diff options
| author | Sergio Carlavilla Delgado <carlavilla@FreeBSD.org> | 2021-06-06 09:15:27 +0000 |
|---|---|---|
| committer | Sergio Carlavilla Delgado <carlavilla@FreeBSD.org> | 2021-06-06 09:15:55 +0000 |
| commit | a8c5c8965cd534ff9634d95e6d84edb321c273d5 (patch) | |
| tree | 8cffa19a0d8f00db113624a228497231371713e0 /documentation/content/en | |
| parent | 9a8282e7d2151ea37ecd313de5210f77ea5393a4 (diff) | |
| download | doc-a8c5c8965cd534ff9634d95e6d84edb321c273d5.tar.gz doc-a8c5c8965cd534ff9634d95e6d84edb321c273d5.zip | |
Diffstat (limited to 'documentation/content/en')
43 files changed, 9320 insertions, 3286 deletions
diff --git a/documentation/content/en/books/handbook/_index.adoc b/documentation/content/en/books/handbook/_index.adoc index 6551efc869..af69a1236e 100644 --- a/documentation/content/en/books/handbook/_index.adoc +++ b/documentation/content/en/books/handbook/_index.adoc @@ -26,9 +26,16 @@ include::shared/en/mailing-lists.adoc[] [.abstract-title] Abstract -Welcome to FreeBSD! This handbook covers the installation and day to day use of _FreeBSD {rel130-current}-RELEASE_, _FreeBSD {rel122-current}-RELEASE_ and _FreeBSD {rel114-current}-RELEASE_. This book is the result of ongoing work by many individuals. Some sections might be outdated. Those interested in helping to update and expand this document should send email to the {freebsd-doc}. - -The latest version of this book is available from the https://www.FreeBSD.org/[FreeBSD web site]. Previous versions can be obtained from https://docs.FreeBSD.org/doc/[https://docs.FreeBSD.org/doc/]. The book can be downloaded in a variety of formats and compression options from the https://download.freebsd.org/ftp/doc/[FreeBSD FTP server] or one of the numerous link:./mirrors#mirrors-ftp[mirror sites]. Printed copies can be purchased at the https://www.freebsdmall.com/[FreeBSD Mall]. Searches can be performed on the handbook and other documents on the link:https://www.FreeBSD.org/search/[search page]. +Welcome to FreeBSD! This handbook covers the installation and day to day use of _FreeBSD {rel130-current}-RELEASE_, _FreeBSD {rel122-current}-RELEASE_ and _FreeBSD {rel114-current}-RELEASE_. +This book is the result of ongoing work by many individuals. +Some sections might be outdated. +Those interested in helping to update and expand this document should send email to the {freebsd-doc}. + +The latest version of this book is available from the https://www.FreeBSD.org/[FreeBSD web site]. +Previous versions can be obtained from https://docs.FreeBSD.org/doc/[https://docs.FreeBSD.org/doc/]. +The book can be downloaded in a variety of formats and compression options from the https://download.freebsd.org/ftp/doc/[FreeBSD FTP server] or one of the numerous link:./mirrors#mirrors-ftp[mirror sites]. +Printed copies can be purchased at the https://www.freebsdmall.com/[FreeBSD Mall]. +Searches can be performed on the handbook and other documents on the link:https://www.FreeBSD.org/search/[search page]. ''' diff --git a/documentation/content/en/books/handbook/advanced-networking/_index.adoc b/documentation/content/en/books/handbook/advanced-networking/_index.adoc index 73e766a724..a64a5e8fa5 100644 --- a/documentation/content/en/books/handbook/advanced-networking/_index.adoc +++ b/documentation/content/en/books/handbook/advanced-networking/_index.adoc @@ -70,9 +70,16 @@ Before reading this chapter, you should: [[network-routing]] == Gateways and Routes -_Routing_ is the mechanism that allows a system to find the network path to another system. A _route_ is a defined pair of addresses which represent the "destination" and a "gateway". The route indicates that when trying to get to the specified destination, send the packets through the specified gateway. There are three types of destinations: individual hosts, subnets, and "default". The "default route" is used if no other routes apply. There are also three types of gateways: individual hosts, interfaces, also called links, and Ethernet hardware (MAC) addresses. Known routes are stored in a routing table. +_Routing_ is the mechanism that allows a system to find the network path to another system. +A _route_ is a defined pair of addresses which represent the "destination" and a "gateway". +The route indicates that when trying to get to the specified destination, send the packets through the specified gateway. +There are three types of destinations: individual hosts, subnets, and "default". +The "default route" is used if no other routes apply. +There are also three types of gateways: individual hosts, interfaces, also called links, and Ethernet hardware (MAC) addresses. +Known routes are stored in a routing table. -This section provides an overview of routing basics. It then demonstrates how to configure a FreeBSD system as a router and offers some troubleshooting tips. +This section provides an overview of routing basics. +It then demonstrates how to configure a FreeBSD system as a router and offers some troubleshooting tips. [[network-routing-default]] === Routing Basics @@ -100,32 +107,49 @@ host2.example.com link#1 UC 0 0 The entries in this example are as follows: default:: -The first route in this table specifies the `default` route. When the local system needs to make a connection to a remote host, it checks the routing table to determine if a known path exists. If the remote host matches an entry in the table, the system checks to see if it can connect using the interface specified in that entry. +The first route in this table specifies the `default` route. +When the local system needs to make a connection to a remote host, it checks the routing table to determine if a known path exists. +If the remote host matches an entry in the table, the system checks to see if it can connect using the interface specified in that entry. + -If the destination does not match an entry, or if all known paths fail, the system uses the entry for the default route. For hosts on a local area network, the `Gateway` field in the default route is set to the system which has a direct connection to the Internet. When reading this entry, verify that the `Flags` column indicates that the gateway is usable (`UG`). +If the destination does not match an entry, or if all known paths fail, the system uses the entry for the default route. +For hosts on a local area network, the `Gateway` field in the default route is set to the system which has a direct connection to the Internet. +When reading this entry, verify that the `Flags` column indicates that the gateway is usable (`UG`). + The default route for a machine which itself is functioning as the gateway to the outside world will be the gateway machine at the Internet Service Provider (ISP). localhost:: -The second route is the `localhost` route. The interface specified in the `Netif` column for `localhost` is [.filename]#lo0#, also known as the loopback device. This indicates that all traffic for this destination should be internal, rather than sending it out over the network. +The second route is the `localhost` route. +The interface specified in the `Netif` column for `localhost` is [.filename]#lo0#, also known as the loopback device. +This indicates that all traffic for this destination should be internal, rather than sending it out over the network. MAC address:: -The addresses beginning with `0:e0:` are MAC addresses. FreeBSD will automatically identify any hosts, `test0` in the example, on the local Ethernet and add a route for that host over the Ethernet interface, [.filename]#re0#. This type of route has a timeout, seen in the `Expire` column, which is used if the host does not respond in a specific amount of time. When this happens, the route to this host will be automatically deleted. These hosts are identified using the Routing Information Protocol (RIP), which calculates routes to local hosts based upon a shortest path determination. +The addresses beginning with `0:e0:` are MAC addresses. +FreeBSD will automatically identify any hosts, `test0` in the example, on the local Ethernet and add a route for that host over the Ethernet interface, [.filename]#re0#. +This type of route has a timeout, seen in the `Expire` column, which is used if the host does not respond in a specific amount of time. +When this happens, the route to this host will be automatically deleted. +These hosts are identified using the Routing Information Protocol (RIP), which calculates routes to local hosts based upon a shortest path determination. subnet:: -FreeBSD will automatically add subnet routes for the local subnet. In this example, `10.20.30.255` is the broadcast address for the subnet `10.20.30` and `example.com` is the domain name associated with that subnet. The designation `link#1` refers to the first Ethernet card in the machine. +FreeBSD will automatically add subnet routes for the local subnet. +In this example, `10.20.30.255` is the broadcast address for the subnet `10.20.30` and `example.com` is the domain name associated with that subnet. +The designation `link#1` refers to the first Ethernet card in the machine. + -Local network hosts and local subnets have their routes automatically configured by a daemon called man:routed[8]. If it is not running, only routes which are statically defined by the administrator will exist. +Local network hosts and local subnets have their routes automatically configured by a daemon called man:routed[8]. +If it is not running, only routes which are statically defined by the administrator will exist. host:: -The `host1` line refers to the host by its Ethernet address. Since it is the sending host, FreeBSD knows to use the loopback interface ([.filename]#lo0#) rather than the Ethernet interface. +The `host1` line refers to the host by its Ethernet address. +Since it is the sending host, FreeBSD knows to use the loopback interface ([.filename]#lo0#) rather than the Ethernet interface. + -The two `host2` lines represent aliases which were created using man:ifconfig[8]. The `=>` symbol after the [.filename]#lo0# interface says that an alias has been set in addition to the loopback address. Such routes only show up on the host that supports the alias and all other hosts on the local network will have a `link#1` line for such routes. +The two `host2` lines represent aliases which were created using man:ifconfig[8]. +The `=>` symbol after the [.filename]#lo0# interface says that an alias has been set in addition to the loopback address. +Such routes only show up on the host that supports the alias and all other hosts on the local network will have a `link#1` line for such routes. 224:: The final line (destination subnet `224`) deals with multicasting. -Various attributes of each route can be seen in the `Flags` column. <<routeflags>> summarizes some of these flags and their meanings: +Various attributes of each route can be seen in the `Flags` column. +<<routeflags>> summarizes some of these flags and their meanings: [[routeflags]] .Commonly Seen Routing Table Flags @@ -170,34 +194,45 @@ It is also possible to manually add the route using `route`: # route add default 10.20.30.1 .... -Note that manually added routes will not survive a reboot. For more information on manual manipulation of network routing tables, refer to man:route[8]. +Note that manually added routes will not survive a reboot. +For more information on manual manipulation of network routing tables, refer to man:route[8]. [[network-static-routes]] === Configuring a Router with Static Routes -A FreeBSD system can be configured as the default gateway, or router, for a network if it is a dual-homed system. A dual-homed system is a host which resides on at least two different networks. Typically, each network is connected to a separate network interface, though IP aliasing can be used to bind multiple addresses, each on a different subnet, to one physical interface. +A FreeBSD system can be configured as the default gateway, or router, for a network if it is a dual-homed system. +A dual-homed system is a host which resides on at least two different networks. +Typically, each network is connected to a separate network interface, though IP aliasing can be used to bind multiple addresses, each on a different subnet, to one physical interface. -In order for the system to forward packets between interfaces, FreeBSD must be configured as a router. Internet standards and good engineering practice prevent the FreeBSD Project from enabling this feature by default, but it can be configured to start at boot by adding this line to [.filename]#/etc/rc.conf#: +In order for the system to forward packets between interfaces, FreeBSD must be configured as a router. +Internet standards and good engineering practice prevent the FreeBSD Project from enabling this feature by default, but it can be configured to start at boot by adding this line to [.filename]#/etc/rc.conf#: [.programlisting] .... gateway_enable="YES" # Set to YES if this host will be a gateway .... -To enable routing now, set the man:sysctl[8] variable `net.inet.ip.forwarding` to `1`. To stop routing, reset this variable to `0`. +To enable routing now, set the man:sysctl[8] variable `net.inet.ip.forwarding` to `1`. +To stop routing, reset this variable to `0`. -The routing table of a router needs additional routes so it knows how to reach other networks. Routes can be either added manually using static routes or routes can be automatically learned using a routing protocol. Static routes are appropriate for small networks and this section describes how to add a static routing entry for a small network. +The routing table of a router needs additional routes so it knows how to reach other networks. +Routes can be either added manually using static routes or routes can be automatically learned using a routing protocol. +Static routes are appropriate for small networks and this section describes how to add a static routing entry for a small network. [NOTE] ==== -For large networks, static routes quickly become unscalable. FreeBSD comes with the standard BSD routing daemon man:routed[8], which provides the routing protocols RIP, versions 1 and 2, and IRDP. Support for the BGP and OSPF routing protocols can be installed using the package:net/zebra[] package or port. +For large networks, static routes quickly become unscalable. +FreeBSD comes with the standard BSD routing daemon man:routed[8], which provides the routing protocols RIP, versions 1 and 2, and IRDP. +Support for the BGP and OSPF routing protocols can be installed using the package:net/zebra[] package or port. ==== Consider the following network: image::static-routes.png[] -In this scenario, `RouterA` is a FreeBSD machine that is acting as a router to the rest of the Internet. It has a default route set to `10.0.0.1` which allows it to connect with the outside world. `RouterB` is already configured to use `192.168.1.1` as its default gateway. +In this scenario, `RouterA` is a FreeBSD machine that is acting as a router to the rest of the Internet. +It has a default route set to `10.0.0.1` which allows it to connect with the outside world. +`RouterB` is already configured to use `192.168.1.1` as its default gateway. Before adding any static routes, the routing table on `RouterA` looks like this: @@ -214,14 +249,17 @@ default 10.0.0.1 UGS 0 49378 xl0 192.168.1.0/24 link#2 UC 0 0 xl1 .... -With the current routing table, `RouterA` does not have a route to the `192.168.2.0/24` network. The following command adds the `Internal Net 2` network to ``RouterA``'s routing table using `192.168.1.2` as the next hop: +With the current routing table, `RouterA` does not have a route to the `192.168.2.0/24` network. +The following command adds the `Internal Net 2` network to ``RouterA``'s routing table using `192.168.1.2` as the next hop: [source,shell] .... # route add -net 192.168.2.0/24 192.168.1.2 .... -Now, `RouterA` can reach any host on the `192.168.2.0/24` network. However, the routing information will not persist if the FreeBSD system reboots. If a static route needs to be persistent, add it to [.filename]#/etc/rc.conf#: +Now, `RouterA` can reach any host on the `192.168.2.0/24` network. +However, the routing information will not persist if the FreeBSD system reboots. +If a static route needs to be persistent, add it to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -230,9 +268,11 @@ static_routes="internalnet2" route_internalnet2="-net 192.168.2.0/24 192.168.1.2" .... -The `static_routes` configuration variable is a list of strings separated by a space, where each string references a route name. The variable `route_internalnet2` contains the static route for that route name. +The `static_routes` configuration variable is a list of strings separated by a space, where each string references a route name. +The variable `route_internalnet2` contains the static route for that route name. -Using more than one string in `static_routes` creates multiple static routes. The following shows an example of adding static routes for the `192.168.0.0/24` and `192.168.1.0/24` networks: +Using more than one string in `static_routes` creates multiple static routes. +The following shows an example of adding static routes for the `192.168.0.0/24` and `192.168.1.0/24` networks: [.programlisting] .... @@ -244,31 +284,44 @@ route_net2="-net 192.168.1.0/24 192.168.1.1" [[network-routing-troubleshooting]] === Troubleshooting -When an address space is assigned to a network, the service provider configures their routing tables so that all traffic for the network will be sent to the link for the site. But how do external sites know to send their packets to the network's ISP? +When an address space is assigned to a network, the service provider configures their routing tables so that all traffic for the network will be sent to the link for the site. +But how do external sites know to send their packets to the network's ISP? -There is a system that keeps track of all assigned address spaces and defines their point of connection to the Internet backbone, or the main trunk lines that carry Internet traffic across the country and around the world. Each backbone machine has a copy of a master set of tables, which direct traffic for a particular network to a specific backbone carrier, and from there down the chain of service providers until it reaches a particular network. +There is a system that keeps track of all assigned address spaces and defines their point of connection to the Internet backbone, or the main trunk lines that carry Internet traffic across the country and around the world. +Each backbone machine has a copy of a master set of tables, which direct traffic for a particular network to a specific backbone carrier, and from there down the chain of service providers until it reaches a particular network. -It is the task of the service provider to advertise to the backbone sites that they are the point of connection, and thus the path inward, for a site. This is known as route propagation. +It is the task of the service provider to advertise to the backbone sites that they are the point of connection, and thus the path inward, for a site. +This is known as route propagation. -Sometimes, there is a problem with route propagation and some sites are unable to connect. Perhaps the most useful command for trying to figure out where routing is breaking down is `traceroute`. It is useful when `ping` fails. +Sometimes, there is a problem with route propagation and some sites are unable to connect. +Perhaps the most useful command for trying to figure out where routing is breaking down is `traceroute`. +It is useful when `ping` fails. -When using `traceroute`, include the address of the remote host to connect to. The output will show the gateway hosts along the path of the attempt, eventually either reaching the target host, or terminating because of a lack of connection. For more information, refer to man:traceroute[8]. +When using `traceroute`, include the address of the remote host to connect to. +The output will show the gateway hosts along the path of the attempt, eventually either reaching the target host, or terminating because of a lack of connection. +For more information, refer to man:traceroute[8]. [[network-routing-multicast]] === Multicast Considerations -FreeBSD natively supports both multicast applications and multicast routing. Multicast applications do not require any special configuration in order to run on FreeBSD. Support for multicast routing requires that the following option be compiled into a custom kernel: +FreeBSD natively supports both multicast applications and multicast routing. +Multicast applications do not require any special configuration in order to run on FreeBSD. +Support for multicast routing requires that the following option be compiled into a custom kernel: [.programlisting] .... options MROUTING .... -The multicast routing daemon, mrouted can be installed using the package:net/mrouted[] package or port. This daemon implements the DVMRP multicast routing protocol and is configured by editing [.filename]#/usr/local/etc/mrouted.conf# in order to set up the tunnels and DVMRP. The installation of mrouted also installs map-mbone and mrinfo, as well as their associated man pages. Refer to these for configuration examples. +The multicast routing daemon, mrouted can be installed using the package:net/mrouted[] package or port. +This daemon implements the DVMRP multicast routing protocol and is configured by editing [.filename]#/usr/local/etc/mrouted.conf# in order to set up the tunnels and DVMRP. +The installation of mrouted also installs map-mbone and mrinfo, as well as their associated man pages. +Refer to these for configuration examples. [NOTE] ==== -DVMRP has largely been replaced by the PIM protocol in many multicast installations. Refer to man:pim[4] for more information. +DVMRP has largely been replaced by the PIM protocol in many multicast installations. +Refer to man:pim[4] for more information. ==== [[network-wireless]] @@ -276,22 +329,46 @@ DVMRP has largely been replaced by the PIM protocol in many multicast installati === Wireless Networking Basics -Most wireless networks are based on the IEEE(R) 802.11 standards. A basic wireless network consists of multiple stations communicating with radios that broadcast in either the 2.4GHz or 5GHz band, though this varies according to the locale and is also changing to enable communication in the 2.3GHz and 4.9GHz ranges. - -802.11 networks are organized in two ways. In _infrastructure mode_, one station acts as a master with all the other stations associating to it, the network is known as a BSS, and the master station is termed an access point (AP). In a BSS, all communication passes through the AP; even when one station wants to communicate with another wireless station, messages must go through the AP. In the second form of network, there is no master and stations communicate directly. This form of network is termed an IBSS and is commonly known as an _ad-hoc network_. - -802.11 networks were first deployed in the 2.4GHz band using protocols defined by the IEEE(R) 802.11 and 802.11b standard. These specifications include the operating frequencies and the MAC layer characteristics, including framing and transmission rates, as communication can occur at various rates. Later, the 802.11a standard defined operation in the 5GHz band, including different signaling mechanisms and higher transmission rates. Still later, the 802.11g standard defined the use of 802.11a signaling and transmission mechanisms in the 2.4GHz band in such a way as to be backwards compatible with 802.11b networks. - -Separate from the underlying transmission techniques, 802.11 networks have a variety of security mechanisms. The original 802.11 specifications defined a simple security protocol called WEP. This protocol uses a fixed pre-shared key and the RC4 cryptographic cipher to encode data transmitted on a network. Stations must all agree on the fixed key in order to communicate. This scheme was shown to be easily broken and is now rarely used except to discourage transient users from joining networks. Current security practice is given by the IEEE(R) 802.11i specification that defines new cryptographic ciphers and an additional protocol to authenticate stations to an access point and exchange keys for data communication. Cryptographic keys are periodically refreshed and there are mechanisms for detecting and countering intrusion attempts. Another security protocol specification commonly used in wireless networks is termed WPA, which was a precursor to 802.11i. WPA specifies a subset of the requirements found in 802.11i and is designed for implementation on legacy hardware. Specifically, WPA requires only the TKIP cipher that is derived from the original WEP cipher. 