Archive for June, 2008

Installing bcron on FreeBSD 7.0

Posted by Ville Walveranta in Technical on 30 June 2008

bcron is a better cron (though the “b” in the name probably comes from the first name of its writer, Bruce Guenter).  It was created with security in mind, and is especially well suited for multi-user systems where the individual users need to be given access to their respective crontabs. With bcron this can be accomplished without compromising the system security.  Here’s a quote from the bcron page:

This is bcron, a new cron system designed with secure operations in mind. To do this, the system is divided into several seperate programs, each responsible for a seperate task, with strictly controlled communications between them. The user interface is a drop-in replacement for similar systems (such as vixie-cron), but the internals differ greatly.

As of writing of this bcron can not be found in the FreeBSD 7.0 ports system. Fortunately its installation is fairly straightforward.  Yet the included documentation is rather spartan so I provide a more complete outline below.

  1. Install latest bglibs if not yet installed** bglibs is best to install from a downloaded tarball rather than from the ports (while the ports version installs the libs in a more logical location at /usr/local/lib/bglibs/ the programs that utilize the library (bcron, ucspi-unix, etc.) have difficulty locating it.

    ** few symlinks are required (these refer to the locations bglibs installs itself when compiled from the tarball rather than from the ports):

    /usr/local/bglibs -> /usr/local/lib/bglibs
    /usr/local/bglibs/lib/libbg-sysdeps.so.2 -> /usr/local/lib/libbg-sysdeps.so.2
    /usr/local/bglibs/lib/libbg.so.2 -> /usr/local/lib/libbg.so.2

  2. Install ucspi-unix if not yet installed as bcron components communicate via UNIX sockets. This requires bglibs and also compiles and installs well using a downloaded tarball (it’s also available in ports at /usr/ports/sysutils/ucspi-unix, but I prefer to compile it from the downloaded tarball).
  3. Make sure /var has been moved off the root to /usr/var before proceeding. See an older post for details.
  4. Make sure daemontools (and hence supervise) has been installed and is operational as bcron will be started with it.
  5. Create a system user “cron” (for example by using vipw command) and group “cron” (by editing /etc/group). This user/group will own all the crontab files (though not /etc/crontab as it’s system crontab and needs to be owned by root:wheel).

    user:
    cron:*:50:50::0:0:BCron Sandbox:/nonexistent:/usr/sbin/nologin

    group:
    cron:*:50:

  6. Create the spool & tmp directories:
    mkdir -p /var/spool/cron/crontabs /var/spool/cron/tmp
    mkfifo /var/spool/cron/trigger
    sh
    for i in crontabs tmp trigger; do
    chown cron:cron /var/spool/cron/$i
    chmod go-rwx /var/spool/cron/$i
    done
  7. Create the configuration directory /usr/local/etc/bcron:mkdir -p /usr/local/etc/bcron** You can put any common configuration settings into this directory (it is an “ENVDIR”), like alternate spool directories in BCRON_SPOOL.
  8. Create the bcron service directories (there are three services) and add the scripts below it:

    mkdir -p /var/bcron/supervise/bcron-sched/log
    mkdir /var/bcron/supervise/bcron-spool
    mkdir /var/bcron/supervise/bcron-update

    Set their permissions to 1750 for security purposes (no world access, sticky bit):

    chmod 1750 /var/bcron/supervise/bcron-sched
    chmod 1750 /var/bcron/supervise/bcron-spool
    chmod 1750 /var/bcron/supervise/bcron-update

    Make all the run and log/run scripts executable by root, readable by group:

    chmod 740 /var/bcron/supervise/bcron-sched/run
    chmod 740 /var/bcron/supervise/bcron-sched/log/run
    chmod 740 /var/bcron/supervise/bcron-spool/run
    chmod 740 /var/bcron/supervise/bcron-update/run

    and make log bcron-sched subdir accessible by root, group:

    chmod 750 /var/bcron/supervise/bcron-sched/log

    RUN SCRIPTS:
    /var/bcron/supervise/bcron-sched/run:

    #!/bin/sh
    exec 2>&1
    exec envdir /usr/local/etc/bcron bcron-start | multilog t /var/log/bcron

