# Minimal Kernel & Base Config



## _enso (Sep 10, 2017)

My goal is to create a base system with only the essential tools needed to operate a modern web server. For instance I use IPFW so I don't need PF, IPTABLED and IPFILTER. However this is my first time doing this so I would like advice / feedback on anything that looks incorrect or is a bad decision altogether.

Thank, You

KERNEL
/usr/src/sys/_amd64_/conf/MINIMAL


```
#
# MINIMAL -- minimal kernel configuration file for FreeBSD/amd64
#
# $FreeBSD: releng/11.1/sys/amd64/conf/GENERIC 318763 2017-05-24 00:00:55Z jhb $

cpu             HAMMER
ident           MINIMAL

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols
makeoptions     WITH_CTF=1              # Run ctfconvert(1) for DTrace support

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         IPSEC                   # IP (v4/v6) security
options         TCP_OFFLOAD             # TCP offload
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         MD_ROOT                 # MD is a potential root device
options         NFSCL                   # Network Filesystem Client
options         NFSD                    # Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
options         NFS_ROOT                # NFS usable as /, requires NFSCL
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_RAID               # Soft RAID functionality.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_FREEBSD9         # Compatible with FreeBSD9
options         COMPAT_FREEBSD10        # Compatible with FreeBSD10
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         CAPABILITY_MODE         # Capsicum capability mode
options         CAPABILITIES            # Capsicum capabilities
options         MAC                     # TrustedBSD MAC Framework
options         KDTRACE_FRAME           # Ensure frames are compiled in
options         KDTRACE_HOOKS           # Kernel DTrace hooks
options         DDB_CTF                 # Kernel ELF linker loads CTF data
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
options         RACCT                   # Resource accounting framework
options         RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options         RCTL                    # Resource limits

# Debugging support.  Always need this:
options         KDB                     # Enable kernel debugger support.
options         KDB_TRACE               # Print a stack trace for a panic.

# Make an SMP-capable kernel by default
options         SMP                     # Symmetric MultiProcessor Kernel
options         DEVICE_NUMA             # I/O Device Affinity
options         EARLY_AP_STARTUP

# CPU frequency control
device          cpufreq

# Bus support.
device          acpi
options         ACPI_DMAR
device          pci
options         PCI_HP                  # PCI-Express native HotPlug
options         PCI_IOV                 # PCI SR-IOV support

# ATA controllers
device          ahci                    # AHCI-compatible SATA controllers
device          ata                     # Legacy ATA/SATA controllers
device          mvs                     # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device          siis                    # SiliconImage SiI3124/SiI3132/SiI3531 SATA

# RAID controllers
device          mrsas                   # LSI/Avago MegaRAID SAS/SATA, 6Gb/s and 12Gb/s
device          pmspcv                  # PMC-Sierra SAS/SATA Controller driver
#XXX pointer/int warnings
#device         pst                     # Promise Supertrak SX6000
device          twe                     # 3ware ATA RAID

# NVM Express (NVMe) support
device          nvme                    # base NVMe driver
device          nvd                     # expose NVMe namespaces as disks, depends on nvme

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard

device          kbdmux                  # keyboard multiplexer

device          vga                     # VGA video card driver
options         VESA                    # Add support for VESA BIOS Extensions (VBE)

device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc
options         SC_PIXEL_MODE           # add support for the raster text mode

# vt is the new video console driver
device          vt
device          vt_vga
device          vt_efifb

device          agp                     # support several AGP chipsets

# Parallel port
device          ppc
device          ppbus                   # Parallel port bus (required)
device          ppi                     # Parallel port interface device
#device         vpo                     # Requires scbus and da

device          puc                     # Multi I/O cards and multi-channel UARTs

# PCI Ethernet NICs.
device          bxe                     # Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
device          de                      # DEC/Intel DC21x4x (``Tulip'')
device          em                      # Intel PRO/1000 Gigabit Ethernet Family
device          igb                     # Intel PRO/1000 PCIE Server Gigabit Family
device          ix                      # Intel PRO/10GbE PCIE PF Ethernet
device          ixv                     # Intel PRO/10GbE PCIE VF Ethernet
device          ixl                     # Intel XL710 40Gbe PCIE Ethernet
device          ixlv                    # Intel XL710 40Gbe VF PCIE Ethernet
device          le                      # AMD Am7900 LANCE and Am79C9xx PCnet
device          ti                      # Alteon Networks Tigon I/II gigabit Ethernet
device          txp                     # 3Com 3cR990 (``Typhoon'')
device          vx                      # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          ae                      # Attansic/Atheros L2 FastEthernet
device          age                     # Attansic/Atheros L1 Gigabit Ethernet
device          alc                     # Atheros AR8131/AR8132 Ethernet
device          ale                     # Atheros AR8121/AR8113/AR8114 Ethernet
device          bce                     # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device          bfe                     # Broadcom BCM440x 10/100 Ethernet
device          bge                     # Broadcom BCM570xx Gigabit Ethernet
device          cas                     # Sun Cassini/Cassini+ and NS DP83065 Saturn
device          dc                      # DEC/Intel 21143 and various workalikes
device          et                      # Agere ET1310 10/100/Gigabit Ethernet
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)
device          gem                     # Sun GEM/Sun ERI/Apple GMAC
device          hme                     # Sun HME (Happy Meal Ethernet)
device          jme                     # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
device          lge                     # Level 1 LXT1001 gigabit Ethernet
device          msk                     # Marvell/SysKonnect Yukon II Gigabit Ethernet
device          nfe                     # nVidia nForce MCP on-board Ethernet
device          nge                     # NatSemi DP83820 gigabit Ethernet
device          pcn                     # AMD Am79C97x PCI 10/100 (precedence over 'le')
device          re                      # RealTek 8139C+/8169/8169S/8110S
device          rl                      # RealTek 8129/8139
device          sf                      # Adaptec AIC-6915 (``Starfire'')
device          sge                     # Silicon Integrated Systems SiS190/191
device          sis                     # Silicon Integrated Systems SiS 900/SiS 7016
device          sk                      # SysKonnect SK-984x & SK-982x gigabit Ethernet
device          ste                     # Sundance ST201 (D-Link DFE-550TX)
device          stge                    # Sundance/Tamarack TC9021 gigabit Ethernet
device          tl                      # Texas Instruments ThunderLAN
device          tx                      # SMC EtherPower II (83c170 ``EPIC'')
device          vge                     # VIA VT612x gigabit Ethernet
device          vr                      # VIA Rhine, Rhine II
device          wb                      # Winbond W89C840F
device          xl                      # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Pseudo devices.
device          loop                    # Network loopback
device          random                  # Entropy device
device          padlock_rng             # VIA Padlock RNG
device          rdrand_rng              # Intel Bull Mountain RNG
device          ether                   # Ethernet support
device          tun                     # Packet tunnel.
device          md                      # Memory "disks"
device          gif                     # IPv6 and IPv4 tunneling
device          firmware                # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

# MMC/SD
device          mmc                     # MMC/SD bus
device          mmcsd                   # MMC/SD memory card
device          sdhci                   # Generic PCI SD Host Controller

# VirtIO support
device          virtio                  # Generic VirtIO bus (required)
device          virtio_pci              # VirtIO PCI device
device          vtnet                   # VirtIO Ethernet device
device          virtio_blk              # VirtIO Block device
device          virtio_scsi             # VirtIO SCSI device
device          virtio_balloon          # VirtIO Memory Balloon device

# HyperV drivers and enhancement support
device          hyperv                  # HyperV drivers

# VMware support
device          vmx                     # VMware VMXNET3 Ethernet

# Netmap provides direct access to TX/RX rings on supported NICs
device          netmap                  # netmap(4) support

# The crypto framework is required by IPSEC
device          crypto                  # Required by IPSEC
```

