注：本文仅供参考，具体参数可能根据FreeBSD不同版本而有所不同。

－－－－－－－－－－－－－－－－－－－－－

■■■■编译定制内核■■■■

1) 我们需要使用FreeBSD 5.3 Release的安装光盘装好一个默认的系统，安装时候一定要选择“Kern-Developer”，即安装编译内核所需要的组件。然后选择屏幕最下边的 Custom，按空格进入下一层菜单，在里边找到src，按空格进入下一层菜单，选中sys，即安装内核源代码到/usr/src/sys目录下。

2) 使用默认的内核启动系统。备份当前的内核：

cp -R /boot/kernel /boot/kernel.good

这样当新内核出现问题时候，可以随时恢复到原内核。

3) 复制默认内核的配置文件，并且重新命名：

/usr/src/sys/i386/conf
cp GENERIC Prima-Kernel

4) 修改内核配置文件：
vi Prima-Kernel

查找关键字“ident”，并修改如下:
ident Prima-Kernel # set kern’s name

为了支持SMP多对称处理器和HTT超线程，在文件中加入下内容：
options SMP # Symmetric MultiProcessor Kernel

为了优化网络性能，添加如下参数：
options TCP_DROP_SYNFIN
options ZERO_COPY_SOCKETS

加入Quota磁盘配额的支持：
options QUOTA

注意：内核配置文件的注释说：“Do not remove isa, even if you have no isa slots”。即使没有ISA插槽，也不要去掉ISA支持，否则会导致系统崩溃。

5) 编译并安装新内核：

/usr/sbin/config Prima-Kernel
cd ../compile/Prima-Kernel/
make depend
make
make install

注意：整个编译估计需要15分钟左右，根据CPU速度而定。

6) 重新启动系统，默认就会启动新内核。

－－－－－－－－－－－－－－－－－－－－－

■■■■内核升级失败时使用其他内核文件启动■■■■

1) 启动系统时候，出现1到7的选项列表，按下6。

2) 现在进入提示符“OK”状态，可以进行如下操作：

如果需要启动当前系统内核，则输入：
boot kernel

如果需要启动上一个版本的内核，则输入：
boot kernel.old

假如编译新内核前按照本文将原内核备份成了kernel.good，则输入如下内容可以启动这个备份内核：
boot kernel.good

用别的内核启动成功之后，将可以正常使用的内核复制承认默认内核：
rm -rf /boot/kernel
cp -R /boot/kernel.good /boot/kernel

重新启动系统，即可使用原内核正常运行。

－－－－－－－－－－－－－－－－－－－－－

■■■■典型Prima-Kernel内核配置文件■■■■

注意：本配置文件来自FreeBSD 5.3 Release，支持SMP和HTT，仅保留了对Intel板载网卡（em/fxp）以及AIC7xxx SCSI适配器的支持，如果需要支持其他设备，请启用相关配置项。

#
# GENERIC — Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you’ve installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.413.2.6.2.2 2004/10/24 18:02:52 scottl Exp $

machine i386
#cpu I486_CPU
#cpu I586_CPU
cpu I686_CPU
ident Prima-Kernel

# To statically compile in device wiring instead of /boot/device.hints
#hints “GENERIC.hints” # Default places to look for devices.

options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MD_ROOT # MD is a potential root device
#options NFSCLIENT # Network Filesystem Client
#options NFSSERVER # Network Filesystem Server
#options NFS_ROOT # NFS usable as /, requires NFSCLIENT
#options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
options ADAPTIVE_GIANT # Giant mutex is adaptive.

device apic # I/O APIC

options SMP
options APIC_IO
options QUOTA
options TCP_DROP_SYNFIN
options ZERO_COPY_SOCKETS

# Bus support. Do not remove isa, even if you have no isa slots
device isa
device eisa
device pci

# Floppy drives
#device fdc

# ATA and ATAPI devices
device ata
#device atadisk # ATA disk drives
#device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering

# SCSI Controllers
#device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
#device ahd # AHA39320/29320 and onboard AIC79xx devices
#device amd # AMD 53C974 (Tekram DC-390(T))
#device isp # Qlogic family
#device mpt # LSI-Logic MPT-Fusion
#device ncr # NCR/Symbios Logic
#device sym # NCR/Symbios Logic (newer chipsets + those of `ncr’)
#device trm # Tekram DC395U/UW/F DC315U adapters
#device adv # Advansys SCSI adapters
#sdevice adw # Advansys wide SCSI adapters
#device aha # Adaptec 154x SCSI adapters
#device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device bt # Buslogic/Mylex MultiMaster SCSI adapters

#device ncv # NCR 53C500
#device nsp # Workbit Ninja SCSI-3
#device stg # TMC 18C30/18C50

# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)

# RAID controllers interfaced to the SCSI subsystem
#device amr # AMI MegaRAID
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device ciss # Compaq Smart RAID 5*
#device dpt # DPT Smartcache III, IV – See NOTES for options
#device hptmv # Highpoint RocketRAID 182x
#device iir # Intel Integrated RAID
#device ips # IBM (Adaptec) ServeRAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device twa # 3ware 9000 series PATA/SATA RAID

# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID

# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
#device psm # PS/2 mouse

device vga # VGA video card driver

#device splash # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device sc

# Enable this for the pcvt (VT220 compatible) console driver
#device vt
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor

device agp # support several AGP chipsets

# Floating point support – do not disable.
device npx

# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus

# Serial (COM) ports
#device sio # 8250, 16[45]50 based serial ports

# Parallel port
#device ppc
#device ppbus # Parallel port bus (required)
#device lpt # Printer
#device plip # TCP/IP over parallel
#device ppi # Parallel port interface device
#device vpo # Requires scbus and da

# If you’ve got a “dumb” serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device puc

# PCI Ethernet NICs.
#device de # DEC/Intel DC21x4x (“Tulip”)
#device em # Intel PRO/1000 adapter Gigabit Ethernet Card
#device ixgb # Intel PRO/10GbE Ethernet Card
#device txp # 3Com 3cR990 (“Typhoon”)
#device vx # 3Com 3c590, 3c595 (“Vortex”)

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the ‘device miibus’ line in order to use these NICs!
device miibus # MII bus support
#device bfe # Broadcom BCM440x 10/100 Ethernet
#device bge # Broadcom BCM570xx Gigabit Ethernet
#device dc # DEC/Intel 21143 and various workalikes
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device lge # Level 1 LXT1001 gigabit ethernet
#device nge # NatSemi DP83820 gigabit ethernet
#device pcn # AMD Am79C97x PCI 10/100 (precedence over ‘lnc’)
#device re # RealTek 8139C+/8169/8169S/8110S
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (“Starfire”)
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device ti # Alteon Networks Tigon I/II gigabit Ethernet
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 “EPIC”)
#device vge # VIA VT612x gigabit ethernet
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (“Boomerang”, “Cyclone”)

# ISA Ethernet NICs. pccard NICs included.
#device cs # Crystal Semiconductor CS89x0 NIC
# ‘device ed’ requires ‘device miibus’
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device lnc # NE2100, NE32-VL Lance Ethernet cards
#device sn # SMC’s 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet

# ISA devices that use the old ISA shims
#device le

# Wireless NIC cards
#device wlan # 802.11 support
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device awi # BayStack 660 and others
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.

