From: Bjoern A. Zeeb
Date: Fri, 10 Feb 2012 16:12:00 +0000
To: Panagiotis Christias
Cc: stable@freebsd.org
Subject: Re: Reducing the need to compile a custom kernel

On 10. Feb 2012, at 15:56 , Panagiotis Christias wrote:

> On 10/2/2012 15:56, Alexander Leidinger wrote:
>> Hi,
>>
>> during some big discussions in the last months on various lists, one of
>> the problems was that some people would like to use freebsd-update but
>> can't as they are using a custom kernel. With all the kernel modules we
>> provide, the need for a custom kernel should be small, but on the other
>> hand, we do not provide a small kernel-skeleton where you can load just
>> the modules you need.
>>
>> This should be easy to change. As a first step I took the generic kernel
>> and removed all devices which are available as modules, e.g. the USB
>> section consists now only of the USB_DEBUG option (so that the module is
>> built like with the current generic kernel). I also removed some storage
>> drivers which are not available as a module. The rationale is, that I
>> can not remove CAM from the kernel config if I let those drivers inside
>> (if those drivers are important enough, someone will probably fix the
>> problem and add the missing pieces to generate a module).
>>
>> Such a kernel would cover situations where people compile their own
>> kernel because they want to get rid of some unused kernel code (and
>> maybe even need the memory this frees up).
>>
>> The question is, is this enough? Or asked differently, why are you
>> compiling a custom kernel in a production environment (so I rule out
>> debug options which are not enabled in GENERIC)? Are there options which
>> you add which you can not add as a module (SW_WATCHDOG comes to my
>> mind)? If yes, which ones and how important are they for you?
>
> Hello,
>
> we are currently using on every server (in order to maintain a single custom kernel) the following options:
>
> IPFIREWALL IPFIREWALL_DEFAULT_TO_ACCEPT

loadable, tunable there for this

> IPFIREWALL_FORWARD
> ROUTETABLES=n

melifaro and I are working on this; he'll fix the netgraph netflow part and I'll fix the #ifdefs and the tunable will be enough.

> Soon, we will also add:
>
> IPSEC IPSEC_FILTERTUNNEL IPSEC_NAT_T crypto enc

IPSEC_FILTERTUNNEL has long been obsolete.

> Finally, once we upgrade our jail setup VIMAGE will be also a must.

I have read that multiple times already and I'd love to but that's a looong way.

The plan might be to one day provide a 2nd kernel to install from and that freebsd-update can handle but we'll see.

/bz

-- 
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!