Tag Archives: ports

Debian NAS

I wanted a centralized home storage system that could feed all my other toys. Data stored on this will include MySQL datafiles, our MP3 collection, website directories and all our receipts printed out in PDF format (Yay! CutePDF) among other things. And so the fun began…

I did some test installs of various “turnkey” solutions such as Openfiler.

Openfiler just didn't seem stable enough. Arrays would claim to have faulty drives and start rebuilding at the strangest times, only for me to find out, via 3rd-party tools, that the drive was fine. The web interface was OK, but I would have organized it differently. Minus that, Openfiler has a lot of potential.

In the end, for what I wanted, it was easier to do a netinstall of Debian and add the things I needed.

Started with this: Debian RAID

Changes:
Raid5 first
Raid1 with leftovers
Flat filesystem
Swap on Raid5

Problems:
Bad mainboard
Bad harddrive
BIOS truncation of HD hardware address forcing me to "find" the bootdisk manually.

Hardware:
ECS RS482-M754 w/ AMD Sempron 3200+ (Bundled)
4x Seagate Barracuda 7200.10 ST3250620AS 250GB
2x AllComponents 512MB 184-Pin SDRAM DDR 400

The mainboard had problems POSTing but I couldn't really determine if it was board, memory or CPU, so it (board, memory and processor) was replaced with:

MSI K9AGM2-L AM2 AMD 690V Micro ATX
AMD Sempron 64 3400+ Manila 1.8GHz Socket 754
2x Kingston 512MB 240-Pin SDRAM DDR2 800

Ended up having a dodgy harddrive too. Awaiting the RMA return. But that didn't stop the project, it's just running without a spare at the moment.

NFS with assigned ports: Securing NFS

This is used for our websites' files and MP3 collection. The MP3s are served internally via Jinzora and accessed from laptops, HTPCs etc.

Samba:
9 times out of 10, we're accessing the NAS interactively from laptops running Windows. I didn't really look for a site that explained how to set up Samba on Debian; I just nitpicked around Google until my shares were up and running.

AoE for database files: AoE on Debian

First, the above URL is not quite complete, it's missing a few steps, which I have outlined below.

There are some security risks one should be aware of when implementing AoE. One is the ability to cross-mount an AoE LUN from another server (a second host mounting the same exported block device), causing corruption and all sorts of other nastiness. I've heard there are certain implementations that allow MAC filtering and other security mechanisms to make this more secure, but in the end you will still be shipping data in the clear over the wire.

I decided the ease of use was worth the risks.

Given that data files were going to live on the AoE devices, I wanted some extensive, longterm testing. I kept the originals and did some link chicanery for the test.

As I stated earlier, the AoE How-To linked is not complete but still makes a decent starting point. Below is a quick step-by-step.

Keep in mind the initiator is the "client" and the target is the "server". These are Debian specific instructions.

Initiator:
Install the client tools
apt-get install aoe-tools

Create the /dev structure
aoe-mkdevs /dev/etherd

Target:
apt-get install vblade

Create a device to export
lvcreate -n myAoE --size 10g my_vg0

Export device in userland for testing
vblade 0 1 eth1 /dev/my_vg0/myAoE &

Initiator:
aoe-discover

List AoE devices
aoe-stat

Create filesystem on device
mkfs.ext3 /dev/etherd/e0.1

Mount our new AoE device
mount /dev/etherd/e0.1 /data
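The cross-mount risk mentioned above has a local half that is easy to guard against: the target itself must never have the exported volume mounted, and the export should only answer the initiators you intend. As an added example (not part of the original post or the AoE How-To it links), here is a small wrapper around vblade that refuses to export a device the target still has mounted and restricts the export to an explicit initiator MAC allow-list via vblade's -m option. It assumes a Linux target with /proc/mounts; the shelf, slot, interface and device values mirror the post's vblade line, and the MAC address in the usage comment is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not from the original post: guard wrapper around vblade.
# Refuses to export a block device that is still mounted on the target
# itself (two mounts of one AoE LUN corrupt the filesystem) and limits the
# export to listed initiator MACs (vblade -m).
# Assumptions: Linux target with /proc/mounts; the installed vblade supports -m.

# Canonicalise a device path so /dev/my_vg0/myAoE and /dev/mapper/... compare equal.
canon() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# is_mounted DEV [MOUNTS_FILE] -> 0 if DEV is a mount source, 1 otherwise.
# MOUNTS_FILE defaults to /proc/mounts; passing a file lets this be tested offline.
is_mounted() {
    want=$(canon "$1")
    mounts=${2:-/proc/mounts}
    while read -r src mnt rest; do
        [ "$(canon "$src")" = "$want" ] && return 0
    done < "$mounts"
    return 1
}

# valid_mac_list "aa:bb:cc:dd:ee:ff,..." -> 0 if every entry is a well-formed MAC.
valid_mac_list() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    for mac in "$@"; do
        printf '%s\n' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    done
    return 0
}

# vblade_cmd SHELF SLOT IFACE DEV MACLIST -> prints the vblade command line.
vblade_cmd() {
    printf 'vblade -m %s %s %s %s %s\n' "$5" "$1" "$2" "$3" "$4"
}

# export_aoe SHELF SLOT IFACE DEV MACLIST : run the checks, then export.
export_aoe() {
    shelf=$1; slot=$2; iface=$3; dev=$4; macs=$5
    [ -b "$dev" ] || { echo "not a block device: $dev" 1>&2; return 1; }
    if is_mounted "$dev"; then
        echo "refusing to export $dev: it is mounted on this host" 1>&2
        return 1
    fi
    valid_mac_list "$macs" || { echo "bad MAC allow-list: $macs" 1>&2; return 1; }
    echo "exporting: $(vblade_cmd "$shelf" "$slot" "$iface" "$dev" "$macs")"
    vblade -m "$macs" "$shelf" "$slot" "$iface" "$dev"
}

# Usage, mirroring the post's values (the MAC is a placeholder):
#   export_aoe 0 1 eth1 /dev/my_vg0/myAoE 00:11:22:33:44:55 &
```

The MAC filter only stops casual mistakes (anything on the segment can spoof a MAC, and the data still travels in the clear), so the real control remains a dedicated, physically separate interface such as the eth1 used above.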

And there you have it. In the end, I have 500GB of usable space in the first array. This includes a spare. All told, $415 delivered from NewEgg.

Next, I will be adding 4x 500GB drives for another array. At the current prices, you just can't beat the $ per GB.

PPTP VPN server using MPD-Netgraph

Currently, I am testing a few different vpn solutions to secure my wireless network at home. This is just the barebones steps I went through to get MPD setup and running for Windows XP clients.

mpd-netgraph setup:

I followed the suggestions in the following urls:
http://lists.freebsd.org/pipermail/freebsd-security/2003-July/000466.html
http://www.blackh0le.net/articles/vpn-dun-howto.html

Background Info:

10.x.x.0/24 was my internal network
192.168.0.0/24 was my wireless cloud

1. System specs:

Celeron 333
128MB RAM
4GB Harddisk
2 NICs

The rest really doesn’t matter.

2. Install FreeBSD:

minimal + kern developer install

kernel compile:

ipfilter
ipfilter_log
ipfilter_default_block

mpd-netgraph is a ‘userspace’ daemon.

disable the rest that we usually disable.

Enable ipf:
create /etc/ipf.rules (fully open set until we’re done with setup)

3. cvsup:
cd /usr/ports/net/cvsup-without-gui
make install clean
/usr/local/bin/cvsup -g -L 2 /usr/src/sup-ports

4. mpd installation:
cd /usr/ports/net/mpd
make install clean

7. cd /usr/ports/net/isc-dhcp3
make install clean

/usr/local/etc/dhcpd.conf

# dhcpd.conf

# option definitions common to all supported networks…
option domain-name "test.net";
option domain-name-servers 10.x.x.253,10.x.x.249;
option subnet-mask 255.255.255.0;

default-lease-time 3600;
max-lease-time 86400;
authoritative;

ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.1 192.168.0.250;
# IPs 51-75 are for pptp clients
option routers 192.168.0.254;
}

8. mpd.conf:

default:
load pptp0
load pptp1
load pptp2

pptp0:
new -i ng0 pptp0 pptp0
set iface disable on-demand
set bundle disable multilink
set iface enable proxy-arp
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 60 180
set ipcp yes vjcomp
set ipcp ranges 10.x.x.250/32 10.x.x.51/24
set ipcp dns 10.x.x.249
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e128
set ccp yes mpp-stateless
set bundle yes crypt-reqd

pptp1:
new -i ng1 pptp1 pptp1
set iface disable on-demand
set bundle disable multilink
set iface enable proxy-arp
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 60 180
set ipcp yes vjcomp
set ipcp ranges 10.x.x.250/32 10.x.x.52/24
set ipcp dns 10.x.x.249
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e128
set ccp yes mpp-stateless
set bundle yes crypt-reqd

pptp2:
new -i ng2 pptp2 pptp2
set iface disable on-demand
set bundle disable multilink
set iface enable proxy-arp
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 60 180
set ipcp yes vjcomp
set ipcp ranges 10.x.x.250/32 10.x.x.53/24
set ipcp dns 10.x.x.249
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e128
set ccp yes mpp-stateless
set bundle yes crypt-reqd
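The three link sections repeat the same handful of lines that actually matter for security: PAP stays off (set link no pap chap, then enable chap only), 128-bit MPPE is offered, and crypt-reqd refuses a session that did not negotiate encryption. As an added example (not from the original post or the mpd project), here is a lint that checks every pptp section of an mpd.conf for those settings, so a copy-and-paste slip in one of the sections does not silently leave one link unencrypted. It assumes POSIX awk and the layout used above, with each section introduced by a "name:" line and the default section only loading the others; it does not change the fact that PPTP with MS-CHAP is no longer considered adequate protection on its own.

```sh
#!/bin/sh
# Added example, not from the original post: lint for mpd.conf that checks
# every pptp link section for the settings the configuration relies on to
# keep the tunnel encrypted and to keep cleartext PAP off.
# Assumptions: POSIX awk; sections start with "name:" on its own line and
# the "default:" section only loads the others.

# lint_mpd_conf FILE -> prints one finding per line; exit 1 if any, else 0.
lint_mpd_conf() {
    awk '
    # A line of the form "pptp0:" starts a new section.
    /^[A-Za-z0-9_]+:[ \t]*$/ {
        sec = $0; sub(/:.*/, "", sec)
        if (sec != "default") seen[sec] = 1
        next
    }
    # Ignore anything before the first section and the default loader section.
    sec == "" || sec == "default" { next }
    /^[ \t]*set bundle yes crypt-reqd/   { crypt[sec] = 1 }
    /^[ \t]*set ccp yes mpp-e128/        { e128[sec] = 1 }
    /^[ \t]*set ccp yes mpp-e(40|56)/    { weak[sec] = 1 }
    /^[ \t]*set link (enable|yes) pap/   { pap[sec] = 1 }
    END {
        bad = 0
        for (s in seen) {
            if (!(s in crypt)) { print s ": missing \"set bundle yes crypt-reqd\" (unencrypted sessions allowed)"; bad = 1 }
            if (!(s in e128))  { print s ": missing \"set ccp yes mpp-e128\" (128-bit MPPE not offered)"; bad = 1 }
            if (s in weak)     { print s ": 40/56-bit MPPE enabled"; bad = 1 }
            if (s in pap)      { print s ": PAP enabled (cleartext passwords)"; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Usage (path as installed by the FreeBSD port at the time; adjust to yours):
#   lint_mpd_conf /usr/local/etc/mpd/mpd.conf && echo "mpd.conf: all links OK"
```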

9. create mpd.links:
pptp0:
set link type pptp
set pptp self 192.168.0.254
set pptp enable incoming
set pptp disable originate

pptp1:
set link type pptp
set pptp self 192.168.0.254
set pptp enable incoming
set pptp disable originate

pptp2:
set link type pptp
set pptp self 192.168.0.254
set pptp enable incoming
set pptp disable originate

10. create mpd.secret:
username1 "password1"
username2 "password2"

11. create /usr/local/etc/rc.d/mpd.sh startup script:
#!/bin/sh
# Set the environment variables
. /etc/profile
. ~/.profile

pidf=/var/run/mpd.pid

case "$1" in
start|"") mpd -b;;
stop) if [ -r $pidf ]; then
kill -TERM `cat $pidf`
fi;;
*) echo "usage: $0 [start|stop]" 1>&2; exit 1;;
esac

12. create /usr/local/etc/rc.d/zzz_ipf_sync.sh

#! /bin/sh

echo "Sleeping for 10 seconds before syncing IPF."
sleep 10

# Syncs IPF with the active interface list
ipf -y

echo "VPN interfaces are now available."

# some simple logging
echo "IPF synced at:" >> /var/log/general.log
date >> /var/log/general.log

This script allows mpd to finish loading and create the ng* interfaces. Once this is done, ipf then syncs ALL interfaces.
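A fixed sleep is a race: if mpd takes longer than expected, ipf -y runs before the ng* interfaces exist and the VPN traffic is never covered by the rule set. As an added example (not from the original post), here is the same script with the sleep replaced by a bounded poll that waits for each expected interface and refuses to report success if they never appear. It assumes FreeBSD's ifconfig and ipf, the three interface names ng0, ng1 and ng2 from the mpd.conf above, and a 60-second limit chosen here as a placeholder.

```sh
#!/bin/sh
# Added example, not from the original post: replaces the fixed sleep in
# zzz_ipf_sync.sh with a bounded poll. Waits until every expected ng*
# interface exists, then runs "ipf -y" once.
# Assumptions: FreeBSD with ipf; interface presence checked via ifconfig;
# the 60-second limit is a placeholder.

# Probe for one interface. Kept as a separate function so the wait logic can
# be exercised without ng* interfaces present (a test can redefine it).
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# wait_for_ifaces TIMEOUT_SECONDS IFACE... -> 0 when all exist, 1 on timeout.
wait_for_ifaces() {
    timeout=$1; shift
    elapsed=0
    while :; do
        missing=""
        for i in "$@"; do
            iface_exists "$i" || missing="$missing $i"
        done
        [ -z "$missing" ] && return 0
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "timed out waiting for:$missing" 1>&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# sync_ipf: wait for the VPN interfaces, then sync ipf and log the outcome.
sync_ipf() {
    if wait_for_ifaces 60 ng0 ng1 ng2; then
        ipf -y
        echo "IPF synced at: $(date)" >> /var/log/general.log
    else
        echo "IPF NOT synced at $(date): VPN interfaces missing" >> /var/log/general.log
        return 1
    fi
}

# rc.d invokes the script with "start"; do nothing when sourced or run bare.
if [ "$#" -gt 0 ] && [ "$1" = start ]; then
    sync_ipf
fi
```

Logging the failure case matters as much as the success case: a firewall that silently never learned about the tunnel interfaces is exactly the kind of gap you want to see in the log the next morning.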

Conclusion:
The end result of this little experiment was somewhat of a disappointment. In the end, I had a working VPN that had less than stable connections over an 802.11b wireless link. It would drop connections at random, even though the link remained strong and network connectivity remained for wireless clients NOT on the vpn.

If anyone has any ideas on ways to stabilize the vpn tunnel, I appreciate any input.

qmail Toaster Recovery

Ok, here is another one that was specifically geared to my setup, but I thought it may help someone else out in a pinch. I lost the motherboard for my web/email server due to that "capacitor problem". What follows is how I got everything back up and functional. The server consisted of Apache and qmail, plus various other odds and ends. Another item to note is that this is a FreeBSD 5.1-RELEASE system; Linux admins, change settings accordingly.

First, I get the basics on there so I have network connectivity and the tools I use to make everything go smoothly, not to mention there are some security issues involved.

1. install cvsup-without-gui

2. create /usr/src/sup-ports
*default host=cvsup8.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=.
# date=2003.03.25.23.00.00
*default delete use-rel-suffix
*default compress
ports-all

3. cvsup ports

4. install portsupgrade

5. install apache2

6. install mod_php4 (sockets and bcmath)

7. install bind9

8. configure DHCPd
isc-dhcp3 port

Did I forget to mention that this server was also my DHCPd server for the LAN?

9. install irssi

10. install lynx

11. install ntp

12. install openssl (overwrite_base)

13. install opensshportable (point rc.conf to new binary)

14. install screen

15. install mget

16. install zsh (it’s just my preference, thanks stibnite)

Now, we’ll get into the qmail (and vpopmail) install so I can start spooling email locally instead of letting my secondary take care of all the work. As I mentioned before, I use qmail… again, thanks stib. Some of the following items were taken verbatim from Flattie’s qmail toaster howto. I could provide a link, but thats why you have google bookmarked.

1. create users and groups for qmail and vpopmail (this may not be required when using the freebsd port but I did it before hand anyway)

mkdir /var/qmail
pw groupadd -n vchkpw -g 98
pw useradd -n vpopmail -u 98 -g 98 -c Vpopmail-Master -d /home/vpopmail -s /nonexistent (all on one line)
pw groupadd -n nofiles -g 91
pw groupadd -n qmail -g 92
pw useradd -n alias -u 91 -g 91 -d /var/qmail/alias -s /nonexistent
pw useradd -n qmaild -u 92 -g 91 -d /var/qmail -s /nonexistent
pw useradd -n qmaill -u 93 -g 91 -d /var/qmail -s /nonexistent
pw useradd -n qmailp -u 94 -g 91 -d /var/qmail -s /nonexistent
pw useradd -n qmailq -u 95 -g 92 -d /var/qmail -s /nonexistent
pw useradd -n qmailr -u 96 -g 92 -d /var/qmail -s /nonexistent
pw useradd -n qmails -u 97 -g 92 -d /var/qmail -s /nonexistent

2. make directories

mkdir /var/log/qmail
mkdir /var/log/qmail/qmail-send
mkdir /var/log/qmail/qmail-smtpd
mkdir /var/log/qmail/qmail-pop3d
chown -R qmaill.wheel /var/log/qmail
chmod -R 750 /var/log/qmail

3. cd /usr/ports/mail/qmail

make fetch
make patch
download eric johnstons smtpd-auth patch
patch according to the included INSTALL document
vi ./work/qmail*/conf-split change 23 > 199
vi ./work/qmail*/conf-spawn change 120 > 255
make install clean
echo 255 > /var/qmail/control/concurrencyremote
chmod 644 /var/qmail/control/concurrencyremote

4. cd /usr/ports/sysutils/daemontools
make install clean

5. cd /usr/ports/sysutils/ucspi-tcp
make install clean

6. vi /etc/tcp.smtp

127.0.0.1:allow,RELAYCLIENT=""
10.1.1.1-252:allow,RELAYCLIENT=""
:allow

/usr/local/bin/tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp 2>&1 > /dev/null
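Those three lines are what separate a mail server from an open relay: RELAYCLIENT is granted only to localhost and the LAN range, and the final rule with an empty address part (which matches every client) only allows the connection without setting RELAYCLIENT. As an added example (not from Flattie's howto or this post), here is a small check to run before compiling the cdb; it refuses to build rules in which a catch-all line grants RELAYCLIENT. It assumes the ucspi-tcp tcprules binary in /usr/local/bin and the rule syntax "address:instruction[,VAR=value]".

```sh
#!/bin/sh
# Added example, not from the original post or Flattie's howto: lints a
# tcpserver rules file such as /etc/tcp.smtp before compiling it, rejecting
# rules that would turn qmail-smtpd into an open relay.
# Assumptions: ucspi-tcp tcprules in /usr/local/bin; rule syntax
# "address:instruction[,VAR=value]" where an empty address matches everyone.

# check_relay_rules FILE -> prints offending lines on stderr; returns 1 if
# any rule grants RELAYCLIENT to all hosts, 0 otherwise.
check_relay_rules() {
    rules=$1
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        addr=${line%%:*}                  # text before the first colon
        instr=${line#*:}                  # everything after it
        case $instr in
            *RELAYCLIENT*)
                if [ -z "$addr" ]; then
                    echo "open relay: '$line' grants RELAYCLIENT to every client" 1>&2
                    status=1
                fi ;;
        esac
    done < "$rules"
    return $status
}

# compile_rules RULES CDB : lint first, then compile as the post does.
compile_rules() {
    rules=$1; cdb=$2
    check_relay_rules "$rules" || return 1
    /usr/local/bin/tcprules "$cdb" "$cdb.tmp" < "$rules"
}

# Usage:
#   compile_rules /etc/tcp.smtp /etc/tcp.smtp.cdb
```

The same check is worth wiring into the "cdb" branch of the qmail rc script further down, since that is where the rules usually get recompiled in a hurry.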

11. cd /usr/ports/mail/autorespond
make install clean

12. install gdbm /usr/ports/databases/gdbm
make install clean

13. check for files in /var/qmail/control
(restore rcpthosts, virtualdomains, /home/vpopmail/domains and users dir)
(remember to re-chmod if necessary)
If you are actually using this document to help you do a restore and didn’t do a backup, yer fooked.

14. edit rc.conf
sendmail_enable="NONE"

15. edit /etc/mail/mailer.conf
sendmail /var/qmail/bin/sendmail
send-mail /var/qmail/bin/sendmail

Create the file structure for daemontools to run its qmail scripts:

mkdir /service
chmod 755 /service
mkdir /var/qmail/supervise
chmod 755 /var/qmail/supervise

mkdir /var/qmail/supervise/qmail-smtpd
mkdir /var/qmail/supervise/qmail-smtpd/log
chmod +t /var/qmail/supervise/qmail-smtpd

mkdir /var/qmail/supervise/qmail-send
mkdir /var/qmail/supervise/qmail-send/log
chmod +t /var/qmail/supervise/qmail-send

mkdir /var/qmail/supervise/qmail-pop3d
mkdir /var/qmail/supervise/qmail-pop3d/log
chmod +t /var/qmail/supervise/qmail-pop3d

ln -s /var/qmail/supervise/* /service/

ls -la /service/

OUTPUT:
lrwx------ 1 root wheel 32 Jan 01 00:00 qmail-pop3d@ -> /var/qmail/supervise/qmail-pop3d
lrwx------ 1 root wheel 31 Sep 01 00:00 qmail-send@ -> /var/qmail/supervise/qmail-send
lrwx------ 1 root wheel 32 Sep 01 00:00 qmail-smtpd@ -> /var/qmail/supervise/qmail-smtpd

SUPERVISION SCRIPTS

Create the supervision scripts that keep everything from dying.

1. vi /var/qmail/rc

#!/bin/sh
exec env - PATH="/var/qmail/bin:/usr/local/bin" \
qmail-start ./Maildir/

chmod 700 /var/qmail/rc

2. vi /var/qmail/supervise/qmail-pop3d/run

#!/bin/sh
exec /usr/local/bin/tcpserver -H -R -v -c100 0 110 /var/qmail/bin/qmail-popup mail-host1.domain.org \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

chmod 755 /var/qmail/supervise/qmail-pop3d/run

3. vi /var/qmail/supervise/qmail-pop3d/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-pop3d 2>&1

chmod 755 /var/qmail/supervise/qmail-pop3d/log
chmod 755 /var/qmail/supervise/qmail-pop3d/log/run

4. vi /var/qmail/supervise/qmail-smtpd/run

#!/bin/sh
exec /usr/local/bin/tcpserver -p -R -x /etc/tcp.smtp.cdb -u92 -g91 -v -c100 0 smtp rblsmtpd /var/qmail/bin/qmail-smtpd 2>&1

chmod 755 /var/qmail/supervise/qmail-smtpd/run

5. vi /var/qmail/supervise/qmail-smtpd/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-smtpd 2>&1

chmod 755 /var/qmail/supervise/qmail-smtpd/log
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run

6. vi /var/qmail/supervise/qmail-send/run

#!/bin/sh
exec /var/qmail/rc

chmod 755 /var/qmail/supervise/qmail-send/run

7. vi /var/qmail/supervise/qmail-send/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-send 2>&1

chmod 755 /var/qmail/supervise/qmail-send/log
chmod 755 /var/qmail/supervise/qmail-send/log/run

QMAIL RC SCRIPT

Create the qmail rc script if it's not already present due to the port install

1. vi /usr/local/etc/rc.d/qmail

#!/bin/sh
case "$1" in
start)
echo -n "Starting qmail: svscan"
if cd /var/qmail/supervise; then
env - PATH="/var/qmail/bin:/usr/local/bin:/usr/bin:/bin" svscan &
echo $! > /var/run/svscan.pid
fi
echo "."
;;
stop)
echo -n "Stopping qmail: svscan"
kill `cat /var/run/svscan.pid`
echo -n " qmail"
svc -dx /var/qmail/supervise/*
echo -n " logging"
svc -dx /var/qmail/supervise/*/log
echo "."
;;
stat)
cd /var/qmail/supervise
svstat * */log
;;
doqueue|alrm)
echo "Sending ALRM signal to qmail-send."
svc -a /var/qmail/supervise/qmail-send
;;
queue)
qmail-qstat
qmail-qread
;;
reload|hup)
echo "Sending HUP signal to qmail-send."
svc -h /var/qmail/supervise/qmail-send
echo "Sending HUP signal to qmail-pop3d."
svc -h /var/qmail/supervise/qmail-pop3d
;;
pause)
echo "Pausing qmail-send"
svc -p /var/qmail/supervise/qmail-send
echo "Pausing qmail-smtpd"
svc -p /var/qmail/supervise/qmail-smtpd
echo "Pausing qmail-pop3d"
svc -p /var/qmail/supervise/qmail-pop3d
;;
cont)
echo "Continuing qmail-send"
svc -c /var/qmail/supervise/qmail-send
echo "Continuing qmail-smtpd"
svc -c /var/qmail/supervise/qmail-smtpd
echo "Continuing qmail-pop3d"
svc -c /var/qmail/supervise/qmail-pop3d
;;
restart)
echo "Restarting qmail:"
echo "* Stopping qmail-smtpd."
svc -d /var/qmail/supervise/qmail-smtpd
echo "* Sending qmail-send SIGTERM and restarting."
svc -t /var/qmail/supervise/qmail-send
echo "* Restarting qmail-smtpd."
svc -u /var/qmail/supervise/qmail-smtpd
echo "* Sending qmail-pop3d SIGTERM and restarting."
svc -t /var/qmail/supervise/qmail-pop3d
;;
cdb)
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp 2>&1 > /dev/null
;;
# The post's copy of the script stopped at the cdb case; the closing lines
# below are restored so the script runs, with a usage message as the default.
*)
echo "usage: $0 {start|stop|stat|doqueue|queue|reload|pause|cont|restart|cdb}" 1>&2
exit 1
;;
esac

That should do it.

I’m sure I missed a few steps or software installs in there somewhere. If I did, don’t come crying to me, that’s what your mamma is for. After you’re done crying, feel free to drop me a line and tell me what I missed, thanks.

Inspiron 2650 + FreeBSD

Just slapped together a little how-to on getting FreeBSD installed on a Dell laptop. As always, comments are welcome. This is the first iteration of this how-to, so if you see anything wrong, have a suggestion or whatever, please post a comment!

1. Boot FreeBSD CD
a. At Booting [Kernel] in 10 seconds; hit space
b. At OK type boot -c
c. At config> eisa 0
d. At config> quit

2. Install FreeBSD minimal set
a. Install ports collection
b. Install kernel sources

*NOTE*
If you need assistance with the install of FreeBSD,
visit http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/install.html

3. During the reboot, you will have to accomplish step 1 again

4. Edit fstab as follows
a. Noauto on proc
b. Noatime on all others
c. Leave the /swap alone

5. Edit /etc/make.conf by adding the following
a. touch /etc/make.conf
b. echo "CFLAGS= -O -pipe" >> /etc/make.conf
c. echo "NOPROFILE= true" >> /etc/make.conf
d. echo "USA_RESIDENT= YES" >> /etc/make.conf

6. Compile new kernel
a. comment out device eisa
b. add device agp
c. add options VESA
d. add options SC_PIXEL_MODE

7. Add soundcard support
a. echo 'snd_ich_load="YES"' >> /boot/loader.conf

8. Configure console by adding the following commands to rc.local
a. echo "vidcontrol VESA_800x600" >> /etc/rc.local
If you don’t do this, exiting X will completely blow your console, requiring a reboot.
b. reboot

9. Install the following package
a. pkg_add -r cvsup-without-gui

10. cvsup the ports collection

*NOTE*
If you need help with the cvsup process,
visit http://bsdvault.net/sections.php?op=viewarticle&artid=3

11. Install the Xfree 4.2.x from ports (must be installed from ports, we will need to patch this with the nv (nvidia) driver.)
a. Compile XFree 4.2.x (yes, we will recompile the server, but this picks up everything we need)
b. Patch XFree86-4-Server with the nvidia code
i. Get the nv.tar.gz patch (http://www.marcuscom.com/g2g-xfree86/article.html)
ii. cd /usr/ports/x11-servers/XFree86-4-Server
iii. make clean
iv. make patch
v. cd work
vi. tar -zxvf /path/to/nv.tar.gz
vii. cd ..
viii. make all
ix. make deinstall
x. make reinstall
c. configure X using the graphical utility from the /stand/sysinstall menu
i. Vert refresh 50 – 100
ii. HorizSync 31.5 – 90

12. Install Gnome2 port
a. I don’t recommend starting gdm from rc.local until you are completely certain that everything is working right
b. I usually just log in as root and do a gdm && exit real quick. (learned that from Super Stibbers)

Staying on top of your ports, the easy way

I submitted this over at Soup’s BSDHound.com but I’m such a literary genius, I thought I would put it here too:

A lot of people try to claim various things are the "mother of invention", but as *n*x or *BSD admins, we know the truth. And that truth is.... LAZINESS. Yep, if it weren't for lazy admins, we wouldn't have half of the automation scripts we have today. This affliction is what finally forced me to learn some Perl.

Keeping your ports tree and, subsequently, your installed binaries up to date can be a tedious task to say the least. To help alleviate this situation (and to help resume my laziness and boredom) I wrote up a script to automate cvsup'ing my ports tree. I'm not going to sit here and tell you that I'm a scripting genius, the syntax of the script would just call me a liar. But I will tell you that this script works for me on 4.x, 5.x and 6.x stable systems. If you find out it works on others, or modify it to do so, drop me a line at packetmad[at]kulish[dot]com.

Anyway, back to what we were talking about. What this script does is cvsup your ports tree, run portupgrade -na (NO PORTS ARE INSTALLED) and generate a nice looking email report sent to the address of your choosing. It's actually fairly well documented within the script itself (amazing, huh?)

Here is an example report:

cvsup SUCCEEDED on Thu Nov 13 00:30:00 CST 2003!!
For host hivemind.some.net!!

PORTUPGRADE Results:
Legend: +:Upgrade / -:No Upgrade / *:Skipped / !:Failed

- security/openssl (openssl-0.9.7c)
- devel/libtool13 (libtool-1.3.5_1)
- security/openssh-portable (openssh-portable-3.7.1p2)
- lang/ruby16 (ruby-1.6.8.2003.10.15)
- lang/ruby16-shim-ruby18 (ruby-shim-ruby18-1.8.1.p2)
- shells/zsh (zsh-4.0.7)
- net/ntp (ntp-4.2.0)
- converters/libiconv (libiconv-1.9.1_3)
- textproc/expat2 (expat-1.95.6_1)
- devel/gettext (gettext-0.12.1)
- devel/gmake (gmake-3.80_1)
- net/mpich (mpich-1.2.5_2)
- net/cvsup-without-gui (cvsup-without-gui-16.1h)
+ lang/perl5.8 (perl-5.8.1_2)
- sysutils/portupgrade (portupgrade-20030723)
- misc/screen (screen-4.0.1_1)

From there you can decide what/when you want to upgrade. It makes it A LOT easier to schedule your updates between Nethack sessions this way.

A note on requirements. It needs to have cvsup-without-gui, portupgrade and Perl 5 installed to work correctly.

If you are still interested, after all this rambling, the script can be obtained from www.lanside.net ‘s download section.