# Pseudo devices.
device loop # Network loopback
device mem # Memory and kernel memory devices
device io # I/O device
device random # Entropy device
device ether # Ethernet support
#device sl # Kernel SLIP
#device ppp # Kernel PPP
#device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
#device md # Memory “disks”
#device gif # IPv6 and IPv4 tunneling
#device faith # IPv6-to-IPv4 relaying (translation)

# The `bpf’ device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device bpf # Berkeley packet filter

# USB support
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
#device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices
#device ugen # Generic
#device uhid # “Human Interface Devices”
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage – Requires scbus and da
#device ums # Mouse
#device urio # Diamond Rio 500 MP3 player
#device uscanner # Scanners
# USB Ethernet, requires mii
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet

# FireWire support
#device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)

Apache2.0将这种模块化的设计延伸到了web服务器的基础功能上。
这个版本带有多路处理模块(MPM)的选择以处理网络端口绑定、
接受请求并指派子进程来处理这些请求。
比如，需要更好伸缩性的可以选择象worker或event这样线程化的MPM，
而需要更好的稳定性和兼容性以适应一些旧的软件可以用prefork 。

在Redhat Linux的主要版本as4上，apache版本为httpd-2.0.5x，
默认为prefork模式，主要是考虑到稳定性的原因。
要切换到worker模式，则需要登录到linux上，进行如下操作：

进入/usr/sbin目录
cd /usr/sbin

将当前的prefork模式启动文件改名
mv httpd httpd.prefork

将worker模式的启动文件改名
mv httpd.worker httpd

修改配置文件vi /etc/httpd/conf/httpd.conf
找到里边的如下一段，可适当修改负载等参数：
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>

重新启动服务
/etc/init.d/httpd restart

即可换成worker方式启动apache2

－－－－－－－－－－－－－－－－－－－－－－－－－－

注意：处于稳定性和安全性考虑，不建议更换apache2的运行方式，使用系统默认prefork即可
另外很多php模块不能工作在worker模式下，例如redhat linux自带的php也不能支持线程安全
所以最好不要切换工作模式。

/etc/logrotate.conf

其内容如下：

—————————————————–
# see “man logrotate” for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp — we’ll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

# system-specific logs may be also be configured here.
—————————————————–

这个文件指定了切分周期等参数。具体对每一个log的切分，是由/etc/logrotate.d目录下的脚本完成的。这个目录下包含apache、mysql、resin等若干服务的log文件。（邮件的/var/log/maillog是使用syslog写入系统的）

手工运行/etc/cron.daily/logrotate ，看报告什么错误。

例如报告
error: httpd:1 duplicate log entry for /var/log/httpd/access_log

这是由于在/etc/logrotate.d目录下存在重复项目造成的。经检查用户自行安装了httpd的rpm，所以在etc/logrotate.d目录下存在apache和httpd两个目录切分项目，造成了logrotate程序运行失败。

解决方法：移出/etc/logrotate.d/httpd文件即可。推荐按照一台干净的服务器，检查是否有多余的log切分项目。

step1 – 进入SSH协议存放root用户identity.pub和authorized_keys的文件目录

# cd /root/.ssh
# ls -al
总数 18
drwxr-xr-x 2 root other 512 2月 24 14:35 .
drwxr-xr-x 23 root other 1536 2月 16 17:14 ..
-rw-r–r– 1 root other 678 2002 2月 24 authorized_keys
-rw——- 1 root other 3655 2月 24 14:08 known_hosts
-rw——- 1 root other 512 2月 24 14:35 random_seed

step2 – 使用SSH命令工具ssh-keygen生成公私钥

# /usr/local/bin/ssh-keygen
Generating 1024-bit dsa key pair
6 Oo.oOoo.oOo.
Key generated.
1024-bit dsa, root@local, Tue Feb 24 2004 06:36:32
Passphrase :
Again :
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don’t do this unless you know what you’re doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without
the deciphering effort.
Private key saved to /root/.ssh2/id_dsa_1024_e
Public key saved to /root/.ssh2/id_dsa_1024_e.pub
# ls -al
总数 18
drwxr-xr-x 2 root other 512 2月 24 14:35 .
drwxr-xr-x 23 root other 1536 2月 16 17:14 ..
-rw-r–r– 1 root other 678 2002 2月 24 authorized_keys
-rw——- 1 root other 3655 2月 24 14:08 known_hosts
-rw——- 1 root other 512 2月 24 14:35 random_seed

step3 – 使用SSH命令工具ssh-keygen1生成本机登录其他机器所需的authorized_key，默认存储于/root/.ssh/identity.pub文件

