Unfortunate dynamic linking for everything
Matthew Dillon
dillon at apollo.backplane.com
Tue Nov 18 18:26:24 PST 2003
:Our rationale for encouraging Gordon is as follows:
:
:1. 4.x upgrade path: As we approach 5-STABLE, a lot of users might want
: to upgrade from 4-STABLE. Historically in 4.x, the / partition has
: been very modest in size. One just simply cannot cram the bloat that
: has grown in 5.x into a 4.x partition scheme. Of course there is the
: venerable 'dump - clean install - restore' scheme, but we were looking
: for something a little more user-friendly.
This argument would apply to very old 4.x users but not to anyone who
installed it as of March 2001. I bumped the nominal size of the
root partition to 128MB in 1.98.2.7 of sysinstall/label.c.
Prior to that Jordan had bumped the root partition size to 100MB
in 1.98.2.3 in March 2001. It was 50MB before then, which is too small
even for 4.x.
:2. NSS support out-of-the-box: Again, this is a user-experience issue
: in that forcing NSS users to recompile world was seen as a potential
: roadblock to them.
Users have to recompile the world anyway, I don't think NSS is an issue.
Or to put it another way: Nobody in their right mind should be
contemplating upgrading a 4.x system to 5.x for production purposes.
There will simply be too much 4.x cruft left over. Upgrading
really requires a wipe and reinstall in this instance.
I seem to recall that the main reason 5.x went to a dynamic /bin was
to work around a terribly broken PAM design. The other issues were
just eye candy compared to the PAM problems. Personally speaking, I
think the solution is to fix PAM instead :-)
:3. Binary security updates: there is a lot of interest in providing a
: binary update mechanism for doing security updates. Having a dynamic
: root means that vulnerable libraries can be updated without having to
: update all of the static binaries that might use them.
Non-issue if you have an automatic security update mechanism or script
to do the work for the user, which we don't. Even so, /bin and /sbin are
sufficiently self-contained in the source hierarchy that recompiling and
reinstalling them is not a big deal.
I think the security argument is a red-herring because, frankly,
security problems are far more prevalient with ports and larger services
(Apache, sendmail, sshd, etc... mostly in /usr/bin and /usr/local),
and not as big an issue for /bin and /sbin.
:As for performance, we felt that the typical use of FreeBSD did not fall
:into the category of doing forkbomb performance tests. While there might
:certainly be users that do continuously create lots of short-lived
:processes, we felt that the above benefits outweighed this, but left the
:door open for tailoring to this need (recompiling world with
:NO_DYNAMICROOT).
fork() is a non-issue (forking overhead for a dynamic executable imposes
a slight time penalty but does not really impose any resource penalty).
However, I personally believe that anything run by a shell script is
an issue in regards to performance, and anything you exec multiple
separate copies of is an issue in regards to memory overhead. A system
running a large number of JAIL'd environments will wind up with a larger
number of swap-managed dirty pages.
But, all this aside, the reason I am decidedly against a dynamic /bin is
simply one of system recovery and safety. I've blown up /usr so many
times over the years that had /bin and /sbin been dynamic I would have
been in real trouble on many occassions.
If I recall correctly, some people have proposed and/or implemented some
sort of emergency fall back or safety bin in 5.x to make up for this
issue. I would humbly submit that this simply acknowledges that a dynamic
/bin and /sbin is a bad idea in the first place.
I do not intend to make /bin or /sbin dynamic in DragonFly by default.
I don't mind adding support for those people who want it, but I am not
going to make it the default.
-Matt
Matthew Dillon
<dillon at backplane.com>
More information about the freebsd-current
mailing list