FreeBSD Administration Basics Deomid Ryabkov [email protected]
Page 1: Freebsd Administration Basics

FreeBSD Administration Basics

Deomid [email protected]

Page 2: Freebsd Administration Basics

We have Linux, why'd we care?

● Diversity
  ● Diversity is good
    – Having competing implementations results in better performance
      ● This applies not only to flavors of BSD, having completely different implementation of POSIX keeps Linux on its toes
    – Monoculture increases exposure: “one exploit to rule them all”
    – One more playground to develop your ideas

● Licensing
  ● BSD license is very easy to understand: do whatever you want, just keep our copyright strings.
    – Very appealing to vendors (NetApp, Juniper, Apple)
      ● No obligations, but still getting contributions

Page 3: Freebsd Administration Basics

History of the BSD

● 4.2BSD (1983) – TCP/IP, FFS

● 4.3BSD (1986) – portability, performance

● Net/1 (1989) – release of networking code

● Net/2 (1991) – rewrite of remaining proprietary parts

● 386BSD (1992) – port to 80386

● FreeBSD, NetBSD

● Lawsuit by AT&T, slows development for 2 years

● 4.4BSD R2 (1995) – Last release from Berkeley

● OpenBSD (1995) – security-oriented fork of NetBSD

● FreeBSD 4 (2000) – outstanding stability and performance, jails

● FreeBSD 5 (2003) – SMP, GEOM, netgraph

● DragonFly BSD (2003) – fork of 4.8, different take on SMP

● FreeBSD 6 (2005) – more kernel SMP work

● FreeBSD 7 (2008) – SCTP, UFS journaling, ZFS, DTrace, jemalloc, sched_ule

Page 4: Freebsd Administration Basics

Starting Installation

Page 5: Freebsd Administration Basics

Slices vs partitions

● DOS partitions are called slices – s1,s2,...
  ● fdisk /dev/ad0
    – Painful to use, use sysinstall if you need to edit slices interactively
    – Or -I to use whole disk

● Further subdivided into (BSD) partitions – a,b,...
  ● bsdlabel -e /dev/ad0s1
  ● c is “raw” disk by convention. Do not use or alter.

● /dev/ad0
  ● /dev/ad0s1
    – /dev/ad0s1a
    – /dev/ad0s1d
  ● /dev/ad0s2
    – /dev/ad0s2a
    – /dev/ad0s2b

Page 6: Freebsd Administration Basics

Selecting distributions

Page 7: Freebsd Administration Basics

Installing Ports Collection

Page 8: Freebsd Administration Basics

Post-install Configuration

Page 9: Freebsd Administration Basics

Adding users

Page 10: Freebsd Administration Basics

Final reboot

Page 11: Freebsd Administration Basics

Notable differences

● /bin/sh is not bash
  ● root's shell is /bin/sh
    – Keep it that way and do not login as root.
  ● /bin/csh sucks
    – pkg_add -r bash (or some other shell)

● /usr/bin/vi is not vim
  – pkg_add -r vim-lite
    ● Not just vim, that will pull whole world along with it
  – Stuck in vi(m)? Don't panic, <Esc>:q!
  ● Set your $EDITOR to “ee” - a gentler approach to editing, with on-screen help

● To su to root, user needs to be in @wheel

● sysinstall is there

● sshd has PermitRootLogin off by default
  ● Keep it that way, do not login as root over ssh

Page 12: Freebsd Administration Basics

/usr vs /usr/local

● /bin, /sbin, /lib – essential system bins and libs

● /usr/{bin,sbin,lib} – other base system bins, libs

● /usr/local/{bin,sbin,lib} – ports bins, libs

● /etc
  ● /etc/namedb (BIND is in base)
  ● /usr/local/etc/postfix (Postfix is in ports)

Page 13: Freebsd Administration Basics

/etc/rc.conf

● A shell script, but not to be (mis)used as such: declarations only please.

hostname="web.example.com"

ifconfig_bge0="inet 10.0.0.2/24"

defaultrouter="10.0.0.1"

sshd_enable="YES"

pf_enable="YES"

ntpd_enable="YES"

sendmail_enable="NONE" # Can be “YES”, “NO” or “NONE”

postfix_enable = "YES" # Invalid – no spaces allowed around “=”: (it's a shell script!)

...

● /etc/defaults/rc.conf
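
A lint for the "declarations only" rule, as an added example that is not from the slides: because rc.conf is sourced by /bin/sh as root at boot, a stray command or a broken quote is either executed or breaks startup. The function names and the sample file are constructed for illustration; the sample reuses the slide's declarations and adds a value closed with a typographic quote, a command substitution and a plain command.

```sh
#!/bin/sh
# Added example (not from the slides): lint an rc.conf-style file.
# rc.conf is sourced by /bin/sh as root during boot, so every line must be a
# plain name=value declaration; anything else is a syntax error or code that runs.

# lint_rc_conf [FILE]: prints "<line>: <reason>" per finding; returns 1 if any.
# Stricter than sh itself: single-quoted values are reported too.
lint_rc_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    !/^[A-Za-z_][A-Za-z0-9_]*=/ {                # name= with no space before "="
        print NR ": not a name=value declaration"; bad = 1; next
    }
    {
        value = $0
        sub(/^[^=]*=/, "", value)                # keep what follows the first "="
        if (value ~ /`|\$\(/)
            print NR ": command substitution in value"
        else if (value !~ /^("[^"]*"|[A-Za-z0-9_.\/:-]*)[ \t]*(#.*)?$/)
            print NR ": value is not one quoted string or bare word"
        else
            next
        bad = 1
    }
    END { exit bad + 0 }' "$@"
}

# Constructed sample: the slide's declarations plus lines that do not belong.
sample_rc_conf() {
    cat <<'EOF'
hostname="web.example.com"
ifconfig_bge0="inet 10.0.0.2/24”
defaultrouter="10.0.0.1"
sshd_enable="YES"
sendmail_enable="NONE" # Can be YES, NO or NONE
postfix_enable = "YES"
ntpd_flags="$(cat /etc/ntp.flags)"
echo "rc.conf loaded"
EOF
}

sample_rc_conf | lint_rc_conf || echo "rc.conf needs fixing before the next boot"
```

Run it against a copy of the real file with `lint_rc_conf /etc/rc.conf`; it only reads the file and never sources it.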

Page 14: Freebsd Administration Basics

System startup

● /etc/rc.d/* - base system services

● /usr/local/etc/rc.d/* - services from ports

● /etc/rc.conf – enable/disable services
  ● foo_enable="YES"

● Order depends on set of REQUIRES/PROVIDES declarations
  ● rcorder /etc/rc.d/* /usr/local/etc/rc.d/*

Page 15: Freebsd Administration Basics

Logging

● syslog
  ● /etc/syslog.conf, /var/log/*
  ● /var/log/all.log – useful to have, easy to find stuff

● newsyslog – log rotation
  ● Not just syslogs, any logs - /etc/newsyslog.conf
  ● Compression, pid files, signals; runs in parallel
  ● Time spec is a bit odd, but manpage is good and there's a dry-run mode: newsyslog -n -v

    /logs/www/access.log root:www 660 12 * @01T00 JC /var/run/httpd.pid 30
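
A field-by-field reading of the newsyslog.conf entry above, as an added example that is not from the slides: it splits each entry into its fields and reports logs whose mode lets any local user read or write them, which matters most for a catch-all file such as all.log. The function names and the second sample entry are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the slides): read newsyslog.conf entries and report
# the mode each rotated log is recreated with.
# Fields: logfile [owner:group] mode count size when [flags] [pidfile] [signal]

# audit_newsyslog [FILE]: prints "<logfile> owner=<o:g or -> mode=<mode> <verdict>"
# per entry and returns 1 if any log is accessible to "other" users.
audit_newsyslog() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        i = 2; owner = "-"
        if ($i ~ /:/) { owner = $i; i++ }        # owner:group is optional
        mode = $i
        if (mode !~ /^[0-7][0-7][0-7]$/) {
            print $1 " owner=" owner " mode=? unparsable"; bad = 1; next
        }
        other = substr(mode, 3, 1) + 0           # permission digit for "other"
        verdict = "ok"
        if (other >= 4)     verdict = "world-readable"
        if (other % 4 >= 2) verdict = "world-writable"
        if (verdict != "ok") bad = 1
        print $1 " owner=" owner " mode=" mode " " verdict
    }
    END { exit bad + 0 }' "$@"
}

# First entry is the one shown on the slide; the second is constructed and
# shows a catch-all log left readable by every local user.
sample_newsyslog_conf() {
    cat <<'EOF'
# logfilename          [owner:group] mode count size when   flags [/pid_file] [sig_num]
/logs/www/access.log   root:www      660  12    *    @01T00 JC    /var/run/httpd.pid 30
/var/log/all.log                     644  7     *    @T00   J
EOF
}

sample_newsyslog_conf | audit_newsyslog || echo "tighten the modes flagged above"
```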

Page 16: Freebsd Administration Basics

Ports

● /usr/ports/$category/$package

● Makefiles pushed to their limits.

● Search
  – /usr/ports # make search name=foo

● Build and install:
  – /usr/ports/category/package # make install
    ● Will build from sources
  – pkg_add -r package
    ● Will download and install a pre-built package

● Port options in /var/db/ports/$package

Page 17: Freebsd Administration Basics

Package management

● portupgrade
  ● pkg_add -r portupgrade
  ● portupgrade -aP
  ● /usr/local/etc/pkgtools.conf – per-package options

● Package database
  ● pkg_info
  ● /var/db/pkg – plain text files describing installed packages and dependencies
    – Cached in a BDB file /var/db/pkg/pkgdb.db

Page 18: Freebsd Administration Basics

Versioning (uname -r)

● Stable branch, X-STABLE. Currently X=7.
  ● X.Y-RELEASE – official release, no patches. What you get by installing from an official CD/DVD.
    – X.Y-RELEASE-pN – official release + security patch N.
      ● N starts with 0. Patches are provided for 2 years after release.
    – Stable, only security fixes. Easy to track via binary updates.
  ● X.Y-STABLE – stable development branch between X.Y and X.(Y+1)
    – Reasonably stable, but requires updating from source. Can be considered for production if it contains features/fixes not yet released.

● Development branch, (X+1)-CURRENT
  ● Bumpy ride on the bleeding edge. Latest and greatest but not necessarily stable. Requires compiling from source. Not recommended for production.

Page 19: Freebsd Administration Basics

Updating the base system

● Binary updates on the RELEASE branch
  ● freebsd-update fetch && freebsd-update install
    – This will keep you up to date on security patches to your current release
  ● freebsd-update -r X.Y-RELEASE upgrade
    – Upgrade to release X.Y

● Source updates, for STABLE and CURRENT branches
  ● Yes, you will build and install the world.
    – Do not be alarmed. Concentrate on the kittens.

Page 20: Freebsd Administration Basics

Updating base system from source

● Copy and edit /usr/share/examples/cvsup/stable-supfile
  ● Set host= to one of the mirrors (see link in the file)
  ● Set tag= to the desired branch, e.g. RELENG_7

● cd /usr/src; csup /path/to/my_supfile

● make buildworld

● make buildkernel && make installkernel

● Reboot (required if performing major upgrade, i.e. X.Y -> (X+1).0)

● mergemaster -p
  ● Review and apply config changes required to install binaries (e.g. addition of new users)

● make installworld

● mergemaster
  ● Review and apply config changes

Page 21: Freebsd Administration Basics

Updating packages

● Update ports tree in /usr/ports
  ● csup /usr/share/examples/cvsup/ports-supfile

● Install portupgrade
  ● pkg_add -r portupgrade

● See what's to be updated
  ● portupgrade -an

● Perform the update
  ● portupgrade -aP
    – -P tells portupgrade to use binary packages when available.
      ● Packages are only provided for several latest RELEASE branches and are not available on STABLE and CURRENT.

● Reboot is recommended at this point to reload all binaries. Restarting individual services also works.

Page 22: Freebsd Administration Basics

Packet filtering

● User sanity first
  ● getopt() is NOT a good rule language
    – yes, I'm looking at you, iptables

● ipfw
  ● Abandoned for a while, development resumed recently
  ● pass tcp from any to me 80 in via bge0 keep-state

● ipf
  ● Ported from NetBSD
  ● Better than original ipfw but no recent development
  ● pass in on bge0 proto tcp from any to bge0 port 80

● pf
  ● OpenBSD's rewrite of ipf, further improvements
    – tables, packet reassembly, traffic shaping, pfsync

Page 23: Freebsd Administration Basics

Jails

● Para-virtualization
  ● Shares running kernel
  ● Provides separate userland with process isolation
  ● Restricted root privileges

● Appeared in FreeBSD 4.0
  ● “chroot() on steroids”

● Isolation is being improved
  ● Multiple IP addresses in 7.2
  ● Own networking stack with filtering expected in 8.0

Page 24: Freebsd Administration Basics

Performance monitoring

● vmstat

● systat -XXX: {if,io,vm}stat, ip, tcp

● iostat

● gstat

● top
  ● “S” (or -S) to display kernel threads
  ● “H” (or -H) to display user-level threads

● /proc is not mounted by default
  ● “mount_procfs proc /proc” but usually can do without
  ● sysctls are used. sysctl -a, -d will give short descriptions

Page 25: Freebsd Administration Basics

Case study: MySQL performance

● Red is Linux 2.6.20.1, green is 2.6.21. Drop at > 8 thr assumed to be MySQL's fault

● Others are various snapshots of FreeBSD 7.0. Caused a lot of noise.

Page 26: Freebsd Administration Basics

MySQL performance: 3 months later

● Red is FreeBSD 7.0, green is Linux 2.6.22, blue is 2.6.23

● Scaling issue has been fixed, but change of scheduler in 2.6.23 caused a regression (later resolved)

Page 27: Freebsd Administration Basics

Give FreeBSD a try

It's free

It's there

It's NOT dead (NetCraft confirms it!)

http://www.freebsd.org/

Page 28: Freebsd Administration Basics

Freebsd Administration Basics

Questions?