Building & administering jails on FreeBSD, Part 1

June 21st, 2010

The FreeBSD jail(8) manpage & Chapter 15 of the FreeBSD handbook do a great job of explaining jails & helping you get on your way with creating them. This post builds on that information, covering alternative methods for getting your jails installed & adding what isn’t covered already, such as maintenance of jails (patching, to be specific) & version upgrades.

  • Part 1 (this post :) ) will cover alternative install methods & jail maintenance
  • Part 2 (not yet published) will cover upgrading to a new version of FreeBSD

Once completed, the information from these posts will be submitted for inclusion in the handbook.

So let’s begin. When creating a “complete” jail you have two options for the source of the userland: compile it from source code or use the prebuilt binaries from the install media. Both the jail manpage & handbook cover building from source code, so we won’t go over it again here.

One thing worth mentioning, though: if you want to build from source code, create a src.conf file & disable items which are not required. This should speed up the time required to build world & reduce the amount of disk space used by jails.

Here are two sample src.conf files, which disable building items such as firewalls (no use unless you’re using vimage), acpi or documentation:
Sample src.conf #1
Sample src.conf #2

To install the userland from installation media, first create the root directory for the jail, eg
mkdir -p /usr/jails/mynewjail
Set the $DESTDIR variable to this location. If using sh:
export DESTDIR=/usr/jails/mynewjail
If using csh/tcsh:
setenv DESTDIR /usr/jails/mynewjail
Mount the media (using the 8.0-RELEASE cd 1 iso in this example):
mount -t cd9660 /dev/`mdconfig -f /some/path/to/8.0-RELEASE-i386-disc1.iso` /mnt

Extract the binaries from the tarballs on the install media into your declared destination. Realistically you’ll only need to extract base, but you can do a complete install if you wish to.
To install just base:
cd /mnt/8.0-RELEASE/base; ./install.sh

You are about to extract the base distribution into /usr/jails/mynewjail – are you SURE
you want to do this over your installed system (y/n)?

To install everything but the kernel, if using sh:
cd /mnt/8.0-RELEASE; for dir in base catpages dict doc games info manpages ports; do (cd $dir ; ./install.sh) ; done
If using csh/tcsh:
foreach dir ( base catpages dict doc games info manpages ports )
cd /mnt/8.0-RELEASE/$dir; ./install.sh
end

All configuration steps from here on to get up and running are as specified in the jail man page & handbook.

Keeping jails up to date with patches
With default host settings the freebsd-update(8) tool doesn’t work inside a jail, as chflags(1) is not permitted in a jail. Set the sysctl security.jail.chflags_allowed to 1 to allow it & freebsd-update can then be used. Bear in mind that this lets a jailed root alter file flags (such as schg) on files inside the jail, so weigh it against the second option.
The other option is to patch the userland manually from the host OS. All that needs to be done is to pass the $DESTDIR to the make install command, eg.
In section 2b of the FreeBSD-SA-10:04.jail advisory you’re told to run
# make obj && make depend && make && make install
after patching; instead you would issue
# make obj && make depend && make && make install DESTDIR=/usr/jails/mynewjail
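As an added example (not code from the original post), here is a POSIX sh wrapper for the install-from-media loop above, with the same DESTDIR sanity check you would want before running make install DESTDIR=... from the host. The function names jail_check_destdir, jail_install_dists, make_fake_media and demo are my own, and make_fake_media builds a constructed stand-in for the mounted install media so the wrapper can be exercised offline.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.
# jail_check_destdir refuses destinations that would make a dist's install.sh
# (or "make install DESTDIR=...") extract over the host's own root.
jail_check_destdir() {
    d=$1
    case "$d" in
        "")  echo "DESTDIR is empty" >&2; return 1 ;;
        /)   echo "DESTDIR is /, refusing to extract over the host" >&2; return 1 ;;
        /*)  ;;
        *)   echo "DESTDIR must be an absolute path: $d" >&2; return 1 ;;
    esac
    [ -d "$d" ] || { echo "DESTDIR does not exist: $d" >&2; return 1; }
    return 0
}

# jail_install_dists MEDIA_ROOT DESTDIR DIST...
# Mirrors the sh loop in the post, eg:
#   jail_install_dists /mnt/8.0-RELEASE /usr/jails/mynewjail base manpages
# DESTDIR is passed only in install.sh's environment, so it never leaks into
# the caller's shell; install.sh's own y/n prompt is left intact.
jail_install_dists() {
    media=$1; dest=$2; shift 2
    jail_check_destdir "$dest" || return 1
    for dist in "$@"; do
        [ -x "$media/$dist/install.sh" ] || {
            echo "no install.sh for dist '$dist' under $media" >&2; return 1; }
        ( cd "$media/$dist" && DESTDIR="$dest" ./install.sh ) || return 1
    done
}

# Constructed stand-in for the mounted install media: each dist's install.sh
# only drops a marker file into $DESTDIR, so the wrapper can be run offline.
make_fake_media() {
    root=$1
    for dist in base manpages; do
        mkdir -p "$root/$dist"
        printf '#!/bin/sh\n: "${DESTDIR:?}"\ntouch "$DESTDIR/.extracted-%s"\n' \
            "$dist" > "$root/$dist/install.sh"
        chmod +x "$root/$dist/install.sh"
    done
}

# Stand-alone run against the constructed media tree.
demo() {
    tmp=$(mktemp -d) || return 1
    make_fake_media "$tmp/media"
    mkdir -p "$tmp/jails/mynewjail"
    jail_install_dists "$tmp/media" "$tmp/jails/mynewjail" base manpages
    ls -a "$tmp/jails/mynewjail"
    rm -rf "$tmp"
}

demo
```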

OpenNMS-dev port for FreeBSD

June 9th, 2010

I’ve created a new FreeBSD port for installing releases from the unstable branch of OpenNMS.
This port suffers from the same issue as the stable port

You can grab the port here

9/6/10
Initial port, installs version 1.7.92

Configuring OpenSolaris with IPv6 connectivity

May 27th, 2010

To configure OpenSolaris to use IPv6 NDP (neighbour discovery protocol), create an empty file named using the following convention:
/etc/hostname6.interface#:#
The first hash is the interface number & the second is a user-defined number for a logical interface, eg
/etc/hostname6.e1000g0:1

If you’re having DNS resolution issues, do
cp /etc/nsswitch.dns /etc/nsswitch.conf

To configure OpenSolaris to use a static IPv6 address, create a file using the same convention as mentioned during the NDP stage above & inside it add
addif ipv6address/mask up
eg
addif 2a01:300:200::1/64 up

To configure your default IPv6 router on OpenSolaris, create a file named /etc/defaultrouter6 & add the IP address inside.

The instructions above make the changes persist across reboots; if you’d like to make changes to the current session, the configuring an IPv6 network section of the IP Services Solaris administration guide is a handy reference.
These instructions should also apply to Solaris, though I haven’t tested it.
The source of information for this article was the IPv6hostsolaris wiki article.

Running rndc without specifying a port on Mac OS X

April 11th, 2010

The stock BIND config on Mac OS X (both client & server versions) is set to listen on TCP port 54 for control commands via rndc(8). The rndc utility however doesn’t have a config file, so it defaults to using TCP port 953, which means it has to be invoked with -p 54 to work properly. To rectify the issue create /etc/rndc.conf & add the following to it:
include "/etc/rndc.key";
options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 54;
};

IPlike port for FreeBSD

January 5th, 2010

As part of getting OpenNMS on FreeBSD via ports I’ve created a port for IPLIKE, which is a C implementation of the iplike stored procedure that’s used by OpenNMS.
You can download a copy of the port here

If I haven’t heard any bad reports by the end of the week, I will raise a PR to have it added to ports.

ports/142581 was committed earlier today

iplike commit message on freshports.org

The port can be found at databases/iplike, please update your ports

OpenNMS port for FreeBSD

January 27th, 2009

The port is for the current stable version, v1.6.2. It is in its very early stages; there are still some issues which need to be ironed out:

* The port will install just fine, except that it complains about some files listed in the pkg-plist which are not there. Well, they are there, but the files named are dynamically generated every time a build is attempted (jetty-webapps & webapps cache files), so this will need to be fixed.

* As there are issues with these filenames in the pkg-plist, make package fails.

* A problem with the jicmp dependency: it fails to detect that jicmp is installed & attempts to build & install it no matter what, & obviously fails if it is.

All the issues with the port listed above have been resolved; the port now just needs to be tested before submission for inclusion in ports.

You can grab the port here

11/5/09
Port updated to version 1.6.4; use the link above to fetch a new copy of the port.
There is an issue with the packing list: it currently doesn’t take into account new files that are created by things such as availability reports, which means when you come to remove the package some files are left behind, as well as empty directories. This will be solved in the next revision, when I’ll separate the location the data resides in from the binary & config files.

17/5/09
Port updated to version 1.6.5; again, use the link above to fetch a new copy of the port.
The issue with the packing list still exists in this version.

3/8/09
Updated the packing list so that it now includes some files which I missed before.
There are still issues with the packing list which need to be resolved.

5/1/10
Updated the port to 1.6.8. If you have a previous version of the port installed, back up your opennms directory before doing the upgrade, as files will be removed.
I have been working on separating the config files, logs & rrd data from the libraries & binaries etc. The OpenNMS build mechanism has support for this, allowing one to pass -Dinstall.etc.dir=/confdir/opennms-data/etc -Dopennms.home=/opt/opennms -Dinstall.logs.dir=/var/log to build.sh.
Unfortunately the source code doesn’t; there are 2 major hurdles which need to be passed before this will work correctly:
1) some files ignore some of the variables passed to build.sh, the most important one being install.etc.dir, see bug report
2) source files are hardcoded to look for files/directories under $opennms.home, eg the etc directory.
I have a whole bunch of diffs which I need to go over again as I’ve hit a wall. I would’ve included the patches with this update, but all the diffs manage to do is break things, so I removed them from this version.
The port now uses openjdk as it doesn’t suffer from the SIGSEGV issue experienced by some, including myself. A workaround if you want to remain with diablo or sunjdk is to disable IPv6 support in the JDK; you will also need to remove the if condition from the OpenNMS port Makefile as well.
I’ve also created a separate port for iplike here

18/3/10
Thanks to David Okeby for updating the port to version 1.6.9 & sharing a link in the comments section below. I’ve mirrored a copy of the port on this site & updated the download link; the original had resource files inside which I’ve removed.

6/4/10
Updated to version 1.6.10. As mentioned before, back up your opennms directory before upgrading to prevent data loss.

9/6/10
Updated to version 1.8.0; the port now requires openjdk 1.6 to run.

USB & Firewire support for NetBSD/cobalt 4.0

October 15th, 2008

The GENERIC kernel for NetBSD/cobalt 4.0 does not support USB or Firewire out of the box; I’ve created a set of patches (sourced from various threads on port-cobalt@) to add support.
You can grab the patches here
Once you have built & installed your new kernel, you will need to make a new MAKEDEV script:
cd /usr/src/etc
make MAKEDEV

& place the new copy of the script in /dev, then generate the device files for the newly supported devices by running
sh MAKEDEV usbs
I’ve successfully used five RS-232 to USB adapters on my Qube2 via a PCI ALi chipset USB & Firewire card on NetBSD 4.0.
ohci0 at pci0 dev 10 function 0: Acer Labs M5237 USB 1.1 Host Controller (rev. 0x03)
ohci0: interrupting at irq 9
ohci0: OHCI version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ohci1 at pci0 dev 10 function 1: Acer Labs M5237 USB 1.1 Host Controller (rev. 0x03)
ohci1: interrupting at irq 9
ohci1: OHCI version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
ohci2 at pci0 dev 10 function 2: Acer Labs M5237 USB 1.1 Host Controller (rev. 0x03)
ohci2: interrupting at irq 9
ohci2: OHCI version 1.0, legacy support
usb2 at ohci2: USB revision 1.0
uhub2 at usb2
uhub2: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 10 function 3: Acer Labs M5239 USB 2.0 Host Controller (rev. 0x01)
ehci0: interrupting at irq 9
ehci0: BIOS has given up ownership
ehci0: EHCI version 1.0
ehci0: companion controllers, 2 ports each: ohci0 ohci1 ohci2
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Acer Labs EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
fwohci0 at pci0 dev 10 function 4: Acer Labs product 0x5253 (rev. 0x00)
fwohci0: interrupting at irq 9
fwohci0: OHCI version 1.10 (ROM=1)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:90:e6:xx:xx:xx:xx:xx
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
ieee1394if0 at fwohci0: IEEE1394 bus
fwip0 at ieee1394if0: IP over IEEE1394
fwohci0: Initiate bus reset

uplcom0 at uhub4 port 1
uplcom0: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 3
ucom0 at uplcom0
uplcom1 at uhub4 port 2
uplcom1: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 4
ucom1 at uplcom1
uplcom2 at uhub4 port 3
uplcom2: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 5
ucom2 at uplcom2
uplcom3 at uhub4 port 4
uplcom3: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 6
ucom3 at uplcom3
uplcom4 at uhub0 port 2
uplcom4: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 7
ucom4 at uplcom4

BarCamp 3 slides from my talk

September 6th, 2008

As a first-time attendee of BarCamp Brighton I had to do a short presentation/talk about a topic of my choice. I decided to cover some basic pointers on how to avoid being flagged up on the radar of script kiddies; the talk was titled “Protecting your server against script kiddie attacks”.
You can grab a copy of the slides here
Cover image courtesy of linuxisforbitches.com
Thank you for the support Paul, Jim, Mike & the other people who attended.

Gigabyte GN-WI05GS-RH on OpenSolaris

July 19th, 2008

After installing the rum driver, run the following as root:
update_drv -a -i '"usb1044,800a"' rum

CoovaChilli 1.0.12 port for FreeBSD

June 18th, 2008

As v1.0.12 is finally released, I’ve updated the unfinished port for the SVN builds.
The todo list is kinda the same but I’m on the case this time & it’s fairly trivial to sort out; I just need feedback on any issues building the port & getting it up & running.

Grab the port here
If you need a main.conf to start with grab it here

29/6/08
Thanks to David Bird for working over the issues with coova on FreeBSD this weekend; the random coredump issue has been resolved & chilli_query now works properly, as well as coova itself! :)
I’ve updated the port, use the link above to download & test.

20/11/08
Updated the port to make it buildable on FreeBSD 7.0, added an rc script & sample configs. The port is nearly ready for submission; it’s now lacking documentation & a little cleaning up on scripts. Use the link above to fetch a new copy of the port.

11/1/09
Tidied up the scripts by removing Linux related references, e.g. iptables. The port has now been submitted for inclusion in the ports tree, ports/130357.
Use the link above to fetch a copy in the meantime.

20/1/09
Port committed.
Please note that the sample configs are now located in /usr/local/share/examples/coovachilli
The chillispot port has also been updated to prevent installation of both packages.


CoovaChilli port for FreeBSD committed

Going IPv6

June 9th, 2008

Looking for something to do this weekend, I remembered that a few years back, after reading Secure Architectures with OpenBSD, I’d signed up to freenet6. I retrieved my forgotten account details & logged in to the portal to get started, then remembered why I never got off the ground with this project: the client is a PITA to set up. A quick search of the ports tree showed up net/aiccu.
The description of the port:
AICCU makes it very easy for anybody to get IPv6 connectivity
everywhere they want. It uses the TIC (Tunnel Information & Control)
protocol to request the information needed to setup a tunnel through
which the connectivity is created.

AICCU supports the following tunneling protocols:
– 6in4 static (RFC 2893)
– 6in4 heartbeat (RFC 2893 + draft-massar-v6ops-heartbeat)
– tinc (http://www.tinc-vpn.org)
– AYIYA (draft-massar-v6ops-ayiya)

As AYIYA even works from behind NAT’s, thus unless there is a very
restrictive firewall in place, anybody should be able to get IPv6
connectivity without problems and everywhere they want.

One does need a SixXS account and at least a tunnel. These
can be freely & gratis requested from the SixXS website.

Before installing the port I headed over to the SixXS website to have a nose around. The FAQ is well worth a read; it lays down the basics of the signup process quite well.
The only hold up between signing up & getting going with your 1st tunnel is the wait for approval by the project admins, which, though the site says it can be as long as a week, only took a few hours for me (even on a Saturday! :))
The project works on a credit basis (there is no money involved); costs are broken down in the FAQ. Basically you start off with 25 credits, which allows you to get a tunnel for a single host setup at the cost of 15 credits.
Once you’ve been able to demonstrate that you can keep the tunnel up for seven days you’ll be credited 5 credits, which will give you enough credits to apply for a subnet.
Fingers crossed, if it all goes well I’ll be migrating my home network to IPv6 sometime next week.

The setup of the aiccu client was pretty straightforward; I just needed to provide my username & password in the config file. You don’t actually have to use the aiccu client, you can create a gif(4) manually, which is covered in the FAQ as well, but seeing as I’m a n00b at this I will ditch the client once I’m more comfortable. Before you fire up the client you need to configure your firewall rules so that IPv6 traffic is allowed, most importantly icmp6; details are covered in the FAQ.

So, now I have a tunnel set up, the next step is to find a registrar which supports IPv6 records to move my domains to. Surprisingly the big boys, Tucows, 1&1 & Go Daddy, don’t (well, Go Daddy allows the creation of AAAA records but you can’t use them for your NS records).
The FAQ once again has this covered here
Once I’ve transferred my domains across, I’ll be ditching OpenBSD 4.3 & moving to -CURRENT temporarily, as Apache supports IPv6 there.

RIP Jun-ichiro “itojun” Hagino

NetBSD 4.0 Cobalt restore CD Mk3

May 16th, 2008

New restore CD for the Cobalt Cube using Izumi Tsutsui’s updated restore CD script

You can grab a copy here

Dell PowerEdge T105 & *BSD

February 1st, 2008

Dell were running a special offer this week on the PowerEdge T105 servers.
For £173 inc VAT & shipping they make perfect test boxes; I placed the order on Monday & they were here on Thursday.
I’ve spent some of today trying out the AMD64 flavours of FreeBSD 6.3 & 7.0-RC1, NetBSD 4.0 & the 200802010002Z snapshot, OpenBSD 4.2 RELEASE & CURRENT.
One word of warning: the onboard Broadcom network card is a POS; you will need an additional network card installed in the system if you’re planning to have any means of connectivity to your box.
I used a cheapo Intel Pro/1000 GT PCI network card.

Here are some dmesgs:
FreeBSD 6.3-RELEASE AMD64
FreeBSD 7.0-RC1 AMD64
The Broadcom network card was enabled in the BIOS but wasn’t detected by the kernel.

I was unable to install NetBSD 4.0 & the 200802010002Z snapshot as the setup program claimed there weren’t any disks installed.

OpenBSD 4.2-RELEASE GENERIC kernel
OpenBSD 4.2-RELEASE GENERIC.MP kernel
OpenBSD 4.2-CURRENT GENERIC kernel
The Broadcom network card worked fine during the install process, as far as I was able to obtain an IP address from a DHCP server. Upon reboot, when the system went multiuser & the network card was initialised, the system would panic; using the Intel card instead stopped the panic on boot, but it still panicked on reboot. Disabling the Broadcom network card in the BIOS solved any panics. Screenshot
I was unable to test the 4.2-CURRENT GENERIC.MP kernel as the system failed to boot, complaining about
em0: watchdog timeout -- resetting
&
wd0a: device timeout writing fsbn 1885728 of 1885728-1885759 (wd0 bn 1885791; cn 11 tn 98 sn 12), retrying
Screenshot

I also booted the system off the FreeBSD-CURRENT snapshot using the bootonly iso; the Broadcom network card was detected, but the system panicked when attempting to obtain an IP address via DHCP.

NetBSD 4.0 Cobalt restore CD Mk2

January 23rd, 2008

I’ve rolled a new restore CD using the updated scripts Izumi Tsutsui posted on port-cobalt@

You can grab a copy here

It seems I made a mistake whilst building this new image. I have rebuilt & uploaded a new copy of the image; please re-download if you grabbed a copy of this yesterday.

NetBSD 4.0 Cobalt restore cd

December 29th, 2007

Using Izumi Tsutsui’s restore cd script I’ve rolled a restore cd for NetBSD/cobalt 4.0.
Everything should work A-OK; I’ve managed to restore my Qube2 using this image without any problems.

You can grab a copy here

dmesg output from Qube2 running NetBSD 4.0

CoovaChilli for FreeBSD

December 24th, 2007

I’ve created a long overdue port of CoovaChilli for FreeBSD. This should be considered a work in progress for a couple of reasons:
1) As the current stable release v1.0.11 doesn’t build on the BSDs, the port installs an SVN checkout of build 152, which resolves build issues with FreeBSD.
2) This is the result of a couple of hours of faffing around due to me being a bit rusty. The port definitely installs & uninstalls cleanly, but doesn’t install things in the right place as far as where things should live in the BSD userland, e.g. the www files are installed in {PREFIX}/etc/chilli/www, which is wrong, plus some other bits.
3) The port doesn’t include any of the additional docs/configs which were included with the chillispot port, eg a PF config.
4) No testing has been done apart from the fact that it builds correctly.

You can grab a copy of the port here
Copy the file to /usr/ports/net-mgmt & uncompress it.

Update:
Small change: the correct location of the localstate directory (/var) is now passed to configure. Redownload the file if you grabbed a copy previously.

Jetway J7F2WE1G5D-OC-PB

November 24th, 2007

6 months ago I bought a mini-ITX motherboard to replace my current ancient web server / firewall. I went for the Jetway J7F2WE1G5D-OC-PB as it was cheaper than the VIA ones & it also supports expansion via daughterboards; there’s a whole range to choose from. I went for the AD3RTLAN-G, which gives you three additional gigabit interfaces based on the Realtek 8169 chipset. Sadly this chipset does have some limitations, as mentioned in re(4) on OpenBSD:
The RealTek 8169, 8169S and 8110S chips are only capable of transmitting
Jumbo frames up to 7440 bytes in size.

But I’m sure that should be good enough for a network of 1 user! =)

Hopefully within the next couple of weeks I will get OpenBSD 4.2 installed on this box & replace the current server. The only holdup for me atm is that the builtin VIA Rhine-II interface doesn’t support adjustment of the MTU, which is going to cause some problems as I’m using pppoe(4) & don’t want to use mssfixup in PF; using one of the gigabit interfaces instead would be a waste.

Dmesg from the 21/11/07 snapshot of -CURRENT

1.5Ghz VIA C7 Mini-itx motherboard vs 8 Core MacPro

November 24th, 2007

The results from md5 -t:

Jetway J7F2WE1G5D-OC-PB Motherboard running OpenBSD
MD5 time trial. Processing 10000 10000-byte blocks...
Digest = 52e5f9c9e6f656f3e1800dfa5579d089
Time = 1.087264 seconds
Speed = 91973982.399859 bytes/second

8 Core MacPro running OS X 10.5
MD5 time trial. Digesting 100000 10000-byte blocks ... done
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 2.261262 seconds
Speed = 442230944.000000 bytes/second

Chillispot 1.1.0 for FreeBSD

August 11th, 2007

I’ve finally gotten around to bringing the FreeBSD port of Chillispot up to date with the current release (v1.1.0).
As v1.1.0 is considered unstable it will not overwrite v1.0, which is currently in the tree; it will instead live alongside it in net-mgmt/chillispot-dev.
I have not had a chance to test this port with any wireless clients yet but it should work in theory. The only difference between this port & the initial patch I made to make it buildable is that I’ve used an alternative method for dealing with clearenv(), as pointed out by Joe Marcus Clarke.

Grab a copy of the first revision of the port here

My new toy, Nokia 770

July 19th, 2007

I got myself a Nokia 770 after Richard pointed me in the direction of an e-tailer which had them in stock dirt cheap. I’ve been using the unit for the past 2 days & all I can say is the screen is amazing, the strength of the wifi aerial is really, really good, it’s a little slow loading apps but that’s not an issue for me. I’ve got all the essentials on there: openssh, rdesktop & vncviewer, mplayer & scummvm, plus there’s a whole load more at maemo.

The tiny screen, which runs at 800×400, means you can use rdesktop & every single detail on your screen is readable, something which my Axim can’t do.
Some of the installed apps on my Nokia 770

Minimo running on my Nokia 770

ScummVM running on my Nokia 770

The builtin Opera running on my Nokia 770