL Features
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs below.
- RFC 2367: PF_KEY Key Management API, Version 2
- RFC 2401: Security Architecture for the Internet Protocol
- RFC 2402: IP Authentication Header
- RFC 2406: IP Encapsulating Security Payload (ESP)
- RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
- RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
- RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
- RFC 2409: Support for IKE daemon
- RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
- RFC 2451: The ESP CBC-Mode Cipher Algorithms
STD.5.2.1 IPSec Minor CGL Features: RFC 4301 Security Architecture for IP
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4301: Security Architecture for the Internet Protocol (obsoletes 2401)
STD.5.2.2 IPSec Minor CGL Features: RFC 4302 IP Authentication Header
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4302: IP Authentication Header (obsoletes 2402)
STD.5.2.3 IPSec Minor CGL Features: RFC 4303 IP Encapsulating Security Payload
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4303: IP Encapsulating Security Payload (ESP) (obsoletes 2406)
STD.5.2.4 IPSec Minor CGL Features: RFC 4305 Cryptographic Algorithm Requirements
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4305: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) (obsoletes 2402 and 2406)
STD.5.2.5 IPSec Minor CGL Features: RFC 4307 Cryptographic Algorithms for Use in IKE
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2
STD.5.2.6 IPSec Minor CGL Features: RFC 4322 Opportunistic Encryption using IKE
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4322: Opportunistic Encryption using the Internet Key Exchange (IKE) -- This document is not part of the basic set of standards required to support IPSec, but is useful if a customer wants to set up IPSec tunnels without coordinating with the administrators at the other end of the tunnels.
STD.5.2.7 IPSec Minor CGL Features: RFC 4434 AES Algorithm for IKE
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs and internet drafts below:
- RFC 4434: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
STD.6.1 MIPv6 CGL Major Features
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFC below.
- RFC 3775: Mobility Support in IPv6
STD.6.2 MIPv6 Minor CGL Features
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the functionality listed in the RFCs below.
- RFC 3776: Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents.
STD.7.1 SNMP v1, v2, v3
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide SNMPv1, SNMPv2, and SNMPv3 functionality as defined in the RFCs listed below.
STD.7.2 SNMP MIBs for IPv6/IPv4
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the functionality for the SNMP IPv6/IPv4 MIBs as defined by the RFCs listed below:
- RFC 3411: SNMP-FRAMEWORK-MIB.txt
- RFC 3412: SNMP-MPD-MIB.txt
- RFC 3413: SNMP-TARGET-MIB.txt, SNMP-NOTIFICATION-MIB.txt, SNMP-PROXY-MIB.txt
- RFC 3414: SNMP-USER-BASED-SM-MIB.txt
- RFC 3415: SNMP-VIEW-BASED-ACM-MIB.txt
- RFC 2576: SNMP-COMMUNITY-MIB.txt
- RFC 2578: SNMPv2-SMI.txt
- RFC 2579: SNMPv2-TC.txt
- RFC 2580: SNMPv2-CONF.txt
- RFC 3417: SNMPv2-TM.txt
- RFC 3418: SNMPv2-MIB.txt
- RFC 2742: AGENTX-MIB.txt
- RFC 1227: SMUX-MIB.txt
- RFC 3231: DISMAN-SCHEDULE-MIB.txt
- RFC 3165: DISMAN-SCRIPT-MIB.txt
- RFC 2863: IF-MIB.txt
- RFC 2864: IF-INVERTED-STACK-MIB.txt
- RFC 2856: HCNUM-TC.txt
- RFC 3291: INET-ADDRESS-MIB.txt
- RFC 2665: EtherLike-MIB.txt
- RFC 2011: IP-MIB.txt
- RFC 2096: IP-FORWARD-MIB.txt
- RFC 2012: TCP-MIB.txt
- RFC 2013: UDP-MIB.txt
- RFC 2465: IPV6-TC.txt IPV6-MIB.txt
- RFC 2466: IPV6-ICMP-MIB.txt
- RFC 2452: IPV6-TCP-MIB.txt
- RFC 2454: IPV6-UDP-MIB.txt
- RFC 2790: HOST-RESOURCES-MIB.txt, HOST-RESOURCES-TYPES.txt
- RFC 2819: RMON-MIB.txt
- RFC 2788: NETWORK-SERVICES-MIB.txt
- RFC 2789: MTA-MIB.txt
- RFC 1155: RFC1155-SMI.txt
- RFC 1213: RFC1213-MIB.txt
Note: There is currently an ongoing effort within IETF to combine IPv4 and
IPv6 MIBs into unified MIBs. The developer may choose to implement RFC 2011,
RFC 2012, and RFC 2013 instead of RFC 2452, RFC 2454, RFC 2465, and RFC 2466.
STD.8.1 SA Forum AIS http://www.saforum.org
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide the APIs as defined by the SA Forum AIS B.01.01 or a subsequent level of the relevant AIS specification.
STD.8.8 SA Forum HPI http://www.saforum.org
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the functionality defined in the SA Forum HPI B.01.01 specification or a subsequent level of the relevant HPI specification.
STD.9.0 IPMI http://www.intel.com
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the System Management Software (SMS) functionality to interface with the below-listed levels of the Intelligent Platform Management Interface (IPMI):
- IPMI v1.5 specification
- IPMI v2.0 specification
STD.10.0 802.1Q VLAN Endpoint http://www.ieee802.org/1/pages/802.1Q.html
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the functionality defined in the IEEE Std 802.1Q-1998 specification. This standard defines the operation of virtual LAN (VLAN) endpoints that permit the definition, operation and administration of Virtual LAN topologies within a LAN infrastructure.
STD.11.1 Diameter Protocol CGL Major Features
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the
functionality defined in the following RFCs and Internet drafts.
- RFC 3588 (Diameter Base Protocol)
- draft-ietf-eap-rfc2284bis-07.txt
- draft-ietf-aaa-eap-03.txt
STD.17.1 iSCSI Support: RFC 3270 iSCSI http://www.ietf.org
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide support for Internet Small Computer Systems Interface (iSCSI) Initiators. The iSCSI Initiators shall support IPv6, SNMP MIBs, error handling, target discovery, and multiple sessions. This functionality is defined in the following RFCs:
- RFC 3720 - Internet Small Computer Systems Interface (iSCSI)
STD.17.2 iSCSI Support: RFC 3271 iSCSI Naming & Discovery http://www.ietf.org
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide support for Internet Small Computer Systems Interface (iSCSI) Initiators. The iSCSI Initiators shall support IPv6, SNMP MIBs, error handling, target discovery, and multiple sessions. This functionality is defined in the following RFCs:
- RFC 3721 - Internet Small Computer Systems Interface (iSCSI) Naming and Discovery
STD.17.3 iSCSI Support: RFC 3273 iSCSI Securing Block Storage Protocols over IP http://www.ietf.org
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide support for Internet Small Computer Systems Interface (iSCSI) Initiators. The iSCSI Initiators shall support IPv6, SNMP MIBs, error handling, target discovery, and multiple sessions. This functionality is defined in the following RFCs:
- RFC 3723 - Securing Block Storage Protocols over IP
STD.18.1 Differentiated Services: RFC 2474 Definition
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide support for differentiated services for IPv4 protocol as defined by the RFCs below. Differentiated services provide network traffic with different levels of service to enable quality of service and traffic control.
- RFC 2474 - Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
STD.18.2 Differentiated Services: RFC 2475 Definition
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide support for differentiated services for IPv4 protocol as defined by the RFCs below. Differentiated services provide network traffic with different levels of service to enable quality of service and traffic control.
- RFC 2475 - An Architecture for Differentiated Services
Security Requirements
SEC.1.1 Dynamic Kernel Security Module Mechanism
Priority: P1
Description: CGL specifies that carrier grade Linux shall support an interface that allows the addition of new access control policy implementations to the kernel without requiring patching or recompilation. This support must allow for the dynamic loading of such policy implementations. The mechanism must govern all of the kernel objects. This requirement does not specify any particular policies. Objectives Satisfied: O.AUTHORIZE-TOE, O.APPLICATION-TOOLS, O.ENTRY-NON-TECHNICAL
SEC.1.2 Process Containment using File System Restrictions
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for constraining the privileges and access to system resources of a process independently of the user account under which the process runs by limiting a process' access to a subset of the file system hierarchy. This limits the effects of a security compromise of a process (such as a buffer overflow exploit). Objectives Satisfied: O.BYPASS-TOE, O.CONTAINMENT
SEC.1.3 Process Containment Using MAC-based Mechanism
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for constraining the privileges and access to system resources of a process independently of the user account under which the process runs, using a mandatory access control (MAC) mechanism. This limits the effects of a security compromise of a process, such as a buffer overflow exploit, even if it is running as root. Objectives Satisfied: O.BYPASS-TOE, O.CONTAINMENT, O.ACCESS-MALICIOUS
SEC.1.3.1 MAC-based Policy Administration Tools
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide tools for the administration of MAC-based access control policies. These tools should facilitate the creation, maintenance, and management of policies. The tools should provide at least one of a command line or graphical interface. Objectives Satisfied: O.CONTAINMENT, O.APPLICATION-TOOLS, O.ACCESS-MALICIOUS
SEC.1.4 Buffer Overflow Protection
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide at least one mechanism to protect against attacks that exploit the lack of boundary checking in many programs and give an attacker some access to a task's address space by writing outside of buffer bounds. Objectives Satisfied: O.ENTRY, O.ENTRY-SOPHISTICATED
SEC.1.5 Access Control List Support for File Systems
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide access control list (ACL) capabilities on file systems that allow the specification of access rights for multiple users and groups. Objectives Satisfied: O.CONTAINMENT
SEC.2.1 Generic Authentication Modules
Priority: P1
Description: CGL specifies that carrier grade Linux shall support a mechanism for implementing new operating system authentication mechanisms. This support must allow for the dynamic loading of authentication modules. Objectives Satisfied: O.APPLICATION-TOOLS, O.KNOWN-TOE
SEC.2.2 Password Integrity Checking
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide tools to check passwords to ensure they cannot be cracked using common attack methods. These tools shall support at least the DES cipher text format and allow the user to specify rules for rejecting passwords. Objectives Satisfied: O.APPLICATION-TOOLS
SEC.3.1 Auditing
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide auditing mechanisms that flag security-relevant events and alert a system administrator. Objectives Satisfied: O.DETECT-SOPHISTICATED, O.ACCOUNT-TOE, O.DETECT-TOE,
O.OBSERVE-TOE, O.DETECT-SYSTEM, O.ENTRY-TOE
SEC.3.2 Secure Transport of Log Information
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide secure transport of log information over a network to the log files. The transport mechanism shall ensure that the information remains confidential, cannot be modified, is not a replay of an earlier log message, and originated at the source it claims. Objectives Satisfied: O.DETECT-SOPHISTICATED, O.ACCOUNT-TOE, O.DETECT-TOE,
O.OBSERVE-TOE, O.DETECT-SYSTEM
SEC.3.3 Periodic Automated Log Analysis
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a mechanism for periodically and automatically analyzing log files. This mechanism shall be able to generate reports if any suspicious or unrecognized log entry is detected. Objectives Satisfied: O.DETECT-SOPHISTICATED, O.ACCOUNT-TOE, O.DETECT-TOE,
O.OBSERVE-TOE, O.DETECT-SYSTEM
SEC.3.4 Active Log Monitoring
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a mechanism for automatically analyzing security-relevant log information. This mechanism shall be able to generate alarms if criteria set by a system administrator are met. Objectives Satisfied: O.DETECT-SOPHISTICATED, O.ACCOUNT-TOE, O.DETECT-TOE,
O.OBSERVE-TOE, O.DETECT-SYSTEM
SEC.4.1 IPsec
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide IPsec support for network level confidentiality and integrity. The implementation shall conform to RFC 2401, 2402, 2406 and at least one encapsulating security payload (ESP) algorithm such as specified by RFC 2451. Objectives Satisfied: O.APPLICATION-TOOLS, O.NETWORK
SEC.4.2 IKE
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide an Internet Key Exchange (IKE) service to perform standards-based key exchange for IPsec. The service shall conform to RFC 2409. Objectives Satisfied: O.APPLICATION-TOOLS, O.NETWORK
SEC.4.3 PF_KEY Version 2
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide PF_KEY support, as defined by RFC 2367, for key management for the IPsec module and the IKE service. Objectives Satisfied: O.APPLICATION-TOOLS, O.NETWORK
SEC.4.4 PKI Support for Applications
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide basic PKI features, which shall conform to the IETF PKIX standards, specifically RFC 2527, 3279 & 3280. Support for processing certificate revocation lists (CRLs) is required, although a specific delivery mechanism such as HTTP/FTP (RFC 2585) is not specified. Objectives Satisfied: O.ACCESS-TOE, O.APPLICATION-TOOLS, O.NETWORK
SEC.4.5 SSL/TLS Support for Applications
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide basic SSL/TLS support, which shall conform to the legacy SSL and IETF TLS standards. Objectives Satisfied: O.ACCESS-TOE, O.APPLICATION-TOOLS, O.NETWORK
SEC.4.6 PKI Certificate Authority (CA)
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a basic PKI CA service. This service shall conform to the IETF PKIX standards, specifically RFC 2527, 3279 & 3280. Support for the management of certificate revocation lists (CRLs) is required. Certificate management and request protocols as defined by RFC 2527, 3279, and 3280 are not requirements. Objectives Satisfied: O.APPLICATION-TOOLS, O.NETWORK
SEC.5.1 Periodic User-Level File Integrity Checking
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a mechanism to enable a periodic checking of the integrity of files at user-level. Files to be checked are both binary files, which should not change after installation, and text files, such as configuration and log files, which may change. File integrity checks shall be able to be scheduled at any time of the day. The checking mechanism shall be able to send alarms to a system administrator when inconsistencies are detected. Objectives Satisfied: O.DETECT-SOPHISTICATED
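A sketch of the user-level check SEC.5.1 describes, added here as an illustration and not taken from the CGL specification or any distribution. The `static`/`mutable` labels, the function names, and the policy that content drift in a mutable file is reported as INFO rather than ALARM are assumptions.

```python
import hashlib
import os
import stat

def snapshot(path):
    """Return the attributes compared between runs, or None if the file is gone."""
    try:
        st = os.lstat(path)  # lstat: a file swapped for a symlink shows up as a mode change
    except FileNotFoundError:
        return None
    digest = None
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {"sha256": digest, "mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(policy):
    """policy maps path -> 'static' (must not change) or 'mutable' (content may change)."""
    baseline = {}
    for path, kind in policy.items():
        snap = snapshot(path)
        if snap is None:
            raise FileNotFoundError(path)
        baseline[path] = {"kind": kind, "snap": snap}
    return baseline

def check(baseline):
    """Compare current state with the baseline; return (severity, path, reason) tuples."""
    findings = []
    for path, entry in sorted(baseline.items()):
        old, new = entry["snap"], snapshot(path)
        if new is None:
            findings.append(("ALARM", path, "missing"))
            continue
        # Ownership and permission changes are alarms for every file kind.
        for attr in ("mode", "uid", "gid"):
            if new[attr] != old[attr]:
                findings.append(("ALARM", path, attr + " changed"))
        if new["sha256"] != old["sha256"]:
            # Assumed policy: content drift is an alarm only for static files.
            severity = "ALARM" if entry["kind"] == "static" else "INFO"
            findings.append((severity, path, "content changed"))
    return findings
```

Run `check` from cron or a timer at the chosen time of day and forward ALARM findings to the administrator. Keep the baseline somewhere the monitored system cannot rewrite it.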
SEC.7.1 Memory Limits
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for per-process limits for the use of system memory. Objectives Satisfied: O.RESOURCES
SEC.7.2 File System Quotas
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for per-user file system quotas. Objectives Satisfied: O.RESOURCES
SEC.7.3 Process Quotas
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide support for per-user quotas on the number of processes which may be created. Objectives Satisfied: O.RESOURCES
SEC.7.4 Execution Quotas
Priority: P3
Description: CGL specifies that carrier grade Linux shall provide support for per-user CPU execution quotas. Objectives Satisfied: O.RESOURCES
SEC.8 Trusted Platform Module (TPM) Support
Priority: P2
Description: CGL specifies that, if and only if it is installed and executing on a TPM-enabled platform, carrier grade Linux shall provide OS support for the TPM hardware, as defined in TCG TPM Specification, version 2. Objectives Satisfied: O.PHYSICAL
Hardware Requirements
PMT.1.1 IPMI support
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide the functionality defined in the Intelligent Platform Management Interface (IPMI):
- IPMI v1.5 specification
- IPMI v2.0 specification
- See STD.9.0 IPMI.
PMT.1.3 IPMI Accessibility
Priority: P1
Description: CGL specifies that carrier grade Linux shall provide a user space library for manipulating the IPMI directly for IPMI function accessibility. It shall also provide an interface for accessing IPMI functions from kernel space.
PMS.1.0 CPU Throttle
Priority: P2
Description: CGL specifies that carrier grade Linux shall provide a CPU power consumption management capability that enables adjustment of the CPU frequency. Any power, voltage and frequency settings shall be within the allowed range for the hardware.
PMS.5.1 iSCSI Initiator Support
Priority: P1
Description: CGL specifies that carrier grade Linux shall support the iSCSI protocol to enable block level access to SCSI storage devices using the TCP/IP transport. The support shall be compliant with the RFC 3270 specification and should provide iSCSI initiator support. At a minimum the supported iSCSI initiators should be able to authenticate themselves to potential iSCSI targets using the two-way CHAP authentication algorithm. See STD.17.0 iSCSI.
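The two-way CHAP exchange named in PMS.5.1, simulated with both sides in one process, as an added example that is not part of the CGL specification or of any iSCSI implementation. The class names, return strings and secrets are constructed for illustration; the response formula is CHAP with MD5 as defined in RFC 1994.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Target:
    def __init__(self, initiator_secret, own_secret):
        self.initiator_secret, self.own_secret = initiator_secret, own_secret

    def challenge(self):
        self.ident, self.chal = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.chal

    def verify_and_answer(self, response, ident, chal):
        """Check the initiator's response, then answer the initiator's challenge."""
        expected = chap_response(self.ident, self.initiator_secret, self.chal)
        if not hmac.compare_digest(expected, response):
            return None  # initiator failed authentication
        return chap_response(ident, self.own_secret, chal)

class Initiator:
    def __init__(self, own_secret, target_secret):
        self.own_secret, self.target_secret = own_secret, target_secret

    def login(self, target):
        t_id, t_chal = target.challenge()
        my_id, my_chal = os.urandom(1)[0], os.urandom(16)
        while my_chal == t_chal:
            # Never reuse the peer's challenge for the reverse direction (reflection).
            my_chal = os.urandom(16)
        answer = target.verify_and_answer(
            chap_response(t_id, self.own_secret, t_chal), my_id, my_chal)
        if answer is None:
            return "rejected by target"
        # Second direction: the target must prove it knows its own secret.
        expected = chap_response(my_id, self.target_secret, my_chal)
        if not hmac.compare_digest(answer, expected):
            return "target not authenticated"
        return "ok"
```

The two directions use different secrets; with a single shared secret, a peer could answer a challenge by replaying it back to its sender.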
PMS.5.2 iSCSI Initiator IPv6 Support
Priority: P3
Description: CGL specifies that the iSCSI Initiators implemented by carrier grade Linux should support the IPv6 protocol. This would enable the iSCSI Initiator nodes to connect to iSCSI targets that have IPv6 addresses. See STD.4 IPV6 and STD.17.0 iSCSI.
PMS.5.3 iSCSI Target Discovery
Priority: P1
Description: CGL specifies that the iSCSI Initiators implemented by carrier grade Linux shall support the SendTargets Discovery mechanism to discover potential iSCSI targets they can connect to. See STD.17.0 iSCSI.
Appendix A:
To be supplied




