Your custom kernels' configs

I thought it might be helpful to share interesting parts of your kernel configs with others, especially with comments!

Let's start with me
#NDIS wrapper ("Project Evil"): runs the vendor's Windows WiFi driver inside the kernel.
#That binary blob executes with full kernel privilege, so only keep it on hosts that need it.
options NDISAPI
device ndis

#IPFW 
options IPFIREWALL
#Log packets matched by rules carrying the "log" keyword. VERBOSE_LIMIT caps the number of
#log entries per rule so a flood cannot fill the log; it can be raised later through
#net.inet.ip.fw.verbose_limit.
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
#The compiled-in default rule (65535) is "deny" unless this option is set. "accept" keeps
#remote access working if the ruleset fails to load after a reboot, at the cost of the host
#being completely open until the rules are in place.
options IPFIREWALL_DEFAULT_TO_ACCEPT
#Forwarding, divert and shaping. Useful for gateways:
#IPFIREWALL_FORWARD enables the "fwd" action, IPDIVERT provides divert sockets (natd),
#DUMMYNET adds the traffic shaper.
options IPFIREWALL_FORWARD
options IPDIVERT
options DUMMYNET   

#This allows me to use a big resolution on the console via the
#line 
# allscreens_flags="-g 132x60 MODE_279" 
#in /etc/rc.conf
options VESA
options SC_PIXEL_MODE

#Disables the Ctrl+Alt+Del reboot at the console 
options SC_DISABLE_REBOOT
#Changes the default console colors
options SC_NORM_ATTR=(FG_GREEN|BG_BLACK)
options SC_KERNEL_CONS_ATTR=(FG_YELLOW|BG_BLACK)
#Allows a very long scrollback on the console (lines of history)
options SC_HISTORY_SIZE=8192

#IPsec (the FAST_IPSEC implementation). crypto is the in-kernel crypto framework,
#cryptodev exposes it to userland via /dev/crypto.
device  crypto
device  cryptodev
options IPSEC

#Various pseudo interfaces, very useful for servers
device vlan                    #802.1Q VLAN tagging
device tap                     #Virtual Ethernet driver
device gre                     #IP over IP tunneling
device if_bridge               #Bridge interface
device carp                    #Common Address Redundancy Protocol
device enc                     #IPsec interface (lets the firewall see decrypted traffic)
device lagg                    #Link aggregation interface

#Yes, two firewalls: ipfw above plus pf, mainly because I like pf's NAT
device pf                      #PF OpenBSD packet-filter firewall
device pflog                   #logging support interface for PF
#Synchronization of the state table between redundant firewalls with carp.
#pfsync traffic is not authenticated on its own, so keep it on a dedicated link.
device pfsync                  #synchronization interface for PF

#ALTQ for pf: queueing disciplines usable in pf.conf queue rules
options         ALTQ
options         ALTQ_CBQ      #Class Based Queueing
options         ALTQ_RED      #Random Early Detection
options         ALTQ_RIO      #RED In/Out
options         ALTQ_HFSC     #Hierarchical Fair Service Curve
options         ALTQ_PRIQ     #Priority Queueing

#Good for http servers. See tuning(7) to know how to use it.
#Accept filters hold a connection in the kernel until data (DATA) or a complete
#HTTP request (HTTP) has arrived, so accept() never returns an idle socket.
options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_HTTP


#NetGraph for a PPTP VPN server/client (pptpgre + ppp + mppc).
#Note that PPTP/MPPE derives its keys from MS-CHAP, which is weak by today's
#standards; prefer IPsec above where the peers support it.
options         NETGRAPH
options         NETGRAPH_BPF
options         NETGRAPH_IFACE
options         NETGRAPH_KSOCKET
options         NETGRAPH_MPPC_ENCRYPTION
options         NETGRAPH_PPP
options         NETGRAPH_PPTPGRE
options         NETGRAPH_SOCKET
options         NETGRAPH_TCPMSS

#This is for polling(4): polling needs a higher HZ, and is then enabled
#per interface with "ifconfig <if> polling".
options         HZ=1000
options         DEVICE_POLLING

PS. May be create thread with some useful sysctl's with comments?
 
Many of those settings do not need a custom kernel...


