Small Homeserver - What to do?

Dear Community,

thanks for taking the time! ;-) I am really glad about communities like this one and I do have a few questions related to my little home server. Maybe one day I am able to contribute something back to this one :)

You can skip ahead to the bold-marked sections if you want to leave out "my history" with FreeBSD ;-)

I am living together with 6 other guys, inside a bigger community of altogether around 20 people. We want to have our own little wiki-server, filesharing and maybe print-server.

Coming from Gentoo-Linux I am quite experienced in compiling my own system. About 10 years ago a friend showed me FreeBSD and I was interested, but not "ready". Then I switched to MacOS-X and now came back to FreeBSD.

I played with FreeBSD 8.0 the last couple of days and think it is time to install my new server that arrived yesterday.

Hardware configuration server:
Intel Atom 330 (dualcore with hyper-threading, looks like 4 cores)
NVidia ION-Chipset
NVidia 9400M GPU
2 GB DDR2 RAM
320 GB 3,5" hdd.

Setup:
  • We have a small little router (FritzBox), which needs to be used due to VoIP :-(
  • dLink AccessPoint, this one is for the Laptops and is DHCP-Server as I can configure, what DNS-IPs it distributes
  • My cute little Server above ;-)

What happened so far:

  • Registered with dyndns.org and having our router login and updating the dns-entry.
  • Installed FreeBSD 8.0 on the server
  • Configured inetd (only running service as of now is sshd without root-login!)
  • Portforwarding on the Router of Port 22 (ssh) to the server so I have remote access from my work-place
  • installed tools like nano and bash to make myself a little more comfortable
  • created /etc/adduser.conf and fitted to my needs and paths

What do I want to do?

  • I want to have a FreeBSD that is fitted to my hardware
  • Have mediawiki installed and locked into a jail (as I plan on making it publicly available, too!)

Next steps:

  • update the installed ports-tree: How do I do that? I could only find a howto about how to install not how to update ports
  • configure and compile the kernel. I will do that when I am at home, not at work for obvious reasons! ;-)
  • update the system according to the freshly upgraded ports-tree
  • install and configure -> apache, mysql, php, mediawiki and jail it
  • portforwarding the port 80 (or maybe 443 for https) to my server in order to have others outside our network (but "inside" our community) to access the wiki

Questions:

  • ports: When I make install clean a software, top shows me a cpu-idle of about 75%. I guess that is because FreeBSD sees 4 cores but only uses 1 for the make. How do I make it use all 4 cores?
  • jails: What should I jail? Just the apache, or the apache and the mysql?
  • VPN or sshd? Should I rather setup a PPTP-VPN-server on my FreeBSD-Machine and vpn into my network, rather than portforward the sshd to the public? I mean security-wise. It would have the benefit of me having access to the router and the accesspoint from work, too!

So any comments, tips, hints, howtos, critics are welcome :)

Thanks and have a nice day!

Thomas
 
twilight said:
  • Configured inetd (only running service as of now is sshd without root-login!)
inetd isn't needed for sshd.

  • Have mediawiki installed and locked into a jail (as I plan on making it publicly available, too!)
The jail(8) manpage has all the info you need on how to set up a jail.

  • update the installed ports-tree: How do I do that? I could only find a howto about how to install not how to update ports
  • configure and compile the kernel. I will do that when I am at home, not at work for obvious reasons! ;-)
  • update the system according to the freshly upgraded ports-tree
  • install and configure -> apache, mysql, php, mediawiki and jail it
  • portforwarding the port 80 (or maybe 443 for https) to my server in order to have others outside our network (but "inside" our community) to access the wiki
Almost everything can be found in the handbook.


  • jails: What should I jail? Just the apache, or the apache and the mysql?
Whatever you want. You can even use 2 separate jails.

  • VPN or sshd? Should I rather setup a PPTP-VPN-server on my FreeBSD-Machine and vpn into my network, rather than portforward the sshd to the public? I mean security-wise. It would have the benefit of me having access to the router and the accesspoint from work, too!
Both have about the same security risks. So, again, it's up to you ;)
 
aragon said:
Have you read the FreeBSD Handbook yet? It should answer many of your questions...

actually I did :)

That is how I got up to the point where I am now! But I could not find something about upgrading the actual ports-tree. There is enough about upgrading installed ports but not the tree itself (as far as I could tell)
 
SirDice said:
inetd isn't needed for sshd.

I guessed I would need it for apache and mysql, no? If not how would I deactivate inetd and still keep sshd running?
 
twilight said:
I guessed I would need it for apache and mysql, no? If not how would I deactivate inetd and still keep sshd running?
Inetd isn't needed at all.

Just add to /etc/rc.conf:
Code:
sshd_enable="YES"

For apache, assuming 2.2.x:
Code:
apache22_enable="YES"

Mysql:
Code:
mysql_enable="YES"
 
After looking into the rc.conf-file I could see the entry for sshd was enabled.
I then looked into the inetd.conf and it was disabled there, so I just disabled inetd
inside the rc.conf. That did the trick, thanks!
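
The rc.conf check described in the posts above, as an added example that is not part of the original thread: on a box whose ports are forwarded from the Internet, every daemon enabled in /etc/rc.conf is attack surface, so this lists what actually starts at boot and flags anything not on an allowlist. The function names, the allowlist and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit which services rc.conf starts at boot (added example; sample data constructed).

# rc.conf is sourced as shell, so the LAST assignment of a variable wins.
# Values YES/TRUE/ON/1 (any case) count as enabled; "#" lines are skipped.
enabled_services() {
    awk -v q="'" '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z0-9_]+_enable=/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            name = line;  sub(/_enable=.*/, "", name)
            value = line; sub(/^[^=]*=/, "", value)
            sub(/[ \t]*#.*/, "", value)          # drop a trailing comment
            gsub("[\"" q "]", "", value)          # drop surrounding quotes
            state[name] = toupper(value)
        }
        END { for (n in state) if (state[n] ~ /^(YES|TRUE|ON|1)$/) print n }
    ' "$1" | sort
}

# Print enabled services that are not on the allowlist given after the file.
unexpected_services() {
    rcfile=$1; shift
    for svc in $(enabled_services "$rcfile"); do
        case " $* " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Constructed rc.conf: inetd is enabled, then disabled further down.
write_sample() {
    cat > "$1" <<'EOF'
hostname="wiki.example.org"
inetd_enable="YES"
sshd_enable="YES"
#mysql_enable="YES"
apache22_enable="yes"
inetd_enable="NO"    # later assignment overrides the first
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "enabled at boot: $(enabled_services "$sample" | tr '\n' ' ')"
echo "not on allowlist: $(unexpected_services "$sample" sshd)"
rm -f "$sample"
```

Run against the real file as `unexpected_services /etc/rc.conf sshd`; settings in /etc/defaults/rc.conf or rc.conf.local are not read by this sketch.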
 
twilight said:
We have a small little router (FritzBox), which needs to be used due to VoIP :-(
Most of these devices can be switched into a bridged mode, acting like a DSL modem. So you could use your FreeBSD machine as a router, and continue using the VoIP features of the device :)

twilight said:
update the installed ports-tree: How do I do that? I could only find a howto about how to install not how to update ports
Code:
more /usr/share/examples/cvsup/ports-supfile
And read the fine handbook :)

twilight said:
When I make install clean a software, top shows me a cpu-idle of about 75%. I guess that is because FreeBSD sees 4 cores but only uses 1 for the make. How do I make it use all 4 cores?
As of FreeBSD 8, parallel port building is supported. As not every software builds without problems, when compiled with parallel make jobs, this feature is enabled, based on a whitelist. This means you have to do nothing, to take advantage of it, for ports known to build without problems. If you are daring to try, you may set FORCE_MAKE_JOBS=yes and MAKE_JOBS_NUMBER=XX in /etc/make.conf, where XX is the number of parallel make jobs to start.
 
twilight said:
What do I want to do?

  • update the installed ports-tree: How do I do that? I could only find a howto about how to install not how to update ports
  • configure and compile the kernel. I will do that when I am at home, not at work for obvious reasons! ;-)
  • update the system according to the freshly upgraded ports-tree
  • install and configure -> apache, mysql, php, mediawiki and jail it
  • portforwarding the port 80 (or maybe 443 for https) to my server in order to have others outside our network (but "inside" our community) to access the wiki

Questions:

  • ports: When I make install clean a software, top shows me a cpu-idle of about 75%. I guess that is because FreeBSD sees 4 cores but only uses 1 for the make. How do I make it use all 4 cores?
  • jails: What should I jail? Just the apache, or the apache and the mysql?
  • VPN or sshd? Should I rather setup a PPTP-VPN-server on my FreeBSD-Machine and vpn into my network, rather than portforward the sshd to the public? I mean security-wise. It would have the benefit of me having access to the router and the accesspoint from work, too!

So any comments, tips, hints, howtos, critics are welcome :)

Thanks and have a nice day!

Thomas

1)
For ports I generally use portsnap. A quick:
Code:
# portsnap fetch extract
should get you up and running with your ports. Then anytime you wish to update them run:
Code:
# portsnap fetch update
Check out the handbook page on ports for other ways of installing/updating.

2)
Building and installing a custom kernel is something I've never actually had time to do properly (I've done them but I just haven't had time to test them thoroughly). But the handbook page on instructions is here if you are interested.

3)
For upgrading the system I always have the same method. Update the kernel then update the ports. If you decide to stick with the generic kernel then an update is:
Code:
# freebsd-update fetch
# freebsd-update install
Followed by a reboot. Keep in mind
Code:
# freebsd-update rollback
is available if something goes wrong.
And for upgrading the ports I always use
Code:
# portupgrade -ca
The "-c" flag loads all your configs first. I'd recommend it.
Here's the relevant page.

4)
The jail man page and the handbook page on jails should be enough to get you started. As for the configs of the services themselves SirDice's suggestions are top notch.

5)
Don't quote me on this one but I believe port forwarding will be handled by your router, so poke around in those manuals (unless I'm wrong which could be entirely possible).

Q1) I believe you can make that work by compiling more than one app at once. I know I read something somewhere about trying to get the system to utilize all the cores naturally but f me if I can remember where that was.

Q2) Jails are nice but I would suggest not using them. Not because the security isn't there but just because the jails seem like it would be too much of a hassle to warrant the added security. Esp if you're just running a web server / print server. I gen use jails to test out software that doesn't yet have a port like monkey web server. It has a port but the latest and greatest is still in devel so when I wanted to test that out I used a jail.

Q3) VPN or ssh? Your call which would you rather use?

CRH
 
-> mickey and chalbersma:

Now that was very helpful. After re-reading the ports-passage in the handbook, I am using portsnap to fetch and update my ports-tree!

thanks for the headsup to updating the kernel and the system, too!

I just read the FreeBSD_Update-Page, ran the commands but I've got a problem:
freebsd-update fetch fetches as it should (it said "fetching 6 patches" among other stuff),
and then said the new Release would be 8.0-RELEASE-p1 but uname -a still says it is 8.0-RELEASE #0

The handbook said that default is to run the /boot/GENERIC - kernel. That file is nowhere to be found on my system. Instead I have "kernel" and "kernel.old". While kernel.old has a new timestamp, the "kernel" still has the same timestamp as it had before.

Am I doing something wrong? I am definitely sure I have not compiled a new kernel ;-)


as for portforwarding: I already did that, otherwise I would not have any access to the FreeBSD-Box at all ;-) I am a network-admin after all, just not familiar with FreeBSD as of now :-(

Well, I guess I have to read some more about jails before I try and use them!
 
I still can't edit. :-(

after running "freebsd-update fetch" I of course ran "freebsd-update install" and rebooted!!

But uname -a says the same, before fetching, before installing and after rebooting
 
mickey said:
If you are daring to try, you may set FORCE_MAKE_JOBS=yes and MAKE_JOBS_NUMBER=XX in /etc/make.conf, where XX is the number of parallel make jobs to start.

Coming from gentoo linux (which features a similar to ports portage-collection), you bet I am daring to try ;-)

I did and what I found was: compiling took less than half the time than before. CPU load increased drastically and idle dropped drastically. And on some ports it still just uses one CPU, so I guess there are ports that are difficult in parallel making, and they don't get overridden by FORCE_MAKE_JOBS=yes, but everything else does make use of all 4 cpus now, and so far now make complained (updating the whole system right now ;-))

Thanks again!

So I guess I need to get the kernel-update running and I could actually start configuring my wiki-server ;-) sweet!!
 
I really need to be more thorough before submitting my posts :p

Meant to write: "and so far no make complained"
 
twilight said:
I did and what I found was: compiling took less than half the time than before. CPU load increased drastically and idle dropped drastically. And on some ports it still just uses one CPU, so I guess there are ports that are difficult in parallel making, and they don't get overridden by FORCE_MAKE_JOBS=yes, but everything else does make use of all 4 cpus now, and so far now make complained (updating the whole system right now ;-))

Yes, from what I've read, there's also the possibility to mark specific ports as not buildable in parallel. I am not sure though, how many of the ports have been marked (either as parallel build safe or unsafe) at this time.

twilight said:
So I guess I need to get the kernel-update running and I could actually start configuring my wiki-server ;-) sweet!!

Guess it will find your interest, that if you are building world/kernel from source, you may as well do that in parallel, by specifying the -j <numjobs> option to make :p
 
twilight said:
actually I did :)

That is how I got up to the point where I am now! But I could not find something about upgrading the actual ports-tree. There is enough about upgrading installed ports but not the tree itself (as far as I could tell)

portsnap()
 
twilight said:
I still can't edit. :-(

after running "freebsd-update fetch" I of course ran "freebsd-update install" and rebooted!!

But uname -a says the same, before fetching, before installing and after rebooting

uname outputs the version number embedded in the kernel itself. If the kernel is not patched by freebsd-update (ie it's other parts of the OS that are updated), then the version will not change.
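
The point in the reply above, as an added example that is not part of the original thread: to confirm a security patch is applied even when `uname` does not change, compare the running kernel, the installed kernel and the userland patch level. It assumes a system that ships freebsd-version(1), which appeared in FreeBSD 10.0 and is not on the 8.0 box discussed here; the function names and the fallback values are constructed for illustration.

```shell
#!/bin/sh
# patch_level VERSION: print N for a "...-pN" suffix, 0 when there is none.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# patch_state RUNNING_KERNEL INSTALLED_KERNEL USERLAND
patch_state() {
    if [ "$1" != "$2" ]; then
        echo "reboot-needed"   # a patched kernel is on disk but not booted yet
    elif [ "$(patch_level "$3")" -gt "$(patch_level "$1")" ]; then
        echo "userland-only"   # the patch did not touch the kernel, uname stays the same
    else
        echo "in-sync"
    fi
}

# Live check where freebsd-version(1) exists (assumption: FreeBSD 10.0 or later).
if command -v freebsd-version >/dev/null 2>&1; then
    patch_state "$(uname -r)" "$(freebsd-version -k)" "$(freebsd-version -u)"
else
    # Constructed values matching the thread: kernel untouched, userland at -p1.
    patch_state "8.0-RELEASE" "8.0-RELEASE" "8.0-RELEASE-p1"
fi
```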
 
thanks, that is interesting :)

But I still have not figured out how to update my kernel.

All my tools and stuff are upgraded, but the kernel still is not. I am still running 8.0-RELEASE while freebsd-update fetch finds version 8.0-RELEASE-p1. After issuing freebsd-update install and rebooting it still is running the "old" version of the kernel.

Is 8.0-RELEASE-p1 a new release?

I thought so and that is why I did freebsd-update -r 8.0-RELEASE-p1 upgrade.
It found the release, asked me about whether my installed and not installed packages look reasonable, which they did. Then it tried to download, but that did not work. Then it said installing, and after a reboot I still have the old kernel-release, but another freebsd-update fetch says No updates needed to update system to 8.0-RELEASE-p1.

And under /boot/ there still is no GENERIC. loader.conf is empty, /boot/defaults/loader.conf says it is using /boot/kernel instead of /boot/GENERIC AND the folder still has the old time/date, only the /boot/kernel.old has a newer time.
 
phoenix said:
uname outputs the version number embedded in the kernel itself. If the kernel is not patched by freebsd-update (ie it's other parts of the OS that are updated), then the version will not change.

so you are saying my system is up to date?
 
twilight said:
And under /boot/ there still is no GENERIC. loader.conf is empty, /boot/defaults/loader.conf says it is using /boot/kernel instead of /boot/GENERIC AND the folder still has the old time/date, only the /boot/kernel.old has a newer time.
GENERIC is the name of the config used to create the kernel. There will never be a file called /boot/GENERIC.
 
tangram said:
Chapter 8 Configuring the FreeBSD Kernel

Everything you need to know to customize and compile a FreeBSD kernel.

thank you, but I know that chapter and have read it already. But it did not answer my question about why freebsd-update did not do its job (at least, that's what I thought and it turned out to be correct, read 3 or so posts above)

SirDice said:
GENERIC is the name of the config used to create the kernel. There will never be a file called /boot/GENERIC.

Now that is something I find sort of confusing :-( Why is in every documentation that I find a path /boot/GENERIC when it is not an actual path but tells me, that /boot/kernel is compiled using the GENERIC-Config file. I really find that confusing :\ but thanks for the hint!
 
twilight said:
and it turned out to be correct, read 3 or so posts above

that should read: The tool turned out to be correct, not my thought about the tool did something wrong ;-)
 
twilight said:
Now that is something I find sort of confusing :-( Why is in every documentation that I find a path /boot/GENERIC when it is not an actual path but tells me, that /boot/kernel is compiled using the GENERIC-Config file. I really find that confusing :\ but thanks for the hint!
I can imagine it's confusing because /boot/GENERIC is simply not correct ;)

Couldn't find it mentioned in the handbook either.
 