kb.hurricane-ridge.com » FreeBSD

Setting SCSI Timeout Values for FreeBSD VMs on VMware/NetApp

admin — Wed, 23 Jun 2010 23:07:29 +0000

NetApp requires setting a timeout value of 190 seconds for all VMware data stores on their filers to handle “long fabric or storage-side I/O interruptions”; this is done as follows on FreeBSD:

# sysctl kern.cam.da.default_timeout=190

This can be set permanently in /etc/sysctl.conf:

kern.cam.da.default_timeout=190

Elsewhere, I have seen a recommendation for FreeBSD on ESX that kern.cam.da.retry_count be set to 120.

Passing options to the Exim port on FreeBSD

admin — Wed, 31 Dec 2008 20:20:37 +0000

The Exim port on FreeBSD does not have a menu-driven configuration system accessible by running make config, although it does have a plethora of options described in /usr/ports/mail/exim/options. If using portupgrade, you can pass these options with the -m flag; for example:

# portupgrade -m "WITH_CONTENT_SCAN=yes WITH_SASLAUTHD=yes WITH_DOMAINKEYS=yes" exim

Reloading and Testing pf rulesets

admin — Tue, 30 Dec 2008 20:31:48 +0000

To test the ruleset in /etc/pf.conf, do the following:

sudo pfctl -n -f /etc/pf.conf sudo pfctl -n -v -f /etc/pf.conf

The second pfctl command displays the rules you’ve created; however, it can be easy to miss a syntax error warning in the verbosity – the first command will make it easy to spot those.

You can test the ruleset by having a second, completely open firewall ruleset that you can revert to called pf.conf-open containing just:

pass all

Then do the following, as root:

pfctl -f /etc/pf.conf; sleep 90; pfctl -f /etc/pf-open.conf

When you’re ready to reload the ruleset permanently, use the FreeBSD start/stop script:

sudo /etc/rc.d/pf reload

FreeBSD Jail Upgrade Instructions

admin — Mon, 29 Dec 2008 19:10:55 +0000

When upgrading via a patch, installing the patch can be done by adding a “DESTDIR” argument to make:# make install DESTDIR=/u1/jail/192.168.0.12
When upgrading from source (Adapted from Upgrading a Jail from Source):# setenv JAIL /u1/jail/192.168.0.12 # mergemaster -pd -D $JAIL # cd /usr/src && make installworld DESTDIR=$JAIL # mergemaster -svd -D $JAIL

Editing rc_conf_files on FreeBSD

admin — Mon, 29 Dec 2008 19:09:26 +0000

In FreeBSD’s /etc/default/rc.conf, the location of the rc.conf system configuration files is defined in the variable rc_conf_files. If you’re modularizing your rc.conf files – say, for use with Cfengine – you may be tempted to change the value of rc_conf_files in /etc/rc.conf or/etc/rc.conf.local. However, this change will not be picked up by itself – you need to call source_rc_confs after changing rc_conf_files, similar to this:

rc_conf_files="/etc/rc.conf /etc/rc.conf.local /etc/rc.conf.amd" source_rc_confs

(Tip seen on the freebsd-ports list.)

Overriding portaudit’s known vulnerabilities check

admin — Mon, 29 Dec 2008 19:07:52 +0000

When attempting to upgrade a port on FreeBSD, you may run into a problem like this:

> sudo portupgrade -rR php5 ---> Upgrading 'php5-5.1.6' to 'php5-5.1.6_1' (lang/php5) ---> Building '/usr/ports/lang/php5' ===> Cleaning for autoconf-2.59_2 ===> Cleaning for pkg-config-0.21 ===> Cleaning for libxml2-2.6.26 ===> Cleaning for perl-5.8.8 ===> Cleaning for m4-1.4.4 ===> Cleaning for help2man-1.36.4_1 ===> Cleaning for gmake-3.81_1 ===> Cleaning for libiconv-1.9.2_2 ===> Cleaning for p5-gettext-1.05_1 ===> Cleaning for gettext-0.14.5_2 ===> Cleaning for libtool-1.5.22_2 ===> Cleaning for php5-5.1.6_1 ===> php5-5.1.6_1 has known vulnerabilities: => php -- open_basedir Race Condition Vulnerability. Reference: => Please update your ports tree and try again. *** Error code 1 Stop in /usr/ports/lang/php5.

Portaudit has stopped your portupgrade because one of the ports you are installing has a known security vulnerability – it’s even handy enough to provide a link to more information.

But what if you are willing to accept or mitigate the risk of the security hole – how do you build the port without portaudit stopping you? The answer is the-DDISABLE_VULNERABILITIES flag:

> sudo portupgrade -rR -m -DDISABLE_VULNERABILITIES php5 Password: ---> Upgrading 'php5-5.1.6' to 'php5-5.1.6_1' (lang/php5) ---> Building '/usr/ports/lang/php5' with make flags: -DDISABLE_VULNERABILITIES ===> Cleaning for autoconf-2.59_2 ===> Cleaning for pkg-config-0.21 ===> Cleaning for libxml2-2.6.26 ===> Cleaning for perl-5.8.8 ===> Cleaning for m4-1.4.4 ===> Cleaning for help2man-1.36.4_1 ===> Cleaning for gmake-3.81_1 ===> Cleaning for libiconv-1.9.2_2 ===> Cleaning for p5-gettext-1.05_1 ===> Cleaning for gettext-0.14.5_2 ===> Cleaning for libtool-1.5.22_2 ===> Cleaning for php5-5.1.6_1 ===> Found saved configuration for php5-5.1.6_1 [...]