    /var/bcron/supervise/bcron-sched/log/run:

    #!/bin/sh
    exec >/dev/null 2>&1
    exec \
    multilog t /var/log/bcron

    /var/bcron/supervise/bcron-spool/run:

    #!/bin/sh
    exec >/dev/null 2>&1
    exec \
    envdir /usr/local/etc/bcron \
    envuidgid cron \
    sh -c ‘
    exec \
    unixserver -U ${BCRON_SOCKET:-/var/run/bcron-spool} \
    bcron-spool

    /var/bcron/supervise/bcron-update/run:

    #!/bin/sh
    exec >/dev/null 2>&1
    exec \
    bcron-update /etc/crontab

  9. Kill the deafult cron daemon and add the following to rc.conf so it won’t restart on reboot:

    #disable default cron; bcron is used instead (started by supervise)
    cron_enable=”NO”

  10. Symlink bcron services’ primary supervise directories to under /var/service to start bcron services (you can also use svc-add command if you have installed supervise-scripts):
    ln -s /var/bcron/supervise/bcron-sched /var/service/bcron-sched
    ln -s /var/bcron/supervise/bcron-spool /var/service/bcron-spool
    ln -s /var/bcron/supervise/bcron-update /var/service/bcron-update
  11. Set /etc/crontab permissions to 600, and make sure it’s owned by the root.
    chmod 600 /etc/crontab
    chown root:wheel /etc/crontab

    ** For other users the owner of the crontab file in their respective home folders would be cron:cron.

  12. Edit /etc/crontab and test that it gets updated. Note that there is a brief delay, perhaps one minute or so, after you save the crontab until the change becomes effective. Also note that the default shell for the crontab is /bin/sh. You might want to change it to something more powerful like c-shell (/bin/csh) or bash (/bin/bash) that you’re familiar with. You may also want to augment the default path, for example, by including /usr/local/bin for user-installed commands.

, ,

No Comments

Installing daemontools service supervisor on FreeBSD 7.0

Posted by Ville Walveranta in Technical on 30 June 2008

D. J. Bernstein’s daemontools includes a service supervisor which ensures services it supervises are restarted should they ever stop due to a program/system error. Daemontoos is easy to install, and is best installed from FreeBSD’s ports system at /usr/ports/sysutils/daemontools.  Be sure to also install the manual, which you can find in a sub-directory work/daemontools-man. The README file that can be found within instructs to [manually] install the manual entries using the command gzip *.8 ; cp *.8.gz /usr/share/man/man8/ (while residing in the daemontools-man directory). Once installed, there are few additional steps to do:

  1. Copy /usr/ports/sysutils/daemontools/work/svscan.sh.sample to
    /usr/local/etc/rc.d/svscan.sh and give it owner execute privileges with
    chmod 700 /usr/local/etc/rc.d/svscan.sh
  2. Create /var/service and create a symlink to it from /service
    mkdir /var/service
    ln -s /var/service /service
  3. Add following to /etc/rc.conf:
    #start /var/service scanning
    svscan_enable=”YES”
  4. Reboot the system (svscan will *not* start on a BSD system before the system is rebooted)

Optionally you can also install Bruce Guenter’s supervise-scripts that make life a whole lot easier with daemontools’ supervise.

  1. Install latest bglibs if not yet installed
    ** bglibs is best to install from a downloaded tarball rather than from the ports (while the ports version installs the libs in a more logical location at /usr/local/lib/bglibs/ the programs that utilize the library (bcron, ucspi-unix, etc.) have difficulty locating it.** few symlinks are required (these refer to the locations bglibs installs itself when compiled from the tarball rather than from the ports):
    /usr/local/bglibs -> /usr/local/lib/bglibs
    /usr/local/bglibs/lib/libbg-sysdeps.so.2 -> /usr/local/lib/libbg-sysdeps.so.2
    /usr/local/bglibs/lib/libbg.so.2 -> /usr/local/lib/libbg.so.2
  2. Download, compile, and install supervise-scripts. Once installed, you’ll find new commands svc-start, svc-stop, svc-restart, svc-add, svc-remove, svc-isdown, svc-isup, svc-waitdown, svc-waitup, and svc-status in /usr/local/bin. These make scripting and managing services much easier.