802.11i permits use of TKIP but also requires support for a stronger cipher, AES-CCM, for encrypting data. The AES cipher was not required in WPA because it was deemed too computationally costly to be implemented on legacy hardware. - -The other standard to be aware of is 802.11e. It defines protocols for deploying multimedia applications, such as streaming video and voice over IP (VoIP), in an 802.11 network. Like 802.11i, 802.11e also has a precursor specification termed WME (later renamed WMM) that has been defined by an industry group as a subset of 802.11e that can be deployed now to enable multimedia applications while waiting for the final ratification of 802.11e. The most important thing to know about 802.11e and WME/WMM is that it enables prioritized traffic over a wireless network through Quality of Service (QoS) protocols and enhanced media access protocols. Proper implementation of these protocols enables high speed bursting of data and prioritized traffic flow. - -FreeBSD supports networks that operate using 802.11a, 802.11b, and 802.11g. The WPA and 802.11i security protocols are likewise supported (in conjunction with any of 11a, 11b, and 11g) and QoS and traffic prioritization required by the WME/WMM protocols are supported for a limited set of wireless devices. +Most wireless networks are based on the IEEE(R) 802.11 standards. +A basic wireless network consists of multiple stations communicating with radios that broadcast in either the 2.4GHz or 5GHz band, though this varies according to the locale and is also changing to enable communication in the 2.3GHz and 4.9GHz ranges. + +802.11 networks are organized in two ways. +In _infrastructure mode_, one station acts as a master with all the other stations associating to it, the network is known as a BSS, and the master station is termed an access point (AP). +In a BSS, all communication passes through the AP; even when one station wants to communicate with another wireless station, messages must go through the AP. +In the second form of network, there is no master and stations communicate directly. +This form of network is termed an IBSS and is commonly known as an _ad-hoc network_. + +802.11 networks were first deployed in the 2.4GHz band using protocols defined by the IEEE(R) 802.11 and 802.11b standard. +These specifications include the operating frequencies and the MAC layer characteristics, including framing and transmission rates, as communication can occur at various rates. +Later, the 802.11a standard defined operation in the 5GHz band, including different signaling mechanisms and higher transmission rates. +Still later, the 802.11g standard defined the use of 802.11a signaling and transmission mechanisms in the 2.4GHz band in such a way as to be backwards compatible with 802.11b networks. + +Separate from the underlying transmission techniques, 802.11 networks have a variety of security mechanisms. +The original 802.11 specifications defined a simple security protocol called WEP. +This protocol uses a fixed pre-shared key and the RC4 cryptographic cipher to encode data transmitted on a network. +Stations must all agree on the fixed key in order to communicate. +This scheme was shown to be easily broken and is now rarely used except to discourage transient users from joining networks. +Current security practice is given by the IEEE(R) 802.11i specification that defines new cryptographic ciphers and an additional protocol to authenticate stations to an access point and exchange keys for data communication. +Cryptographic keys are periodically refreshed and there are mechanisms for detecting and countering intrusion attempts. +Another security protocol specification commonly used in wireless networks is termed WPA, which was a precursor to 802.11i. +WPA specifies a subset of the requirements found in 802.11i and is designed for implementation on legacy hardware. +Specifically, WPA requires only the TKIP cipher that is derived from the original WEP cipher. +802.11i permits use of TKIP but also requires support for a stronger cipher, AES-CCM, for encrypting data. +The AES cipher was not required in WPA because it was deemed too computationally costly to be implemented on legacy hardware. + +The other standard to be aware of is 802.11e. It defines protocols for deploying multimedia applications, such as streaming video and voice over IP (VoIP), in an 802.11 network. +Like 802.11i, 802.11e also has a precursor specification termed WME (later renamed WMM) that has been defined by an industry group as a subset of 802.11e that can be deployed now to enable multimedia applications while waiting for the final ratification of 802.11e. +The most important thing to know about 802.11e and WME/WMM is that it enables prioritized traffic over a wireless network through Quality of Service (QoS) protocols and enhanced media access protocols. +Proper implementation of these protocols enables high speed bursting of data and prioritized traffic flow. + +FreeBSD supports networks that operate using 802.11a, 802.11b, and 802.11g. +The WPA and 802.11i security protocols are likewise supported (in conjunction with any of 11a, 11b, and 11g) and QoS and traffic prioritization required by the WME/WMM protocols are supported for a limited set of wireless devices. [[network-wireless-quick-start]] === Quick Start -Connecting a computer to an existing wireless network is a very common situation. This procedure shows the steps required. +Connecting a computer to an existing wireless network is a very common situation. +This procedure shows the steps required. [.procedure] . Obtain the SSID (Service Set Identifier) and PSK (Pre-Shared Key) for the wireless network from the network administrator. @@ -342,16 +419,21 @@ ifconfig_wlan0="WPA SYNCDHCP" ==== Kernel Configuration -To use wireless networking, a wireless networking card is needed and the kernel needs to be configured with the appropriate wireless networking support. The kernel is separated into multiple modules so that only the required support needs to be configured. +To use wireless networking, a wireless networking card is needed and the kernel needs to be configured with the appropriate wireless networking support. +The kernel is separated into multiple modules so that only the required support needs to be configured. -The most commonly used wireless devices are those that use parts made by Atheros. These devices are supported by man:ath[4] and require the following line to be added to [.filename]#/boot/loader.conf#: +The most commonly used wireless devices are those that use parts made by Atheros. +These devices are supported by man:ath[4] and require the following line to be added to [.filename]#/boot/loader.conf#: [.programlisting] .... if_ath_load="YES" .... -The Atheros driver is split up into three separate pieces: the driver (man:ath[4]), the hardware support layer that handles chip-specific functions (man:ath_hal[4]), and an algorithm for selecting the rate for transmitting frames. When this support is loaded as kernel modules, any dependencies are automatically handled. To load support for a different type of wireless device, specify the module for that device. This example is for devices based on the Intersil Prism parts (man:wi[4]) driver: +The Atheros driver is split up into three separate pieces: the driver (man:ath[4]), the hardware support layer that handles chip-specific functions (man:ath_hal[4]), and an algorithm for selecting the rate for transmitting frames. +When this support is loaded as kernel modules, any dependencies are automatically handled. +To load support for a different type of wireless device, specify the module for that device. +This example is for devices based on the Intersil Prism parts (man:wi[4]) driver: [.programlisting] .... @@ -360,10 +442,17 @@ if_wi_load="YES" [NOTE] ==== -The examples in this section use an man:ath[4] device and the device name in the examples must be changed according to the configuration. A list of available wireless drivers and supported adapters can be found in the FreeBSD Hardware Notes, available on the https://www.FreeBSD.org/releases/[Release Information] page of the FreeBSD website. If a native FreeBSD driver for the wireless device does not exist, it may be possible to use the Windows(R) driver with the help of the crossref:config[config-network-ndis,NDIS] driver wrapper. +The examples in this section use an man:ath[4] device and the device name in the examples must be changed according to the configuration. +A list of available wireless drivers and supported adapters can be found in the FreeBSD Hardware Notes, available on the https://www.FreeBSD.org/releases/[Release Information] page of the FreeBSD website. +If a native FreeBSD driver for the wireless device does not exist, it may be possible to use the Windows(R) driver with the help of the crossref:config[config-network-ndis,NDIS] driver wrapper. ==== -In addition, the modules that implement cryptographic support for the security protocols to use must be loaded. These are intended to be dynamically loaded on demand by the man:wlan[4] module, but for now they must be manually configured. The following modules are available: man:wlan_wep[4], man:wlan_ccmp[4], and man:wlan_tkip[4]. The man:wlan_ccmp[4] and man:wlan_tkip[4] drivers are only needed when using the WPA or 802.11i security protocols. If the network does not use encryption, man:wlan_wep[4] support is not needed. To load these modules at boot time, add the following lines to [.filename]#/boot/loader.conf#: +In addition, the modules that implement cryptographic support for the security protocols to use must be loaded. +These are intended to be dynamically loaded on demand by the man:wlan[4] module, but for now they must be manually configured. +The following modules are available: man:wlan_wep[4], man:wlan_ccmp[4], and man:wlan_tkip[4]. +The man:wlan_ccmp[4] and man:wlan_tkip[4] drivers are only needed when using the WPA or 802.11i security protocols. +If the network does not use encryption, man:wlan_wep[4] support is not needed. +To load these modules at boot time, add the following lines to [.filename]#/boot/loader.conf#: [.programlisting] .... @@ -372,7 +461,8 @@ wlan_ccmp_load="YES" wlan_tkip_load="YES" .... -Once this information has been added to [.filename]#/boot/loader.conf#, reboot the FreeBSD box. Alternately, load the modules by hand using man:kldload[8]. +Once this information has been added to [.filename]#/boot/loader.conf#, reboot the FreeBSD box. +Alternately, load the modules by hand using man:kldload[8]. [NOTE] ==== @@ -407,7 +497,8 @@ ath0: AR2413 mac 7.9 RF2413 phy 4.5 Since the regulatory situation is different in various parts of the world, it is necessary to correctly set the domains that apply to your location to have the correct information about what channels can be used. -The available region definitions can be found in [.filename]#/etc/regdomain.xml#. To set the data at runtime, use `ifconfig`: +The available region definitions can be found in [.filename]#/etc/regdomain.xml#. +To set the data at runtime, use `ifconfig`: [source,shell] .... @@ -423,13 +514,18 @@ To persist the settings, add it to [.filename]#/etc/rc.conf#: === Infrastructure Mode -Infrastructure (BSS) mode is the mode that is typically used. In this mode, a number of wireless access points are connected to a wired network. Each wireless network has its own name, called the SSID. Wireless clients connect to the wireless access points. +Infrastructure (BSS) mode is the mode that is typically used. +In this mode, a number of wireless access points are connected to a wired network. +Each wireless network has its own name, called the SSID. +Wireless clients connect to the wireless access points. ==== FreeBSD Clients ===== How to Find Access Points -To scan for available networks, use man:ifconfig[8]. This request may take a few moments to complete as it requires the system to switch to each available wireless frequency and probe for available access points. Only the superuser can initiate a scan: +To scan for available networks, use man:ifconfig[8]. +This request may take a few moments to complete as it requires the system to switch to each available wireless frequency and probe for available access points. +Only the superuser can initiate a scan: [source,shell] .... @@ -442,10 +538,13 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -83:96 100 EPS WPA [NOTE] ==== -The interface must be `up` before it can scan. Subsequent scan requests do not require the interface to be marked as up again. +The interface must be `up` before it can scan. +Subsequent scan requests do not require the interface to be marked as up again. ==== -The output of a scan request lists each BSS/IBSS network found. Besides listing the name of the network, the `SSID`, the output also shows the `BSSID`, which is the MAC address of the access point. The `CAPS` field identifies the type of each network and the capabilities of the stations operating there: +The output of a scan request lists each BSS/IBSS network found. +Besides listing the name of the network, the `SSID`, the output also shows the `BSSID`, which is the MAC address of the access point. +The `CAPS` field identifies the type of each network and the capabilities of the stations operating there: .Station Capability Codes [cols="1,1", frame="none", options="header"] @@ -476,17 +575,21 @@ One can also display the current list of known networks with: # ifconfig wlan0 list scan .... -This information may be updated automatically by the adapter or manually with a `scan` request. Old data is automatically removed from the cache, so over time this list may shrink unless more scans are done. +This information may be updated automatically by the adapter or manually with a `scan` request. +Old data is automatically removed from the cache, so over time this list may shrink unless more scans are done. ===== Basic Settings -This section provides a simple example of how to make the wireless network adapter work in FreeBSD without encryption. Once familiar with these concepts, it is strongly recommend to use <<network-wireless-wpa,WPA>> to set up the wireless network. +This section provides a simple example of how to make the wireless network adapter work in FreeBSD without encryption. +Once familiar with these concepts, it is strongly recommend to use <<network-wireless-wpa,WPA>> to set up the wireless network. -There are three basic steps to configure a wireless network: select an access point, authenticate the station, and configure an IP address. The following sections discuss each step. +There are three basic steps to configure a wireless network: select an access point, authenticate the station, and configure an IP address. +The following sections discuss each step. ====== Selecting an Access Point -Most of the time, it is sufficient to let the system choose an access point using the builtin heuristics. This is the default behavior when an interface is marked as up or it is listed in [.filename]#/etc/rc.conf#: +Most of the time, it is sufficient to let the system choose an access point using the builtin heuristics. +This is the default behavior when an interface is marked as up or it is listed in [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -502,7 +605,8 @@ wlans_ath0="wlan0" ifconfig_wlan0="ssid your_ssid_here DHCP" .... -In an environment where there are multiple access points with the same SSID, which is often done to simplify roaming, it may be necessary to associate to one specific device. In this case, the BSSID of the access point can be specified, with or without the SSID: +In an environment where there are multiple access points with the same SSID, which is often done to simplify roaming, it may be necessary to associate to one specific device. +In this case, the BSSID of the access point can be specified, with or without the SSID: [.programlisting] .... @@ -510,7 +614,9 @@ wlans_ath0="wlan0" ifconfig_wlan0="ssid your_ssid_here bssid xx:xx:xx:xx:xx:xx DHCP" .... -There are other ways to constrain the choice of an access point, such as limiting the set of frequencies the system will scan on. This may be useful for a multi-band wireless card as scanning all the possible channels can be time-consuming. To limit operation to a specific band, use the `mode` parameter: +There are other ways to constrain the choice of an access point, such as limiting the set of frequencies the system will scan on. +This may be useful for a multi-band wireless card as scanning all the possible channels can be time-consuming. +To limit operation to a specific band, use the `mode` parameter: [.programlisting] .... @@ -518,15 +624,25 @@ wlans_ath0="wlan0" ifconfig_wlan0="mode 11g ssid your_ssid_here DHCP" .... -This example will force the card to operate in 802.11g, which is defined only for 2.4GHz frequencies so any 5GHz channels will not be considered. This can also be achieved with the `channel` parameter, which locks operation to one specific frequency, and the `chanlist` parameter, to specify a list of channels for scanning. More information about these parameters can be found in man:ifconfig[8]. +This example will force the card to operate in 802.11g, which is defined only for 2.4GHz frequencies so any 5GHz channels will not be considered. +This can also be achieved with the `channel` parameter, which locks operation to one specific frequency, and the `chanlist` parameter, to specify a list of channels for scanning. +More information about these parameters can be found in man:ifconfig[8]. ====== Authentication -Once an access point is selected, the station needs to authenticate before it can pass data. Authentication can happen in several ways. The most common scheme, open authentication, allows any station to join the network and communicate. This is the authentication to use for test purposes the first time a wireless network is setup. Other schemes require cryptographic handshakes to be completed before data traffic can flow, either using pre-shared keys or secrets, or more complex schemes that involve backend services such as RADIUS. Open authentication is the default setting. The next most common setup is WPA-PSK, also known as WPA Personal, which is described in <<network-wireless-wpa-wpa-psk>>. +Once an access point is selected, the station needs to authenticate before it can pass data. +Authentication can happen in several ways. +The most common scheme, open authentication, allows any station to join the network and communicate. +This is the authentication to use for test purposes the first time a wireless network is setup. +Other schemes require cryptographic handshakes to be completed before data traffic can flow, either using pre-shared keys or secrets, or more complex schemes that involve backend services such as RADIUS. +Open authentication is the default setting. +The next most common setup is WPA-PSK, also known as WPA Personal, which is described in <<network-wireless-wpa-wpa-psk>>. [NOTE] ==== -If using an Apple(R) AirPort(R) Extreme base station for an access point, shared-key authentication together with a WEP key needs to be configured. This can be configured in [.filename]#/etc/rc.conf# or by using man:wpa_supplicant[8]. For a single AirPort(R) base station, access can be configured with: +If using an Apple(R) AirPort(R) Extreme base station for an access point, shared-key authentication together with a WEP key needs to be configured. +This can be configured in [.filename]#/etc/rc.conf# or by using man:wpa_supplicant[8]. +For a single AirPort(R) base station, access can be configured with: [.programlisting] .... @@ -534,12 +650,16 @@ wlans_ath0="wlan0" ifconfig_wlan0="authmode shared wepmode on weptxkey 1 wepkey 01234567 DHCP" .... -In general, shared key authentication should be avoided because it uses the WEP key material in a highly-constrained manner, making it even easier to crack the key. If WEP must be used for compatibility with legacy devices, it is better to use WEP with `open` authentication. More information regarding WEP can be found in <<network-wireless-wep>>. +In general, shared key authentication should be avoided because it uses the WEP key material in a highly-constrained manner, making it even easier to crack the key. +If WEP must be used for compatibility with legacy devices, it is better to use WEP with `open` authentication. +More information regarding WEP can be found in <<network-wireless-wep>>. ==== ====== Getting an IP Address with DHCP -Once an access point is selected and the authentication parameters are set, an IP address must be obtained in order to communicate. Most of the time, the IP address is obtained via DHCP. To achieve that, edit [.filename]#/etc/rc.conf# and add `DHCP` to the configuration for the device: +Once an access point is selected and the authentication parameters are set, an IP address must be obtained in order to communicate. +Most of the time, the IP address is obtained via DHCP. +To achieve that, edit [.filename]#/etc/rc.conf# and add `DHCP` to the configuration for the device: [.programlisting] .... @@ -570,11 +690,14 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 roam:rate 5 protmode CTS wme burst .... -The `status: associated` line means that it is connected to the wireless network. The `bssid 00:13:46:49:41:76` is the MAC address of the access point and `authmode OPEN` indicates that the communication is not encrypted. +The `status: associated` line means that it is connected to the wireless network. +The `bssid 00:13:46:49:41:76` is the MAC address of the access point and `authmode OPEN` indicates that the communication is not encrypted. ====== Static IP Address -If an IP address cannot be obtained from a DHCP server, set a fixed IP address. Replace the `DHCP` keyword shown above with the address information. Be sure to retain any other parameters for selecting the access point: +If an IP address cannot be obtained from a DHCP server, set a fixed IP address. +Replace the `DHCP` keyword shown above with the address information. +Be sure to retain any other parameters for selecting the access point: [.programlisting] .... @@ -585,20 +708,33 @@ ifconfig_wlan0="inet 192.168.1.100 netmask 255.255.255.0 ssid your_ssid_here" [[network-wireless-wpa]] ===== WPA -Wi-Fi Protected Access (WPA) is a security protocol used together with 802.11 networks to address the lack of proper authentication and the weakness of WEP. WPA leverages the 802.1X authentication protocol and uses one of several ciphers instead of WEP for data integrity. The only cipher required by WPA is the Temporary Key Integrity Protocol (TKIP). TKIP is a cipher that extends the basic RC4 cipher used by WEP by adding integrity checking, tamper detection, and measures for responding to detected intrusions. TKIP is designed to work on legacy hardware with only software modification. It represents a compromise that improves security but is still not entirely immune to attack. WPA also specifies the AES-CCMP cipher as an alternative to TKIP, and that is preferred when possible. For this specification, the term WPA2 or RSN is commonly used. +Wi-Fi Protected Access (WPA) is a security protocol used together with 802.11 networks to address the lack of proper authentication and the weakness of WEP. +WPA leverages the 802.1X authentication protocol and uses one of several ciphers instead of WEP for data integrity. +The only cipher required by WPA is the Temporary Key Integrity Protocol (TKIP). +TKIP is a cipher that extends the basic RC4 cipher used by WEP by adding integrity checking, tamper detection, and measures for responding to detected intrusions. +TKIP is designed to work on legacy hardware with only software modification. +It represents a compromise that improves security but is still not entirely immune to attack. +WPA also specifies the AES-CCMP cipher as an alternative to TKIP, and that is preferred when possible. +For this specification, the term WPA2 or RSN is commonly used. -WPA defines authentication and encryption protocols. Authentication is most commonly done using one of two techniques: by 802.1X and a backend authentication service such as RADIUS, or by a minimal handshake between the station and the access point using a pre-shared secret. The former is commonly termed WPA Enterprise and the latter is known as WPA Personal. Since most people will not set up a RADIUS backend server for their wireless network, WPA-PSK is by far the most commonly encountered configuration for WPA. +WPA defines authentication and encryption protocols. +Authentication is most commonly done using one of two techniques: by 802.1X and a backend authentication service such as RADIUS, or by a minimal handshake between the station and the access point using a pre-shared secret. +The former is commonly termed WPA Enterprise and the latter is known as WPA Personal. +Since most people will not set up a RADIUS backend server for their wireless network, WPA-PSK is by far the most commonly encountered configuration for WPA. -The control of the wireless connection and the key negotiation or authentication with a server is done using man:wpa_supplicant[8]. This program requires a configuration file, [.filename]#/etc/wpa_supplicant.conf#, to run. More information regarding this file can be found in