Obviously, use the -DDISABLE_VULNERABILITIES flag with caution. Tip seen at TaoSecurity.

Checking for modified files in installed FreeBSD ports or packages

admin — Mon, 29 Dec 2008 18:42:40 +0000

When upgrading FreeBSD ports, you will lose any customizations that you’ve made to files within the port; this is especially problematic with configuration files. A quick and easy way to check for modifications you may have made is to use the -g flag to pkg_info. For example:

> pkg_info -g -x drupal Information for drupal-4.6.9:

Mismatched Checksums: /usr/local/www/drupal/.htaccess fails the original MD5 checksum

In this case, you might want to preserve your .htaccess file to merge it back in to your drupal installation after upgrading.

Building FreeBSD Ports as an Unprivileged User

admin — Mon, 29 Dec 2008 18:40:54 +0000

Set the following in /etc/make.conf:

WRKDIRPREFIX=/home/anl/ports-build DISTDIR=/home/anl/ports-dist

WRKDIRPREFIX is a directory that the unprivileged user as able to write to; DISTDIR is the directory their downloads of source files are written to.

If the port you are building requires another port to be installed for it to be built, you will be prompted for the root password, so this technique is not suitable for unattended port installations.

Index of Sysctl Definitions

admin — Mon, 29 Dec 2008 18:37:56 +0000

EnderUNIX has a large glossary of user-contributed sysctl definitions.

Running a chrooted BIND in a FreeBSD Jail

admin — Mon, 29 Dec 2008 05:17:44 +0000

(N.B. – This document was originally written in 2006; I have not verified that it remains applicable to FreeBSD in 2008.)

Running a chrooted BIND server within a FreeBSD jail requires mounting its devfs outside of the jail; this document provides an RCng start stop script to do that.

Attempting to start BIND using the stock RCng script in a FreeBSD jail results in the following error:

> sudo /etc/rc.d/named start mount_devfs: Operation not permitted /etc/rc.d/named: WARNING: devfs_domount(): Unable to mount devfs on /var/named/dev devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted Starting named.

The reason for this is that you are unable to mount and manipulate the devfs for the chroot within the jail itself; it must be done in the parent of the jail. To do this at boot, the script below can be used.

#!/bin/sh

# PROVIDE: jailedchrootdevfs # REQUIRE: rcconf mountcritremote # BEFORE: jail # KEYWORD: nojail

. /etc/rc.subr

name="jailed-chroot-devfs" start_cmd='start' stop_cmd=':' #rc_debug=1

jailed_named_chrootdir='/u1/jail/192.168.1.234/var/named' start() { umount ${jailed_named_chrootdir}/dev 2>/dev/null devfs_domount ${jailed_named_chrootdir}/dev devfsrules_hide_all devfs -m ${jailed_named_chrootdir}/dev rule apply path null unhide devfs -m ${jailed_named_chrootdir}/dev rule apply path random unhide }

load_rc_config $name run_rc_command "$1"

Next, within the jail, edit /etc/rc.d/named to comment out the equivalent lines to those above, found within the chroot_autoupdate() function:

*** named Thu Feb 23 12:34:41 2006 --- ../../../../../etc/rc.d/named Thu Nov 3 00:12:06 2005 *************** *** 58,67 ****

# Mount a devfs in the chroot directory if needed # ! #umount ${named_chrootdir}/dev 2>/dev/null ! #devfs_domount ${named_chrootdir}/dev devfsrules_hide_all ! #devfs -m ${named_chrootdir}/dev rule apply path null unhide ! #devfs -m ${named_chrootdir}/dev rule apply path random unhide

# Copy local timezone information if it is not up to date. # --- 58,67 ----

# Mount a devfs in the chroot directory if needed # ! umount ${named_chrootdir}/dev 2>/dev/null ! devfs_domount ${named_chrootdir}/dev devfsrules_hide_all ! devfs -m ${named_chrootdir}/dev rule apply path null unhide ! devfs -m ${named_chrootdir}/dev rule apply path random unhide

# Copy local timezone information if it is not up to date. #

Notes on the RCng script:

Specifiying that the RCng script run BEFORE: jail ensures that the directory is mounted before the jail starts up, and starts its BIND process.
The devfs commands in start() are adapted from the /etc/rc.d/namedscript.
/etc/rc.subr contains the devfs_domount subroutine; load_rc_config $name is required to load the devfs variables it needs to work.

Other notes:

You will need to set the security.jail.allow_raw_sockets sysctl to 1 to allow named to open a UDP socket.