Systems and their services

All hosts are now listed in dfriadm/sysadmin/hosts/ instead of here.

Fresh install of FreeBSD

Make sure that all file systems are mounted multilabel -- tunefs -l must be run before the file system is mounted. The root partition can be tricky: reboot into single-user mode and run mount -u / to remount it read-write before running tunefs. On FreeBSD 9.1, at least, mount -o ro / was needed.
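As an added check (not part of the original page), the following sh function reads mount(8)-style output on stdin and lists every file system whose option list lacks multilabel, so a host can be verified after the tunefs/mount dance above. The sample mount output is constructed, not taken from a real host.

```shell
#!/bin/sh
# check_multilabel: read mount(8) output on stdin and print each file
# system whose option list lacks "multilabel". Returns 0 when every
# listed file system is multilabel, 1 otherwise. tunefs -l sets the flag
# on UFS; devfs takes multilabel as a mount option instead.
check_multilabel() {
    missing=0
    while IFS= read -r line; do
        # mount(8) prints: <device> on <mountpoint> (<type>, <opt>, ...)
        case "$line" in
            *" on "*"("*")") ;;
            *) continue ;;
        esac
        opts=${line##*(}            # text after the last "("
        opts=${opts%)}              # drop the closing ")"
        mountpoint=${line#* on }    # text after " on "
        mountpoint=${mountpoint% (*} # drop " (type, ...)"
        # Normalise to ",opt1,opt2," so a whole-word match is possible.
        case ",$(printf '%s' "$opts" | tr -d ' ')," in
            *,multilabel,*) ;;
            *) printf 'NOT multilabel: %s (%s)\n' "$mountpoint" "$opts"
               missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample of mount(8) output (not from a real host):
# / and /dev carry multilabel, /usr and /var do not.
SAMPLE_MOUNT_OUTPUT='/dev/ada0p2 on / (ufs, local, journaled soft-updates, multilabel)
devfs on /dev (devfs, local, multilabel)
/dev/ada0p4 on /usr (ufs, local, journaled soft-updates)
/dev/ada0p5 on /var (ufs, local, soft-updates)'

# On a live host run:  mount | check_multilabel
```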

Suggested partitioning

4G /
8G swap
2G /tmp
20G /home
20G /usr
10G /var
* /var/jail

Getting a new FreeBSD world and kernel

We almost never want to build our own kernel and world. But there are situations.

In order to build the kernel and the world you need FreeBSD sources. Get them through cvsup(1) (net/cvsup-without-gui) and a supfile. The supfile for a machine running FreeBSD-9.0 might look like this:

*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_9_0
*default delete use-rel-suffix
*default compress

Bring home the source and build the world with

cvsup /etc/cvsup
cd /usr/src && make buildworld

See /usr/src/Makefile for detailed information on how to build and install a new kernel. Don't forget to read /usr/src/UPDATING.

Jails

Jails are being run in two different ways -- "service" jails and "full" jails (a.k.a. "complete" jails). We are moving towards running full jails on all machines with sufficient disk space.

Today we're running full jails on all machines.

Full jails

Two nice things with full jails are that you can freebsd-update them and that they can be moved to another host system quite easily. They cost some disk space though, about 550MB.

In order to create a new full jail, first add its name in DNS, then use the script:

./ install JAIL-FQDN

If you for some reason cannot do that, create a jail with

bsdinstall jail /var/jails/$NEWJAIL

and set it up manually afterwards.

The installer will seem to hang after "Add User Accounts", but it is probably just waiting for newaliases to time out. For debugging info, try

bsdinstall -D /tmp/$NEWJAIL.log jail /var/jails/$NEWJAIL

See Tor operations for information on how to install and run Tor in a full jail.

Service jails

We base the setup on

Create a new jail like this:

  1. export jail=NAME
  2. edit /etc/fstab
  3. edit rc.conf
  4. cpdup /usr/j/skel /usr/js/$jail
  5. mkdir /usr/j/$jail
  6. mount -a # mount: /usr/j/JAIL-NAME/s/portbuild: No such file or directory
  7. mkdir -p /usr/j/$jail/s/portbuild/usr/ports/packages
  8. mount -a
  9. /etc/rc.d/jail start $jail

Keep the ports tree updated in the jails by running:

portsnap -p /usr/j/mroot/usr/ports fetch update

This is done nightly on some systems ('tex').

Building packages in the 'build' jail (but also see build2)

portmaster -dg --delete-build-only <section>/<port>

Installing/updating packages in other service jails

pkg install <package>

Building packages in the 'build2' jail

To create a new package repository for all ports currently installed and replace the current repository:

pkg create -o /usr/ports/ -a
pkg repo /usr/ports/ /root/dfrirepo.key
mv /usr/ports/packages/All /usr/ports/All.`date "+%Y%m%d%H%M"`
mv /usr/ports/ /usr/ports/packages/All

To add a package to the repository:

portsnap fetch update
nice portmaster -dg <section>/<port>
pkg repo /usr/ports/packages/All /root/dfrirepo.key

To update all ports that need updating, build packages for them and update the repository:

portsnap fetch update
nice portmaster -dyga
#TODO: remove duplicates
pkg repo /usr/ports/packages/All /root/dfrirepo.key

Note that it might be easier to build a new package repository than to remove all the duplicates (see above). It will take longer though, since all packages have to be recreated; expect this to take about 15 minutes.

Using packages from 'build2'

mkdir -p /usr/local/etc/pkg/repos

cat > /usr/local/etc/pkg/repos/dfrirepo.conf <<EOF
dfrirepo: {
  url: ""
  mirror_type: "http",
  enabled: yes
  PUBKEY = "/usr/local/etc/pkg/repos/"
}
EOF

cat > /usr/local/etc/pkg/repos/ <<EOF
-----END PUBLIC KEY-----
EOF

/usr/local/etc/pkg.conf: CONSERVATIVE_UPGRADE = false;