Less is more:
# Minimal i386 kernel: only what this machine actually uses. Everything else
# can still be loaded at runtime with kldload(8) if it turns out to be needed.
cpu             I686_CPU
ident           kernel

options         SCHED_ULE          # ULE scheduler
options         PREEMPTION         # kernel thread preemption
options         INET               # IPv4
options         INET6              # IPv6
options         SCTP               # Stream Control Transmission Protocol
options         FFS                # Berkeley Fast Filesystem
options         SOFTUPDATES        # FFS soft updates
options         UFS_ACL            # POSIX.1e ACL support on UFS
options         UFS_DIRHASH        # faster lookups in large directories
options         UFS_GJOURNAL       # gjournal-based UFS journaling
# Binary compatibility with older releases. Each one keeps old syscall
# variants reachable from userland; drop the ones no binary on this box needs.
options         COMPAT_FREEBSD4
options         COMPAT_FREEBSD5
options         COMPAT_FREEBSD6
options         COMPAT_FREEBSD7
options         SCSI_DELAY=5000    # delay (in ms) before probing SCSI
options         _KPOSIX_PRIORITY_SCHEDULING  # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV   # install a keyboard CDEV entry in /dev
options         STOP_NMI           # stop CPUs using NMI instead of IPI

options         SMP                # symmetric multiprocessor kernel
device          apic               # I/O APIC

device          eisa
device          pci

device          atkbdc             # AT keyboard controller
device          atkbd              # AT keyboard
device          psm                # PS/2 mouse

device          vga                # VGA video card driver

device          sc                 # syscons console driver

device          pmtimer            # power-management timer
device          loop               # network loopback
device          ether              # Ethernet support
device          tun                # IP tunnel (used by e.g. user ppp / VPN daemons)
device          pty                # pseudo-ttys
device          md                 # memory disk
device          gif                # IPv6/IPv4 tunneling
device          faith              # IPv6-to-IPv4 relaying

device          bpf                # Berkeley packet filter (needed by dhclient, tcpdump)

# No /dev/io and /dev/mem: userland, even as root, gets no raw I/O-port or
# physical-memory access. This shrinks what a compromised root process can do,
# but may break software that needs them (some X servers, for instance).
nodevice        io
nodevice        mem
 
lme@ said:
Please take a look at this project proposal: http://www.freebsd.org/projects/ideas/#p-docsysctl

The sysctls should be documented in the base system, not a forum.

Yeah, thanks for the link, but I meant something like the performance-tuning sysctls that I have on almost every one of my high-load servers.

# Performance-tuning sysctls for high-load servers (sysctl.conf format).
# Maximum listen(2) backlog a socket may request
kern.ipc.somaxconn=4096
# SysV shared memory: max single segment (bytes) and total pages
kern.ipc.shmmax=2147483648
kern.ipc.shmall=32768
# Open-file, per-process file and vnode limits
kern.maxfiles=204800
kern.maxfilesperproc=200000
kern.maxvnodes=200000
# Number of network mbuf clusters
kern.ipc.nmbclusters=200000
# Default TCP socket receive/send buffer sizes (bytes)
net.inet.tcp.recvspace=8192
net.inet.tcp.sendspace=16384
# Ephemeral (outgoing) port range
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.last=65535
# Silently drop packets to closed ports instead of answering with
# ICMP unreachable (UDP) or RST (TCP, 2 = both SYN and non-SYN segments).
# Saves bandwidth under a scan; note it also hides the host from legitimate
# connectivity checks and makes debugging connection refusals harder.
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
# Maximum segment lifetime in ms; TIME_WAIT lasts 2*MSL, so this shortens it
net.inet.tcp.msl=3000
# Maximum number of TIME_WAIT entries
net.inet.tcp.maxtcptw=40960
# Skip TIME_WAIT entirely for connections over loopback
net.inet.tcp.nolocaltimewait=1
# Do not send ICMP redirects
net.inet.ip.redirect=0
# Answer ICMP address-mask requests (default is off; this discloses the
# subnet mask to anyone who asks, so it is not needed on most hosts)
net.inet.icmp.maskrepl=1
# Ignore ICMP redirects received from the network
net.inet.icmp.drop_redirect=1
# Act as a router (forward packets between interfaces); make sure the
# firewall rules cover forwarded traffic before enabling this
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
 
lme@ said:
Please take a look at this project proposal: http://www.freebsd.org/projects/ideas/#p-docsysctl

The sysctls should be documented in the base system, not a forum.

That's a slightly different proposal, though - this would be about "sysctl x y and z are worth looking at", while that project is about providing answers to "what does sysctl x do".