When switching programs to be svscan-started and svscan-managed, remember to make sure they’re not being started either as default services by the system, or that a prior startup setting doesn’t exist in  /etc/rc.conf. Disable them (depending on the service) by commenting out the startup in /etc/rc.conf, by adding a “NO” clause in /etc/rc.conf (such as cron_enable=”NO”), or by disabling the corresponding startup script in /usr/local/etc/rc.d.

If you mess up a service initialization, uninstall the failed service (i.e. unlink the service’s primary service directory from /var/service), delete the “supervise” subfolders (and “down” file if present) from the service’s primary service directory (there’s one also in the “log” subfolder). Then reboot the system, and reinstall the service either by using the supervise-scripts command svc-add, or by simply symlinking the service’s primary service directory to /var/service (for example ln -s /var/db/mysql-supervise /var/service/mysql).

, , ,

3 Comments

Moving var, tmp Off the Root in FreeBSD

Posted by Ville Walveranta in Technical on 28 June 2008

One one of the first things I do on a newly installed FreeBSD system is to move /var and /tmp to under /usr. Since I usually allocate about 4Gb for the root slice and the rest of a disk—usually several hundred gigabytes—goes to /usr (well, there’s also the swap slice that takes few gigabytes) having /var and /tmp there is more comfortable as some log files, database files, or some temp files can sometimes grow to multi-gigabyte size and exhaust the root space.

Below is a simple procedure to move the /var to /usr/var and /tmp to /usr/var/tmp. This is best to do early on in a new system installation since many services tend to hook into /tmp and/or /var, and may thus lock files in those directories making the move more difficult. If you’re making this move on an established system, at least stop all the services that might interfere with the process (such as database services). It might even be a good idea to boot into a single user mode (if you do so, remember to correctly mount your disks before proceeding). I usually do this early in a new system install, before installing any major services, or at least before scripting them to run.

  1. Move /var to /usr/var

    mkdir /usr/var
    cd /var
    tar cvf - . | (cd /usr/var; tar xvf - )
    cd /
    chflags -R noschg /var
    rm -rf /var
    ln -s /usr/var /var

  2. Move /tmp to /usr/var/tmp

    mkdir /usr/var/tmp
    cd /tmp
    tar cvf - . | (cd /usr/var/tmp; tar xvf - )
    cd /
    chflags -R noschg /tmp
    rm -rf /tmp
    ln -s /usr/var/tmp /tmp
    chmod -h 777 /tmp
    chmod 1777 /usr/var/tmp

, , ,

2 Comments

FreeBSD 7.0-RELEASE Kernel Optimization

Posted by Ville Walveranta in Technical on 28 June 2008

Below is my FreeBSD 7.0 kernel configuration file.  I created it on my reference system, to be used on four production servers whose hardware configurations differ some.  For that reason there’re few options (indicated as “[OPTION]“) that are conditional for the configurations. I’ve also left in IPv6 options which are currently commented out, but that I may take into use later if/when IPv6 becomes more prevalent in the environment these servers operate.

  |  copy code |? 
001
002
#
003
# INERTIA -- Inertia kernel configuration file for FreeBSD/i386
004
#
005
# For more information on this file, please read the handbook section on
006
# Kernel Configuration Files:
007
#
008
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
009
#
010
# The handbook is also available locally in /usr/share/doc/handbook
011
# if you've installed the doc distribution, otherwise always see the
012
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
013
# latest information.
014
#
015
# An exhaustive list of options and more detailed explanations of the
016
# device lines is also present in the ../../conf/NOTES and NOTES files.
017
# If you are in doubt as to the purpose or necessity of a line, check first
018
# in NOTES.
019
#
020
# Based on
021
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.474.2.2.2.1 2008/02/06 03:24:28 scottl Exp $
022
 