BASE SYSTEM
src.conf

```
# +
WITH_BIND_LARGE_FILE=yes
WITH_BSD_GREP=yes
WITH_CLANG_EXTRAS=yes
WITH_CLANG_IS_CC=yes
WITH_DEBUG_FILES=yes
WITH_LIBRESSL=yes
WITH_LLDB=yes
WITH_NAND=yes
# WITH_OFED=yes
# WITH_OPENNTPD=yes
WITH_SHARED_TOOLCHAIN=yes
WITH_ZFS=yes

# –
WITHOUT_AMP=yes
WITHOUT_ATM=yes
WITHOUT_AUTHPF=yes
WITHOUT_BLUETOOTH=yes
WITHOUT_CALENDAR=yes
WITHOUT_CTM=yes
WITHOUT_CVS=yes
WITHOUT_DICT=yes
WITHOUT_EE=yes
WITHOUT_EXAMPLES=yes
WITHOUT_FLOPPY=yes
WITHOUT_FORTH=yes
WITHOUT_FREEBSD_UPDATE=yes
WITHOUT_GAMES=yes
WITHOUT_GCC=yes
WITHOUT_GDB=yes
WITHOUT_GNU=yes
WITHOUT_GNU_GREP_COMPAT=yes
WITHOUT_GPL_DTC=yes
WITHOUT_GROFF=yes
WITHOUT_GSSAPI=yes
WITHOUT_HTML=yes
WITHOUT_INFO=yes
WITHOUT_IPX=yes
WITHOUT_IPFILTER=yes
WITHOUT_KERBEROS=yes
WITHOUT_KERBEROS_SUPPORT=yes
WITHOUT_KVM=yes
WITHOUT_LEGACY_CONSOLE=yes
WITHOUT_LIB32=yes
WITHOUT_LOCATE=yes
WITHOUT_LPR=yes
WITHOUT_MAIL=yes
WITHOUT_MAN=yes
WITHOUT_NCP=yes
WITHOUT_NETGRAPH=yes
WITHOUT_NLS=yes
WITHOUT_NLS_CATALOGS=yes
WITHOUT_NTP=yes
WITHOUT_PF=yes
WITHOUT_PKGTOOLS=yes
WITHOUT_PORTSNAP=yes
WITHOUT_QUOTAS=yes
WITHOUT_SENDMAIL=yes
WITHOUT_SHAREDOCS=yes
WITHOUT_SYSINSTALL=yes
WITHOUT_SYSCONS=yes
WITHOUT_TELNET=yes
WITHOUT_USB=yes
WITHOUT_USB_GADGET_EXAMPLES=yes
WITHOUT_VI=yes
WITHOUT_WIRELESS=yes
WITHOUT_WPA_SUPPLICANT_EAPOL=yes
```


