Systems and their services

All hosts are now listed in dfriadm/sysadmin/hosts/ instead of here.

Fresh install of FreeBSD

Make sure that all file systems are mounted multilabel -- tunefs -l is required prior to mounting. The root partition can be tricky: reboot into single-user mode and run mount -u / to remount it read-write before tunefs. mount -o ro / was needed, at least on FreeBSD 9.1.

Suggested partitioning

4G /
8G swap
2G /tmp
20G /home
20G /usr
10G /var
* /var/jail

Getting a new FreeBSD world and kernel

We almost never want to build our own kernel and world, but there are situations where we do.

In order to build the kernel and the world you need FreeBSD sources. Get them through cvsup(1) (net/cvsup-without-gui) and a supfile. The supfile for a machine running FreeBSD-9.0 might look like this:

*default host=cvsup.se.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_9_0
*default delete use-rel-suffix
*default compress
src-all

Bring home the source and build the world with:

cvsup /etc/cvsup
cd /usr/src && make buildworld

See /usr/src/Makefile for detailed information on how to build and install a new kernel. Don't forget to read /usr/src/UPDATING.

Jails

Jails are being run in two different ways -- "service" jails and "full" jails (a.k.a. "complete" jails). We are moving towards running full jails on all machines with sufficient disk space.

Today we're running full jails on all machines.

Full jails

Two nice things about full jails are that you can freebsd-update them and that they can be moved to another host system quite easily. They cost some disk space though, about 550MB.

In order to create a new full jail you can use the dfrijail.sh script, after adding its name in DNS:

./dfrijail.sh install JAIL-FQDN

If for some reason you cannot do that, create a jail with

bsdinstall jail /var/jails/$NEWJAIL

and set it up manually afterwards.

The installer will seem to hang after "Add User Accounts", but it is probably just waiting for newaliases to time out. For debugging info, try

bsdinstall -D /tmp/$NEWJAIL.log jail /var/jails/$NEWJAIL

See Tor operations for information on how to install and run Tor in a full jail.

Service jails

We base the setup on http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html.

Create a new jail like this:

  1. export jail=NAME
  2. edit /etc/fstab
  3. edit rc.conf
  4. cpdup /usr/j/skel /usr/js/$jail
  5. mkdir /usr/j/$jail
  6. mount -a # mount: /usr/j/JAIL-NAME/s/portbuild: No such file or directory
  7. mkdir -p /usr/j/$jail/s/portbuild/usr/ports/packages
  8. mount -a
  9. /etc/rc.d/jail start $jail

Keep the ports tree updated in the jails by running:

portsnap -p /usr/j/mroot/usr/ports fetch update

This is done nightly on some systems ('tex').

Building packages in the 'build' jail (but also see build2)

portmaster -dg --delete-build-only <section>/<port>

Installing/updating packages in other service jails

pkg install <package>

Building packages in the 'build2' jail

To create a new package repository for all ports currently installed and replace the current repository:

pkg create -o /usr/ports/packages.new -a
pkg repo /usr/ports/packages.new /root/dfrirepo.key
mv /usr/ports/packages/All /usr/ports/All.`date "+%Y%m%d%H%M"`
mv /usr/ports/packages.new /usr/ports/packages/All

To add a package to the repository:

portsnap fetch update
nice portmaster -dg <section>/<port>
pkg repo /usr/ports/packages/All /root/dfrirepo.key

To update all ports that need updating, build packages for them and update the repository:

portsnap fetch update
nice portmaster -dyga
#TODO: remove duplicates
pkg repo /usr/ports/packages/All /root/dfrirepo.key

Note that it might be easier to build a new package repository than to remove all the duplicates (see above). It takes longer, though, since all packages have to be recreated; expect this to take about 15 minutes.
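A shell wrapper for the rebuild-and-replace steps above, added here as an example (it is not DFRI's own script). It adds the two checks a practitioner wants before the swap: that the signing key in /root/dfrirepo.key is not readable by other users, since every client that sets signature_type pubkey trusts whatever it signs, and that pkg repo actually produced a catalogue before the new directory replaces the live one. Assumed and not on the page: the PKG/KEY/PKGDIR/NEWDIR/BACKUPDIR variables and the catalogue file names meta.txz and packagesite.txz (pkg 1.2 and later).

```shell
#!/bin/sh
# Added example, not DFRI's own script: rebuild the signed 'build2' package
# repository as the steps above do, with two checks in front of the swap.
# Paths default to the ones on this page; PKG is a variable only so the
# logic can be exercised without pkg(8). Catalogue names are an assumption.
set -eu

PKG=${PKG:-pkg}
KEY=${KEY:-/root/dfrirepo.key}
PKGDIR=${PKGDIR:-/usr/ports/packages}     # All/ is what build2.dfri.se serves
NEWDIR=${NEWDIR:-/usr/ports/packages.new}
BACKUPDIR=${BACKUPDIR:-/usr/ports}        # previous repo is kept as All.<stamp>

# Every consumer with signature_type pubkey trusts whatever this key signs,
# so refuse to sign with a key that group or others can read or write.
check_key() {
    [ -f "$1" ] || { echo "signing key $1 missing" >&2; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "signing key $1 is accessible to others; chmod 600 it" >&2; return 1; }
}

# A build that died before pkg repo wrote its catalogue must never replace
# the live repository, or every client's pkg update breaks.
repo_signed() {
    [ -f "$1/meta.txz" ] && [ -f "$1/packagesite.txz" ]
}

# Keep the previous repository as All.<stamp> so a bad build can be rolled
# back by moving it into place again.
rotate_repo() {   # $1 new dir, $2 live dir, $3 directory for the backup
    if [ -d "$2" ]; then
        mv "$2" "$3/All.$(date "+%Y%m%d%H%M")" || return 1
    fi
    mv "$1" "$2"
}

rebuild_repo() {
    check_key "$KEY" || return 1
    rm -rf "$NEWDIR" && mkdir -p "$NEWDIR" || return 1
    "$PKG" create -o "$NEWDIR" -a || return 1      # one package per installed port
    "$PKG" repo "$NEWDIR" "$KEY" || return 1       # write and sign the catalogue
    repo_signed "$NEWDIR" || { echo "no catalogue in $NEWDIR" >&2; return 1; }
    rotate_repo "$NEWDIR" "$PKGDIR/All" "$BACKUPDIR"
}

# Only rebuild when invoked as "sh rebuild-repo.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = run ]; then rebuild_repo; fi
```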

Using packages from 'build2'

mkdir -p /usr/local/etc/pkg/repos

cat > /usr/local/etc/pkg/repos/dfrirepo.conf <<EOF
dfrirepo: {
  url: "http://build2.dfri.se",
  mirror_type: "http",
  enabled: yes,
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/pkg/repos/dfrirepo.pub"
}
EOF

cat > /usr/local/etc/pkg/repos/dfrirepo.pub <<EOF
-----BEGIN PUBLIC KEY-----
(the PEM public key material of the build2 repository signing key goes here; it is not reproduced on this page)
-----END PUBLIC KEY-----
EOF

In /usr/local/etc/pkg.conf, set:

CONSERVATIVE_UPGRADE = false;