023
ident		INERTIA
024
machine		i386
025
cpu		I686_CPU
026
 
027
options		SMP 			# Symmetric MultiProcessor Kernel (`device apic' is also required for multiprocessor use)
028
options 	SCHED_4BSD		# 4BSD scheduler
029
options 	PREEMPTION		# Enable kernel thread preemption
030
options 	INET			# InterNETworking
031
#options 	INET6			# IPv6 communications protocols
032
options 	FFS			# Berkeley Fast Filesystem
033
options 	SOFTUPDATES		# Enable FFS soft updates support
034
options 	UFS_ACL			# Support for access control lists
035
options 	UFS_DIRHASH		# Improve performance on big dirs
036
options 	CD9660			# ISO 9660 Filesystem
037
options 	PROCFS			# Process filesystem (requires PSEUDOFS)
038
options 	PSEUDOFS		# Pseudo-filesystem framework
039
options		MSDOSFS			# MSDOS filesystem support (for floppies)
040
options 	COMPAT_43		# Compatible with BSD 4.3 (required)
041
options 	COMPAT_FREEBSD4		# Compatible with FreeBSD4
042
options 	COMPAT_FREEBSD5		# Compatible with FreeBSD5
043
options 	COMPAT_FREEBSD6		# Compatible with FreeBSD6
044
options 	SCSI_DELAY=15000	# Delay (in ms) before probing SCSI (TWA/TWE issue)
045
options 	KTRACE			# ktrace(1) support
046
options 	SYSVSHM			# SYSV-style shared memory
047
options 	SYSVMSG			# SYSV-style message queues
048
options 	SYSVSEM			# SYSV-style semaphores
049
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
050
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev, may be needed to hot-plug USB keyboards
051
options 	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug output
052
options 	AHD_REG_PRETTY_PRINT	# Print register bitfields in debug output
053
options 	ADAPTIVE_GIANT		# Giant mutex is adaptive
054
options		ACCEPT_FILTER_HTTP	# Must be here or AcceptFilter won't work w/Apache2
055
options		SC_DISABLE_REBOOT	# Disable Ctrl-Alt-Del reboot (this is a server)
056
 
057
device		apic			# I/O APIC (required)
058
device		npx   			# The Numeric Processing eXtension driver (required)
059
 
060
device		pci
061
device		isa			# Required by npx
062
 
063
device		fdc			# Floppy drives
064
 
065
device		ata			# ATA and ATAPI devices
066
device		atadisk			# ATA disk drives
067
device		ataraid			# ATA RAID drives [OPTION]
068
device		atapicd			# ATAPI CDROM drives
069
options 	ATA_STATIC_ID		# Static device numbering
070
 
071
device		scbus			# SCSI bus (required for SCSI, ALSO REQ'D FOR SATA-RAID, USB/umass)
072
device		da			# Direct Access (disks)
073
device		pass			# Passthrough device (direct SCSI access)
074
 
075
#device		twe			# 3ware ATA RAID [OPTION]
076
#device		twa			# 3ware 9000 series PATA/SATA RAID [OPTION]
077
#options	TWA_DEBUG		# 0-10; 10 prints the most messages; enable for twa debug only
078
 
079
device		atkbdc			# AT keyboard controller
080
device		atkbd			# AT keyboard
081
device		kbdmux			# keyboard multiplexer
082
 
083
device		vga			# VGA video card driver
084
device		sc			# syscons, the default console driver
085
device		sio			# 8250, 16[45]50 based serial ports
086
 
087
device		ppc			# Parallel port
088
device		ppbus			# Parallel port bus (required)
089
device		lpt			# Printer
090
device		ppi			# Parallel port interface device
091
 
092
#device		miibus			# MII bus support (required by some NICs) [OPTION]
093
#device		fxp			# Intel EtherExpress PRO/100B (82557, 82558); requires miibus [OPTION]
094
device		em			# Intel PRO/1000 adapter Gigabit Ethernet Card [OPTION]
095
 
096
options		DEVICE_POLLING		# Imporoves network driver performance
097
 
098
device		coretemp		# On-die temperature sensor on Intel Core and newer CPUs [OPTION]
099
 
100
device		loop			# Network loopback
101
device		random			# Entropy device
102
device		ether			# Ethernet support
103
device		pty			# Pseudo-ttys (telnet etc)
104
#device		gif			# IPv6 and IPv4 tunneling
105
#device		faith			# IPv6-to-IPv4 relaying (translation)
106
device		bpf			# Berkeley packet filter
107
 
