Sunday 8 April 2012

Jails

A jail lets you separate a system running "in jail" from your base system. It's not virtualization, just separation of multiple live systems, each running in its own environment on the same machine.
A sufficient manual is in the FreeBSD Handbook and in the man page for jail.

1. IP address for jail

Every jail is bound to an IP address. Fortunately we don't need as many network cards as we have jails. We can create IP aliases on the real NIC, create a new loopback interface, or create a loopback and add aliases to that loopback.
Loopbacks are a bit different, so first I'll show an alias on the real NIC.
Another way is to create a sub-interface under the real interface.

Assume you have one interface "rl0" with IP 192.168.1.10/24.
You would like to create the IP alias 192.168.1.20/24 on rl0:
ifconfig rl0 inet 192.168.1.20 netmask 255.255.255.0 alias

Run "ifconfig" to see what has changed.
We want to preserve this alias after a reboot, so edit "rc.conf":
ifconfig_rl0_alias0="192.168.1.20 netmask 255.255.255.0"

2. Preparation of system hierarchy - Handbook version

These steps are normally used when you don't have any base for your own hierarchy (explained later in this post).

mkdir -p /usr/jails/my_jail - the location of the jail. The "jails" directory is created thanks to the "-p" flag.
cd /usr/src/
make buildworld - see the earlier post about compilation.
make installworld DESTDIR=/usr/jails/my_jail
make distribution DESTDIR=/usr/jails/my_jail
mount -t devfs devfs /usr/jails/my_jail/dev

3. Preparation of system hierarchy - my version

I'm not sure if this way is correct, but it works and I have had no problems so far.

This way is connected with the post about dump/restore. As you may recall, what I did was install a minimal FreeBSD installation, do some post-install settings, updates and upgrades, compile some ports and then create a "snapshot" of the system. Every time I start a new "project" or installation, I use this snapshot to skip the time-consuming process of setting up the basic environment. I'll use this method to create the new jail.
Assume you have dumped the system you want to start with.

mkdir -p /usr/jails/my_jail - the same as before
cd /usr/jails/my_jail
restore -r -b 65536 -f /mnt_src/root.dmp
# Change "/mnt_src/root.dmp" to the path of your dump file.
cd /usr/jails/my_jail/var
restore -r -b 65536 -f /mnt_src/var.dmp
cd /usr/jails/my_jail/tmp
restore -r -b 65536 -f /mnt_src/tmp.dmp
cd /usr/jails/my_jail/usr
restore -r -b 65536 -f /mnt_src/usr.dmp

That's it. Just a few more, less important hints:
-remove everything in the /usr/jails/my_jail/var/run directory
-empty the /usr/jails/my_jail/etc/fstab file
-empty the /usr/jails/my_jail/etc/rc.conf file
-remove everything in /usr/jails/my_jail/usr/src
-remove everything in /usr/jails/my_jail/usr/obj
-remove anything else you don't want to have in the jail, or don't want users to have in the jail.
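The cleanup above is easy to get wrong when it is typed with a variable in the path (an empty variable would turn "rm -rf $root/var/run/*" into a cleanup of the host). The script below is an added example, not from the original post: it performs the listed steps on a jail root given as an argument and refuses to touch anything when the argument is empty, "/" or not a directory. The helper names are my own.

```shell
#!/bin/sh
# Added example: empty the parts of a restored dump that must not carry over
# into a new jail root. Paths are relative to the jail root passed as $1.

# prepare_jail_root JAILROOT
# Returns 1 (and touches nothing) if JAILROOT is empty, "/" or not a
# directory, so a mistyped variable can never hit the host's own /var/run.
prepare_jail_root() {
    root=$1
    case "$root" in
        ""|/|/.) echo "refusing to operate on '$root'" >&2; return 1 ;;
    esac
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    [ -d "$root/etc" ] || { echo "no etc/ under $root" >&2; return 1; }

    # Stale pid files of the dumped live system: remove them.
    if [ -d "$root/var/run" ]; then
        find "$root/var/run" -mindepth 1 -delete
    fi

    # The host's fstab and rc.conf mean nothing inside the jail: empty them,
    # keeping the files so later edits do not have to create them.
    : > "$root/etc/fstab"
    : > "$root/etc/rc.conf"

    # Source and object trees belong on the host, not in every jail.
    for tree in usr/src usr/obj; do
        if [ -d "$root/$tree" ]; then
            find "$root/$tree" -mindepth 1 -delete
        fi
    done
    return 0
}

# count_entries DIR: number of entries left under DIR (used for checks).
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}
```

Run it as root on the host with the jail root as the only argument, e.g. prepare_jail_root /usr/jails/my_jail, and review what is left with count_entries before starting the jail.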

4. Configuration of jail

Do that in the "rc.conf" file. You have various options for setting up the jail.
Some essential ones:

#####################
ifconfig_rl0_alias0="192.168.1.20 netmask 255.255.255.0" - you already know this one
#####################
jail_enable="YES"
jail_list="my_jail" - list of jails separated by spaces
jail_set_hostname_allow="NO" - to prevent changing the hostname from inside the jail
#####################
jail_my_jail_rootdir="/usr/jails/my_jail"
jail_my_jail_hostname="MCBSD_Jail"
jail_my_jail_ip="192.168.1.20"
jail_my_jail_devfs_enable="YES"
#####################

As I said, these values are just simple pointers on how to start. Google and the man pages will help you find more options to fulfill your needs.
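One thing worth checking before these lines go into rc.conf: the jail name from jail_list is pasted into variable names (jail_my_jail_rootdir and so on), so it has to be usable as part of a shell variable name. The function below is an added example, not from the post: it prints the per-jail block for the values in section 4 and refuses a name with characters other than letters, digits and underscores (my assumption about what rc.d/jail tolerates; the post's own "my_jail" is fine), a relative root directory, or an address that is not four dotted octets.

```shell
#!/bin/sh
# Added example: generate and sanity-check the per-jail rc.conf lines.

# valid_ipv4 ADDR: true if ADDR is four decimal octets, each 0..255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# jail_rc_entries NAME ROOTDIR HOSTNAME IP
# Prints the four jail_<NAME>_* lines, or returns 1 with a message on stderr.
jail_rc_entries() {
    name=$1; rootdir=$2; host=$3; ip=$4
    # rc.d/jail builds variable names from the jail name (assumption: only
    # letters, digits and underscores are safe; "my-jail" would not expand).
    case "$name" in
        ""|[0-9]*|*[!A-Za-z0-9_]*) echo "bad jail name: '$name'" >&2; return 1 ;;
    esac
    case "$rootdir" in
        /*) ;;
        *) echo "rootdir must be absolute: '$rootdir'" >&2; return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "bad IPv4 address: '$ip'" >&2; return 1; }
    printf 'jail_%s_rootdir="%s"\n' "$name" "$rootdir"
    printf 'jail_%s_hostname="%s"\n' "$name" "$host"
    printf 'jail_%s_ip="%s"\n' "$name" "$ip"
    printf 'jail_%s_devfs_enable="YES"\n' "$name"
}
```

Append the output to /etc/rc.conf (jail_rc_entries my_jail /usr/jails/my_jail MCBSD_Jail 192.168.1.20 >> /etc/rc.conf) and add the name to jail_list by hand; the function deliberately does not edit rc.conf itself.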

5. Managing the jail

/etc/rc.d/jail start
/etc/rc.d/jail stop

jls - lists the running jails
ps - look for "J" in the "STAT" column
jexec - executes commands inside a jail

An example of starting a shell inside the jail:
jls output:
JID  IP Address      Hostname                      Path
 1  192.168.1.20     MCBSD_Jail                   /usr/jails/my_jail

The unique identifier of a jail is the Jail ID, in this case "1".
We want to run tcsh inside the jail:
jexec 1 tcsh - "1" selects the jail and "tcsh" is the command. The path to "tcsh" is resolved from the environment.

After you hit Enter, you will jump into the jail with a tcsh shell. Working in the jail has no effect on the host machine. You can do almost everything you can do in a normal system.
Type exit to leave the shell and thereby the jail.

6. Hints
**Don't forget that a jail is not fully independent. Using a jail comes with some boundaries you will run into. Some of them can be removed or adjusted, some cannot, mainly for security reasons, which is the point of a jail.

**I had some problems with the user/password database. I don't know what the reason was, but to fix it:
pwd_mkdb /etc/master.passwd - in case you have a corrupted pwd database
pwd_mkdb -p /etc/master.passwd - to create /etc/passwd from the pwd database

  
**You can bind a jail to a loopback interface:
ifconfig lo1 create inet 10.10.10.10 netmask 255.255.255.0
After I did this, starting the jail hung. That's because of some services that try to start inside the jail; with a plain jail, mainly sendmail. So edit rc.conf inside the jail to stop sendmail from starting:
sendmail_enable="NONE"

**Be aware of which IP you bind the jails to. Adjust your routing table, firewall permissions, NAT options, redirections... accordingly.

**For more comfort, set up an SSH connection into your jail and possibly use the "screen" command from the "screen" port.

**It's interesting to have a jail with resource restrictions, for security reasons.
To restrict CPU/MEM/... you can use the values in "login.conf" in your jail. Some of them are useful, but for me the CPU one is a bit useless because this value is defined in time. Better than nothing, but I would appreciate this value as a percentage. There is some side workaround, but I haven't tried it yet... Will check.
To restrict disk usage, one way is to use "quota" for particular users in the jail. This method is not ideal for me; I suggest having every jail in a separate file system so it's fully separated from the host system. It depends on how many jails you have; with more jails there is more maintenance time for all those file systems... check the internet for real-life examples.

**Be aware that every jail shares the kernel of the host system.

**Protect the key files inside the jail with the "chflags" command.

**Create one jail with all the modifications and hints above, dump it, and then use it as a template for the others.

**Create your own automated system for maintaining all the jails you have.

**To save disk space, remove the man pages from jails. You can use the ones on your host machine or the internet.

**Check the user database of your jail before putting the jail into production. Look out for accounts that won't be in use.
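A quick way to do that last check is to list only the accounts that can still log in, i.e. whose password hash is not locked and whose shell is not nologin. The script below is an added example (mine, not from the post); it parses a master.passwd file given as an argument and ships with a constructed sample so it can be tried without a jail. The locking conventions it recognises ("*" and the "*LOCKED*" prefix that pw lock adds) are the standard ones; anything else counts as login-capable.

```shell
#!/bin/sh
# Added example: report accounts in a jail's master.passwd that can log in.

# master.passwd(5) fields:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# login_capable_accounts FILE -> one "name uid shell" line per account whose
# hash is neither "*" nor prefixed "*LOCKED*" and whose shell is not nologin.
login_capable_accounts() {
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        NF >= 10 {
            pw = $2; sh = $10
            locked = (pw == "*" || pw ~ /^\*LOCKED\*/)
            nologin = (sh == "" || sh ~ /nologin$/)
            if (!locked && !nologin) print $1, $3, sh
        }' "$1"
}

# write_sample_master_passwd FILE: constructed sample (hashes shortened).
write_sample_master_passwd() {
    cat > "$1" <<'EOF'
# constructed sample of a jail's /etc/master.passwd
root:$6$abc$hashhashhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
olduser:$6$xyz$hashhashhash:1001:1001::0:0:Forgotten test account:/home/olduser:/bin/sh
tester:*LOCKED*$6$xyz$hash:1002:1002::0:0:Locked with pw lock:/home/tester:/bin/sh
EOF
}
```

On the sample it reports root and olduser only; run it against /usr/jails/my_jail/etc/master.passwd and lock (pw -V /usr/jails/my_jail/etc lock olduser) or remove whatever you don't expect to see.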




Saturday 31 March 2012

X Window, Xorg, Fluxbox

Maybe you have already noticed that while you are doing something, you always need to search for something on the internet, have multiple CLIs open, and so on, all at the same time.
One option is to have multiple OSs, but who wants to switch to another one every time you need something?

Installing X Window is not so difficult that you should skip it; what's more difficult is adjusting your X Window, at least if you don't install KDE, GNOME or another heavy environment with a preinstalled desktop.
After a basic installation of X Window and a window manager, you are fully able to run a GUI browser or media player. If you need to adjust window appearance, styles and desktop icons, it takes a lot of time, I think. But in the end you can get a very nice desktop version of the system.

What I don't like at all are environments like KDE and GNOME, at least not on FreeBSD. I don't like junk I don't need, and it takes more time to remove it than to install a light environment and add what you need. I like to have everything under control, so I always start with a light base and then add what I need.

1.Xorg
Xorg is the window server, the bridge between the hardware and what you see on the display.
There is a normal version and a light version of Xorg. I don't know the difference, but of course I'm going to install the light one.
cd /usr/ports/x11/xorg-minimal/
make install clean

The config file for Xorg is "/etc/X11/xorg.conf". Actually there is none by default; you have to create it.
I think the best practice is to have "xorg.conf" generated and then edit it.
Xorg -configure
The above will search for video devices, keyboards... and generate an initial xorg.conf which you can copy to the /etc/X11 directory.

I have an nvidia card, so first the nvidia drivers are essential.
cd /usr/ports/x11/nvidia-driver
make install clean

The nvidia.ko module is installed to "/boot/modules" and you can load it into the system with: kldload nvidia
Then you should be able to run Xorg by typing: Xorg.
Now a black/gray screen appears. If you are not returned to the CLI with some error messages, then everything is OK. Otherwise the only way is to read the error messages and figure out with your friend Google what's going on.
To shut Xorg down, use Alt+F1.

If you want nvidia loaded after booting, put the line below into "/boot/loader.conf":
nvidia_load="YES"

2.Fluxbox
OK, you have an X server which can communicate with the hardware, but what's missing is some software which can work with windows: arrange them, control them...
As I said, I like light systems, and Fluxbox is one of the lightest window managers.
It has many options to adjust and you can create a really nice workplace.
cd /usr/ports/x11-wm/fluxbox/
make install clean
vi /root/.xinitrc - a new file will be created; I use the root account
exec startfluxbox - add this line

Now, to start your window environment, type into the CLI: startx

You should see a gray screen with a bar at the bottom and a clock in the bottom right corner.

3.Hints
The steps above are the basic steps to get started. Everything further is about customizing.
For me, I need two important things at the beginning: firefox and xterm.
Installing firefox is very simple, but the compilation is very long.
cd /usr/ports/www/firefox
make install clean

cd /usr/ports/x11/xterm
make install clean

I don't like the default appearance of xterm.
vi /root/.Xdefaults - a new file will be created; I use the root account
I have the following lines:
xterm*background: black - black background
xterm*foreground: white - white foreground
xterm*faceName: luxi mono - font I prefer
xterm*faceSize: 16 - font size
xterm*selectToClipboard: true - make copy/paste work
xterm*scrollBar: true - visible scrollbar
xterm*rightScrollBar: true - scrollbar on the right side

Finding the right name for a font may be really difficult; I use a simple port to browse through the fonts.
cd /usr/ports/x11-fonts/xfontsel
make install clean

If you want icons on the desktop, you need another port for that.
I will write more about customizing later.


Thursday 29 March 2012

Backup with restore/dump

After the previous post, we have a fresh install with a hardened system (kernel+world) and basic ports installed.
It's a waste of time to install everything again and again on a new machine or jail, or to reinstall the current machine. The solution is to back up the whole system hierarchy and restore it when needed.
One of the methods is the "dd" tool. It has pros and cons for me.
Pros: You can make a mirror of the disk and copy this mirror to a new, unformatted disk.
Cons: With a disk which has been in use for a while you have to zero out the "free" space on the disk. Then you can compress the dd output. Otherwise you will get an output the size of your disk. E.g. you want to back up a disk with a capacity of 320GB. The output would be 320GB in size... because it's more like disk mirroring.
For me, it's faster to install some random FreeBSD version to create the system hierarchy and then restore this system with dump/restore (offline).
###
As you recall, we made a hardened system installation. If you want to restore this system to another machine, there will be a problem. We left in the kernel config only those lines we need to run the system on the current machine. After the restore on another machine, some peripherals/devices won't work. I don't count the "problem" of editing fstab, which is quite normal with every "migration". So be aware of this. I will write about a workaround later.
###
1.Dump
This is the fstab on the test system:
/dev/ada1s4a    /               ufs     rw      1       1
/dev/ada1s4f    /var            ufs     rw      2       2
/dev/ada1s4d    /tmp            ufs     rw      2       2
/dev/ada1s4e    /usr            ufs     rw      2       2
/dev/ada1s4b    none            swap    sw      0       0

Let's say we would like to back up the root directory.
dump -a -h 0 -0 -C 128 -L -f root.dmp /dev/ada1s4a

-a: autosize; I don't use a tape device...
-h 0: I want to exclude some files/dirs from the dump at level 0 (default is level 1).
-0: Level 0, which means a full backup. The other levels are for incremental backups. I don't use "dump" for incremental backups.
-C 128: Use a value from 32 to 128, for example. It's the size of the cache in MB. This is, I think, the only value which can really improve the speed of the process. You can use the "-b" flag (without "-C") to set the block size, but I've tested many options and the best speed I reached was with "-C". With this flag the block size is 65535, I think in kB. Do your own testing: dump e.g. root with various options and check the disk usage in another terminal with the command: iostat -c 20.
-L: To tell dump we are dumping a live system
-f root.dmp: Write to a file. You can use "-f -" to redirect output to stdout and process it via a pipe, etc.
/dev/ada1s4a: This is the partition which is mounted on "/".

With the dump above I reach about 35-40MB/s on a 5400rpm SATA 320GB disk.
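The same dump line is needed once per filesystem (root, var, tmp, usr in the fstab above), and the file names the restore section expects (root.dmp, var.dmp, ...) follow from the mount point. The script below is an added example, not from the post: it reads an fstab, skips swap, comments and noauto entries, and prints one dump command per UFS filesystem with the flags explained above. It only prints the plan, so you can review it before piping it to sh; the sample fstab is constructed from the one shown above plus a noauto line to show the skip.

```shell
#!/bin/sh
# Added example: turn an fstab into a reviewable list of dump commands.

# dump_name MOUNTPOINT -> "root" for "/", otherwise the path with "/" -> "_"
dump_name() {
    case "$1" in
        /) echo root ;;
        *) echo "$1" | sed -e 's,^/,,' -e 's,/,_,g' ;;
    esac
}

# dump_plan FSTAB DESTDIR: prints "dump -a -h 0 -0 -C 128 -L -f DESTDIR/<name>.dmp <device>"
# for every ufs entry that is mounted at boot (comments, swap, noauto skipped).
dump_plan() {
    fstab=$1; dest=$2
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ""|"#"*) continue ;; esac
        [ "$fstype" = ufs ] || continue
        case ",$opts," in *,noauto,*) continue ;; esac
        name=$(dump_name "$mnt")
        echo "dump -a -h 0 -0 -C 128 -L -f $dest/$name.dmp $dev"
    done < "$fstab"
}

# write_sample_fstab FILE: constructed sample based on the fstab shown above.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/ada1s4a    /               ufs     rw      1       1
/dev/ada1s4f    /var            ufs     rw      2       2
/dev/ada1s4d    /tmp            ufs     rw      2       2
/dev/ada1s4e    /usr            ufs     rw      2       2
/dev/ada1s4b    none            swap    sw      0       0
/dev/ada0s1a    /mnt/old        ufs     rw,noauto 0     0
EOF
}
```

Usage on a real system: dump_plan /etc/fstab /mnt_src, check the four lines, then dump_plan /etc/fstab /mnt_src | sh as root. The "-h 0" flag keeps honouring the nodump file flag described in section 3.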

2.Restore
This is not "dd", so you have to have the system hierarchy created.
I don't recommend restoring onto a live system; actually, I haven't tried it.
These are my steps:
I use the PCBSD live DVD to run an independent system, so both the source and the destination are mounted offline. Why PCBSD? Because it's a FreeBSD system, so I know what to expect and how the disks will be named.
You can have the dump files on any media, but I recommend disks, because USB sticks, cards and DVDs are a bottleneck for restore.
mkdir /mnt_src
mkdir /mnt_dst
mount your source media (with the dump files) on /mnt_src
mount your destination on /mnt_dst, e.g. mount -t ufs /dev/ada1s2a /mnt_dst
cd /mnt_dst !!!!!
restore -r -b 65536 -f /mnt_src/root.dmp

-r: restore... :)
-b: block size in kB. Use the value that was used for the dump.
-f: the file from which the restore will read

If you want to restore again for whatever reason, first remove the content from the previous restore. Some dot files are marked with a "secure" flag, so you can't delete them as usual.
chflags -R 0 /mnt_dst
rm -R /mnt_dst/*

With the restore above I reach about 50-55MB/s on a 5400rpm SATA 320GB disk.

3.Excluded files in dump process
Let's say we don't want to dump the file /root/exclude.exc.
First check the current flags: ls -lso /root/exclude.exc
4 -rw-r--r--  1 root  wheel  -  304 Mar 26 01:13 exclude.exc
The "-" in the middle says that this file will be dumped (dump flag, the default).
chflags nodump /root/exclude.exc
Now you can see the new flag in the "ls" output.

To clear the flag, use: chflags dump /root/exclude.exc


Don't forget to use "-h 0" option with dump.
(If you don't want to dump a directory, I'm not sure whether you have to use chflags with the "-R" option or without... try.)

4.Compression of dump files
You can save a lot of space (under some conditions) by compressing the dump files.
gzip -c root.dmp > root.dmp.gz

Install the port "pigz", which is the same as gzip but can use the benefits of multi-core CPUs!
(Be aware that gzip is not for compressing directories! In that case use "tar".)
gzip -c -d root.dmp.gz > root.dmp - use this to unzip.

You can save time and temporary space by compressing on the fly within the dump process. Just redirect dump to stdout and use gzip via a pipe.
E.g. my whole (fresh and ready to go) system is 3.3GB in size and 810MB compressed.

5.Hints
If you have multiple BSD installations on one computer and you have problems booting one of them after a major change (restore, new installation), always check that the system you want to boot has correct "/etc/fstab" information.
E.g. you created a new system with the same structure as your old one, but in a different order, so /dev/ada1s2e on one system is e.g. "var" and on the other system /dev/ada1s4e is e.g. "usr". So it's not just about changing the number "2" to "4" and back.

If you want to make another system bootable, boot one that works and run sysinstall, then the option "Configure" and then "Fdisk". With the letter "S", as in the legend, you can choose which partition is bootable.
Before any change on a live system via "Fdisk", set this before running sysinstall:
sysctl kern.geom.debugflags=16


One essential step after the restore, before booting the new system for the first time, is to remove the following on the new system:
rm -R /var/run/*
That's because if you dump /var of your live system, the content of this directory is dumped too, and the content is the pid files of the currently running processes.
If you start the new system without deleting the content first, to the system it looks as if the services were not stopped, and that causes problems. When the system shuts down, the content is removed by stopping the services, so the system doesn't expect to find anything in this directory after a fresh boot.

Sunday 25 March 2012

Installation/upgrade/settings/hints summary

As I needed to reinstall the whole system, I wrote down some notes as a summary from the beginning up to the last post, plus some new hints.

1. Minimal install
I started with version 9.0-RELEASE. Then you don't have the problems of upgrading to the latest major version, e.g. from 8.2 to 9.0.
The post about installation is in this article.

2. Post install settings
a)Post-install settings include the steps from the articles part1, part2 and part3.
If you already have your settings in your current system and you would like to transfer them, just back up the configuration files and put them into the new system in the same place. Don't forget to install all the ports/packages as before.

b)Edit your "make.conf", for instance like this. Do it before anything else, because from this point on you will compile ports, so let them be compiled in your customized way.

c)HINT: Edit loader.conf. The first important option we need to adjust is the boot delay. By default the delay is 10s. Just put this line into "/boot/loader.conf":
autoboot_delay="1"

d)Install cvsup and fetch the ports tree/source code. Don't forget to refuse what you don't need. I also added to the refuse file:
src/games

Later we will cut off unnecessary features from the compilation. We won't compile games, so we don't need to download them.

e)HINT: As you recall from the multi-threaded source compilation, we can do the same for ports compilation in a very simple way.
cd /usr/ports/Mk/
vi bsd.port.mk
FORCE_MAKE_JOBS=yes
MAKE_JOBS_NUMBER=5

Why 5? As I've noticed, every time you upgrade the ports tree, "bsd.port.mk" is overwritten. So be aware of this. Of course there is a workaround; I have to find it.

f)Install helpful ports like mc, vim... and adjust their configuration.

3. Preparing the compilation of your own kernel/world
The aim is to skip everything unnecessary in the compilation.

a)Make your own kernel config. Edit the GENERIC from the currently downloaded source! GENERIC may differ in content between major versions.

b)HINT: Adjust the "world" compilation by refusing some stuff. This is my example:
cd /etc
touch src.conf
vi src.conf - and this is what I have there:
WITHOUT_ATM=
WITHOUT_BLUETOOTH=
WITHOUT_CALENDAR=
WITHOUT_CVS=
WITHOUT_CTM=
WITHOUT_DICT=
WITHOUT_FLOPPY=
WITHOUT_GAMES=
WITHOUT_HTML=
WITHOUT_IDEA=
WITHOUT_INFO=
WITHOUT_IPFILTER=
WITHOUT_IPFW=
WITHOUT_LEGACY_CONSOLE=
WITHOUT_NCP=
WITHOUT_PORTSNAP=
WITHOUT_PPP=
WITHOUT_ROUTED=

c)HINT: Install "screen". Screen creates virtual terminals which you can detach from and reconnect to without losing content or process output...
For example, you can run the compilation in a virtual terminal, detach from it to get back to the normal shell, do your work, and from time to time switch to the virtual terminal to check the status of the process. You can do the same over an ssh connection: open a terminal, run a command, log off, and another day log back in to the remote machine, reconnect to the virtual terminal and continue with your work.
cd /usr/ports/sysutils/screen
make install clean

Usage example:
I want to create a virtual terminal named "MCBSD": screen -S MCBSD
I do something in the new terminal and I want to switch back to the normal shell:
Ctrl+a, d - this detaches
I want to list the running terminals: screen -ls
I want to reconnect to the MCBSD terminal: screen -r MCBSD
I'm in the MCBSD terminal and want to terminate it because I don't need it anymore: Ctrl+d

d)Edit "make.conf" so that modules are not compiled.

4. Compilation of your own kernel/world
-make a backup of the config files
cd /usr/src
make buildworld
make buildkernel KERNCONF=[your_kernel]
make installkernel KERNCONF=[your_kernel]
-reboot into single user mode. On the boot screen choose the option named something like "boot prompt" and type: "boot -s"
mount -a
cd /usr/src
mergemaster -p - leave everything in the tmp folder
make installworld
mergemaster - leave everything in the tmp folder
-check the differences between the tmp and current files
-manually copy files from the tmp folder to their final destination if needed
make delete-old
make delete-old-libs - be careful: google it first, or don't do it
reboot
-if everything works fine, done
-you can reinstall all your ports; this is what I do

5. Reinstall ports/packages
It's not necessary if everything goes well. But I do it.
HINT: Install "portmaster". You will need it anyway (or another port-mgmt tool).
cd /usr/ports/ports-mgmt/portmaster
make install clean
man portmaster

To reinstall all ports, creating packages after compilation, which saves time later (I'll write about that):
portmaster -a -f -g
Packages are stored in "/usr/ports/packages".

Now you have a fresh system waiting to be backed up.
This is the perfect stage to make a backup of the whole system.
Every time you need to install or reinstall a computer/server, create a new server or even a jail, you do a restore and in a few minutes (a bit longer) you have a fresh system ready to go.


Wednesday 7 March 2012

FreeBSD system upgrade/kernel upgrade 3


1.make.conf

"make.conf" is the configuration file with options for every compilation run via the "make" command, so basically for compiling ports and the system source.
Some points which seem interesting:
*MAKEOBJDIRPREFIX - this is used when compiling the source. The default is "/usr/obj". It's the directory used as the working directory during compilation. You can change it to your own, for example to a ramdisk.
*CPUTYPE?=nocona - I have this value even though I have a Core 2 Duo. According to /usr/src/share/mk/bsd.cpu.mk they are the same. Check the man page for make.conf.
*CFLAGS= -O -pipe - according to the article, "-O" is faster than "-O2"; it defines the optimization. "-pipe" uses pipes instead of files: more memory, less disk space, faster.
*COPTFLAGS= -O -pipe - the same as the previous one, but for kernel compilation.

*LOADER_TFTP_SUPPORT= YES - then you recompile /usr/src/sys/boot and you get a new pxeboot file with TFTP support. PXE has NFS support by default.

###
#SUP=            /usr/bin/csup
#SUPFLAGS=       -L 2
#SUPHOST=        cvsup.sk.FreeBSD.org
#SUPFILE=        /usr/share/examples/cvsup/standard-supfile
#PORTSSUPFILE=   /usr/share/examples/cvsup/ports-supfile
#DOCSUPFILE=     /usr/share/examples/cvsup/doc-supfile
###
#-fill in these files if you want to use "make update" in "/usr/src" as a "general" update for ports, docs and src. I prefer to run each manually.

*NO_MODULES= - leave it without "yes" or "true". It skips module compilation within the kernel build. By default, modules are compiled along with the kernel.
*MODULES_OVERRIDE= - list the modules you want to compile
*WITHOUT_MODULES= - like the previous one, but with the opposite meaning

During your system maintenance you will find more options to put into "make.conf" according to the specific situation.
If you observe problems like compilations ending with errors, the reason may be the CPU optimization flags, so comment them out and try again. Don't forget what you put into the "exclude" options for modules, so that you are not left wondering why your module is missing, wrongly compiled or not working due to a version mismatch.

2.Separate compilation
As you can see, with the "NO_MODULES=" option only the kernel is built.
If you want to keep it like this and compile modules manually afterwards, go to "/usr/src/sys/modules" and run "make". It compiles all modules. You can type "make install" to install them into the "/boot" directory.
Another way, if you want just a particular module, is to go to the appropriate sub-directory of the above path and run "make" and "make install", or instead of "make install" copy the compiled module manually.
Choosing only the modules you need saves time. The hardened kernel compilation takes about 1 minute 45 seconds for me (Acer 8930g with Core 2 Duo T9600 @ 2.8 GHz, 6GB RAM) without modules and with multi-threaded compilation.

Don't forget to have modules of the same version as the kernel, otherwise mismatch errors can appear during module loading.


3.Multi-threaded compilation
Are you wondering why you have fast hardware and the compilation is still slow? Check top during the kernel compilation. See the example.
I have the computer described above (section 2). If I run a standard "make" of the kernel and check top during the compilation, I can see CPU idle around 50% and a load average for the last minute (the first value; the second is for 5 and the third for 15 minutes) around 1.0. That means my CPU is about half asleep. So let's burn the CPU.
We want to achieve 0.0% idle all the time. The magic is to add the "-j [num]" flag to the "make" command. By default it seems just one thread is working. I made a little test with the "num" value, which means the number of jobs during compilation.
For a balanced result, use this (my own) calculation: number of CPUs x2 + 1.
In my case I have two CPUs, so the result is 5.
Compare your own compilation with command:
time make buildkernel KERNCONF=MY_OWN_KERNEL 
and then
time make -j 5 buildkernel KERNCONF=MY_OWN_KERNEL
In my case it's 2min 45s for the first and 1min 40s for the second way.

What about making ports? You use the "make" command as well, right?
In ports, using the "-j" flag frequently breaks the compilation. So if you want to try this flag, do the compilation in parts: "make", "make install", "make clean", and use the flag only for the plain "make". Sometimes it's possible to run make, let it run for a while (20sec), then Ctrl+C so all directories and links are created, and start again with the flagged "make". Yes, these ways are not normal, so rather don't use them. There is a proper workaround for flagged compilation of ports, but that is for another article.

4.Compilation using Ramdisk
There is no huge improvement from compiling source code on a ramdisk, but it's possible anyway, and you can use the ramdisk for anything else.
Why is there no huge improvement?
I use a 7200rpm disk. You probably do too. As you can see in the previous section, with multi-threaded compilation we have 0.0% idle CPU. Already from this value we can say the CPU is the limiting factor of the compilation. You can prove it with the "iostat" command (e.g. iostat -c 50). Disk activity is almost nothing during the compilation. So with a ramdisk we won't get much better read/write speed in this case; the only noticeable improvement is access time, almost zero for RAM compared to disk. So all in all, there is a small performance improvement. In my case the improvement is 5~6s for the kernel compilation above. I think it would be greater for a bigger compilation.
I prefer to create two ramdisks, one for the source and one for "/usr/obj".
mdmfs -s 600M md /mnt - creates and mounts a ramdisk on /mnt for the source
mdmfs -s 200M md /usr/obj
cp -R /usr/src/ /mnt
df or mount - check the mounted disks (should be md0 and md1)
run "make" in the "/mnt" directory
after the operation remove the files, unmount the directories and:
mdconfig -d -u 0 - to remove ramdisk md0
mdconfig -d -u 1 - to remove ramdisk md1

One negative of doing this is that you need a lot of RAM. I mean, for the whole compilation (with world and modules) you need around 1600MB of ramdisk in total. For a kernel-only compilation the space you need is around 800MB.
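The "mdconfig -d -u 0" / "-u 1" cleanup assumes the two ramdisks got units 0 and 1, which is only true if no other md device existed when they were created; detaching the wrong unit pulls the disk out from under whatever is mounted on it. As an added example (not from the post), the function below reads mount output and returns the md unit that backs a given mount point, so the detach step can be driven by the mount point instead of a guessed number. The sample mount output is constructed; detach_ramdisk itself is not exercised here because it needs root on FreeBSD.

```shell
#!/bin/sh
# Added example: look up the md(4) unit behind a mount point before detaching.

# md_unit_for_mount MOUNTPOINT   (reads mount(8) output on stdin)
# Prints the unit number, e.g. "1" for /dev/md1; returns 1 if the mount
# point is absent or is not backed by an md device.
md_unit_for_mount() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            # "/dev/md" is 7 characters, the unit number starts at 8
            if (match($1, /^\/dev\/md[0-9]+$/)) { print substr($1, 8); found = 1 }
            exit
        }
        END { exit found ? 0 : 1 }'
}

# detach_ramdisk MOUNTPOINT: unmount and detach the unit actually backing it.
# Assumed usage after the files on it were removed; requires root.
detach_ramdisk() {
    unit=$(mount | md_unit_for_mount "$1") || {
        echo "$1 is not an md-backed mount" >&2; return 1; }
    umount "$1" && mdconfig -d -u "$unit"
}

# sample_mount_output: constructed mount(8) output for the setup above,
# here with the two ramdisks on md0 and md1.
sample_mount_output() {
    cat <<'EOF'
/dev/ada1s4a on / (ufs, local)
devfs on /dev (devfs, local, multilabel)
/dev/ada1s4f on /var (ufs, local, soft-updates)
/dev/md0 on /mnt (ufs, local)
/dev/md1 on /usr/obj (ufs, local)
EOF
}
```

With this, the end of the procedure becomes detach_ramdisk /mnt and detach_ramdisk /usr/obj, and a request for a mount point that is a regular disk (e.g. /var) is refused instead of detaching md0 by mistake.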

Sunday 4 March 2012

FreeBSD system upgrade/kernel upgrade 2

1. Kernel hardening
Let's check the hierarchy of files we need.
I assume you have the source on your computer according to this post.
cd /usr/src/sys/amd64/conf
You can copy the files I'll write about to /root/kernel, for example.
GENERIC:
-the full default kernel configuration used for a standard installation
NOTES:
-additional options with explanations which you can add to your own kernel
-the NOTES in the amd64 dir. are just for the amd64 architecture. There is another "NOTES" in the "/usr/src/sys/conf" dir. which should be valid for all architectures. Notice that the "universal" "NOTES" is much bigger than the architecture-specific one.
MY_OWN_KERNEL:
-according to the post, I have a symlink of my own kernel configuration from my home directory to this location
-do not edit GENERIC. Copy GENERIC to a file with your own name.

What you should do before you start:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- check that your source tree is the one you want. Make sure you are downloading the right version of the source via the "cvsup" file.
- be aware, mainly with a major upgrade, that GENERIC and other files may change. Imagine you have an old renamed GENERIC in your home dir. and a new one in the source tree. This inconsistency may cause real problems.
- be aware that, mainly with a major upgrade (from one release to another), "world" changes as well. Serious problems may happen if you have an old "world" and a new kernel and modules. It has happened to me, and getting everything back into a "working" state is really annoying, time consuming, googling...
- when updating the kernel only to add/remove options, there shouldn't be a problem with "world", but be aware there can be a dependency on it or on another part of the source.
- most of the problems during compilation and the reboot afterwards are created by INCONSISTENCY.
- as time goes by, you'll forget what you have changed in the kernel configuration. Maybe later you will add a new peripheral or you will need something you disabled in the kernel configuration. So be aware: if something is not working, the problem may be that you don't have adequate support enabled in the kernel.
- have a backup plan ready in case you can't boot. E.g. you can run into a problem after the reboot with mounting: disks have different names than in "/etc/fstab". Download a live Linux CD or a FreeBSD live CD.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 

What to have in the kernel and what not:
After the first clean installation, or before the upgrade, check the "dmesg" command. From this report you know which peripherals you have. So logically, simply put, you can remove the rest from the kernel.
Hardware you have permanently should be compiled into the kernel; the rest can be compiled as modules. On the internet you will find many diverse opinions about it.
Components compiled into the kernel are considered to work faster. I don't think there is a noticeable difference.
Another opinion is that modules are more susceptible to modification by intruders etc., as they are loaded after reboot or on the fly as separate files. So it's a security issue.
Here is a brief of my KERNEL.

MY_OWN_KERNEL:
##############
cpu             HAMMER - in amd64 there is no other option
ident           MY_OWN_KERNEL - name of your configuration
makeoptions     DEBUG=-g
#
options         SCHED_ULE
...
...
device          pci
# From SCHED_ULE to pci, I suggest leaving it as it is. These lines ensure the main functions of the system. But if you are sure you don't need something, comment out the particular line, e.g. IPV6, NFS, MSDOSFS, CD9660...
added: options         COMPAT_LINUX32 - instead of the module
removed: floppy
ATA controllers: left
SCSI controllers: removed
ATA/SCSI peripherals: left
RAID controllers: removed
Keyboard + PS/2: left
AGP: removed
PCMCIA: removed
SERIAL: removed
PARALLEL PORT: removed
NICs: all removed except miibus, alc, ale - leave miibus and the NIC you have
ISA NICs: removed
WLAN: all removed except:
wlan
IEEE80211_DEBUG
IEEE80211_AMPDU_AGE
IEEE80211_SUPPORT_MESH
wlan_wep
wlan_ccmp
wlan_tkip
wlan_amrr
ipw + iwi + iwn - mine. Leave your NIC
Pseudo devices: left
device          bpf: left
USB support: left
...
Everything after USB support I removed. Sound as well; I'll use a module for it.
############## 

Looking back, notice that I removed a lot I do not need. The kernel is now much lighter.
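As an added example, not code from the original post, here is a small POSIX sh script that produces the same kind of "added/removed" summary as the brief above by comparing a custom kernel configuration file against GENERIC. The two sample configuration files it writes are constructed for the demo, and the function names (kconf_entries, kconf_diff, kconf_removed_count, kconf_demo) are my own. The comparison only looks at options/device lines; cpu, ident and makeoptions lines always differ between configs and are skipped.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise what a custom
# FreeBSD kernel config removes from or adds to GENERIC, in the same
# "removed: ... / added: ..." style as the brief above.
# Assumptions: both files use the usual "keyword  value" layout, "#" starts a
# comment, and cpu/ident/makeoptions lines are skipped since they always differ.
LC_ALL=C
export LC_ALL

# kconf_entries FILE -> sorted unique "keyword value" pairs, comments stripped
kconf_entries() {
    sed 's/#.*//' "$1" \
    | awk '$1 == "options" || $1 == "device" ||
           $1 == "nooptions" || $1 == "nodevice" { print $1, $2 }' \
    | sort -u
}

# kconf_diff GENERIC CUSTOM -> "removed: ..." lines, then "added: ..." lines
kconf_diff() {
    _a=$(mktemp) || return 1
    _b=$(mktemp) || return 1
    kconf_entries "$1" > "$_a"
    kconf_entries "$2" > "$_b"
    comm -23 "$_a" "$_b" | sed 's/^/removed: /'   # only in GENERIC
    comm -13 "$_a" "$_b" | sed 's/^/added: /'     # only in the custom config
    rm -f "$_a" "$_b"
}

# kconf_removed_count GENERIC CUSTOM -> number of entries the custom config drops
kconf_removed_count() {
    kconf_diff "$1" "$2" | grep -c '^removed:' || true
}

# kconf_demo -> runs the comparison on two constructed sample configs
kconf_demo() {
    _d=$(mktemp -d) || return 1
    cat > "$_d/GENERIC" <<'EOF'
cpu             HAMMER
ident           GENERIC
makeoptions     DEBUG=-g
options         SCHED_ULE
options         INET6           # IPv6, the kind of thing you may not need
device          pci
device          fdc             # floppy
device          miibus
device          alc
device          sound
EOF
    cat > "$_d/MY_OWN_KERNEL" <<'EOF'
cpu             HAMMER
ident           MY_OWN_KERNEL
options         SCHED_ULE
options         COMPAT_LINUX32  # added instead of loading the module
device          pci
device          miibus
device          alc
EOF
    kconf_diff "$_d/GENERIC" "$_d/MY_OWN_KERNEL"
    rm -rf "$_d"
}
```

Running kconf_demo prints the removed entries first and the added ones after, so the output can be pasted straight into your notes. That is exactly the record the INCONSISTENCY warning above asks for: months later you still know what differs from GENERIC.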

2. Kernel additional features
Features from the amd64 "NOTES" file that look interesting to implement in the kernel:
- watchdog (software/hardware)
- device polling
- VESA
- I2C
- LINPROCFS
Features from the general "NOTES" file that look interesting to implement in the kernel:
- disk encryption
- IPSEC
- ALTQ
- PF, of course
- bridge interface
- link aggregation
- IPSEC interface
- IPFIREWALL - I use PF
- QUOTA

In the traditional way, as you compile the kernel, you compile the modules at the same time. There are hundreds of modules; together they take about 300 MB, I think.
There is a way to compile the kernel and modules separately. More in the next post.

The last post about upgrading will be about separate compilation of kernel and modules, "make.conf" adjustment, multi-threaded compilation, and compilation using a RAM disk.

Thursday 1 March 2012

FreeBSD system upgrade/kernel upgrade 1

Previously I showed how to upgrade the ports tree and update ports.
It is very important to have the ports up to date, but from time to time it is also important to have the system up to date, or you lack functionality or performance; that is the reason for an upgrade.

I have noticed a utility written by a FreeBSD developer, named freebsd-update. I have really no experience with it, and now I am going to show how to upgrade manually, so you can see the whole "background" of the process.
The mentioned utility provides a way to upgrade the OS or install security patches from fetched binaries. Binaries are compiled source code, so the process is much quicker, I assume.
Anyway, I will show you the older way. This utility is a nice idea for a next topic (why not make the process easier if it is possible), but I think it is still important to know the background even when there are useful utilities like "freebsd-update".

As the first step, back up all config files, data, ... you never know what can happen.

1. Download source code
First, we have to download the source code of the system version we are going to upgrade to.
For example, I use 8.2 and I want to upgrade the whole system to 9.0.
I am upgrading without preparation, so anything can happen.
The source code location is "/usr/src/". If there is something in it already, delete it or back it up.
As you can recall, we used "cvsup" to download the ports tree. We will use the same utility for downloading the source code.
cp /usr/share/examples/cvsup/stable-supfile /root/cvsup/
chmod 600 /root/cvsup/stable-supfile
Edit these lines in the above file:
*default host=cvsup.sk.FreeBSD.org # use your favorite server
*default release=cvs tag=RELENG_9_0 # 9.0 will be fetched
Run cvsup:
cvsup -L 2 /root/cvsup/stable-supfile


2. Customize make.conf
There is a file named "make.conf" in "/etc/". I do not know the real performance results of doing this, but it is a habit to specify the CPU type and characteristics for the compiler to make the compilation more effective. I will write about this in a further article, as there is no room now.

3. Kernel hardening
This really needs an individual article. The kernel is the brain, or core, of our OS (FreeBSD). In some cases, like a high-performance network server, database server or any other focused use of FreeBSD, it is best practice to remove all unnecessary ballast from the kernel and, on the other hand, add features and functionality which are not included in the standard kernel.
Basically, all you need you can do within the running live kernel, but the difference is that you adjust the source and this source gets compiled into the binary. The result is faster processing of data and queries... and security as well.

We will skip this step and use the "GENERIC" standard kernel configuration, the same as we would get from a CD installation.

Even though we are going to use the default configuration, make a copy of GENERIC into your own file. Just copy and rename; editing will be part of the next article.
cd /usr/src/sys/amd64/conf - use the i386 directory instead of amd64 when you use the i386 architecture
cp GENERIC /root/kernel/MY_OWN_KERNEL
ln -s /root/kernel/MY_OWN_KERNEL - a nice tip from the handbook, because your kernel configuration should be placed in the "conf" directory, I think. This way your kernel configuration is stored in a separate directory and you create a symbolic link to it in the "conf" directory.

4. Compilation
You can make dinner during the compilation. The process takes a lot of time, even assuming everything goes without problems.
We can make it shorter with hardening, so that at the end the system compiles just what you need. Now we have chosen the standard compilation without hardening, so everything must be compiled. We will get a "universal" system for general use.
In case your compilation fails, clean the "/usr/obj" directory and start over.

*
If it is not your purpose to upgrade to a higher version of the OS, if it is just a matter of rebuilding the kernel for whatever reason, you do not need to run make buildworld. Then the process is much easier and quicker: all you need is make buildkernel and make installkernel.
*

make buildworld - this is the most time-consuming step. It builds the components surrounding the kernel, at least as far as I know...
make buildkernel KERNCONF=MY_OWN_KERNEL
make installkernel KERNCONF=MY_OWN_KERNEL
reboot to single-user mode - check the menu during the boot sequence. We do this because in single-user mode only the base system is running, so we can update files from "world" for services which would normally be running.
mount -a - if mount does not work, try the full path to mount
cd /usr/src
mergemaster -p - I suggest leaving the new files, so they will be written to a temp directory; then compare and adjust them manually against the existing ones. Follow the wizard.
make installworld
mergemaster
reboot


Now check "uname -a" and check whether everything works as it should.
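As an added example, not code from the original post, here is a sh script with a few pre-flight checks that cover the hints below before you start the buildworld/buildkernel/installkernel sequence: the source tree is present, the kernel configuration file whose name you pass to KERNCONF= exists in the right conf directory and its ident line matches, the architecture directory matches the machine, a kernel.old exists to roll back to, and "/" has enough free space (300 MB in the post). The function names (free_mb, kernconf_ok, arch_matches, old_kernel_present, preflight) and the directory arguments are my own, so the checks can be tried on a scratch tree instead of a live /usr/src.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks to run
# before "make buildworld / buildkernel / installkernel". The 300 MB figure and
# the conf-directory layout follow the post; the directory arguments are there
# so the checks can be exercised on a scratch tree (assumption: the layout
# sys/ARCH/conf/NAME as in /usr/src).

# free_mb DIR -> free space (whole MB) on the filesystem that holds DIR
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# kernconf_ok SRCDIR ARCH NAME -> 0 when SRCDIR/sys/ARCH/conf/NAME is readable
# (a symlink into /root/kernel is fine) and its "ident" line matches its name,
# which is what KERNCONF= expects
kernconf_ok() {
    _f="$1/sys/$2/conf/$3"
    [ -r "$_f" ] || return 1
    grep -q "^ident[[:space:]][[:space:]]*$3[[:space:]]*\$" "$_f"
}

# arch_matches ARCH -> 0 when ARCH equals the running machine architecture
# (hint 1: amd64 vs i386); uname -m reports it on FreeBSD
arch_matches() {
    [ "$1" = "$(uname -m)" ]
}

# old_kernel_present BOOTDIR -> 0 when a kernel.old backup exists to roll back to
# (installkernel keeps the previous kernel there; assumption: standard layout)
old_kernel_present() {
    [ -f "$1/kernel.old/kernel" ]
}

# preflight SRCDIR ARCH NAME ROOTDIR MINMB -> one "ok:"/"FAIL:" line per check,
# nonzero exit if any check failed
preflight() {
    _rc=0
    if [ -f "$1/Makefile" ]; then
        echo "ok: source tree at $1"
    else
        echo "FAIL: no Makefile in $1 (run cvsup first)"; _rc=1
    fi
    if kernconf_ok "$1" "$2" "$3"; then
        echo "ok: kernel config $3 found under sys/$2/conf"
    else
        echo "FAIL: kernel config $3 missing or its ident line differs"; _rc=1
    fi
    _mb=$(free_mb "$4")
    if [ "$_mb" -ge "$5" ]; then
        echo "ok: ${_mb} MB free on $4"
    else
        echo "FAIL: only ${_mb} MB free on $4, need $5 MB for the kernel backup"; _rc=1
    fi
    return $_rc
}
```

On a real system you would call it as "preflight /usr/src amd64 MY_OWN_KERNEL / 300" (plus "arch_matches amd64" and "old_kernel_present /boot" after the first installkernel) and refuse to continue on any FAIL line. The ident check matters because a name mismatch between the file and its ident line is an easy way to end up with the inconsistency the first section warns about.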


5. Hints
1. Make sure your kernel comes from the right architecture.
2. Make sure you have at least 300M free space in "/", because your old kernel will be backed up in the "/boot" directory so you can roll back.
3. If you have problems during compilation, try to uncomment the CPU tunings in "make.conf" and try again.
4. In my case I did the upgrade from 8.2 to 9.0. It is quite a huge step, and it ended with problems.
My system boots right, but many ports and kernel modules are not working properly. The system freezes frequently due to the mismatch between the installed ports and the new libraries from "world".
My situation is more complicated because I use FreeBSD as a desktop, so I have more ports and more libraries running, so more problems can show up.
I have noticed that as I reinstalled some ports, some problems disappeared, but some still exist.
Maybe the solution would be to reinstall everything you have. Another way is to install the new version of the OS from media, then install everything you need and restore the config files from backup. Or, as I mentioned at the beginning of this article, there is the original update tool from FreeBSD; I assume fewer problems using this utility, as the upgrade process I showed is quite knowledge-demanding and a lot of problems may occur after this "raw" upgrade. Anyway, it is at least the best way to learn about the system.

Summarized, this way of upgrading is not bad, but first have a great knowledge of your system before the upgrade. Document what you have installed, what modules are loaded, what is more important to keep running and what is not, have a backup scenario, and so on...
It seems complicated, and this is just because FreeBSD is so powerful and you need to subdue it. Once the system is running OK, it will keep running right like this forever, so it is worth it.

In the next article I will show something about make.conf adjustment and kernel hardening, so you can have a system focused just on your needs, which leads to better performance and security.