----------



## rigoletto@ (Sep 10, 2017)

I will not comment on details but many of those are already default, like ZFS, or are nonexistent.

For instance, there is no `WITH_LIBRESSL`, because there is no security/libressl in base *yet*. To use security/libressl by default, you should set it in make.conf: `DEFAULT_VERSIONS+=ssl=libressl`.

I do not know the current state of `bsdgrep` but until recently it was a bit buggy, and probably this is the reason why it is not the default one yet.

I advise you to careful read src.conf(5). And just in case you are mistaking, src.conf do only affect* Base* and not the kernel.

To make a custom kernel you should take a look at proper part of the Handbook.


----------



## _enso (Sep 10, 2017)

I realize I can solve all my problems by just switching to OpenBSD


----------



## _enso (Sep 19, 2017)

lebarondemerde said:


> I will not comment on details but many of those are already default, like ZFS, or are nonexistent.
> 
> For instance, there is no `WITH_LIBRESSL`, because there is no security/libressl in base *yet*. To use security/libressl by default, you should set it in make.conf: `DEFAULT_VERSIONS+=ssl=libressl`.
> 
> ...



*The 'recipe'*
You'll need to select the correct branch for your FreeBSD version


Download the LibreSSL 2.4 tarball

Extract this tarball into /usr/src/crypto and rename the directory from libressl-2.4.2 to libressl

Apply the patch-set from my GitHub repo
(Add WITH_LIBRESSL=yes to /etc/src.conf) No longer required as it now is enabled by default
Rebuild and install your kernel and world (see the FreeBSD handbook chapter for detail)
Reboot


```
#!sh
cd ~
mkdir download && cd download
fetch http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.2.tar.gz
fetch https://raw.githubusercontent.com/Sp1l/LibreBSD/FreeBSD-11.0/patchset/11.0-RC1.svndiff
cd /usr/src/crypto
tar xf ~/download/libressl-2.4.2.tar.gz
mv libressl-2.4.2/* libressl/
cd /usr/src
patch -p0 < ~/download/11.0-RC1.svndiff
make buildworld && make buildkernel && make installkernel && make installworld
reboot
```


----------



## _enso (Sep 19, 2017)

In this situation tradeoffs are unavoidable unless you go through the process of building out a custom solution to perfectly match your needs. Switching to OpenBSD only presented more problems I wasn't going to invest the time into solving. Initially it made more sense to go with openBSD since it's closer to the ultimate goal. However choosing openBSD means giving up ZFS. *TLDR;* FreeBSD presents smaller more manageable problems... Which makes it better suited at achieving my ultimate goal. 

This is the ultimate goal.

LLVM/CLANG /IN BASE
LibreSSL /IN BASE
PF 
OpenNTPD
OpenSSH
OpenRC
ZFS
NO GPL - SOFTWARE


----------



## vall (Sep 19, 2017)

Yeah you know, we all just should switch to OpenBSD.


----------



## sidetone (Sep 19, 2017)

```
WITHOUT_LEGACY_CONSOLE=yes
```
_LEGACY_CONSOLE_ is needed for even new hardware such as printers, and bluetooth, which isn't expected for use on your computer as of yet. However, there are a few uses for those in a server.

```
WITHOUT_LPR=yes
WITHOUT_NETGRAPH=yes
WITHOUT_BLUETOOTH=yes
```


```
WITHOUT_LIB32=yes
```
If you do with modern software only.

CPP and CXX are needed for compiling, so it's good you have that.
Your configuration doesn't have CVS, but it has SVN, which is good.