108
# USB support [OPTION]
109
device		uhci			# USB support / UHCI PCI->USB interface
110
device		ohci			# USB support / OHCI PCI->USB interface
111
device		ehci			# USB support / EHCI PCI->USB interface (USB 2.0)
112
device		usb			# USB support / USB Bus (required)
113
device		ugen			# USB support / Generic
114
device		uhid			# USB support / "Human Interface Devices"
115
device		ukbd			# USB support / Keyboard
116
device		umass			# USB support / Disks/Mass storage - Requires scbus and da
117
 
118
options		COMPAT_LINUX		# Linux compat / Enable Linux ABI emulation
119
options		COMPAT_AOUT		# Linux compat / Enable i386 a.out binary support
120
options		LINPROCFS		# Linux compat / Enable procfs support (COMPAT_LINUX / PSEUDOFS)
121

      

                      
, , , , 

                    

                        No Comments
          

          

      

      
          
      

        
FreeBSD 7.0 New Install

        
        

            

            

            Posted by Ville Walveranta in Technical on 28 June 2008 

            

        

        
      

        
I’ve been running various versions of FreeBSD since 2001, and over that time the installation procedure has changed several times as new versions of the operating system have been released. Since I’m jack of all trades (or at least many trades), often several months or more passes without significant work in the UNIX environment, and my memory fades as I’m engrossed in something completely different such as software development work. I’m still running FreeBSD 6.1 in production environments, but want to make the move to 7.0 soon. Before doing so, however, I decided to set up a reference system and document the setup process to avoid major surprises (or my own memory glitches) as I reinstall the OS on the production systems — and hopefully have as a result minimum downtime possible.


Step one… FreeBSD installation using the Custom install. I post my notes below; perhaps someone will find this useful. The system is being set up as a web/db/mail server that is administered remotely; no X11 is needed or desired.


    

  1. Use custom install w/defaults except..
    
Skip PCCARD: YES
    
Media Type: CDROM
    2. 

  2. Set keymap if not ASCII (I use Finnish keyboard so I selected “Finnish ISO”) and timezone in post install.
    3. 

  3. Old mount point & label info is ok (from the older installations). I use “4069M” for boot, “6100M” for swap, and rest for application data (generally a largish RAID-5 or RAID-6 array is used), the respective mount point labels are “/”, swap, and “/usr”. I use standard boot record since no other operating systems are installed on the system. Boot drive is made bootable, softupdates is enabled on the data slice.
    4. 

  4. Configure network, system name, keyboard map (sysinstall should’ve created delta for it) in /etc/rc.conf.  Much more should and will go into it, but the basics that will get the system online are:
    

    
keymap="finnish.iso" #obviously optional :)
    
hostname="this.systemname.com"
    
defaultrouter="192.168.1.1"
    
ifconfig_em0="inet 192.168.1.99 netmask 255.255.255.0" #currently installing behind a firewall
    
fsck_y_enable="yes" #this is good to set in case your system crashes during setup without orderly shutdown.. you don't have to press "yes" a million times
    

    
Note that you may have a different kind of network interface and you might have to adjust the “ifconfig_em0 accordingly.
    5. 

  5. Configure DNSes in /etc/resolv.conf. I use OpenDNS servers, like so:
    

    
domain          this.systemname.com
    
nameserver      208.67.222.222
    
nameserver      208.67.220.220
    6. 

  6. If you’re basing this installation on an older install, import your old .cshrc or the equivalent alias/setting file of your favorite shell (makes the life easier as aliases work, etc).
    7. 

  7. If you’re not using X11, enter `WITHOUT_X11′ in /etc/make.conf so you don’t have to set it in the environment every time.
    

    
WITHOUT_X11=yes #don't compile GUI to ports apps
    
CPUTYPE=i686 #set this for modern Intel CPUs
    
KERNCONF=YOUR_KERNEL_CONF_FILE_NAME
    
OPENSSLBASE=/usr/local #obviously if you use OpenSSL
    8. 

  8. Build /usr/ports/net/cvsup with WITHOUT_X11 set in make.conf (as above) or in the environment, or use /usr/ports/net/cvsup-without-gui/ and update the ports tree.First create /usr/local/etc/cvsup/supfile.ports containing:
    

    
*default host=cvsup12.FreeBSD.org
    
*default base=/usr/local/etc/cvsup
    
*default prefix=/usr
    
*default release=cvs tag=.
    
