FreeBSD: Difference between revisions

From NikiWiki

Latest revision as of 21:42, 3 May 2011

This is my page with some hints and tips about FreeBSD, with a focus on running it on servers. I try to link to the official FreeBSD pages which are a very good source for information as well as to some blog posts I found for some topics that might be of interest. Feel free to contribute if you have anything to say.

enjoy


Installation

I usually do an express install to make sure I have a minimal system as a base.

Partitioning:

  • unless you have a good reason not to, using the whole disk for FreeBSD is the way to go.

Disklabels:

  • /: 1GB
  • swap: twice the RAM size (old rule, not sure if this still makes sense but I do so)
  • /var: 2GB, if you use logrotate and clean up your things this should be enough
  • /usr: at least 10GB, fills up pretty fast if you install a few ports
  • /etc: 100MB, I do that because I use snapshots on /etc, see XXX

After the install I add users and set the root password. Don't forget to add the admin users to the group wheel, otherwise they will not be allowed to su. I usually also select to autostart sshd in sysinstall.

Basic ports setup

I usually just install source packages from ports for my servers. This makes it possible to adjust it to my needs and stay up to date when required. We start with some basic ports.

net/csup

  • Description: csup is used to update our ports collection. So far this was done using cvsup, but that is deprecated and should no longer be used. You do not have to install csup separately, as it ships with the base system.
  • Config file: Copy a file from /usr/share/examples/cvsup to /etc, I recommend to use ports-supfile unless you want to update more than just ports.
  • Changes: Adjust the host= entry to host=cvsup.ch.freebsd.org
  • Documentation: Using CVSup, http://www.freebsd.org/doc/en/books/handbook/cvsup.html

net/openntpd

  • Description: This is OpenBSD's Network Time Protocol daemon, my recommendation to synchronize time on a system. It is easy to configure and works flawlessly.
  • Config file: /usr/local/etc/ntpd.conf
  • Changes: servers europe.pool.ntp.org: like this we use servers which are based in Europe, not worldwide.
  • rc.conf: openntpd_enable="YES"
  • rc.d: /usr/local/etc/rc.d/openntpd
  • Remarks: If your machine's clock is far off from the real time, run /usr/local/sbin/ntpd -s first to set the time immediately. If you do not do that, ntpd will adjust the time very slowly so as not to confuse any applications. Once that is done you can kill the process and run it via rc.d.

sysutils/freebsd-snapshot

  • Description: Frontend to UFS/ZFS snapshots
  • Documentation: Website, see FreeBSD Backup for more information

sysinstall

In case you want to change something in your FreeBSD configuration the easiest way to do that is to run sysinstall again. This is the FreeBSD installer you saw during the install itself. To launch it you have to type the full path:

/stand/sysinstall

Then, select Do post-install configuration in the menu to continue.

CVSup

Install CVSup

cd /usr/ports/net/cvsup-without-gui
make all install clean

Selecting your supfile:
Copy the ports-supfile from /usr/share/examples/cvsup to /etc/ports-supfile. Edit it and change it according to your needs (at least the host= entry).

Update the tree with

cvsup /etc/ports-supfile

Rebuild the index & readmes

cd /usr/ports
make index && make readmes

Alternatively you can simply type

make fetchindex

to get a pre-compiled version from a server, which is much faster.

Now you can check if you have the most recent revisions installed:

pkg_version -v
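As an added example, not from the original page, the following sh script wraps the supfile preparation from the net/csup notes and the update steps of this section: it copies the example supfile with the host entry set, refuses to sync while the host is still the placeholder, and then fetches the prebuilt index. It assumes that the example supfile carries a "*default host=CHANGE_THIS.FreeBSD.org" line, that csup is used instead of the deprecated cvsup, and that the ports tree is in PORTSDIR; the variables CSUP and PORTSDIR are this script's own, not anything FreeBSD provides.

```shell
#!/bin/sh
# Added example, not from the original page. Prepares a supfile from the shipped
# example and refuses to run the update while the placeholder host is still in it.
# Assumptions: the example supfile carries "*default host=CHANGE_THIS.FreeBSD.org",
# csup is in the base system, and the ports tree lives in PORTSDIR.
set -u

CSUP=${CSUP:-csup}                  # cvsup is deprecated, csup ships with the base system
PORTSDIR=${PORTSDIR:-/usr/ports}

# supfile_ok FILE: succeed only if FILE has exactly one "*default host=" line
# and that line no longer points at the CHANGE_THIS placeholder.
supfile_ok() {
    n=$(grep -c '^\*default host=' "$1" || true)
    if [ "$n" -ne 1 ]; then
        echo "$1: expected one '*default host=' line, found $n" >&2
        return 1
    fi
    if grep -q '^\*default host=CHANGE_THIS' "$1"; then
        echo "$1: host= is still the placeholder, pick a mirror such as cvsup.ch.freebsd.org" >&2
        return 1
    fi
}

# configure_supfile SRC DST HOST: copy SRC to DST with the host entry set to HOST, e.g.
#   configure_supfile /usr/share/examples/cvsup/ports-supfile /etc/ports-supfile cvsup.ch.freebsd.org
configure_supfile() {
    sed -e "s|^\*default host=.*|*default host=$3|" "$1" > "$2" || return 1
    supfile_ok "$2"
}

# update_ports SUPFILE: validate the supfile, sync the tree, then fetch the
# prebuilt INDEX instead of spending a long time on "make index".
update_ports() {
    supfile_ok "$1" || return 1
    "$CSUP" "$1" && (cd "$PORTSDIR" && make fetchindex)
}
```

After update_ports has run, pkg_version -v as shown above tells you which installed packages are behind the tree.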

Reference:

Upgrading Ports

  • install sysutils/portupgrade
  • create/update package-database:
pkgdb -F
  • run portupgrade:
portupgrade -arR: will update all packages, including all dependencies. I usually don't do that as it is a lot of work to make sure all services still work fine afterwards, at least on somewhat more complex server setups. I prefer the second way of upgrading a single package at a time only:
  • to update a single package:
portupgrade -rR pkgname: This will update the package itself, but will first compile all things on which that package depends including all other ports that depend on our upgraded package. Like this a package and its dependencies are really up to date.

References:

  • FreeBSD handbook, using ports: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports-using.html
  • OnLAMP.com article: http://www.onlamp.com/pub/a/bsd/2003/08/28/FreeBSD_Basics.html?page=2

Flags for Ports

Many ports contain flags as compile-options, if you compile the stuff yourself you usually do something like ./configure --with-bdb. On FreeBSD we can do something similar:

 make install WITH_OPENSSL=YES

To get a list of flags you can simply start it without flags and hit ctrl-z soon enough (quite hard on fast machines) or you simply have a look at the Makefile.

If you want your flags to be persistent during a port-upgrade you can write them into the file

/usr/local/etc/pkgtools.conf

Example:

 MAKE_ARGS = {
   'mail/vpopmail' => [
      'WITH_PASSWD=yes',
      'WITH_VALIAS=yes',
      'WITH_MYSQL=yes',
      'WITH_CLEAR_PASSWD=yes',
      'WITH_QMAIL_EXT=yes',
   ],
   'mail/qmailadmin' => [
      'WITH_MODIFY_QUOTA=yes',
      'WITH_DOMAIN_AUTOFILL=yes',
      'CGIBINDIR=www/cgi-bin',
      'WEBDATADIR=www/data',
   ],
   'graphics/ImageMagick' => [
      'WITHOUT_X11=YES',
   ],
 }

Note that this only works for pkgtools!

There is an article about that here

Find out system information

As the /proc filesystem on BSD does not contain information such as cpuinfo and the like, you have to use another way to access it. You can use "sysctl" for that purpose:

 sysctl -a 

to find out specific information about a running system. You can restrict the output to one part of the tree by appending its name:

 sysctl -a hw

will only display fields which begin with hw.

SMTP configuration

If you want your FreeBSD box to be able to send mail, the easiest way to go is to configure ssmtp (see also http://wiki.freebsd.org/SecureSSMTP). Note, if you want the From: line not to get overwritten, you have to set this line:

FromLineOverride=YES

Now you can test it like this on a shell:

/usr/sbin/sendmail -ti
From: <test@example.com>
To: <destination@example.org>
Subject: Test
  
Hello Test,
This is a test.
<ctrl-d>

<Ctrl-d> is generic end-of-file.

(Credits: ftc :)

X11 forwarding

If you need X11 forwarding you have to install XFree86-4-clients or xorg-clients respectively. You also have to edit /etc/ssh/sshd_config and set X11Forwarding yes.

Compile-time flags for PHP used on mushroom/grinsekatz

The following flags have been used for the compilation of php4 on the hosts mushroom/grinsekatz:

NOTE: Those flags are in lang/php4-extensions! Not in php4 itself.

 BCMATH
 CALENDAR
 CTYPE
 DOMXML
 DOMXSLT
 EXIF
 FTP
 GD
 MCAL
 MCRYPT
 MHASH
 MIME
 MING
 MYSQL
 OPENLDAP
 OVERLOAD
 PCRE
 POSIX
 SESSION
 TOKENIZER
 XML
 XMLRPC
 XSLT
 ZIP
 ZLIB

LDAP Auth on FreeBSD

quick & dirty, don't complain if it doesn't work ;)

References:

Step by step:

  • install security/pam_ldap
  • Adjust /usr/local/etc/openldap/ldap.conf
  • make a symlink: ln -svf /usr/local/etc/openldap/ldap.conf /usr/local/etc
  • add session sufficient /usr/local/lib/pam_ldap.so to /etc/pam.d/sshd (XXX 2 more...)
  • adjust /etc/nsswitch.conf

Copy /usr/local/etc/ldap.conf.dist to /usr/local/etc/ldap.conf, then edit /usr/local/etc/ldap.conf in order to use this module. Add a line similar to the following to /etc/pam.conf on 4.X, or create an /etc/pam.d/ldap on 5.X and higher with a line similar to the following:

login   auth    sufficient      /usr/local/lib/pam_ldap.so

iSCSI on FreeBSD

Load the iSCSI kernel module or add iSCSI support to your kernel as described at http://www.cyberciti.biz/faq/freebsd-iscsi-initiator-howto/. Do not run the iscontrol command the way it is written there, that syntax does not work; this one does:

iscontrol -v -d -t192.168.0.41

Note that 192.168.0.41 is on an internal network of the host freezer in that example; this only works if you have configured that subnet too.

For stopping the jails on ZFS/iSCSI properly the following steps are required:

  • stop jail services
  • stop jails
  • unmount zfs: zfs unmount …
  • zpool export zpool
  • /usr/local/etc/rc.d/iscsi stop
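The five steps above as one sh function, added here as an example and not taken from the original page. It stops at the first failure, because exporting a pool that still has busy datasets, or dropping the iSCSI session underneath an imported pool, is how you end up with hung I/O and a pool that later needs a forced import. Assumptions not stated on the page: the jails are managed by the base /etc/rc.d/jail script (whose stop action runs /etc/rc.shutdown inside the jail and then removes it, which covers the first two steps), the pool is named zpool as in the export step, and the JAIL_RC, ISCSI_RC, ZFS and ZPOOL variables exist only so the commands can be swapped out for offline testing.

```shell
#!/bin/sh
# Added example, not from the original page: the shutdown steps for jails on
# ZFS over iSCSI, in order, aborting as soon as one of them fails.
# Assumptions: jails are run by /etc/rc.d/jail, the pool is called "zpool",
# and the iSCSI rc script is at the path the page gives.
set -u

JAIL_RC=${JAIL_RC:-/etc/rc.d/jail}
ISCSI_RC=${ISCSI_RC:-/usr/local/etc/rc.d/iscsi}
ZFS=${ZFS:-zfs}
ZPOOL=${ZPOOL:-zpool}

# stop_jails_on_iscsi POOL JAIL...   e.g.  stop_jails_on_iscsi zpool web db
stop_jails_on_iscsi() {
    pool=$1; shift
    # Steps 1 and 2: "rc.d/jail stop" runs /etc/rc.shutdown inside the jail
    # (stopping its services) and then removes the jail itself.
    for j in "$@"; do
        "$JAIL_RC" stop "$j" || { echo "jail $j did not stop, aborting" >&2; return 1; }
    done
    # Step 3: unmount only what is mounted, deepest datasets first, so that a
    # child mount never keeps its parent busy.
    for ds in $("$ZFS" list -H -o name,mounted -r "$pool" | awk '$2 == "yes" { print $1 }' | sort -r); do
        "$ZFS" unmount "$ds" || { echo "$ds is busy, aborting before export" >&2; return 1; }
    done
    # Step 4: export the pool so the iSCSI disk is released cleanly.
    "$ZPOOL" export "$pool" || { echo "export of $pool failed" >&2; return 1; }
    # Step 5: only now is it safe to drop the iSCSI session.
    "$ISCSI_RC" stop
}
```

A dataset with mountpoint=none is skipped by the mounted check, which is why the function does not simply loop over every name the pool reports.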

Configuring mail for the box

We either have to read the mail for the root user on a regular basis (using mail, for example) or we forward it to an external mailbox (recommended, since otherwise we forget about it anyway ;).

To do that we have to edit the file /etc/aliases. It should contain:

root:  myself@somedomain.org

When you edited that run the command newaliases to activate the changes.
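An added example, not from the original page, of the check that belongs after that edit: it follows the alias chain in an aliases(5)-style file and succeeds only when root's mail ends up at an address off the box, so that a chain like "root: admin" followed by "admin: myself@somedomain.org" is recognised while a dangling local name is reported. The nightly security output that periodic(8) mails to root is the usual thing that silently piles up when this is wrong. The script assumes the simple "name: target[, target]" form with # comments; continuation lines and :include: directives are not handled.

```shell
#!/bin/sh
# Added example, not from the original page. resolve_alias FILE NAME prints the
# final destination of mail for local user NAME according to an aliases(5)-style
# FILE, following chains such as "root: admin" / "admin: me@example.org".
# Exit status 0 when the mail leaves the box (target contains "@"), 1 when it
# stays in a local mailbox, a file or a program.
# Assumption: FILE has no continuation lines or :include: directives.
set -u

# first_alias_target FILE NAME: the first target listed for NAME, or nothing.
first_alias_target() {
    awk -v n="$2" '
        /^[ \t]*#/ { next }                       # comment line
        index($0, n ":") == 1 {                   # line starts with "NAME:"
            s = substr($0, length(n) + 2)         # text after the colon
            sub(/[ \t]*#.*/, "", s)               # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", s)        # surrounding blanks
            split(s, a, /[ \t]*,[ \t]*/)          # keep the first of several targets
            print a[1]; exit
        }' "$1"
}

resolve_alias() {
    file=$1 name=$2 depth=0
    while [ "$depth" -lt 10 ]; do                 # guard against alias loops
        target=$(first_alias_target "$file" "$name")
        [ -n "$target" ] || break                 # not aliased: stays in NAME's local mailbox
        case $target in
            *@*) echo "$target"; return 0 ;;      # external address: mail leaves the box
            *)   name=$target; depth=$((depth + 1)) ;;
        esac
    done
    echo "$name"
    return 1
}

# Typical use after editing /etc/aliases and running newaliases:
#   resolve_alias /etc/aliases root || echo "root mail is not forwarded off this box" >&2
```

The depth limit is there because sendmail only detects alias loops at delivery time; a check script should not hang on "a: b" / "b: a".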