# Customised build of FreeBSD for internal rollout



## shepherdAZ (Nov 28, 2013)

Hi all.

I am seeking some advice on customising a hardened, minimised build of FreeBSD.

I currently maintain a mixed environment of FreeBSD, Solaris and Linux servers, both physical and virtual. Many systems are different versions, and in the case of Linux, mixed distribution flavours too. This environment has grown over time as various sysadmins have come and gone, with almost no standardisation for anything whatsoever. Looking after all of it is a bit of a nightmare.

With an upcoming major application update, new hardware and some other changes, the plan is to standardise on FreeBSD 9.2 across the board. Having reviewed some similar questions on this forum (and others) in the past, I have read release(7) and sysinstall(8) and believe that checking out the source then applying our local changes, followed by creating our own build for ISO images, is the way forward.

I need to create an installable ISO image which can be used on our varying physical and virtual servers, which contain the following example changes ("out of the box" and therefore not requiring a load of post-install activity for the admins):

- Change Sendmail for Postfix;
- Use the latest versions of OpenSSH and OpenSSL;
- Various custom configuration files under /etc;
- Add some additional software such as Nginx (all of which is available in ports);
- Add some in-house programs, already compiled and packaged;
- Preconfigured jails for some services;
- Strip out/omit unnecessary OS files.

The presence of some air-gapped networks, data-diodes and obstinate firewall administrators in our environment means that a central FTP server for driving sysinstall is not practical for us. Also, a "master" dd'd disk image might be problematic across our varied environment. So, I'd like to make a CD/DVD ISO image with all of our changes integrated/automated and simply set disk/network/user accounts as necessary during installation on each of the target systems.

Is making our changes to a local checkout of the 9.2 source and then building a "release" the right way to go or am I missing a far more elegant/efficient solution?

Many thanks!


----------



## fonz (Nov 29, 2013)

It may not be an answer to your question, but please note: sysinstall(8) is dead, long live bsdinstall(8).


----------



## SirDice (Nov 29, 2013)

shepherdAZ said:

> Is making our changes to a local checkout of the 9.2 source and then building a "release" the right way to go or am I missing a far more elegant/efficient solution?

No, I think that's the 'right' way to do it. If there's such a thing as a 'right' way to do anything. Definitely check out src.conf(5) to remove parts of the base OS. And create an ISO or memstick image with a bunch of pre-built packages. To build those you may want to check out ports-mgmt/poudriere.
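
As an added illustration of the src.conf(5) approach mentioned above (this is not from the thread, and it is an example, not a recommended final configuration), here is a minimal /etc/src.conf for a trimmed 9.2 base build. The knob names are standard src.conf(5) WITHOUT_* options; which ones are safe to set depends on what else your base build and packages rely on.

```make
# /etc/src.conf - added example for a minimised FreeBSD 9.2 base build.
# Each WITHOUT_* knob drops a component from buildworld/installworld and
# from the release media built afterwards; consult src.conf(5) for the
# exact release you are building to confirm every knob exists there.

# Mail: the thread replaces Sendmail with Postfix from ports/packages.
WITHOUT_SENDMAIL=yes

# Legacy cleartext network services a hardened server should not ship.
WITHOUT_TELNET=yes
WITHOUT_RCMDS=yes
WITHOUT_NIS=yes

# Unused subsystems: less code on disk, less to patch later.
WITHOUT_ATM=yes
WITHOUT_BLUETOOTH=yes
WITHOUT_GAMES=yes
WITHOUT_LIB32=yes
WITHOUT_PROFILE=yes
WITHOUT_EXAMPLES=yes
WITHOUT_INFO=yes

# Caveat: do NOT set WITHOUT_OPENSSL just because a newer OpenSSL will be
# installed from ports; much of the base system links against the base
# library, and WITHOUT_OPENSSL also pulls OpenSSH and Kerberos out of base.
# Keep base OpenSSH unless the ports version is installed and enabled in
# rc.conf on the media itself, or the first boot has no remote login.
```

After installworld, the packages built with poudriere can be placed on the same ISO so the installer has no need for network access.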


----------



## shepherdAZ (Dec 3, 2013)

Thank you both for the replies - very useful. I am going to spend some time in the next few weeks trying out some simple changes and builds to see how it goes.


----------



## ShelLuser (Dec 3, 2013)

Installing those systems is one thing, how are you going to keep those up to date?

The reason I'm asking: the environment which you might use to keep your systems up to date might also be usable to distribute the initial software which you need to install. For example, you mentioned the latest versions of OpenSSH and OpenSSL as well as using Postfix. Those software packages are not part of the base system (although both OpenSSH and OpenSSL are part of the base system, these are not the latest versions). But they are part of the ports collection and distributed as such.

Although FreeBSD provides a lot of customization options, and I can imagine the same applying to the base system, I can't help wondering if it might be more feasible to combine your options up front. So basically keeping your base system as minimal as possible and providing the extra software (Postfix, OpenSSH, OpenSSL, etc.) through your own repository of the ports collection. You could use that repository to apply and test updates to the ports collection on a single, central environment, after which you can then distribute the updates as binary packages to the rest of your network.

The advantage to this, as I imagine it right now, would be that the post installation of said software could be done by simply adding an extra installation routine which basically takes care of installing those software packages through use of the ports collection. A kind of automated installation.

I wonder if that couldn't be another feasible approach here.


----------

