Category Archives: FreeBSD

Best console tool for finding disk usage

Just a post to pay tribute to the awesome tool ncdu (https://dev.yorhel.nl/ncdu). If you ever need to find where the lost disk space went, use this tool.

Find large files:

du -a /var | sort -n -r | head -n 10

Upgrade Perl on FreeBSD with portupgrade

Upgrading Perl is very simple. It just takes a long time to compile everything again. See the script below for how to do it. If you are upgrading from another version of Perl, don't forget to change the version number!

# lang/perl5.12 is out. If you want to switch to it from, for example
#  lang/perl5.10, that is:
# Portupgrade users:
 
# 0) Fix pkgdb.db (for safety):
pkgdb -Ff
 
# 1) Reinstall new version of Perl (5.12):
env DISABLE_CONFLICTS=1 portupgrade -o lang/perl5.12 -f perl-5.10.\*
 
# 2) Reinstall everything that depends on Perl:
portupgrade -fr perl

[warn] (2)No such file or directory: Failed to enable the ‘httpready’ Accept Filter

What to do when you find this nasty error!
The solution is pretty simple!

Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
[Wed Sep 17 22:01:58 2008] [warn] (2)No such file or directory: Failed to enable the 'httpready' Accept Filter

Just open a shell prompt and type the following command to load accf_http under FreeBSD:

kldload accf_http

Restart apache:

/usr/local/etc/rc.d/apache22 restart

Type the following command so that the driver gets loaded at boot time:

echo 'accf_http_load="YES"' >> /boot/loader.conf

Send postfix-logwatch from previous day

I like to monitor my mail servers with postfix-logwatch, which is a great tool to tell what was happening on your server. And because I don't want to miss anything, I added the following line to my crontab to mail me an update every night around 4 in the morning.

0       4       *       *       *       
    root    /usr/bin/zcat /var/log/maillog.0.bz2 
    | /usr/local/bin/postfix-logwatch 
    | mail -s "Mailserver log summary for: `hostname`" sysadmin@example.com

All of this is actually on one line in my cronfile, but it does not fit the page :). If you don't compress your logs, remove .bz2 and use cat instead of zcat.

Telnet client for an SSL line

Sometimes it is handy to debug services by hand. For plain services telnet is always a handy tool, but it is completely useless for SSL-encrypted services. OpenSSL to the rescue!

openssl s_client -connect <host>:<port>

Error: pw: user ‘username’ disappeared during update

Today I ran into a problem which made pw produce an error on creation of a new user.
When I tried to create a user it simply told me:

“pw: user ‘nagios’ already exists”

What the hell!?!?! Luckily the problem was quickly fixed by recreating the /etc/passwd file.

pwd_mkdb -p /etc/master.passwd

Install chroot bind on FreeBSD

Sometimes when you search on the internet you'll find howtos that are good enough. This one explained very well how to install BIND in a chroot environment. The original howto is located here. Just for my own reference and updates, it is copied and altered below.


FreeBSD is known as one of the most rock-solid, reliable operating systems. I am personally a lover of FreeBSD, so I want to publish a very nice howto about DNS (BIND).

In this tutorial I'll describe how to set up a secure FreeBSD-based master/slave DNS server. You can use this tutorial on both 64-bit and 32-bit platforms.


We will use 192.168.0.1 as the Master Server and 192.168.0.2 as the Slave Server.

Installing and Configuring DNS:

FreeBSD 9.0 will be used for this tutorial. BIND is already installed as part of the FreeBSD base system; check which BIND version you have before proceeding.

1) Update your ports tree. I personally prefer portsnap for ports tree management. After updating the ports tree, check the version available in the ports collection:

cat /usr/ports/dns/bind99/Makefile | grep PORTVERSION

If the ports version equals your installed BIND version, we don't need to install a new BIND; otherwise we will install the new version.

Installation from Ports: Master/Slave

cd /usr/ports/dns/bind99
make config ; make install clean

You have to select REPLACE_BASE in the options menu by pressing the spacebar; you can leave the other options as they are.

Configuration:

We need to add "NO_BIND = YES" to /etc/make.conf on both master and slave; you can do that with the following command:

echo "NO_BIND = YES" >> /etc/make.conf

The above setting tells make not to build the base-system version of BIND in case you rebuild FreeBSD from source.

Chroot Environment: master/slave

Now, let's set up the directory structure for the chrooted BIND. The directory can be anywhere on your system's file system; I have planned to use /var/chroot/named as the BIND directory. Let's start by creating the following directory structure:

mkdir -p /var/chroot/named/etc/namedb/log
mkdir -p /var/chroot/named/etc/namedb/master
mkdir -p /var/chroot/named/etc/namedb/slave
mkdir -p /var/chroot/named/dev
mkdir -p /var/chroot/named/var/run

Placing existing Data

We need to copy the named.root file into the chroot directory so BIND can find the root servers. For example:

cp /etc/namedb/named.root /var/chroot/named/etc/namedb/

We need another file in the /etc directory inside the chroot jail: copy /etc/localtime so that BIND logs things with the right timestamps.

cp /etc/localtime /var/chroot/named/etc

System Supported Files

When BIND is running in the chroot jail it will not be able to access files outside the jail. A few device nodes are therefore required inside the chroot for it to work properly:

cd /var/chroot/named/dev
mknod zero c 2 12
ln -s /dev/random .
mknod null c 2 2
chmod 666 zero random null

When you've created the directories, (re)move or back up the old /etc/namedb directory and replace it with a symlink into the chroot:

cd /etc
mv namedb old.namedb
ln -s /var/chroot/named/etc/namedb .

Change the ownership of the newly created directories:

cd /var/chroot
chown -R bind:bind named
chmod 700 named

RNDC Key

Now we need to generate the rndc.key file and then add its contents to named.conf. rndc.key holds the shared secret that the rndc utility needs to work; it is also used if you run dynamic DNS together with DHCP.

rndc-confgen -a -c /etc/namedb/rndc.conf -k dnsadmin -b 256

This will create a key named dnsadmin with a size of 256 bits. At least 256 bits is recommended if you're using this for a public server. When you've generated the key, edit /etc/namedb/rndc.conf and add these lines at the end of the file:

options {
    default-key "dnsadmin";
    default-server 127.0.0.1;
};

That's all: everything is now configured and in place. Now we need to create the named.conf files for both the master and the slave server.

named.conf – master/slave

vi /etc/named.conf

First we create an ACL for our slave server(s):

acl "slaves" {
        192.168.0.2;
};

Set general options like the base directory, pid file and other controlling options:

options {
        directory "/etc/namedb";
        pid-file "/var/run/named.pid";
};

In the above configuration we have defined /etc/namedb as the base directory (which is symlinked to /var/chroot/named/etc/namedb) and set the pid file path.

Now we need to define the controls clause and the key section for the rndc connection, including the address and port on which BIND will listen for rndc:

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { dnsadmin; };
};
key "dnsadmin" {
        algorithm hmac-md5;
        secret "o/cb6L1GDSbJWfRBpY3L=";
};

In the above configuration we have created the key "dnsadmin" for the rndc connection. Copy the secret line from /etc/namedb/rndc.conf and place it inside the key { } section shown above; the algorithm line must match the one rndc-confgen wrote into rndc.conf, otherwise rndc will not authenticate.

For a caching name server we need to define the root servers file:

zone "." {
        type hint;
        file "named.root";
};

Our named.conf file has been configured on both servers. Let's configure /etc/rc.conf on the master and slave servers so BIND starts at system startup:

named_enable="YES"
named_program="/usr/sbin/named"
named_chrootdir="/var/chroot/named"
named_flags="-u bind -c /etc/named.conf"

Let's configure our domain's forward and reverse lookup zones on the master server and then start BIND.

For forward lookup zone add the following into named.conf file

zone "techbabu.com" {
        type master;
        file "master/techbabu.com";
        allow-transfer { slaves; };
};

Now we need to add the reverse lookup zone; add it after the forward zone section in named.conf:

zone "0.168.192.in-addr.arpa" {
        type master;
        file "master/techbabu.rev";
        allow-transfer { slaves; };
};
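As an added example (not part of the tutorial or of BIND), here is a small Python audit of the master named.conf assembled above. It splits the file into top-level statements by brace depth and flags the settings a defender checks before exposing the server: master zones with no allow-transfer restriction, a controls channel not pinned to 127.0.0.1 with a key, and the hmac-md5 rndc key (prefer hmac-sha256). The embedded configuration is a constructed, compacted copy of the one built up in this post.

```python
import re

# Constructed, compacted copy of the master named.conf assembled in this tutorial.
NAMED_CONF = """\
acl "slaves" { 192.168.0.2; };
options { directory "/etc/namedb"; pid-file "/var/run/named.pid"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { dnsadmin; }; };
key "dnsadmin" { algorithm hmac-md5; secret "o/cb6L1GDSbJWfRBpY3L="; };
zone "." { type hint; file "named.root"; };
zone "techbabu.com" { type master; file "master/techbabu.com";
    allow-transfer { slaves; }; };
zone "0.168.192.in-addr.arpa" { type master; file "master/techbabu.rev";
    allow-transfer { slaves; }; };
"""

def top_level_statements(text):
    """Split named.conf into top-level statements by brace depth, so nested
    '{ ... }' sub-clauses stay attached to their parent statement."""
    text = re.sub(r"(//|#)[^\n]*|/\*.*?\*/", "", text, flags=re.S)  # strip comments
    stmts, buf, depth = [], "", 0
    for ch in text:
        buf += ch
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:             # a statement ends at a depth-0 ';'
            stmts.append(" ".join(buf.split()))  # normalise whitespace
            buf = ""
    return stmts

LOCAL_CONTROLS = r"inet\s+127\.0\.0\.1\s.*allow\s*\{\s*127\.0\.0\.1;\s*\}.*keys\s*\{"

def audit(text):
    """Return the findings a defender checks before exposing this name server."""
    findings = []
    for s in top_level_statements(text):
        if s.startswith("key") and re.search(r"algorithm\s+hmac-md5", s):
            findings.append("rndc key uses hmac-md5; prefer hmac-sha256")
        if s.startswith("controls") and not re.search(LOCAL_CONTROLS, s):
            findings.append("controls channel is not limited to 127.0.0.1 with a key")
        m = re.match(r'zone\s+"([^"]+)"', s)
        if m and "type master" in s and "allow-transfer" not in s:
            findings.append(f"master zone {m.group(1)} has no allow-transfer "
                            "(BIND 9.9 default: any)")
    return findings
```

Run it against the file you actually install (`audit(open("/etc/named.conf").read())`) after every edit; an empty list apart from the hmac-md5 note means the transfer and control restrictions from this post are still in place.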

Creating forward lookup zone files

cd /var/chroot/named/etc/namedb/master/
vi techbabu.com

Add these lines

$TTL 3600
$ORIGIN techbabu.com.
@       IN      SOA     ns1.techbabu.com. postmaster.techbabu.com.  (
               300000328  ; serial
               28800      ; refresh (8 hours)
               7200       ; retry (2 hours)
               604800     ; expire (1 week)
               86400      ; minimum (1 day)
               )
              NS      ns1.techbabu.com.
              NS      ns2.techbabu.com.
              MX      10 mailbox.techbabu.com.
ns1       A       192.168.0.1
ns2       A       192.168.0.2

Creating reverse lookup zone files

cd /var/chroot/named/etc/namedb/master/
vi techbabu.rev

Add these lines

$TTL 3600
$ORIGIN 0.168.192.in-addr.arpa.
@       IN      SOA     ns1.techbabu.com. postmaster.techbabu.com.  (
           300000328  ; serial
           28800      ; refresh (8 hours)
           7200       ; retry (2 hours)
           604800     ; expire (1 week)
           86400      ; minimum (1 day)
           )
              NS      ns1.techbabu.com.
              NS      ns2.techbabu.com.
1       PTR      ns1.techbabu.com.
2       PTR      ns2.techbabu.com.
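As an added example (not part of the tutorial), a Python check that the forward and reverse zones above agree: every A record has a PTR pointing back to it, every PTR resolves forward to the same address, and each NS named in the zone has an A record. The zone texts are constructed, compacted copies of the two files above; the parser only handles the simple master-file features those files use.

```python
import re
# Constructed, compacted copies of the forward and reverse zone files above.
FORWARD = """\
$ORIGIN techbabu.com.
@   IN  SOA ns1.techbabu.com. postmaster.techbabu.com. (
        300000328 28800 7200 604800 86400 )   ; serial refresh retry expire min
    NS  ns1.techbabu.com.
    NS  ns2.techbabu.com.
ns1 A   192.168.0.1
ns2 A   192.168.0.2
"""
REVERSE = """\
$ORIGIN 0.168.192.in-addr.arpa.
@   IN  SOA ns1.techbabu.com. postmaster.techbabu.com. (
        300000328 28800 7200 604800 86400 )
    NS  ns1.techbabu.com.
    NS  ns2.techbabu.com.
1   PTR ns1.techbabu.com.
2   PTR ns2.techbabu.com.
"""

def parse_zone(text):
    """Yield (owner, type, rdata); handles $ORIGIN/$TTL, '@', relative names, an omitted owner/TTL/class and a ( ) SOA."""
    text = re.sub(r";[^\n]*", "", text)                                 # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    origin, owner = ".", None
    for line in text.splitlines():
        if not line.strip() or line.startswith("$TTL"): continue
        if line.startswith("$ORIGIN"): origin = line.split()[1]; continue
        tokens = line.split()
        if not line[0].isspace():                                       # owner given
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while tokens and (tokens[0].isdigit() or tokens[0] in ("IN", "CH")):  # TTL/class
            tokens.pop(0)
        yield owner, tokens[0], tokens[1:]

def ptr_owner_to_ip(owner):                    # 1.0.168.192.in-addr.arpa. -> 192.168.0.1
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))

def check_zones(forward, reverse):
    """Return forward/reverse mismatches and NS names lacking an A record (empty = consistent)."""
    a = {o: r[0] for o, t, r in parse_zone(forward) if t == "A"}
    ptr = {ptr_owner_to_ip(o): r[0] for o, t, r in parse_zone(reverse) if t == "PTR"}
    ns = [r[0] for o, t, r in parse_zone(forward) if t == "NS"]
    problems = [f"NS {n} has no A record in the zone" for n in ns if n not in a]
    problems += [f"{n} A {ip} has no matching PTR" for n, ip in a.items() if ptr.get(ip) != n]
    problems += [f"{ip} PTR {n} does not match an A record" for ip, n in ptr.items() if a.get(n) != ip]
    return problems
```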

Our Master server has been configured completely; now start the server:

/etc/rc.d/named start

Now edit your /etc/resolv.conf file, set the nameserver to 192.168.0.1, then dig the A record of your domain's NS host to make sure the Master DNS server is running:

dig ns1.techbabu.com

If you see output something like this:

;; ANSWER SECTION:
ns1.techbabu.com.  3600  IN  A  192.168.0.1

then your DNS server is working fine.

You can then try to ping outside domains to check whether caching is working.

That's it: our Master DNS server is fully functional and ready to use. Now configure named.conf on the slave DNS server:

vi /etc/named.conf

For forward lookup zone add these lines

zone "techbabu.com" {
        type slave;
        file "slave/techbabu.com";
        masters { 192.168.0.1; };
        allow-notify { 192.168.0.1; };
};

And for reverse lookup

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/techbabu.rev";
        masters { 192.168.0.1; };
        allow-notify { 192.168.0.1; };
};

Our Slave server is also configured; now start the slave server:

/etc/rc.d/named start

Now edit your /etc/resolv.conf file, set the nameserver to 192.168.0.2, then dig the A record of your domain's NS host to make sure the Slave DNS server is running.

If you get a response, then your slave DNS is also functional and ready to use.

Congratulations, you have successfully configured a secure Master/Slave DNS server.

If you have any suggestions regarding this tutorial, please tell us; your comments will be very helpful.

Upgrade FreeBSD 8.2 to 9.0

Yesterday I tried to update some of the 8.2 servers to 9.0, which made me run into an error.

The update metadata is correctly signed, but failed an integrity check.
Cowardly refusing to proceed any further.

After some googling I found the solution to this problem. To fix it you have to patch the freebsd-update script, which can be done with the following sed command.

sed -i '' -e 's/=_/=%@_/' /usr/sbin/freebsd-update

Then re-run the upgrade command.

freebsd-update upgrade -r 9.0-RELEASE

If all went fine, you can update your system. Just run:

freebsd-update install

When the install is done, restart your system.

shutdown -r now
OR
init 6

When the system comes back, you need to re-run the install command to install all the userland updates.

freebsd-update install

After this is done, the system prompts with a message which makes the upgrade a huge pain in the butt.

Completing this upgrade requires removing old shared object files.
 
Please rebuild all installed 3rd party software (e.g., programs
installed from the ports tree) and then run
"/usr/sbin/freebsd-update install"  again to
finish installing updates.

The rebuild of all applications can take from a couple of minutes to a very long time....
I found a couple of lines in the FreeBSD manual which make life a bit easier.

# portupgrade -f ruby
# rm /var/db/pkg/pkgdb.db
# portupgrade -f ruby18-bdb
# rm /var/db/pkg/pkgdb.db /usr/ports/INDEX-*.db
# portupgrade -af

The system now rebuilds all the installed applications.
To finish off the upgrade, just re-run:

freebsd-update install

And you’re done.

Lsof

A tool I loved to use under Linux was lsof. The tool is available under FreeBSD but not installed by default. It can easily be added with:

# pkg_add -r lsof


But FreeBSD has two tools which are installed by default and can give you the same information. They are called fstat and sockstat.