man:wpa_supplicant.conf[5]. +The control of the wireless connection and the key negotiation or authentication with a server is done using man:wpa_supplicant[8]. +This program requires a configuration file, [.filename]#/etc/wpa_supplicant.conf#, to run. +More information regarding this file can be found in man:wpa_supplicant.conf[5]. [[network-wireless-wpa-wpa-psk]] ====== WPA-PSK -WPA-PSK, also known as WPA Personal, is based on a pre-shared key (PSK) which is generated from a given password and used as the master key in the wireless network. This means every wireless user will share the same key. WPA-PSK is intended for small networks where the use of an authentication server is not possible or desired. +WPA-PSK, also known as WPA Personal, is based on a pre-shared key (PSK) which is generated from a given password and used as the master key in the wireless network. +This means every wireless user will share the same key. +WPA-PSK is intended for small networks where the use of an authentication server is not possible or desired. [WARNING] ==== - Always use strong passwords that are sufficiently long and made from a rich alphabet so that they will not be easily guessed or attacked. ==== @@ -710,11 +846,17 @@ When DHCP is not used, the default gateway and the nameserver also have to be ma [[network-wireless-wpa-eap-tls]] ====== WPA with EAP-TLS -The second way to use WPA is with an 802.1X backend authentication server. In this case, WPA is called WPA Enterprise to differentiate it from the less secure WPA Personal. Authentication in WPA Enterprise is based on the Extensible Authentication Protocol (EAP). +The second way to use WPA is with an 802.1X backend authentication server. +In this case, WPA is called WPA Enterprise to differentiate it from the less secure WPA Personal. +Authentication in WPA Enterprise is based on the Extensible Authentication Protocol (EAP). -EAP does not come with an encryption method. Instead, EAP is embedded inside an encrypted tunnel. There are many EAP authentication methods, but EAP-TLS, EAP-TTLS, and EAP-PEAP are the most common. +EAP does not come with an encryption method. +Instead, EAP is embedded inside an encrypted tunnel. +There are many EAP authentication methods, but EAP-TLS, EAP-TTLS, and EAP-PEAP are the most common. -EAP with Transport Layer Security (EAP-TLS) is a well-supported wireless authentication protocol since it was the first EAP method to be certified by the http://www.wi-fi.org/[Wi-Fi Alliance]. EAP-TLS requires three certificates to run: the certificate of the Certificate Authority (CA) installed on all machines, the server certificate for the authentication server, and one client certificate for each wireless client. In this EAP method, both the authentication server and wireless client authenticate each other by presenting their respective certificates, and then verify that these certificates were signed by the organization's CA. +EAP with Transport Layer Security (EAP-TLS) is a well-supported wireless authentication protocol since it was the first EAP method to be certified by the http://www.wi-fi.org/[Wi-Fi Alliance]. +EAP-TLS requires three certificates to run: the certificate of the Certificate Authority (CA) installed on all machines, the server certificate for the authentication server, and one client certificate for each wireless client. +In this EAP method, both the authentication server and wireless client authenticate each other by presenting their respective certificates, and then verify that these certificates were signed by the organization's CA. As previously, the configuration is done via [.filename]#/etc/wpa_supplicant.conf#: @@ -778,7 +920,10 @@ It is also possible to bring up the interface manually using man:wpa_supplicant[ [[network-wireless-wpa-eap-ttls]] ====== WPA with EAP-TTLS -With EAP-TLS, both the authentication server and the client need a certificate. With EAP-TTLS, a client certificate is optional. This method is similar to a web server which creates a secure SSL tunnel even if visitors do not have client-side certificates. EAP-TTLS uses an encrypted TLS tunnel for safe transport of the authentication data. +With EAP-TLS, both the authentication server and the client need a certificate. +With EAP-TTLS, a client certificate is optional. +This method is similar to a web server which creates a secure SSL tunnel even if visitors do not have client-side certificates. +EAP-TTLS uses an encrypted TLS tunnel for safe transport of the authentication data. The required configuration can be added to [.filename]#/etc/wpa_supplicant.conf#: @@ -838,12 +983,16 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 [NOTE] ==== -PEAPv0/EAP-MSCHAPv2 is the most common PEAP method. In this chapter, the term PEAP is used to refer to that method. +PEAPv0/EAP-MSCHAPv2 is the most common PEAP method. +In this chapter, the term PEAP is used to refer to that method. ==== -Protected EAP (PEAP) is designed as an alternative to EAP-TTLS and is the most used EAP standard after EAP-TLS. In a network with mixed operating systems, PEAP should be the most supported standard after EAP-TLS. +Protected EAP (PEAP) is designed as an alternative to EAP-TTLS and is the most used EAP standard after EAP-TLS. +In a network with mixed operating systems, PEAP should be the most supported standard after EAP-TLS. -PEAP is similar to EAP-TTLS as it uses a server-side certificate to authenticate clients by creating an encrypted TLS tunnel between the client and the authentication server, which protects the ensuing exchange of authentication information. PEAP authentication differs from EAP-TTLS as it broadcasts the username in the clear and only the password is sent in the encrypted TLS tunnel. EAP-TTLS will use the TLS tunnel for both the username and password. +PEAP is similar to EAP-TTLS as it uses a server-side certificate to authenticate clients by creating an encrypted TLS tunnel between the client and the authentication server, which protects the ensuing exchange of authentication information. +PEAP authentication differs from EAP-TTLS as it broadcasts the username in the clear and only the password is sent in the encrypted TLS tunnel. +EAP-TTLS will use the TLS tunnel for both the username and password. Add the following lines to [.filename]#/etc/wpa_supplicant.conf# to configure the EAP-PEAP related settings: @@ -903,7 +1052,8 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 [[network-wireless-wep]] ===== WEP -Wired Equivalent Privacy (WEP) is part of the original 802.11 standard. There is no authentication mechanism, only a weak form of access control which is easily cracked. +Wired Equivalent Privacy (WEP) is part of the original 802.11 standard. +There is no authentication mechanism, only a weak form of access control which is easily cracked. WEP can be set up using man:ifconfig[8]: @@ -924,7 +1074,8 @@ Replace the `0x3456789012` with the key configured for use on the access point. Refer to man:ifconfig[8] for further information. -The man:wpa_supplicant[8] facility can be used to configure a wireless interface with WEP. The example above can be set up by adding the following lines to [.filename]#/etc/wpa_supplicant.conf#: +The man:wpa_supplicant[8] facility can be used to configure a wireless interface with WEP. +The example above can be set up by adding the following lines to [.filename]#/etc/wpa_supplicant.conf#: [.programlisting] .... @@ -947,7 +1098,8 @@ Associated with 00:13:46:49:41:76 === Ad-hoc Mode -IBSS mode, also called ad-hoc mode, is designed for point to point connections. For example, to establish an ad-hoc network between the machines `A` and `B`, choose two IP addresses and a SSID. +IBSS mode, also called ad-hoc mode, is designed for point to point connections. +For example, to establish an ad-hoc network between the machines `A` and `B`, choose two IP addresses and a SSID. On `A`: @@ -978,7 +1130,8 @@ The `adhoc` parameter indicates that the interface is running in IBSS mode. freebsdap 02:11:95:c3:0d:ac 2 54M -64:-96 100 IS WME .... -The `I` in the output confirms that `A` is in ad-hoc mode. Now, configure `B` with a different IP address: +The `I` in the output confirms that `A` is in ad-hoc mode. +Now, configure `B` with a different IP address: [source,shell] .... @@ -999,16 +1152,19 @@ Both `A` and `B` are now ready to exchange information. [[network-wireless-ap]] === FreeBSD Host Access Points -FreeBSD can act as an Access Point (AP) which eliminates the need to buy a hardware AP or run an ad-hoc network. This can be particularly useful when a FreeBSD machine is acting as a gateway to another network such as the Internet. +FreeBSD can act as an Access Point (AP) which eliminates the need to buy a hardware AP or run an ad-hoc network. +This can be particularly useful when a FreeBSD machine is acting as a gateway to another network such as the Internet. [[network-wireless-ap-basic]] ==== Basic Settings -Before configuring a FreeBSD machine as an AP, the kernel must be configured with the appropriate networking support for the wireless card as well as the security protocols being used. For more details, see <<network-wireless-basic>>. +Before configuring a FreeBSD machine as an AP, the kernel must be configured with the appropriate networking support for the wireless card as well as the security protocols being used. +For more details, see <<network-wireless-basic>>. [NOTE] ==== -The NDIS driver wrapper for Windows(R) drivers does not currently support AP operation. Only native FreeBSD wireless drivers support AP mode. +The NDIS driver wrapper for Windows(R) drivers does not currently support AP operation. +Only native FreeBSD wireless drivers support AP mode. ==== Once wireless networking support is loaded, check if the wireless device supports the host-based access point mode, also known as hostap mode: @@ -1021,7 +1177,10 @@ drivercaps=6f85edc1<STA,FF,TURBOP,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MO cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC> .... -This output displays the card's capabilities. The `HOSTAP` word confirms that this wireless card can act as an AP. Various supported ciphers are also listed: WEP, TKIP, and AES. This information indicates which security protocols can be used on the AP. +This output displays the card's capabilities. +The `HOSTAP` word confirms that this wireless card can act as an AP. +Various supported ciphers are also listed: WEP, TKIP, and AES. +This information indicates which security protocols can be used on the AP. The wireless device can only be put into hostap mode during the creation of the network pseudo-device, so a previously created device must be destroyed first: @@ -1066,7 +1225,8 @@ ifconfig_wlan0="inet 192.168.0.1 netmask 255.255.255.0 ssid freebsdap mode 11g c ==== Host-based Access Point Without Authentication or Encryption -Although it is not recommended to run an AP without any authentication or encryption, this is a simple way to check if the AP is working. This configuration is also important for debugging client issues. +Although it is not recommended to run an AP without any authentication or encryption, this is a simple way to check if the AP is working. +This configuration is also important for debugging client issues. Once the AP is configured, initiate a scan from another wireless machine to find the AP: @@ -1098,11 +1258,13 @@ The client machine found the AP and can be associated with it: [[network-wireless-ap-wpa]] ==== WPA2 Host-based Access Point -This section focuses on setting up a FreeBSD access point using the WPA2 security protocol. More details regarding WPA and the configuration of WPA-based wireless clients can be found in <<network-wireless-wpa>>. +This section focuses on setting up a FreeBSD access point using the WPA2 security protocol. +More details regarding WPA and the configuration of WPA-based wireless clients can be found in <<network-wireless-wpa>>. The man:hostapd[8] daemon is used to deal with client authentication and key management on the WPA2-enabled AP. -The following configuration operations are performed on the FreeBSD machine acting as the AP. Once the AP is correctly working, man:hostapd[8] can be automatically started at boot with this line in [.filename]#/etc/rc.conf#: +The following configuration operations are performed on the FreeBSD machine acting as the AP. +Once the AP is correctly working, man:hostapd[8] can be automatically started at boot with this line in [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -1164,11 +1326,14 @@ wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1 groups: wlan .... -Once the AP is running, the clients can associate with it. See <<network-wireless-wpa>> for more details. It is possible to see the stations associated with the AP using `ifconfig _wlan0_ list sta`. +Once the AP is running, the clients can associate with it. +See <<network-wireless-wpa>> for more details. +It is possible to see the stations associated with the AP using `ifconfig _wlan0_ list sta`. ==== WEP Host-based Access Point -It is not recommended to use WEP for setting up an AP since there is no authentication mechanism and the encryption is easily cracked. Some legacy wireless cards only support WEP and these cards will only support an AP without authentication or encryption. +It is not recommended to use WEP for setting up an AP since there is no authentication mechanism and the encryption is easily cracked. +Some legacy wireless cards only support WEP and these cards will only support an AP without authentication or encryption. The wireless device can now be put into hostap mode and configured with the correct SSID and IP address: @@ -1207,13 +1372,16 @@ SSID BSSID CHAN RATE S:N INT CAPS freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS .... -In this example, the client machine found the AP and can associate with it using the correct parameters. See <<network-wireless-wep>> for more details. +In this example, the client machine found the AP and can associate with it using the correct parameters. +See <<network-wireless-wep>> for more details. === Using Both Wired and Wireless Connections -A wired connection provides better performance and reliability, while a wireless connection provides flexibility and mobility. Laptop users typically want to roam seamlessly between the two types of connections. +A wired connection provides better performance and reliability, while a wireless connection provides flexibility and mobility. +Laptop users typically want to roam seamlessly between the two types of connections. -On FreeBSD, it is possible to combine two or even more network interfaces together in a "failover" fashion. This type of configuration uses the most preferred and available connection from a group of network interfaces, and the operating system switches automatically when the link state changes. +On FreeBSD, it is possible to combine two or even more network interfaces together in a "failover" fashion. +This type of configuration uses the most preferred and available connection from a group of network interfaces, and the operating system switches automatically when the link state changes. Link aggregation and failover is covered in <<network-aggregation>> and an example for using both wired and wireless connections is provided at <<networking-lagg-wired-and-wireless>>. @@ -1234,14 +1402,18 @@ Debugging support is provided by man:wpa_supplicant[8]. Try running this utility net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan> .... + -Many useful statistics are maintained by the 802.11 layer and `wlanstats`, found in [.filename]#/usr/src/tools/tools/net80211#, will dump this information. These statistics should display all errors identified by the 802.11 layer. However, some errors are identified in the device drivers that lie below the 802.11 layer so they may not show up. To diagnose device-specific problems, refer to the drivers' documentation. +Many useful statistics are maintained by the 802.11 layer and `wlanstats`, found in [.filename]#/usr/src/tools/tools/net80211#, will dump this information. +These statistics should display all errors identified by the 802.11 layer. +However, some errors are identified in the device drivers that lie below the 802.11 layer so they may not show up. +To diagnose device-specific problems, refer to the drivers' documentation. If the above information does not help to clarify the problem, submit a problem report and include output from the above tools. [[network-usb-tethering]] == USB Tethering -Many cellphones provide the option to share their data connection over USB (often called "tethering"). This feature uses one of RNDIS, CDC, or a custom Apple(R) iPhone(R)/iPad(R) protocol. +Many cellphones provide the option to share their data connection over USB (often called "tethering"). +This feature uses one of RNDIS, CDC, or a custom Apple(R) iPhone(R)/iPad(R) protocol. * Android(TM) devices generally use the man:urndis[4] driver. * Apple(R) devices use the man:ipheth[4] driver. @@ -1256,7 +1428,8 @@ Before attaching a device, load the appropriate driver into the kernel: # kldload if_ipheth .... -Once the device is attached ``ue``_0_ will be available for use like a normal network device. Be sure that the "USB tethering" option is enabled on the device. +Once the device is attached ``ue``_0_ will be available for use like a normal network device. +Be sure that the "USB tethering" option is enabled on the device. To make this change permanent and load the driver as a module at boot time, place the appropriate line of the following in [.filename]#/boot/loader.conf#: @@ -1270,15 +1443,23 @@ if_ipheth_load="YES" [[network-bluetooth]] == Bluetooth -Bluetooth is a wireless technology for creating personal networks operating in the 2.4 GHz unlicensed band, with a range of 10 meters. Networks are usually formed ad-hoc from portable devices such as cellular phones, handhelds, and laptops. Unlike Wi-Fi wireless technology, Bluetooth offers higher level service profiles, such as FTP-like file servers, file pushing, voice transport, serial line emulation, and more. +Bluetooth is a wireless technology for creating personal networks operating in the 2.4 GHz unlicensed band, with a range of 10 meters. +Networks are usually formed ad-hoc from portable devices such as cellular phones, handhelds, and laptops. +Unlike Wi-Fi wireless technology, Bluetooth offers higher level service profiles, such as FTP-like file servers, file pushing, voice transport, serial line emulation, and more. -This section describes the use of a USB Bluetooth dongle on a FreeBSD system. It then describes the various Bluetooth protocols and utilities. +This section describes the use of a USB Bluetooth dongle on a FreeBSD system. +It then describes the various Bluetooth protocols and utilities. === Loading Bluetooth Support -The Bluetooth stack in FreeBSD is implemented using the man:netgraph[4] framework. A broad variety of Bluetooth USB dongles is supported by man:ng_ubt[4]. Broadcom BCM2033 based Bluetooth devices are supported by the man:ubtbcmfw[4] and man:ng_ubt[4] drivers. The 3Com Bluetooth PC Card 3CRWB60-A is supported by the man:ng_bt3c[4] driver. Serial and UART based Bluetooth devices are supported by man:sio[4], man:ng_h4[4], and man:hcseriald[8]. +The Bluetooth stack in FreeBSD is implemented using the man:netgraph[4] framework. +A broad variety of Bluetooth USB dongles is supported by man:ng_ubt[4]. +Broadcom BCM2033 based Bluetooth devices are supported by the man:ubtbcmfw[4] and man:ng_ubt[4] drivers. +The 3Com Bluetooth PC Card 3CRWB60-A is supported by the man:ng_bt3c[4] driver. +Serial and UART based Bluetooth devices are supported by man:sio[4], man:ng_h4[4], and man:hcseriald[8]. -Before attaching a device, determine which of the above drivers it uses, then load the driver. For example, if the device uses the man:ng_ubt[4] driver: +Before attaching a device, determine which of the above drivers it uses, then load the driver. +For example, if the device uses the man:ng_ubt[4] driver: [source,shell] .... @@ -1292,7 +1473,8 @@ If the Bluetooth device will be attached to the system during system startup, th ng_ubt_load="YES" .... -Once the driver is loaded, plug in the USB dongle. If the driver load was successful, output similar to the following should appear on the console and in [.filename]#/var/log/messages#: +Once the driver is loaded, plug in the USB dongle. +If the driver load was successful, output similar to the following should appear on the console and in [.filename]#/var/log/messages#: [source,shell] .... @@ -1302,7 +1484,9 @@ ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0x83, isoc-out=0x3, wMaxPacketSize=49, nframes=6, buffer size=294 .... -To start and stop the Bluetooth stack, use its startup script. It is a good idea to stop the stack before unplugging the device. Starting the bluetooth stack might require man:hcsecd[8] to be started. When starting the stack, the output should be similar to the following: +To start and stop the Bluetooth stack, use its startup script. It is a good idea to stop the stack before unplugging the device. +Starting the bluetooth stack might require man:hcsecd[8] to be started. +When starting the stack, the output should be similar to the following: [source,shell] .... @@ -1322,9 +1506,16 @@ Number of SCO packets: 8 === Finding Other Bluetooth Devices -The Host Controller Interface (HCI) provides a uniform method for accessing Bluetooth baseband capabilities. In FreeBSD, a netgraph HCI node is created for each Bluetooth device. For more details, refer to man:ng_hci[4]. +The Host Controller Interface (HCI) provides a uniform method for accessing Bluetooth baseband capabilities. +In FreeBSD, a netgraph HCI node is created for each Bluetooth device. +For more details, refer to man:ng_hci[4]. -One of the most common tasks is discovery of Bluetooth devices within RF proximity. This operation is called _inquiry_. Inquiry and other HCI related operations are done using man:hccontrol[8]. The example below shows how to find out which Bluetooth devices are in range. The list of devices should be displayed in a few seconds. Note that a remote device will only answer the inquiry if it is set to _discoverable_ mode. +One of the most common tasks is discovery of Bluetooth devices within RF proximity. +This operation is called _inquiry_. +Inquiry and other HCI related operations are done using man:hccontrol[8]. +The example below shows how to find out which Bluetooth devices are in range. +The list of devices should be displayed in a few seconds. +Note that a remote device will only answer the inquiry if it is set to _discoverable_ mode. [source,shell] .... @@ -1340,7 +1531,10 @@ Inquiry result #0 Inquiry complete. Status: No error [00] .... -The `BD_ADDR` is the unique address of a Bluetooth device, similar to the MAC address of a network card. This address is needed for further communication with a device and it is possible to assign a human readable name to a `BD_ADDR`. Information regarding the known Bluetooth hosts is contained in [.filename]#/etc/bluetooth/hosts#. The following example shows how to obtain the human readable name that was assigned to the remote device: +The `BD_ADDR` is the unique address of a Bluetooth device, similar to the MAC address of a network card. +This address is needed for further communication with a device and it is possible to assign a human readable name to a `BD_ADDR`. +Information regarding the known Bluetooth hosts is contained in [.filename]#/etc/bluetooth/hosts#. +The following example shows how to obtain the human readable name that was assigned to the remote device: [source,shell] .... @@ -1349,11 +1543,14 @@ BD_ADDR: 00:80:37:29:19:a4 Name: Pav's T39 .... -If an inquiry is performed on a remote Bluetooth device, it will find the computer as "your.host.name (ubt0)". The name assigned to the local device can be changed at any time. +If an inquiry is performed on a remote Bluetooth device, it will find the computer as "your.host.name (ubt0)". +The name assigned to the local device can be changed at any time. -Remote devices can be assigned aliases in [.filename]#/etc/bluetooth/hosts#. More information about [.filename]#/etc/bluetooth/hosts# file might be found in man:bluetooth.hosts[5]. +Remote devices can be assigned aliases in [.filename]#/etc/bluetooth/hosts#. +More information about [.filename]#/etc/bluetooth/hosts# file might be found in man:bluetooth.hosts[5]. -The Bluetooth system provides a point-to-point connection between two Bluetooth units, or a point-to-multipoint connection which is shared among several Bluetooth devices. The following example shows how to create a connection to a remote device: +The Bluetooth system provides a point-to-point connection between two Bluetooth units, or a point-to-multipoint connection which is shared among several Bluetooth devices. +The following example shows how to create a connection to a remote device: [source,shell] .... @@ -1371,7 +1568,8 @@ Remote BD_ADDR Handle Type Mode Role Encrypt Pending Queue