On 10. Feb 2012, at 15:56 , Panagiotis Christias wrote: > On 10/2/2012 15:56, Alexander Leidinger wrote: >> Hi, >> >> during some big discussions in the last monts on various lists, one of >> the problems was that some people would like to use freebsd-update but >> can't as they are using a custom kernel. With all the kernel modules we >> provide, the need for a custom kernel should be small, but on the other >> hand, we do not provide a small kernel-skeleton where you can load just >> the modules you need. >> >> This should be easy to change. As a first step I took the generic kernel >> and removed all devices which are available as modules, e.g. the USB >> section consists now only of the USB_DEBUG option (so that the module is >> build like with the current generic kernel). I also removed some storage >> drivers which are not available as a module. The rationale is, that I >> can not remove CAM from the kernel config if I let those drivers inside >> (if those drivers are important enough, someone will probably fix the >> problem and add the missing pieces to generate a module). >> >> Such a kernel would cover situations where people compile their own >> kernel because they want to get rid of some unused kernel code (and >> maybe even need the memory this frees up). >> >> The question is, is this enough? Or asked differently, why are you >> compiling a custom kernel in a production environment (so I rule out >> debug options which are not enabled in GENERIC)? Are there options which >> you add which you can not add as a module (SW_WATCHDOG comes to my >> mind)? If yes, which ones and how important are they for you? > > Hello, > > we are currently using on every server (in order to maintain a single custom > kernel) the following options: > > IPFIREWALL IPFIREWALL_DEFAULT_TO_ACCEPT
loadable, tunable there for this > IPFIREWALL_FORWARD > ROUTETABLES=n melifaro and I are working on this; he'll fix the netgraph netflow part and I'll fix the #ifdefs and the tunable will be enough. > Soon, we will also add: > > IPSEC IPSEC_FILTERTUNNEL IPSEC_NAT_T crypto enc IPSEC_FILTERTUNNEL has long been obsolete. > Finally, once we upgrade our jail setup VIMAGE will be also a must. I have read that multiple times already and I'd love to but that's a looong way. The plan might be to one day provide a 2nd kernel to install from and that freebsd-update can handle but we'll see. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do! _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
