
An excellent laptop for having a wireless chip which is compatible with stock Debian and FreeBSD installations! This is one of the first pieces of hardware I have come across where the OS detected the wireless chip during installation.

Next, I used a UEFI-based dual boot installation and had to manually add the Debian entry in the BIOS setup. The FreeBSD EFI partition got detected out of the box, sweet!

The hardware list from lspci on Debian:

00:00.0 Host bridge: Intel Corporation Broadwell-U Host Bridge -OPI (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Broadwell-U Integrated Graphics (rev 09)
00:03.0 Audio device: Intel Corporation Broadwell-U Audio Controller (rev 09)
00:04.0 Signal processing controller: Intel Corporation Broadwell-U Camarillo Device (rev 09)
00:14.0 USB controller: Intel Corporation Wildcat Point-LP USB xHCI Controller (rev 03)
00:16.0 Communication controller: Intel Corporation Wildcat Point-LP MEI Controller #1 (rev 03)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection (3) I218-LM (rev 03)
00:1b.0 Audio device: Intel Corporation Wildcat Point-LP High Definition Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #1 (rev e3)
00:1c.3 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #4 (rev e3)
00:1c.4 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #5 (rev e3)
00:1d.0 USB controller: Intel Corporation Wildcat Point-LP USB EHCI Controller (rev 03)
00:1f.0 ISA bridge: Intel Corporation Wildcat Point-LP LPC Controller (rev 03)
00:1f.2 SATA controller: Intel Corporation Wildcat Point-LP SATA Controller [AHCI Mode] (rev 03)
00:1f.3 SMBus: Intel Corporation Wildcat Point-LP SMBus Controller (rev 03)
01:00.0 SD Host controller: O2 Micro, Inc. SD/MMC Card Reader Controller (rev 01)
02:00.0 Network controller: Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)

On Debian everything works fine, but you might want to remove the Intel Xorg driver (xserver-xorg-video-intel), as it is meant for hardware older than 2007; with the old driver installed the graphics were not that smooth and CPU utilization increased.

Other than this, I was unable to suspend to RAM when HT was disabled; enabling HT in the BIOS would solve this.

On FreeBSD, the integrated GPU is not yet supported :( so it is just the command line for now.

Will consider Dell again for my computing.


While many talk about web servers like Apache or NginX, I wanted to try out lighttpd. I dislike the way NginX Inc releases its product, which is Open Core; I prefer something which is completely Libre.

The aim is to deploy Zerobin with whatever PHP version is available on FreeBSD 11. The installation of Zerobin itself is simple: we just have to extract the package into the document root of the web server.

Install the required packages:

# pkg install php70 lighttpd

You might want to install the php7-gd package in case you are using the gd module.

Once installed, configure lighttpd; there are a few quirks of lighttpd to deal with to make it work.

In file /usr/local/etc/lighttpd/lighttpd.conf

Disable IPv6.

server.use-ipv6 = "disable"

If you do not disable IPv6 on a node that is not using it, you will get error messages like "protocol not supported".

Next, bind the web server to listen on the server IP address, and change the server root value if you want to change the default.

server.bind = "192.168.1.18"

We will be using the fastcgi module of lighttpd; enable it by un-commenting the entry in /usr/local/etc/lighttpd/modules.conf:

include "conf.d/fastcgi.conf"

Next, point the lighttpd FastCGI module to the php-cgi binary: edit the file /usr/local/etc/lighttpd/conf.d/fastcgi.conf, uncomment the block starting at "fastcgi.server =", and change the value of the "bin-path" directive, as the changes below relate to this value.

fastcgi.server = ( ".php" =>
  ( "php-local" =>
    (
      "socket" => socket_dir + "/php-fastcgi-1.socket",
      "bin-path" => server_root + "/bin/php-cgi",
      "max-procs" => 1,
      "broken-scriptfilename" => "enable",
    )
  ),
  ( "php-tcp" =>
    (
      "host" => "127.0.0.1",
      "port" => 9999,
      "check-local" => "disable",
      "broken-scriptfilename" => "enable",
    )
  ),

  ( "php-num-procs" =>
    (
      "socket" => socket_dir + "/php-fastcgi-2.socket",
      "bin-path" => server_root + "/bin/php-cgi",
      "bin-environment" => (
        "PHP_FCGI_CHILDREN" => "16",
        "PHP_FCGI_MAX_REQUESTS" => "10000",
      ),
      "max-procs" => 5,
      "broken-scriptfilename" => "enable",
    )
  ),
)

If you have not changed the value of "bin-path" as above, or according to the value of "var.server_root" (in /usr/local/etc/lighttpd/lighttpd.conf), you will see the following errors during lighttpd startup in /var/log/lighttpd/error.log:

2016-10-20 19:35:13: (log.c.216) server started
2016-10-20 19:35:13: (mod_fastcgi.c.1133) the fastcgi-backend /usr/local/www/data/usr/local/bin/php-cgi failed to start:
2016-10-20 19:35:13: (mod_fastcgi.c.1137) child exited with status 2 /usr/local/www/data/usr/local/bin/php-cgi
2016-10-20 19:35:13: (mod_fastcgi.c.1140) If you're trying to run your app as a FastCGI backend, make sure you're using the FastCGI-enabled version.\nIf this is PHP on Gentoo, add 'fastcgi' to the USE flags.

You can see that lighttpd builds the backend path by appending the bin-path suffix to the server_root value, which yields a wrong path here.

For my configuration to work I had to set 'var.server_root = "/usr/local"'.
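To catch a wrong server_root/bin-path combination before lighttpd even starts, here is a small check written for this post (it is not from the original post nor from lighttpd): it resolves the php-cgi path the same way lighttpd does, by appending the suffix after "server_root +" in the bin-path directive to var.server_root from lighttpd.conf. It assumes both directives are written on a single line as shown above; the config fragments it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: compute the php-cgi path lighttpd
# will exec by concatenating var.server_root (lighttpd.conf) with the suffix
# after 'server_root +' in the "bin-path" directive (fastcgi.conf).
# Assumes each directive sits on one line, as in the configs shown above.
# Prints the resolved path; exit 0 if it is executable, 1 if not, 2 if a
# directive could not be found.
resolve_php_cgi() {
    main_conf=$1
    fcgi_conf=$2
    # var.server_root = "/usr/local"              -> /usr/local
    server_root=$(sed -n 's/^[[:space:]]*var\.server_root[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$main_conf" | head -n 1)
    # "bin-path" => server_root + "/bin/php-cgi", -> /bin/php-cgi
    suffix=$(sed -n 's/^[[:space:]]*"bin-path"[[:space:]]*=>[[:space:]]*server_root[[:space:]]*+[[:space:]]*"\([^"]*\)".*/\1/p' "$fcgi_conf" | head -n 1)
    if [ -z "$server_root" ] || [ -z "$suffix" ]; then
        echo "could not find var.server_root or a server_root-based bin-path" >&2
        return 2
    fi
    resolved="$server_root$suffix"
    echo "$resolved"
    [ -x "$resolved" ]
}

# Demonstration on constructed config fragments: first the combination behind
# the error log above, then the working one.
demo=$(mktemp -d)
printf 'var.server_root = "/usr/local/www/data"\n' > "$demo/lighttpd-broken.conf"
printf '  "bin-path" => server_root + "/usr/local/bin/php-cgi",\n' > "$demo/fastcgi-broken.conf"
printf 'var.server_root = "/usr/local"\n' > "$demo/lighttpd-fixed.conf"
printf '  "bin-path" => server_root + "/bin/php-cgi",\n' > "$demo/fastcgi-fixed.conf"

for variant in broken fixed; do
    if path=$(resolve_php_cgi "$demo/lighttpd-$variant.conf" "$demo/fastcgi-$variant.conf"); then
        echo "$variant: $path is executable"
    else
        status=$?
        echo "$variant: $path is NOT executable on this host (status $status)"
    fi
done
rm -rf "$demo"
```

Run it against the real /usr/local/etc/lighttpd/lighttpd.conf and conf.d/fastcgi.conf instead of the constructed fragments to check your own setup.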

Once the above config changes are done, untar the Zerobin package in the document root, which is by default set to '/usr/local/www/data', and change its owner and group to 'www':

chown -R www:www /usr/local/www/data

References:

https://box.matto.nl/freebsd10lighttpd.html

Install Redmine, Apache, MySQL, and the Passenger module (rubygem-passenger).

# pkg install redmine apache24 mysql56-server mysql56-client rubygem-passenger

Things to note about locations where we will place files and edit them:

Installation directory of Redmine:

/usr/local/www/redmine

Redmine Config directory:

/usr/local/www/redmine/config

Apache virtualhost directory:

/usr/local/etc/apache24/Includes

Next, start MySQL:

# service mysql-server onestart

Create the necessary DB, user for Redmine and grant privileges:

CREATE DATABASE redmine CHARACTER SET utf8;
CREATE USER 'redmine'@'localhost' IDENTIFIED BY 'my_password';
GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost';

In the above commands change the password, database name, and user name for your setup.

DB data load:

Load the DB dump taken from the old Redmine instance into the new one, as root user:

# mysql -u REDMINE_USER -p < DB_DUMP_FILENAME_here.sql

You might need to add the line "USE REDMINE_DB_NAME;" (for the example above, "USE redmine;") at the top of the .sql dump file, as the dump might not contain a statement selecting which DB to populate.

Redmine configuration:

Copy the old database.yaml file into the config directory of Redmine and change the adapter type from 'mysql' to 'mysql2'.
Copy the old configuration.yaml file into the config directory of Redmine.
Copy the attachments directory (named files) from the old installation into the new installation directory.

After the above, follow the guide below to upgrade the DB schema, generate a new session token, etc.:
https://www.redmine.org/projects/redmine/wiki/RedmineUpgrade

Apache virtual hosts configuration:

I followed the message printed when the Passenger module was installed.

Copy the following into any file with the extension .conf, for example redmine.conf, under the Apache Includes directory:

# Redirect all http requests to https
<VirtualHost *:80>
    # Replace 52.70.124.168 with the FQDN or the IP address of your server/service.
    Redirect / https://52.70.124.168:443/
</VirtualHost>

# Enable server to listen on TCP port 443
Listen 443

# Load SSL and Passenger modules and point Passenger to Ruby and Gems.
# LoadModule and PassengerRoot are server-wide directives and are not
# accepted inside <VirtualHost>, so they live at file level.
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule passenger_module /usr/local/lib/ruby/gems/2.2/gems/passenger-5.0.28/buildout/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/2.2/gems/passenger-5.0.28
PassengerRuby /usr/local/bin/ruby22

<VirtualHost *:443>
    # Enable SSL using certificates
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/apache24/FQDN_NAME.crt"
    SSLCertificateKeyFile "/usr/local/etc/apache24/FQDN_NAME.key"

    # This is the passenger config
    RailsEnv production
    PassengerDefaultUser www
    DocumentRoot /usr/local/www/redmine/public/
    <Directory "/usr/local/www/redmine/public/">
        Allow from all
        Options -MultiViews
        Require all granted
    </Directory>
</VirtualHost>

Finally, run the mysql_secure_installation script to disable remote root user login.
Start the Apache process, and add it and the MySQL service to /etc/rc.conf so that they start at boot time:

service apache24 onestart

sysrc mysql_enable="YES"
sysrc apache24_enable="YES"

This ensures that Redmine starts up during boot, once Apache and MySQL are running.

I faced an issue where email notifications were not working; for this, check the configuration.yaml file against the Redmine wiki. In my case the file from the previous installation had incorrect settings.

https://www.redmine.org/projects/redmine/wiki/EmailConfiguration

I prefer using the binary packages included in the repository. The task was to install Redmine and migrate data from an old Redmine (1.4.0) installation running on Debian 6. In this post I will detail the hurdles I faced and their solutions.

Installation is easy using Debian’s apt. Follow the official documentation:
https://wiki.debian.org/redmine

After installing Redmine, get the configuration files (configuration.yaml, database.yaml) and the DB dump from the older installation.

In my case we were not using plugins, so the configuration summary was:

Copy the old database.yaml file into the config directory and change the adapter type from 'mysql' to 'mysql2'.
Copy the old configuration.yaml file into the config directory.
Copy the attachments directory (named files) into the installation directory.
Follow this Redmine guide to upgrade:
https://www.redmine.org/projects/redmine/wiki/RedmineUpgrade

After following the above instructions, that is, after loading the DB with data from the dump, run the mysql_secure_installation command on the host. This is necessary as we may not want to leave the root password unset or remote root login allowed.

Start the Apache process and Redmine should work with the Passenger module. If it fails for any reason, first check for visible error messages in Apache's error log, then check the Redmine configuration files, the .yaml ones that you copied. I spent a whole day believing they were right while the issue lay there. 🙂

I did an exercise to find out in which cases crontab sends email notifications.
The objective of this exercise was to get an email notification when the job runs AND fails (errors, etc.).
Another objective was to see whether we get an email if the cron job fails to start because of an incorrect command or script.
This was tested on a FreeBSD box with bash.
The observations:

By default we receive mail only when the job (command) is actually executed, whether it fails or succeeds: cron forwards whatever the command writes to stdout or stderr. Depending on how we redirect stderr and stdout, either of these can be suppressed.

An example where failure messages are sent:

crontab -l

MAILTO=user@email.com
@hourly ls /home/another_user_ 1>/home/user/crontab_log.txt

This will send an email if there are errors when the ls command executes, for example due to permissions on the /home/another_user_ directory. It works because we have not redirected stderr (2), so cron gets content to forward over email.

An example when the command is not found:

crontab -l

MAILTO=user@email.com
@hourly lss /home/user 1>/home/user/crontab_log.txt

This will send an email because stderr (2), carrying the "lss: not found" message, is not redirected and is instead sent over email.

Lastly, if the job is not executed at all due to various reasons(crond dead), then we get no notification.

To redirect both stdout(1) and stderr(2):

<command_to_run> 1>/path/to/save/or/dump  2>&1
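To try the cases above without waiting for the hourly run, here is an added example written for this post (not from the original) that reproduces cron's decision: it runs the command part of a crontab line through sh exactly as cron does and reports whether anything would have been mailed. The directories and log file it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce cron's decision to
# mail a job's output. Cron runs the crontab command line with /bin/sh and
# mails MAILTO whatever reaches the job's stdout or stderr; nothing captured
# means no mail. would_cron_mail takes the command part of a crontab line,
# captures what cron would capture and returns 0 (mail) or 1 (no mail).
would_cron_mail() {
    job=$1
    # Same as cron: run the line through sh and collect both streams; the
    # redirections written inside the job line are applied by that inner sh.
    captured=$(sh -c "$job" 2>&1) || true
    if [ -n "$captured" ]; then
        printf 'MAIL   %s\n       -> %s\n' "$job" "$captured"
        return 0
    fi
    printf 'NOMAIL %s\n' "$job"
    return 1
}

# Constructed demo: a readable dir, a missing dir standing in for the
# unreadable /home/another_user_ from the post, and a log file to redirect to.
demo=$(mktemp -d)
mkdir "$demo/ok"
log=$demo/crontab_log.txt
would_cron_mail "ls $demo/ok 1>$log"                  # quiet success: no mail
would_cron_mail "ls $demo/another_user_ 1>$log"       # ls error on stderr: mail
would_cron_mail "lss $demo/ok 1>$log"                 # command not found: mail
would_cron_mail "ls $demo/another_user_ 1>$log 2>&1"  # both redirected: no mail
rm -rf "$demo"
```

Note that this only models output-driven mail; as the post says, a job that never runs (crond dead) produces no mail at all, which no redirection can fix.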

Suppose you want to download an application or game package for a FreeBSD PC without internet access; on *BSD or GNU/Linux this is hard unless you have the software on discs.

This made me resolve to write a basic shell script to download a package and its dependencies for a FreeBSD 10 machine, as that is the OS I use day to day.

However, when I started digging deeper I noticed FreeBSD's pkg already had it covered! 🙂

You need following:

  1. A FreeBSD PC which is connected to the internet; the architecture must match that of the target where you want to install the packages.
  2. pkg installed on this internet-connected FreeBSD machine.
  3. root privileges on this machine.
  4. A storage medium to transfer packages from this machine to the other.

With above ready you can then use the following command to download a package and its dependencies.

# mkdir /root/off-pac

# pkg fetch -d -o /root/off-pac vlc

Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following packages will be fetched:

New packages to be FETCHED:
...
libdvbpsi-1.2.0 (0.09% of 118 MiB: 104 KiB)
opus-1.1.1_1 (0.20% of 118 MiB: 243 KiB)

The process will require 118 MiB more space.
118 MiB to be downloaded.

Proceed with fetching packages? [y/N]:

That is it!

This downloads all packages necessary to install vlc. Now you need to transfer the directory /root/off-pac to your storage medium and install the application on the FreeBSD PC which is not connected to the internet.

This is easier than I was expecting, I wonder what I can do for Debian similarly.

Update[10 March 2016]:

There is a gotcha which I had not covered as I had not faced it ;): the default FreeBSD repository points to the quarterly branch, that is, applications are updated once every three months or so.

But as the RELEASE disc comes with a fixed package set, using applications from the quarterly branch can cause issues, especially with dependencies. It is better to stick to the RELEASE repository.

In my example I had tried this on FreeBSD RELEASE 10.2, but some of the libraries were old by the time I started downloading packages from the official quarterly repository.

This is simple to solve as pkg in FreeBSD supports configuring and use of multiple repositories.

How to configure this:

Find out the release URI for the FreeBSD version you want packages for by visiting pkg.freebsd.org

In my case the OS was 64 bit and RELEASE 10.2, so I noted the following URI:

http://pkg.freebsd.org/freebsd:10:x86:64/release_2/

Copy the default pkg repository at /etc/pkg/FreeBSD.conf config to /usr/local/etc/pkg/repos/r102.conf

I chose r102.conf, but it could be any arbitrary name. It must end with .conf though! Choose something meaningful 🙂

cp /etc/pkg/FreeBSD.conf /usr/local/etc/pkg/repos/r102.conf

Now edit the r102.conf file replace the url variable and it would look something like this:

r102: {
  url: "pkg+http://pkg.freebsd.org/${ABI}/release_2",
  enabled: true,
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  mirror_type: "srv"
}

Refresh the repository cache:

pkg update

You can now install applications from this repository:

pkg install -r r102 vlc

Now to fetch packages from this repository, use the -r switch, like:

pkg fetch -d -o /root/off-pac -r r102 vlc

What this does is it downloads vlc from the repository configured in r102. The packages downloaded like this should be compatible with the libraries you might have installed using the RELEASE disc.

Continuing from the previous blog post, where we learned how to create a Jail on FreeBSD 10 without internet, here we will see two ways to provide internet access to the Jail: one using PF (employing its NAT feature) and another where we piggyback on a host interface (FreeBSD aliases the interface).

First the easy one(without NAT):

This is easy, while creating a Jail just use the host network interface and select an available IP from the same subnet as the host is on. Following is a logical representation of our setup.

Logical diagram of what we will achieve.

To start with, first determine the interface you want to use:

ifconfig

Sample output:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:57:37:49
inet6 fe80::a00:27ff:fe57:3749%em0 prefixlen 64 scopeid 0x1
inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255

em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:63:4f:4b
inet 192.168.56.9 netmask 0xffffff00 broadcast 192.168.56.255
inet 192.168.56.50 netmask 0xffffffff broadcast 192.168.56.50 vhid 1
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active

On my PC em0 is the interface I would like to place my jail on, as that is the one connected to the internet.

So create a jail like:

# ezjail-admin create YOUR-jail-name 'em0|10.0.2.16'

By default ping is disabled in Jails, so try using telnet to connect to one of the public websites instead.

In the following example I am sending a GET request to gnu.org on TCP port 80 (http) from the Jail, after resolving its IP address:

# ezjail-admin console your-jail-name

Jail shell> host gnu.org
gnu.org has address 208.118.235.148
gnu.org mail is handled by 10 eggs.gnu.org.

Jail shell> telnet 208.118.235.148 80
Trying 208.118.235.148...
Connected to 208.118.235.148.
Escape character is '^]'.
GET
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://savannah.nongnu.org/">here</a>.</p>
<hr>
<address>Apache/2.4.7 Server at http://www.nongnu.org Port 80</address>
</body></html>
Connection closed by foreign host.

It works! 🙂

You can now install applications from internet and further configure the Jail, but first add a nameserver by creating a new /etc/resolv.conf 😉

Bonus:

We can extend on this method to attach multiple IP addresses of different networks to the jail.

[diagram: dual-network]

Let say you want to use both em0 and em1 with different IP addresses:

ezjail-admin create YOUR-jail-name 'em0|10.0.2.16,em1|192.168.56.30'

This attaches two new IP address to the respective interfaces and the Jail becomes accessible from both subnets(10.0.2.0/24, 192.168.56.0/24)

The above method works if you have spare IP addresses, but what if you have limited IP addresses and/or want to isolate the Jails on a separate subnet?

Well that is when NAT comes into picture.

Read more about it at wikipedia =>

https://en.wikipedia.org/wiki/Network_address_translation

Internet connectivity for Jails with NAT(using PF):

NAT is useful when you want to isolate the jails/hosts completely on a private subnet.
And/or, you have limited public IP addresses and want to share it among different Jails.

By following this guide you will achieve something like below:

[diagram: NAT-network-for-jails]

In the above diagram the Jails are restricted to subnet 172.17.0.0/16; they cannot reach other networks on their own. In order to reach the internet (or other subnets) we NAT the outgoing connections using the host as the gateway, which makes the outgoing connections appear to originate from the host. If a jail contacts hosts on the 10. and 192. subnets, the connection appears to come from 10.0.2.15 and 192.168.56.1 respectively, which is not the jail's actual IP address!

First we need to prepare the host to act as a gateway and as router which NATs the connections(firewall/packet filtering is optional).

Enable the host system to act as a gateway:

# sysctl net.inet.ip.forwarding=1

To forward IPv6 traffic, use:

# sysctl net.inet6.ip6.forwarding=1

To enable these settings at system boot(and make them permanent), add the following to /etc/rc.conf:

gateway_enable="YES" # for ipv4
ipv6_gateway_enable="YES" # for ipv6

Now we create a cloned interface which the jails will use, and later enable NAT using PF.

Clone the loopback interface on which the jails will communicate:

In /etc/rc.conf add:

cloned_interfaces="lo1"

Then on the host:

# service netif cloneup

If no error is shown then lo1 is created, if you would like to confirm, run ifconfig on host.

Next create a jail with this new interface and an IP address:

# ezjail-admin create your-jail 'lo1|172.17.1.3'

Start the Jail:

# ezjail-admin onestart your-jail

If no errors are shown, your-jail is running attached to lo1, check using ifconfig:

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 172.17.1.3 netmask 0xffffffff
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

However, this jail cannot reach the internet yet; the final step is to enable NAT. I am using PF here as it is very easy to configure, whereas configuring IPFW for NAT with stateful filtering is hard.

To enable PF add following in /etc/rc.conf:

pf_enable="YES"

There are a bunch of other things you can enable; refer to the manual for these, as I am trying to keep this how-to simple. 😉

Next run:

# service pf start

By default PF reads the filtering rules and configuration from /etc/pf.conf. We will be making the bare minimum changes required for NAT here.

For my environment I had to add following in /etc/pf.conf:

# Declare the interfaces, public IP, private jail subnet and LAN IP
EXT_IF0 = "em0"
EXT_IF1 = "em1"

IP_PUB = "10.0.2.15"
NET_JAIL = "172.17.0.0/16"
LAN_IP = "192.168.56.7"

nat pass on $EXT_IF1 from $NET_JAIL to any -> $LAN_IP
nat pass on $EXT_IF0 from $NET_JAIL to any -> $IP_PUB

#### end of pf.conf ####

To make further changes easy, we first declare the interfaces, the IP addresses the host is on ($IP_PUB, $LAN_IP) and the network the jails are on ($NET_JAIL). You can limit NET_JAIL to a single Jail IP by using /32 as the routing prefix, like 172.17.1.3/32.

Next come the NAT rules, which direct PF to NAT (and pass) any packet arriving from the jail network ($NET_JAIL) on either interface ($EXT_IF0, $EXT_IF1), translating the source to either the LAN address ($LAN_IP) or the internet-facing address ($IP_PUB) depending on the destination. PF keeps state for the connections, so the reply packets are routed back to the jails appropriately.

Done! The network diagram looks something like this:

[diagram: network-diagram-NAT-network-for-jails]

Refer the PF manual if you want to use more advanced features. Enjoy jailing the daemons!