Re: Backup Solution

2007-09-27 Thread David Robillard
> I am relatively new to the FreeBSD game and have a bit of a problem which I
> am not sure how to tackle. I recently built a server running VMWare ESX
> Server 3 which will eventually run 6-7 small production VM's. These Virtual
> Machines obviously have the need for backups and it poses quite a problem
> for me unless I connect 6-7 external tape drives and give each VM its own
> tape device. I have looked into a few solutions using VM products
> (consolidated backup) but it can only be done if you utilise a SAN.
>
> The server is running RAID 5 with around 700GB of space. Each VM may take up
> to 50GB and backups might be around 15-20GB per VM. The machine itself has
> an internal LTO3 tape drive, has anyone come across this kind of situation
> before, and if so what would be a good way to backup each VM? It is easy
> enough to backup the image files from the host machine but I need file level
> backups within each VM also.
>
> I will be very grateful for suggestions or ways people have tackled this
> kind of problem in a production environment.

We use rdiff-backup to perform incremental backups of VMWare machine files.
It works very well. Check it out at http://www.nongnu.org/rdiff-backup/

Let me know if you need help on the setup.

On the other hand, if you prefer to backup the VMWare machines as if they
were physical ones, then I suggest rsnapshot. Of course, this will only work
with UNIX VMs.
More info here http://www.rsnapshot.org/

Have fun,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Recommended servers for FreeBSD.

2007-10-29 Thread David Robillard
> Nice, I think those use the ServeRAID-8k controller.  Have you tried
> hot-swapping the disks? Does it work on FreeBSD?

No, I haven't tried to hot-swap the disks. The machines are redundant
web heads and DNS servers which we can bring down without service
down-time. But come to think of it, I have one here in the lab. I'll
see if I can spare a few minutes to test the hot-swap. I'll let you
know how it turns out.

David


Re: Recommended servers for FreeBSD.

2007-10-29 Thread David Robillard
> I'm interested to see what servers people use for FreeBSD.  I used to
> buy the IBM xSeries x306 for firewalls and web servers and the x206 for
> low budget file servers, but both aren't being sold anymore.  I recently
> got a few IBM x3200 and x3550.  They are really nicely built and I
> hardly have any problems.  However, the on-board RAID controllers
> (Adaptec AIC-9580W) aren't supported under FreeBSD so I fit them with
> 3ware 9000 series RAID cards.  Although I really like those 3ware cards,
> it seems like an extra expense that could be avoided.

We run FreeBSD 6.2-RELEASE on several IBM x3550 machines with the
onboard RAID controller using the aac(4) driver. We haven't had any
problems, the machines are stable and backed by IBM Professional
Services.

Cheers,

David


Re: Recommended servers for FreeBSD.

2007-11-07 Thread David Robillard
On Oct 29, 2007 10:45 AM, Andrew Wasilczuk <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 29, 2007 at 09:08:12AM -0400, David Robillard wrote:
> >
> > We run FreeBSD 6.2-RELEASE on several IBM x3550 machines with the
> > onboard RAID controller using the aac(4) driver. We haven't had any
> > problems, the machines are stable and backed by IBM Professional
> > Services.
>
> Nice, I think those use the ServeRAID-8k controller.  Have you tried
> hot-swapping the disks? Does it work on FreeBSD?

I've finally found some spare time to test the hot-swap capability of
the IBM x3550 machines with FreeBSD 6.2-RELEASE-p8. Good news, it
works as expected.

Here's the info required to make it happen:

Kernel configuration lines to include. Note that you can omit the
AAC_DEBUG line. If you do so, you won't see anything in the logs when
the controller is working. I've only tried debug level zero and you'll
see below that it generates quite a lot of info.

device  aac # Adaptec FSA RAID
device  aacp# SCSI passthrough for aac (requires CAM)
options AAC_DEBUG=0 # Set debug level from 0 to 3.

Here's what FreeBSD reports:

grep -i raid /var/run/dmesg.boot
aac0:  port 0x4000-0x40ff mem
0xcce0-0xccff,0xcafe-0xcaff irq 17 at device 0.0 on
pci2
aac0: Adaptec Raid Controller 2.0.0-1
aacd0:  on aac0

Now when you pull a drive out from the machine, wait around a minute
or so and then plug it back in, you'll get those messages in
/var/log/messages:

+aac0: EventNotify(0)
+aac0: (EnclosureManagement) EMPID 0 unit 1 event 17
+aac0: EventNotify(0)
+aac0: (DeviceFailure) handle 1
+aac0: EventNotify(0)
+aac0: (EnclosureManagement) EMPID 0 unit 1 event 31
+aac0: EventNotify(0)
+aac0: (23)
+aac0: EventNotify(0)
+aac0: (ConfigChange)
+aac0: EventNotify(0)
+aac0: (FailoverChange)
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,0
+aac0: EventNotify(0)
+aac0: (23)
+aac0: EventNotify(0)
+aac0: (23)
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,-1
+aac0: EventNotify(0)
+aac0: (ContainerEvent) container 0 event 7
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,-1
+aac0: EventNotify(0)
+aac0: (ConfigChange)
+aac0: JobProgress (1) - running (3123200, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: JobProgress (2) - running (6246400, 312317952)
+aac0: (ConatainerRebuildMirror) container 0

[ ... removed a lot of similar JobProgress lines ... ]

+aac0: (ConatainerRebuildMirror) container 0
+aac0: JobProgress (100) - finished (312317952, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: EventNotify(0)
+aac0: (23)
+aac0: JobProgress (101) - success (312317952, 312317952)
+aac0: (ConatainerRebuildMirror) container 0
+aac0: EventNotify(0)
+aac0: (ContainerChange) container 0,-1
+aac0: EventNotify(0)
+aac0: (ConfigChange)

There you go. Thanks to the aac(4) & FreeBSD teams.

Enjoy!

David
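Since the point of the test above is that the controller tells you when a disk dropped out and when the mirror finished rebuilding, here is an added example (not part of the original post) that turns those /var/log/messages lines into something a cron job can act on. The message formats are the ones quoted above; the sample lines are constructed from that excerpt with the leading "+" markers dropped, and the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original post: summarise the aac(4) events
# the driver logs to /var/log/messages, so a cron job can tell "a disk failed
# and the mirror rebuilt" from "a disk failed and nothing happened". The
# message formats are taken from the excerpt above; the sample lines below are
# constructed from it (leading "+" markers dropped) and the function names are
# my own.

SAMPLE_REBUILT='aac0: EventNotify(0)
aac0: (DeviceFailure) handle 1
aac0: (ContainerChange) container 0,-1
aac0: JobProgress (1) - running (3123200, 312317952)
aac0: (ConatainerRebuildMirror) container 0
aac0: JobProgress (100) - finished (312317952, 312317952)
aac0: JobProgress (101) - success (312317952, 312317952)
aac0: (ConfigChange)'

SAMPLE_FAILED_ONLY='aac0: EventNotify(0)
aac0: (DeviceFailure) handle 1
aac0: (ContainerChange) container 0,-1'

# aac_summary: read syslog lines on stdin and print one line of the form
#   failures=<DeviceFailure count> rebuild=<last JobProgress state> done=<bytes> total=<bytes>
# Real /var/log/messages lines carry a "Mon DD HH:MM:SS host kernel:" prefix;
# the patterns key on "aac0:" so the prefix is irrelevant.
aac_summary() {
    awk '
        /aac0: \(DeviceFailure\)/ { failures++ }
        /aac0: JobProgress \([0-9]+\) - / {
            rest = $0; sub(/.*\) - /, "", rest)      # "success (312317952, 312317952)"
            state = rest; sub(/ .*/, "", state)      # "success"
            nums = rest; sub(/^[^(]*\(/, "", nums); sub(/\).*/, "", nums)
            split(nums, n, /, */)                    # n[1] = bytes done, n[2] = total
            done = n[1]; total = n[2]
        }
        END {
            printf "failures=%d rebuild=%s done=%s total=%s\n", failures + 0, (state == "" ? "none" : state), (done == "" ? 0 : done), (total == "" ? 0 : total)
        }'
}

# aac_needs_attention: true (exit 0) when a DeviceFailure was logged and no
# successful rebuild followed it, i.e. when a human should look at the box.
aac_needs_attention() {
    case "$(aac_summary)" in
        "failures=0 "*)      return 1 ;;   # nothing failed
        *"rebuild=success"*) return 1 ;;   # failed, but the mirror rebuilt
        *)                   return 0 ;;
    esac
}

# Live use, e.g. from cron every few minutes (constructed; adjust paths):
#   tail -n 2000 /var/log/messages | aac_needs_attention \
#     && echo "aac0: disk failure without rebuild" | mail -s "aac0 needs attention" root
```

The summary deliberately reports the last JobProgress state rather than the first, because the driver logs one progress line per percent and only the final "success" (or its absence) matters for alerting.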


Re: syslog time resolution

2007-11-08 Thread David Robillard
> I would like to increase the number of decimals reported in logfiles by
> syslogd(8), anyone knows if it is possible and perhaps a hint on how to do
> it?
>
> tcpdump for instance, has six decimals: 21:25:20.160833 whereas the
> standard syslog has zero decimal secs.
>
> I am only referring to events within a single system so it's not related to
> clock accuracy.
>
> Thanks and sorry if I missed the obvious!

You might want to try changing the base system's syslogd(8) for a more
feature rich syslog solution.

I'd suggest using syslog-ng which is available in the FreeBSD ports as
sysutils/syslog-ng2
http://www.freebsd.org/cgi/url.cgi?ports/sysutils/syslog-ng2/pkg-descr

It has quite a lot more features than the base system's syslogd(8) as
you can see from the online Administrator's Guide
http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html

Should you like to check out other syslogd replacements, check the
Library at http://www.loganalysis.org/

Have fun!

David


Re: Does anyone know how to get the required downloads from Sun to build Java?

2007-11-23 Thread David Robillard
> It appears as if jdk 1.5 is now at version 14, but the FreeBSD ports
> still requires version 13.
>
> Luckily, Sun is run by a bunch of Nazis, and doesn't use a standard
> directory tree to distribute their stuff.  After 15 minutes of searching
> I can't figure out how to get the version 13 stuff off their site, and
> thus I can't build OpenOffice.org for my shiny, new laptop ...
>
> Does anyone have any advice on how to get the required files from Sun?

Hi Bill,

If you need to run Java on FreeBSD, get it from the FreeBSD Foundation.

As it says on the website:

"The FreeBSD Foundation has a license with Sun Microsystems to
distribute FreeBSD binaries for the Java Runtime Environment (JRE) and
Java Development Kit (JDK). These implementations have been made
possible through the hard work of the FreeBSD Java team as well as
through donations to the FreeBSD Foundation that supported hardware,
developer costs, and legal fees."

Here's the direct link:

http://www.freebsdfoundation.org/downloads/java.shtml

HTH,

David


Re: named.conf - unable to set control bit

2007-11-30 Thread David Robillard
>Hi list,
>
>I have got the following issue. I have added the following settings in
>named.conf but am unable to get it working. If I read the man page it
>seems that what I have put in is completely correct.
>
>Reason to put it in is that I want the DHCP server to automatically update
>the DNS zone.
>
>the error I get is:
>
>Nov 30 14:09:31 hulk named[6848]: reloading configuration failed: failure
>Nov 30 14:09:45 hulk named[6848]: /etc/namedb/named.conf:20: expected
>'allow' near ';'
>Nov 30 14:09:45 hulk named[6848]: reloading configuration failed:
>unexpected token
>
>head -n 25 /etc/named/named.conf
># generated with dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
>key DHCP_UPDATER {
> algorithm HMAC-MD5.SIG-ALG.REG.INT;
> secret hashedstring==;
> };
>
>acl "home" {10.202.77.0/24;127.0.0.1;};
>
>options {
> // Relative to the chroot directory, if any
> directory   "/etc/namedb";
> pid-file"/var/run/named/pid";
> dump-file   "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> allow-query {"home"; };
>
>};
>
>controls {
> inet 127.0.0.1 port 953;
>allow { 127.0.0.1;10.202.77.110; } keys { "DHCP_UPDATER"; };
>};
>
>Line 20 is where controls start.
>
>Any help much appreciated.
>
>rgds,
>
>Patrick

Patrick,

When you update your named.conf file, make sure you run a syntax check
before (re)starting named. Here's how you do it:

named-checkconf /path/to/your/named.conf; echo $?

If echo returns zero, then you're good to go. Otherwise, fix whatever
problem is displayed.

In your case, you need to remove one semi-colon (";") to fix your
problem. Here's what your control statement should look like:

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; 10.202.77.110; }
    keys { "DHCP_UPDATER"; };
};

Cheers,

David
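As an added example (not part of the original post), the two halves of the advice above in script form: a small awk lint that catches exactly this controls-statement mistake, and a reload wrapper that only calls rndc when named-checkconf accepts the file. The sample statements are constructed from the message; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original post: catch the controls-statement
# mistake before named sees it, and only reload when named-checkconf passes.
# Sample statements constructed from the message above; function names mine.

BAD_CONTROLS='controls {
 inet 127.0.0.1 port 953;
allow { 127.0.0.1;10.202.77.110; } keys { "DHCP_UPDATER"; };
};'

GOOD_CONTROLS='controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; 10.202.77.110; }
    keys { "DHCP_UPDATER"; };
};'

# lint_controls: read named.conf text on stdin. Inside a controls { } block, an
# inet line that ends right after "port <n>;" has been terminated too early:
# the allow { } (and keys { }) options belong to the same statement, which is
# why named complains "expected 'allow' near ';'". Prints one line per
# offending statement and exits 1 if any were found.
lint_controls() {
    awk '
        /^[ \t]*controls[ \t]*[{]/                    { in_ctl = 1 }
        in_ctl && /^[ \t]*[}][ \t]*;?[ \t]*$/         { in_ctl = 0 }
        in_ctl && /inet[ \t].*port[ \t]+[0-9]+[ \t]*;/ {
            printf "line %d: stray \";\" after the port number\n", NR
            bad++
        }
        END { exit (bad ? 1 : 0) }'
}

# safe_reload [CONF]: named-checkconf exits 0 only when the whole file parses,
# so reload on that branch alone. Needs a real named/rndc on the machine.
safe_reload() {
    conf=${1:-/etc/namedb/named.conf}
    if named-checkconf "$conf"; then
        rndc reload
    else
        echo "named-checkconf rejected $conf; not reloading" >&2
        return 1
    fi
}

# Typical use before touching a running server:
#   lint_controls < /etc/namedb/named.conf && safe_reload /etc/namedb/named.conf
```

The lint is intentionally narrow: it knows about one mistake. named-checkconf is the authority for everything else, which is why the reload wrapper still runs it.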


Re: Issues configuring cyrus-imapd

2007-12-03 Thread David Robillard
   /var/log/cyrus.log
!tls_prune
*.* /var/log/cyrus.log

Then tell newsyslog.conf(5) about these files.

/var/log/saslauthd.log  640  5 1024  * J
/var/log/cyrus.log  640  5 1024  * J

Of course, you must change rc.conf(5) too:

cyrus_imapd_enable="YES"  # Enable imapd(8).
cyrus_imapd_flags="-d"    # Flags to imapd program.
saslauthd_enable="YES"    # Enable saslauthd(8) (or NO).

If you need more detailed info, I can send you my cyrus.conf(5) and
imap.conf(5) files. As you can see, it's quite a lot more complicated
than with Dovecot :)

HTH,

David


Re: How to install FreeBSD remotely from Debian Linux Environment?

2007-12-13 Thread David Robillard
>> Maybe you can get some ideas from this (now outdated) script I used
>> for this
>> purpose years ago:
>>
>> http://www.bzerk.org/files/mk-livecd
>
> thank you - this is what I've been looking for. Not a complete
> solution - but a base to avoid figuring out those nasty hacks by
> myself :)

Say Steve,

If you make it out alive and everything works as planned, may I
suggest you post your solution online so that the entire FreeBSD
community can benefit from your efforts?

Good luck & Have fun!

David


Re: High Performance Computing Mini-Cluster

2008-10-21 Thread David Robillard
You might want to talk to the author of this:
http://www.bsdcan.org/2007/schedule/events/6.en.html
"Reflections on Building a High-performance Computing Cluster Using
FreeBSD" by Brooks Davis.

Regards,

David


Re: High Performance Computing Mini-Cluster

2008-10-21 Thread David Robillard
On Tue, Oct 21, 2008 at 2:25 PM, Gerardo Paredes
<[EMAIL PROTECTED]> wrote:
> From what I have read, Matt Olander and Brooks Davis are the foremost experts
> at cluster building on FreeBSD. However I believe a document needs to be
> written explaining in detailed steps how to do it, so the common user can do
> it. Obviously not every "common" man needs a cluster.
>
> In my case I am pitching the project of a big cluster to our University here
> in Honduras to run some kinds of apps we have, like a Trade Exchange Market
> Simulation written in Python we have about two years developing which we plan
> to run distributed across the cluster.
>
> Since I cannot attend that seminar, I will be expecting for at least the
> presentation to be posted.

Actually, this was a presentation I attended last year. So the slides
already exist. You can also grab their old paper at
http://people.freebsd.org/~brooks/papers/bsdcon2003/ but this is a bit
outdated.

My advice would be to try and contact Mr. Brooks Davis directly. If
you can't find him, try and send an email to the organisers of BSDCan
from http://www.bsdcan.org/2008/contact.php. I believe you should talk
to Dan Langille on the BSDCan committee
http://www.bsdcan.org/2008/committee.php

Good luck and have fun! Your project seems quite interesting :)

David


Re: VMWare Tools for FreeBSD

2008-03-18 Thread David Robillard
> Basically the only reason I have for using VM Tools is for the ability
> of Vmotion and such with our ESX Server farm. It's really the only
> benefit that the VM tools will give me on FreeBSD as all my virtual
> machines which are running FreeBSD are servers and don't use any GUI's
> either.
>
> Currently there is nothing that doesn't run correctly under VMWare and I
> have not seen any lack of performance or anything compared to a physical
> machine. Maybe if enough of us push to have the VMWare Tools developed
> and certified for use with VMWare that they might actually get started.
>
> I might develop some sort of E-Petition for it, what you think?

Why not? I'm in the exact same position as you are with ESX & FreeBSD.
Hence I'd love to have VMWare Tools developed and certified for use
with FreeBSD. Actually, I'd really like to see VMWare Server and
Player certified for FreeBSD i386 and amd64.

David


Re: Sudo Commands on New 6.2 System Cause Last Login Message.

2008-04-03 Thread David Robillard
> The commands always work but I would rather not get that message
> each time. Am I missing something obvious?

A quick google search will show you that it's the
${LOCALBASE}/etc/pam.d/sudo file which is the root of your "problem".
It's pam_lastlog(8) which makes the message.  If you don't need it,
comment out the...

session include system

... line in ${LOCALBASE}/etc/pam.d/sudo to get rid of this behavior.

Cheers,

David


Re: Remote backups using ssh and dump

2008-04-04 Thread David Robillard
> Has anyone done this?
>
> I'm presently using rsync over ssh, but I think dump would be better if it 
> will
> work.  I've been reading the man page, but I'm wondering if anyone is doing
> this successfully and would like to share their cmdline.

Hi Paul,

We're not using dump over ssh but I was curious to know why you'd
prefer dump over rsync?

We're using rsync and it's been good to us. So, I'd like to share with
you our backup strategy. Just in case it can help you or anyone
running various UNIX flavors. We use FreeBSD, RedHat Enterprise Linux,
Ubuntu Linux and IBM AIX in this setup.

This is a disk to disk to tape scenario.

All clients are configured with a user called "backup" with a UID of
zero (so that he can read everything). Its shell is set to rssh which
in turn is configured to allow rsync only to the backup user. We limit
who can connect to each client via sshd_config's AllowUsers config.
Each client has the central backup server's special ssh key file
installed in ~backup/.ssh/authorized_keys edited to have
from="backup.domain.com", in it to restrict which machine can use this
key.

The central FreeBSD backup server has ssh access to every client and
has rsnapshot installed. We have an rsnapshot configuration for each
client. Each backup run is scheduled via the server's crontab. Backup
data is stored on the server's encrypted backup volume. The nice thing
about rsnapshot is that it uses efficient links to save disk space. In
the first run of a new client it takes the entire data set. But each
subsequent run only takes the changes. But the backup data is kept
online so you can actually browse it live and use scp/tar/rsync to
perform a restore. Be it a single file or the entire file system.
Using rsnapshot enables us to save a week's worth of data of all our
100+ machines without using more than 300Gb of disk space on the
backup server (lots of machines, but not much data, we're quite lucky
:)

Each day, the backup data is passed with dd into OpenPGP before being
sent to tape with tar. This way our tapes are encrypted and impossible
to read without the appropriate password. That password is kept on an
encrypted file. We can therefore send our tapes off site with any
company knowing our data is safe.  All the admins keep a detailed
howto and the important encrypted password files on a USB stick in
case the data center fails and we lose our wiki and the file server.

If anyone is interested in the exact configuration of this backup
setup, we have it all in a wiki, so it's easy to share it.

Hope that can help anyone,

Cheers,

David
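Two pieces of the setup described above lend themselves to a script, so here is an added example (not from the original post or the rsnapshot project): a builder for the restricted authorized_keys line the backup user accepts, an audit that reports any key on a client that lacks the from= restriction, and the tar-to-OpenPGP-to-tape pipeline. The host name, key material and function names are constructed for illustration; the no-*-forwarding/no-pty options are standard OpenSSH authorized_keys options I added, since rsync over ssh needs none of those features.

```sh
#!/bin/sh
# Added example, not part of the original post: checks around the backup
# design above. Host name, key material and function names are constructed.

# restricted_key_line HOST PUBKEY...: prefix a public key with the options a
# backup-only key should carry. from= is what the post requires; the rest
# removes capabilities rsync never needs.
restricted_key_line() {
    host=$1; shift
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$host" "$*"
}

# audit_backup_keys: read an authorized_keys file on stdin and report every
# key that lacks a from= option. Exits 1 if any were found.
# Simplification: the options field is taken to be the first whitespace-
# separated word, so quoted option values containing spaces (some
# command="..." values) are not handled.
audit_backup_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        {
            opts = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? "" : $1  # no options field at all
            if (opts !~ /(^|,)from="[^"]+"/) {
                printf "line %d: key without from= restriction\n", NR
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# backup_to_tape DIR PASSPHRASE_FILE [TAPE]: the disk-to-tape step described
# above: tar the snapshot tree, encrypt it symmetrically with OpenPGP, stream
# it to the tape device. Keep the passphrase file off the tape and off the
# backup volume. --pinentry-mode loopback is needed for --passphrase-file on
# GnuPG 2.1 and later; GnuPG 1.x does not know the option.
backup_to_tape() {
    dir=$1; pf=$2; tape=${3:-/dev/nsa0}
    tar cf - "$dir" \
      | gpg --batch --pinentry-mode loopback --symmetric --cipher-algo AES256 --passphrase-file "$pf" \
      | dd of="$tape" bs=64k
}

# Constructed sample authorized_keys: one correctly restricted key, one bare
# key that someone added by hand (the thing the audit should catch).
SAMPLE_KEYS="$(restricted_key_line backup.domain.com 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLYnotreal backup@backup.domain.com')
# an unrestricted key someone added by hand
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexampleonly admin@laptop"

# On a client: audit_backup_keys < ~backup/.ssh/authorized_keys
```

Running the audit from the backup server over every client (it already has ssh access to all of them) gives a cheap daily check that nobody has quietly added an unrestricted UID-0 key.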


Re: FreeBSD on IBM Blade Servers

2008-04-04 Thread David Robillard
> Somebody using FreeBSD & IBM Blade hardware in production?

Hello Maximillian,

I'm not using it myself, but a friend of mine is running FreeBSD
6.1-STABLE on IBM BladeCenter LS20, AMD Opteron 2.4GHz/800 MHz. He
says the big problems are getting the BladeCenter's USB console
working across reboots and multipathing the HBAs. His FreeBSD blades
boot of the SAN and they all have dual HBAs. Since FreeBSD 6.1 has
zero multipath support, he has to disable one of the HBA for the boot
process to work.

I think FreeBSD 7.0 is a *lot* better with respect to the USB console.
But I have no idea about the HBA multipath support?

Anyway, if you do have more specific questions, please feel free to
send them to me. I'd forward them to my friend or hook you two
together.

HTH,

David


Re: Openldap server install failure - openldap client conflict

2008-04-16 Thread David Robillard
> I'm trying to install OpenLDAP as a server to "attempt" to try it out
> for our network. The problem is the openldap client is already installed
> for other apps as php, apache, asterisk, etc. So my question is: is it
> possible to uninstall the client? Will the server include the client
> required for these other apps?

You can always remove the old client and install the new version. You
simply need to shut down the services which depend on the client before
you remove the old one and install the new one. Then start the
services again. Of course you should do this on a test machine and
make sure all your applications work as expected with the new client
(i.e. don't do this on your production machine AND backup before you
do!).

For what it's worth, I've removed and installed the OpenLDAP client
from a few machines and never had any problems with Apache nor with
PHP. But I did have a problem with sudo(8). If you use sudo (you
probably should IMHO) and it was compiled with LDAP support, then the
minute you remove the old OpenLDAP client, sudo will be broken. It's
easy to work around this by using su(1) and switch to root. Of course,
make sure you know the root password and that you're part of the wheel
group before you do this.

Here's how I proceed to update the OpenLDAP client. I use SASL also,
but it's not mandatory. Notice that I run a first make(1) without
options. This will help reduce the time required between the `make
deinstall` and `make install clean`.

cd /usr/ports/net/openldap24-sasl-client
sudo make
sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
sudo make deinstall
sudo make install clean
sudo /all/your/ldap/dependent/applications/rc.d/scripts start

Also, on a side note, I would suggest adding a few lines to
make.conf(5) so that all your applications will require the same
OpenLDAP versions (and the same Berkeley DB too). That change did help
me quite a lot. The downside of this is that if you have many hosts,
you may have to edit quite a few make.conf(5) files when either
OpenLDAP or BDB changes versions. Using rsync, rdist

WANT_OPENLDAP_VER= 24
WITH_BDB_VER= 46

Good luck with OpenLDAP. Should you need help with it, SASL and
Kerberos integration, feel free to contact me.

Cheers,

David


Re: Openldap server install failure - openldap client conflict

2008-04-17 Thread David Robillard
> On Wed, 2008-04-16 at 10:37 -0400, David Robillard wrote:
> > > I'm trying to install OpenLDAP as a server to "attempt" to try it out
> > > for our network. The problem is the openldap client is already installed
> > > for other apps as php, apache, asterisk, etc. So my question is: is it
> > > possible to uninstall the client? Will the server include the client
> > > required for these other apps?
> >
> > You can always remove the old client and install the new version. You
> > simply need to shutdown the services which depend on the client before
> > you remove the old one and install the new one. Then start the
> > services again. Of course you should do this on a test machine and
> > make sure all your applications work as expected with the new client
> > (i.e. don't do this on your production machine AND backup before you
> > do!).
> >
> > For what it's worth, I've removed and installed the OpenLDAP client
> > from a few machines and never had any problems with Apache nor with
> > PHP. But I did have a problem with sudo(8). If you use sudo (you
> > probably should IMHO) and it was compiled with LDAP support, then the
> > minute you remove the old OpenLDAP client, sudo will be broken. It's
> > easy to work around this by using su(1) and switch to root. Of course,
> > make sure you know the root password and that you're part of the wheel
> > group before you do this.
> >
> > Here's how I proceed to update the OpenLDAP client. I use SASL also,
> > but it's not mandatory. Notice that I run a first make(1) without
> > options. This will help reduce the time required between the `make
> > deinstall` and `make install clean`.
> >
> > cd /usr/ports/net/openldap24-sasl-client
> > sudo make
> > sudo /all/your/ldap/dependent/applications/rc.d/scripts stop
> > sudo make deinstall
> > sudo make install clean
> > sudo /all/your/ldap/dependent/applications/rc.d/scripts start
> >
> > Also, on a side note, I would suggest adding a few lines to
> > make.conf(5) so that all your applications will require the same
> > OpenLDAP versions (and the same Berkeley DB too). That change did help
> > me quite a lot. The downside of this is that if you have many hosts,
> > you may have to edit quite a few make.conf(5) files when either
> > OpenLDAP or BDB changes versions. Using rsync, rdist
> >
> > WANT_OPENLDAP_VER= 24
> > WITH_BDB_VER= 46
> >
> > Good luck with OpenLDAP. Should you need help with it, SASL and
> > Kerberos integration, feel free to contact me.
>
> I did just get it worked out, but those other apps were worrying me (see
> last post). At least I know where to look now...

Indeed. I've never used Asterisk myself so you'll have to test it. I'd
be surprised if a change in the LDAP client breaks anything, but you
never know. Better test it first on a non-production system.

> I am very interested in kerberos integration if you could provide some
> hints. I looked into before for another reason and set it aside in the
> too hard basket for a while... I posted back to the list to help others
> if they're interested too.

I've successfully integrated OpenLDAP with SASL and Kerberos along
with nss_ldap, pam_ldap, sudo and ssh on FreeBSD. I agree with you
that it's not very easy to find good documentation on this subject on
the web. So I'll try to post my own setup online in case it can help
anyone.

But before I do, I still need to clean up my notes :) I'd also like to
publish documentation on these items:

- Setup the OpenLDAP replication with a Kerberos user.
- Describe a backup and recovery plan.
- Configure Apache to use mod_auth_kerb to achieve Single Sign-On.
- Describe how to replace NIS with OpenLDAP.
- Configure the OpenLDAP/Kerberos setup in HA using Open Source tools.
- Test some web based applications to manage the OpenLDAP accounts (so
that I can give the user management to a junior admin or first level
support teams)

So unless you really need my docs right away, I would suggest waiting
a bit for me to clean the whole thing. I'd like to have all that up
and running around the first week of May.

> One thing, I installed the lam webapp for administration (and I did also
> try this manually too) but when I'm asked for a password I have no idea
> what password its looking for (I do feel rather stupid!).

Hummm, I've never used LAM before. But my (wild) guess would be that
it's looking for your rootdn user's password. Or any other user in
which you've granted full read/write access in your OpenLDAP acls.

> This was something I was going to try to solve nex

Re: Support for Stallion Serial Controllers in FreeBSD 7

2008-04-18 Thread David Robillard
> From some reading I have been doing including here:
> <http://www.freebsd.org/doc/en_US.ISO8859-1/articles/console-server/setting-up-server.html>
>
> ...I have been given to understand that FreeBSD supports Stallion multiport
> serial cards, provided that I enable it in the kernel.
>
> However, the link in the document above to stl comes up with nothing,
> I can find no other references doing a site search and doing:
>
> grep -r -i stallion *

We still have an old FreeBSD 4.11-RELEASE-p26 machine lying around
only because it's using those Stallion multiport serial cards. It's
working, but it's quite annoying to keep such an old FreeBSD version
online. We had to isolate this machine into its own network DMZ since
version 4.11 isn't covered by the FreeBSD Security team.

To get around this problem, we recently built another console server
with a Digi Digiboard PCI PC/Xem card on FreeBSD 6.2-RELEASE-p12. It's
working great, so we're going to ditch the old Stallion cards. Unless
of course someone ports the stl(4) driver to FreeBSD 7.x

If you'd like to read the documentation on how I've setup the console
server with both the Digi board and the Stallion cards, check
http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/ConsoleServer

HTH,

David


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-04-30 Thread David Robillard
> On Wednesday 30 April 2008 11:00, O. Hartmann wrote:

[ --- 8< --- SNIP! --- 8< --- ]

> It's true that an object can only belong to one structural class (although it
> can belong to many auxiliary classes).
>
> I use the auxiliary class extensibleObject, which allows you to add any
> attribute to an LDAP object. My user accounts have three object classes:
> inetOrgPerson (the structural class), posixAccount and extensibleObject. The
> rules for the first two are still enforced, but I am able to add the Host:
> attribute.
>
> Jonathan

That sounds very interesting Jonathan. Could you please share with us
the complete LDIF data used to create such a user?
Something like this for example:

# test.user.ldif
#
# Create a test user.

dn: cn=test.user, ou=users, dc=domain, dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
# The RDN value (cn=test.user) must also be present as an attribute value,
# otherwise slapd rejects the entry with a naming violation.
cn: test.user
cn: Test User
sn: test.user
uid: test.user
userPassword: {SSHA}GmbwsRvJugoiT5NIIJ2bk+5YVfWMUVa1
uidNumber: 
gidNumber: 
gecos: Test User
mail: [EMAIL PROTECTED]
telephoneNumber: 123 456 7890 x1234
loginShell: /usr/local/bin/bash
homeDirectory: /nfs/home/test.user

# Link this user to its group.
dn: cn=test, ou=groups, dc=domain, dc=com
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 
memberUid: test.user

# EOF

Many thanks,

DA+
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: OpenLDAP/FreeBSD: How to implement attribute HOST without STRUCTURAL account?

2008-05-01 Thread David Robillard
> On Wednesday 30 April 2008 16:43, David Robillard wrote:
> > > On Wednesday 30 April 2008 11:00, O. Hartmann wrote:
> >
> > [ --- 8< --- SNIP! --- 8< --- ]
> >
> > That sounds very interesting Jonathan. Could you please share with us
> > the complete LDIF data used to create such a user?
>
> This is live from my LDAP server:
>
> # jfm, group, hst.org.za
> dn: cn=jfm,ou=group,dc=hst,dc=org,dc=za
> objectClass: posixGroup
> gidNumber: 1001
> cn: jfm
>
> # jfm, people, hst.org.za
> dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: extensibleObject
> sn: McKeown
> cn: Jonathan McKeown
> uidNumber: 1001
> gidNumber: 1001
> mail: [EMAIL PROTECTED]
> loginShell: /usr/local/bin/bash
> host: charlotte.hst.org.za
> host: clare.hst.org.za
> uid: jfm
> homeDirectory: /home/jfm
>
> There is, of course, also a userPassword attribute in the user account. (You
> didn't expect me to show you that, did you?!)

lol Well, if it's in {SSHA} format and you change a few digits here
and there, that's not a security issue :)


> Using posixGroup, the attribute for adding additional members to a group is 
> memberUid.
>
> There's a bit more to getting this all working: configuring slapd.conf with
> appropriate schemas, installing and configuring pam_ldap and nss_ldap, and
> setting up PAM correctly. I can go into excruciating detail if you like...

Well, I'd certainly love to see how you've set things up. We could
compare with what I've published on my wiki. The documentation is not
finished, but it's a start. I'd really appreciate it if people could
check it out and tell me where the document could be enhanced, if I
made any mistakes, things like that. Check it out here:

http://wiki.zerocatastrophe.com/wiki/UNIX/FreeBSD/Kerberos+OpenLDAP

Notice that I've updated my documentation to reflect your LDIF data as
I believe it to be very flexible. Thanks!

I know that Edward Capriolo (in Cc: to this email) has also published
some Kerberos & OpenLDAP documentation online. Edward, care to join
us here?


> My only irritation is that although passwd(1) in 6.3 has the code within it to
> allow it to be controlled by PAM, it's all currently diked out, so that you
> can't use passwd(1) transparently with LDAP users. (As far as I know this
> hasn't changed in 7.0).

Indeed, that's also a problem I have. How do you go about solving this?


> inetOrgPerson gives you a huge number of optional fields for other
> information, up to and including a JPEG photo. It inherits from
> organizationalPerson which inherits from person, so you need to combine all
> three sets of attributes to get the complete spec for inetOrgPerson (note the
> only MUST attributes are sn and cn from person):
>
> [ --- 8< --- SNIP! --- 8< --- ]
>
> We're hardly using any of these, but it seemed to make more sense to build it
> in, in case.

You're right, I totally agree.

> Jonathan

Cheers!

DA+
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
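Here is an added example (my own Python, not from this thread and not part of Jonathan's setup) that reads the kind of LDIF posted in these two messages, checks the one-structural-class rule Jonathan describes, and applies the host: attribute test that pam_ldap performs when pam_check_host_attr is on, which as far as I know is: allow only if the entry lists the host or "*", deny if there is no host attribute at all. The structural/auxiliary tables cover only the classes used in the two LDIFs in this thread, and the sample entry is constructed from Jonathan's.

```python
# Added example, not from the thread: parse a small LDIF file, check the
# "exactly one structural objectClass" rule, and apply the pam_check_host_attr
# host: test. Class tables cover only the classes used in this thread.

# Structural and auxiliary classes this example knows about, plus the
# inheritance chain so 'person' + 'inetOrgPerson' counts as one chain.
STRUCTURAL = {"person", "organizationalPerson", "inetOrgPerson", "account", "posixGroup"}
AUXILIARY = {"posixAccount", "shadowAccount", "extensibleObject"}
ABSTRACT = {"top"}
PARENT = {"inetOrgPerson": "organizationalPerson", "organizationalPerson": "person", "person": "top"}

SAMPLE_LDIF = """\
# constructed sample, modelled on Jonathan's entry
dn: uid=jfm,ou=people,dc=hst,dc=org,dc=za
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
sn: McKeown
cn: Jonathan McKeown
uidNumber: 1001
gidNumber: 1001
loginShell: /usr/local/bin/bash
host: charlotte.hst.org.za
host: clare.hst.org.za
uid: jfm
homeDirectory: /home/jfm
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute -> list of values.
    Handles '#' comments, blank-line record separators and folded lines (leading
    space). Base64 ('::') values are left as-is, which is enough for these checks."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    return entries


def structural_classes(entry):
    """Structural classes of the entry with inherited ancestors collapsed."""
    present = {c for c in entry.get("objectclass", []) if c in STRUCTURAL}
    ancestors = set()
    for c in present:
        p = PARENT.get(c)
        while p:
            ancestors.add(p)
            p = PARENT.get(p)
    return present - ancestors


def one_structural_class(entry):
    """True if the entry obeys the one-structural-class rule."""
    return len(structural_classes(entry)) == 1


def unknown_classes(entry):
    """Classes outside the tables above; a server without that schema rejects them."""
    return sorted(set(entry.get("objectclass", [])) - STRUCTURAL - AUXILIARY - ABSTRACT)


def host_allowed(entry, hostname):
    """pam_check_host_attr rule: allowed only if host: lists this host or '*'."""
    hosts = entry.get("host", [])
    return hostname in hosts or "*" in hosts


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0], structural_classes(e),
              "charlotte ok:", host_allowed(e, "charlotte.hst.org.za"),
              "other ok:", host_allowed(e, "other.hst.org.za"))
```

Feed it your own LDIF (for example the output of ldapsearch -LLL) and the host check tells you, before touching PAM, which accounts would be let in on a given machine.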


Re: Large filesystems help/ideas

2008-05-21 Thread David Robillard
> Hi,
> I'm implementing a backup solution at work.We've bought a x86 server
> with two hardware raid 5 with for a total storage capacity of about 7Tb.
>
> For the software we are using for backups, the ideal scenario would be
> to have just one "big disk" so that no space problems would appear.
>
> I've tried to install FreeBSD 7 with no success, as it seems... the
> sysinstall tool doesn't support such big slices.
>
> I've read about the "Large Data Storage on FreeBSD" but I'm still confused.
>
> I've also thought on using slices of 1Tb, and join all them using vinum.
> What do you think about this last option?
>
> Thanks a lot for your help.

I would suggest to use different partitions for your OS and another
big one for your backup data. In fact, if you can use two smaller
disks in RAID 1 for the OS and leave your two RAID 5 for the backup
data alone, that would be even better.

This way you can both a) install the OS without any problem and b)
prevent a *very* long fsck in case the machine crashes and your 7TB
partition is broken beyond the background fsck process. Once you have
the OS installed on the smaller partitions, you can then use gpt(8) to
create your 2TB+ filesystems.  YMMV.

We use a scenario quite identical to what you're trying to do. We use
a few ports to do so, like sysutils/rsnapshot and shells/rssh with
rsync and OpenSSH along with an encrypted backup volume and OpenPGP to
encrypt the tapes. For VMWare images, we use sysutils/rdiff-backup. It
works very well for 100+ mixed FreeBSD, RedHat, Ubuntu and AIX hosts.
If you need any help with the backup setup and all, just ask, I'll
send you the howto.

Have fun,

DA+
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Reverse proxy recommendation

2008-06-02 Thread David Robillard
On Sat, 2008-05-31 at 10:26 -0400, Thomas Mullins wrote:
> Hello,
>
> We have three internal web servers that we make accessible to the
> internet.  Right now we simply use pf and port redirection.  Works
> great.
>
> But, we would like to tighten up security.  I know you can do this with
> squid, apache and a few others.  Could someone please make a
> recommendation on what solutions they have used or seen in the past?
>
> Thanks
> Shane

You may want to check the www/varnish port. From the ports description:

This is the Varnish high-performance HTTP accelerator.

Documentation and additional information about Varnish is available on
<http://varnish.projects.linpro.no/>.

Technical questions about Varnish and this release should be addressed
to <[EMAIL PROTECTED]>.

Questions about commercial support and services related to Varnish
should be addressed to <[EMAIL PROTECTED]>.

WWW: http://www.varnish-cache.org/

And from wikipedia: http://en.wikipedia.org/wiki/Varnish_cache

I've never used it myself, but it looks interesting since it was
created by Poul-Henning Kamp, who is a major FreeBSD developer.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Local portaudit server.

2006-03-10 Thread David Robillard
Hello,

We use the port security/portaudit on all of our FreeBSD servers.
Currently, every machine has to go out on the internet to download the
portaudit vulnerability database from the FreeBSD server.

Since all of the machines are downloading the exact same file, we
would like to set up a local portaudit server. This server would fetch
the vulnerability file and all the rest of our servers would fetch it
from the local portaudit server.

Has anyone done this setup? Any help/pointers would be great.

Thanks,

David

--
David Robillard
UNIX systems administrator, CISSP
Montreal: +1 514 966 0122


Re: Sendmail and Jails

2006-03-27 Thread David Robillard
On Saturday 25 March 2006 18:42, Jack Stone wrote:
> I have been setting up jails on various production servers on
> FBSD-6.0 & 4.11.
>
> I was wondering how/where to configure & avoid the port conficts
> for sendmail as follows:
>
> - main host - all sendmail services in & out (or at least out)
> - jail - just outgoing services
>
> I gather I will need to configure one or the other on a non-std
> port as both will try to grab the same ports: 25 & 587
>
> Any tips appreciated.

Hi Jack,

Since all jails and the main host have their own IP address, it is
quite easy to do the setup you ask for. The idea here is to tell
sendmail(8) on which IP it should bind to. No need to fuss around with
ports or anything like that :o)

For the sake of example, let's say we have this:

main.host.com: 192.168.1.1
jail.host.com: 192.168.1.2

On the main host, make sure you have

sendmail_enable="YES"

in /etc/rc.conf. This will tell sendmail to run and listen for outside requests.
Next, edit the /etc/mail/`uname -n`.mc file (make sure the uname(1)
command is enclosed in back-ticks).

sudo vi /etc/mail/`uname -n`.mc

Include whatever sendmail(8) MC macro configuration you need and make
sure you have this line which tells sendmail(8) to listen on
192.168.1.1 on TCP port 25.

DAEMON_OPTIONS(`Port=25, Addr=192.168.1.1, Name=MTA, Family=inet')dnl

Save the `uname -n`.mc file and restart sendmail:

cd /etc/mail
sudo make install restart

Make sure you check /var/log/maillog for any errors.

Now for the jails, you only have to configure sendmail in whatever way
you need and have this

sendmail_enable="NO"

in /etc/rc.conf. This tells sendmail to process mail only if it is
originating from the localhost. I would recommend configuring each
jail as a sendmail null client to your main host. For example:

OSTYPE(`freebsd6')dnl
FEATURE(`nullclient', `main.host.com')dnl

Which will cause all jails to "punt" their mail directly to your
main.host.com machine.

If you're not sure about which ports are opened by sendmail in the
main host or the jails, run the sockstat(1) command.

Also, sendmail relies on DNS for everything, so make sure your DNS
system is on par with the various hostnames you use. Otherwise,
you'll end up with long boot times and a whole bunch of broken mail
problems.

Finally, make sure you upgrade sendmail to version 8.13.6 because
previous versions contain a vulnerability. Install port mail/sendmail.
(this is my sendmail configuration in make.conf)

sudo vi /etc/make.conf

NO_SENDMAIL= true

SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf

# One knob per line. Do not join them with trailing backslashes: make(1)
# would treat the continued lines as a single assignment, and a backslash
# at the end of a comment line continues the comment onto the next line.
.if ${.CURDIR:M*/mail/sendmail}
SENDMAIL_WITHOUT_IPV6=yes
SENDMAIL_WITHOUT_NIS=yes
SENDMAIL_WITH_TLS=yes
SENDMAIL_WITH_SMTPS=yes
SENDMAIL_WITH_SASL=yes
SENDMAIL_WITH_SASL2=yes
SENDMAIL_WITH_LDAP=yes
SENDMAIL_WITH_BERKELEYDB_VER=42
SENDMAIL_WITH_SOCKETMAP=yes
# SENDMAIL_WITH_CYRUSLOOKUP=no
SENDMAIL_WITH_PICKY_HELO_CHECK=yes
SENDMAIL_WITH_SHARED_MILTER=yes
.endif

cd /usr/ports/mail/sendmail
sudo make install
sudo make mailer.conf
sudo make clean

Check if you're using the right one:

sendmail -bt -d0.1 < /dev/null

Let me know if you need more assistance. Of course, YMMV.

Cheers,

David


--
David Robillard
UNIX systems admin, CISSP
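Since the whole point of the setup above is that each sendmail binds to its own address, here is an added example (my own Python, not from the thread) that reads `sockstat -4l` output and flags a sendmail listener bound to the wildcard address, or to an address other than the one given in DAEMON_OPTIONS. The sample output is constructed in the sockstat column layout with the hypothetical 192.168.1.1 host address used above; on a real host, pipe `sockstat -4l` into it.

```python
# Added example, not from the thread: verify the sendmail bind described above
# from sockstat(1) output. SAMPLE_SOCKSTAT is constructed in the `sockstat -4l`
# column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) with
# the hypothetical host address 192.168.1.1; pid 5678 is the misconfiguration.
import sys

SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  3  tcp4   192.168.1.1:25        *:*
root     sendmail   1234  4  tcp4   192.168.1.1:587       *:*
root     sendmail   5678  3  tcp4   *:25                  *:*
root     sshd       900   4  tcp4   *:22                  *:*
"""


def parse_sockstat(text):
    """Parse `sockstat -4l` lines into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue
        user, command, pid, fd, proto, local, foreign = parts[:7]
        addr, _, port = local.rpartition(":")
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "addr": addr, "port": int(port)})
    return rows


def sendmail_bind_problems(rows, expected_addr, ports=(25, 587)):
    """A daemon pinned with DAEMON_OPTIONS(`Addr=...') must show that address and
    never '*': a wildcard bind on the host also grabs the jails' addresses.
    127.0.0.1 is tolerated for the localhost-only submission daemon."""
    allowed = {expected_addr, "127.0.0.1"}
    problems = []
    for r in rows:
        if r["command"] != "sendmail" or r["port"] not in ports:
            continue
        if r["addr"] in ("*", "0.0.0.0"):
            problems.append(f"pid {r['pid']}: wildcard bind on port {r['port']}")
        elif r["addr"] not in allowed:
            problems.append(f"pid {r['pid']}: bound to {r['addr']}:{r['port']}, "
                            f"expected {expected_addr}")
    return problems


def main(argv):
    expected = argv[1] if len(argv) > 1 else "192.168.1.1"
    text = SAMPLE_SOCKSTAT if sys.stdin.isatty() else sys.stdin.read()
    problems = sendmail_bind_problems(parse_sockstat(text), expected)
    for p in problems:
        print(p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `sockstat -4l | python check_bind.py 192.168.1.1` on the host; a non-zero exit means some sendmail instance is listening where DAEMON_OPTIONS should have prevented it.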


Re: Java and tomcat

2006-03-30 Thread David Robillard
> Martin,
>
> this 'how to' isn't working... It isn't up to date,
> some downloads doesn't exist
>
> What can I do ?

The java page on the FreeBSD server is for an old version of Tomcat and Java.

To get Tomcat 5.5 running, try this instead.
Note that if you don't have porteasy(1), just install it:

sudo pkg_add -rv porteasy

# Change your Kernel configuration with this line:

options COMPAT_LINUX

# Rebuild, install, reboot, as always...
# Hint: Make sure you update your src tree with the latest sources from
# your favorite cvsup mirror :)

# Install the linux binary compatibility.

sudo porteasy -uv emulators/linux_base-rh-9
cd /usr/ports/emulators/linux_base-rh-9
sudo make install clean

# Make sure the /compat/linux/proc file system is mounted at each reboot.
# Edit fstab(5) and add this line:

linproc /compat/linux/proc  linprocfs  rw  0  0

# Check that it works by rebooting.

sudo init 6

# Install port www/tomcat55 and follow the instructions as they appear
# when you run make.

sudo porteasy -uv www/tomcat55
cd /usr/ports/www/tomcat55
sudo make

# Follow what will be printed. Basically, what you need to do is download
# java from sun's website and place the file inside your ports tree.
# It's super easy from there.

Good luck,

David

--- Martin Hepworth <[EMAIL PROTECTED]> escreveu:

> Hi
>
> there's an excellant 'how to' here...
>
>
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/java-tomcat/
>
> --
> Martin
>
> On 3/22/06, Aguiar Magalhaes <[EMAIL PROTECTED]>
> wrote:
> >
> > Hi list,
> >
> > I´d like to install java (virtual machine) and
> tomcat
> > on the freebsd 6.0..
> >
> > Are they full compatible ??  Are they in ports ??
> >
> > Help me please,
> >
> > Aguiar


--
David Robillard
UNIX systems administrator, CISSP
Montreal: +1 514 966 0122


Help clarify the '-l' option of ls(1).

2006-04-12 Thread David Robillard

Hello everyone,

I'd like to have an explanation of the '-l' (minus L) option of the ls(1)
command. What exactly is the meaning of the second column in the display?
The man page states that it is 'the number of links'. But what does it mean exactly?

The man page states:

-l  (The lowercase letter ``ell''.)  List files in the long format,
as described in the The Long Format subsection below.

So we check 'The Long Format' section which says:

 The Long Format
   If the -l option is given, the following information is displayed for
   each file: file mode, number of links, owner name, group name, MAC label
   [output truncated]

Does anyone know any details about this 'number of links' ???

Many thanks,

David



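As an added example (my own Python, not part of the question above): the second column is the inode's hard-link count, st_nlink from stat(2), i.e. how many directory entries name that inode. The script builds a throwaway tree in a temporary directory and shows the count moving as names are added and removed; it assumes a filesystem that counts directory links the UFS/ext4 way (btrfs always reports 1 for directories).

```python
# Added example, not from the thread: what the 'number of links' column of
# `ls -l` counts. A regular file starts at 1 and gains one per extra name made
# with ln(1); a copy is a new inode and changes nothing. A directory on UFS,
# ext4 and most other filesystems starts at 2 ('.' plus its entry in the
# parent) and gains one per subdirectory, whose '..' points back at it.
import os
import shutil
import tempfile


def same_inode(a, b):
    """True when two names are hard links to one inode, which is what the count counts."""
    sa, sb = os.stat(a), os.stat(b)
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def link_counts():
    """Build a small tree in a temp dir and return the st_nlink values observed."""
    base = tempfile.mkdtemp()
    try:
        f = os.path.join(base, "file")
        alias = os.path.join(base, "alias")
        copy = os.path.join(base, "copy")
        open(f, "w").close()
        counts = {"file_new": os.stat(f).st_nlink}          # 1: one name
        os.link(f, alias)                                   # second name, same inode
        counts["file_linked"] = os.stat(f).st_nlink         # 2
        counts["alias_same_inode"] = same_inode(f, alias)   # True
        shutil.copyfile(f, copy)                            # new inode, new data
        counts["file_after_copy"] = os.stat(f).st_nlink     # still 2
        counts["copy_same_inode"] = same_inode(f, copy)     # False
        os.unlink(alias)                                    # drop one name; data stays
        counts["file_unlinked"] = os.stat(f).st_nlink       # back to 1
        d = os.path.join(base, "dir")
        os.mkdir(d)
        counts["dir_empty"] = os.stat(d).st_nlink           # 2 on UFS/ext4
        os.mkdir(os.path.join(d, "sub"))
        counts["dir_one_sub"] = os.stat(d).st_nlink         # 3 on UFS/ext4
        return counts
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, value in link_counts().items():
        print(f"{name:18} {value}")
```

The practical consequence: a file's data is only freed when the count reaches 0, so `rm` of one name does not remove data that is still reachable under another name, which is worth remembering when "deleting" a file for security reasons.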


Unattended 5.3 install post-configuration problem.

2005-01-21 Thread David Robillard
Hello everyone,

I've setup an unattended automatic FreeBSD-5.3 install server. Clients
boot via PXE and receive the OS in around 15 minutes using a
sysinstall(8) script.

I need to perform post-install configuration, so I wrote a
post_install.sh shell script which is called at the end of the
sysinstall(8) script.

My problem is that I can't get my post-install script to modify
rc.conf(5) because sysinstall(8) re-writes the file and removes
my configurations (all lines from rc.conf(5) start with `#REMOVE').

The sysinstall(8) man page only says:

This utility may edit the contents of /etc/rc.conf, /etc/hosts, and
 /etc/resolv.conf as necessary to reflect changes in the network
configuration.

How can I prevent or circumvent this "feature" of sysinstall???

Any help would be really appreciated.

Here are the files:

# From sysinstall(8) install.cfg:
#
command=/stand/post_install.sh
system


# From /stand/post_install.sh
#
cat <<- "END" > /tmp/a
# rc.conf
#
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#
# David Robillard, December 13th, 2004

check_quotas="YES"              # Check quotas.
hostname="hostname.domain.com"  # Hostname.
ifconfig_bge0="inet 192.168.1.1 netmask 255.255.255.0"  # Configure NIC bge0.
keyrate="normal"                # Set normal keyboard repeat rate.
nisdomainname="NO"              # We don't run NIS.
saver="blank"                   # Blank screen when idle.
scrnmap="NO"                    # Screen map in /usr/share/syscons/scrnmaps/*
sshd_enable="YES"               # Start sshd(8).
usbd_enable="YES"               # Start usbd(8).
tcp_drop_synfin="YES"           # Prevent OS fingerprinting.
sendmail_enable="NO"            # Bind sendmail(8) to localhost only.
syslogd_enable="YES"            # Start syslogd(8).
syslogd_flags="-ss"             # Receive syslogd(8) from local machine only.
inetd_enable="NO"               # Don't run inetd(8).
icmp_drop_redirect="YES"        # Drop ICMP redirects.
icmp_log_redirect="YES"         # Log dropped ICMP redirects.
clear_tmp_enable="YES"          # Clear /tmp at startup.
update_motd="NO"                # Don't update motd(5) at startup.

# EOF
END

mv /tmp/a /root/rc.conf
cp /root/rc.conf /etc/rc.conf



Cheers,

David

--
David Robillard
UNIX systems administrator
[EMAIL PROTECTED]
+1 514 966 0122






Re: Kernel problems on 5.3.

2005-03-03 Thread David Robillard
Hi Jacob,

You should try to CVSup your FreeBSD machines to get the latest code.
Read section A.5 of the FreeBSD Handbook. Here's the link:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

I can't say this will fix your current problem, but for sure it can only
be good, at least from a security stand point.

You can proceed to do so via ssh.

What you want to do is this:

a) Create the file /root/cvs-supfile which contains the following:

sudo vi /root/cvs-supfile


# cvs-supfile
#
# $Id: cvs-supfile,v 1.7 2005/03/03 15:53:56 drobilla Exp drobilla $
#
# Check /usr/share/examples/cvsup/cvs-supfile for
# more information.
#
# David Robillard, December 9th, 2004

# Host from which files are fetched.
#
# *default host=cvsup.ca.freebsd.org
*default host=cvsup4.freebsd.org
# *default host=cvsup.ch.freebsd.org

# Directory where CVSup stores info about it's work.
# Will never grow beyond ~1MB and creates ${base}/sup.
# NOTE: The `refuse' file is thus: /var/db/cvsup/sup/refuse
#
*default base=/var/db/cvsup

# Directory where to place the downloaded files.
#
*default prefix=/usr

# Which version of FreeBSD do we want?
# Check http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html
# 
# BROKEN?! *default tag=RELENG_5
*default tag=RELENG_5_3

# Defaults. Don't need to change this.
# 
*default release=cvs delete use-rel-suffix compress

# What do we want to download?
#
src-all

# EOF



b) Create the cvsup directory.

sudo mkdir -p /var/db/cvsup/sup


c) Now copy the refuse file to your cvsup directory.

sudo cp /usr/share/examples/cvsup/refuse /var/db/cvsup/sup


d) Set up your environment. You should set this up in your
   favorite shell's rc file. This here is for sh(1) and bash(1).

[EMAIL PROTECTED]:/home/ncvs
export CVSROOT


e) Proceed with cvsup. Note, the first time you run things,
   you will be prompted to accept the RSA signature of the
   server you connect to.

sudo cvsup -g -L 2 /root/cvs-supfile


f) When the download finishes, rebuild the world and the kernel.
   Note, you have a custom built kernel, so you must change KERNCONF=GENERIC
   to KERNCONF=YOUR_KERNEL_CONFIG_FILE_NAME

cd /usr/src
sudo make -j2 buildworld
sudo make -j2 buildkernel KERNCONF=GENERIC
sudo make installkernel KERNCONF=GENERIC
sudo mergemaster -p
sudo make installworld
sudo mergemaster


g) Finally, reboot the machine.

Once your machines come back online, run `uname -r` and you will notice
that the current release level of the operating system has changed. For
example, my servers have changed from "5.3-RELEASE" to "5.3-RELEASE-p5".

Cheers,

David

-- 
David Robillard
UNIX systems administrator
[EMAIL PROTECTED]

Notarius (TSIN) Inc.
465, rue St-Jean, suite 200
Montreal, Quebec, H2Y 2R6

Tel. : +1 514 966 0122
Fax. : +1 514 281 1226

http://www.notarius.com



Re: suspending login

2005-04-06 Thread David Robillard
What you need is nologin(5).

Check nologin(5) and nologin(8) man pages.

As the nologin(8) man page says:

To disable all logins, investigate nologin(5)

David

On April 5, 2005 06:42 pm, Bob Ababurko wrote:
> Hello all-
>
> I am trying to figure out how to suspend a login for a user.  Do I 
> have to do this with password aging or is there an easier(read brute 
> force) way to disallow a user from logging in?

-- 
David Robillard
UNIX systems administrator
[EMAIL PROTECTED]

Notarius (TSIN) Inc.
465, rue St-Jean, suite 200
Montreal, Quebec, H2Y 2R6

Tel. : +1 514 966 0122
Fax. : +1 514 281 1226

http://www.notarius.com



Donating to FreeBSD.

2005-04-06 Thread David Robillard
Hello everyone,

We would like to donate to the FreeBSD project.

Unfortunately, the FreeBSD Foundation website is actually down
with no link to the appropriate contact information.

Can anybody point me in the right direction as on how to
proceed besides waiting for the site to come back online?

And for those of you who donated to the FreeBSD project:
may I ask how much you decided to give?
I'm just looking for ballpark figures, just for curiosity's sake.

Many thanks,

David

-- 
David Robillard
UNIX systems administrator
[EMAIL PROTECTED]

Notarius (TSIN) Inc.
465, rue St-Jean, suite 200
Montreal, Quebec, H2Y 2R6

Tel. : +1 514 966 0122
Fax. : +1 514 281 1226

http://www.notarius.com



Re: live mirroring

2005-02-14 Thread David Robillard
> Hi all,
> 
> I have a question. I want to set-up a site on 3 identical FreeBSD 
> servers, using Round Robin to distribute the load.
> 
> The site will be running some .cgi and .php scripts and when those 
> scripts make changes to the configuration files of the sites, they 
> need to be spread automatically to the other two servers. Also when 
> files are uploaded to one server, I need them to automatically upload 
> to the other servers to.
> 
> What is the best program to do this? Or am I looking at it the wrong 
> way and should I do it different?

Take a look at cfengine: http://www.cfengine.org/ (don't mind the ugly
web page). This program is used at many very large installations to make
sure every machine has the right configuration files. Clients query a
master at each interval to check if their configuration has changed. Thus
instead of having to log on to each machine to change the configs (which
is error prone, not to mention long and painful), you simply change the
file on the master and let it distribute itself.

It's relatively easy to set up and works very well.

Cheers,

David


--
David Robillard
UNIX systems administrator
[EMAIL PROTECTED]

Notarius (TSIN) Inc.
465, rue St-Jean, suite 200
Montreal, Quebec, H2Y 2R6

Tel. : +1 514 966 0122
Fax. : +1 514 281 1226

http://www.notarius.com


Re: I'm looking for school of freebsd in montreal.

2005-12-13 Thread David Robillard
Hi Eric,

I live in Montréal and I now run around 100 FreeBSD servers. They
provide all sorts of services from DNS, SMTP, WWW, Proxy, FTP,
Databases, Firewalls, you name it.

If you can wait a month or two, I can provide you with basic FreeBSD
training and then move on to more specialized setups as your FreeBSD
skills improve.

I've been working as a UNIX systems administrator for 7 years now and
it took me to various corporations located in Canada, France,
Luxembourg and Switzerland.

Let me know if you're interested,

David

P.S. En passant, je parle aussi Français.

#I'm looking for a school of FreeBSD in Montreal and I don't find any. I'm
#not really good in BSD, I started to use it last year. I use it as my main OS
#on my laptop to become a normal user, but the more I get into it, the more I
#feel stupid about this new world.

#I'm really impressed by the work of your team. I am interested to go to school
#to learn completely (as much as possible). I am interested to do server and
#network security, then programming.

#MY QUESTION: Does someone know if there is a school, in Montreal (Canada),
#that gives courses about FreeBSD?

#If not, I put all my money in the bank and in a couple of years I really hope
#to go to Berkeley University (California) to learn more about it.

#I hope at the same time to give a hand to Arnold Waterstachi

#Thanks for your help
#Eric Royal

--
David Robillard
[EMAIL PROTECTED]
Montreal: +1 514 966 0122


Re: need a restricted shell

2006-09-07 Thread David Robillard

I am looking for a shell that will allow Subversion to be run over
ssh but not allow interactive login or if it allows interactive
login, will only allow Subversion commands to be run...  Any ideas
on how to accomplish this?


Hi Chad,

You could install the shells/scponly port and build it with its chroot option
(i.e. sudo make -DWITH_SCPONLY_CHROOT install). Don't run `make
clean` just yet, because you will need the "setup_chroot.sh" script
which is inside the work/scponly- directory.

Use the script to create a chroot directory. Then populate this new
chroot directory with the files required by the commands and libraries
which you want to give to your users (such as Subversion).

Next, use vipw(8) to assign /usr/local/sbin/scponlyc as the shell and
the chroot directory for the user(s) which you want to limit only to
your Subversion commands. Assign a password to those users then test
if you can connect and use the Subversion commands.

Basically, this is Hack number 63 on page 269 in the book "BSD Hacks,
100 Industrial-Strength Tips & Tools" by Dru Lavigne published by
O'Reilly. (ISBN: 0-596-00679-9).

Also, to further restrict access to your machine, configure sshd(8) to
allow only a limited subset of users. See AllowUsers and AllowGroups
in sshd_config(5) for this.

Finally, if you happen to know the origin of the connections, then
configure TCP_WRAPPERS via /etc/hosts.allow to limit ssh connections.
See hosts_access(5) and section 14.6 of the FreeBSD Handbook for info
on how to set this up.

Alright, if you have any questions, please be my guest and send them up to me.

Cheers!

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: LVM support in FreeBSD

2006-09-07 Thread David Robillard

Hi list,

I'm wondering whether FreeBSD is able to support reading (at least, but
preferably also writing) Linux LVM volumes? I have an itch to try FreeBSD on
a desktop but all my data is in a Linux LVM.

Is it possible?


I really have no idea if it works, but have you tried to export your
LVM volume via NFS and then mount it on your FreeBSD machine? All
FreeBSD will see is an NFS volume, which we all know works very well.

Just an idea,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: trouble with a pair of bind9 servers

2006-09-08 Thread David Robillard

the trouble im having is, that my slave (5.5-p3) will not transfer the zone
from the master (6.1-p4).  my /var/log/messages is filled with these:

Sep  7 21:50:24 fbsd55-2 named[1847]: exiting
Sep  7 21:50:26 fbsd55-2 named[1924]: starting BIND 9.3.2 -t /var/named -u bind
Sep  7 21:50:26 fbsd55-2 named[1924]: /etc/namedb/named.conf:40: option 
'allow-update' is not allowed in 'slave' zone 'dlptest.com'


Hi Jonathan,

First, I would recommend you send this question to the BIND mailing
list at <[EMAIL PROTECTED]>. See ISC's website for more on subscribing
at http://www.isc.org/index.pl?/sw/bind/bind-lists.php and the
archives at http://marc.theaimsgroup.com/?l=bind-users

Now, this first error is self explanatory: you can't use
'allow-update' in a slave zone, only in the master. It makes sense,
because if the slave had updates, then it would not be able to tell
the master about those updates and the zones would become inconsistent
between your machines (resulting in quite a mess). The other way
around is better: update the master, which will then send notify
messages to your slave, which in turn will download the updates.

So just remove 'allow-update' in the slave's named.conf(5).



Sep  7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has 0 SOA 
records
Sep  7 21:50:26 fbsd55-2 named[1924]: zone dlptest.com/IN/internal: has no NS 
records


These point to a bad zone file. You should double check your
/etc/namedb/dlptest.com.i.hosts file. Make sure you have both SOA and
NS records in them. Consider using the named-checkzone(8) command to
check your zone files. See the man page for named-checkzone(8) for
more info.

Hummm, I know it's not my business, but may I suggest another name
for your zone files? I personally use "db.dlptest.com.internal" and
"db.dlptest.com.external" for the master files. For the slave, I use
"bak.dlptest.com.internal" and "bak.dlptest.com.external". IMHO it's a
little more clear whether you're working on a internal slave file or
an external master file :)



Sep  7 21:50:26 fbsd55-2 named[1924]: running
Sep  7 21:50:27 fbsd55-2 named[1924]: dumping master
file: /etc/namedb/tmp-UZF5mCCxZP: open: permission denied
Sep  7 21:50:27 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from
192.168.125.91#53: failed while receiving responses: permission denied
Sep  7 21:51:20 fbsd55-2 named[1924]: dumping master
file: /etc/namedb/tmp-SaWWYxV06u: open: permission denied
Sep  7 21:51:20 fbsd55-2 named[1924]: transfer of 'dlptest.com/IN' from
192.168.125.91#53: failed while receiving responses: permission denied

This was giving me the impression that the bind user was not able to write
to /var/named/etc/namedb, but every time I make a chmod or chown adjustment,
it just gets changed back:

fbsd55-2# /etc/rc.d/named restart
Stopping named.
etc/namedb changed
user expected 0 found 53 modified
Starting named.
fbsd55-2#


I'm afraid I'm not quite sure what this problem is. Maybe check your
fstab(5) for special options such as noexec or nosuid and friends.
Check the mount(8) man page if you find anything. Also, have you played
with chflags(1)? Finally, I would check the ISC's BIND mailing list
archives to see if you can come up with something.

Good luck,

David


I've been dinking around with this for a few hours now, and I'm about to pull
what little hair I have left out.  Can someone shed light on this for me
please?  Any help at all would be much appreciated!

cheers,
jonathan


--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
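An added example, not code from the thread, of the kind of check the reply asks for before reaching for named-checkzone(8): it counts the SOA and NS records in a zone file and reports the same two conditions that named logged above ("has 0 SOA records", "has no NS records"). The two zone files are constructed for this example, the function names (count_records, check_zone) are mine, and the check only counts record types by keyword; named-checkzone(8) remains the real validator.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumed names: count_records,
# check_zone, GOOD_ZONE, BAD_ZONE. Zone contents are constructed sample data.

# A zone with a single apex SOA, two NS records and two A records.
GOOD_ZONE='$TTL 3600
@   IN  SOA ns1.dlptest.com. hostmaster.dlptest.com. (
        2007090701 ; serial
        3600 900 604800 3600 )
    IN  NS  ns1.dlptest.com.
    IN  NS  ns2.dlptest.com.
ns1 IN  A   192.168.125.91
ns2 IN  A   192.168.125.92'

# A zone that would make named log "has 0 SOA records" and "has no NS records".
BAD_ZONE='$TTL 3600
ns1 IN  A   192.168.125.91   ; neither SOA nor NS present'

# count_records FILE TYPE: number of records whose type keyword is TYPE.
# Comments (everything after ';'), blank lines and $TTL/$ORIGIN directives are
# skipped; the type keyword is looked for among the first four fields, so a
# multi-line SOA in parentheses is counted once, on its first line.
count_records() {
    awk -v type="$2" '
        { sub(/;.*/, "") }                       # strip comments
        NF == 0 || $1 ~ /^\$/ { next }           # blank lines, $TTL, $ORIGIN
        { for (i = 1; i <= NF && i <= 4; i++) if ($i == type) { n++; break } }
        END { print n + 0 }' "$1"
}

# check_zone FILE: apply the two checks behind the log lines. Prints a
# diagnostic per failed check and returns non-zero if either one fails.
check_zone() {
    soa=$(count_records "$1" SOA)
    ns=$(count_records "$1" NS)
    rc=0
    [ "$soa" -eq 1 ] || { echo "$1: has $soa SOA records (expected exactly 1)"; rc=1; }
    [ "$ns" -ge 1 ]  || { echo "$1: has no NS records"; rc=1; }
    [ $rc -eq 0 ] && echo "$1: SOA and NS present"
    return $rc
}
```

Run it as `check_zone /etc/namedb/db.dlptest.com.internal` after writing the zone; a non-zero exit is the same condition named reports, caught before the restart.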


jdk -- jar directory traversal vulnerability (CVE-2005-1080).

2006-09-12 Thread David Robillard

Hi everyone,

Are there any workaround or a patch for this security problem?

FreeBSD Foundation's Java JDK and JRE 5.0 Update 7 binaries for
FreeBSD 6.1/i386:

Affected package: diablo-jdk-freebsd6.i386.1.5.0.07.00
Type of problem: jdk -- jar directory traversal vulnerability.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

Many thanks,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: freeBSD certified server hardware ?

2006-09-18 Thread David Robillard

Does anyone know if any server manufacturer of high regard is
currently certifying for freeBSD 6.1?
I know the general answer is check the components on the release
notes.  I also know there are a few integrators on the community list
(wow, some of their list pricing is much higher than the big
names!!).  Doesn't HP, Sun, IBM, Dell have anything they certify for
FreeBSD?  Is this expected to get better over the next year or so?
thanks, ke han


Hello ke han,

To my knowledge, none of the top vendors have any certification for FreeBSD.

What I suggest you do is have one of the sales rep set you up with a
test machine. The easiest way to do so is to go at their offices with
a FreeBSD install disk and try to boot/install it on the hardware
you're interested in. That's what I do with HP, Sun and IBM (IMHO, try
to avoid Dell).

On the other hand, there is a company at
http://www.freebsdsystems.com/. By their name, one would think that
the hardware they push should work fine with FreeBSD. I never dealt
with them, so I really have no idea if they're good?

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Is Active Directory integrated file sharing possible on FreeBSD?

2006-09-19 Thread David Robillard

I just wanted to sanity check that it is possible.  I think he just
doesn't want to work on our server because it isn't Linux :)


Have you looked into "Windows Services for UNIX" from Microsoft ?

http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx

I've tried version 2.0 while at another company and it was already
pretty good. They're at version 3.5 now, so one could think it's
better now.

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Does mpd (multi-link PPP daemon) support IPv6?

2006-09-28 Thread David Robillard

I want to know whether mpd (multi-link PPP daemon) could possibly
support IPv6. When I want to establish a PPTP connection with a PPTP
server running mpd, could I use IPv6CP instead of IPv4CP to set up the
PPP? If it supports, how could I configure the related parameters in the
configuration files? I could only find the ipcp syntax.


I run mpd and I did a simple `grep -i ipv6
/usr/local/share/doc/mpd/*`. It came up with nothing.
No mention of IPv6 in the mpd(8) man page either.

Try to contact the project admins, they probably know more than us on
this topic. Get their email at http://sourceforge.net/projects/mpd

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: problems ssh'ing debug1: An invalid name was supplied (OSX client)

2006-10-10 Thread David Robillard

any clues why ssh is hanging before a prompt is provided from the
server side. this prompt stalling behavior is only happening when I
am coming from my OSX ssh client. Any clues on this? I have never see
this betwe.


I had this problem when DNS was broken for the FreeBSD server and the
MacOS X client. Make sure the DNS you're using can resolve both
forward and reverse for the client and the server. Then your ssh
session will be fast and free of this error.

Regards,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Bug with tcsh? : if evaluating true instead of false

2006-10-25 Thread David Robillard

Ok, so I tried to make a simple script to add users so I wouldn't have
to type in groups/pw over and over again... the problem is that it's not
behaving like it should =o.


[ ...8<... Removed a bunch of lines ...8<... ]

IMHO, if you need to script something, use /bin/sh. It's the standard
shell interpreter on all flavors of UNIX and Linux (except maybe MacOS
X). All of the rc scripts are written with it. So why bother with
another shell?

Here's an interesting read on the topic:
http://www.faqs.org/faqs/unix-faq/shell/csh-whynot/
BTW, Tom Christiansen who wrote this is co-author of "Programming
Perl" from O'Reilly.

So, Garret, if you need help with this, I have a /bin/sh version of
the script you're trying to do. Just drop me a line and I'll send it
to you.

Just my two cents :)

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Bug with tcsh? : if evaluating true instead of false

2006-10-26 Thread David Robillard

I appreciate the help thanks!


Sure, I'll send the script to you in an individual email instead of as
an attachment to the list. Should anyone on the list want a copy,
just drop me an email.


I'd appreciate the script though, definitely, as any resource I have to learn 
all Unix script languages properly will only help in my becoming a better Unix 
admin as well as script more common tasks to help make my life a bit easier.


When I started to write shell scripts, I read a nice book which
covered sh, csh and ksh with lots of examples. That was the first
edition, but it's now in its fourth edition and now has coverage of
bash and tcsh, plus you get info on sed & awk.

"UNIX Shells By Example", Ellie Quigley, Prentice Hall PTR; 4th
edition (Sep 24 2004), 1200 pages, ISBN: 013147572

On amazon.ca: 
http://www.amazon.ca/UNIX-Shells-Example-Ellie-Quigley/dp/013147572X/sr=1-1/qid=1161886975/ref=sr_1_1/701-2925611-9451566?ie=UTF8&s=books

Otherwise, you can always Google around for "unix shell script" and
such. There are a lot of sites on the topic. I would select one from a
University.

Have fun!

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Best laptop for Freebsd

2006-11-16 Thread David Robillard

Hi Folks,

Well I stayed off the beer and other sinful delights for a while (month
or so P:) and have raked together enough cash to buy a new laptop. For
those of you out there with experience what would you advise. The plan
would be for ..unfortunately Windoze (vba stuff for work), Freebsd, and
most likely fedora. I had no problems getting my wireless to
work on the old one using the ndis stuff and freebsd beat the other
two hands down for performance.

Is there any one model or product that would be better for Freebsd 6 (as
this is my day in day out operating system).

Any experiences and or advise would be much appreciated.


thanks

Geoff


Hi Geoff,

It's not FreeBSD, but may I suggest an Apple PowerBook running MacOS
X? Or the new MacBook line?

I use a PowerBook G4 under MacOS X 10.4.8 as an administration system
everyday to manage around 50+ FreeBSD servers. I connect to my
server's serial consoles via a USB-to-Serial adapter from Keyspan with
ZTerm. You also have access to a ports-like environment on MacOS X
via http://www.macports.org/ and http://www.darwinports.com/.  It
works great.

My two cents.

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Fwd: solutions for web hosting server

2006-11-17 Thread David Robillard

- ftp server ... I don't really know what to install, proftpd it's good ?


I personally switched from proftpd to vsftpd. I find it easier to
configure and it is built with security in mind from the ground up. It's
also in the ports tree.

Using vsftpd (or even most other ftp daemons) you can chroot your
users into the root of their public_html site, so that when they
connect to your FTP daemon, they will see the root directory as their
files.

Also enable FTP over SSL to prevent clear-text passwords from going
unencrypted on the web.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Building Sendmail from ports

2006-11-22 Thread David Robillard

[ ---8<--- Text has been removed! ---8<---]


But, where will the port install my *.mc and *.cf files? This I can't
seem to figure out. I would like to know before I hit 'make install' in
the port dir. I would think it will install them into
/usr/local/share/sendmail/cf, would that be correct?


Hi DAve,

When you use the mail/sendmail port, it does install files in
/usr/local/share/sendmail. Think of it as the base system's sendmail
files in /usr/share/sendmail.

Now, the .mc and .cf files are still kept in /etc/mail and not in
/usr/local/etc/mail as one could think by using a port.

Note that you will find two scripts in /usr/local/etc/rc.d when you
install the sendmail port. They are `sendmail.sh.sample' and
`sm-client.sh.sample'. But you don't need to use them. The base
system's /etc/rc.d/sendmail script handles both the base system's
sendmail and the port's sendmail.

The key for a pain free mail/sendmail ports usage is to do what you
said. That is to edit make.conf(5) and to use special make(1) targets
from the mail/sendmail's Makefile.

Briefly, here's the way I do things when I update mail/sendmail (YMMV of course)

sudo vi /etc/make.conf

##
# mail/sendmail port configuration.
##

# Do not build and install the base distribution of sendmail.
#
NO_SENDMAIL= TRUE

# Specify where the configuration directory is located.
#
SENDMAIL_CF_DIR=/usr/local/share/sendmail/cf

.if ${.CURDIR:M*/mail/sendmail}
# One knob per line: a trailing backslash would fold the following
# lines into the value of the first variable and leave the rest undefined.
SENDMAIL_WITHOUT_IPV6=yes
SENDMAIL_WITHOUT_NIS=yes
SENDMAIL_WITH_TLS=yes
SENDMAIL_WITH_SMTPS=yes
SENDMAIL_WITH_LDAP=yes
SENDMAIL_WITH_BERKELEYDB_VER=42
SENDMAIL_WITH_SOCKETMAP=yes
SENDMAIL_WITH_PICKY_HELO_CHECK=yes
SENDMAIL_WITH_SHARED_MILTER=yes
.endif

sudo porteasy -uv mail/sendmail
sudo porteasy -uv security/openssl
sudo porteasy -uv security/gnutls

cd /usr/ports/mail/sendmail

sudo make
# -OR- if you don't want to edit make.conf(5), you can run something like this:
sudo make -DSENDMAIL_WITHOUT_IPV6 -DSENDMAIL_WITHOUT_NIS \
    -DSENDMAIL_WITH_TLS -DSENDMAIL_WITH_SMTPS \
    -DSENDMAIL_WITH_BERKELEYDB_VER=42 -DSENDMAIL_WITH_SOCKETMAP \
    -DSENDMAIL_WITH_PICKY_HELO_CHECK -DSENDMAIL_WITH_SHARED_MILTER

sudo make tls-install
sudo make install
sudo make mailer.conf
sudo make clean

Now, you might not need the exact same features of Sendmail as I do,
of course. But the `make mailer.conf' is quite important. That's going
to edit /etc/mail/mailer.conf which instructs the OS to use
/usr/local/sbin/sendmail instead of the base system's sendmail. You
don't have to change your PATH either.

Why? Because if you take a look at /usr/sbin/sendmail, it's not a binary,
it's a symbolic link to `/usr/sbin/mailwrapper'. Just read the
mailwrapper(8) man page and you'll understand how things work.


I want to make certain that when I build new sendmail.in.cf and
sendmail.out.cf the correct files are used by m4. Currently I run the
following when making changes to my *.mc files

/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/
/usr/share/sendmail/cf/m4/cf.m4 sendmail.in.mc > sendmail.in.cf


Take a look at the /etc/mail/Makefile and you'll see that it can
determine your _CF_DIR_. But it takes a wrong decision. It uses either
/usr/share/sendmail/cf or /usr/src/contrib/sendmail/cf.

To work around this, you can edit /etc/mail/Makefile or use the
following at the top of your sendmail.mc files:

dnl include.
dnl Use the following m4 macro file.
dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl

That's it. If you need any help, don't hesitate to contact me.

Have fun :)

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Best practice for SMTP relay with user authentication.

2007-08-13 Thread David Robillard
> I have my postfix authenticate users before accepting mail for non-local
> delivery. Till now, users can connect to port 25 and 465 (smtps) use
> STARTTLS and authenticate.
>
> But, I stumbled upon submission port 587 which is not reserved - it
> appears - for a protocol but for a use?
>
> I'd like to align my configuration with best practice. Should I just
> move postfix to bind to port 587 or did I misunderstand that submission
> is indeed a different protocol? Is there any best practice for which
> protocol should be used for submission?

Port 587 is used by the Mail Submission as defined in section 3.1 of
RFC 2476 - Message Submission:

3.1. Submission Identification

Port 587 is reserved for email message submission as specified in this
document. Messages received on this port are defined to be
submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with
additional restrictions as specified here.

While most email clients and servers can be configured to use port 587
instead of 25, there are cases where this is not possible or
convenient. A site MAY choose to use port 25 for message submission,
by designating some hosts to be MSAs and others to be MTAs.

Basically, port 25 is used by Mail Transfer Agents (MTA) while 587 is
used by the Mail Submission Programs (MSP).

If you need more info, check the "Bat Book" (i.e. Sendmail by
O'Reilly) which is pretty clear on that topic. You can also check
"Sendmail Cookbook" also from O'Reilly for tips, tricks and recipes
on what you can do with MSP. Of course, it's sendmail related. But I'm
quite sure you can adapt it to Postfix or whatever your organisation
uses to handle emails.

Finally, IMHO the best description of the what, where and why of
Submission is described in the "UNIX System Administration Handbook"
by Nemeth, Snyder, Seebass & Hein. Check it out at
http://www.admin.com. It's a must read for all UNIX systems
administrators.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Configuring OpenLDAP on FreeBSD 6.2 Release, Problems.

2007-08-23 Thread David Robillard
> Sorry, I am pretty new with LDAP too :) I have no documentation beside
> the one I found from Googling around.

Hi Olivier,

There are a few good books about LDAP out there, but most of them are
quite old unfortunately. Anyhow, I found that reading "LDAP System
Administration" by Gerald Carter from O'Reilly was a good help in
understanding LDAP, deploying OpenLDAP and configuring applications to
fetch data from the LDAP directory (i.e. sendmail, replace NIS, PAM,
FTP, Apache, DNS, etc). Get more info at
http://www.oreilly.com/catalog/ldapsa/index.html

For a more in depth look into LDAP itself, get your hands on
"Understanding and Deploying LDAP Directory Services" by Timothy A.
Howes & al. from Addison-Wesley. Again, it's rather old, but will
still help your understanding of LDAP quite a lot. Check it out on
Amazon at 
http://www.amazon.ca/Understanding-Deploying-LDAP-Directory-Services/dp/0672323168/ref=wl_itt_dp/702-7398595-5616835?ie=UTF8&coliid=IDX1KGHZ13UXH&colid=CWBQ1L7F8P6P

Next is the "Oracle Internet Directory Administrator's Guide" document
which covers LDAP very well, just don't read the Oracle specific stuff
if you're not interested. You can reach this doc for free at
http://download-east.oracle.com/docs/cd/B14099_11/idmanage.1012/b14082/toc.htm

Finally, for a more OpenLDAP centric book, look for "OpenLDAP by
Example: Practical Exercises in LDAP Directory Deployment" by John H.
Terpstra & Benjamin Coles from Prentice Hall PTR. Contrary to the
other books, this one is not yet published (as you can see from
http://www.amazon.ca/OpenLDAP-Example-Practical-Exercises-Deployment/dp/0131488732/ref=wl_itt_dp/702-7398595-5616835?ie=UTF8&coliid=I1YEUBXAR8YIE3&colid=CWBQ1L7F8P6P
;) Seems quite promising. We'll see

Good luck,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: named-bind-9

2007-09-17 Thread David Robillard
> I am having  problems with my zone file...
> There used to be a command to run and check zone files/Named files..
>
> I can't seem to locate it...??

See named-checkzone(8) and named-checkconf(8)

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Question:encryption tool.

2007-02-15 Thread David Robillard

I am looking for any suggestion on using the right tool  that I can use to
perform the   encryption/decryption for flat files.

We have a requirement to encrypt 15 flat files and be dumped on tape and be
stored in remote site  facility for later business resumption.

or in the crash/fire/emergency situation for the recovery purposes.

For consistency I am planning to use the same tool across our Solaris, Linux
and Freebsd OS oracle database environments.


Check out SysAdmin magazine's article "Backup Encryption" from the
March 2007 issue. It looks like exactly what you're looking for:

http://www.samag.com/documents/s=10118/sam0703b/0703b.htm

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Apache Rotate Logs and Log Rotate.

2007-02-15 Thread David Robillard

I have Apache making separate log files for each of my virtual hosts and
putting them in /home/vhostname/log. Rotate logs makes a new log every
24 hours, but the logs quickly add up and since the sites are fairly
busy the logs are at times over 5gigs. Is there any way to make rotate
logs delete the log files after two days? Someone recommended me Log
Rotate (from the ports tree), but this program does basically what
Rotate logs does; except it makes things more complicated because it
needs to restart apache and such. Is there a easy way to just have
Apache's rotatelogs rotate the logs and then delete them after two days?

Any feedback, suggestions, or comments would be greatly appreciated.


Hi Peter,

I personally use neither Log Rotate nor Rotate Logs, but configure
newsyslog.conf(5) to handle the job of Apache log rotation
and clean-up.

The newsyslog software is part of FreeBSD's base system, so you don't
need to install anything. Just configure /etc/newsyslog.conf and
that's it. No need to restart anything because newsyslog is already
active in FreeBSD's base system via /etc/crontab. It can rotate the
logs, compress them with either gzip(1) or bzip2(1) and remove the old
ones to preserve disk space.

For example, let's say you have two virtual host's logs into
/home/vhostname1/log and /home/vhostname2/log, you can configure
newsyslog to:

a) Keep only 10 log files. Remove the older ones as they grow. (i.e.
10 in the config below)
b) Create files with chmod 640 and owner root:www (i.e. root:www and 640)
c) Rotate the files when they reach 1Mb in size. (i.e. 1048576)
d) Compress the files with gzip(1) to preserve compatibility with
webalizer. (i.e. Z)

# logfilename  [owner:group]  mode  count  size  when  flags  [/pid_file]  [sig_num]

# Host vhostname1.
#
/home/vhostname1/log/access.log  root:www  640  10  1048576  *  Z  /var/run/httpd.pid
/home/vhostname1/log/error.log   root:www  640  10  1048576  *  Z  /var/run/httpd.pid

# Host vhostname2.
#
/home/vhostname2/log/access.log  root:www  640  10  1048576  *  Z  /var/run/httpd.pid
/home/vhostname2/log/error.log   root:www  640  10  1048576  *  Z  /var/run/httpd.pid

Check the man pages for newsyslog(8) and newsyslog.conf(8) for more information.

I've been using this for more than two years now and it works like a charm.

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Ksh Shell script security question.

2007-02-15 Thread David Robillard

I am am puzzled how to secure this code when this shell script is
being executed.

${ORACLE_HOME}/bin/sqlplus -s  <

Hi Dak,

The reason you can see the code in ${RESTOREFILE} is because of the
tee command. With `tee -a` you're actually asking to have the code
installed in ${RESTOREFILE}.

Now, one way to secure this is to set a restrictive umask at the start
of the script. For example, setting `umask 0077` will cause your
script to generate files which will only be read/write for the user
who runs the script. But the files will still have you username/passwd
in them.

To remove the username/passwd from the files, may I suggest you change
your code to include the username/passwd into the sqlplus command.
Like this for example:

export ORACLE_SID="your_oracle_sid"

sqlplus "${USERNAME}/${PASSWORD}" -s <<-EOF | tee -a ${RESTOREFILE}
   set heading off
   set feedback off
   set pagesize 500
   select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
   quit
EOF

This will still generate a file, but the username/password won't be
there. Of course, that means you need to hide your credentials in an
encrypted file elsewhere on your machine.
You can then setup code that will check the md5 sum of the password
file and use something like OpenSSL or GPG to encrypt/decrypt the
file.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
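An added example, not code from the post, putting the reply's pieces together: a restrictive umask, the credentials kept in a file only its owner can read, an integrity check on that file before it is used, and the SCN query appended to the restore file without the credentials in it. It differs from the reply's one-liner in one respect, which it states plainly: the user/password pair is placed on a CONNECT line inside the here-document given to `sqlplus -s /nolog`, so it travels on sqlplus's standard input rather than in its argument list. The function names (setup_credentials, check_credentials, scn_query, run_scn_query), the SQLPLUS variable, and the sample credentials are assumptions for this example; cksum(1) stands in for the md5 check, and encrypting the file with openssl or gpg, as the reply suggests, is left as the step that would replace the clear-text write in setup_credentials.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumed names: setup_credentials,
# check_credentials, scn_query, run_scn_query, and the SQLPLUS variable that
# points at the sqlplus binary (or a stand-in for a dry run).

umask 0077   # anything this script creates is readable by its owner only

# setup_credentials FILE USER PASSWORD: write a "user/password" file that only
# the owner can read, and record its checksum next to it. Run once, at setup.
# (An openssl/gpg decrypt step would replace the clear-text printf here.)
setup_credentials() {
    printf '%s/%s\n' "$2" "$3" > "$1"
    chmod 0600 "$1"
    cksum < "$1" | awk '{ print $1 }' > "$1.cksum"
}

# check_credentials FILE: refuse the file if its checksum changed or if any
# group/other permission bit is set (ls -l columns 5-10 must all be '-').
check_credentials() {
    expected=$(cat "$1.cksum" 2>/dev/null) || return 1
    actual=$(cksum < "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# scn_query USER/PASSWORD: the SQL*Plus script from the post, with the
# credentials carried on a CONNECT line. sqlplus reads them from stdin, so
# they never appear in its argument list where ps(1) would show them.
scn_query() {
    cat <<EOF
connect $1
set heading off
set feedback off
set pagesize 500
select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;
quit
EOF
}

# run_scn_query CREDFILE RESTOREFILE: validate the credentials file, run the
# query, and append only the query output to RESTOREFILE.
run_scn_query() {
    check_credentials "$1" || { echo "refusing to use $1" >&2; return 1; }
    scn_query "$(cat "$1")" | "${SQLPLUS:-sqlplus}" -s /nolog | tee -a "$2"
}
```

With ORACLE_SID exported as in the post, `run_scn_query /var/db/oracle/creds restore.log` appends the SCN line to restore.log; the credentials file itself is never copied into it, and a tampered or group-readable credentials file stops the run before sqlplus starts.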


Re: Using source control to manage system configs

2007-02-26 Thread David Robillard

If you don't have strong ties to CVS, already, I suggest using Subversion.  It
handles many of your complaints about permissions and symlinks better than CVS
does.


I agree, Subversion is better than CVS. We've switched from CVS to
Subversion a year ago and so far the entire dev team is very happy. If
you do have an existing CVS infrastructure, it's also possible to
switch to Subversion with cvs2svn which is in the ports tree (i.e.
devel/cvs2svn).


You might find that using something like cfengine from ports suits your goals
better than rolling your own pushing mechanism.  The issue that you'll run
into is that you tend to need a human or at least a decent set of rc scripts
to properly adjust config files and make sure that services come back up after
a significant config change or major version update exposing some
compatibility problem.


Again, Chuck is absolutely right. Cfengine is great, but you must know
what you're doing.

If you simply want to track changes and be able to roll back your
configuration files, then  go with a more simple approach like using
RCS locally. RCS is part of the base FreeBSD system.

Just create a directory named RCS (in capital letters) and use the RCS
commands. Check the man pages for rcs(1) ci(1) co(1) rcsdiff(1) and
rcsintro(1). Actually, rcsintro(1) is probably where you want to
start.

http://www.freebsd.org/cgi/man.cgi?query=rcsintro&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

Now if you want to keep your changes on another machine, then it's
just a simple question of running a backup of your machines. (you do
backup right? ;)

I've been using RCS for 10 years now and it's simple, fast and does
not depend on your network. So it's always there even in worst case
scenarios.

RCS is also present under a whole bunch of different UNIX flavors like
FreeBSD, NetBSD, OpenBSD, RedHat, SuSE, Solaris, AIX, IRIX and HP-UX.
So you're never lost because it's always the same :)

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
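An added example, not from the post, of the local RCS workflow the reply recommends, wrapped in a few shell functions so the check-in, the "did anyone edit this since?" check and the revision count can be scripted: create the RCS directory beside the file, check in with a locked working copy so the file stays editable in place, and commit further revisions with a message. The function names are mine; the paths are whatever you pass in, so it works on /etc/ntp.conf as well as on a scratch copy.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumed names: track_file,
# commit_file, revisions, modified_since_checkin. Requires the RCS tools
# (ci, rlog, rcsdiff), which FreeBSD ships in the base system.

# track_file FILE: create the RCS directory next to FILE and check in the
# first revision. -l keeps a locked working copy so FILE remains editable;
# -t- supplies the description and -m the log message, so ci never prompts.
track_file() {
    mkdir -p "$(dirname "$1")/RCS"
    ci -q -l -t-"tracked with track_file" -m"initial version" "$1"
}

# commit_file FILE MESSAGE: record the current contents as a new revision.
# ci does not store an identical file, so this is harmless if nothing changed.
commit_file() {
    ci -q -l -m"$2" "$1"
}

# revisions FILE: number of revisions stored for FILE, taken from rlog -h.
revisions() {
    rlog -h "$1" | sed -n 's/^total revisions: *\([0-9]*\).*/\1/p'
}

# modified_since_checkin FILE: true when the working copy differs from the
# newest revision. rcsdiff exits 0 when identical, 1 on differences, 2 on error.
modified_since_checkin() {
    rcsdiff -q "$1" >/dev/null 2>&1
    [ $? -eq 1 ]
}
```

A nightly `modified_since_checkin /etc/rc.conf && echo "rc.conf edited but not checked in"` from cron is the cheapest way to catch the merge-back problem the original poster describes.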


Re: mysql50-server on FreeBSD 6.2 w/ LINUX_THREADS?

2007-02-28 Thread David Robillard

Is it still advisable to build the mysql50-server on FreeBSD 6.2 using
the LINUX_THREADS option? I'm using the SMP kernel on an older dual
1.0GHz Pentium III. This page <http://wiki.freebsd.org//MySQL>
suggests that the libthr library in FreeBSD 6.x is optimized for MySQL
and perhaps better than using linuxthreads.

Any thoughts?


Hi Patrick,

We're running several MySQL databases on FreeBSD 6.1 and 6.2 RELEASE
and we don't use LINUX_THREADS. So far  so good as they say.

Concerning MySQL performance on FreeBSD, I recently saw this article
which could be of interest to you:

Linux vs FreeBSD using mysql and sysbench
http://jeffr-tech.livejournal.com/5705.html

Aside from a potential holy flame war from FreeBSD vs Linux, this
article does present you with an interesting my.cnf configuration
file. Maybe that could interest you?

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Apache Rotate Logs and Log Rotate.

2007-02-28 Thread David Robillard

On 2/28/07, Peter Pluta <[EMAIL PROTECTED]> wrote:

Hey David, quick question. I found this while doing a bit of reading. Is
it safe for Syslogd to send a kill -HUP to apache? This site is
extremely high traffic and I wouldn't want it cutting off users during
the HUP to rotate the logs. I'm running Apache 2.2.4 and FreeBSD 6.2

http://www.freebsddiary.org/startstop.php

It looks like Apachectl graceful is the only safe way to restart apache.


Hi Peter,

The article you're referring to is for Apache 1.3.x and you seem to be
running 2.2.x

Should you want, you can get more detailed information on how Apache
1.3.x handles kill signals here:
http://httpd.apache.org/docs/1.3/stopping.html

It's basically the same for Apache 2.2.x which is covered here:
http://httpd.apache.org/docs/2.2/stopping.html

Having said that, if your site is really busy, then consider changing
the kill signal in newsyslog.conf from -HUP to -USR1 which will
gracefully ask running httpd processes to restart once they have
finished talking to their user. As the article says:

''The USR1 signal causes the parent process to advise the children to
exit after their current request (or to exit immediately if they're
not serving anything). The parent re-reads its configuration files and
re-opens its log files. As each child dies off the parent replaces it
with a child from the new generation of the configuration, which
begins serving new requests immediately.''

Check the man page for newsyslog.conf(5) at
http://www.freebsd.org/cgi/man.cgi?query=newsyslog.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

The last field in newsyslog.conf is where you setup which signal is
used. Here's what the man page says:

signal_number
    This optional field specifies the signal number that will be sent
    to the daemon process (or to all processes in a process group, if
    the U flag was specified).  If this field is not present, then a
    SIGHUP signal will be sent.

Cheers,

David


David Robillard wrote:
> Hi Peter,
>
>> Someone told me that I need to gracefully restart apache for it to make
>> a new log; and then wait till Apache's memory buffer is emptied to disk
>> before gziping or bziping the files.
>
> Well, I've never had to do this. Newsyslog sends a `kill -HUP` to
> apache's master PID. Which causes Apache to reopen its log files. For
> me anyway, the newsyslog configuration I gave you never caused me any
> problem at all. Keep in mind that you do have to send Apache a -HUP
> signal, otherwise you'll lose logs when newsyslog rotates them.
>
>> Also, is it wise to have logs for each user in their home directory?
>> Someone told me this is a serious security issue; but I can't see why
>> it would be.
>
> It is a security issue if the user has the rights to login to your
> machine. If he doesn't, then you shouldn't be worried.
>
> But I just don't take that chance and make all of my Apache log files
> under /usr/local/www/virtalhost1/logs which is not accessible from
> Apache itself because I setup my DocumentRoot under
> /usr/local/www/virtalhost1/public_html. This way, I know for sure that
> everything for virtualhost1 is under a single directory, but that my
> logs can't be seen by anyone via Apache.
>
> David

--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Using source control to manage system configs

2007-02-28 Thread David Robillard

On 2/27/07, Rob <[EMAIL PROTECTED]> wrote:

David & Chuck,

I'm already using RCS, and I've built a somewhat clunky mechanism
around it.

One machine holds the master copies of
- site-wide files (/etc/ntp.conf, /etc/resolv.conf, /etc/syslog.conf)
- host-specific files (/etc/hosts, /etc/passwd, /etc/rc.conf) for
each server

At install time, both sets of files are tarred up and copied to the
new server. If there's a conflict, the host-specific files win.

Problem:

It's a good system for installs, but then I update the files on the
working server. I always mean to merge the changes back to the master
copy, but it never quite happens.

Solution:

CVS with a remote repository looks good - updates on the server, and
a central record of all changes. Reinstalling a server should be as
easy as 'cvs co $HOST'.

Problem:

I don't want 6 identical copies of /etc/ntp.conf under version
control, so the site-wide files and host-specific files should be in
separate modules. But they have the same working directory, and this
is where I run into problems with CVS - it's impossible to check them
both out to the same server.

Is there some way to do this with Subversion? Or can a file be shared
by different modules? Or am I going about this all wrong?


Hi Rob,

Well, I'm not quite sure that it will answer all of your questions,
but take a look at Luke Kanies's article called ''Using version
control in system administration''.

It's available from the USENIX website at
http://www.usenix.org/publications/login/2005-12/pdfs/kanies.pdf

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
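The problem Rob describes is configuration drift: the copy on the working server changes and the master copy never learns about it. As an added example (mine, not from the thread or from Luke Kanies's article), here is a Python check that takes a site-wide tree and a host-specific overlay, applies Rob's own rule that host-specific files win, and compares the result with what is actually on the live system, reporting files that were modified on the box, files that are missing, and files nobody ever put under version control. The directory layout and file contents are constructed sample data written to a temporary directory, so it runs stand-alone; point expected_state() and drift() at your real checkouts and /etc to use it.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map relative path -> SHA-256 of content for every regular file below root (symlinks skipped)."""
    root = Path(root)
    digests = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def expected_state(site_dir, host_dir):
    """What the server should have: site-wide files, overridden by host-specific ones (host wins)."""
    state = tree_digests(site_dir)
    state.update(tree_digests(host_dir))
    return state


def drift(expected, live_dir):
    """Compare the live tree against the expected state.

    Returns {'modified': [...], 'missing': [...], 'unmanaged': [...]} of relative paths.
    'unmanaged' lists live files nobody put under version control; on a real /etc
    you would filter that list down to the files you actually care about.
    """
    live = tree_digests(live_dir)
    report = {"modified": [], "missing": [], "unmanaged": []}
    for rel, digest in sorted(expected.items()):
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel] != digest:
            report["modified"].append(rel)
    report["unmanaged"] = sorted(set(live) - set(expected))
    return report


def build_demo():
    """Constructed sample trees in a temp dir: site-wide master, host overlay and a 'live' server."""
    base = Path(tempfile.mkdtemp(prefix="cfgdrift-"))
    files = {
        "site/etc/ntp.conf":    "server ntp1.example.net iburst\n",
        "site/etc/resolv.conf": "nameserver 192.0.2.53\n",
        "site/etc/rc.conf":     'sshd_enable="YES"\n',                      # site default
        "host/etc/rc.conf":     'sshd_enable="YES"\nntpd_enable="YES"\n',   # host-specific, wins
        "host/etc/hosts":       "127.0.0.1 localhost\n",
        "live/etc/ntp.conf":    "server ntp1.example.net iburst\n",
        "live/etc/resolv.conf": "nameserver 192.0.2.53\nnameserver 198.51.100.1\n",  # edited on the box
        "live/etc/rc.conf":     'sshd_enable="YES"\nntpd_enable="YES"\n',
        "live/etc/sysctl.conf": "net.inet.ip.forwarding=1\n",               # never checked in
        # live/etc/hosts is deliberately absent
    }
    for rel, content in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return base


def demo_report():
    """Run the drift check over the constructed trees."""
    base = build_demo()
    return drift(expected_state(base / "site", base / "host"), base / "live")


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        print(f"{kind}: {paths}")
```

Run from cron, a non-empty "modified" list is the reminder Rob says never quite happens; the same digests tell you which of the two modules the change has to be merged back into.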


Re: Apache Rotate Logs and Log Rotate.

2007-03-02 Thread David Robillard

On 3/1/07, Peter Pluta <[EMAIL PROTECTED]> wrote:

What I did was make a new log format to include %v (it includes the
vhost name in the logs). Lowered my error log to just info. I also got
rid of the ErrorLog and CustomLog in my vhost brackets and set up
newsyslog to rotate the http-access.log and http-error.log after 24
hours. This is what I pretty much wanted. I have more space in /home/
now since there are no log files in there and I also have 1 main log
that I can rotate and view or separate if needed. It makes it a lot easier.

I have a quick question though. Say I am hosting a few sites for
customers and they want to run their own statistics programs that rely
on log files. How would I deal with the logs if they were in each user's
home directory? Those logs add up after a week or so; not to mention if
someone had a larger site that generated larger logs. What exactly could
be done in that situation to allow stats and still have a functional web
server?


Hi Peter,

What I do with stats is use webalizer which is available from the
ports directory as www/webalizer.
Webalizer keeps the history of your logs, so you don't have to keep
the old ones around. I run webalizer from cron once and a while to
generate stats. I've wrapped it in a simple shell script to check all
my virtual sites listed in a custom config file in /usr/local/etc and
dump the stats file into /path/to/virtual/host/stats. I then setup a
/stats Alias in httpd.conf for each virtual site and protect it with a
simple .htpasswd. Easy.

BTW, may I suggest you also include the freebsd-questions list in Cc
when you write back? Some people might be interested by what we're
talking about. In fact, ideally we should only 'talk' via the list,
but that's ok with me.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Apache Rotate Logs and Log Rotate.

2007-03-03 Thread David Robillard

On 3/3/07, Peter Pluta <[EMAIL PROTECTED]> wrote:

I see, thanks. Does the shell script you use automatically delete the
original logs after webalizer or awstats makes its own? I imagine the
ones those programs use are smaller in size?


No, the shell script does not delete any logs. Log rotation and
compression is the job of newsyslog.
Webalizer creates and maintains its own files which grow slowly over
time. How fast they grow depends on how busy your site is and how much
data you need to extract from the logs. Try it on one VirtualHost and
you'll see. If you like it, then extend your configuration to your
other VirtualHosts.

Talking about logs, you might want to send them to syslog. Here's a
quick article on this topic:
http://www.oreillynet.com/pub/a/sysadmin/2006/10/12/httpd-syslog.html

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Linux "equivalent" to freebsd

2007-03-03 Thread David Robillard

If you have a (Free)BSD mindset and like your rc.conf but don't mind
typing "pacman" instead of pkg_* or portupgrade -P * and you don't mind using
something called ABS for src packages, which is like ports, only with a stage
install before live-system install, then you may just like ArchLinux.


Yes, I agree with Danny. Arch Linux is as close to FreeBSD as you
can get with Linux. I don't run any core business services on it, but
a friend does run his webservers on it and so far he's happy.

Again, my 0.02 on this topic :)

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Apache Rotate Logs and Log Rotate.

2007-03-05 Thread David Robillard

On 3/3/07, Peter Pluta <[EMAIL PROTECTED]> wrote:

I see, thanks. Does the shell script you use automatically delete the
original logs after webalizer or awstats makes its own? I imagine the
ones those programs use are smaller in size?


No, the shell script does not delete any logs. Log rotation and
compression is the job of newsyslog.


Alright, after some more RTFM on Apache logs, here's what your
newsyslog.conf(5) configuration should look like.

/var/log/httpd/access.log   640  5  1048576  *  B  /var/run/httpd.pid  30
/var/log/httpd/error.log    640  5  1048576  *  B  /var/run/httpd.pid  30

Of course, you should tailor this to suit your own needs (like the
size, ownership and number of logs kept on disk, etc.)

But keep the "B" flag for Binary which will prevent newsyslog from
adding a line in your logs which says it was rotated. It _may_ confuse
some log analysers (depends on your log analyser software). Also make
sure to add the "30" at the end of each line. This is the kill(1)
number for signal -USR1 which gracefully restarts Apache.

Now the reason I removed the "Z" flag, which eliminates compression,
is to make sure all of your children httpd processes have enough time
to write their logs into the log file. If a request on your site is
rather long, then this is the best way to go. Of course, that means you
will need a little bit more disk space. But not that much, depending on
how many logs you keep (i.e. 5 in the example above).

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
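The two things that go wrong with Apache under newsyslog, as the -HUP versus -USR1 discussion earlier in this thread and the entries above explain, are silent ones: an entry without a pid file and signal 30 means httpd is never told to reopen its logs (or is hard-restarted), and a compression flag can grab the file while children are still finishing a request. As an added example (mine, not part of the thread), here is a small Python checker that parses newsyslog.conf(5) entries with the field layout logfile [owner:group] mode count size when [flags [pidfile [signal]]] and reports Apache entries that would lose or expose log data. The numeric signal field is what FreeBSD 6.x accepted, as in the entries above; the sample configuration is constructed, and the regular expression that decides which entries belong to Apache is an assumption you should adapt to your own log layout.

```python
import re

SIGUSR1 = 30  # kill(1) number for SIGUSR1 on FreeBSD, the graceful-restart signal used in the thread

# Entries whose log file name looks like an Apache log; adjust to your layout (assumption).
APACHE_LOG = re.compile(r"httpd|apache", re.IGNORECASE)


def parse_entry(line):
    """Parse one newsyslog.conf(5) entry into a dict, or return None for blank/comment lines.

    Field layout: logfile [owner:group] mode count size when [flags [pidfile [signal]]]
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    f = line.split()
    entry = {"logfile": f.pop(0)}
    # owner:group is optional and is the only field that can contain ':'
    if f and ":" in f[0]:
        entry["owner"] = f.pop(0)
    if len(f) < 4:
        raise ValueError(f"too few fields: {line!r}")
    entry["mode"] = int(f.pop(0), 8)
    entry["count"] = int(f.pop(0))
    entry["size"] = f.pop(0)
    entry["when"] = f.pop(0)
    entry["flags"] = f.pop(0).replace("-", "") if f else ""   # '-' means no flags
    entry["pidfile"] = f.pop(0) if f else None
    entry["signal"] = int(f.pop(0)) if f else 1               # no signal field means SIGHUP (1)
    return entry


def audit(conf_text):
    """Return [(logfile, problem), ...] for Apache log entries that would lose or expose log data."""
    problems = []
    for line in conf_text.splitlines():
        e = parse_entry(line)
        if e is None or not APACHE_LOG.search(e["logfile"]):
            continue
        flags = e["flags"]
        if "N" in flags:            # N = send no signal at all
            problems.append((e["logfile"], "N flag: httpd is never told to reopen its logs"))
        elif e["pidfile"] is None:
            problems.append((e["logfile"], "no pid file: httpd is never signalled and keeps writing to the rotated file"))
        elif e["signal"] != SIGUSR1:
            problems.append((e["logfile"], f"signal {e['signal']} is not SIGUSR1 ({SIGUSR1}): not a graceful restart"))
        if "B" not in flags:
            problems.append((e["logfile"], "no B flag: newsyslog will write a 'logfile turned over' line into the log"))
        if "Z" in flags or "J" in flags:
            problems.append((e["logfile"], "compressed at rotation: children still finishing a request can lose entries"))
        if e["mode"] & 0o004:
            problems.append((e["logfile"], f"mode {e['mode']:o} is world-readable"))
    return problems


SAMPLE_CONF = """\
# constructed sample modelled on the entries posted in the thread
/var/log/httpd/access.log   640  5  1048576  *  B   /var/run/httpd.pid  30
/var/log/httpd/error.log    640  5  1048576  *  B   /var/run/httpd.pid  30
/var/log/httpd/vhost2.log   640  5  1048576  *  BZ  /var/run/httpd.pid  30
/var/log/httpd/vhost3.log   644  5  1048576  *  -
/var/log/messages           644  5  100      *  JC
"""

if __name__ == "__main__":
    for logfile, problem in audit(SAMPLE_CONF):
        print(f"{logfile}: {problem}")
```

On the sample, the two entries from the thread pass, vhost2 is flagged for the Z flag, and vhost3 is flagged three times: no pid file, no B flag, and a world-readable mode. Feed it your real /etc/newsyslog.conf before adding a VirtualHost and the "you'll lose logs" case never gets a chance to happen.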


Re: Apache Rotate Logs and Log Rotate.

2007-03-05 Thread David Robillard

On 3/5/07, Peter Pluta <[EMAIL PROTECTED]> wrote:

Thanks, David. I had already configured it like that the first time
around after reading up on it a bit. Most articles/tips I have read say
to wait 10 minutes or so and then compress the logs with a shell script
in order to be sure Apache finished logging to the files. Another thing,
just to be sure. If I had 30 vhosts on my server and each had logs in
their home directory, I would still use newsyslog to rotate and delete
them, correct? I assume one needs tons of disk space to do that if the
sites are rather large.


Well, if you do use newsyslog to rotate Apache log files, then it's
just a matter of setting the number of files you wish to keep. From
newsyslog.conf(5)

 count   Specify the maximum number of archive files which may exist.
 This does not consider the current log file.

Let's say you rotate your files once they reach 2 MB for example and
that you've configured 10 in your newsyslog.conf count field. Then
that means a maximum of 10 x 2 MB = 20 MB will be kept for one
VirtualHost. Now if you have 100 virtual hosts all configured this
way, then you will need 100 x 20 MB = 2000 MB or 2 GB for all your Apache
logs.

Considering today's disk drive sizes are well beyond 300 GB, I
don't think this is a problem at all.

Of course, YMMV so check your own needs and do the math.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Apache Rotate Logs and Log Rotate.

2007-03-05 Thread David Robillard

On 3/5/07, Peter Pluta <[EMAIL PROTECTED]> wrote:

Gotcha, do you use a script to compress the logs after the SIGUSR1 and
after waiting for a bit for apache to clear its logging buffer (to not
have missing logs)?


No I don't. I don't even see why one would want to do this?

Newsyslog deletes extra logs. So if our disk space is enough to hold
the amount of logs we require (see math below), then there's no need
to compress any Apache logs at all. Right!?!!

If we come back to my example of 100 VirtualHosts with log files of 2 MB
each and we keep only 10 of them. Using USR1 as the kill signal, for
an httpd child to miss any log entry would mean that this child
writes more than 10 times 2 MB of logs in a very short period of time.
Check your VirtualHost load and determine the average response time
for each httpd child. If it's 2 min (which is HUGE for an httpd
child) that would mean that you'd need to have more than 20 MB of
logs generated in less than 2 min. In ASCII, that's a whole lot of
logs. I'd say your best bet would be to switch your LogLevel from
"debug" to "info" in your httpd.conf and restart Apache... ;)

Or you run a really busy website.
Or your web application code/architecture may need a revision.

Have fun!

David


> Well, if you do use newsyslog to rotate Apache log files, then it's
> just a matter of setting the number of files you wish to keep. From
> newsyslog.conf(5)
>
>  count   Specify the maximum number of archive files which may exist.
>  This does not consider the current log file.
>
> Let's say you rotate your files once they reach 2 MB for example and
> that you've configured 10 in your newsyslog.conf count field. Then
> that means a maximum of 10 x 2 MB = 20 MB will be kept for one
> VirtualHost. Now if you have 100 virtual hosts all configured this
> way, then you will need 100 x 20 MB = 2000 MB or 2 GB for all your Apache
> logs.
>
> Considering today's disk drive sizes are well beyond 300 GB, I
> don't think this is a problem at all.
>
> Of course, YMMV so check your own needs and do the math.
>
> Cheers,
>
> David


--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote install of 6.2

2007-03-09 Thread David Robillard

I have a remote machine running 4.8-p21.  The system has two disks in
it, but only one is used on a daily basis (the other is filled via dd
every now and then).

I want to get this remote machine running 6.2, so I figured I'd
install the new OS on the second disk, then boot off the second disk,
leaving the original first disk with all the user data on it (plus as
a way to back out).

When I try to use /stand/sysinstall for this it seg-faults
early in the installation, but after the "Commit" step.


Hi Jerry,

If you have a 6.2 machine handy, you can create dump files of each
filesystem using dump(8), cpio(1) or pax(1) or whatever you're used
to.

Ship those dump files to your 4.8 machine via scp(1). Then use
bsdlabel(8) to partition your second hard disk (the one you wish to
install 6.2 on). Create filesystems on those new partitions. Mount
those new filesystems into a chroot, for example /mnt/root, /mnt/usr,
/mnt/var, etc. Then extract your dump files onto those new partitions.
Don't forget to install a boot block on your disk with `bsdlabel -B`
or with boot0cfg(8). That should do it.

If you need more detailed step-by-step instructions, just say so, I'll
send something on the list.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote install of 6.2

2007-03-09 Thread David Robillard

OK.   First, it was someone else who posted.  I was one of the responders.


My mistake! Sorry about this.



That can be a good way of doing it.   I have posted a list of steps
for doing essentially that (slightly different circumstances) a
couple of times in the past.

But there is one disadvantage in this particular case.  Since the OP
is running 4.xx and wants to move to 6.xx, he would probably also want
to take advantage of the new UFS2 filesystem improvements.  But, if
he builds the file system using the 4.xx fdisk and disklabel (before
bsdlabel replaced it) then it will use the older file system missing
some performance and feature improvements.   So, he will want to find
a way to fdisk and bsdlabel using a 6.xx system if at all possible.

Of course, it is not the end of the world to be stuck with the older
file system, but is less than optimal.

It would be possible for the person to sort of double up on your
suggestion and do a first build with the existing fdisk and bsdlabel
and then restore 6.2 dumps.   Then build a 6.2 system that can run from
memory that includes the essentials such as fdisk, bsdlabel and newfs
and tinker with booting to boot to that memory system, which would
then allow that second disk to remain unmounted or accessed anywhere
 -- essential for building the file systems.  Then use that memory
mounted system to build the file systems and finally do the restores
from dumps.   It should work, but will take some figuring out.

The last time I built anything resembling that was back in
about FreeBSD 4.9 and I made a file of it and burned it to CD and
did the boots from CD.   But it should be possible to get it to
run from a memory file system.


Indeed, you're absolutely right.

An easy way to circumvent this filesystem issue would be to mount the
ISO image of a 6.2 install CD as a virtual filesystem and use the
binaries from there. This shows you how to proceed:
http://www.freebsddiary.org/iso-mount.php

Of course, you'll need a fair bit of RAM to do this.

There's also this from Colin Percival that can be useful:
http://www.daemonology.net/depenguinator/

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: mirror without destroying existing contents

2007-03-13 Thread David Robillard

Anyone made a mirror w/o destroying what's in the disk already?  The
atacontrol man page is less than adequate in this respect...is it even
possible?


Oh, yes-- it's certainly possible to create a mirror with live data,
but one is advised to be cautious and have a full backup available in
case of problems.  With hardware-based ATA controllers like Promise,
3ware, etc, they should have a BIOS utility which you can use to
create the mirror-- make sure to add the drive with valid data first,
and then add the second or additional drives to the mirror set.

The same approach ought to work with software-mirroring such as (g)
vinum.


I'd add gmirror(8) to the list of software RAID solutions.

Man page: 
http://www.freebsd.org/cgi/man.cgi?query=gmirror&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

Handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html#GEOM-MIRROR

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Serial Port Problems (Solved)

2007-03-16 Thread David Robillard

On Thu, 2007-03-01 at 15:27 -0600, Dan D Niles wrote:

If I disconnect and come back later
(sometimes), or if I hit return without entering a login name (always)
it starts spitting out junk like:

nooo~:Woo{;>6(|uww~now~nou})|t}}t9-


I found a solution, although I'm not sure why it works.

When you just hit enter getty goes back to the beginning of its loop.
This also happens if you enter a name starting with "-" or consisting of
just spaces.  These also cause the output to become garbled.

At the beginning of the loop it calls setttymode(0).  If I insert a
sleep(1) before this call, everything works correctly.  If I insert the
sleep after that, the output still gets garbled.

Like I said, I don't know why it works, but it does.

I don't think a short delay is unreasonable after entering invalid or no
information.  I am going to submit a PR with a patch.


I have the same behavior as you do on some machines here. But I
originally thought it was caused by the (old) serial port card I used
to build a serial console server.

The card is an EasyIO PCI 8-port card from Stallion Technologies as
suggested by Gregory Bond's article "Console Server" from
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/console-server/index.html
(BTW, don't buy this card today because its driver was not ported
from FreeBSD 4.x to either 5.x or 6.x.)

That being said, I checked /usr/src/libexec/getty/main.c to find out
how to recreate your fix. But I'm not a huge C programmer, so I tried
other ways to solve this.

That brought me to gettytab(5) which says that the "de" field controls
the "delay secs and flush input before writing first prompt" as the
man page puts it.

So I changed a test machine's gettytab default entry from:

default:\
   :cb:ce:ck:lc:fd#1000:im=\r\n%h (%t)\r\n\r\n:sp#1200:\
   :if=/etc/issue:

To:

default:\
   :cb:ce:ck:lc:fd#1000:im=\r\n%h (%t)\r\n\r\n:sp#1200:\
   :if=/etc/issue:de=2:

And restarted (not sure if a reboot is necessary here?). I had to
fiddle a bit with the delay, but it did help.

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote logging with syslogd

2007-03-22 Thread David Robillard

Hello,

I'm trying to put up a remote logging server. I want to let my
Airport Express send its logs to my FreeBSD server.

So I said to my Airport to send its logs to the internal ip of my
server, I suppose it works because that's what Apple hardware does.
Now I did the following things on my bsdbox:


I appended to syslog.conf:

# Log remote Airport Express
+airport
*.* /var/log/airport.log
!*

I touched /var/log/airport.log and it has rw-r- root:wheel rights

And to rc.conf I added:

syslogd_enable="YES"
syslogd_flags="-b myhostname.intranet -a *.intranet"

I restarted syslogd via:
# /etc/rc.d/syslogd restart

I suppose it should work, but nothing appears in /var/log/airport and
there should be something that it listens for input or not?

Also I checked netstat -a | grep syslog
udp4   0  0  myhostname.intranet..syslo *.*

So it looks like it is not listening.

Anyone any ideas what I'm doing wrong?


The Apple AirPort products, both Extreme and Express, do not use the
standard syslog UDP port 514. They send it at a higher port. Just like
most Cisco devices do.

So to enable logging on a FreeBSD host, you must change your
rc.conf(5) syslogd_flags line to enable other non-standard syslog
ports. Try something like this:

syslogd_flags="-b myhostname.intranet -a *.intranet:*"

Since you're using names instead of IP addresses in your
configuration, make sure your DNS resolves both A and PTR records for
the AirPort.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote logging with syslogd

2007-03-23 Thread David Robillard

Thnx for the tip. Found out that it was not the airport UDP port. It is
some misconfiguration in my DNS, but still don't get why it doesn't work
as expected. For some reason my DNS-name is snipped just before the TLD.

Oh btw i changed some configs

I prepended to /etc/syslog.conf the next and deleted what I wrote above
# Log remote Airport Express
+airport.intranet.mydomain.org
*.* /var/log/airport.log
+*
!*

And in rc.conf I changed the above to:
syslogd_enable="YES"
syslogd_flags="-b myhostname.intranet.mydomain.org -a
airport.intranet.mydomain.org"

So what comes in on syslogd looks like "airport.intranet.mydomain" so no
.org or something. I really don't get where that comes from. But now
syslogd rejects because of "name mismatch".


If you're having DNS problems, you can always check if your rc.conf(5)
and syslog.conf(5) configurations are good by using IP addresses.
Don't forget to restart syslogd(8) of course. That will help you find
out if your configurations are good.

Now that should not prevent you from fixing your DNS :)

Have fun.

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
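Both replies above turn on how syslogd(8) decides whether to accept a remote peer. With -a given a host name or *.domain, that decision rests on DNS: the source address is looked up in reverse, and the resulting name has to resolve forward to the same address before it is even compared with the pattern, which is exactly the "name mismatch" rejection the second message hit when the PTR came back without its TLD. It also means anyone who controls the reverse zone for their own address range can claim whatever name they like, so the forward check is what keeps the allow-list honest, and an address or network pattern sidesteps DNS entirely, which is why testing with IP addresses first is sound advice. The following Python model of that decision is an added example written for this thread, not syslogd's code: the PTR and A tables are constructed stand-ins for the resolver, the pattern forms (exact name, *.domain, ipaddr, ipaddr/masklen, optional :service) are the ones syslogd(8) documents for -a, and it handles IPv4 patterns only because it splits the :service part off at the first colon.

```python
import ipaddress

# Constructed DNS data standing in for the resolver; these are not real records.
PTR = {
    "192.168.1.20": "airport.intranet.mydomain.org",
    "192.168.1.21": "airport2.intranet.mydomain",     # PTR cut off before the TLD, the symptom in the thread
    "192.168.1.99": "airport.intranet.mydomain.org",  # a host whose PTR claims the AirPort's name
}
A = {
    "airport.intranet.mydomain.org": "192.168.1.20",
    "airport2.intranet.mydomain.org": "192.168.1.21",
}


def as_network(pattern):
    """An -a pattern given as ipaddr or ipaddr/masklen; None if it is a host name pattern."""
    try:
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return None


def name_matches(name, pattern):
    """Host-name pattern: the exact name, or '*.domain' for every host below domain."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*"):
        suffix = pattern[1:]                       # '*.intranet' -> '.intranet'
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def peer_decision(src_ip, allowed):
    """Decide whether a datagram from src_ip is accepted under the -a patterns in allowed.

    Returns (accepted, reason). Address patterns need no DNS at all; name patterns are
    matched against the PTR name of src_ip, and only after that name resolves back to
    src_ip (forward-confirmed reverse DNS). IPv4 patterns only in this model.
    """
    addr = ipaddress.ip_address(src_ip)
    name = None
    for raw in allowed:
        pat = raw.partition(":")[0]                # drop the optional :service part
        net = as_network(pat)
        if net is not None:
            if addr in net:
                return True, f"{src_ip} is inside -a {pat}; no DNS involved"
            continue
        if name is None:                           # resolve once, and only when a name pattern needs it
            name = PTR.get(src_ip)
            if name is None:
                return False, f"no PTR record for {src_ip}"
            if A.get(name) != src_ip:
                return False, f"name mismatch: {name} does not resolve back to {src_ip}"
        if name_matches(name, pat):
            return True, f"{name} matches -a {pat}"
    return False, f"{src_ip} matches none of {list(allowed)}"


if __name__ == "__main__":
    # The three -a settings discussed in the thread, applied to every constructed sender.
    for flags in (["*.intranet:*"], ["airport.intranet.mydomain.org"], ["192.168.1.0/24"]):
        for ip in PTR:
            print(flags, ip, peer_decision(ip, flags))
```

With the first rc.conf line from the thread, -a *.intranet:*, the AirPort's fully qualified PTR name airport.intranet.mydomain.org matches nothing, so the host is rejected even though DNS is fine; with the truncated PTR the forward check fails first and you get the "name mismatch"; the address pattern accepts the sender without touching DNS, which is what to use while the zone is being fixed.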


Re: Monitoring tool for Compaq Smart Array 5300

2007-04-05 Thread David Robillard

Hi
we would like to monitor the status of a Compaq Smart Array 5300
installed on a HP Proliant DL360.
Is there any tool for FreeBSD 6.2?
Thanks for the help


Check out this HP + FreeBSD site. It's a bit old, but looks like it
has what you're looking for.

http://people.freebsd.org/~jcagle/

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Locking SSH Users to $HOME

2007-04-11 Thread David Robillard

Using the SSHD server, how can I lock users SSH'ing into a box into their
home directory, without having access to the /usr/home directory as a
whole?


You can try to use the security/ssh2 port to replace the base system's
sshd(8). This version of ssh supports additional chroot configuration
options which lets you do exactly what you're looking for.

Here's a link to the port:
http://www.freebsd.org/cgi/url.cgi?ports/security/ssh2/pkg-descr

Here's an article which shows you how to do what you're looking for:
http://freebsdrocks.net/index.php?option=com_content&task=view&id=51&Itemid=1

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: sendmail with dovecot with nologin account

2007-04-18 Thread David Robillard

I am using dovecot imap and I am having a problem directing mail to
go to users in Maildir format when they do not have a login shell.

It seems that the .procmailrc file is ignored and the mail is put
in mbox format into /var/mail

For mail-only users with-out a shell, what is the best way to direct
mail to them in Maildir format within ~/Maildir - maybe directly from
.forward?


Hello David,

We run dovecot + sendmail + procmail and also store mail in Maildirs.
None of our 3500+ users have any access to the mail server and it
works like a charm.

The trick is to keep things as simple as possible. No home directory
for users nor any valid shell plus a global procmailrc file which is
used for all of the users.

For example, start by instructing sendmail to use procmail in the
/etc/mail/`hostname`.mc

FEATURE(`local_procmail')dnl

Then make sure dovecot knows where the mail is stored:

default_mail_env = maildir:/var/mail/%u

Our example mail user has this entry in master.passwd(5) :

example.user::13431:231::0:0:Example User:/nonexistent:/sbin/nologin

And the Global procmail configuration is very simple:

cat /usr/local/etc/procmailrc

# procmailrc
#
# $Id: procmailrc,v 1.1 2006/10/20 13:08:25 drobilla Exp $
#
# System wide procmail(1) configuration file.
# This configuration causes procmail(1) to deliver mail
# to maildir format as the recipient's UID.

DROPPRIVS = yes
:0
/var/mail/$LOGNAME/

# EOF

A single file to rule them all

Sorry, couldn't resist :)

Let me know if you need any help with this setup.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
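The global procmailrc above builds the delivery path out of $LOGNAME, so whatever sets that variable (sendmail's local mailer, with procmail running as the recipient after DROPPRIVS) decides which directory under /var/mail gets written. As an added example, not part of the post and not procmail's or dovecot's code, here is the same delivery written out in Python: the recipient name is checked against the shape of a master.passwd(5) login before it is ever used in a path, the resolved target has to sit directly under the spool, and the message goes Maildir-style into tmp/ first and is renamed into new/ so dovecot never sees a half-written file. The spool and the messages are constructed and land in a temporary directory; the user-name pattern and the 0700/0600 modes are assumptions to match to your own site.

```python
import os
import re
import socket
import tempfile
import time
from pathlib import Path

# Shape of a login name as it would appear in master.passwd(5): no '/', no leading '.' or '-'.
USERNAME = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def maildir_for(spool, logname):
    """The per-recipient Maildir below spool, or ValueError if logname is not a plain user name."""
    if not USERNAME.match(logname):
        raise ValueError(f"refusing recipient {logname!r}")
    spool = Path(spool).resolve()
    target = (spool / logname).resolve()      # follows a symlinked user directory, if any
    if target.parent != spool:                # defence in depth: never deliver outside the spool
        raise ValueError(f"{target} is outside the spool {spool}")
    return target


def deliver(spool, logname, message):
    """Deliver message (bytes) Maildir-style: write under tmp/, fsync, then rename into new/."""
    mdir = maildir_for(spool, logname)
    for sub in ("tmp", "new", "cur"):
        (mdir / sub).mkdir(mode=0o700, parents=True, exist_ok=True)
    host = socket.gethostname().replace("/", "\\057").replace(":", "\\072")
    unique = f"{time.time_ns()}.P{os.getpid()}.{host}"
    tmp, new = mdir / "tmp" / unique, mdir / "new" / unique
    # O_EXCL: never clobber an existing file and never follow a planted symlink
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(message)
        fh.flush()
        os.fsync(fh.fileno())
    os.rename(tmp, new)   # same filesystem, so atomic: a reader never sees a partial message
    return new


def demo():
    """Constructed sample: one delivery for a valid user, four recipients that must be refused."""
    spool = tempfile.mkdtemp(prefix="spool-")
    msg = b"From: [email protected]\r\nSubject: hello\r\n\r\nbody\r\n"
    delivered = deliver(spool, "example.user", msg)
    rejected = []
    for bad in ("../root", "example/user", "-r", ".ssh"):
        try:
            deliver(spool, bad, msg)
        except ValueError:
            rejected.append(bad)
    return delivered, rejected


if __name__ == "__main__":
    delivered, rejected = demo()
    print("delivered to", delivered)
    print("rejected", rejected)
```

In the real setup the file is created as the recipient's UID because of DROPPRIVS, which is the other half of the protection; the name check and the tmp/new rename are what you would want regardless of who the process runs as.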


Re: IBM / FreeBSD - Install Update - Seems to be ACPI

2007-04-19 Thread David Robillard

In our initial posts, we stated that we seemed to be having issues
getting the machine to boot with the 4 processors, so to bypass this we
disabled ACPI on boot. This allowed us to get past the CPU error and
continue to boot. However down the track we noticed things like the
ethernet adapter not getting picked up, and the big problem - none of
the disks getting recognised.

We have since tried a few things, one of which was removing all but one
of the CPU's. If we do this, and boot with ACPI enabled, all is totally
fine. All disks are found, and I receive no CPU panic error.

So it appears to me that by disabling ACPI in an attempt to bypass the
QUAD CPU problem, we are causing another issue behind the scenes.

The root of the problem now appears to be that if we have anything over
1 CPU, directly after the kernel is loaded (when booting from the CD),
we receive the error message "panic: madt_probe_cpus_handler: CPU ID 38
Too High". The moment a second CPU is added to the machine it bombs out.



Have you tried to present this issue to some specific FreeBSD mailing lists?
I believe some of these might be more suited to help you.

These lists come to mind:

FreeBSD Bugs
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs

FreeBSD ACPI
http://lists.freebsd.org/mailman/listinfo/freebsd-acpi

FreeBSD Hardware
http://lists.freebsd.org/mailman/listinfo/freebsd-hardware

Good luck !

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: How to choose an UPS?

2006-11-28 Thread David Robillard

Usually, if you are willing to interface the UPS with your Computer, like it 
should automatically shutdown the computer when there's a power failure, then 
you may want to buy one with USB support. But I am not sure that you can 
interface it with FreeBSD. It can be done with Linux and Windows. :)


Check out the port sysutils/apcupsd

According to the documentation on the project's website
http://www.apcupsd.com, it works with both USB and with a serial
cable.
I've seen other people on this list reporting that it works with both
of those solutions.

For a network solution, you can also check the sysutils/nut port which
also has a USB driver. More info on the project's website at
http://www.networkupstools.org/.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Configuring DNS (BIND) in isolation

2006-12-04 Thread David Robillard

Hello,

I have a need to make my own DNS system on an isolated network.  Years ago,
I administered DNS for a couple of different companies, but that was quite a
while ago and since I've turned to programming I haven't done much in the
way of network administration.  I recall from using BIND 4, when I was
reading up on it, that it is most certainly possible to configure an entire
DNS system on a totally isolated network.

Would I need zone files for the root, ".", zone and any other zones I
configure; e.g. "isolation."?  This would seem to be the way to go about it,
but I'm having some difficulty visualizing it in my head.  I just did some
searches online for the O'Reilly book "DNS & BIND".  I recall using this
book in the past and it was quite helpful (and unfortunately for me,
belonged to my former employers).  Would this book be a good reference for
this task as well, or are there better books that I might want to look into
getting for this?  Or, are there good on-line resources that could help me
muddle through?

Any help is greatly appreciated.

Thanks,
Andy


Hello Andy,

First, you need to know that BIND has jumped from version 4 directly
to version 8 and is now at version 9. There is a whole world of
difference between the version 4 that you've worked with in the past
and the latest version 9 (such as Views, DNSSEC, IXFR, etc).

Second, the book you mentioned above is still THE reference on the topic.
O'Reilly recently published the 5th edition of "DNS & BIND", which
covers everything BIND 9 has to offer, plus an extended chapter on the
DNS architecture itself. It's a great book; you should get yourself a
copy if you're interested in DNS.

Third, while "DNS & BIND" is a fine book, you'll get more direct help
from another O'Reilly book called "DNS & BIND Cookbook", also by Cricket
Liu. It presents common DNS-related tasks in the form of easy-to-follow
"recipes". It sure is a great help when it actually is time to
build and configure your DNS servers.

Moreover, FreeBSD is an excellent platform for building DNS servers.
I've built DNS servers out of Solaris, AIX, RedHat and FreeBSD
machines, and BSD is by far the easiest and most flexible to set up and
secure.

Finally, if for various reasons you don't have the time or expertise
to set up your own DNS machine, then have a look at the appliances from
Infoblox, the company of "DNS & BIND" author Cricket Liu, at
http://www.infoblox.com.


Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Looking for a cookbook on Oracle clients...

2006-12-05 Thread David Robillard

I have a task that requires I extract a data set from a MySQL server, and push 
it on to an Oracle (9i) server.


Hi Brian,

If you're familiar with perl (or have a perl programmer handy) you can
choose from a whole bunch of perl modules which interact with MySQL
and Oracle databases.

For example, in the FreeBSD ports tree you will find
databases/p5-DBD-Oracle and databases/p5-DBD-mysql ports.

Once you have both of these, it should be quite easy to write your
perl script to pump data out of the MySQL database with the
databases/p5-DBD-mysql port, perform the data manipulation your
business requires and then dump the results into the Oracle instance
with databases/p5-DBD-Oracle.

Now, if your objective is to migrate all of your data from MySQL into
Oracle, then you can check out the "Oracle Migration Workbench". More
info on this at
http://www.oracle.com/technology/tech/migration/workbench/index.html

Good luck,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Which live CD for recovery

2006-12-06 Thread David Robillard

Which live CD is recommended for recovery? What I'd like is to have as
many disk analysis tools at hand just in case.


There are a lot to choose from, as you can see from this list:
http://www.frozentech.com/content/livecd.php


I believe one of two things has happened: the anti virus placed a system
file in the vault, or running windows update the "genuine windows
disadvantage tool" disabled the system because it may have been pirate
(don't know).


AFAIK the Windows Genuine Advantage never prevents you from booting
your machine. It will annoy you with pop-ups about your license (or
lack of it). Fortunately, you can disable the pop-ups. Keep in mind
that a non-legit Windows machine can only perform the Security
updates, but cannot perform the other Windows Updates. This can be
confusing for a technologically challenged user.


So, I need to recover data to some other machine, and then see if I can
recover the system file without a full reinstall.


Do you have a USB drive? Can you mount it on the crippled Windows Box?
If so, then I would suggest that you backup the user's data, format
the crippled box's disk drive and do a clean Windows install. After
all, there probably was a virus on this box. Are you sure you want to
take chances?

Good luck,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Which live CD for recovery

2006-12-06 Thread David Robillard

On 12/6/06, Erik Norgaard <[EMAIL PROTECTED]> wrote:

> Do you have a USB drive? Can you mount it on the crippled Windows Box?
> If so, then I would suggest that you backup the user's data, format
> the crippled box's disk drive and do a clean Windows install. After
> all, there probably was a virus on this box. Are you sure you want to
> take chances?

Well, the system won't boot, not even in safemode, so there is no such
alternative. I hope this is just some systemfile in the vault of AVG
anti virus.

Take the chance... well it can't get much worse. If at least the system
gets back working then I can try other ways to clean it.


If you can get the machine to mount the USB drive or have its network
connection online, you can simply back up the contents of
"C:\Documents and Settings\All Users" and
"C:\Documents and Settings\${username}" (replace ${username} with the
various usernames configured on the crippled box).

Once you have backed up the contents of those two directories, you should
have all of your user's data. Therefore you should be ok to wipe the disk
and perform a clean Windows install.

I suggest, however, that you upload those backups onto another Windows
machine and have your user double-check to see if you have everything.
Better safe than sorry.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: remote syslog to specific file

2006-12-14 Thread David Robillard

Hello,


I am trying to log my sonicwall FW log to a specific file…

For the moment all logs are sent to /var/log/messages

I would like them to go to /var/log/sonic.log


I have tried a couple of things which do not seem to work, among them:

> +fw.xxx.yyy
> local0.*   /var/log/sonic.log
> +@
--> not working

> local0.*   /var/log/sonic.log
--> not working either


In /var/log/messages my logs are of this format:

> Dec 14 14:50:49 fw id=firewall sn=0006Bxxx4D6C time="2006-12-14
> 14:50:45" fw=80.98.206.97 pri=5 c=64 m=36 msg="TCP connection
> dropped" n=183 src=80.97.99.70:3763:WAN:89-90-99-70.pde.norby.ee
> dst=192.168.2.3:135:LAN:newmail.rmm.fr proto=tcp/135



Any help would be welcome.


Try installing these two lines in your syslog.conf(5) file and make
sure you use a TAB instead of spaces.

!fw
*.*	/var/log/sonic.log

Then issue a `sudo touch /var/log/sonic.log`, as the file must exist
before syslogd(8) can write to it (i.e. syslogd(8) does not create
files).

After this, run `sudo /etc/rc.d/syslogd restart` to tell syslogd(8)
about the changes you've made to syslog.conf(5).

Finally, make sure you edit newsyslog.conf(5) with something like this
to keep your /var file system from filling up.

/var/log/sonic.log	www:wheel	640	7	100	*	J

See man newsyslog.conf for more on newsyslog.conf(5)'s syntax.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122

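Once the firewall's records are isolated in their own file, the next thing a practitioner wants is to actually read them: the SonicWall format is a syslog header followed by key=value pairs, with src and dst packed as ip:port:zone[:hostname]. The Python below is an added example, not part of the thread, that parses that format and flags sources whose dropped connections fan out across several destination ports, a cheap scan indicator. The sample records are constructed in the firewall's layout with RFC 5737 documentation addresses and made-up serial numbers and counters. One check before trusting the file: in syslog.conf(5), a `!prog` line selects by program name and a `+host` line selects by sending host, so confirm which of the two matches your firewall's records.

```python
"""Parse SonicWall key=value records from /var/log/sonic.log and flag
sources that are being dropped on many different destination ports.

Added example; not from the original thread. The sample records are
constructed in the firewall's format with RFC 5737 documentation
addresses (serial number and counters are made up)."""
import re
import shlex
from collections import Counter, defaultdict

# syslog header: "Dec 14 14:50:49 fw <rest>"
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

SAMPLE_LOG = """\
Dec 14 14:50:49 fw id=firewall sn=0006B000000C time="2006-12-14 14:50:45" fw=198.51.100.1 pri=5 c=64 m=36 msg="TCP connection dropped" n=183 src=203.0.113.7:3763:WAN:scan.example.net dst=192.168.2.3:135:LAN:newmail.example.com proto=tcp/135
Dec 14 14:50:50 fw id=firewall sn=0006B000000C time="2006-12-14 14:50:46" fw=198.51.100.1 pri=5 c=64 m=36 msg="TCP connection dropped" n=184 src=203.0.113.7:3764:WAN:scan.example.net dst=192.168.2.3:139:LAN:newmail.example.com proto=tcp/139
Dec 14 14:50:51 fw id=firewall sn=0006B000000C time="2006-12-14 14:50:47" fw=198.51.100.1 pri=5 c=64 m=36 msg="TCP connection dropped" n=185 src=203.0.113.7:3765:WAN:scan.example.net dst=192.168.2.3:445:LAN:newmail.example.com proto=tcp/445
Dec 14 14:51:02 fw id=firewall sn=0006B000000C time="2006-12-14 14:50:58" fw=198.51.100.1 pri=6 msg="Connection Opened" n=42 src=192.168.2.10:51234:LAN dst=198.51.100.25:25:WAN proto=tcp/25
"""


def parse_line(line):
    """Turn one syslog line into a dict of firewall fields, or None if it
    is not in the expected format."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"host": m.group("host"),
           "stamp": f"{m.group('month')} {m.group('day')} {m.group('time')}"}
    try:
        # shlex honours the quoted time="..." and msg="..." values
        tokens = shlex.split(m.group("rest"))
    except ValueError:          # unbalanced quote: skip the record
        return None
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep:
            rec[key] = value
    # src/dst look like ip:port:zone[:hostname]; split them into usable parts
    for side in ("src", "dst"):
        parts = rec.get(side, "").split(":")
        if parts[0]:
            rec[side + "_ip"] = parts[0]
            rec[side + "_port"] = (int(parts[1])
                                   if len(parts) > 1 and parts[1].isdigit() else None)
            rec[side + "_zone"] = parts[2] if len(parts) > 2 else None
    return rec


def dropped_by_source(lines):
    """Count dropped connections per source IP."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec.get("msg") == "TCP connection dropped" and rec.get("src_ip"):
            counts[rec["src_ip"]] += 1
    return counts


def port_fanout(lines, threshold=3):
    """Sources whose dropped connections hit at least `threshold` distinct
    destination ports; returns {src_ip: sorted ports}."""
    ports = defaultdict(set)
    for rec in map(parse_line, lines):
        if (rec and rec.get("msg") == "TCP connection dropped"
                and rec.get("src_ip") and rec.get("dst_port") is not None):
            ports[rec["src_ip"]].add(rec["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(dropped_by_source(lines))
    print(port_fanout(lines))
```

To run it against the real file, replace `SAMPLE_LOG.splitlines()` with the lines of /var/log/sonic.log; the threshold is deliberately low for the sample and should be tuned against a day of your own traffic before it drives any alerting.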

Re: Legato Client for freeBSD.

2006-12-15 Thread David Robillard

I am running Legato on a sun server.

I have a server running freeBSD that needs the legato backup client installed.

Is there a working legato client for freeBSD  ??


Have you tried this?

ftp://ftp.legato.com/pub/Unsupported/FreeBSD_Client

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Legato Client for freeBSD.

2006-12-16 Thread David Robillard

Hi Phillip,


Appreciate your help.


Sure, no problem :)

If you do try it out, I'd like to know if it actually works !

And if it doesn't, well, I've been thinking of other ways you could
solve your problem.

One is to enable FreeBSD's Linux compatibility and use Legato's Linux
client (I suppose they have one?).

Another way would be to either rsync, dump, cpio or tar your
data over to another Legato-supported platform and then back up that
one. Something like this works great once you've set up ssh keys
without passphrases:

dump -0uaL -f - / | ssh [EMAIL PROTECTED] "gzip -9 > /path/to/backup/directory/root.dump"

Finally, I also found those:

http://ftp8.ua.freebsd.org/FreeBSD/FreeBSD-current/commerce/networking/legato/
(no idea if it's any good?)

http://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/LegatoNetworker
(looks good, but does it work?)

Good luck!

DA+

On 12/15/06, Phillip Upchurch <[EMAIL PROTECTED]> wrote:



David -

No  - as a matter of fact -

I haven't tried > ftp://ftp.legato.com/pub/Unsupported/FreeBSD_Client

That would be doing things the easy way - dont ya think ?  ;-)

Appreciate your help.

Thanks David
Phillip


--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122

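The dump-over-ssh pipeline in the reply above depends on a key without a passphrase, and an unrestricted key of that kind is a shell on the backup host for whoever copies it off the dumped machine. sshd lets you pin a key to one command with the `command=` option in authorized_keys: the forced command runs no matter what the client asked for, and the client's request is exposed to it in SSH_ORIGINAL_COMMAND. The Python below is an added example, not David's setup or anything from Legato, of such a forced-command sink plus the matching authorized_keys line. BACKUP_DIR reuses the placeholder path from the thread and the wrapper's install path is an assumption.

```python
"""Forced-command sink for a passphrase-less backup key.

Added example, not from the thread. Installed on the backup host and
named in authorized_keys via command=, it accepts only the exact request
shape the client sends ("gzip -9 > BACKUP_DIR/<name>.dump") and refuses
anything else, so the key cannot be used to run arbitrary commands.
BACKUP_DIR and WRAPPER are assumptions; adjust them to your host."""
import os
import re
import subprocess
import sys

BACKUP_DIR = "/path/to/backup/directory"    # placeholder path from the thread
WRAPPER = "/usr/local/sbin/backup-sink"     # where this script lives (assumed)

# Only this request is allowed. The name class contains no '/' and may not
# start with '.', so the client can neither leave BACKUP_DIR nor hide files.
ALLOWED_RE = re.compile(
    r"^gzip -9 > " + re.escape(BACKUP_DIR)
    + r"/(?P<name>[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63})\.dump$"
)


def authorized_keys_line(pubkey, from_host=None):
    """Restricted authorized_keys entry: forced command, no forwarding, no pty,
    optionally limited to one source host with from=."""
    opts = [f'command="{WRAPPER}"', "no-port-forwarding", "no-X11-forwarding",
            "no-agent-forwarding", "no-pty"]
    if from_host:
        opts.insert(0, f'from="{from_host}"')
    return ",".join(opts) + " " + pubkey.strip()


def target_path(original_command):
    """Destination file for an allowed request, or None if it must be refused."""
    if not original_command:
        return None
    m = ALLOWED_RE.match(original_command.strip())
    if m is None:
        return None
    return os.path.join(BACKUP_DIR, m.group("name") + ".dump")


def main():
    # sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND
    path = target_path(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if path is None:
        sys.stderr.write("backup-sink: request refused\n")
        return 1
    if os.path.exists(path):                # never silently overwrite an older dump
        sys.stderr.write(f"backup-sink: {path} already exists\n")
        return 1
    # Compress the dump stream arriving on stdin into the validated file.
    with open(path, "wb") as out:
        return subprocess.call(["gzip", "-9"], stdin=sys.stdin.buffer, stdout=out)


if __name__ == "__main__":
    sys.exit(main())
```

Install the script on the backup host, make it executable, and add the line from `authorized_keys_line()` to the backup user's ~/.ssh/authorized_keys; the client keeps running the exact dump pipeline quoted above, unchanged. Rotate the file name per run (root-2006-12-16.dump and so on), since the sink refuses to overwrite.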

IBM ServeRAID-8k SAS controller support in FreeBSD/i386 6.1-RELEASE.

2006-12-21 Thread David Robillard

Hello everyone,

Has anyone tried the IBM ServeRAID-8k SAS controller under
FreeBSD/i386 6.1-RELEASE ?

I can't find info about this particular model in the FreeBSD/i386
6.1-RELEASE Hardware Notes. I've found that the ServeRAID 6i/6M
controllers are supported by the ips(4) driver, but nothing about the
ServeRAID-8k SAS one.

Nothing in the mailing lists either.

Many thanks,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Sun Fire x2100

2007-01-04 Thread David Robillard
pci1
ata3:  on atapci1
atapci2:  port
0x9e0-0x9e7,0xbe0-0xbe3,0x960-0x967,0xb60-0xb63,0xc000-0xc00f mem
0xfe02b000-0xfe0
2bfff irq 21 at device 8.0 on pci0
ata4:  on atapci2
ata5:  on atapci2
pcib1:  at device 9.0 on pci0
pci_link16: BIOS IRQ 23 for 0.7.INTA is invalid
pci_link19: BIOS IRQ 21 for 0.8.INTA is invalid
pci_link17: BIOS IRQ 22 for 0.10.INTA is invalid
pci1:  on pcib1
pci1:  at device 5.0 (no driver attached)
nve0:  port 0xbc00-0xbc07 mem
0xfe02a000-0xfe02afff irq 22 at device 10.0 on pci0
nve0: Ethernet address 00:e0:81:58:cf:71
miibus0:  on nve0
ukphy0:  on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto
nve0: Ethernet address: 00:e0:81:58:cf:71
nve0: [GIANT-LOCKED]
pcib2:  at device 11.0 on pci0
pci2:  on pcib2
pcib3:  at device 12.0 on pci0
pci3:  on pcib3
pcib4:  at device 13.0 on pci0
pci4:  on pcib4
bge0:  mem
0xfdaf-0xfdaf irq 19 at device 0.0 on pci4
miibus1:  on bge0
brgphy0:  on miibus1
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX,
1000baseTX-FDX, auto
bge0: Ethernet address: 00:e0:81:58:cf:72
pcib5:  at device 14.0 on pci0
pci5:  on pcib5
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
orm0:  at iomem
0xc-0xc7fff,0xc8000-0xcbfff,0xce000-0xcf7ff on isa0
atkbdc0:  at port 0x60,0x64 on isa0
atkbd0:  flags 0x1 irq 1 on atkbdc0
device_attach: atkbd0 attach returned 6
ppc0: cannot reserve I/O port range
sc0:  at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0:  at port 0x3c0-0x3df iomem 0xa-0xb on isa0
ukbd0: DELL DELL USB Keyboard, rev 1.10/1.04, addr 2, iclass 3/1
kbd0 at ukbd0
Timecounter "TSC" frequency 2211343400 Hz quality 800
Timecounters tick every 1.000 msec
acd0: CDROM  at ata0-master UDMA33
ad4: 76319MB  at ata2-master SATA150
Trying to mount root from ufs:/dev/ad4s1a

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: cvsup'dating several machines

2007-01-12 Thread David Robillard

I will soon update FreeBSD on several machines from 4.11 to 5.5, they
are all at the same level of 4.11.

I would like to save network bandwidth, would it be OK/enough if I
cvsup one machine and then copy /usr/src from that opne to the others?


Hi Olivier,

If you run an infrastructure of multiple FreeBSD machines, then you
should consider building a local CVSup mirror.

This way, you'll avoid the error-prone and tedious process of copying
/usr/src from one machine to the others by hand.

Plus, with a local update server, you make sure all your machines have
the exact same FreeBSD sources. You can also use this machine not only
for CVSup, but for all of your ports repository, thus saving even more
bandwidth. Not to mention the speed increase every time you run cvsup.
It's way faster to cvsup on the local LAN than from the internet.

To get you started, check out this article from O'Reilly ONLamp's
author Michael Lucas at
http://www.onlamp.com/pub/a/bsd/2001/08/30/Big_Scary_Daemons.html

Now, we've made several modifications to the above article to include
a generic update user on our machines which uses scponly(8) and
sudo(8) with ssh keys to encrypt all of our CVS and porteasy(8)
updates. It also permits you to delegate the cvsup(1) of the machines
to other admins without giving them the root password. If you're
interested, I can send you the documentation.

Have fun!

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: [Opinions Wanted] Dell PowerEdge 2950 Servers ...

2007-01-26 Thread David Robillard

Have a friend that swears by them, but ... he's in the Linux camp, so tends to
have a quasi-inside track ...

What are ppls opinions on them as far as FreeBSD is concerned?

Also, interested in what sort of specs ppl are running ... I'm interested in
going with an 8xSAS drive system, dual-dual-core, figuring 10 or 16G of RAM ...
redundant power and the Dell Remote Access Card ...


My personal experience with Dell is that it's ok until you hit a
problem. Then it's hell. So bad, in fact, that we don't purchase them
anymore and have gone with IBM and HP systems for our FreeBSD, RedHat
and Windows machines.

IMHO, the problem with Dell is not their hardware, but their support
(or lack of it).

If you plan on running your business on Dell, be prepared for
incredibly bad and horrible support, be it consumer product support or
enterprise 24/7/365 type support.

Dell "support" is a total waste of money and time, but a superb source
of frustration (so if you're looking to get frustrated, there's your
chance :). I even had to wait two complete days (!) to resolve a
24/7/365 type support call! Pathetic, really.

Not that the hardware is good either, far from it. Place equivalent
IBM, Dell, HP and Sun machines next to one another and you quickly see
that Dell uses sub-quality parts. There is less precise documentation
printed directly on the machine (a technique IBM and Sun have
mastered). You often need two or three different screwdrivers to take
the various pieces apart, while with the other Tier-1 vendors, most
pieces don't even require any tool at all.

Finally, the Documentation that is shipped with the Dell machines is
of dubious quality compared with the other top vendors.

So, to sum up, I strongly recommend going with either IBM or HP for
FreeBSD systems. With them, you get quality hardware and real support.
Of course it might be a bit more expensive. But it's worth it. Well,
you get what you pay for don't you?

YMMV of course.

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Question:encryption tool.

2007-02-06 Thread David Robillard

Thanks a lot, Our current backup system is veritas netbackup,  and changing
that to entire bacula is best thing for me,


May I ask why you would prefer Bacula over NetBackup? I'm just
curious, because having worked with both, I personally prefer
NetBackup.



so they wanted me encrypt these files,  that is on the backup location
before the netbackup scheduler picks up these files.

Database is getting backed up to a disk location and from there netbackup
agent picks up and writes it into the tape , but we have these 13 flat files
that go into offsite which really needs encryption and decryption logic in
place upon   after restore back to disk .


If those databases are all Oracle instances, then you might want to
take a look at Oracle Secure Backup. It does exactly what you need.

More info here:
http://www.oracle.com/technology/products/secure-backup/index.html

Cheers,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Question:encryption tool.

2007-02-06 Thread David Robillard

On 2/6/07, Dak Ghatikachalam <[EMAIL PROTECTED]> wrote:
[...snip!...]


Thanks a lot  , but we are on Oracle9i  database, the Oracle secure backup
they are talking would be nice on 10G onwards


Well, not according to the FAQ. Here is what it says:

-- What Oracle database versions does Oracle Secure Backup support?
Oracle Secure Backup installs with a native integration of Oracle
Database's via Oracle Recovery Manager (RMAN), which supports Oracle9i
forward.

So if you're running 9i, you should be alright.

You can get your hands on the FAQ at
http://www.oracle.com/technology/products/secure-backup/pdf/FAQ.pdf

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Anyone running FreeBSD 6.x on HP DL320 G5?

2007-02-08 Thread David Robillard

If anyone is running FreeBSD 6.x on a HP DL320 G5 ?


The following URL contains good information on running FreeBSD on
Compaq/HP systems.

http://people.freebsd.org/~jcagle/

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: RSA SecurID Pam Module Support?

2007-05-04 Thread David Robillard

We have recently purchased an RSA SecurID Appliance and there are no
native libraries for *BSD OS's.  I have downloaded and installed the
appropriate files within the Linux Compat environment, but I'm not
having any success making it work.  Specifically, the key file in
question is /compat/linux/lib/pam_securid.so.  When I add the
appropriate configuration line to /etc/pam.d/sshd and attempt to log in
I get the following:

May  3 09:43:01 ad-mon01 sshd[30508]: in openpam_load_module(): no
/compat/linux/lib/pam_securid.so found
May  3 09:43:01 ad-mon01 sshd[30508]: fatal: PAM: initialisation failed

Of course, the file actually does exist.

-rwxr-xr-x  1 1047  900  895304 May  2 11:13
/compat/linux/lib/pam_securid.so

Has anyone had any success getting this .so to work under FreeBSD,
specifically 6.2 Release?


Hi Michael,

We're also running some RSA SecurID Appliances. Since we need the
support from RSA and FreeBSD is not listed in their supported OS
matrix, we decided to use RedHat for the front-end HTTP servers that run
their module. All the rest of our business applications that require
RSA authentication run under FreeBSD.

IMHO you should only use an RSA supported OS to run their module.
Because otherwise you won't receive any help from them if they know
you're running this under FreeBSD. Sad, but unfortunately true.

Good luck,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: scponly chroot doesn't work FB6.2

2007-05-10 Thread David Robillard

I can't seem to make scponly work with a chrooted jail. I've
read many articles on how FreeBSD's scripts for making jails
really don't work and a manual mknod of $jail/dev/null must
be done, but it still doesn't work...

I'd appreciate any help


You might want to check out the port shells/rssh instead of shells/scponly.

http://www.freebsd.org/cgi/url.cgi?ports/shells/rssh/pkg-descr

I'm not sure it does exactly what you're looking for, but it has
similar features as scponly.

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Difference between `mod_auth_mysql' and `mod_auth_mysql_another'.

2005-04-20 Thread David Robillard
Hello everyone,

I'm looking for a clear document which explains the differences between
the `mod_auth_mysql' and `mod_auth_mysql_another' ports.

Ideally, a grid with all of the possible options on top and on the left
one line for both modules would be great. Some kind of one-on-one comparison.

So far, I understand that `mod_auth_mysql_another' understands more
encryption methods than `mod_auth_mysql'. But what are the other differences?

Could someone please point me in the right direction?

Many thanks,

David

-- 
David Robillard
UNIX systems administrator
david DOT robillard CIRCLED_A notarius DOT com

Notarius (TSIN) Inc.
465, rue St-Jean, suite 200
Montreal, Quebec, H2Y 2R6

Tel. : +1 514 966 0122
Fax. : +1 514 281 1226

http://www.notarius.com



Re: common filesystem for Linux and FreeBSD

2007-12-17 Thread David Robillard
> That being the case, there is some data I would like to keep available to
> both FreeBSD and Linux systems, in stable read/write access with
> reasonably high access performance for both (fast enough to achieve
> decent frame rates, for instance).  This seems to rule out both ext3 and
> UFS2.  What filesystem(s) meet(s) my needs in this case?

NFS would probably do it. You can use either OS as the NFS server and
use which ever file system you desire.

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: Sun Fire X4600 Server & FreeBSD

2008-01-04 Thread David Robillard
> Those who have experience with  "Sun Fire X4600 Server & FreeBSD", please 
> respond.

Hi Susanth,

Your best option is to contact your Sun sales rep and arrange a test
of the system. Sun and its resellers usually grant access to their
hardware at their facilities for you to try before you buy. In this
way you can use the FreeBSD/amd64 install CD and perform a real-life
test of the X4600.

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: How backup huge pgsql ?

2008-01-14 Thread David Robillard
> I want to know how I can make a backup of a huge postgresql database (huge
> means ~2 TB).
>
> I can stop the access of the database during N>>1 hours.
>
> Any idea about this ?

I got around this particular problem by setting up a read-only mirror
of an Oracle instance using Oracle DataGuard. Of course the product is
Oracle-specific, but the idea should apply to PostgreSQL databases as
well, and it's what we're in the process of installing here.

The idea is to set up an identical but read-only copy of the production
database on a separate machine. This read-only copy is kept in sync
with the production database using one of the PostgreSQL high-availability
features discussed at postgresql.org/docs/8.2/static/high-availability.html,
such as master-slave replication or synchronous multi-master replication.

Say you're using a Master-Slave Replication. With this setup, you can
stop the Master-Slave replication before running the backup on the
read-only copy on the slave machine. This way you have a consistent
view of your data while you backup and the production database is
still online. Once your backup is over, you simply turn on the
replication again to update your slave's data with what has changed on
the master while the replication was offline. Simple and effective.
Beware, you will take a performance hit when you turn replication on.

What's more, since you now have a read-only database, you can use it
in your pre-production and test environments without any impact on
your production systems.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: compiling kernel with PAE

2008-01-21 Thread David Robillard
> Getting an error when trying to compile a kernel on 5.4 and 6.2 with the
> PAE option. I've tried NO_MODULES in make.conf as well...
>
> se2 -ffreestanding -Werror  /usr/src/sys/dev/advansys/advansys.c
> /usr/src/sys/dev/advansys/advansys.c: In function `adv_action':
> /usr/src/sys/dev/advansys/advansys.c:260: warning: cast from pointer to 
> integer of different size
> *** Error code 1
>
> Stop in /usr/obj/usr/src/sys/WEBTENT.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
>
> This is a custom kernel build with the QUOTA option, I take out the PAE
> option and all makes fine. I did a src-all update with RELENG_VER tag
> prior to building. I assume this is a driver issue compatible with PAE?
>
> Also, can I run amd64 release on this Intel Xeon dual proc with 6GB RAM?
> Thinking about loading 6.3 amd64 if possible. Excuse my ignorance, I am
> not a hardware guy, I am a programmer.
>
> CPU: Intel(R) Xeon(TM) CPU 3.00GHz (3000.12-MHz 686-class CPU)
>   Origin = "GenuineIntel"  Id = 0xf41  Stepping = 1
>   
> Features=0xbfebfbff MOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
>   Features2=0x641d>
>   AMD Features=0x2010
>   Logical CPUs per core: 2

According to http://www.freebsd.org/platforms/amd64.html the Intel
Xeon (3000-sequence, 5000-sequence, and 7000-sequence) processors use
the Intel(R) 64 architecture. Therefore if your Intel Xeon is in the
3000-, 5000- or 7000-sequence, then you can use FreeBSD/amd64 and use
the memory above 4 GB. IMHO it should be simpler and more efficient
than compiling a kernel with PAE support.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


How to link CPAN to FreeBSD ports perl modules?

2006-04-19 Thread David Robillard
Hello everyone,

I'm looking for a way to link perl modules found in CPAN and the ones
found in the FreeBSD ports repository.

For example, let's say I need to install the following CPAN module:

http://search.cpan.org/dist/libwww-perl/lib/HTTP/Request/Common.pm

A search in the ports for " ^p5-HTTP " will return all perl modules
whose names start with p5-HTTP. But the above CPAN module is not listed.

Does this mean that the CPAN module is not in the ports? Or is there
another way to link CPAN modules to the ports collection?

Any help would be appreciated.

Cheers,

David

--
David Robillard
UNIX systems administrator, CISSP
Montreal: +1 514 966 0122


Re: BIND inside a jail on FreeBSD 6.0

2006-05-01 Thread David Robillard

--

Date: Fri, 28 Apr 2006 19:36:22 -0600
From: "Chad Leigh -- Shire.Net LLC" <[EMAIL PROTECTED]>
Subject: Re: BIND inside a jail on FreeBSD 6.0
To: patrick <[EMAIL PROTECTED]>
Cc: freebsd-questions@freebsd.org

On Apr 28, 2006, at 6:57 PM, patrick wrote:


I'm trying to run BIND inside a jail on FreeBSD 6.0, and I'm
encountering the following problem:

[EMAIL PROTECTED] /var/named]# /etc/rc.d/named start
mount_devfs: Operation not permitted
/etc/rc.d/named: WARNING: devfs_domount(): Unable to mount devfs on
/var/named/dev
devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted
devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted
Starting named.

And then it doesn't start...

(I realize that BIND already runs in a chroot'd environment, but I'm
running a second copy of BIND on an existing development server as a
secondary test environment.)

The problem looks like it originates in /etc/rc.d/named:

   # Mount a devfs in the chroot directory if needed
   #
   umount ${named_chrootdir}/dev 2>/dev/null
   devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
   devfs -m ${named_chrootdir}/dev rule apply path null unhide
   devfs -m ${named_chrootdir}/dev rule apply path random unhide

I tried mounting the devfs outside the jail to the jail's
/var/named/dev, and then commenting out these lines above, but named
will still not start. Does anyone have any suggestions?


BIND is trying to setup a chroot(8) before it starts. If you're
already inside a jail, then IMHO it is a little overkill (i.e. Running
BIND in a chroot inside a jail).

Check the BIND-related values in rc.conf(5). The chroot(8) startup is
triggered via this one:

named_chrootdir="/var/named"    # Chroot directory (or "" not to auto-chroot it)

So try setting it to

named_chrootdir=""

and it should disable the chroot code from the startup script.

Of course, if you still need to chroot(8) your named(8) install inside
your jail, then you're at the same point. Consider running another
jail perhaps? Or use BIND's view feature.

Hope this helps,

David



Thanks,

Patrick
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-[EMAIL PROTECTED]"


--
David Robillard
UNIX systems administrator, CISSP
Montreal: +1 514 966 0122
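A pre-flight check for the failure discussed in this thread, written as an added example (it is not from the post and not part of FreeBSD's rc.d/named): it reads the effective named_chrootdir from an rc.conf-style file and, combined with a "jailed" flag (what `sysctl -n security.jail.jailed` prints: 1 inside a jail, 0 on the host), says whether the chroot/devfs code in /etc/rc.d/named will run and fail. The only assumption is the default: when the file does not set it, named_chrootdir is taken to be "/var/named", the /etc/defaults/rc.conf value quoted above.

```shell
#!/bin/sh
# Added example, not from the post. Decides whether rc.d/named's
# devfs_domount code will run given an rc.conf file and a jailed flag.

# named_chrootdir_from FILE
# Prints the effective named_chrootdir after sourcing FILE in a subshell
# (the caller's environment is untouched). The default is applied first,
# so a file that never mentions named_chrootdir still means "chroot".
named_chrootdir_from() {
    case "$1" in */*) f=$1 ;; *) f=./$1 ;; esac   # '.' must not search PATH
    (
        named_chrootdir="/var/named"   # assumed /etc/defaults/rc.conf value
        . "$f"
        printf '%s\n' "$named_chrootdir"
    )
}

# named_chroot_check FILE JAILED
# Prints one line: "no-chroot", "chroot-ok <dir>" or "chroot-in-jail <dir>".
# Returns 1 only for chroot-in-jail, the combination that produces
# "mount_devfs: Operation not permitted" when named starts.
named_chroot_check() {
    dir=$(named_chrootdir_from "$1")
    jailed=$2
    if [ -z "$dir" ]; then
        echo "no-chroot"            # named_chrootdir="": rc.d/named skips the chroot code
        return 0
    fi
    if [ "$jailed" = 1 ]; then
        echo "chroot-in-jail $dir"  # devfs cannot be mounted on $dir/dev inside a jail
        return 1
    fi
    echo "chroot-ok $dir"
    return 0
}

# named_chroot_advice FILE JAILED
# Human-readable wrapper around the check; always exits 0.
named_chroot_advice() {
    verdict=$(named_chroot_check "$1" "$2") || true
    case "$verdict" in
        chroot-in-jail*)
            echo "named_chrootdir is set but this system is a jail:" \
                 "set named_chrootdir=\"\" in $1, or give this named its own jail" ;;
        chroot-ok*)
            echo "named will chroot to ${verdict#chroot-ok }" ;;
        no-chroot)
            echo "chroot disabled; named runs directly in this jail or host" ;;
    esac
}

# Stand-alone use on a FreeBSD system (the sysctl is assumed to exist):
#   named_chroot_advice /etc/rc.conf "$(sysctl -n security.jail.jailed)"
```

The two-value verdict is deliberate: "no-chroot" inside a jail is the configuration the reply recommends, while "chroot-ok" on the host is the stock setup, and only the remaining combination needs attention.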


Re: Software RAID guidance

2006-05-05 Thread David Robillard

Robert Fitzpatrick wrote:


I have an old NT4 PIII here that has a pair of Adaptec Array1000 Family
controllers with 2 pairs of identical drives on one of them (2 IBM 9GB
and 2 Seagate 35GB). From what I googled, *nix does not support the
controller, so I have removed the RAID arrays and loaded FreeBSD 6.0
onto the two IBM drives. Now, I want to mirror the other two for data
and am looking for guidance as to whether it is, first of all, suited for
software RAID and if so, CCD or vinum. I am contemplating vinum because
the handbook mentions CCD is for when cost is the important factor, and for
me, it is reliability. What would someone suggest? If vinum, one thing I
don't quite understand is, do I create the partitions to be used in the
device? There doesn't seem to be a man page for gvinum and the link to it in
the handbook section 19.6.1 is broken.


Hi Robert,

I use gmirror(8) to set up RAID 1 volumes. I've used it successfully
with IDE, SCSI and SATA drives. It is very simple to set up and
administration is easy. If you only need RAID 1, then you should try
it out. Should you need RAID 5 and/or a fully fledged volume manager,
then vinum is the way.

I also wrote a document on gmirror(8) setup. If you're interested, I
can share it with you.

David

FYI: man page URLs

gmirror(8)
http://www.freebsd.org/cgi/man.cgi?query=gmirror&apropos=0&sektion=0&manpath=FreeBSD+6.0-RELEASE+and+Ports&format=html

vinum(4)
http://www.freebsd.org/cgi/man.cgi?query=vinum&apropos=0&sektion=0&manpath=FreeBSD+6.0-RELEASE+and+Ports&format=html

--
David Robillard
UNIX systems administrator, CISSP
Montreal: +1 514 966 0122


Broken Compaq ML530 G1 ACPI.

2006-05-09 Thread David Robillard

Hi everyone,

We have some Compaq ML530 G1 machines and I would like to upgrade them
to FreeBSD 6.0-RELEASE-p7. Unfortunately, the ACPI seems to be broken
and the systems freeze when booting with ACPI.

I did not find a whole lot of info on the mailing list archives. Just this post
http://lists.freebsd.org/pipermail/freebsd-acpi/2005-December/002324.html
from which I tried the patch. But it fails to compile.

I then tried using my own AML file built with acpidump(8) and changing
loader.conf(5) with the following:

acpi_dsdt_load="YES"
acpi_dsdt_name="/boot/acpi_dsdt.aml" # You may change this name.

But again it failed miserably.

Can anyone give me a hand with this problem? I am not a member of the
freebsd-acpi mailing list, so please reply to me at this address.

Many thanks,

David

--
David Robillard
UNIX systems administrator, CISSP
Montreal: +1 514 966 0122


Re: securing beyond the handbook.

2006-05-10 Thread David Robillard

Date: Wed, 10 May 2006 09:17:30 -0400
From: "Jim Stapleton" <[EMAIL PROTECTED]>
Subject: securing beyond the handbook
To: freebsd-questions@freebsd.org
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I'm about to get a static IP and direct outside access for my BSD box
(before it was hidden behind a firewall/NAT). I was comfortable with
the level of security I've had, but with the whole "open to the
outside world" setup I'll have, what would you suggest for securing
it?

I'll be running:
Apache
PHP
MySQL
SSH/SFTP
OpenRPG (only occasionally, from a special nonpriv account)

Any suggestions, any of these that you know are such huge security
holes that you would absolutely demand something else be run?

Any other security suggestions?


Hi Jim,

I would strongly suggest running your internet accessible applications
from inside a jail. Check some man pages for jail information:
jail(8), jls(8) and jexec(8). The nice thing about jails is that once
everything is installed and running, you can strip them of any files
which are not used by your applications (such as compilers, for
example). Therefore, if someone breaks in, he is limited in his
capabilities. Plus he does not gain your real root password (assuming
you are not using the same passwords in your jail, of course ;)

Configure sshd(8) to allow only a certain set of trusted users via
AllowUsers configuration. Prohibit direct root login via
"PermitRootLogin no" and consider using public keys with a strong
passphrase instead of a simple password for login. If you have a
Kerberos server, use it.

Next, check your network architecture. Give your jail the public IP or
NAT it in your firewall to a DMZ section of your network. Make sure
your internet accessible applications are not inside your LAN. Be
certain to never let internet connections have direct access to
machines inside the LAN.

Also, consider running host intrusion detection, such as Osiris,
Samhain or Tripwire. You can find them all in the FreeBSD ports.
Talking of ports, make sure you install security/portaudit to keep
track of your ports' security.

Subscribe to the FreeBSD security mailing list and take action when an
advisory is sent.

Use mod_security with your Apache server: http://www.modsecurity.org/
Actually, remove all unused Apache modules from your httpd.conf(5).


Run your MySQL database on another host (or another jail) which is in
a separate database DMZ which can only be accessed by certain well
defined hosts.

Use tcp_wrappers to secure your connections. Use sudo(8) instead of root.

Finally, check out some really good books on various security related issues:

Mastering FreeBSD and OpenBSD security from O'Reilly.
Apache Security from O'Reilly.
Essential PHP Security from O'Reilly.
Host Integrity Monitoring using Osiris and Samhain from Syngress.
FreeBSD security & hardening guide: http://www.syslog.org/Content-5-4.phtml

Oh, and don't forget to backup regularly. It's also part of your security.

Have fun!

David


Thanks,
-Jim


--
David Robillard
UNIX systems administrator, CISSP
Montréal: +1 514 966 0122
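An audit script for the sshd(8) advice in this reply (AllowUsers, PermitRootLogin no, keys instead of passwords), added here as an example; it is not from the post. Parsing follows sshd_config(5): keywords are case-insensitive, the first occurrence of a keyword wins, "#" starts a comment, and everything after the first "Match" line is conditional and therefore ignored for the global verdict. Assumptions: only the whitespace-separated "Keyword value" form is handled (not "Keyword=value"), and an unset PermitRootLogin or PasswordAuthentication is treated as the permissive default of the OpenSSH releases of that time.

```shell
#!/bin/sh
# Added example, not from the post: report weak global settings in an
# sshd_config file. Requires only POSIX sh, awk, tr and mktemp.

# sshd_opt FILE KEYWORD
# Prints the effective global value of KEYWORD (multi-word values are
# joined with single spaces), or nothing when FILE never sets it.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 1 { next }     # comments and blank lines
        tolower($1) == "match"     { exit }     # global section ends here
        NF >= 2 && tolower($1) == key {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            exit                                # first occurrence wins
        }' "$1"
}

# lc STRING: lower-case helper for case-insensitive value comparison
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_audit FILE
# Prints one finding per line; returns the number of findings (0 = pass).
sshd_audit() {
    n=0
    v=$(sshd_opt "$1" PermitRootLogin)
    if [ "$(lc "${v:-yes}")" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}': add 'PermitRootLogin no'"
        n=$((n + 1))
    fi
    v=$(sshd_opt "$1" AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers is unset: every account may log in; list the trusted users"
        n=$((n + 1))
    fi
    v=$(sshd_opt "$1" PasswordAuthentication)
    if [ "$(lc "${v:-yes}")" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}': use keys with a passphrase, then set it to no"
        n=$((n + 1))
    fi
    return $n
}

# sshd_audit_demo
# Audits a constructed sample (embedded below) and prints the finding
# count; the Match block shows why per-user overrides do not count globally.
sshd_audit_demo() {
    f=$(mktemp) || return 0
    cat > "$f" <<'EOF'
# constructed sample, not a real host's file
Port 22
Protocol 2
#PermitRootLogin no
permitrootlogin YES
Match User deploy
    PasswordAuthentication no
EOF
    findings=0
    sshd_audit "$f" || findings=$?
    rm -f "$f"
    echo "findings: $findings"
}

# Stand-alone use: sshd_audit /etc/ssh/sshd_config; echo "findings: $?"
```

The exit status doubles as the finding count, so the function drops straight into a cron job or a configuration-management check; the demo sample yields three findings because the commented-out line and the Match-scoped line do not change the global settings.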


Re: Keyspan USB2Serial

2006-05-19 Thread David Robillard

On Thu, 18 May 2006 22:09:50 -0400
Jason Lixfeld <[EMAIL PROTECTED]> wrote:
Do you have ucom device in your kernel?

Yup:

# egrep "ugen|ucom" /usr/src/sys/amd64/conf/RICKY
device  ugen    # Generic
device  ucom
#

After you plug it in, have you got any /dev/cua*?

Only:

# ls -al /dev/cuad0
crw-rw  1 uucp  dialer  0,  40 May 18 22:04 /dev/cuad0
#

But it is there regardless as to whether or not the adapter is plugged in.


Hi Jason,

Be careful, because the first adapter I received was actually faulty.
The light would go on and the device would show up in my USB device
tree. But it would not work. After a few talks with Keyspan's support,
they had to send me a new one for it to work. The whole process was
free of charge.

I would suggest you try the adapter on a MacOS X or Windows machine
along with the software that shipped with it just to make sure it
behaves as intended. Assuming you do have a Mac or a Win machine handy
of course.

FYI: I use this adapter on a MacOS X laptop to access the console of
FreeBSD, RedHat and Sun Microsystems machines. It works like a charm.

Good luck,

David

--
David Robillard
UNIX systems administrator
CISSP
Sun Certified Security Admin
Montreal: +1 514 966 0122


Re: Setting up NIS questions?

2006-05-23 Thread David Robillard

I have 2 NICs in the master node of a small cluster.
bge0 is connected to the outside world with a FQDN
and registered DNS IP address.  bge1 is connected to
a 192.168.0.x internal network.  I'm trying to configure
NIS for the internal network, but ypinit is grabbing the
FQDN.  I've read the Handbook and ypinit manual page
without too much enlightenment. :(

What I'm after is

192.168.0.10  NIS master server
192.168.0.11  NIS slave server
192.168.0.[12-15] NIS clients

Anyone have a pointer to a method to achieve my goals?


I would _strongly_ suggest that you run your firewall from another
machine instead of using your NIS master for this. This really is
Security 101 :)
Check out OpenBSD with pf for this purpose or use a Cisco PIX (you can
find several on eBay).

But if you can't or don't want to do this, why don't you set up a jail for your
NIS master? You can bind the jail to the RFC 1918 IP address range.
Therefore, starting up ypbind inside the jail would only see the
192.168.0/24 network and bind to it. See jail(8), jls(8) and jexec(8).
You might also want to check mount_nullfs(8) to help you with the
jail's ports tree. If you need help with the jail setup, feel free to
email me off the list.

David

--
David Robillard
UNIX systems administrator
CISSP
Sun Certified Security Administrator
Sun Certified Systems Administrator
Montreal: +1 514 966 0122
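The jail layout the reply describes, written out as an added rc.conf(5) fragment (example configuration, not from the post): the jail is bound to the internal 192.168.0.10 address from the question, so the NIS daemons inside it can only ever bind to that address and never see the public bge0 address. The jail_* knobs are those of the FreeBSD 6 rc.d/jail script and the nis_* and rpcbind knobs are standard rc.conf(5) settings; the jail name, directory, hostname and NIS domain name are placeholders.

```shell
## Host side: /etc/rc.conf on the cluster master (FreeBSD 6 rc.d/jail knobs).
jail_enable="YES"
jail_list="nis"
jail_nis_rootdir="/usr/jails/nis"          # placeholder path for the jail tree
jail_nis_hostname="nis.cluster.internal"   # placeholder hostname
jail_nis_ip="192.168.0.10"                 # the internal address from the question
jail_nis_interface="bge1"                  # alias the address onto the internal NIC only
jail_nis_devfs_enable="YES"
# Share the host's ports tree read-only with mount_nullfs(8), as the reply suggests:
jail_nis_mount_enable="YES"
jail_nis_fstab="/etc/fstab.nis"
#   /etc/fstab.nis contains this single line:
#   /usr/ports  /usr/jails/nis/usr/ports  nullfs  ro  0  0

## Jail side: /usr/jails/nis/etc/rc.conf (placeholder NIS domain "cluster").
nisdomainname="cluster"
rpcbind_enable="YES"                       # NIS is RPC based; rpcbind must run in the jail
nis_server_enable="YES"                    # ypserv(8) can only bind to 192.168.0.10 here
nis_yppasswdd_enable="YES"
nis_client_enable="YES"
nis_client_flags="-S cluster,192.168.0.10" # ypbind(8): bind this domain to the listed server only
```

Check the knob names against the rc.conf(5) page of the release actually installed before use; the point of the fragment is the split between the host, which keeps the public interface, and the jail, which owns nothing but the private address.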

