New FAQ topic: Should I edit my kernel configuration?/Should I build a custom kernel?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
A new question/answer has been added to the FAQ in the sticky post at the top of this forum. Please review it and add suggestions/corrections to this thread. I'm particularly interested in additional information about NetBSD and whether the generic/default kernel ever has reason to be user-modified.
In the future when posters seek advice about custom kernels, you may point them to this FAQ entry (unless of course they have a reason for a custom config).
chort you might want to mention that with FreeBSD you almost certainly will be able to enable sound support with modules rather than rebuilding. Although rebuilding is common (on desktop machines) to ensure that sound is always there... it is hardly necessary or even desirable.
lol, I say this as I type on my machine with a very trimmed down kernel and sound permanently compiled in. I will state, in my defense, that I knew exactly what I was doing when I made my custom config and realized the ramifications of my actions (aka panics are much less useful unless I am willing to work much harder to give the full information to developers). But, looking back... it was unnecessary. And on most new machines that I set up for people we just load their modules at boot and away they go.
In machines where 256M of RAM is considered small... a custom kernel is not worth the effort and almost always is the wrong thing (tm) to do.
yeah i've gotta admit that i, a freebsd newbie, recompiled my kernel about a week ago. but it was just for fun, and i only did it because a book i bought, "BSD Hacks" (Dru Lavigne), told me i could. well, i also had to compile sound in because that's the only way it seems to work on my machine. but now i know.
but according to "BSD Hacks," recompiling the freebsd kernel "gives an administrator of an open source system a distinct advantage over his closed source counterparts" (216). "The first advantage to stripping the kernel is an obvious security boost. A vulnerability can't affect an option the kernel doesn't support. The second is a noticeable improvement in speed and performance."..."You may be wasting precious memory resources if you're loading options you have no intention of ever using" (217).
so i guess the point is only do it if your bsd machine is a server and you want higher security? or if you have absolutely no RAM to spare? i don't know, i'm definitely not an expert. but maybe you should include those into the faq if they sound reasonable.
by the way, why does the FreeBSD Handbook seem to encourage recompiling your kernel?
just to add, i gained an ENTIRE ONE MEGABYTE of free RAM after stripping and recompiling my kernel. wow, that 1MB really helps, especially since i only have about 400MB of free RAM left. haha. but it did help boot time by over 10 seconds. interesting....
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Original Poster
Well "a noticeable improvement in speed and performance" is certainly not accurate, unless you happen to be running FreeBSD 5.x with the debugging stuff in the kernel. On the other BSDs, it doesn't give *any* performance boost (how could it, all you're doing is removing device drivers?). As you stated, you'll save maybe 1MB of RAM with the smaller kernel, and all it really does is speed up the boot process (doesn't have to do device detection for drivers that don't exist in the kernel).
About the so-called security advantage (again, this is responding to the book author, not you) what exactly do you remove to increase security? About the only thing I can think of is removing certain binary compatibilities to prevent malicious users from loading their own binary that can exploit a vulnerability, but at least in OpenBSD you must also edit a sysctl variable to enable binary compatibility, even if it's compiled into the kernel. Only root can change those kernel variables, so an attacker wouldn't be able to do that. Removing device drivers (which is what makes up the bulk of the kernel configuration) is highly unlikely to prevent exploits.
All in all, I'd have to say the advice in that book is quite bad and contrary to what most BSD users will tell you. I guess as an author you have to write about changing something or else you wouldn't have any content for your book! BSDs in general are designed so the kernel does not need to be modified, which lends itself poorly to a book on hacking the kernel.
i see, i see. there are however 99 other really useful (non-kernel-related) hacks in the book that are pretty cool.
but i'm still curious: why does the freebsd handbook say basically the same thing as the book? in the synopsis for the section on the kernel, they say basically the same thing: security and performance.
in addition to recompiling to add devices (i.e. sound cards), one might also recompile the bsd kernel to make it possible for only root to reboot, halt, or ctrl+alt+del in situations where the machine is a server. or is there a way to do it w/o a recompile that i don't know of?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Original Poster
It's true that FreeBSD has some additional security controls that you can configure if you build a new kernel, so in that case it would raise security, but that is specific additions to the kernel, not things that you would remove.
I use FreeBSD 5.2.1. I built a custom kernel to add ipfw support to the kernel and remove support for devices that I would never need (it sped up the boot process).
it's still hard to neglect the fact that the source on FreeBSD (the FreeBSD Handbook) encourages kernel recompilations. how could someone resist it? - it's so much easier to recompile the kernel in FreeBSD than in Linux. but i see that it's not a necessity and why it's generally not recommended.