I am looking forward to presenting “Bastille: Secure Container Automation” at SCaLE18x. This demonstrates the container automation I’ve layered atop FreeBSD’s mature container system, jails. Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. Bastille uses FreeBSD Jails as the container platform. To learn more about getting started with containers on FreeBSD, see the Bastille Getting Started Guide.
I’ve been reconfiguring my Irssi installation this morning and wanted to document the steps I took. I use irssi on FreeBSD 8.0-RELEASE.

Required Certificates

In order to connect securely over SSL to freenode you need to ensure you have the root CA certificate bundle installed. On FreeBSD, this port is ca_root_nss:

portmaster security/ca_root_nss

Configure the Network and Server

/network add -nick 'nick' -realname 'real name' freenode
/server add -auto -ssl_verify -ssl_cafile /usr/local/share/certs/ca-root-nss.crt -network freenode chat.freenode.net 7000
/save

Note: there are three commands above, each prefixed with /: /network, /server and /save. Now, when you open irssi, you’ll automagically connect to Freenode over SSL.
I spent some time this afternoon setting up a public git repository for my project, Origami. I had a little bit of trouble getting the repository set up initially, particularly the CGI aspect of it all. Below are the steps I took to configure Lighttpd for gitweb, hosted on FreeBSD.

Installation

First, of course, I installed the git port:

portmaster devel/git

I made sure to select the gitweb option, which is deactivated by default. The other options are up to you.

Configuration

Second, I configured Lighttpd in the simplest manner I could find. This solution uses the existing gitweb files in place. This is contrary to what the pkg-message prescribes, but I like this idea because it’ll ensure that upgrades are handled automatically. I don’t plan to run any additional repositories either, so using the one central set of files is preferable in my situation. This is my configuration: Read more
I’ve recently migrated my server(s) to a new VPS, one which offers BSD as a hosting option. I have long been a fan of FreeBSD on my servers, so this was a deal I couldn’t pass up. I did, however, run into one fairly difficult problem based on my combination of FreeBSD and the lighttpd web server. I felt it was important to blog about it so that “teh internets” could share the wisdom and, hopefully, others could solve this same issue quickly.

Problem

The web server seemed to work great. It was handling traffic efficiently. Logs were going where they were expected. Rewrites were working. All the main things that I would expect to test were working just fine. And then I uploaded a file. Hard lock. Panic. Do not pass go. Do not collect $200. This was bad. I was even able to reproduce it. Anytime I would upload a file to the server (in my case via the WordPress upload form), the server would hard-lock and I’d have to manually bring it back up. Read more
I needed to mount an .iso file this morning, which I’ve done dozens of times in Linux, and I realized the command I’d normally use in Linux does not work. For example:

Linux

mount -o loop image.iso /mnt

This works fine in Linux and lets you “mount” the .iso file as if it were burned and in the drive. This does not work on FreeBSD. You get an error like:

mount: image.iso mount option is unknown: Invalid argument

FreeBSD

The solution (the only one I’ve found so far) is to use a much more in-depth command like:

mount_cd9660 -o ro /dev/$(mdconfig -a -t vnode -f /path/to/file.iso) /mount-point

Hopefully this little note helps someone else have less trouble than I did in mounting .iso images in FreeBSD.
I’ve been spending a lot of time lately researching FreeBSD security solutions: topics such as pf (packet filter), system hardening, etc. One of the tips that I thought I’d share here is a method of configuring your system to use Blowfish-based hashing (blf) for stored passwords as opposed to the default MD5. If you are on a system that has a lot of users it might be prudent to update the hash type to make your stored passphrases safer.

Configure /etc/login.conf

The password format is set in the /etc/login.conf file, the default value being “md5”. To update your configuration to use blowfish instead, make the following change to your file:

Before:
:passwd_format=md5:\

After:
:passwd_format=blf:\

After you’ve made this change you’ll need to rebuild the login database, which is done using the cap_mkdb command:

cap_mkdb /etc/login.conf

At this point any newly assigned passwords will be created using blowfish instead of MD5. Read more
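As an added example (not from the original post), a small Python audit that reads the passwd_format capability from login.conf the way the post sets it and lists which accounts in master.passwd still carry MD5 ($1$) hashes, since cap_mkdb only affects passwords assigned from then on and existing hashes stay MD5 until the user next changes their password. The login.conf and master.passwd contents below are constructed samples (fake users and hashes), and treating an absent passwd_format as md5 follows the default the post describes.

```python
SAMPLE_LOGIN_CONF = """\
default:\\
    :passwd_format=blf:\\
    :umask=022:
"""
SAMPLE_MASTER_PASSWD = """\
root:$1$zYxWvUtS$abcdefghijklmnopqrstuv:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$2b$08$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345678:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$AbCdEfGh$0123456789abcdefghijkl:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$2a$08$QRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFG:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""
# crypt(3) hash prefixes as they appear in master.passwd
HASH_PREFIXES = {"$1$": "md5", "$2a$": "blf", "$2b$": "blf", "$5$": "sha256", "$6$": "sha512"}

def login_classes(text):
    # login.conf records are name:cap:cap:...; a trailing '\' continues the record
    classes = {}
    for rec in text.replace("\\\n", "").splitlines():
        if rec.strip() and not rec.lstrip().startswith("#"):
            name, _, caps = rec.partition(":")
            classes[name.strip().split("|")[0]] = [c.strip() for c in caps.split(":") if c.strip()]
    return classes

def passwd_format(text, cls="default"):
    # an absent capability means md5, the default the post describes
    for cap in login_classes(text).get(cls, []):
        if cap.startswith("passwd_format="):
            return cap.split("=", 1)[1]
    return "md5"

def hash_format(field):
    # classify a master.passwd password field: '*' disables the account,
    # pw(8) lock prefixes '*LOCKED*', anything without a known prefix is 'other'
    if field.startswith("*LOCKED*"):
        return "locked"
    if field.startswith("*"):
        return "disabled"
    return next((n for p, n in HASH_PREFIXES.items() if field.startswith(p)), "other")

def audit_master_passwd(text):
    # user -> hash format; cap_mkdb does not rewrite hashes that are already stored
    return {l.split(":")[0]: hash_format(l.split(":")[1])
            for l in text.splitlines() if l and not l.startswith("#")}

def users_still_on_md5(text):
    # accounts whose hash stays MD5 until the user next changes their password
    return sorted(u for u, f in audit_master_passwd(text).items() if f == "md5")
```

Run it against your real files after the change and expire the remaining MD5 accounts' passwords so they get rehashed with blf.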
I’m looking for some good pf (packet filter) documentation if anyone has anything to suggest. I’ve added a second FreeBSD machine to my public-facing network, and may be adding a third soon. I want to make sure that my firewall is set up properly but I’m not very familiar with pf. Can anyone suggest a book, online document, etc. that has good examples for setting up pf?
A friend of mine shot me this article today (What’s cooking for FreeBSD 8?), which is a pretty detailed outline of the things coming up for FreeBSD 8. I have to say, some of the things have got me excited! Some of the highlights that I want to see:

Parallel Ports Build (announcement)
Jails v2 (commit message)
Xen Dom-U support (wiki page)

There is actually quite a bit more, but those are the immediate ones that look like they’d noticeably affect me. I’d really love to have FreeBSD set up on a VPS via Xen, with Jails for each of my services. Currently I have that setup at home (jails), but it’s on old hardware that takes forever to compile. Parallel Ports Build would sure be a nice improvement, assuming the hardware can handle it (which my current hardware cannot). To any of you other FreeBSD users out there, what are you excited for in the list and why? Read more
Not long ago we rebuilt a number of servers within our production environment at work, migrating from FreeBSD to CentOS. One of the requirements in this migration was that we needed a server that would act as an SSH-only jail on the new platform. This meant I needed to set up a system where users could SSH into a machine but the only thing they could do on that machine was SSH back out again. We used this as our “bounce” machine. Users would have outside access to their desktops or other machines only by way of this secured SSH-only machine. The solution I found was a tool called “JailKit”, which allows you to create chroot jails in a very simple way. Below I’ll outline the requirements for installing JailKit and using it to create an SSH chrooted “jail”.

Step 1: Install JailKit

I was unable to find an up-to-date package for JailKit on CentOS, so I did the following to install from source: Read more
For those using FreeBSD, there has been another security update to the 7.1 release family. According to the UPDATING file:

20090323: p4 FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv
Correctly sanity-check timer IDs. [SA-09:06]
Limit the size of malloced buffer when dumping environment
variables. [EN-09:01]

If you’re interested in applying this update to your system, here is the method I use:

csup -g -L2 cvsup.freebsd.org /usr/share/examples/cvsup/standard-supfile
cd /usr/src
make buildkernel && make installkernel
make buildworld && make installworld
reboot

There are other methods for keeping your base system updated, but I prefer the compiling method. What other methods might you suggest?