State 00:80:37:29:19:a4 41 ACL 0 MAST NONE 0 0 OPEN .... -A _connection handle_ is useful when termination of the baseband connection is required, though it is normally not required to do this by hand. The stack will automatically terminate inactive baseband connections. +A _connection handle_ is useful when termination of the baseband connection is required, though it is normally not required to do this by hand. +The stack will automatically terminate inactive baseband connections. [source,shell] .... @@ -1380,13 +1578,24 @@ Connection handle: 41 Reason: Connection terminated by local host [0x16] .... -Type `hccontrol help` for a complete listing of available HCI commands. Most of the HCI commands do not require superuser privileges. +Type `hccontrol help` for a complete listing of available HCI commands. +Most of the HCI commands do not require superuser privileges. === Device Pairing -By default, Bluetooth communication is not authenticated, and any device can talk to any other device. A Bluetooth device, such as a cellular phone, may choose to require authentication to provide a particular service. Bluetooth authentication is normally done with a _PIN code_, an ASCII string up to 16 characters in length. The user is required to enter the same PIN code on both devices. Once the user has entered the PIN code, both devices will generate a _link key_. After that, the link key can be stored either in the devices or in a persistent storage. Next time, both devices will use the previously generated link key. This procedure is called _pairing_. Note that if the link key is lost by either device, the pairing must be repeated. +By default, Bluetooth communication is not authenticated, and any device can talk to any other device. +A Bluetooth device, such as a cellular phone, may choose to require authentication to provide a particular service. +Bluetooth authentication is normally done with a _PIN code_, an ASCII string up to 16 characters in length. +The user is required to enter the same PIN code on both devices. +Once the user has entered the PIN code, both devices will generate a _link key_. +After that, the link key can be stored either in the devices or in a persistent storage. +Next time, both devices will use the previously generated link key. +This procedure is called _pairing_. +Note that if the link key is lost by either device, the pairing must be repeated. -The man:hcsecd[8] daemon is responsible for handling Bluetooth authentication requests. The default configuration file is [.filename]#/etc/bluetooth/hcsecd.conf#. An example section for a cellular phone with the PIN code set to `1234` is shown below: +The man:hcsecd[8] daemon is responsible for handling Bluetooth authentication requests. +The default configuration file is [.filename]#/etc/bluetooth/hcsecd.conf#. +An example section for a cellular phone with the PIN code set to `1234` is shown below: [.programlisting] .... @@ -1398,7 +1607,14 @@ device { } .... -The only limitation on PIN codes is length. Some devices, such as Bluetooth headsets, may have a fixed PIN code built in. The `-d` switch forces man:hcsecd[8] to stay in the foreground, so it is easy to see what is happening. Set the remote device to receive pairing and initiate the Bluetooth connection to the remote device. The remote device should indicate that pairing was accepted and request the PIN code. Enter the same PIN code listed in [.filename]#hcsecd.conf#. Now the computer and the remote device are paired. Alternatively, pairing can be initiated on the remote device. +The only limitation on PIN codes is length. +Some devices, such as Bluetooth headsets, may have a fixed PIN code built in. +The `-d` switch forces man:hcsecd[8] to stay in the foreground, so it is easy to see what is happening. +Set the remote device to receive pairing and initiate the Bluetooth connection to the remote device. +The remote device should indicate that pairing was accepted and request the PIN code. +Enter the same PIN code listed in [.filename]#hcsecd.conf#. +Now the computer and the remote device are paired. +Alternatively, pairing can be initiated on the remote device. The following line can be added to [.filename]#/etc/rc.conf# to configure man:hcsecd[8] to start automatically on system start: @@ -1421,11 +1637,15 @@ hcsecd[16484]: Sending PIN_Code_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29: === Network Access with PPP Profiles -A Dial-Up Networking (DUN) profile can be used to configure a cellular phone as a wireless modem for connecting to a dial-up Internet access server. It can also be used to configure a computer to receive data calls from a cellular phone. +A Dial-Up Networking (DUN) profile can be used to configure a cellular phone as a wireless modem for connecting to a dial-up Internet access server. +It can also be used to configure a computer to receive data calls from a cellular phone. -Network access with a PPP profile can be used to provide LAN access for a single Bluetooth device or multiple Bluetooth devices. It can also provide PC to PC connection using PPP networking over serial cable emulation. +Network access with a PPP profile can be used to provide LAN access for a single Bluetooth device or multiple Bluetooth devices. +It can also provide PC to PC connection using PPP networking over serial cable emulation. -In FreeBSD, these profiles are implemented with man:ppp[8] and the man:rfcomm_pppd[8] wrapper which converts a Bluetooth connection into something PPP can use. Before a profile can be used, a new PPP label must be created in [.filename]#/etc/ppp/ppp.conf#. Consult man:rfcomm_pppd[8] for examples. +In FreeBSD, these profiles are implemented with man:ppp[8] and the man:rfcomm_pppd[8] wrapper which converts a Bluetooth connection into something PPP can use. +Before a profile can be used, a new PPP label must be created in [.filename]#/etc/ppp/ppp.conf#. +Consult man:rfcomm_pppd[8] for examples. In this example, man:rfcomm_pppd[8] is used to open a connection to a remote device with a `BD_ADDR` of `00:80:37:29:19:a4` on a DUNRFCOMM channel: @@ -1434,9 +1654,15 @@ In this example, man:rfcomm_pppd[8] is used to open a connection to a remote dev # rfcomm_pppd -a 00:80:37:29:19:a4 -c -C dun -l rfcomm-dialup .... -The actual channel number will be obtained from the remote device using the SDP protocol. It is possible to specify the RFCOMM channel by hand, and in this case man:rfcomm_pppd[8] will not perform the SDP query. Use man:sdpcontrol[8] to find out the RFCOMM channel on the remote device. +The actual channel number will be obtained from the remote device using the SDP protocol. +It is possible to specify the RFCOMM channel by hand, and in this case man:rfcomm_pppd[8] will not perform the SDP query. +Use man:sdpcontrol[8] to find out the RFCOMM channel on the remote device. -In order to provide network access with the PPPLAN service, man:sdpd[8] must be running and a new entry for LAN clients must be created in [.filename]#/etc/ppp/ppp.conf#. Consult man:rfcomm_pppd[8] for examples. Finally, start the RFCOMMPPP server on a valid RFCOMM channel number. The RFCOMMPPP server will automatically register the Bluetooth LAN service with the local SDP daemon. The example below shows how to start the RFCOMMPPP server. +In order to provide network access with the PPPLAN service, man:sdpd[8] must be running and a new entry for LAN clients must be created in [.filename]#/etc/ppp/ppp.conf#. +Consult man:rfcomm_pppd[8] for examples. +Finally, start the RFCOMMPPP server on a valid RFCOMM channel number. +The RFCOMMPPP server will automatically register the Bluetooth LAN service with the local SDP daemon. +The example below shows how to start the RFCOMMPPP server. [source,shell] .... @@ -1449,13 +1675,22 @@ This section provides an overview of the various Bluetooth protocols, their func ==== Logical Link Control and Adaptation Protocol (L2CAP) -The Logical Link Control and Adaptation Protocol (L2CAP) provides connection-oriented and connectionless data services to upper layer protocols. L2CAP permits higher level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. +The Logical Link Control and Adaptation Protocol (L2CAP) provides connection-oriented and connectionless data services to upper layer protocols. +L2CAP permits higher level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. -L2CAP is based around the concept of _channels_. A channel is a logical connection on top of a baseband connection, where each channel is bound to a single protocol in a many-to-one fashion. Multiple channels can be bound to the same protocol, but a channel cannot be bound to multiple protocols. Each L2CAP packet received on a channel is directed to the appropriate higher level protocol. Multiple channels can share the same baseband connection. +L2CAP is based around the concept of _channels_. +A channel is a logical connection on top of a baseband connection, where each channel is bound to a single protocol in a many-to-one fashion. +Multiple channels can be bound to the same protocol, but a channel cannot be bound to multiple protocols. +Each L2CAP packet received on a channel is directed to the appropriate higher level protocol. +Multiple channels can share the same baseband connection. -In FreeBSD, a netgraph L2CAP node is created for each Bluetooth device. This node is normally connected to the downstream Bluetooth HCI node and upstream Bluetooth socket nodes. The default name for the L2CAP node is "devicel2cap". For more details refer to man:ng_l2cap[4]. +In FreeBSD, a netgraph L2CAP node is created for each Bluetooth device. +This node is normally connected to the downstream Bluetooth HCI node and upstream Bluetooth socket nodes. +The default name for the L2CAP node is "devicel2cap". +For more details refer to man:ng_l2cap[4]. -A useful command is man:l2ping[8], which can be used to ping other devices. Some Bluetooth implementations might not return all of the data sent to them, so `0 bytes` in the following example is normal. +A useful command is man:l2ping[8], which can be used to ping other devices. +Some Bluetooth implementations might not return all of the data sent to them, so `0 bytes` in the following example is normal. [source,shell] .... @@ -1466,7 +1701,8 @@ A useful command is man:l2ping[8], which can be used to ping other devices. Some 0 bytes from 0:80:37:29:19:a4 seq_no=3 time=46.150 ms result=0 .... -The man:l2control[8] utility is used to perform various operations on L2CAP nodes. This example shows how to obtain the list of logical connections (channels) and the list of baseband connections for the local device: +The man:l2control[8] utility is used to perform various operations on L2CAP nodes. +This example shows how to obtain the list of logical connections (channels) and the list of baseband connections for the local device: [source,shell] .... @@ -1480,7 +1716,9 @@ Remote BD_ADDR Handle Flags Pending State 00:07:e0:00:0b:ca 41 O 0 OPEN .... -Another diagnostic tool is man:btsockstat[1]. It is similar to man:netstat[1], but for Bluetooth network-related data structures. The example below shows the same logical connection as man:l2control[8] above. +Another diagnostic tool is man:btsockstat[1]. +It is similar to man:netstat[1], but for Bluetooth network-related data structures. +The example below shows the same logical connection as man:l2control[8] above. [source,shell] .... @@ -1498,23 +1736,37 @@ c2e8bc80 0 250 00:02:72:00:d4:1a 00:07:e0:00:0b:ca 3 6 OPEN ==== Radio Frequency Communication (RFCOMM) -The RFCOMM protocol provides emulation of serial ports over the L2CAP protocol. RFCOMM is a simple transport protocol, with additional provisions for emulating the 9 circuits of RS-232 (EIATIA-232-E) serial ports. It supports up to 60 simultaneous connections (RFCOMM channels) between two Bluetooth devices. +The RFCOMM protocol provides emulation of serial ports over the L2CAP protocol. +RFCOMM is a simple transport protocol, with additional provisions for emulating the 9 circuits of RS-232 (EIATIA-232-E) serial ports. +It supports up to 60 simultaneous connections (RFCOMM channels) between two Bluetooth devices. -For the purposes of RFCOMM, a complete communication path involves two applications running on the communication endpoints with a communication segment between them. RFCOMM is intended to cover applications that make use of the serial ports of the devices in which they reside. The communication segment is a direct connect Bluetooth link from one device to another. +For the purposes of RFCOMM, a complete communication path involves two applications running on the communication endpoints with a communication segment between them. +RFCOMM is intended to cover applications that make use of the serial ports of the devices in which they reside. +The communication segment is a direct connect Bluetooth link from one device to another. -RFCOMM is only concerned with the connection between the devices in the direct connect case, or between the device and a modem in the network case. RFCOMM can support other configurations, such as modules that communicate via Bluetooth wireless technology on one side and provide a wired interface on the other side. +RFCOMM is only concerned with the connection between the devices in the direct connect case, or between the device and a modem in the network case. +RFCOMM can support other configurations, such as modules that communicate via Bluetooth wireless technology on one side and provide a wired interface on the other side. In FreeBSD, RFCOMM is implemented at the Bluetooth sockets layer. ==== Service Discovery Protocol (SDP) -The Service Discovery Protocol (SDP) provides the means for client applications to discover the existence of services provided by server applications as well as the attributes of those services. The attributes of a service include the type or class of service offered and the mechanism or protocol information needed to utilize the service. +The Service Discovery Protocol (SDP) provides the means for client applications to discover the existence of services provided by server applications as well as the attributes of those services. +The attributes of a service include the type or class of service offered and the mechanism or protocol information needed to utilize the service. -SDP involves communication between a SDP server and a SDP client. The server maintains a list of service records that describe the characteristics of services associated with the server. Each service record contains information about a single service. A client may retrieve information from a service record maintained by the SDP server by issuing a SDP request. If the client, or an application associated with the client, decides to use a service, it must open a separate connection to the service provider in order to utilize the service. SDP provides a mechanism for discovering services and their attributes, but it does not provide a mechanism for utilizing those services. +SDP involves communication between a SDP server and a SDP client. +The server maintains a list of service records that describe the characteristics of services associated with the server. +Each service record contains information about a single service. +A client may retrieve information from a service record maintained by the SDP server by issuing a SDP request. +If the client, or an application associated with the client, decides to use a service, it must open a separate connection to the service provider in order to utilize the service. +SDP provides a mechanism for discovering services and their attributes, but it does not provide a mechanism for utilizing those services. -Normally, a SDP client searches for services based on some desired characteristics of the services. However, there are times when it is desirable to discover which types of services are described by an SDP server's service records without any prior information about the services. This process of looking for any offered services is called _browsing_. +Normally, a SDP client searches for services based on some desired characteristics of the services. +However, there are times when it is desirable to discover which types of services are described by an SDP server's service records without any prior information about the services. +This process of looking for any offered services is called _browsing_. -The Bluetooth SDP server, man:sdpd[8], and command line client, man:sdpcontrol[8], are included in the standard FreeBSD installation. The following example shows how to perform a SDP browse query. +The Bluetooth SDP server, man:sdpd[8], and command line client, man:sdpcontrol[8], are included in the standard FreeBSD installation. +The following example shows how to perform a SDP browse query. [source,shell] .... @@ -1542,14 +1794,19 @@ Bluetooth Profile Descriptor List: LAN Access Using PPP (0x1102) ver. 1.0 .... -Note that each service has a list of attributes, such as the RFCOMM channel. Depending on the service, the user might need to make note of some of the attributes. Some Bluetooth implementations do not support service browsing and may return an empty list. In this case, it is possible to search for the specific service. The example below shows how to search for the OBEX Object Push (OPUSH) service: +Note that each service has a list of attributes, such as the RFCOMM channel. +Depending on the service, the user might need to make note of some of the attributes. +Some Bluetooth implementations do not support service browsing and may return an empty list. +In this case, it is possible to search for the specific service. +The example below shows how to search for the OBEX Object Push (OPUSH) service: [source,shell] .... % sdpcontrol -a 00:01:03:fc:6e:ec search OPUSH .... -Offering services on FreeBSD to Bluetooth clients is done with the man:sdpd[8] server. The following line can be added to [.filename]#/etc/rc.conf#: +Offering services on FreeBSD to Bluetooth clients is done with the man:sdpd[8] server. +The following line can be added to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -1563,7 +1820,9 @@ Then the man:sdpd[8] daemon can be started with: # service sdpd start .... -The local server application that wants to provide a Bluetooth service to remote clients will register the service with the local SDP daemon. An example of such an application is man:rfcomm_pppd[8]. Once started, it will register the Bluetooth LAN service with the local SDP daemon. +The local server application that wants to provide a Bluetooth service to remote clients will register the service with the local SDP daemon. +An example of such an application is man:rfcomm_pppd[8]. +Once started, it will register the Bluetooth LAN service with the local SDP daemon. The list of services registered with the local SDP server can be obtained by issuing a SDP browse query via the local control channel: @@ -1574,11 +1833,18 @@ The list of services registered with the local SDP server can be obtained by iss ==== OBEX Object Push (OPUSH) -Object Exchange (OBEX) is a widely used protocol for simple file transfers between mobile devices. Its main use is in infrared communication, where it is used for generic file transfers between notebooks or PDAs, and for sending business cards or calendar entries between cellular phones and other devices with Personal Information Manager (PIM) applications. +Object Exchange (OBEX) is a widely used protocol for simple file transfers between mobile devices. +Its main use is in infrared communication, where it is used for generic file transfers between notebooks or PDAs, and for sending business cards or calendar entries between cellular phones and other devices with Personal Information Manager (PIM) applications. The OBEX server and client are implemented by obexapp, which can be installed using the package:comms/obexapp[] package or port. -The OBEX client is used to push and/or pull objects from the OBEX server. An example object is a business card or an appointment. The OBEX client can obtain the RFCOMM channel number from the remote device via SDP. This can be done by specifying the service name instead of the RFCOMM channel number. Supported service names are: `IrMC`, `FTRN`, and `OPUSH`. It is also possible to specify the RFCOMM channel as a number. Below is an example of an OBEX session where the device information object is pulled from the cellular phone, and a new object, the business card, is pushed into the phone's directory. +The OBEX client is used to push and/or pull objects from the OBEX server. +An example object is a business card or an appointment. +The OBEX client can obtain the RFCOMM channel number from the remote device via SDP. +This can be done by specifying the service name instead of the RFCOMM channel number. +Supported service names are: `IrMC`, `FTRN`, and `OPUSH`. +It is also possible to specify the RFCOMM channel as a number. +Below is an example of an OBEX session where the device information object is pulled from the cellular phone, and a new object, the business card, is pushed into the phone's directory. [source,shell] .... @@ -1591,7 +1857,11 @@ obex> di Success, response: OK, Success (0x20) .... -In order to provide the OPUSH service, man:sdpd[8] must be running and a root folder, where all incoming objects will be stored, must be created. The default path to the root folder is [.filename]#/var/spool/obex#. Finally, start the OBEX server on a valid RFCOMM channel number. The OBEX server will automatically register the OPUSH service with the local SDP daemon. The example below shows how to start the OBEX server. +In order to provide the OPUSH service, man:sdpd[8] must be running and a root folder, where all incoming objects will be stored, must be created. +The default path to the root folder is [.filename]#/var/spool/obex#. +Finally, start the OBEX server on a valid RFCOMM channel number. +The OBEX server will automatically register the OPUSH service with the local SDP daemon. +The example below shows how to start the OBEX server. [source,shell] .... @@ -1600,9 +1870,13 @@ In order to provide the OPUSH service, man:sdpd[8] must be running and a root fo ==== Serial Port Profile (SPP) -The Serial Port Profile (SPP) allows Bluetooth devices to perform serial cable emulation. This profile allows legacy applications to use Bluetooth as a cable replacement, through a virtual serial port abstraction. +The Serial Port Profile (SPP) allows Bluetooth devices to perform serial cable emulation. +This profile allows legacy applications to use Bluetooth as a cable replacement, through a virtual serial port abstraction. -In FreeBSD, man:rfcomm_sppd[1] implements SPP and a pseudo tty is used as a virtual serial port abstraction. The example below shows how to connect to a remote device's serial port service. A RFCOMM channel does not have to be specified as man:rfcomm_sppd[1] can obtain it from the remote device via SDP. To override this, specify a RFCOMM channel on the command line. +In FreeBSD, man:rfcomm_sppd[1] implements SPP and a pseudo tty is used as a virtual serial port abstraction. +The example below shows how to connect to a remote device's serial port service. +A RFCOMM channel does not have to be specified as man:rfcomm_sppd[1] can obtain it from the remote device via SDP. +To override this, specify a RFCOMM channel on the command line. [source,shell] .... @@ -1628,31 +1902,44 @@ cu -l $PTS === Troubleshooting -By default, when FreeBSD is accepting a new connection, it tries to perform a role switch and become master. Some older Bluetooth devices which do not support role switching will not be able to connect. Since role switching is performed when a new connection is being established, it is not possible to ask the remote device if it supports role switching. However, there is a HCI option to disable role switching on the local side: +By default, when FreeBSD is accepting a new connection, it tries to perform a role switch and become master. +Some older Bluetooth devices which do not support role switching will not be able to connect. +Since role switching is performed when a new connection is being established, it is not possible to ask the remote device if it supports role switching. +However, there is a HCI option to disable role switching on the local side: [source,shell] .... # hccontrol -n ubt0hci write_node_role_switch 0 .... -To display Bluetooth packets, use the third-party package hcidump, which can be installed using the package:comms/hcidump[] package or port. This utility is similar to man:tcpdump[1] and can be used to display the contents of Bluetooth packets on the terminal and to dump the Bluetooth packets to a file. +To display Bluetooth packets, use the third-party package hcidump, which can be installed using the package:comms/hcidump[] package or port. +This utility is similar to man:tcpdump[1] and can be used to display the contents of Bluetooth packets on the terminal and to dump the Bluetooth packets to a file. [[network-bridging]] == Bridging -It is sometimes useful to divide a