# /usr/local/bin/ssh-keygen1
Initializing random number generator…
Generating p: ………………++ (distance 268)
Generating q: ……………………………………………………………………..++ (distance 1312)
Computing the keys…
Testing the keys…
Key generation complete.
Enter file in which to save the key (/root/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /root/.ssh/identity.
Your public key is:
1024 33 137759100819686934520696481763778829517032347151848709
931347613191606803521634302106373663429062391373471487290158025
105706619724046969007187994783371342003069780832585343903142348
95784990163707656346620364648020005147382681862785569947494342
0765419444885608631362197508294196811654926997336929202808042681631 root@local
Your public key has been saved in /root/.ssh/identity.pub
# ls -al
总数 22
drwxr-xr-x 2 root other 512 2月 24 14:38 .
drwxr-xr-x 23 root other 1536 2月 16 17:14 ..
-rw-r–r– 1 root other 678 2002 2月 24 authorized_keys
-rw——- 1 root other 533 2月 24 14:38 identity
-rw-r–r– 1 root other 337 2月 24 14:38 identity.pub
-rw——- 1 root other 3655 2月 24 14:08 known_hosts
-rw——- 1 root other 512 2月 24 14:38 random_seed
# cat /root/.ssh/identity.pub
1024 33 137759100819686934520696481763778829517032347151848709
931347613191606803521634302106373663429062391373471487290158025
105706619724046969007187994783371342003069780832585343903142348
95784990163707656346620364648020005147382681862785569947494342
0765419444885608631362197508294196811654926997336929202808042681631 root@local

step4 – 将identity.pub文件中的authorized_key内容原样拷贝到需要免SSH认证的对方机器上，位置为对方机器ssh协议存放root用 户identity.pub和authorized_keys的文件目录，要修改的文件为/root/.ssh/authorized_keys

# ssh 192.168.0.2
warning: Executing /usr/local/bin/ssh1 for ssh1 compatibility.
root@192.168.0.2′s password:
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.
Last login: Tue Feb 24 14:28:00 2004 from 192.168.8.252
You have new mail.
[root@remote root]#
[root@remote root]# cd /root/.ssh
[root@remote .ssh]# cat /root/.ssh/authorized_keys
1024 37 1510957817385891963372652439207842737027918140859621507
380729138329114441416521776984491500781874021566354104804727884
519240069872528441273975697342453100667500263238390614807313900
317593282635376291882684337383945048992455560162257982416115871
07142667649373550013275351594257842948752831502084375880349649893 root@remote
1024 33 137759100819686934520696481763778829517032347151848709
931347613191606803521634302106373663429062391373471487290158025
105706619724046969007187994783371342003069780832585343903142348
95784990163707656346620364648020005147382681862785569947494342
0765419444885608631362197508294196811654926997336929202808042681631 root@local
[root@remote .ssh]# exit
#

注意：在上述修改中，在remote(192.168.0.2)的/root/.ssh/authorized_keys添加了local(192.168.0.1)的/root/.ssh/identity.pub文件内容

step5 – 验证免SSH认证功能（using ssh from 192.168.0.1 to 192.168.0.2）
# ssh 192.168.0.2
warning: Executing /usr/local/bin/ssh1 for ssh1 compatibility.
root@192.168.0.2′s password:
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.
Last login: Tue Feb 24 14:28:00 2004 from 192.168.8.252
You have new mail.
[root@remote root]#

step6 – 典型应用场景：免认证的SCP数据传输测试（基于SSH免认证，通过SCP文件传输）
local（192.168.0.1）->remote（192.168.0.2）

—
L2 Tech Support
SWsoft China