I am looking forward to presenting “Bastille: Secure Container Automation” at SCaLE18x. This demonstrates the container automation I’ve layered atop FreeBSD’s mature container system, jails. Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. * Bastille uses FreeBSD Jailsas the container platform.To learn more about getting started with containers on FreeBSD see the Bastille Getting Started Guide.

I needed to mount an .iso file this morning, which I’ve done dozens of times in Linux, and I realized the command I’d normally use in Linux does not work. For example: Linux mount -o loop image.iso /mnt This works fine in Linux and lets you “mount” the .iso file as if it were burned and in the drive. This does not work on FreeBSD. You get an error like: mount: image.iso mount option is unknown: Invalid argument FreeBSD The solution (the only one I’ve found so far) is to use a much more in-depth command like: mount_cd9660 -o ro /dev/$(mdconfig -a -t vnode -f /path/to/file.iso) /mount-point Hopefully this little note helps someone else have less trouble than I did in mounting .iso images in FreeBSD.

I’ve been spending a lot of time lately researching FreeBSD security solutions. Topics such as pf (packet filter), system hardening, etc. One of the tips that I thought I’d share here is a method of configuring your system to use blowfish encryption for passwords as opposed to the default MD5. If you are on a system that has a lot of users it might be prudent to update the encryption type to make your stored passphrase safer. Configure /etc/login.conf The password format is stored within the /etc/login.conf file. The default value being “md5”. To update your configuration to use blowfish instead make the following change to your file: – :passwd_format=md5:\  :passwd_format=blf:\ After you’ve made this change you’ll need to rehash the login database, which is done using the cap_mkdb command: cap_mkdb /etc/login.conf At this point any newly assigned passwords will be created using blowfish instead of MD5. Read more

I’m looking for some good pf (packet-filter) documentation if anyone has anything to suggest. I’ve added a second FreeBSD machine to my public-facing network, and may be adding a third soon. I want to make sure that my firewall is setup properly but I’m not very familiar with pf. Can anyone suggest a book, online document, etc that has good examples for setting up pf?

A friend of mine shot me this article today (What’s cooking for FreeBSD 8?), which is a pretty detailed outline of the things coming up for FreeBSD 8. I have to say, some of the things have got be excited! Some of the highlights that I want to see: Parallel Ports Build (announcement) Jails v2 (commit message) Xen Dom-U support (wiki page) There is actually quite a bit more, but those are the immediate ones that look like they’d noticeably affect me. I’d really love to have FreeBSD setup on a VPS via Xen, with Jails for each of my services. Currently I have that setup at home (jails), but its on old hardware that takes forever to compile. Parallel Ports Build would sure be a nice improvement, assuming the hardware can handle it (which my current hardware cannot). To any of you other FreeBSD users out there, what are you excited for in the list and why? Read more

For those using FreeBSD, there has been another security update to the 7.1 release family. According to the UPDATING file: 20090323: p4 FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv<br /> Correctly sanity-check timer IDs. [SA-09:06]<br /> Limit the size of malloced buffer when dumping environment<br /> variables. [EN-09:01] If you’re interested in applying this update to your system, here is the method I use: csup -g -L2 cvsup.freebsd.org /usr/share/examples/cvsup/standard-supfile<br /> cd /usr/src<br /> make buildkernel && make installkernel<br /> make buildworld && make installworld<br /> reboot There are other methods for keeping your base system updated, but I prefer the compiling method. What other methods might you suggest?

Not so long ago I wrote about how you can configure FreeBSD to email you regarding available updates on a weekly basis. This is something that I have had in place for a while now, and I really enjoy the ability to keep things on the patched (read: bleeding) edge. Recently I found a small issue with the setup I had been using. I wanted to share the fix with anyone that may have been doing the same thing. First of all, let me tell you about the issue I came across. When I would recieve an email regarding available updates I would connect to the FreeBSD Jail and use portmaster -a -d to apply all available updates. I noticed that the number of updates applied did not match the number of updates listed in the email. Odd. Well, after thinking about it for a bit I realized what the problem was. Read more

I love FreeBSD for how efficient and minimalistic it can be. For my web servers I like to add to this efficiency by using Lighttpd instead of the larger, older, Apache. The one little issue with Lighttpd vs Apache is getting all the same module support setup for all the little tweaks that you’ve come to enjoy. I should mention that Lighttpd supports many of the same modules that Apache does, and once you learn how they work I think they are even more intuitive than Apache’s config. One of the most important to me is the mod_rewrite for use with my WordPress blogs. As you can see from the URL I use fancy addresses for my posts. %date%/%name%, etc. I think this is more user friendly (not to mention Google-friendly) than something like php?=53. What kind of URL is that? In any case, a very simple way to achieve this in Lighttpd is to use the following single line in your lighttpd. Read more

Update: I have suggested a minor improvement to this setup. Read More… For some time now I’ve been maintaining about a dozen FreeBSD jails, each running a different set of services. Everything from email to BIND, DHCP to nagios. One of the difficulties of trying to maintain so many servers has been tracking and applying updates, particularly servers that use the ports system which is updated so frequently. The solution that I’ve come up with is to use portmaster inside a weekly cron job to notify me of available updates on each machine. This requires a slightly different cron job on the host system that within the jails. Here is an example of what I’m running within each: #!/usr/local/bin/bash /usr/sbin/portsnap cron /usr/local/bin/ezjail-admin update -P /usr/local/sbin/portmaster -L | egrep -B1 ‘(ew|ort) version|Aborting|installed|dependencies|IGNORE|marked|reason:|MOVED’ | grep -v ‘^–‘ | mail -s “Portmaster Weekly Check for $(hostname)” [email protected] <br /> #! Read more

I have had all kinds of problems getting dhcpd running properly inside a FreeBSD jail. I finally got it running this morning and wanted to document what I’ve done in hopes that I can recreate it. On the host system I had to allow sockets within jails. This is done by adding this line to your /etc/sysctl.conf: security.jail.allow_raw_sockets=1 The above will make it a persistent change, but you’ll also need to make it an immediate change using the sysctl tool directly: sysctl -w security.jail.allow_raw_sockets=1 Within the jail I then installed the net/isc-dhcp30-server port. I configured this with just two of the available options. Allow sockets instead of bpf (jails-only) Use base openSSL After this was compiled I configured my /usr/local/etc/dhcpd.conf and added the following lines to my /etc/rc.conf: ## dhcpd options dhcpd_enable=”YES” dhcpd_flags=”-q” dhcpd_conf=”/usr/local/etc/dhcpd.conf” dhcpd_ifaces=”” Read more