network, such as an Ethernet segment, into network segments without having to create IP subnets and use a router to connect the segments together. A device that connects two networks together in this fashion is called a "bridge". +It is sometimes useful to divide a network, such as an Ethernet segment, into network segments without having to create IP subnets and use a router to connect the segments together. +A device that connects two networks together in this fashion is called a "bridge". -A bridge works by learning the MAC addresses of the devices on each of its network interfaces. It forwards traffic between networks only when the source and destination MAC addresses are on different networks. In many respects, a bridge is like an Ethernet switch with very few ports. A FreeBSD system with multiple network interfaces can be configured to act as a bridge. +A bridge works by learning the MAC addresses of the devices on each of its network interfaces. +It forwards traffic between networks only when the source and destination MAC addresses are on different networks. +In many respects, a bridge is like an Ethernet switch with very few ports. +A FreeBSD system with multiple network interfaces can be configured to act as a bridge. Bridging can be useful in the following situations: Connecting Networks:: -The basic operation of a bridge is to join two or more network segments. There are many reasons to use a host-based bridge instead of networking equipment, such as cabling constraints or firewalling. A bridge can also connect a wireless interface running in hostap mode to a wired network and act as an access point. +The basic operation of a bridge is to join two or more network segments. +There are many reasons to use a host-based bridge instead of networking equipment, such as cabling constraints or firewalling. +A bridge can also connect a wireless interface running in hostap mode to a wired network and act as an access point. Filtering/Traffic Shaping Firewall:: A bridge can be used when firewall functionality is needed without routing or Network Address Translation (NAT). + -An example is a small company that is connected via DSL or ISDN to an ISP. There are thirteen public IP addresses from the ISP and ten computers on the network. In this situation, using a router-based firewall is difficult because of subnetting issues. A bridge-based firewall can be configured without any IP addressing issues. +An example is a small company that is connected via DSL or ISDN to an ISP. +There are thirteen public IP addresses from the ISP and ten computers on the network. +In this situation, using a router-based firewall is difficult because of subnetting issues. +A bridge-based firewall can be configured without any IP addressing issues. Network Tap:: A bridge can join two network segments in order to inspect all Ethernet frames that pass between them using man:bpf[4] and man:tcpdump[1] on the bridge interface or by sending a copy of all frames out an additional interface known as a span port. @@ -1663,18 +1950,22 @@ Two Ethernet networks can be joined across an IP link by bridging the networks t Layer 2 Redundancy:: A network can be connected together with multiple links and use the Spanning Tree Protocol (STP) to block redundant paths. -This section describes how to configure a FreeBSD system as a bridge using man:if_bridge[4]. A netgraph bridging driver is also available, and is described in man:ng_bridge[4]. +This section describes how to configure a FreeBSD system as a bridge using man:if_bridge[4]. +A netgraph bridging driver is also available, and is described in man:ng_bridge[4]. [NOTE] ==== -Packet filtering can be used with any firewall package that hooks into the man:pfil[9] framework. The bridge can be used as a traffic shaper with man:altq[4] or man:dummynet[4]. +Packet filtering can be used with any firewall package that hooks into the man:pfil[9] framework. +The bridge can be used as a traffic shaper with man:altq[4] or man:dummynet[4]. ==== === Enabling the Bridge -In FreeBSD, man:if_bridge[4] is a kernel module which is automatically loaded by man:ifconfig[8] when creating a bridge interface. It is also possible to compile bridge support into a custom kernel by adding `device if_bridge` to the custom kernel configuration file. +In FreeBSD, man:if_bridge[4] is a kernel module which is automatically loaded by man:ifconfig[8] when creating a bridge interface. +It is also possible to compile bridge support into a custom kernel by adding `device if_bridge` to the custom kernel configuration file. -The bridge is created using interface cloning. To create the bridge interface: +The bridge is created using interface cloning. +To create the bridge interface: [source,shell] .... @@ -1688,9 +1979,12 @@ bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500 root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0 .... -When a bridge interface is created, it is automatically assigned a randomly generated Ethernet address. The `maxaddr` and `timeout` parameters control how many MAC addresses the bridge will keep in its forwarding table and how many seconds before each entry is removed after it is last seen. The other parameters control how STP operates. +When a bridge interface is created, it is automatically assigned a randomly generated Ethernet address. +The `maxaddr` and `timeout` parameters control how many MAC addresses the bridge will keep in its forwarding table and how many seconds before each entry is removed after it is last seen. +The other parameters control how STP operates. -Next, specify which network interfaces to add as members of the bridge. For the bridge to forward packets, all member interfaces and the bridge need to be up: +Next, specify which network interfaces to add as members of the bridge. +For the bridge to forward packets, all member interfaces and the bridge need to be up: [source,shell] .... @@ -1699,7 +1993,8 @@ Next, specify which network interfaces to add as members of the bridge. For the # ifconfig fxp1 up .... -The bridge can now forward Ethernet frames between [.filename]#fxp0# and [.filename]#fxp1#. Add the following lines to [.filename]#/etc/rc.conf# so the bridge is created at startup: +The bridge can now forward Ethernet frames between [.filename]#fxp0# and [.filename]#fxp1#. +Add the following lines to [.filename]#/etc/rc.conf# so the bridge is created at startup: [.programlisting] .... @@ -1709,29 +2004,40 @@ ifconfig_fxp0="up" ifconfig_fxp1="up" .... -If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces. The address can be set statically or via DHCP. This example sets a static IP address: +If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces. +The address can be set statically or via DHCP. +This example sets a static IP address: [source,shell] .... # ifconfig bridge0 inet 192.168.0.1/24 .... -It is also possible to assign an IPv6 address to a bridge interface. To make the changes permanent, add the addressing information to [.filename]#/etc/rc.conf#. +It is also possible to assign an IPv6 address to a bridge interface. +To make the changes permanent, add the addressing information to [.filename]#/etc/rc.conf#. [NOTE] ==== -When packet filtering is enabled, bridged packets will pass through the filter inbound on the originating interface on the bridge interface, and outbound on the appropriate interfaces. Either stage can be disabled. When direction of the packet flow is important, it is best to firewall on the member interfaces rather than the bridge itself. +When packet filtering is enabled, bridged packets will pass through the filter inbound on the originating interface on the bridge interface, and outbound on the appropriate interfaces. +Either stage can be disabled. +When direction of the packet flow is important, it is best to firewall on the member interfaces rather than the bridge itself. -The bridge has several configurable settings for passing non-IP and IP packets, and layer2 firewalling with man:ipfw[8]. See man:if_bridge[4] for more information. +The bridge has several configurable settings for passing non-IP and IP packets, and layer2 firewalling with man:ipfw[8]. +See man:if_bridge[4] for more information. ==== === Enabling Spanning Tree -For an Ethernet network to function properly, only one active path can exist between two devices. The STP protocol detects loops and puts redundant links into a blocked state. Should one of the active links fail, STP calculates a different tree and enables one of the blocked paths to restore connectivity to all points in the network. +For an Ethernet network to function properly, only one active path can exist between two devices. +The STP protocol detects loops and puts redundant links into a blocked state. +Should one of the active links fail, STP calculates a different tree and enables one of the blocked paths to restore connectivity to all points in the network. -The Rapid Spanning Tree Protocol (RSTP or 802.1w) provides backwards compatibility with legacy STP. RSTP provides faster convergence and exchanges information with neighboring switches to quickly transition to forwarding mode without creating loops. FreeBSD supports RSTP and STP as operating modes, with RSTP being the default mode. +The Rapid Spanning Tree Protocol (RSTP or 802.1w) provides backwards compatibility with legacy STP. +RSTP provides faster convergence and exchanges information with neighboring switches to quickly transition to forwarding mode without creating loops. +FreeBSD supports RSTP and STP as operating modes, with RSTP being the default mode. -STP can be enabled on member interfaces using man:ifconfig[8]. For a bridge with [.filename]#fxp0# and [.filename]#fxp1# as the current interfaces, enable STP with: +STP can be enabled on member interfaces using man:ifconfig[8]. +For a bridge with [.filename]#fxp0# and [.filename]#fxp1# as the current interfaces, enable STP with: [source,shell] .... @@ -1749,7 +2055,8 @@ bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 role designated state forwarding .... -This bridge has a spanning tree ID of `00:01:02:4b:d4:50` and a priority of `32768`. As the `root id` is the same, it indicates that this is the root bridge for the tree. +This bridge has a spanning tree ID of `00:01:02:4b:d4:50` and a priority of `32768`. +As the `root id` is the same, it indicates that this is the root bridge for the tree. Another bridge on the network also has STP enabled: @@ -1768,17 +2075,25 @@ bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 role designated state forwarding .... -The line `root id 00:01:02:4b:d4:50 priority 32768 ifcost 400000 port 4` shows that the root bridge is `00:01:02:4b:d4:50` and has a path cost of `400000` from this bridge. The path to the root bridge is via `port 4` which is [.filename]#fxp0#. +The line `root id 00:01:02:4b:d4:50 priority 32768 ifcost 400000 port 4` shows that the root bridge is `00:01:02:4b:d4:50` and has a path cost of `400000` from this bridge. +The path to the root bridge is via `port 4` which is [.filename]#fxp0#. === Bridge Interface Parameters -Several `ifconfig` parameters are unique to bridge interfaces. This section summarizes some common uses for these parameters. The complete list of available parameters is described in man:ifconfig[8]. +Several `ifconfig` parameters are unique to bridge interfaces. +This section summarizes some common uses for these parameters. +The complete list of available parameters is described in man:ifconfig[8]. private:: -A private interface does not forward any traffic to any other port that is also designated as a private interface. The traffic is blocked unconditionally so no Ethernet frames will be forwarded, including ARP packets. If traffic needs to be selectively blocked, a firewall should be used instead. +A private interface does not forward any traffic to any other port that is also designated as a private interface. +The traffic is blocked unconditionally so no Ethernet frames will be forwarded, including ARP packets. +If traffic needs to be selectively blocked, a firewall should be used instead. span:: -A span port transmits a copy of every Ethernet frame received by the bridge. The number of span ports configured on a bridge is unlimited, but if an interface is designated as a span port, it cannot also be used as a regular bridge port. This is most useful for snooping a bridged network passively on another host connected to one of the span ports of the bridge. For example, to send a copy of all frames out the interface named [.filename]#fxp4#: +A span port transmits a copy of every Ethernet frame received by the bridge. +The number of span ports configured on a bridge is unlimited, but if an interface is designated as a span port, it cannot also be used as a regular bridge port. +This is most useful for snooping a bridged network passively on another host connected to one of the span ports of the bridge. +For example, to send a copy of all frames out the interface named [.filename]#fxp4#: + [source,shell] .... @@ -1786,9 +2101,13 @@ A span port transmits a copy of every Ethernet frame received by the bridge. The .... sticky:: -If a bridge member interface is marked as sticky, dynamically learned address entries are treated as static entries in the forwarding cache. Sticky entries are never aged out of the cache or replaced, even if the address is seen on a different interface. This gives the benefit of static address entries without the need to pre-populate the forwarding table. Clients learned on a particular segment of the bridge cannot roam to another segment. +If a bridge member interface is marked as sticky, dynamically learned address entries are treated as static entries in the forwarding cache. +Sticky entries are never aged out of the cache or replaced, even if the address is seen on a different interface. +This gives the benefit of static address entries without the need to pre-populate the forwarding table. +Clients learned on a particular segment of the bridge cannot roam to another segment. + -An example of using sticky addresses is to combine the bridge with VLANs in order to isolate customer networks without wasting IP address space. Consider that `CustomerA` is on `vlan100`, `CustomerB` is on `vlan101`, and the bridge has the address `192.168.0.1`: +An example of using sticky addresses is to combine the bridge with VLANs in order to isolate customer networks without wasting IP address space. +Consider that `CustomerA` is on `vlan100`, `CustomerB` is on `vlan101`, and the bridge has the address `192.168.0.1`: + [source,shell] .... @@ -1796,7 +2115,8 @@ An example of using sticky addresses is to combine the bridge with VLANs in orde # ifconfig bridge0 inet 192.168.0.1/24 .... + -In this example, both clients see `192.168.0.1` as their default gateway. Since the bridge cache is sticky, one host cannot spoof the MAC address of the other customer in order to intercept their traffic. +In this example, both clients see `192.168.0.1` as their default gateway. +Since the bridge cache is sticky, one host cannot spoof the MAC address of the other customer in order to intercept their traffic. + Any communication between the VLANs can be blocked using a firewall or, as seen in this example, private interfaces: + @@ -1807,7 +2127,8 @@ Any communication between the VLANs can be blocked using a firewall or, as seen + The customers are completely isolated from each other and the full `/24` address range can be allocated without subnetting. + -The number of unique source MAC addresses behind an interface can be limited. Once the limit is reached, packets with unknown source addresses are dropped until an existing host cache entry expires or is removed. +The number of unique source MAC addresses behind an interface can be limited. +Once the limit is reached, packets with unknown source addresses are dropped until an existing host cache entry expires or is removed. + The following example sets the maximum number of Ethernet devices for `CustomerA` on `vlan100` to 10: + @@ -1816,7 +2137,10 @@ The following example sets the maximum number of Ethernet devices for `CustomerA # ifconfig bridge0 ifmaxaddr vlan100 10 .... -Bridge interfaces also support monitor mode, where the packets are discarded after man:bpf[4] processing and are not processed or forwarded further. This can be used to multiplex the input of two or more interfaces into a single man:bpf[4] stream. This is useful for reconstructing the traffic for network taps that transmit the RX/TX signals out through two separate interfaces. For example, to read the input from four network interfaces as one stream: +Bridge interfaces also support monitor mode, where the packets are discarded after man:bpf[4] processing and are not processed or forwarded further. +This can be used to multiplex the input of two or more interfaces into a single man:bpf[4] stream. +This is useful for reconstructing the traffic for network taps that transmit the RX/TX signals out through two separate interfaces. +For example, to read the input from four network interfaces as one stream: [source,shell] .... @@ -1826,7 +2150,8 @@ Bridge interfaces also support monitor mode, where the packets are discarded aft === SNMP Monitoring -The bridge interface and STP parameters can be monitored via man:bsnmpd[1] which is included in the FreeBSD base system. The exported bridge MIBs conform to IETF standards so any SNMP client or monitoring package can be used to retrieve the data. +The bridge interface and STP parameters can be monitored via man:bsnmpd[1] which is included in the FreeBSD base system. +The exported bridge MIBs conform to IETF standards so any SNMP client or monitoring package can be used to retrieve the data. To enable monitoring on the bridge, uncomment this line in [.filename]#/etc/snmpd.config# by removing the beginning `#` symbol: @@ -1835,7 +2160,9 @@ To enable monitoring on the bridge, uncomment this line in [.filename]#/etc/snmp begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so" .... -Other configuration settings, such as community names and access lists, may need to be modified in this file. See man:bsnmpd[1] and man:snmp_bridge[3] for more information. Once these edits are saved, add this line to [.filename]#/etc/rc.conf#: +Other configuration settings, such as community names and access lists, may need to be modified in this file. +See man:bsnmpd[1] and man:snmp_bridge[3] for more information. +Once these edits are saved, add this line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -1849,7 +2176,9 @@ Then, start man:bsnmpd[1]: # service bsnmpd start .... -The following examples use the Net-SNMP software (package:net-mgmt/net-snmp[]) to query a bridge from a client system. The package:net-mgmt/bsnmptools[] port can also be used. From the SNMP client which is running Net-SNMP, add the following lines to [.filename]#$HOME/.snmp/snmp.conf# in order to import the bridge MIB definitions: +The following examples use the Net-SNMP software (package:net-mgmt/net-snmp[]) to query a bridge from a client system. +The package:net-mgmt/bsnmptools[] port can also be used. +From the SNMP client which is running Net-SNMP, add the following lines to [.filename]#$HOME/.snmp/snmp.conf# in order to import the bridge MIB definitions: [.programlisting] .... @@ -1879,7 +2208,9 @@ BRIDGE-MIB::dot1dStpPortForwardTransitions.3 = Counter32: 1 RSTP-MIB::dot1dStpVersion.0 = INTEGER: rstp(2) .... -The `dot1dStpTopChanges.0` value is two, indicating that the STP bridge topology has changed twice. A topology change means that one or more links in the network have changed or failed and a new tree has been calculated. The `dot1dStpTimeSinceTopologyChange.0` value will show when this happened. +The `dot1dStpTopChanges.0` value is two, indicating that the STP bridge topology has changed twice. +A topology change means that one or more links in the network have changed or failed and a new tree has been calculated. +The `dot1dStpTimeSinceTopologyChange.0` value will show when this happened. To monitor multiple bridge interfaces, the private BEGEMOT-BRIDGE-MIB can be used: @@ -1913,35 +2244,52 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2 [[network-aggregation]] == Link Aggregation and Failover -FreeBSD provides the man:lagg[4] interface which can be used to aggregate multiple network interfaces into one virtual interface in order to provide failover and link aggregation. Failover allows traffic to continue to flow as long as at least one aggregated network interface has an established link. Link aggregation works best on switches which support LACP, as this protocol distributes traffic bi-directionally while responding to the failure of individual links. +FreeBSD provides the man:lagg[4] interface which can be used to aggregate multiple network interfaces into one virtual interface in order to provide failover and link aggregation. +Failover allows traffic to continue to flow as long as at least one aggregated network interface has an established link. +Link aggregation works best on switches which support LACP, as this protocol distributes traffic bi-directionally while responding to the failure of individual links. -The aggregation protocols supported by the lagg interface determine which ports are used for outgoing traffic and whether or not a specific port accepts incoming traffic. The following protocols are supported by man:lagg[4]: +The aggregation protocols supported by the lagg interface determine which ports are used for outgoing traffic and whether or not a specific port accepts incoming traffic. +The following protocols are supported by man:lagg[4]: failover:: -This mode sends and receives traffic only through the master port. If the master port becomes unavailable, the next active port is used. The first interface added to the virtual interface is the master port and all subsequently added interfaces are used as failover devices. If failover to a non-master port occurs, the original port becomes master once it becomes available again. +This mode sends and receives traffic only through the master port. +If the master port becomes unavailable, the next active port is used. +The first interface added to the virtual interface is the master port and all subsequently added interfaces are used as failover devices. +If failover to a non-master port occurs, the original port becomes master once it becomes available again. fec / loadbalance:: -Cisco(R) Fast EtherChannel(R) (FEC) is found on older Cisco(R) switches. It provides a static setup and does not negotiate aggregation with the peer or exchange frames to monitor the link. If the switch supports LACP, that should be used instead. +Cisco(R) Fast EtherChannel(R) (FEC) is found on older Cisco(R) switches. +It provides a static setup and does not negotiate aggregation with the peer or exchange frames to monitor the link. +If the switch supports LACP, that should be used instead. lacp:: -The IEEE(R) 802.3ad Link Aggregation Control Protocol (LACP) negotiates a set of aggregable links with the peer into one or more Link Aggregated Groups (LAGs). Each LAG is composed of ports of the same speed, set to full-duplex operation, and traffic is balanced across the ports in the LAG with the greatest total speed. Typically, there is only one LAG which contains all the ports. In the event of changes in physical connectivity, LACP will quickly converge to a new configuration. +The IEEE(R) 802.3ad Link Aggregation Control Protocol (LACP) negotiates a set of aggregable links with the peer into one or more Link Aggregated Groups (LAGs). +Each LAG is composed of ports of the same speed, set to full-duplex operation, and traffic is balanced across the ports in the LAG with the greatest total speed. +Typically, there is only one LAG which contains all the ports. +In the event of changes in physical connectivity, LACP will quickly converge to a new configuration. + -LACP balances outgoing traffic across the active ports based on hashed protocol header information and accepts incoming traffic from any active port. The hash includes the Ethernet source and destination address and, if available, the VLAN tag, and the IPv4 or IPv6 source and destination address. +LACP balances outgoing traffic across the active ports based on hashed protocol header information and accepts incoming traffic from any active port. +The hash includes the Ethernet source and destination address and, if available, the VLAN tag, and the IPv4 or IPv6 source and destination address. roundrobin:: -This mode distributes outgoing traffic using a round-robin scheduler through all active ports and accepts incoming traffic from any active port. Since this mode violates Ethernet frame ordering, it should be used with caution. +This mode distributes outgoing traffic using a round-robin scheduler through all active ports and accepts incoming traffic from any active port. +Since this mode violates Ethernet frame ordering, it should be used with caution. === Configuration Examples -This section demonstrates how to configure a