In a previous post I talked about using something like ezjail or the jail setup found in the handbook. Like the mijail patch, I’m finding that once I get into it, it’s not really worth it. ezjail and the handbook method use the same idea of sharing the OS part of FreeBSD with read-only partitions. This means that you update FreeBSD for all your jails by updating just one read-only partition. This sounds great in practice, and probably is, but with binary updates via freebsd-update it’s not as compelling.

Updating all your jails with freebsd-update is simple. Just run it inside of each of your jails. Since it doesn’t compile anything, it’ll be quick and easy.

My jail setup is pretty much what I did before. Create a jail template and reproduce it using cpdup. I could save some disk space by linking certain parts to the base template, much like how ezjail and the handbook do it, but saving 200MB is not a high priority to me.

My original plan was to install the multiple IP patch so I could assign two IPs to a jail. I went about updating my sources and applying the patch. I was tracking the 6_2 branch.

# cp stable-supfile /root/6_2_stable.portfile
# csup 6_2_stable.portfile
# cd /usr
# patch < ~/FreeBSD_6.2-STABLE-mijail.patch
# cp /usr/src/sys/netinet/in_pcb.h /usr/include/netinet/
# cp /usr/src/sys/sys/jail.h /usr/include/sys/

# cd /usr/src
# make buildworld
# make kernel
# mergemaster -p
# make installworld
# mergemaster

Since I was already on the 6.2 RELEASE, there weren’t lots of files for mergemaster.

Now when I went to finish the patch I got this error:

# cd /usr/src/usr.sbin/jail/
# make clean && make depend && make install

rm -f jail jail.o jail.8.gz jail.8.cat.gz
rm -f .depend
mkdep -f .depend -a     /usr/src/usr.sbin/jail/jail.c
echo jail: /usr/lib/libc.a /usr/lib/libutil.a >> .depend
install -s -o root -g wheel -m 555   jail /usr/sbin
install: jail: No such file or directory

So the buildworld was successful, but I couldn’t get the mijail patch to take. I tried redownloading the sources and applying the patch exactly as prescribed here.

I could have spent more time debugging this, but in the end I decided against using the mijail patch. One reason was the lack of documentation on it. Without being an official feature of FreeBSD, I don’t feel that confident about my abilities to deal with issues related to the patch.

I also found out that the control panel that I thought required two IPs for DNS control did not. So I have no reason to use mijail. Plus, it would have kept me from using freebsd-update!

While setting up this server, I wanted to document everything I did. The problem is that when I’m in the middle of a problem, e.g. a port not building correctly, I forget to log what I’m doing. I just go into troubleshooting mode. I end up fixing the problem but without having details of the exact error or the solution I came up with.

So the obvious solution is to keep logs of everything that goes between me and the terminal. The easiest way to do this is using GNU Screen. If you’re not using screen, start. Not only can I access the same session everywhere I go, it’ll be logged in one place.

I used the directions here. Well, I actually just added this to my .screenrc:

logfile $HOME/log/screen-logs/%Y%m%d-%n.log
deflog on

Make sure to create the ~/log/screen-logs directory; screen will not do it for you.

Before I go: you shouldn’t cat the log files. I had a clear in my log and it ran, clearing the output. Don’t worry, the log file still has everything.
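Because the log file stores the raw terminal stream, here is an added example (not from the original post) of a POSIX sh function that strips the escape sequences before you read or grep a screen log, so a logged clear or cursor move is never replayed by your terminal. The function names are my own.

```shell
# Reads a screen log on stdin and writes it without terminal control sequences:
# CSI sequences (ESC [ ... final byte, which covers the clear-screen ESC[2J,
# cursor moves and colour changes), charset selection (ESC ( B), single-letter
# ESC codes (ESC =, ESC 7, ESC 8, ...), the SO/SI shift characters and
# carriage returns. The text the commands printed is left intact.
strip_screen_log() {
    esc=$(printf '\033')
    cr=$(printf '\r')
    so=$(printf '\016')
    si=$(printf '\017')
    # LC_ALL=C so the byte ranges in the bracket expressions are literal
    LC_ALL=C sed \
        -e "s|${esc}\[[0-?]*[ -/]*[@-~]||g" \
        -e "s|${esc}[()][A-Za-z0-9]||g" \
        -e "s|${esc}[@-Z=>78]||g" \
        -e "s|${so}||g" -e "s|${si}||g" \
        -e "s|${cr}||g"
}

# Read a log file through a pager instead of cat'ing it.
view_screen_log() {
    strip_screen_log < "$1" | less
}
```

Run it as `view_screen_log ~/log/screen-logs/20070101-0.log`, or pipe a log through `strip_screen_log` before grep.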

I needed to know which port built my python.

pkg_info -o python\*

Tried to update portupgrade and got this error:

missing key: categories: Cannot read the portsdb!

Looked in /usr/ports/UPDATING and found this:

20070102:
  AFFECTS: users of sysutils/portupgrade
  AUTHOR: sem@FreeBSD.org

  If you have a problem with upgrading the tools from version 2.2.1 and less,
  remove the package with pkg_delete portupgrade\* command and reinstall it
  from scratch. Remove /usr/ports/INDEX*.db and run portsdb -u.

Followed the instructions, except I installed from /ports-mgmt/portupgrade and everything worked out.

Put this in your zone file:

www             IN      CNAME   web.mac.com.

Then put this inside your <VirtualHost>:

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^domain\.com
    RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]

This will make http://domain.com forward to http://www.domain.com.

I looked around and the best option for port specific make flags is to put something like:

.if ${.CURDIR:M*ports/multimedia/vlc}
	# Your stuff
.endif

into your /etc/make.conf. If you wanted to target all vlc versions (/vlc & /vlc-devel) you would put a wildcard after vlc like so:

.if ${.CURDIR:M*ports/multimedia/vlc*}
BROKEN=${.CURDIR}
.endif

The BROKEN variable is used by the ports system to prevent the port from building. If you try to build the port it will stop and print out an error message alongside the BROKEN value. I used this while testing the if statement.

If you’re wondering, the if statement is standard makefile syntax. It took me a while to find it, but if you go to the manpage for make and search for ‘modifier’ you will see the section that explains the :M syntax.
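An added example (not from the original post) for checking which port directories a .CURDIR:M pattern will hit before you put it in /etc/make.conf: the :M modifier and the shell’s case patterns use the same *, ? and [] wildcards with no special treatment of “/”, so case gives a faithful dry run. The function name and the port paths are my own.

```shell
# match_ports PATTERN DIR...
# Prints every DIR the make-style pattern matches and returns 0 if at least one did.
# Use the same pattern you intend for ${.CURDIR:M...}, e.g. '*ports/multimedia/vlc*'.
match_ports() {
    pattern=$1
    shift
    matched=1
    for dir in "$@"; do
        # unquoted $pattern is expanded and matched as a pattern, not a literal
        case $dir in
            $pattern) echo "$dir"; matched=0 ;;
        esac
    done
    return "$matched"
}

# Example: the bare vlc pattern hits only vlc, the trailing * also hits vlc-devel.
match_ports '*ports/multimedia/vlc'  /usr/ports/multimedia/vlc /usr/ports/multimedia/vlc-devel
match_ports '*ports/multimedia/vlc*' /usr/ports/multimedia/vlc /usr/ports/multimedia/vlc-devel
```

Once the block is in make.conf, `cd /usr/ports/multimedia/vlc && make -V BROKEN` prints the value the condition produced (empty if the pattern did not match).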

Why should I use this?

Well, I went years without using this syntax, so it’s possible to make do without it. Flags like WITHOUT_X11=YES I keep global, because I never want X11 built on my server. However, flags like WITH_SSL_MODULES=yes don’t feel global to me. That’s an apache flag and I don’t want it applied anywhere else. I don’t actually know if any other ports use it, but by making it port specific I won’t have to care.

Alternatives

Makefile.local
This file is included by /usr/ports/Mk/bsd.port.mk (which is included by /usr/ports/Mk/bsd.port.post.mk). It should be included by every port.
The reasons I don’t like it are:

  1. It does not keep everything in one central file
  2. You cannot mount the ports directory for another system. (What if the other system needs different flags? Since Makefile.local is located in the ports tree, it becomes part of the port and not system specific)
Hooking into the /usr/ports/Mk/bsd.port.pre.mk file
I haven’t really researched this one. The pre should be included after PORTNAME is set, so that’s good. The few ports I checked include pre BEFORE doing their check on options, which is good. However, I don’t know if all ports follow this. Need to look into this further.
Hooking into the /usr/ports/Mk/bsd.port.post.mk file
This is the place I wanted to hook into early on because the PORTNAME variable is set by then. But then I realized that the port’s Makefile wouldn’t see the flags I set. So it was a non-starter.

The best option would be a file not located in the ports tree AND has access to the PORTNAME variable. bsd.port.pre.mk might be it…

Since this blog has been untouched for a long time and without spam protection, my moderation queue was in the thousands. Running Akismet got me down to about 200! Hopefully there weren’t any false positives, because I was too lazy to double check them. Deleted!

With the 200 left, I just had to hand pick the valid ones and approve them. Now here’s the annoying part: I had about 200 comments I knew were spam and WordPress wanted me to click each one. Blah! Thank god for Firefox and Firebug, I just popped open my console and put in this:

// Collect every <input> on the moderation page whose value is "spam"
// (one per comment), then tick them all in one go.
var inputs = document.getElementsByTagName("input");
var spams = [];
for (var i = 0; i < inputs.length; i++)
{
	var inp = inputs[i];
	if (inp.value == 'spam')
	{
		spams.push(inp);
	}
}
// Check each collected input, the same as clicking it by hand.
for (var j = 0; j < spams.length; j++)
{
	spams[j].checked = true;
}

That marks all the comments as spam.

EDIT:
Wow, I’m an idiot. As I was typing this post I realized there was a Mark All option on the bottom left. I totally missed it. Oh well, posting anyways…

I’ve implemented the spam protection scheme talked about here. It should lower my spam levels to something manageable. I’m not sure how well it’ll work for site readers. I’ll check into that later.

I had previously implemented a honeypot system on some production systems. The one from ardamis, forgoing any accessibility issues, seems like a cleaner solution.

Been a really long time.

What’s Happened:

  • I’ve changed from Layered Tech to SoftLayer. I have nothing bad to say about Layered Tech, just heard a lot of good things about SoftLayer (auto OS reloads, IPMI2, etc).
  • I’m running the latest version of FreeBSD (6.2).
  • I’m running a mac. Two actually! (MBP and MP)

What Now:

Being a firm disbeliever in “If it ain’t broke, don’t fix it”, I’m moving to a new SoftLayer server. The main impetus was a free double RAM and double hard drive special. You can see their current specials here. I put this RSS feed (a search for SoftLayer’s account on webhostingtalk.com) in my reader and waited for a deal.

The other reason was that I wanted to start over and try out new things. A rough to-do list is:

  • Use Binary updates.
  • Patch jails to use multiple IPs.
  • Redo how I manage my jails so it’s easier to create/update them. Maybe something like ezjail.
  • Implement PF firewall
  • Put bind inside of its own jail

That’s just off the top of my head. Some things I need to do, others I just want to try out.

I’ve also changed aspects of my freebsd management that I have not documented in this blog, or any other place for that matter. I will document those here.
