« Newer Snippets
Older Snippets »
9 total  XML / RSS feed 

Set up apache2+SSL on FreeBSD

A nice command-line walkthrough. Replace 'eyebeam' with your org name.


# setting up apache2 + SSL on FreeBSD
# a list of commands you can copy/paste!
# @author Jamie Wilkinson 
# ganked from 

# edit /etc/ssl/openssl.cnf to set some nice defaults for location, org. name, etc.
# important! change the default dir ./demoCA to /root/sslCA


# setup
cd ~root/
mkdir sslCA
chmod 700 sslCA
cd sslCA
mkdir certs private newcerts
echo 1000 > serial
touch index.txt

# generate certs
openssl req -new -nodes -out eyebeam-req.pem -keyout private/eyebeam-key.pem -config /etc/ssl/openssl.cnf
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf
openssl ca -config /etc/ssl/openssl.cnf -out eyebeam-cert.pem -days 3650 -infiles eyebeam-req.pem 

# keep them somewhere handy
mkdir /etc/ssl/crt
mkdir /etc/ssl/key
cp ~root/sslCA/eyebeam-cert.pem /etc/ssl/crt
cp ~root/sslCA/private/eyebeam-key.pem /etc/ssl/key

# add below to an ssl.conf that you include in your httpd.conf
<VirtualHost *:443>
        ServerName colossus.eyebeam.org:443
        SSLEngine on
        SSLCertificateFile /etc/ssl/crt/eyebeam-cert.pem
        SSLCertificateKeyFile /etc/ssl/key/eyebeam-key.pem
        DocumentRoot /www
        CustomLog /var/log/httpd-ssl-access.log combined
        ErrorLog /var/log/httpd-ssl-error.log
</VirtualHost>
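The same CA steps replayed end to end, as an added example that is not part of the original snippet: it builds the sslCA layout in a throwaway directory with a minimal openssl.cnf embedded (so nothing under /etc/ssl is edited), issues the server certificate the way the three openssl commands above do, then checks two things worth checking before the files go into httpd.conf: that the issued certificate actually chains to cacert.pem, and that the private key is readable only by its owner. The directory, the org name "Example Org", the host name colossus.example.org and the 2048-bit RSA key size are assumptions made here.

```shell
#!/bin/sh
# Added example: the page's CA procedure in a temp dir, non-interactive.
# Assumed/constructed: temp dir, "Example Org", colossus.example.org, rsa:2048.

# Create the layout the page describes: sslCA with certs/private/newcerts,
# a serial file and an empty index.txt. Prints the CA directory on success.
build_ca() {
    ca=$(mktemp -d) || return 1
    mkdir "$ca/certs" "$ca/private" "$ca/newcerts" || return 1
    chmod 700 "$ca" "$ca/private"
    echo 1000 > "$ca/serial"
    : > "$ca/index.txt"

    # Minimal config; 'dir' points at this CA dir (the page changes ./demoCA to /root/sslCA).
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $ca
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 3650
policy          = policy_any
x509_extensions = server_cert

[ policy_any ]
commonName       = supplied
organizationName = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:colossus.example.org
EOF

    # 1. Server key + CSR (the page's first 'openssl req'); -subj replaces the prompts.
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$ca/private/eyebeam-key.pem" -out "$ca/eyebeam-req.pem" \
        -subj "/O=Example Org/CN=colossus.example.org" \
        -config "$ca/openssl.cnf" >/dev/null 2>&1 || return 1
    # 2. Self-signed CA certificate with the v3_ca extensions.
    openssl req -new -x509 -days 3650 -extensions v3_ca -nodes -newkey rsa:2048 \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj "/O=Example Org/CN=Example Org CA" \
        -config "$ca/openssl.cnf" >/dev/null 2>&1 || return 1
    # 3. Sign the CSR with the CA; -batch answers the y/n prompts, -infiles must come last.
    openssl ca -batch -notext -config "$ca/openssl.cnf" -days 3650 \
        -out "$ca/eyebeam-cert.pem" -infiles "$ca/eyebeam-req.pem" >/dev/null 2>&1 || return 1
    # Private keys are owner-only, whatever the umask was.
    chmod 600 "$ca/private/"*.pem
    echo "$ca"
}

# Does the issued certificate chain to our CA certificate?
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/eyebeam-cert.pem" >/dev/null 2>&1
}

# Is the key file rw------- (owner only)? Re-run this on /etc/ssl/key after the cp.
key_is_private() {
    [ "$(ls -l "$1" | cut -c2-10)" = "rw-------" ]
}

# Usage: d=$(build_ca) && verify_chain "$d" && key_is_private "$d/private/eyebeam-key.pem"
```

The two checks at the end are the ones that matter operationally: a certificate that does not verify against the CA shows up later as browser errors, and a world-readable key under /etc/ssl/key (or one that ends up under DocumentRoot) is a credential leak rather than a configuration bug.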

Build OpenLDAP 2.3 on FreeBSD using unixODBC instead of libODBC

cd /usr/ports/net/openldap23-server
sudo make install WITH_ODBC=y WITH_ODBC_TYPE=unixodbc


More to come on configuring the beast and accompanying phpLDAPadmin...

Netperf benchmarks of FreeBSD versus Solaris

{Disclaimer: these were with FreeBSD 5. FreeBSD 6 doesn't seem to have the same issues}

Netperf server running on yumi.textdrive.com (solaris nevada build) and comox.textdrive.com (freebsd 5.4).

Tested from emi.textdrive.com (solaris) and pacific.textdrive.com (freebsd)

Restricted to one 3.2 Ghz Intel Xeon CPU

Representative numbers are below; the theoretical maximum for gigabit is 128MB/sec.

Also done with file sizes of 6400 and 64000, with insignificant differences.

---------
LOOPBACKS
---------

Loopback speeds comox -> comox via private IP (All FreeBSD)

# /usr/local/netperf/netperf -fM -H private.comox.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST to private.comox.textdrive.com
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

65536  32768   1472    10.00      59.79

Loopback speeds comox -> comox via localhost (All FreeBSD)

# /usr/local/netperf/netperf -fM -H 127.0.0.1 -tTCP_STREAM -- -m1472
TCP STREAM TEST to 127.0.0.1
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

65536  32768   1472    10.00     180.22


Loopback speed yumi -> yumi via private IP (All Solaris)

[yumi:/] root# /opt/csw/bin/netperf -fM -H private.yumi.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST from ::ffff:0.0.0.0 (0.0.0.0) port 0 AF_INET to private.yumi.textdrive.com (10.0.0.247) port 0 AF_INET

Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  49152   1472    10.00     303.60

Loopback speed yumi -> yumi via 127.0.0.1 (All Solaris)

[yumi:/] root# /opt/csw/bin/netperf -fM -H 127.0.0.1 -tTCP_STREAM -- -m1472
TCP STREAM TEST from ::ffff:0.0.0.0 (0.0.0.0) port 0 AF_INET to ::ffff:127.0.0.1 (127.0.0.1) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  49152   1472    9.99      331.41

-------------
OVER A SWITCH
-------------

FreeBSD -> FreeBSD

pacific# /usr/local/netperf/netperf -fM -H private.comox.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST to private.comox.textdrive.com
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

65536  32768   1472    10.02       4.86

FreeBSD -> Solaris

pacific# /usr/local/netperf/netperf -fM -H private.yumi.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST to private.yumi.textdrive.com
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  32768   1472    10.01       4.95

Solaris -> FreeBSD

[emi:/] root# /opt/csw/bin/netperf -fM -H private.comox.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST from ::ffff:0.0.0.0 (0.0.0.0) port 0 AF_INET to private.comox.textdrive.com (10.0.0.189) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

65536  49152   1472    10.07      44.13

Solaris -> Solaris

[emi:/] root# /opt/csw/bin/netperf -fM -H private.yumi.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST from ::ffff:0.0.0.0 (0.0.0.0) port 0 AF_INET to private.yumi.textdrive.com (10.0.0.247) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  49152   1472    10.00      75.59
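Pulling the figure out of a saved netperf result, as an added example that is not part of the original post: the data row in a TCP_STREAM report is the only line made of five numbers, so a one-line awk picks the Throughput column, and a second function expresses it against the page's 128MB/sec gigabit ceiling. The sample below is copied from the FreeBSD -> Solaris run above; netperf itself is not executed here.

```shell
#!/bin/sh
# Added example: parse a netperf TCP_STREAM report; not part of the original snippet.

# Print the Throughput column of a netperf TCP_STREAM report read on stdin.
# The data row is the only line of exactly five numeric fields
# (recv size, send size, message size, elapsed secs, throughput).
netperf_throughput() {
    awk 'NF == 5 && $1 ~ /^[0-9]+$/ && $5 ~ /^[0-9.]+$/ { print $5; exit }'
}

# Integer percentage of the gigabit ceiling (128 MB/sec per the page) reached by
# a throughput figure in MBytes/sec. Loopback runs can legitimately exceed 100.
pct_of_gigabit() {
    awk -v mbs="$1" 'BEGIN { printf "%d\n", mbs * 100 / 128 }'
}

# Constructed sample: the FreeBSD -> Solaris result from the page, saved as a file would be.
SAMPLE='TCP STREAM TEST to private.yumi.textdrive.com
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  32768   1472    10.01       4.95'

# Usage: printf '%s\n' "$SAMPLE" | netperf_throughput   (prints 4.95)
#        pct_of_gigabit 4.95                              (prints 3)
```

Saving each run to a file and feeding it through these two functions makes the comparison across the eight runs above mechanical, and makes a result like 4.86 MB/sec on a gigabit switch (under 4% of the ceiling) stand out immediately.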

What to do when new kernel does not work

Occasionally things go bad(tm). This has bitten me for the second time in approximately 3 years now, but generally one needs to load the old FreeBSD kernel to start debugging and going through the box with a fine-tooth comb.

The following snippet gives you an idea of what steps to take when rebooting the server so that you can load the previous working copy of the FreeBSD kernel:
When the boot menu appears hit the spacebar to stop the countdown.
Press "6" for "to escape to loader prompt"
unload
load /boot/kernel.old/kernel
boot

Now the old working FreeBSD kernel is booting up. It is recommended to copy the last working version to /boot/kernel.last, for example, so that you can "load /boot/kernel.last/kernel", especially if you are going to be building your kernel multiple times on a server.

Cron zombie killer

This searches for and destroys the zombie processes that linger (and block I/O for an indefinite amount of time) after cron starts up on a shared server:

for each in `ps jauxww | grep Z | grep -v PID | awk '{print $3}'`; do for every in `ps auxw | grep $each | grep cron | awk '{print $2}'`; do kill -9 $every; done; done
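The same idea as the one-liner above, as an added example that is not the page's code: it matches the STAT column and the parent's command name exactly, rather than grepping for a "Z" anywhere on the line (which also hits any command with a Z in its name) or for a bare PID (which matches as a substring of other PIDs). Zombies cannot be killed themselves, which is why both the one-liner and this version signal the cron parent. The ps listing used as input is constructed; the function that actually signals processes is shown but not run here.

```shell
#!/bin/sh
# Added example: find cron parents of zombie processes; not the page's own code.

# Read a ps listing with the columns PID PPID STAT COMMAND on stdin and print
# each PID that is the parent of at least one zombie (STAT starting with Z) and
# whose command is cron (or crond). A header line, if present, is skipped.
zombie_parents() {
    awk '
        NR == 1 && $1 == "PID" { next }
        { comm[$1] = $4; if ($3 ~ /^Z/) zparent[$2] = 1 }
        END { for (p in zparent) if (comm[p] ~ /^crond?$/) print p }
    ' | sort -n
}

# Live use on FreeBSD or Linux. Default is TERM; pass -9 as $1 to match the
# one-liner's behaviour. Run it by hand first with echo in front of kill.
kill_zombie_parents() {
    for pid in $(ps ax -o pid,ppid,stat,comm | zombie_parents); do
        kill "${1:--TERM}" "$pid"
    done
}

# Constructed sample listing: two zombies under cron (812), one zombie whose
# parent is httpd (not cron), and a process whose name contains a capital Z
# that the original 'grep Z' would have picked up.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   init
  812     1 Is   cron
 4410   812 Z    sh
 4411   812 Z    sh
 5200     1 S    httpd
 5301  5200 Z    httpd
 6000     1 Ss   ZopeServer'

# Usage: printf '%s\n' "$SAMPLE_PS" | zombie_parents   (prints 812)
```

Leaving out the `grep cron` stage would also report 5200, the httpd parent, which the original one-liner would never kill; keeping the command match confines the action to the cron-spawned case the snippet is about.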

exim router for relaying via a smarthost

Under the "begin routers" section add:

route_append:
    driver = manualroute
    domains = *
    transport = remote_smtp
    route_data = "smarthost.host.name byname"

Formatting a disk for use in FreeBSD

Given that this isn't something I do regularly, it's handy to have the commands to hand so I don't have to scroll through man pages trying to remember how to do it.

Clear the disk
# dd if=/dev/zero of=/dev/ad1 bs=1k count=1


Initialise it
# fdisk -BI ad1


Label it, then edit the labels created
# bsdlabel -B -w ad1s1 auto
# bsdlabel -e ad1s1


Format it with a filesystem
# newfs /dev/ad1s1e


Make directories and mount as appropriate, and you're done!

Upgrading a kernel

Install CVSup

cd /usr/ports/net/cvsup-without-gui
make install distclean


Make and populate the CVSup config file

touch /root/cvsup-stable-src.sup
echo '*default host=cvsup14.us.FreeBSD.org' >> /root/cvsup-stable-src.sup
echo '*default base=/var/db' >> /root/cvsup-stable-src.sup
echo '*default prefix=/usr' >> /root/cvsup-stable-src.sup
echo '*default release=cvs tag=RELENG_5' >> /root/cvsup-stable-src.sup
echo '*default delete use-rel-suffix compress' >> /root/cvsup-stable-src.sup
echo ' src-all' >> /root/cvsup-stable-src.sup


Update the /usr/src/ tree

cvsup /root/cvsup-stable-src.sup


Get rid of any old "worlds" and make a new one

rm -rf /usr/obj/usr
cd /usr/src/
make buildworld


Make changes to /usr/src/sys/i386/conf/GENERIC and name it whatever you want.

Build the kernel, install the kernel, verify that the new kernel and kernel.old are in /boot/, run mergemaster, and install the new world.

make buildkernel KERNCONF=GENERIC
make installkernel KERNCONF=GENERIC
mergemaster -p
make installworld
mergemaster
ls -l /boot/
shutdown -r now


Note: we often run at securelevel 1 and have immutable binaries in the system folders. You'll need to edit rc.conf.

nano /etc/rc.conf

kern_securelevel_enable="NO"
kern_securelevel="1"


Reboot
shutdown -r now


Then make things mutable

chflags noschg /bin/*
chflags noschg /sbin/*
chflags noschg /bin
chflags noschg /sbin
chflags noschg /usr/bin/*
chflags noschg /usr/sbin/*
chflags noschg /usr/bin
chflags noschg /usr/sbin

Using pw to add a group and user in FreeBSD

Using "textdrive" as an example

pw groupadd textdrive
pw useradd textdrive -m -c "Main Textdrive account" -d /home/textdrive -s /bin/tcsh -G textdrive -k /usr/share/skel/


Then set the password:

passwd textdrive