Cisco(R) switch and a FreeBSD system for LACP load balancing. It then shows how to configure two Ethernet interfaces in failover mode as well as how to configure failover mode between an Ethernet and a wireless interface. +This section demonstrates how to configure a Cisco(R) switch and a FreeBSD system for LACP load balancing. +It then shows how to configure two Ethernet interfaces in failover mode as well as how to configure failover mode between an Ethernet and a wireless interface. [[networking-lacp-aggregation-cisco]] .LACP Aggregation with a Cisco(R) Switch [example] ==== -This example connects two man:fxp[4] Ethernet interfaces on a FreeBSD machine to the first two Ethernet ports on a Cisco(R) switch as a single load balanced and fault tolerant link. More interfaces can be added to increase throughput and fault tolerance. Replace the names of the Cisco(R) ports, Ethernet devices, channel group number, and IP address shown in the example to match the local configuration. +This example connects two man:fxp[4] Ethernet interfaces on a FreeBSD machine to the first two Ethernet ports on a Cisco(R) switch as a single load balanced and fault tolerant link. +More interfaces can be added to increase throughput and fault tolerance. +Replace the names of the Cisco(R) ports, Ethernet devices, channel group number, and IP address shown in the example to match the local configuration. -Frame ordering is mandatory on Ethernet links and any traffic between two stations always flows over the same physical link, limiting the maximum speed to that of one interface. The transmit algorithm attempts to use as much information as it can to distinguish different traffic flows and balance the flows across the available interfaces. +Frame ordering is mandatory on Ethernet links and any traffic between two stations always flows over the same physical link, limiting the maximum speed to that of one interface. +The transmit algorithm attempts to use as much information as it can to distinguish different traffic flows and balance the flows across the available interfaces. On the Cisco(R) switch, add the _FastEthernet0/1_ and _FastEthernet0/2_ interfaces to channel group _1_: @@ -1982,7 +2330,9 @@ lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 laggport: fxp0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING> .... -Ports marked as `ACTIVE` are part of the LAG that has been negotiated with the remote switch. Traffic will be transmitted and received through these active ports. Add `-v` to the above command to view the LAG identifiers. +Ports marked as `ACTIVE` are part of the LAG that has been negotiated with the remote switch. +Traffic will be transmitted and received through these active ports. +Add `-v` to the above command to view the LAG identifiers. To see the port status on the Cisco(R) switch: @@ -2022,7 +2372,9 @@ ifconfig_lagg0="laggproto lacp laggport fxp0 laggport fxp1 10.0.0.3/24" [example] ==== -Failover mode can be used to switch over to a secondary interface if the link is lost on the master interface. To configure failover, make sure that the underlying physical interfaces are up, then create the man:lagg[4] interface. In this example, _fxp0_ is the master interface, _fxp1_ is the secondary interface, and the virtual interface is assigned an IP address of _10.0.0.15/24_: +Failover mode can be used to switch over to a secondary interface if the link is lost on the master interface. +To configure failover, make sure that the underlying physical interfaces are up, then create the man:lagg[4] interface. +In this example, _fxp0_ is the master interface, _fxp1_ is the secondary interface, and the virtual interface is assigned an IP address of _10.0.0.15/24_: [source,shell] .... @@ -2048,7 +2400,9 @@ lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 laggport: fxp0 flags=5<MASTER,ACTIVE> .... -Traffic will be transmitted and received on _fxp0_. If the link is lost on _fxp0_, _fxp1_ will become the active link. If the link is restored on the master interface, it will once again become the active link. +Traffic will be transmitted and received on _fxp0_. +If the link is lost on _fxp0_, _fxp1_ will become the active link. +If the link is restored on the master interface, it will once again become the active link. To retain this configuration across reboots, add the following entries to [.filename]#/etc/rc.conf#: @@ -2067,21 +2421,28 @@ ifconfig_lagg0="laggproto failover laggport fxp0 laggport fxp1 10.0.0.15/24" [example] ==== -For laptop users, it is usually desirable to configure the wireless device as a secondary which is only used when the Ethernet connection is not available. With man:lagg[4], it is possible to configure a failover which prefers the Ethernet connection for both performance and security reasons, while maintaining the ability to transfer data over the wireless connection. +For laptop users, it is usually desirable to configure the wireless device as a secondary which is only used when the Ethernet connection is not available. +With man:lagg[4], it is possible to configure a failover which prefers the Ethernet connection for both performance and security reasons, while maintaining the ability to transfer data over the wireless connection. This is achieved by overriding the Ethernet interface's MAC address with that of the wireless interface. [NOTE] **** -In theory, either the Ethernet or wireless MAC address can be changed to match the other. However, some popular wireless interfaces lack support for overriding the MAC address. We therefore recommend overriding the Ethernet MAC address for this purpose. +In theory, either the Ethernet or wireless MAC address can be changed to match the other. +However, some popular wireless interfaces lack support for overriding the MAC address. +We therefore recommend overriding the Ethernet MAC address for this purpose. **** [NOTE] **** -If the driver for the wireless interface is not loaded in the `GENERIC` or custom kernel, and the computer is running FreeBSD {rel121-current}, load the corresponding [.filename]#.ko# in [.filename]#/boot/loader.conf# by adding `*driver_load="YES"*` to that file and rebooting. Another, better way is to load the driver in [.filename]#/etc/rc.conf# by adding it to `kld_list` (see man:rc.conf[5] for details) in that file and rebooting. This is needed because otherwise the driver is not loaded yet at the time the man:lagg[4] interface is set up. +If the driver for the wireless interface is not loaded in the `GENERIC` or custom kernel, and the computer is running FreeBSD {rel121-current}, load the corresponding [.filename]#.ko# in [.filename]#/boot/loader.conf# by adding `*driver_load="YES"*` to that file and rebooting. +Another, better way is to load the driver in [.filename]#/etc/rc.conf# by adding it to `kld_list` (see man:rc.conf[5] for details) in that file and rebooting. +This is needed because otherwise the driver is not loaded yet at the time the man:lagg[4] interface is set up. **** -In this example, the Ethernet interface, _re0_, is the master and the wireless interface, _wlan0_, is the failover. The _wlan0_ interface was created from the _ath0_ physical wireless interface, and the Ethernet interface will be configured with the MAC address of the wireless interface. First, determine the MAC address of the wireless interface: +In this example, the Ethernet interface, _re0_, is the master and the wireless interface, _wlan0_, is the failover. +The _wlan0_ interface was created from the _ath0_ physical wireless interface, and the Ethernet interface will be configured with the MAC address of the wireless interface. +First, determine the MAC address of the wireless interface: [source,shell] .... @@ -2099,7 +2460,9 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> .... -Replace _wlan0_ to match the system's wireless interface name. The `ether` line will contain the MAC address of the specified interface. Now, change the MAC address of the Ethernet interface: +Replace _wlan0_ to match the system's wireless interface name. +The `ether` line will contain the MAC address of the specified interface. +Now, change the MAC address of the Ethernet interface: [source,shell] .... @@ -2162,7 +2525,10 @@ ifconfig_lagg0="up laggproto failover laggport re0 laggport wlan0 DHCP" [[network-diskless]] == Diskless Operation with PXE -The Intel(R) Preboot eXecution Environment (PXE) allows an operating system to boot over the network. For example, a FreeBSD system can boot over the network and operate without a local disk, using file systems mounted from an NFS server. PXE support is usually available in the BIOS. To use PXE when the machine starts, select the `Boot from network` option in the BIOS setup or type a function key during system initialization. +The Intel(R) Preboot eXecution Environment (PXE) allows an operating system to boot over the network. +For example, a FreeBSD system can boot over the network and operate without a local disk, using file systems mounted from an NFS server. +PXE support is usually available in the BIOS. +To use PXE when the machine starts, select the `Boot from network` option in the BIOS setup or type a function key during system initialization. In order to provide the files needed for an operating system to boot over the network, a PXE setup also requires properly configured DHCP, TFTP, and NFS servers, where: @@ -2170,24 +2536,32 @@ In order to provide the files needed for an operating system to boot over the ne * The operating system loader file is booted using TFTP. * The file systems are loaded using NFS. -When a computer PXE boots, it receives information over DHCP about where to obtain the initial boot loader file. After the host computer receives this information, it downloads the boot loader via TFTP and then executes the boot loader. In FreeBSD, the boot loader file is [.filename]#/boot/pxeboot#. After [.filename]#/boot/pxeboot# executes, the FreeBSD kernel is loaded and the rest of the FreeBSD bootup sequence proceeds, as described in crossref:boot[boot,The FreeBSD Booting Process]. +When a computer PXE boots, it receives information over DHCP about where to obtain the initial boot loader file. +After the host computer receives this information, it downloads the boot loader via TFTP and then executes the boot loader. +In FreeBSD, the boot loader file is [.filename]#/boot/pxeboot#. +After [.filename]#/boot/pxeboot# executes, the FreeBSD kernel is loaded and the rest of the FreeBSD bootup sequence proceeds, as described in crossref:boot[boot,The FreeBSD Booting Process]. -This section describes how to configure these services on a FreeBSD system so that other systems can PXE boot into FreeBSD. Refer to man:diskless[8] for more information. +This section describes how to configure these services on a FreeBSD system so that other systems can PXE boot into FreeBSD. +Refer to man:diskless[8] for more information. [CAUTION] ==== - -As described, the system providing these services is insecure. It should live in a protected area of a network and be untrusted by other hosts. +As described, the system providing these services is insecure. +It should live in a protected area of a network and be untrusted by other hosts. ==== [[network-pxe-nfs]] === Setting Up the PXE Environment -The steps shown in this section configure the built-in NFS and TFTP servers. The next section demonstrates how to install and configure the DHCP server. In this example, the directory which will contain the files used by PXE users is [.filename]#/b/tftpboot/FreeBSD/install#. It is important that this directory exists and that the same directory name is set in both [.filename]#/etc/inetd.conf# and [.filename]#/usr/local/etc/dhcpd.conf#. +The steps shown in this section configure the built-in NFS and TFTP servers. +The next section demonstrates how to install and configure the DHCP server. +In this example, the directory which will contain the files used by PXE users is [.filename]#/b/tftpboot/FreeBSD/install#. +It is important that this directory exists and that the same directory name is set in both [.filename]#/etc/inetd.conf# and [.filename]#/usr/local/etc/dhcpd.conf#. [NOTE] ==== -The command examples below assume use of the man:sh[1] shell. man:csh[1] and man:tcsh[1] users will need to start a man:sh[1] shell or adapt the commands to man:csh[1] syntax. +The command examples below assume use of the man:sh[1] shell. +man:csh[1] and man:tcsh[1] users will need to start a man:sh[1] shell or adapt the commands to man:csh[1] syntax. ==== [.procedure] @@ -2236,7 +2610,8 @@ tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /b/tftpboot + [NOTE] ==== -Some PXE versions require the TCP version of TFTP. In this case, uncomment the second `tftp` line which contains `stream tcp`. +Some PXE versions require the TCP version of TFTP. +In this case, uncomment the second `tftp` line which contains `stream tcp`. ==== . Start man:inetd[8]: @@ -2264,7 +2639,8 @@ Received 264951 bytes in 0.1 seconds myhost.example.com:/b/tftpboot/FreeBSD/install / nfs ro 0 0 .... + -Replace _myhost.example.com_ with the hostname or IP address of the NFS server. In this example, the root file system is mounted read-only in order to prevent NFS clients from potentially deleting the contents of the root file system. +Replace _myhost.example.com_ with the hostname or IP address of the NFS server. +In this example, the root file system is mounted read-only in order to prevent NFS clients from potentially deleting the contents of the root file system. . Set the root password in the PXE environment for client machines which are PXE booting : + [source,shell] @@ -2276,7 +2652,8 @@ Replace _myhost.example.com_ with the hostname or IP address of the NFS server. . If needed, enable man:ssh[1] root logins for client machines which are PXE booting by editing [.filename]#${NFSROOTDIR}/etc/ssh/sshd_config# and enabling `PermitRootLogin`. This option is documented in man:sshd_config[5]. . Perform any other needed customizations of the PXE environment in [.filename]#${NFSROOTDIR}#. These customizations could include things like installing packages or editing the password file with man:vipw[8]. -When booting from an NFS root volume, [.filename]#/etc/rc# detects the NFS boot and runs [.filename]#/etc/rc.initdiskless#. In this case, [.filename]#/etc# and [.filename]#/var# need to be memory backed file systems so that these directories are writable but the NFS root directory is read-only: +When booting from an NFS root volume, [.filename]#/etc/rc# detects the NFS boot and runs [.filename]#/etc/rc.initdiskless#. +In this case, [.filename]#/etc# and [.filename]#/var# need to be memory backed file systems so that these directories are writable but the NFS root directory is read-only: [source,shell] .... @@ -2286,7 +2663,9 @@ When booting from an NFS root volume, [.filename]#/etc/rc# detects the NFS boot # tar -c -v -f conf/base/var.cpio.gz --format cpio --gzip var .... -When the system boots, memory file systems for [.filename]#/etc# and [.filename]#/var# will be created and mounted and the contents of the [.filename]#cpio.gz# files will be copied into them. By default, these file systems have a maximum capacity of 5 megabytes. If your archives do not fit, which is usually the case for [.filename]#/var# when binary packages have been installed, request a larger size by putting the number of 512 byte sectors needed (e.g., 5 megabytes is 10240 sectors) in [.filename]#${NFSROOTDIR}/conf/base/etc/md_size# and [.filename]#${NFSROOTDIR}/conf/base/var/md_size# files for [.filename]#/etc# and [.filename]#/var# file systems respectively. +When the system boots, memory file systems for [.filename]#/etc# and [.filename]#/var# will be created and mounted and the contents of the [.filename]#cpio.gz# files will be copied into them. +By default, these file systems have a maximum capacity of 5 megabytes. +If your archives do not fit, which is usually the case for [.filename]#/var# when binary packages have been installed, request a larger size by putting the number of 512 byte sectors needed (e.g., 5 megabytes is 10240 sectors) in [.filename]#${NFSROOTDIR}/conf/base/etc/md_size# and [.filename]#${NFSROOTDIR}/conf/base/var/md_size# files for [.filename]#/etc# and [.filename]#/var# file systems respectively. [[network-pxe-setting-up-dhcp]] === Configuring the DHCP Server @@ -2295,7 +2674,8 @@ The DHCP server does not need to be the same machine as the TFTP and NFS server, DHCP is not part of the FreeBSD base system but can be installed using the package:net/isc-dhcp43-server[] port or package. -Once installed, edit the configuration file, [.filename]#/usr/local/etc/dhcpd.conf#. Configure the `next-server`, `filename`, and `root-path` settings as seen in this example: +Once installed, edit the configuration file, [.filename]#/usr/local/etc/dhcpd.conf#. +Configure the `next-server`, `filename`, and `root-path` settings as seen in this example: [.programlisting] .... @@ -2321,7 +2701,8 @@ subnet 192.168.0.0 netmask 255.255.255.0 { The `next-server` directive is used to specify the IP address of the TFTP server. -The `filename` directive defines the path to [.filename]#/boot/pxeboot#. A relative filename is used, meaning that [.filename]#/b/tftpboot# is not included in the path. +The `filename` directive defines the path to [.filename]#/boot/pxeboot#. +A relative filename is used, meaning that [.filename]#/b/tftpboot# is not included in the path. The `root-path` option defines the path to the NFS root file system. @@ -2341,7 +2722,8 @@ Then start the DHCP service: === Debugging PXE Problems -Once all of the services are configured and started, PXE clients should be able to automatically load FreeBSD over the network. If a particular client is unable to connect, when that client machine boots up, enter the BIOS configuration menu and confirm that it is set to boot from the network. +Once all of the services are configured and started, PXE clients should be able to automatically load FreeBSD over the network. +If a particular client is unable to connect, when that client machine boots up, enter the BIOS configuration menu and confirm that it is set to boot from the network. This section describes some troubleshooting tips for isolating the source of the configuration problem should no clients be able to PXE boot. @@ -2383,7 +2765,8 @@ The `BUGS` sections in man:tftpd[8] and man:tftp[1] document some limitations wi [[network-ipv6]] == IPv6 -IPv6 is the new version of the well known IP protocol, also known as IPv4. IPv6 provides several advantages over IPv4 as well as many new features: +IPv6 is the new version of the well known IP protocol, also known as IPv4. +IPv6 provides several advantages over IPv4 as well as many new features: * Its 128-bit address space allows for 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. This addresses the IPv4 address shortage and eventual IPv4 address exhaustion. * Routers only store network aggregation addresses in their routing tables, thus reducing the average space of a routing table to 8192 entries. This addresses the scalability issues associated with IPv4, which required every allocated block of IPv4 addresses to be exchanged between Internet routers, causing their routing tables to become too large to allow efficient routing. @@ -2395,7 +2778,8 @@ IPv6 is the new version of the well known IP protocol, also known as IPv4. IPv6 * Support for mobile IP. * IPv6-to-IPv4 transition mechanisms. -FreeBSD includes the http://www.kame.net/[http://www.kame.net/] IPv6 reference implementation and comes with everything needed to use IPv6. This section focuses on getting IPv6 configured and running. +FreeBSD includes the http://www.kame.net/[http://www.kame.net/] IPv6 reference implementation and comes with everything needed to use IPv6. +This section focuses on getting IPv6 configured and running. === Background on IPv6 Addresses @@ -2405,16 +2789,25 @@ Unicast:: A packet sent to a unicast address arrives at the interface belonging to the address. Anycast:: -These addresses are syntactically indistinguishable from unicast addresses but they address a group of interfaces. The packet destined for an anycast address will arrive at the nearest router interface. Anycast addresses are only used by routers. +These addresses are syntactically indistinguishable from unicast addresses but they address a group of interfaces. +The packet destined for an anycast address will arrive at the nearest router interface. +Anycast addresses are only used by routers. Multicast:: -These addresses identify a group of interfaces. A packet destined for a multicast address will arrive at all interfaces belonging to the multicast group. The IPv4 broadcast address, usually `xxx.xxx.xxx.255`, is expressed by multicast addresses in IPv6. +These addresses identify a group of interfaces. +A packet destined for a multicast address will arrive at all interfaces belonging to the multicast group. +The IPv4 broadcast address, usually `xxx.xxx.xxx.255`, is expressed by multicast addresses in IPv6. -When reading an IPv6 address, the canonical form is represented as `x:x:x:x:x:x:x:x`, where each `x` represents a 16 bit hex value. An example is `FEBC:A574:382B:23C1:AA49:4592:4EFE:9982`. +When reading an IPv6 address, the canonical form is represented as `x:x:x:x:x:x:x:x`, where each `x` represents a 16 bit hex value. +An example is `FEBC:A574:382B:23C1:AA49:4592:4EFE:9982`. -Often, an address will have long substrings of all zeros. A `::` (double colon) can be used to replace one substring per address. Also, up to three leading ``0``s per hex value can be omitted. For example, `fe80::1` corresponds to the canonical form `fe80:0000:0000:0000:0000:0000:0000:0001`. +Often, an address will have long substrings of all zeros. +A `::` (double colon) can be used to replace one substring per address. +Also, up to three leading ``0``s per hex value can be omitted. +For example, `fe80::1` corresponds to the canonical form `fe80:0000:0000:0000:0000:0000:0000:0001`. -A third form is to write the last 32 bits using the well known IPv4 notation. For example, `2002::10.0.0.1` corresponds to the hexadecimal canonical representation `2002:0000:0000:0000:0000:0000:0a00:0001`, which in turn is equivalent to `2002::a00:1`. +A third form is to write the last 32 bits using the well known IPv4 notation. +For example, `2002::10.0.0.1` corresponds to the hexadecimal canonical representation `2002:0000:0000:0000:0000:0000:0a00:0001`, which in turn is equivalent to `2002::a00:1`. To view a FreeBSD system's IPv6 address, use man:ifconfig[8]: @@ -2435,7 +2828,9 @@ rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 In this example, the [.filename]#rl0# interface is using `fe80::200:21ff:fe03:8e1%rl0`, an auto-configured link-local address which was automatically generated from the MAC address. -Some IPv6 addresses are reserved. A summary of these reserved addresses is seen in <<reservedip6>>: +Some IPv6 addresses are reserved. +A summary of these reserved addresses is seen in <<reservedip6>>: + [[reservedip6]] .Reserved IPv6 Addresses [cols="1,1,1,1", frame="none", options="header"] @@ -2498,7 +2893,8 @@ ifconfig_rl0_ipv6="inet6 accept_rtadv" rtsold_enable="YES" .... -The first line enables the specified interface to receive router advertisement messages. The second line enables the router solicitation daemon, man:rtsol[8]. +The first line enables the specified interface to receive router advertisement messages. +The second line enables the router solicitation daemon, man:rtsol[8]. If the interface needs a statically assigned IPv6 address, add an entry to specify the static address and associated prefix length: @@ -2535,7 +2931,8 @@ The first [.filename]#/etc/rc.conf# entry creates the generic tunneling interfac cloned_interfaces="gif0" .... -Next, configure that interface with the IPv4 addresses of the local and remote endpoints. Replace `_MY_IPv4_ADDR_` and `_REMOTE_IPv4_ADDR_` with the actual IPv4 addresses: +Next, configure that interface with the IPv4 addresses of the local and remote endpoints. +Replace `_MY_IPv4_ADDR_` and `_REMOTE_IPv4_ADDR_` with the actual IPv4 addresses: [.programlisting] .... @@ -2549,7 +2946,8 @@ To apply the IPv6 address that has been assigned for use as the IPv6 tunnel endp ifconfig_gif0_ipv6="inet6 MY_ASSIGNED_IPv6_TUNNEL_ENDPOINT_ADDR" .... -Then, set the default route for the other side of the IPv6 tunnel. Replace `_MY_IPv6_REMOTE_TUNNEL_ENDPOINT_ADDR_` with the default gateway address assigned by the provider: +Then, set the default route for the other side of the IPv6 tunnel. +Replace `_MY_IPv6_REMOTE_TUNNEL_ENDPOINT_ADDR_` with the default gateway address assigned by the provider: [.programlisting] .... @@ -2574,7 +2972,8 @@ To enable man:rtadvd[8], add the following to [.filename]#/etc/rc.conf#: rtadvd_enable="YES" .... -It is important to specify the interface on which to do IPv6 router advertisement. For example, to tell man:rtadvd[8] to use [.filename]#rl0#: +It is important to specify the interface on which to do IPv6 router advertisement. +For