Date:      Wed, 9 Nov 2005 00:44:38 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Colin Percival <cperciva@freebsd.org>
Cc:        Richard Bejtlich <taosecurity@gmail.com>, freebsd@voidmain.net, freebsd-stable@freebsd.org
Subject:   Re: What should be in GENERIC? (was Re: Facilitating binary kernel upgrades)
Message-ID:  <20051109003617.U85371@fledge.watson.org>
In-Reply-To: <4370D0A9.4030707@freebsd.org>
References:  <120ef0530511041210s6d3dbee8pc2db36129b44be2c@mail.gmail.com> <436BCA7B.6060700@voidmain.net> <4370D0A9.4030707@freebsd.org>

On Tue, 8 Nov 2005, Colin Percival wrote:

> Tom Grove wrote:
>> Richard Bejtlich wrote:
>>> After speaking with Colin, he mentioned that IPSec, NAT, and disk
>>> quotas (enabled via options QUOTA) are the three most popular kernel
>>> changes that prevent people from running GENERIC and hence using
>>> freebsd-update for binary kernel updates.
>>>
>>> Can anyone shed light on why those three features are not available in
>>> GENERIC?
>>
>> My guess is that just because those are the three most popular kernel
>> changes that prevent people from running GENERIC doesn't mean that the
>> majority of users implement these changes.
>
> I find this argument hard to accept.  The vast majority of FreeBSD users 
> will never need the NFS_ROOT option, and many systems do not even have 
> the hardware for serial or parallel ports, yet those are supported in 
> the GENERIC kernel.

While I agree with you in principle, I think many people would disagree 
with your assertion about serial ports :-).

> In deciding what options should go into the GENERIC kernel, I think the 
> question we should be asking is not "how many people use this?", but 
> instead "would adding this option inconvenience more people than it 
> would help?".

With regard to the specific three kernel options mentioned above:

KAME IPSEC adds significant additional overhead to the processing of every 
packet, and also requires that Giant be held over the entire network 
stack.  Also, as there's a competing IPSEC implementation, FAST_IPSEC, 
it's not clear that all users of IPSEC will want to use KAME IPSEC rather 
than FAST_IPSEC, and right now they are mutually exclusive.  You can argue 
that these are technical problems that need to be fixed, but I think they 
need to be fixed before we change GENERIC, not after.

In 6.x, IPDIVERT no longer needs to be compiled into the kernel.  You can 
load ipdivert.ko, I believe, although I've not personally tested that. 
The natd rc.d start script looks like it will even auto-load it for you 
when nat is started, but again, not personally tested.

In 6.x, UFS disk quotas require that Giant be placed over the entire UFS 
implementation, resulting in significant overhead for users who don't need 
the feature.  Again, an implementation problem, but a good reason to not 
have it in GENERIC until it is fixed.  I expect to see Giant fall off 
quotas in the next minor release or so of 6.x, but it hasn't happened yet.

On the topic of a few of the options you've mentioned:

- A wide range of people do use serial ports frequently with FreeBSD --
   it's the recommended configuration for headless servers (which I promise
   there are a lot of), and it's the recommended configuration for
   debugging.

- NFS_ROOT minimally expands the kernel, but is required for PXE booting
   diskless systems, which is actually quite widely used.  It might more
   usefully be argued that we should have NFS_ROOT there, but not the
   NFSCLIENT or NFSSERVER, as NFS_ROOT really just does minor tweaks and
   inclusions for the nfsclient, which is already loadable as a module.

Robert N M Watson