The latter isn't very useful if you don't know about sysctl x in the first place, and that's what a forum thread could be useful for.
 
killabsd:
cpu		I686_CPU
ident		killabsd

options 	SMP			# Symmetric MultiProcessor Kernel
device		apic			# I/O APIC


options		MD_ROOT			# Allow booting from a memory disk root
device		md			# Memory disk

options		SCHED_ULE		# FreeBSD ULE scheduler
options 	PREEMPTION		# Enable kernel thread preemption
options 	INET			# InterNETworking
#options		INET6
options 	FFS			# Berkeley Fast Filesystem
#options		NTFS
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_DIRHASH		# Improve performance on big directories
options 	UFS_GJOURNAL		# Enable gjournal-based UFS journaling
options 	MSDOSFS			# MSDOS Filesystem
options 	CD9660			# ISO 9660 Filesystem
options		UDF			# UDF Filesystem (DVDs)
options		LIBICONV		# Character-set conversion for the *_ICONV options below
options		CD9660_ICONV
options		MSDOSFS_ICONV
#options		NTFS_ICONV
options 	GEOM_LABEL		# Provides labelization
options 	COMPAT_43TTY		# BSD 4.3 TTY compat [KEEP THIS!]
#options		COMPAT_FREEBSD5
#options		COMPAT_FREEBSD4
options		COMPAT_FREEBSD6		# Binary compat with 6.x only; older compat layers left out
options 	SCSI_DELAY=5000		# Delay (in ms) before probing SCSI
options 	SYSVSHM			# SYSV-style shared memory
options 	SYSVMSG			# SYSV-style message queues
options 	SYSVSEM			# SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options 	STOP_NMI		# Stop CPUS using NMI instead of IPI
options 	AUDIT			# Security event auditing (audit(4); enable auditd to actually record)

device		npx			# Math coprocessor (required on i386)

device		pci

device		ata
device		atadisk		# ATA disk drives
device		ataraid		# ATA RAID drives
device		atapicd		# ATAPI CDROM drives
options 	ATA_STATIC_ID	# Static device numbering

device		scbus		# SCSI bus (required for SCSI)
device		ch		# SCSI media changers
device		da		# Direct Access (disks)
device		pass		# Passthrough device (direct SCSI access)
device		ses		# SCSI Environmental Services (and SAF-TE)

device		atkbdc		# AT keyboard controller
device		atkbd		# AT keyboard

device		vga		# VGA video card driver

device		sc		# syscons console driver
options		SC_ALT_MOUSE_IMAGE	# Alternative mouse cursor rendering
options		SC_MOUSE_CHAR=0x3	# Character code used for the mouse cursor
options		SC_HISTORY_SIZE=500	# Lines of console scrollback

options		VESA			# VESA BIOS support, needed for pixel (graphics) console modes
options		SC_PIXEL_MODE

device		pmtimer

device		miibus		# MII bus support
device		rl		# RealTek 8129/8139
device		loop		# Network loopback
device		random		# Entropy device
device		ether		# Ethernet support
device		pty		# Pseudo-ttys (telnet etc)
#device		gif		# IPv6 and IPv4 tunneling
#device		faith		# IPv6-to-IPv4 relaying (translation)
device		firmware	# firmware assist module

device		bpf		# Berkeley packet filter

device		uhci		# UHCI PCI->USB interface
#device		ohci		# OHCI PCI->USB interface
device		ehci		# EHCI PCI->USB interface (USB 2.0)
device		usb		# USB Bus (required)
device		ugen		# Generic
device		uhid		# "Human Interface Devices"
device		umass		# Disks/Mass storage - Requires scbus and da
device		ums		# Mouse

#device		firewire	# FireWire bus code
#device		sbp		# SCSI over FireWire (Requires scbus and da)

device		sound
device		snd_ich

options		GEOM_ELI		# geli(8) disk encryption; needs the crypto framework below
device		crypto

device		splash		# Boot splash screen



sysctl.conf
# Unprivileged users cannot see processes owned by other uids (ps/top)
security.bsd.see_other_uids=0

# No core dumps. Avoids leaving process memory (possibly with secrets) on disk,
# but also removes the dump you would want when debugging a crash.
kern.coredump=0

# Network/IPC buffer tuning, currently disabled (see the note below the file)
#net.inet.tcp.delayed_ack=0
#kern.ipc.maxsockbuf=2097152
#kern.ipc.somaxconn=512
#kern.maxfiles=65536
#kern.maxfilesperproc=32768
#net.inet.tcp.sendspace=65535
#net.inet.tcp.recvspace=65535
#net.inet.udp.recvspace=65535
#net.inet.udp.maxdgram=57344
#net.local.stream.recvspace=65535
#net.local.stream.sendspace=65535
#kern.ipc.nmbclusters=65535

# Let unprivileged users mount filesystems on mount points they own.
# Convenient for removable media; it also means untrusted media can be
# mounted without root, so keep the usual nosuid/nodev caveats in mind.
vfs.usermount=1

# Drop packets to closed ports silently instead of replying (2 = all TCP segments)
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# Randomize the IP ID field so it cannot be used to count or fingerprint hosts
net.inet.ip.random_id=1

Something among the commented-out lines in sysctl.conf caused my rtorrent to make FreeBSD lag when downloading at medium and high speeds.
 
