FreeBSD

This is my page with some hints and tips about FreeBSD, with a focus on running it on servers. I try to link to the official FreeBSD pages which are a very good source for information as well as to some blog posts I found for some topics that might be of interest. Feel free to contribute if you have anything to say.

enjoy

Installation
I usually do an express install to make sure I have a minimal system as a base.

Partitioning:
 * Unless you have a good reason not to, using the whole disk for FreeBSD is the way to go.

Disklabels:
 * /: 1GB
 * swap: twice the RAM size (old rule, not sure if this still makes sense but I do so)
 * /var: 2GB, if you use logrotate and clean up your things this should be enough
 * /usr: at least 10GB, fills up pretty fast if you install a few ports
 * /etc: 100MB, I do that because I use snapshots on /etc, see XXX

After the install I add users and set the root password. Don't forget to add the admin users to the group wheel, otherwise they will not be allowed to su to root. I usually also select to autostart sshd in sysinstall.

Basic ports setup
I usually just install source packages from ports for my servers. This makes it possible to adjust them to my needs and to stay up to date when required. We start with some basic ports.

net/csup

 * Description: csup is used to update our ports collection. So far this was done using cvsup, but that is deprecated and should no longer be used. You do not have to install csup separately as it is shipped with the base system.
 * Config file: Copy a file from <tt>/usr/share/examples/cvsup</tt> to <tt>/etc</tt>; I recommend using <tt>ports-supfile</tt> unless you want to update more than just ports.
 * Changes: Adjust the <tt>host=</tt> entry to <tt>host=cvsup.ch.freebsd.org</tt>
 * Documentation: Using CVSUp

net/openntpd

 * Description: This is OpenBSD's Network Time Protocol daemon, my recommendation to synchronize time on a system. It is easy to configure and works flawlessly.
 * Config file: <tt>/usr/local/etc/ntpd.conf</tt>
 * Changes: <tt>servers europe.pool.ntp.org</tt>: like this we use servers which are based in Europe, not worldwide.
 * rc.conf: <tt>openntpd_enable="YES"</tt>
 * rc.d: <tt>/usr/local/etc/rc.d/openntpd</tt>
 * Remarks: If the clock of your machine is far off the real time, run <tt>/usr/local/sbin/ntpd -s</tt> first to set the time immediately. If you do not do that, ntpd will adjust the time very slowly so as not to confuse any applications. Once you did that you can kill the process and run it via rc.d.

sysutils/freebsd-snapshot

 * Description: Frontend to UFS/ZFS snapshots
 * Documentation: Website, see FreeBSD Backup for more information

sysinstall
In case you want to change something in your FreeBSD configuration the easiest way to do that is to run <tt>sysinstall</tt> again. This is the FreeBSD installer you saw during the install itself. To launch it you have to type the full path:

/stand/sysinstall

Then, select <tt>Do post-install configuration</tt> in the menu to continue.

CVSup
Install CVSup:

cd /usr/ports/net/cvsup-without-gui
make all install clean

Selecting your supfile: Copy the ports-supfile from <tt>/usr/share/examples/cvsup</tt> to <tt>/etc/ports-supfile</tt>. Edit it and change it according to your needs (at least the <tt>host=</tt> entry).

Update the tree with:

cvsup /etc/ports-supfile

Rebuild the index & readmes:

cd /usr/ports
make index && make readmes

Alternatively you can simply run <tt>make fetchindex</tt> to download a pre-built index from a server, which is much faster.

Now you can check if you have the most recent revisions installed:

pkg_version -v

Reference:
 * Absolute BSD, Chapter 6: Upgrading FreeBSD and Chapter 10: Making Your System Useful
 * FreeBSD Manual about CVSup

Upgrading Ports
 * install <tt>sysutils/portupgrade</tt>
 * create/update package-database: <tt>pkgdb -F</tt>
 * run portupgrade: <tt>portupgrade -arR</tt> will update all packages, including all dependencies. I usually don't do that as this is a lot of work for making sure all services still work fine afterwards, at least on a bit more complex server setups. I prefer the second way of upgrading a single package at a time only.
 * to update a single package: <tt>portupgrade -rR pkgname</tt>. This will update the package itself, but will first compile all things on which that package depends, including all other ports that depend on our upgraded package. Like this a package and its dependencies are really up to date.

References:
 * FreeBSD handbook, using ports
 * OnLAMP.com article

Flags for Ports
Many ports contain flags as compile-options; if you compile the stuff yourself you usually do something like <tt>./configure --with-bdb</tt>. On FreeBSD we can do something similar:

make install WITH_OPENSSL=YES

To get a list of flags you can simply start it without flags and hit <tt>ctrl-z</tt> soon enough (quite hard on fast machines) or you simply have a look at the <tt>Makefile</tt>.

If you want your flags to be persistent during a port-upgrade you can write them into the file

/usr/local/etc/pkgtools.conf

Example:

MAKE_ARGS = {
  'mail/vpopmail' => [
    'WITH_PASSWD=yes',
    'WITH_VALIAS=yes',
    'WITH_MYSQL=yes',
    'WITH_CLEAR_PASSWD=yes',
    'WITH_QMAIL_EXT=yes',
  ],
  'mail/qmailadmin' => [
    'WITH_MODIFY_QUOTA=yes',
    'WITH_DOMAIN_AUTOFILL=yes',
    'CGIBINDIR=www/cgi-bin',
    'WEBDATADIR=www/data',
  ],
  'graphics/ImageMagick' => [
    'WITHOUT_X11=YES',
  ],
}

Note that this only works for the pkgtools (portupgrade and friends)!

There is an article about that here

Find out system information
As the /proc filesystem on BSD does not contain information such as cpuinfo and others, you have to use another way to access it. You can use <tt>sysctl</tt> for that purpose:

sysctl -a

lists information about the running system. You can restrict the output to one part of the tree by appending its name:

sysctl -a hw

will only display fields whose names begin with <tt>hw.</tt>
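As an added example (not part of the original page), the same <tt>name: value</tt> output is what you want to compare against a baseline on a server, e.g. after an upgrade or when taking over a box. The script below filters a subtree the way <tt>sysctl hw</tt> does and reports every security-relevant sysctl that differs from an expected value. The sysctl names are real FreeBSD ones; the expected values are an assumed baseline for this example, and the sample output is constructed so the script also runs off a FreeBSD box.

```shell
#!/bin/sh
# Added example, not part of the original page: compare security-relevant
# sysctl values against an expected baseline. Input is "name: value" lines as
# printed by `sysctl -a`. The names are real FreeBSD sysctls; the expected
# values are this example's assumed baseline, not something the page states.

# Constructed sample of `sysctl -a` output, used when not running on FreeBSD.
SAMPLE_SYSCTL='kern.ostype: FreeBSD
kern.securelevel: -1
security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 1
net.inet.ip.random_id: 1
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
hw.machine: amd64
hw.ncpu: 2'

# Assumed baseline as "name=value" pairs separated by ";".
BASELINE='kern.securelevel=1;security.bsd.see_other_uids=0;security.bsd.see_other_gids=0;security.bsd.unprivileged_read_msgbuf=0;net.inet.ip.random_id=1;net.inet.tcp.blackhole=2;net.inet.udp.blackhole=1'

# Print only the entries below one prefix (e.g. "hw"), like `sysctl hw`.
# $1 = prefix, stdin = sysctl output.
sysctl_subtree() {
    awk -v p="$1." 'index($0, p) == 1'
}

# Read sysctl output on stdin and print one "name current expected" line per
# deviation from BASELINE ("missing" when the name is absent). Returns 1 if
# any deviation was found, 0 otherwise.
check_baseline() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, pairs, ";")
            for (i = 1; i <= n; i++) {
                eq = index(pairs[i], "=")
                want[substr(pairs[i], 1, eq - 1)] = substr(pairs[i], eq + 1)
            }
        }
        {
            # split "name: value" at the first ": "
            s = index($0, ": ")
            if (s == 0) next
            name = substr($0, 1, s - 1)
            if (!(name in want)) next
            seen[name] = 1
            val = substr($0, s + 2)
            if (val != want[name]) { print name, val, want[name]; bad = 1 }
        }
        END {
            for (name in want)
                if (!(name in seen)) { print name, "missing", want[name]; bad = 1 }
            if (bad) exit 1
        }'
}

# Number of deviations found in the embedded sample.
sample_deviations() {
    printf '%s\n' "$SAMPLE_SYSCTL" | check_baseline | wc -l | tr -d ' '
}

# Usage: sh sysctl-baseline.sh   (live sysctl on FreeBSD, the sample elsewhere)
main() {
    if [ "$(uname)" = FreeBSD ]; then
        sysctl -a | check_baseline
    else
        printf '%s\n' "$SAMPLE_SYSCTL" | check_baseline
    fi && echo "baseline OK" || echo "baseline deviations listed above"
}
main
```

The comparison is done on the raw string so a value like <tt>-1</tt> for <tt>kern.securelevel</tt> is reported as-is; adjust BASELINE to what you actually set in <tt>/etc/sysctl.conf</tt> before relying on it.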

SMTP configuration
If you want your FreeBSD box to be able to send mail, the easiest way is to configure ssmtp. Note: if you do not want the <tt>From:</tt> header to be overwritten, you have to set this line:

FromLineOverride=YES

Now you can test it like this on a shell:

/usr/sbin/sendmail -ti
From: <test@example.com>
To: <destination@example.org>
Subject: Test

Hello Test,
This is a test.
<ctrl-d>

<tt><Ctrl-d></tt> is the generic end-of-file; it ends the message (note the empty line between the headers and the body).

(Credits: ftc :)

X11 forwarding
If you need X11 forwarding you have to install <tt>XFree86-4-clients</tt> or <tt>xorg-clients</tt> respectively. You also have to edit <tt>/etc/ssh/sshd_config</tt> and set <tt>X11Forwarding yes</tt>.

Compile-time flags for PHP used on mushroom/grinsekatz
The following flags have been used for compiling php4 on the hosts mushroom/grinsekatz:

NOTE: Those flags are in <tt>lang/php4-extensions</tt>! Not in <tt>php4</tt> itself.

BCMATH CALENDAR CTYPE DOMXML DOMXSLT EXIF FTP GD MCAL MCRYPT MHASH MIME MING MYSQL OPENLDAP OVERLOAD PCRE POSIX SESSION TOKENIZER XML XMLRPC XSLT ZIP ZLIB

LDAP Auth on FreeBSD
quick & dirty, don't complain if it doesn't work ;)

References:
 * http://www.gwdg.de/GWDG-Nachrichten/GN0508/gn0508_01.html
 * http://freebsd.de-q.net/index.php/FreeBSD_Mailsystem_mit_Postfix,_Spamassassin,_LDAP_und_mehreren_Servern

Step by step:
 * install <tt>security/pam_ldap</tt>
 * Adjust <tt>/usr/local/etc/openldap/ldap.conf</tt>
 * make a symlink: <tt>ln -svf /usr/local/etc/openldap/ldap.conf /usr/local/etc</tt>
 * add <tt>session sufficient  /usr/local/lib/pam_ldap.so</tt> to <tt>/etc/pam.d/sshd</tt> (XXX 2 more...)
 * add <tt>/etc/nsswitch.conf</tt>

Copy <tt>/usr/local/etc/ldap.conf.dist</tt> to <tt>/usr/local/etc/ldap.conf</tt>, then edit <tt>/usr/local/etc/ldap.conf</tt> in order to use this module. Add a line similar to the following to <tt>/etc/pam.conf</tt> on 4.X, or create an <tt>/etc/pam.d/ldap</tt> on 5.X and higher with a line similar to the following:

login  auth    sufficient      /usr/local/lib/pam_ldap.so

iSCSI on FreeBSD
Load the iSCSI kernel module or add iSCSI support to your kernel according to http://www.cyberciti.biz/faq/freebsd-iscsi-initiator-howto/. Do not run the <tt>iscontrol</tt> command as stated there; with that syntax it does not work.

iscontrol -v -d -t192.168.0.41

Note that this is an internal network for freezer in that example; it only works if you configured that subnet too, of course.

For stopping the jails on ZFS/iSCSI properly the following steps are required:
 * stop jail services
 * stop jails
 * unmount zfs: <tt>zfs unmount …</tt>
 * <tt>zpool export zpool</tt>
 * <tt>/usr/local/etc/rc.d/iscsi stop</tt>
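As an added example (my own script, not from the original page or from FreeBSD), the steps above as one script that stops at the first failure, so the pool is never exported and the iSCSI session never torn down underneath a jail that is still running. It assumes jails are stopped through <tt>/etc/rc.d/jail</tt>, that services inside a jail are rc.d scripts run via <tt>jexec</tt> with the jail's name (listed in JAIL_SERVICES), and that the datasets to unmount are given in ZFS_DATASETS, deepest first (defaulting to the pool itself). With DRY_RUN set it only prints the commands, which is handy for checking the order before doing it for real.

```shell
#!/bin/sh
# Added example, not part of the original page: take down jails that live on a
# ZFS pool backed by iSCSI in the order the text requires (jail services, jails,
# ZFS datasets, pool export, iSCSI), stopping at the first failure.
# Assumptions: jails are stopped through /etc/rc.d/jail, services inside a jail
# are rc.d scripts run via jexec with the jail's name, and the datasets to
# unmount are listed in ZFS_DATASETS (deepest first; defaults to the pool).

# Run a command, or in dry-run mode (DRY_RUN set) print it instead.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@" || { echo "failed: $*" >&2; return 1; }
    fi
}

# Stop the services inside one jail (names from JAIL_SERVICES), then the jail.
stop_jail() {
    for svc in ${JAIL_SERVICES:-}; do
        run jexec "$1" /usr/local/etc/rc.d/"$svc" stop || return 1
    done
    run /etc/rc.d/jail stop "$1"
}

# Full sequence: $1 = pool, remaining arguments = jail names.
stop_storage_stack() {
    pool=$1; shift
    for j in "$@"; do
        stop_jail "$j" || return 1
    done
    for ds in ${ZFS_DATASETS:-$pool}; do
        run zfs unmount "$ds" || return 1
    done
    run zpool export "$pool" || return 1
    run /usr/local/etc/rc.d/iscsi stop
}

# Usage: DRY_RUN=1 sh stop-iscsi-jails.sh tank web db   (drop DRY_RUN to do it)
if [ $# -ge 2 ]; then
    stop_storage_stack "$@"
fi
```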

Configuring mail for the box
We either have to read the mail for the root user on a regular basis (using <tt>mail</tt> for example) or we forward the mails to an external mailbox (recommended, we forget it anyway otherwise ;).

To do that we have to edit the file <tt>/etc/aliases</tt>. It should contain:

root: myself@somedomain.org

When you edited that run the command <tt>newaliases</tt> to activate the changes.