*default delete use-rel-suffix
    
ports-all
    

    
If you want to use the fastest cvs server available, install /usr/ports/sysutils/fastest_cvsup/ and run with fastest_cvsup -c us (replace ‘us’ with your local country code if you’re not in the U.S. :-) ), then use the cvs server indicated as the default host. Then update ports with
    
/usr/local/bin/cvsup -g -L 2 /usr/local/etc/cvsup/supfile.ports
    

    You can use an optional `-d 100′ to limit file deletions to 100 initially to make sure update is working and the entire ports tree won’t be wiped out. Then remove it for full run (intial run *will* need to delete more than 100 files, but they’re not all in sequence)
    9. 

  9. Build & install /usr/ports/editors/joe (or whatever your favorite editor might be); this makes life easier as configuration progresses.
    10. 

  10. Build & install /usr/ports/security/openssh-portable. Use defaults + select `Enable CHROOT support’ (for later use)
    11. 

  11. Create a non-root user for remote login. vipw is an easy way to manage users.
    12. 

  12. Configure OpenSSH daemon in /usr/local/etc/ssh/sshd_config & make sure sshd starts (set openssh_enable=”yes” in /etc/rc.conf, and make sure the start file is called /usr/local/etc/rc.d/openssh.sh; reboot may be required to create the necessary server keys & start the service (confirm with ps -waux | grep “ssh”).sshd_config params of note (for initial access) are..
    

    
AllowUsers root MyUserName
    
PermitRootLogin without-password #allow root login only with a RSA-key
    
PasswordAuthentication yes
    
UsePAM no
    
UseDNS no
    

    
** remote login should be possible at this point **
    13. 

  13. Create /usr/local/etc/cvsup/supfile.sources with the below content, then update sources with /usr/local/bin/cvsup -g -L 2 /usr/local/etc/cvsup/supfile.sources
    

    
*default host=cvsup17.FreeBSD.org
    
*default base=/usr/local/etc/cvsup
    
*default prefix=/usr
    
*default release=cvs tag=RELENG_7_0
    
*default delete use-rel-suffix
    
src-all
    
doc-all
    14. 

  14. Review kernel configuration at /usr/src/sys/i386/conf (see my kernel defaults in the next post).
    15. 

  15. Build & install new world if any deltas were applied in source update:
    
cd /usr/src && make buildworld.
    
If there are problems, try the following, then run buildworld again.
    

    
cd /usr/obj
    
chflags -R noschg *
    
rm -rf *
    

    
When buildworld completes, reboot the system, select option 4, or interrupt the reboot (option 6) and type boot -s to boot into single user mode; accept /bin/sh as the shell, then continue with the following commands to install new world:
    

    
mount -u /
    
mount -a -t ufs
    
swapon -a
    

    cd /usr/src
    
make installworld
    

    exit (goes multi-user)
    16. 

  16. Build custom kernel & install with below commands:
    

    
cd /usr/src
    
make cleandir
    
make buildkernel
    
    if this fails, try cd /usr/src/usr.sbin/config/ && make depend all install clean and also check your kernel configuration file for problems, then start the above build process again.
    17. 

  17. Make a backup copy of the old kernel and install the new:
    

    
cp -Rp /boot/kernel /boot/kernel.recent
    
make installkernel
    18. 

  18. Reboot & confirm that the latest kernel version is running with uname -a  (or uname -rs).
    19. 

  19. Make a copy of the functional kernel if boot is ok:chflags -R noschg /boot/kernel && cp -Rp /boot/kernel /boot/kernel.save && chflags -R schg /boot/kernel
    

    20. 

  20. Set /boot/loader.conf parameters, like so:
    

    
kern.ipc.nmbclusters=16384   # Set the number of mbuf clusters
    
kern.ipc.maxsockets=16384    # Set the number of tcp sockets
    
kern.ipc.maxpipekva=67108864
    
kern.maxusers=128
    21. 



Basic install & kernel setup is now complete.

      

                      
, , 

                    

                        5 Comments