Some programs in ports need (or as of this year needed) GPL_DTC, GNU_SUPPORT or some other GNU utility to compile, even if src.conf(5) says these options do nothing yet.
GSSAPI may be needed for some ports and base programs that need KERBEROS, especially that need networking.

If I remember correctly, FreeBSD seems to alternate between SYSCONS or VT for default use often. Having one of these allows you to drop down to the terminal, for troubleshooting, in case there is trouble logging in to a desktop. If your server absolutely is minimal and has no desktop, then that's fine to remove one of those two options.

You may optionally hold on to FREEBSD_UPDATE, and remove it last, after you've tested that your src.conf settings worked well.

For hardware, which you seem to want to make minimal, first run `kldstat` a few times, to know what not to remove from src.conf and from /usr/src/sys/_amd64_/conf/ KERNCONF.

If there are Apple computers on your network, you want IPX.


----------



## sidetone (Sep 19, 2017)

vall said:


> Yeah you know, we all just should switch to OpenBSD.


OpenBSD and most other BSD's lack a lot of wireless hardware support that FreeBSD has. DragonFlyBSD being based on FreeBSD would be fine for a modern server, if you don't mind having a GPL/GNU toolkit _(GCC) toolchain _ in your operating system. DragonFly's support for certain networking hardware might be buggy as well.


----------



## sidetone (Sep 19, 2017)

As for /usr/src/sys/_amd64_/conf/MINIMAL, you can remove a lot of NIC's you aren't using, but keep miibus, for both wired and wireless network hardware, even if your computer doesn't have any that require it.

```
device          miibus                  # MII bus support
```

I noticed that in your src.conf, you did without debuging, which is mentioned in KERNCONF: relating to GDB.

```
#MINIMAL
makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

#src.conf
WITHOUT_GDB=yes
```
Perhaps the "-" before g means without debug support.

```
device          hyperv                  # HyperV drivers
```
 I think this is for operating system virtualization, so probably it's not needed for a minimal system.

In src.conf:

```
WITHOUT_NTP=yes
```
 NTP is needed for a server to maintain correct time. This option should only be used if you use an NTP replacement form ports.


_enso said:


> OpenNTPD


----------



## tobik@ (Sep 19, 2017)

_enso said:


> Apply the patch-set from my GitHub repo


The link is broken. https://github.com/Sp1l/LibreBSD-patches/tree/FreeBSD-11.0/patchset

Also unless you happen to be brnrd@ (in which case I apologize) maybe give credit where it's due for this.

If you want LibreSSL in base I think it's a lot more practical to just use HardenedBSD instead.


----------



## sidetone (Sep 19, 2017)

Absolutely minimum. It must be an in closet server that requires SSH.

```
WITHOUT_MAIL=yes
...
WITHOUT_SHAREDOCS=yes
...
WITHOUT_USB=yes
WITHOUT_USB_GADGET_EXAMPLES=yes
WITHOUT_VI=yes
WITHOUT_WIRELESS=yes
WITHOUT_WPA_SUPPLICANT_EAPOL=yes
```
WITHOUT_SENDMAIL would do for many. _DragonFlyBSD's mail agent, DMAGENT needs MAILWRAPPER.

If you don't need an optical drive: 


		Code:
	

#options         CD9660                  # ISO 9660 Filesystem

_


----------



## SirDice (Sep 26, 2017)

sidetone said:


> Perhaps the "-" before g means without debug support.


No, it refers to the -g flag of cc(1).

```
-g     Generate debug information.  Note that Clang debug information
              works best at -O0.
```

Note that gdb(1) and the DEBUG flags have nothing to do with each other (although one is fairly useless without the other). The WITHOUT_GDB in /etc/src.conf tells the system not to build/install gdb(1). The DEBUG flags in the kernel config simply tells cc(1) to build the kernel with debug options set.



sidetone said:


> If there are Apple computers on your network, you want IPX.


IPX has _nothing_ to do with Apple. I actually doubt MacOS supports IPX. IPX is an old protocol that was used for Novell Netware networks. Modern networks have all switched to TCP/IP (even Novell Netware itself since version 5.0).
https://en.wikipedia.org/wiki/IPX/SPX


----------



## Karl (Sep 27, 2017)

_enso said:


> In this situation tradeoffs are unavoidable unless you go through the process of building out a custom solution to perfectly match your needs. Switching to OpenBSD only presented more problems I wasn't going to invest the time into solving. Initially it made more sense to go with openBSD since it's closer to the ultimate goal. However choosing openBSD means giving up ZFS. *TLDR;* FreeBSD presents smaller more manageable problems... Which makes it better suited at achieving my ultimate goal.
> 
> This is the ultimate goal.
> 
> ...



Why not just disable unnecessary services? You're going to run in to a few issues. What gain is to be had from the time you're investing?


----------

