FreeBSD Administration Basics
Deomid Ryabkov
[email protected]
We have Linux, why'd we care?
● Diversity
  – Diversity is good
  – Having competing implementations results in better performance
  – This applies not only to flavors of BSD: having a completely different implementation of POSIX keeps Linux on its toes
  – Monoculture increases exposure: “one exploit to rule them all”
  – One more playground to develop your ideas
Licensing
● BSD license is very easy to understand: do whatever you want, just keep our copyright strings.
  – Very appealing to vendors (NetApp, Juniper, Apple)
  – No obligations, but still getting contributions
History of the BSD
● 4.2BSD (1983) – TCP/IP, FFS
● 4.3BSD (1986) – portability, performance
● Net/1 (1989) – release of networking code
● Net/2 (1991) – rewrite of remaining proprietary parts
● 386BSD (1992) – port to 80386
  – FreeBSD, NetBSD
● Lawsuit by AT&T, slows development for 2 years
● 4.4BSD R2 (1995) – last release from Berkeley
● OpenBSD (1995) – security-oriented fork of NetBSD
● FreeBSD 4 (2000) – outstanding stability and performance, jails
● FreeBSD 5 (2003) – SMP, GEOM, netgraph
● DragonFly BSD (2003) – fork of 4.8, different take on SMP
● FreeBSD 6 (2005) – more kernel SMP work
● FreeBSD 7 (2008) – SCTP, UFS journaling, ZFS, DTrace, jemalloc, sched_ule
Starting Installation
Slices vs partitions
● DOS partitions are called slices – s1, s2, ...
  – fdisk /dev/ad0
  – Painful to use; use sysinstall if you need to edit slices interactively
  – Or fdisk -I to use the whole disk
● Further subdivided into (BSD) partitions – a, b, ...
  – bsdlabel -e /dev/ad0s1
  – c is the “raw” disk by convention. Do not use or alter it.
● Example device tree:
  /dev/ad0
    /dev/ad0s1
      /dev/ad0s1a, /dev/ad0s1d
    /dev/ad0s2
      /dev/ad0s2a, /dev/ad0s2b
Selecting distributions
Installing Ports Collection
Post-install Configuration
Adding users
Final reboot
Notable differences
● /bin/sh is not bash
  – root's shell is /bin/sh. Keep it that way and do not log in as root.
  – /bin/csh sucks: pkg_add -r bash (or some other shell)
● /usr/bin/vi is not vim
  – pkg_add -r vim-lite, not just vim: that will pull the whole world along with it
  – Stuck in vi(m)? Don't panic, :q!
  – Set your $EDITOR to “ee” - a gentler approach to editing, with on-screen help
● To su to root, the user needs to be in @wheel
● sysinstall is there
● sshd has PermitRootLogin off by default
  – Keep it that way, do not log in as root over ssh
/usr vs /usr/local
● /bin, /sbin, /lib – essential system bins and libs
● /usr/{bin,sbin,lib} – other base system bins, libs
● /usr/local/{bin,sbin,lib} – ports bins, libs
● /etc
  – /etc/namedb (BIND is in base)
  – /usr/local/etc/postfix (Postfix is in ports)
/etc/rc.conf
● A shell script, but not to be (mis)used as such: declarations only please.
  hostname="web.example.com"
  ifconfig_bge0="inet 10.0.0.2/24"
  defaultrouter="10.0.0.1"
  sshd_enable="YES"
  pf_enable="YES"
  ntpd_enable="YES"
  sendmail_enable="NONE"  # Can be "YES", "NO" or "NONE"
  postfix_enable = "YES"  # Invalid – no spaces allowed around "=" (it's a shell script!)
  ...
● Defaults live in /etc/defaults/rc.conf
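The "declarations only" rule matters because /etc/rc.conf is sourced by the rc scripts as root, so anything else in it runs at boot. As an added example (not from the original slides), a small checker that flags every line that is not a comment, blank, or plain NAME=value assignment; the sample rc.conf is constructed here and the value pattern is a deliberately conservative assumption:

```shell
#!/bin/sh
# Added example, not from the original slides: flag rc.conf lines that are
# anything other than a plain NAME="value" declaration.  /etc/rc.conf is
# sourced by the rc scripts as root at boot, so a stray command in it runs
# with full privileges; this check enforces the "declarations only" rule.

# Constructed sample mirroring the slide's fragment (not a real host's config).
SAMPLE_RC_CONF=$(mktemp)
cat > "$SAMPLE_RC_CONF" <<'EOF'
hostname="web.example.com"
ifconfig_bge0="inet 10.0.0.2/24"
defaultrouter="10.0.0.1"
sshd_enable="YES"
sendmail_enable="NONE"   # Can be "YES", "NO" or "NONE"
postfix_enable = "YES"   # Invalid: no spaces allowed around "="
/usr/local/bin/something --that-should-not-be-here
EOF

# Print each line that is not blank, a comment, or NAME=value where the
# value is a double-quoted string (no $, backtick or backslash inside it)
# or a bare word.  Exit status 0 when the file is clean, 1 otherwise.
check_rc_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*=("[^"$`\\]*"|[A-Za-z0-9_.\/:@-]*)[ \t]*(#.*)?$/ { next }
        { printf "%s:%d: not a declaration: %s\n", FILENAME, NR, $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Number of offending lines, for scripts that want a count rather than a listing.
count_bad_rc_lines() {
    check_rc_conf "$1" | wc -l | tr -d ' '
}
```

Run against the sample it reports the misspaced postfix_enable line and the stray command; a `${...}` reference in a value is also rejected, which is stricter than sh itself but in keeping with the slide's rule.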
System startup
● /etc/rc.d/* - base system services
● /usr/local/etc/rc.d/* - services from ports
● /etc/rc.conf – enable/disable services
  – foo_enable="YES"
● Order depends on the set of REQUIRE/PROVIDE declarations in the scripts
  – rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
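To make the REQUIRE/PROVIDE mechanism concrete, here is an added example (not from the original slides): a scratch rc.d directory with a minimal rc script for a hypothetical "foo" service plus a lint that reports REQUIRE targets nothing provides, which is what rcorder would complain about. The scripts and the "foo" service are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original slides: a small lint for the rc.d
# ordering mechanism.  It collects every "# PROVIDE:" and "# REQUIRE:" line
# from a directory of rc scripts and reports REQUIRE targets that no script
# provides, which rcorder cannot place in the start sequence.

# Constructed sample scripts in a scratch directory (not the system's rc.d).
RCD=$(mktemp -d)
cat > "$RCD/NETWORKING" <<'EOF'
#!/bin/sh
# PROVIDE: NETWORKING
EOF
cat > "$RCD/foo" <<'EOF'
#!/bin/sh
# PROVIDE: foo
# REQUIRE: NETWORKING
# KEYWORD: shutdown
. /etc/rc.subr
name="foo"
rcvar=foo_enable
command="/usr/local/sbin/foo"
load_rc_config $name
: ${foo_enable:="NO"}
run_rc_command "$1"
EOF
cat > "$RCD/bar" <<'EOF'
#!/bin/sh
# PROVIDE: bar
# REQUIRE: foo database
EOF

# Print "<target> (required by <script>)" for every unmet REQUIRE.
# Exit status 0 when all dependencies resolve, 1 otherwise.
rc_unmet_requires() {
    awk '
        /^# PROVIDE:/ { for (i = 3; i <= NF; i++) provided[$i] = 1 }
        /^# REQUIRE:/ { for (i = 3; i <= NF; i++) wanted[$i] = FILENAME }
        END {
            for (t in wanted)
                if (!(t in provided)) { print t " (required by " wanted[t] ")"; bad = 1 }
            exit bad
        }
    ' "$1"/*
}
```

In the sample only "database" is unmet (bar asks for it and nothing provides it); removing bar leaves a clean tree.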
Logging
● syslog
  – /etc/syslog.conf, /var/log/*
  – /var/log/all.log – useful to have, easy to find stuff
● newsyslog – log rotation
  – Not just syslogs, any logs - /etc/newsyslog.conf
  – Compression, pid files, signals; runs in parallel
  – Time spec is a bit odd, but the manpage is good and there's a dry-run mode: newsyslog -n -v
  – Example /etc/newsyslog.conf entry:
    /logs/www/access.log root:www 660 12 * @01T00 JC /var/run/httpd.pid 30
Ports
● /usr/ports/$category/$package
  – Makefiles pushed to their limits.
● Search
  – /usr/ports # make search name=foo
● Build and install:
  – /usr/ports/category/package # make install – will build from sources
  – pkg_add -r package – will download and install a pre-built package
● Port options in /var/db/ports/$package
Package management
● portupgrade
  – pkg_add -r portupgrade
  – portupgrade -aP
  – /usr/local/etc/pkgtools.conf – per-package options
● Package database
  – pkg_info
  – /var/db/pkg – plain text files describing installed packages and dependencies
  – Cached in a BDB file /var/db/pkg/pkgdb.db
Versioning (uname -r)
● Stable branch, X-STABLE. Currently X=7.
  – X.Y-RELEASE – official release, no patches. What you get by installing from an official CD/DVD.
  – X.Y-RELEASE-pN – official release + security patch N.
    ● N starts with 0. Patches are provided for 2 years after release.
    ● Stable, only security fixes. Easy to track via binary updates.
  – X.Y-STABLE – stable development branch between X.Y and X.(Y+1)
    ● Reasonably stable, but requires updating from source. Can be considered for production if it contains features/fixes not yet released.
● Development branch, (X+1)-CURRENT
  – Bumpy ride on the bleeding edge. Latest and greatest but not necessarily stable. Requires compiling from source. Not recommended for production.
Updating the base system
● Binary updates on the RELEASE branch
  – freebsd-update fetch && freebsd-update install – keeps you up to date on security patches to your current release
  – freebsd-update -r X.Y-RELEASE upgrade – upgrade to release X.Y
● Source updates, for STABLE and CURRENT branches
  – Yes, you will build and install the world.
  – Do not be alarmed. Concentrate on the kittens.
Updating base system from source
● Copy and edit /usr/share/examples/cvsup/stable-supfile
  – Set host= to one of the mirrors (see link in the file)
  – Set tag= to the desired branch, e.g. RELENG_7
● cd /usr/src; csup /path/to/my_supfile
● make buildworld
● make buildkernel && make installkernel
● Reboot (required if performing a major upgrade, i.e. X.Y -> (X+1).0)
● mergemaster -p
  – Review and apply config changes required to install binaries (e.g. addition of new users)
● make installworld
● mergemaster
  – Review and apply config changes
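Tying the versioning, binary-update and source-update slides together, here is an added example (not from the original slides) that classifies a `uname -r` string into the branch the slides name, extracts the security patch level, and picks the update path: freebsd-update for a RELEASE, or csup with the matching tag plus buildworld for STABLE and CURRENT. The RELENG_X, RELENG_X_Y and "." tags are csup's own names for the X-STABLE branch, the X.Y security branch and CURRENT; the functions and their names are this example's.

```shell
#!/bin/sh
# Added example, not from the original slides: classify a `uname -r` string
# into the branch named on the versioning slide, report its security patch
# level, and pick the update path (binary freebsd-update vs. source via a
# csup tag) that the slides describe for that branch.

# Echo one of: release, stable, current, unknown.  X.Y-RELEASE-pN is a release.
fbsd_branch() {
    case "$1" in
        [0-9]*.[0-9]*-RELEASE|[0-9]*.[0-9]*-RELEASE-p[0-9]*) echo release ;;
        [0-9]*.[0-9]*-STABLE)                                echo stable ;;
        [0-9]*-CURRENT)                                      echo current ;;
        *)                                                   echo unknown ;;
    esac
}

# Security patch level N from X.Y-RELEASE-pN; an unpatched release is 0.
# Prints nothing for non-release branches, which carry no -pN suffix.
fbsd_patchlevel() {
    case "$1" in
        *-RELEASE-p[0-9]*) echo "${1##*-p}" ;;
        *-RELEASE)         echo 0 ;;
        *)                 echo "" ;;
    esac
}

# csup tag for the branch: RELENG_X for X-STABLE, RELENG_X_Y for the
# X.Y security branch, "." for CURRENT.
fbsd_csup_tag() {
    ver=${1%%-*}                     # "7.1-RELEASE-p3" -> "7.1"
    major=${ver%%.*}
    minor=${ver#*.}
    case "$(fbsd_branch "$1")" in
        release) echo "RELENG_${major}_${minor}" ;;
        stable)  echo "RELENG_${major}" ;;
        current) echo "." ;;
        *)       return 1 ;;
    esac
}

# The update command the slides recommend for the branch.
fbsd_update_method() {
    case "$(fbsd_branch "$1")" in
        release)        echo "freebsd-update fetch && freebsd-update install" ;;
        stable|current) echo "csup (tag=$(fbsd_csup_tag "$1")) && make buildworld" ;;
        *)              echo "unrecognised version string: $1" >&2; return 1 ;;
    esac
}
```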
Updating packages
● Update the ports tree in /usr/ports
  – csup /usr/share/examples/cvsup/ports-supfile
● Install portupgrade
  – pkg_add -r portupgrade
● See what's to be updated
  – portupgrade -an
● Perform the update
  – portupgrade -aP
  – -P tells portupgrade to use binary packages when available.
  – Packages are only provided for the several latest RELEASE branches and are not available on STABLE and CURRENT.
● A reboot is recommended at this point to reload all binaries. Restarting individual services also works.
Packet filtering
● User sanity first
  – getopt() is NOT a good rule language (yes, I'm looking at you, iptables)
● ipfw
  – Abandoned for a while, development resumed recently
  – pass tcp from any to me 80 in via bge0 keep-state
● ipf
  – Ported from NetBSD
  – Better than original ipfw but no recent development
  – pass in on bge0 proto tcp from any to bge0 port 80
● pf
  – OpenBSD's rewrite of ipf, further improvements
  – tables, packet reassembly, traffic shaping, pfsync
Jails
● Para-virtualization
  – Shares the running kernel
  – Provides a separate userland with process isolation
  – Restricted root privileges
● Appeared in FreeBSD 4.0
  – “chroot() on steroids”
● Isolation is being improved
  – Multiple IP addresses in 7.2
  – Own networking stack with filtering expected in 8.0
Performance monitoring
● vmstat
● systat -XXX: {if,io,vm}stat, ip, tcp
● iostat
● gstat
● top
  – “S” (or -S) to display kernel threads
  – “H” (or -H) to display user-level threads
● /proc is not mounted by default
  – “mount_procfs proc /proc”, but usually you can do without it
  – sysctls are used instead: sysctl -a lists them, -d gives short descriptions
Case study: MySQL performance
● Red is Linux 2.6.20.1, green is 2.6.21. The drop at > 8 threads is assumed to be MySQL's fault.
● Others are various snapshots of FreeBSD 7.0. Caused a lot of noise.
MySQL performance: 3 months later
● Red is FreeBSD 7.0, green is Linux 2.6.22, blue is 2.6.23
● The scaling issue has been fixed, but the change of scheduler in 2.6.23 caused a regression (later resolved)
Give FreeBSD a try
● It's free
● It's there
● It's NOT dead (NetCraft confirms it!)
● http://www.freebsd.org/
Questions?