I've never seen the sense in ``optimized custom kernels''.

There is performance improvement vs. the GENERIC kernel, and additional modules can be loaded with kldload(8).

There are only a few options which make some difference and can't be loaded dynamically; you don't need a ``custom kernel'' for that, `echo "option X" >> GENERIC' will do the trick just as well.
 
You're probably right.
However, how much disk space does GENERIC take?
my custom kernel takes 3.9M + modules
This might be important when loading kernel from usb pen-drives


Carpetsmoker said:
There are only a few options which make some difference and can't be loaded dynamically, you don't need a ``custom kernel'' for that, `echo "option X" > GENERIC' will do the trick just as well.

echo "option X" > GENERIC
will erase GENERIC and leave you with an unusable kernel config
you probably mean
echo "option X" >> GENERIC
 
However, how much disk space does GENERIC take?
my custom kernel takes 3.9M + modules
This might be important when loading kernel from usb pen-drives

Of course there are some situations where the GENERIC kernel doesn't suffice for one reason or the other, but in most cases it does.

echo "option X" > GENERIC
will erase GENERIC and leave you with an unusable kernel config
you probably mean
echo "option X" >> GENERIC

Whoops, yes, I meant >> (of course).
 
Carpetsmoker said:
I've never seen the sense in ``optimized custom kernels''.

There is performance improvement vs. the GENERIC kernel, and additional modules can be loaded with kldload(8).
Well, that would be why you don't see any sense in it. Kldload versus built in isn't going to have much difference if any at all. The real reason to do an optimized custom kernel is mainly to take out things.

The main advantage comes from doing things like removing the older cpu revisions, hardware you don't own and such. I tend to even consider removing the hardware that I may or may not need from the main kernel and just loading it via modules as needed.

The reason being that you waste time and energy compiling things you don't need, if it's in the kernel then it's malloced at all times and if I understand correctly can't be unmalloced. Which leads to somewhat more sluggish performance. But admittedly you may or may not notice enough difference to justify the time.
 
Djn said:
That's a slightly different proposal, though - this would be about "sysctl x y and z are worth looking at", while that project is about providing answers to "what does sysctl x do".

The latter isn't very useful if you don't know about sysctl x in the first place, and that's what a forum thread could be useful for.
I'd argue that's what tuning(7) is for.

My kernel config just removes all devices/options for which I have no hardware, then adds in pf and friends.
 
Carpetsmoker said:
... `echo "option X" >> GENERIC' will do the trick just as well.

True, until you need to rebuild GENERIC. The argument can be made that the method you're using merely appends the lines to the end of the file and they should be easy to remove; however, it's advisable to make a copy of GENERIC, name it something else, and do the edits from there.

Also, IIRC, if you sync your system source via csup, GENERIC most likely will be over-written, removing the changes you made. I may be wrong (maybe csup doesn't mess with files that have been edited locally?), but why tempt fate like that? ;)
 
Here be my FAMP/Gateway's config (7.1-PRE)

# Start from the stock GENERIC kernel and add what this gateway needs on top.
include     GENERIC
#include        "SKYNET.nodev"

ident       SKYNET
#options        SMP
#SMP is now included by default in the generic kernel
# ipfw with logging and the "fwd" action.
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_FORWARD
# Compiled-in default rule is "accept": the box is open until the ruleset
# loads, so make sure the rules are applied early at boot.
options     IPFIREWALL_DEFAULT_TO_ACCEPT
# Divert sockets, used by natd.
options         IPDIVERT
# Forwarded packets keep their TTL, so this host does not appear as a hop
# in traceroute; this hides the gateway but also complicates path debugging.
options         IPSTEALTH

# Traffic shaping for ipfw.
options         DUMMYNET

# Netgraph nodes needed for PPPoE on the uplink.
options     NETGRAPH
options     NETGRAPH_ETHER
options     NETGRAPH_PPPOE
options     NETGRAPH_SOCKET

# gmirror software RAID1 support.
options     GEOM_MIRROR

device          sound
device          snd_hda

# AppleTalk networking (see note below; probably no longer needed).
options     NETATALK
# Build without debug symbols.
nomakeoptions   DEBUG

I don't remember why NETATALK is in there, i think it was left over from when I was trying to netboot an ageing macbook from a CD image ...
 