example, to tell man:rtadvd[8] to use [.filename]#rl0#: [.programlisting] .... @@ -2591,13 +2990,19 @@ rl0:\ Replace [.filename]#rl0# with the interface to be used and `2001:db8:1f11:246::` with the prefix of the allocation. -For a dedicated `/64` subnet, nothing else needs to be changed. Otherwise, change the `prefixlen#` to the correct value. +For a dedicated `/64` subnet, nothing else needs to be changed. +Otherwise, change the `prefixlen#` to the correct value. === IPv6 and IPv6 Address Mapping -When IPv6 is enabled on a server, there may be a need to enable IPv4 mapped IPv6 address communication. This compatibility option allows for IPv4 addresses to be represented as IPv6 addresses. Permitting IPv6 applications to communicate with IPv4 and vice versa may be a security issue. +When IPv6 is enabled on a server, there may be a need to enable IPv4 mapped IPv6 address communication. +This compatibility option allows for IPv4 addresses to be represented as IPv6 addresses. +Permitting IPv6 applications to communicate with IPv4 and vice versa may be a security issue. -This option may not be required in most cases and is available only for compatibility. This option will allow IPv6-only applications to work with IPv4 in a dual stack environment. This is most useful for third party applications which may not support an IPv6-only environment. To enable this feature, add the following to [.filename]#/etc/rc.conf#: +This option may not be required in most cases and is available only for compatibility. +This option will allow IPv6-only applications to work with IPv4 in a dual stack environment. +This is most useful for third party applications which may not support an IPv6-only environment. +To enable this feature, add the following to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -2609,15 +3014,25 @@ Reviewing the information in RFC 3493, section 3.6 and 3.7 as well as RFC 4038 s [[carp]] == Common Address Redundancy Protocol (CARP) -The Common Address Redundancy Protocol (CARP) allows multiple hosts to share the same IP address and Virtual Host ID (VHID) in order to provide _high availability_ for one or more services. This means that one or more hosts can fail, and the other hosts will transparently take over so that users do not see a service failure. +The Common Address Redundancy Protocol (CARP) allows multiple hosts to share the same IP address and Virtual Host ID (VHID) in order to provide _high availability_ for one or more services. +This means that one or more hosts can fail, and the other hosts will transparently take over so that users do not see a service failure. -In addition to the shared IP address, each host has its own IP address for management and configuration. All of the machines that share an IP address have the same VHID. The VHID for each virtual IP address must be unique across the broadcast domain of the network interface. +In addition to the shared IP address, each host has its own IP address for management and configuration. +All of the machines that share an IP address have the same VHID. +The VHID for each virtual IP address must be unique across the broadcast domain of the network interface. -High availability using CARP is built into FreeBSD, though the steps to configure it vary slightly depending upon the FreeBSD version. This section provides the same example configuration for versions before and equal to or after FreeBSD 10. +High availability using CARP is built into FreeBSD, though the steps to configure it vary slightly depending upon the FreeBSD version. +This section provides the same example configuration for versions before and equal to or after FreeBSD 10. -This example configures failover support with three hosts, all with unique IP addresses, but providing the same web content. It has two different masters named `hosta.example.org` and `hostb.example.org`, with a shared backup named `hostc.example.org`. +This example configures failover support with three hosts, all with unique IP addresses, but providing the same web content. +It has two different masters named `hosta.example.org` and `hostb.example.org`, with a shared backup named `hostc.example.org`. -These machines are load balanced with a Round Robin DNS configuration. The master and backup machines are configured identically except for their hostnames and management IP addresses. These servers must have the same configuration and run the same services. When the failover occurs, requests to the service on the shared IP address can only be answered correctly if the backup server has access to the same content. The backup machine has two additional CARP interfaces, one for each of the master content server's IP addresses. When a failure occurs, the backup server will pick up the failed master machine's IP address. +These machines are load balanced with a Round Robin DNS configuration. +The master and backup machines are configured identically except for their hostnames and management IP addresses. +These servers must have the same configuration and run the same services. +When the failover occurs, requests to the service on the shared IP address can only be answered correctly if the backup server has access to the same content. +The backup machine has two additional CARP interfaces, one for each of the master content server's IP addresses. +When a failure occurs, the backup server will pick up the failed master machine's IP address. [[carp-10x]] === Using CARP on FreeBSD 10 and Later @@ -2652,7 +3067,9 @@ ifconfig_em0="inet 192.168.1.3 netmask 255.255.255.0" ifconfig_em0_alias0="inet vhid 1 pass testpass alias 192.168.1.50/32" .... -The next set of entries are for `hostb.example.org`. Since it represents a second master, it uses a different shared IP address and VHID. However, the passwords specified with `pass` must be identical as CARP will only listen to and accept advertisements from machines with the correct password. +The next set of entries are for `hostb.example.org`. +Since it represents a second master, it uses a different shared IP address and VHID. +However, the passwords specified with `pass` must be identical as CARP will only listen to and accept advertisements from machines with the correct password. [.programlisting] .... @@ -2661,7 +3078,9 @@ ifconfig_em0="inet 192.168.1.4 netmask 255.255.255.0" ifconfig_em0_alias0="inet vhid 2 pass testpass alias 192.168.1.51/32" .... -The third machine, `hostc.example.org`, is configured to handle failover from either master. This machine is configured with two CARPVHIDs, one to handle the virtual IP address for each of the master hosts. The CARP advertising skew, `advskew`, is set to ensure that the backup host advertises later than the master, since `advskew` controls the order of precedence when there are multiple backup servers. +The third machine, `hostc.example.org`, is configured to handle failover from either master. +This machine is configured with two CARPVHIDs, one to handle the virtual IP address for each of the master hosts. +The CARP advertising skew, `advskew`, is set to ensure that the backup host advertises later than the master, since `advskew` controls the order of precedence when there are multiple backup servers. [.programlisting] .... @@ -2671,11 +3090,15 @@ ifconfig_em0_alias0="inet vhid 1 advskew 100 pass testpass alias 192.168.1.50/32 ifconfig_em0_alias1="inet vhid 2 advskew 100 pass testpass alias 192.168.1.51/32" .... -Having two CARPVHIDs configured means that `hostc.example.org` will notice if either of the master servers becomes unavailable. If a master fails to advertise before the backup server, the backup server will pick up the shared IP address until the master becomes available again. +Having two CARPVHIDs configured means that `hostc.example.org` will notice if either of the master servers becomes unavailable. +If a master fails to advertise before the backup server, the backup server will pick up the shared IP address until the master becomes available again. [NOTE] ==== -If the original master server becomes available again, `hostc.example.org` will not release the virtual IP address back to it automatically. For this to happen, preemption has to be enabled. The feature is disabled by default, it is controlled via the man:sysctl[8] variable `net.inet.carp.preempt`. The administrator can force the backup server to return the IP address to the master: +If the original master server becomes available again, `hostc.example.org` will not release the virtual IP address back to it automatically. +For this to happen, preemption has to be enabled. +The feature is disabled by default, it is controlled via the man:sysctl[8] variable `net.inet.carp.preempt`. +The administrator can force the backup server to return the IP address to the master: [source,shell] .... @@ -2684,9 +3107,11 @@ If the original master server becomes available again, `hostc.example.org` will ==== -Once the configuration is complete, either restart networking or reboot each system. High availability is now enabled. +Once the configuration is complete, either restart networking or reboot each system. +High availability is now enabled. -CARP functionality can be controlled via several man:sysctl[8] variables documented in the man:carp[4] manual pages. Other actions can be triggered from CARP events by using man:devd[8]. +CARP functionality can be controlled via several man:sysctl[8] variables documented in the man:carp[4] manual pages. +Other actions can be triggered from CARP events by using man:devd[8]. [[carp-9x]] === Using CARP on FreeBSD 9 and Earlier @@ -2721,7 +3146,9 @@ Next, on each host, create a CARP device: # ifconfig carp0 create .... -Set the hostname, management IP address, the shared IP address, and VHID by adding the required lines to [.filename]#/etc/rc.conf#. Since a virtual CARP device is used instead of an alias, the actual subnet mask of `/24` is used instead of `/32`. Here are the entries for `hosta.example.org`: +Set the hostname, management IP address, the shared IP address, and VHID by adding the required lines to [.filename]#/etc/rc.conf#. +Since a virtual CARP device is used instead of an alias, the actual subnet mask of `/24` is used instead of `/32`. +Here are the entries for `hosta.example.org`: [.programlisting] .... @@ -2754,7 +3181,9 @@ ifconfig_carp1="vhid 2 advskew 100 pass testpass 192.168.1.51/24" [NOTE] ==== -Preemption is disabled in the [.filename]#GENERIC# FreeBSD kernel. If preemption has been enabled with a custom kernel, `hostc.example.org` may not release the IP address back to the original content server. The administrator can force the backup server to return the IP address to the master with the command: +Preemption is disabled in the [.filename]#GENERIC# FreeBSD kernel. +If preemption has been enabled with a custom kernel, `hostc.example.org` may not release the IP address back to the original content server. +The administrator can force the backup server to return the IP address to the master with the command: [source,shell] .... @@ -2764,16 +3193,20 @@ Preemption is disabled in the [.filename]#GENERIC# FreeBSD kernel. If preemption This should be done on the [.filename]#carp# interface which corresponds to the correct host. ==== -Once the configuration is complete, either restart networking or reboot each system. High availability is now enabled. +Once the configuration is complete, either restart networking or reboot each system. +High availability is now enabled. [[network-vlan]] == VLANs -VLANs are a way of virtually dividing up a network into many different subnetworks, also referred to as segmenting. Each segment will have its own broadcast domain and be isolated from other VLANs. +VLANs are a way of virtually dividing up a network into many different subnetworks, also referred to as segmenting. +Each segment will have its own broadcast domain and be isolated from other VLANs. -On FreeBSD, VLANs must be supported by the network card driver. To see which drivers support vlans, refer to the man:vlan[4] manual page. +On FreeBSD, VLANs must be supported by the network card driver. +To see which drivers support vlans, refer to the man:vlan[4] manual page. -When configuring a VLAN, a couple pieces of information must be known. First, which network interface? Second, what is the VLAN tag? +When configuring a VLAN, a couple pieces of information must be known. +First, which network interface? Second, what is the VLAN tag? To configure VLANs at run time, with a NIC of `em0` and a VLAN tag of `5` the command would look like this: @@ -2787,7 +3220,8 @@ To configure VLANs at run time, with a NIC of `em0` and a VLAN tag of `5` the co See how the interface name includes the NIC driver name and the VLAN tag, separated by a period? This is a best practice to make maintaining the VLAN configuration easy when many VLANs are present on a machine. ==== -To configure VLANs at boot time, [.filename]#/etc/rc.conf# must be updated. To duplicate the configuration above, the following will need to be added: +To configure VLANs at boot time, [.filename]#/etc/rc.conf# must be updated. +To duplicate the configuration above, the following will need to be added: [.programlisting] .... @@ -2797,7 +3231,9 @@ ifconfig_em0_5="inet 192.168.20.20/24" Additional VLANs may be added, by simply adding the tag to the `vlans_em0` field and adding an additional line configuring the network on that VLAN tag's interface. -It is useful to assign a symbolic name to an interface so that when the associated hardware is changed, only a few configuration variables need to be updated. For example, security cameras need to be run over VLAN 1 on `em0`. Later, if the `em0` card is replaced with a card that uses the man:ixgb[4] driver, all references to `em0.1` will not have to change to `ixgb0.1`. +It is useful to assign a symbolic name to an interface so that when the associated hardware is changed, only a few configuration variables need to be updated. +For example, security cameras need to be run over VLAN 1 on `em0`. +Later, if the `em0` card is replaced with a card that uses the man:ixgb[4] driver, all references to `em0.1` will not have to change to `ixgb0.1`. To configure VLAN `5`, on the NIC `em0`, assign the interface name `cameras`, and assign the interface an IP address of `_192.168.20.20_` with a `24`-bit prefix, use this command: diff --git a/documentation/content/en/books/handbook/audit/_index.adoc b/documentation/content/en/books/handbook/audit/_index.adoc index 07e4649e4b..ca0df463c1 100644 --- a/documentation/content/en/books/handbook/audit/_index.adoc +++ b/documentation/content/en/books/handbook/audit/_index.adoc @@ -46,9 +46,13 @@ toc::[] [[audit-synopsis]] == Synopsis -The FreeBSD operating system includes support for security event auditing. Event auditing supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. These log records can be invaluable for live system monitoring, intrusion detection, and postmortem analysis. FreeBSD implements Sun(TM)'s published Basic Security Module (BSM) Application Programming Interface (API) and file format, and is interoperable with the Solaris(TM) and Mac OS(R) X audit implementations. +The FreeBSD operating system includes support for security event auditing. +Event auditing supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. +These log records can be invaluable for live system monitoring, intrusion detection, and postmortem analysis. +FreeBSD implements Sun(TM)'s published Basic Security Module (BSM) Application Programming Interface (API) and file format, and is interoperable with the Solaris(TM) and Mac OS(R) X audit implementations. -This chapter focuses on the installation and configuration of event auditing. It explains audit policies and provides an example audit configuration. +This chapter focuses on the installation and configuration of event auditing. +It explains audit policies and provides an example audit configuration. After reading this chapter, you will know: @@ -64,9 +68,13 @@ Before reading this chapter, you should: [WARNING] ==== -The audit facility has some known limitations. Not all security-relevant system events are auditable and some login mechanisms, such as Xorg-based display managers and third-party daemons, do not properly configure auditing for user login sessions. +The audit facility has some known limitations. +Not all security-relevant system events are auditable and some login mechanisms, such as Xorg-based display managers and third-party daemons, do not properly configure auditing for user login sessions. -The security event auditing facility is able to generate very detailed logs of system activity. On a busy system, trail file data can be very large when configured for high detail, exceeding gigabytes a week in some configurations. Administrators should take into account the disk space requirements associated with high volume audit configurations. For example, it may be desirable to dedicate a file system to [.filename]#/var/audit# so that other file systems are not affected if the audit file system becomes full. +The security event auditing facility is able to generate very detailed logs of system activity. +On a busy system, trail file data can be very large when configured for high detail, exceeding gigabytes a week in some configurations. +Administrators should take into account the disk space requirements associated with high volume audit configurations. +For example, it may be desirable to dedicate a file system to [.filename]#/var/audit# so that other file systems are not affected if the audit file system becomes full. ==== [[audit-inline-glossary]] @@ -85,7 +93,8 @@ The following terms are related to security event auditing: [[audit-config]] == Audit Configuration -User space support for event auditing is installed as part of the base FreeBSD operating system. Kernel support is available in the [.filename]#GENERIC# kernel by default, and man:auditd[8] can be enabled by adding the following line to [.filename]#/etc/rc.conf#: +User space support for event auditing is installed as part of the base FreeBSD operating system. +Kernel support is available in the [.filename]#GENERIC# kernel by default, and man:auditd[8] can be enabled by adding the following line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -108,7 +117,9 @@ options AUDIT === Event Selection Expressions -Selection expressions are used in a number of places in the audit configuration to determine which events should be audited. Expressions contain a list of event classes to match. Selection expressions are evaluated from left to right, and two expressions are combined by appending one onto the other. +Selection expressions are used in a number of places in the audit configuration to determine which events should be audited. +Expressions contain a list of event classes to match. +Selection expressions are evaluated from left to right, and two expressions are combined by appending one onto the other. <<event-selection>> summarizes the default audit event classes: @@ -203,7 +214,8 @@ Selection expressions are used in a number of places in the audit configuration These audit event classes may be customized by modifying the [.filename]#audit_class# and [.filename]#audit_event# configuration files. -Each audit event class may be combined with a prefix indicating whether successful/failed operations are matched, and whether the entry is adding or removing matching for the class and type. <<event-prefixes>> summarizes the available prefixes: +Each audit event class may be combined with a prefix indicating whether successful/failed operations are matched, and whether the entry is adding or removing matching for the class and type. +<<event-prefixes>> summarizes the available prefixes: [[event-prefixes]] .Prefixes for Audit Event Classes @@ -249,11 +261,11 @@ The following configuration files for security event auditing are found in [.fil [WARNING] ==== - Audit configuration files should be edited and maintained carefully, as errors in configuration may result in improper logging of events. ==== -In most cases, administrators will only need to modify [.filename]#audit_control# and [.filename]#audit_user#. The first file controls system-wide audit properties and policies and the second file may be used to fine-tune auditing by user. +In most cases, administrators will only need to modify [.filename]#audit_control# and [.filename]#audit_user#. +The first file controls system-wide audit properties and policies and the second file may be used to fine-tune auditing by user. [[audit-auditcontrol]] ==== The [.filename]#audit_control# File @@ -272,28 +284,37 @@ filesz:2M expire-after:10M .... -The `dir` entry is used to set one or more directories where audit logs will be stored. If more than one directory entry appears, they will be used in order as they fill. It is common to configure audit so that audit logs are stored on a dedicated file system, in order to prevent interference between the audit subsystem and other subsystems if the file system fills. +The `dir` entry is used to set one or more directories where audit logs will be stored. +If more than one directory entry appears, they will be used in order as they fill. +It is common to configure audit so that audit logs are stored on a dedicated file system, in order to prevent interference between the audit subsystem and other subsystems if the file system fills. If the `dist` field is set to `on` or `yes`, hard links will be created to all trail files in [.filename]#/var/audit/dist#. -The `flags` field sets the system-wide default preselection mask for attributable events. In the example above, successful and failed login/logout events as well as authentication and authorization are audited for all users. +The `flags` field sets the system-wide default preselection mask for attributable events. +In the example above, successful and failed login/logout events as well as authentication and authorization are audited for all users. The `minfree` entry defines the minimum percentage of free space for the file system where the audit trail is stored. The `naflags` entry specifies audit classes to be audited for non-attributed events, such as the login/logout process and authentication and authorization. -The `policy` entry specifies a comma-separated list of policy flags controlling various aspects of audit behavior. The `cnt` indicates that the system should continue running despite an auditing failure (this flag is highly recommended). The other flag, `argv`, causes command line arguments to the man:execve[2] system call to be audited as part of command execution. +The `policy` entry specifies a comma-separated list of policy flags controlling various aspects of audit behavior. +The `cnt` indicates that the system should continue running despite an auditing failure (this flag is highly recommended). +The other flag, `argv`, causes command line arguments to the man:execve[2] system call to be audited as part of command execution. -The `filesz` entry specifies the maximum size for an audit trail before automatically terminating and rotating the trail file. A value of `0` disables automatic log rotation. If the requested file size is below the minimum of 512k, it will be ignored and a log message will be generated. +The `filesz` entry specifies the maximum size for an audit trail before automatically terminating and rotating the trail file. +A value of `0` disables automatic log rotation. +If the requested file size is below the minimum of 512k, it will be ignored and a log message will be generated. The `expire-after` field specifies when audit log files will expire and be removed. [[audit-audituser]] ==== The [.filename]#audit_user# File -The administrator can specify further audit requirements for specific users in [.filename]#audit_user#. Each line configures auditing for a user via two fields: the `alwaysaudit` field specifies a set of events that should always be audited for the user, and the `neveraudit` field specifies a set of events that should never be audited for the user. +The administrator can specify further audit requirements for specific users in [.filename]#audit_user#. +Each line configures auditing for a user via two fields: the `alwaysaudit` field specifies a set of events that should always be audited for the user, and the `neveraudit` field specifies a set of events that should never be audited for the user. -The following example entries audit login/logout events and successful command execution for `root` and file creation and successful command execution for `www`. If used with the default [.filename]#audit_control#, the `lo` entry for `root` is redundant, and login/logout events will also be audited for `www`. +The following example entries audit login/logout events and successful command execution for `root` and file creation and successful command execution for `www`. +If used with the default [.filename]#audit_control#, the `lo` entry for `root` is redundant, and login/logout events will also be audited for `www`. [.programlisting] .... @@ -304,7 +325,10 @@ www:fc,+ex:no [[audit-administration]] == Working with Audit Trails -Since audit trails are stored in the BSM binary format, several built-in tools are available to modify or convert these trails to text. To convert trail files to a simple text format, use `praudit`. To reduce the audit trail file for analysis, archiving, or printing purposes, use `auditreduce`. This utility supports a variety of selection parameters, including event type, event class, user, date or time of the event, and the file path or object acted on. +Since audit trails are stored in the BSM binary format, several built-in tools are available to modify or convert these trails to text. +To convert trail files to a simple text format, use `praudit`. +To reduce the audit trail file for analysis, archiving, or printing purposes, use `auditreduce`. +This utility supports a variety of selection parameters, including event type, event class, user, date or time of the event, and the file path or object acted on. For example, to dump the entire contents of a specified audit log in plain text: @@ -315,7 +339,9 @@ For example, to dump the entire contents of a specified audit log in plain text: Where _AUDITFILE_ is the audit log to dump. -Audit trails consist of a series of audit records made up of tokens, which `praudit` prints sequentially, one per line. Each token is of a specific type, such as `header` (an audit record header) or `path` (a file path from a name lookup). The following is an example of an `execve` event: +Audit trails consist of a series of audit records made up of tokens, which `praudit` prints sequentially, one per line. +Each token is of a specific type, such as `header` (an audit record header) or `path` (a file path from a name lookup). +The following is an example of an `execve` event: [.programlisting] .... @@ -328,29 +354,43 @@ return,success,0 trailer,133 .... -This audit represents a successful `execve` call, in which the command `finger doug` has been run. The `exec arg` token contains the processed command line presented by the shell to the kernel. The `path` token holds the path to the executable as looked up by the kernel. The `attribute` token describes the binary and includes the file mode. The `subject` token stores the audit user ID, effective user ID and group ID, real user ID and group ID, process ID, session ID, port ID, and login address. Notice that the audit user ID and real user ID differ as the user `robert` switched to the `root` account before running this command, but it is audited using the original authenticated user. The `return` token indicates the successful execution and the `trailer` concludes the record. +This audit represents a successful `execve` call, in which the command `finger doug` has been run. +The `exec arg` token contains the processed command line presented by the shell to the kernel. +The `path` token holds the path to the executable as looked up by the kernel. +The `attribute` token describes the binary and includes the file mode. +The `subject` token stores the audit user ID, effective user ID and group ID, real user ID and group ID, process ID, session ID, port ID, and login address. +Notice that the audit user ID and real user ID differ as the user `robert` switched to the `root` account before running this command, but it is audited using the original authenticated user. +The `return` token indicates the successful execution and the `trailer` concludes the record. XML output format is also supported and can be selected by including `-x`. -Since audit logs may be very large, a subset of records can be selected using `auditreduce`. This example selects all audit records produced for the user `trhodes` stored in [.filename]#AUDITFILE#: +Since audit logs may be very large, a subset of records can be selected using `auditreduce`. +This example selects all audit records produced for the user `trhodes` stored in [.filename]#AUDITFILE#: [source,shell] .... # auditreduce -u trhodes /var/audit/AUDITFILE | praudit .... -Members of the `audit` group have permission to read audit trails in [.filename]#/var/audit#. By default, this group is empty, so only the `root` user can read audit trails. Users may be added to the `audit` group in order to delegate audit review rights. As the ability to track audit log contents provides significant insight into the behavior of users and processes, it is recommended that the delegation of audit review rights be performed with caution. +Members of the `audit` group have permission to read audit trails in [.filename]#/var/audit#. +By default, this group is empty, so only the `root` user can read audit trails. +Users may be added to the `audit` group in order to delegate audit review rights. +As the ability to track audit log contents provides significant insight into the behavior of users and processes, it is recommended that the delegation of audit review rights be performed with caution. === Live Monitoring Using Audit Pipes -Audit pipes are cloning pseudo-devices which allow applications to tap the live audit record stream. This is primarily of interest to authors of intrusion detection and system monitoring applications. However, the audit pipe device is a convenient way for the administrator to allow live monitoring without running into problems with audit trail file ownership or log rotation interrupting the event stream. To track the live audit event stream: +Audit pipes are cloning pseudo-devices which allow applications to tap the live audit record stream. +This is primarily of interest to authors of intrusion detection and system monitoring applications. +However, the audit pipe device is a convenient way for the administrator to allow live monitoring without running into problems with audit trail file ownership or log rotation interrupting the event stream. +To track the live audit event stream: [source,shell] .... # praudit /dev/auditpipe .... -By default, audit pipe device nodes are accessible only to the `root` user. To make them accessible to the members of the `audit` group, add a `devfs` rule to [.filename]#/etc/devfs.rules#: +By default, audit pipe device nodes are accessible only to the `root` user. +To make them accessible to the members of the `audit` group, add a `devfs` rule to [.filename]#/etc/devfs.rules#: [.programlisting] .... @@ -361,13 +401,18 @@ See man:devfs.rules[5] for more information on configuring the devfs file system [WARNING] ==== - -It is easy to produce audit event feedback cycles, in which the viewing of each audit event results in the generation of more audit events. For example, if all network I/O is audited, and `praudit` is run from an SSH session, a continuous stream of audit events will be generated at a high rate, as each event being printed will generate another event. For this reason, it is advisable to run `praudit` on an audit pipe device from sessions without fine-grained I/O auditing. +It is easy to produce audit event feedback cycles, in which the viewing of each audit event results in the generation of more audit events. +For example, if all network I/O is audited, and `praudit` is run from an SSH session, a continuous stream of audit events will be generated at a high rate, as each event being printed will generate another event. +For this reason, it is advisable to run `praudit` on an audit pipe device from sessions without fine-grained I/O auditing. ==== === Rotating and Compressing Audit Trail Files -Audit trails are written to by the kernel and managed by the audit daemon, man:auditd[8]. Administrators should not attempt to use man:newsyslog.conf[5] or other tools to directly rotate audit logs. Instead, `audit` should be used to shut down auditing, reconfigure the audit system, and perform log rotation. The following command causes the audit daemon to create a new audit log and signal the kernel to switch to using the new log. The old log will be terminated and renamed, at which point it may then be manipulated by the administrator: +Audit trails are written to by the kernel and managed by the audit daemon, man:auditd[8]. +Administrators should not attempt to use man:newsyslog.conf[5] or other tools to directly rotate audit logs. +Instead, `audit` should be used to shut down auditing, reconfigure the audit system, and perform log rotation. +The following command causes the audit daemon to create a new audit log and signal the kernel to switch to using the new log. +The old log will be terminated and renamed, at which point it may then be manipulated by the administrator: [source,shell] .... @@ -387,7 +432,9 @@ The change will take effect once [.filename]#/etc/crontab# is saved. Automatic rotation of the audit trail file based on file size is possible using `filesz` in [.filename]#audit_control# as described in <<audit-auditcontrol>>. -As audit trail files can become very large, it is often desirable to compress or otherwise archive trails once they have been closed by the audit daemon. The [.filename]#audit_warn# script can be used to perform customized operations for a variety of audit-related events, including the clean termination of audit trails when they are rotated. For example, the following may be added to [.filename]#/etc/security/audit_warn# to compress audit trails on close: +As audit trail files can become very large, it is often desirable to compress or otherwise archive trails once they have been closed by the audit daemon. +The [.filename]#audit_warn# script can be used to perform customized operations for a variety of audit-related events, including the clean termination of audit trails when they are rotated. +For example, the following may be added to [.filename]#/etc/security/audit_warn# to compress audit trails on close: [.programlisting] .... @@ -399,4 +446,6 @@ if [ "$1" = closefile ]; then fi .... -Other archiving activities might include copying trail files to a centralized server, deleting old trail files, or reducing the audit trail to remove unneeded records. This script will be run only when audit trail files are cleanly terminated. It will not be run on trails left unterminated following an improper shutdown. +Other archiving activities might include copying trail files to a centralized server, deleting old trail files, or reducing the audit trail to remove unneeded records. +This script will be run only when audit trail files are cleanly terminated. +It will not be run on trails left unterminated following an improper shutdown. diff --git a/documentation/content/en/books/handbook/basics/_index.adoc b/documentation/content/en/books/handbook/basics/_index.adoc index 7c0c35a27c..f3cc959161 100644 --- a/documentation/content/en/books/handbook/basics/_index.adoc +++ b/documentation/content/en/books/handbook/basics/_index.adoc @@ -46,7 +46,9 @@ toc::[] [[basics-synopsis]] == Synopsis -This chapter covers the basic commands and functionality of the FreeBSD operating system. Much of this material is relevant for any UNIX(R)-like operating system. New FreeBSD users are encouraged to read through this chapter carefully. +This chapter covers the basic commands and functionality of the FreeBSD operating system. +Much of this material is relevant for any UNIX(R)-like operating system. +New FreeBSD users are encouraged to read through this chapter carefully. After reading this chapter, you will know: @@ -74,24 +76,41 @@ FreeBSD/amd64 (pc3.example.org) (ttyv0) login: .... -The first line contains some information about the system. The `amd64` indicates that the system in this example is running a 64-bit version of FreeBSD. The hostname is `pc3.example.org`, and [.filename]#ttyv0# indicates that this is the "system console". The second line is the login prompt. +The first line contains some information about the system. +The `amd64` indicates that the system in this example is running a 64-bit version of FreeBSD. +The hostname is `pc3.example.org`, and [.filename]#ttyv0# indicates that this is the "system console". +The second line is the login prompt. -Since FreeBSD is a multiuser system, it needs some way to distinguish between different users. This is accomplished by requiring every user to log into the system before gaining access to the programs on the system. Every user has a unique name "username" and a personal "password". +Since FreeBSD is a multiuser system, it needs some way to distinguish between different users. +This is accomplished by requiring every user to log into the system before gaining access to the programs on the system. +Every user has a unique name "username" and a personal "password". -To log into the system console, type the username that was configured during system installation, as described in crossref:bsdinstall[bsdinstall-addusers,Add Users], and press kbd:[Enter]. Then enter the password associated with the username and press kbd:[Enter]. The password is _not echoed_ for security reasons. +To log into the system console, type the username that was configured during system installation, as described in crossref:bsdinstall[bsdinstall-addusers,Add Users], and press kbd:[Enter]. +Then enter the password associated with the username and press kbd:[Enter]. +The password is _not echoed_ for security reasons. -Once the correct password is input, the message of the day (MOTD) will be displayed followed by a command prompt. Depending upon the shell that was selected when the user was created, this prompt will be a `#`, `$`, or `%` character. The prompt indicates that the user is now logged into the FreeBSD system console and ready to try the available commands. +Once the correct password is input, the message of the day (MOTD) will be displayed followed by a command prompt. +Depending upon the shell that was selected when the user was created, this prompt will be a `#`, `$`, or `%` character. +The prompt indicates that the user is now logged into the FreeBSD system console and ready to try the available commands. [[consoles-virtual]] === Virtual Consoles -While the system console can be used to interact with the system, a user working from the command line at the keyboard of a FreeBSD system will typically instead log into a virtual console. This is because system messages are configured by default to display on the system console. These messages will appear over the command or file that the user is working on, making it difficult to concentrate on the work at hand. +While the system console can be used to interact with the system, a user working from the command line at the keyboard of a FreeBSD system will typically instead log into a virtual console. +This is because system messages are configured by default to display on the system console. +These messages will appear over the command or file that the user is working on, making it difficult to concentrate on the work at hand. -By default, FreeBSD is configured to provide several virtual consoles for inputting commands. Each virtual console has its own login prompt and shell and it is easy to switch between virtual consoles. This essentially provides the command line equivalent of having several windows open at the same time in a graphical environment. +By default, FreeBSD is configured to provide several virtual consoles for inputting commands. +Each virtual console has its own login prompt and shell and it is easy to switch between virtual consoles. +This essentially provides the command line equivalent of having several windows open at the same time in a graphical environment. -The key combinations kbd:[Alt+F1] through kbd:[Alt+F8] have been reserved by FreeBSD for switching between virtual consoles. Use kbd:[Alt+F1] to switch to the system console ([.filename]#ttyv0#), kbd:[Alt+F2] to access the first virtual console ([.filename]#ttyv1#), kbd:[Alt+F3] to access the second virtual console ([.filename]#ttyv2#), and so on. When using Xorg as a graphical console, the combination becomes kbd:[Ctrl+Alt+F1] to return to a text-based virtual console. +The key combinations kbd:[Alt+F1] through kbd:[Alt+F8] have been reserved by FreeBSD for switching between virtual consoles. +Use kbd:[Alt+F1] to switch to the system console ([.filename]#ttyv0#), kbd:[Alt+F2] to access the first virtual console ([.filename]#ttyv1#), kbd:[Alt+F3] to access the second virtual console ([.filename]#ttyv2#), and so on. +When using Xorg as a graphical console, the combination becomes kbd:[Ctrl+Alt+F1] to return to a text-based virtual console. -When switching from one console to the next, FreeBSD manages the screen output. The result is an illusion of having multiple virtual screens and keyboards that can be used to type commands for FreeBSD to run. The programs that are launched in one virtual console do not stop running when the user switches to a different virtual console. +When switching from one console to the next, FreeBSD manages the screen output. +The result is an illusion of having multiple virtual screens and keyboards that can be used to type commands for FreeBSD to run. +The programs that are launched in one virtual console do not stop running when the user switches to a different virtual console. Refer to man:kbdcontrol[1], man:vidcontrol[1], man:atkbd:[4], man:syscons[4], and man:vt[4] for a more technical description of the FreeBSD console and its keyboard drivers. @@ -113,14 +132,22 @@ ttyv7 "/usr/libexec/getty Pc" xterm on secure ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure .... -To disable a virtual console, put a comment symbol (`#`) at the beginning of the line representing that virtual console. For example, to reduce the number of available virtual consoles from eight to four, put a `#` in front of the last four lines representing virtual consoles [.filename]#ttyv5# through [.filename]#ttyv8#. _Do not_ comment out the line for the system console [.filename]#ttyv0#. Note that the last virtual console ([.filename]#ttyv8#) is used to access the graphical environment if Xorg has been installed and configured as described in crossref:x11[x11,The X Window System]. +To disable a virtual console, put a comment symbol (`#`) at the beginning of the line representing that virtual console. +For example, to reduce the number of available virtual consoles from eight to four, put a `#` in front of the last four lines representing virtual consoles [.filename]#ttyv5# through [.filename]#ttyv8#. +_Do not_ comment out the line for the system console [.filename]#ttyv0#. +Note that the last virtual console ([.filename]#ttyv8#) is used to access the graphical environment if Xorg has been installed and configured as described in crossref:x11[x11,The X Window System]. For a detailed description of every column in this file and the available options for the virtual consoles, refer to man:ttys[5]. [[consoles-singleuser]] === Single User Mode -The FreeBSD boot menu provides an option labelled as "Boot Single User". If this option is selected, the system will boot into a special mode known as "single user mode". This mode is typically used to repair a system that will not boot or to reset the `root` password when it is not known. While in single user mode, networking and other virtual consoles are not available. However, full `root` access to the system is available, and by default, the `root` password is not needed. For these reasons, physical access to the keyboard is needed to boot into this mode and determining who has physical access to the keyboard is something to consider when securing a FreeBSD system. +The FreeBSD boot menu provides an option labelled as "Boot Single User". +If this option is selected, the system will boot into a special mode known as "single user mode". +This mode is typically used to repair a system that will not boot or to reset the `root` password when it is not known. +While in single user mode, networking and other virtual consoles are not available. +However, full `root` access to the system is available, and by default, the `root` password is not needed. +For these reasons, physical access to the keyboard is needed to boot into this mode and determining who has physical access to the keyboard is something to consider when securing a FreeBSD system. The settings which control single user mode are found in this section of [.filename]#/etc/ttys#: @@ -133,7 +160,10 @@ The settings which control single user mode are found in this section of [.filen console none unknown off secure .... -By default, the status is set to `secure`. This assumes that who has physical access to the keyboard is either not important or it is controlled by a physical security policy. If this setting is changed to `insecure`, the assumption is that the environment itself is insecure because anyone can access the keyboard. When this line is changed to `insecure`, FreeBSD will prompt for the `root` password when a user selects to boot into single user mode. +By default, the status is set to `secure`. +This assumes that who has physical access to the keyboard is either not important or it is controlled by a physical security policy. +If this setting is changed to `insecure`, the assumption is that the environment itself is insecure because anyone can access the keyboard. +When this line is changed to `insecure`, FreeBSD will prompt for the `root` password when a user selects to boot into single user mode. [NOTE] ==== @@ -143,21 +173,24 @@ _Be careful when changing this setting to `insecure`!_ If the `root` password is [[consoles-vidcontrol]] === Changing Console Video Modes -The FreeBSD console default video mode may be adjusted to 1024x768, 1280x1024, or any other size supported by the graphics chip and monitor. To use a different video mode load the `VESA` module: +The FreeBSD console default video mode may be adjusted to 1024x768, 1280x1024, or any other size supported by the graphics chip and monitor. +To use a different video mode load the `VESA` module: [source,shell] .... # kldload vesa .... -To determine which video modes are supported by the hardware, use man:vidcontrol[1]. To get a list of supported video modes issue the following: +To determine which video modes are supported by the hardware, use man:vidcontrol[1]. +To get a list of supported video modes issue the following: [source,shell] .... # vidcontrol -i mode .... -The output of this command lists the video modes that are supported by the hardware. To select a new video mode, specify the mode using man:vidcontrol[1] as the `root` user: +The output of this command lists the video modes that are supported by the hardware. +To select a new video mode, specify the mode using man:vidcontrol[1] as the `root` user: [source,shell] .... @@ -174,7 +207,9 @@ allscreens_flags="MODE_279" [[users-synopsis]] == Users and Basic Account Management -FreeBSD allows multiple users to use the computer at the same time. While only one user can sit in front of the screen and use the keyboard at any one time, any number of users can log in to the system through the network. To use the system, each user should have their own user account. +FreeBSD allows multiple users to use the computer at the same time. +While only one user can sit in front of the screen and use the keyboard at any one time, any number of users can log in to the system through the network. +To use the system, each user should have their own user account. This chapter describes: @@ -193,7 +228,8 @@ There are three main types of accounts: system accounts, user accounts, and the [[users-system]] ==== System Accounts -System accounts are used to run services such as DNS, mail, and web servers. The reason for this is security; if all services ran as the superuser, they could act without restriction. +System accounts are used to run services such as DNS, mail, and web servers. +The reason for this is security; if all services ran as the superuser, they could act without restriction. Examples of system accounts are `daemon`, `operator`, `bind`, `news`, and `www`. @@ -203,61 +239,88 @@ Examples of system accounts are `daemon`, `operator`, `bind`, `news`, and `www`. Care must be taken when using the operator group, as unintended superuser-like access privileges may be granted, including but not limited to shutdown, reboot, and access to all items in [.filename]#/dev# in the group. ==== -`nobody` is the generic unprivileged system account. However, the more services that use `nobody`, the more files and processes that user will become associated with, and hence the more privileged that user becomes. +`nobody` is the generic unprivileged system account. +However, the more services that use `nobody`, the more files and processes that user will become associated with, and hence the more privileged that user becomes. [[users-user]] ==== User Accounts -User accounts are assigned to real people and are used to log in and use the system. Every person accessing the system should have a unique user account. This allows the administrator to find out who is doing what and prevents users from clobbering the settings of other users. +User accounts are assigned to real people and are used to log in and use the system. +Every person accessing the system should have a unique user account. +This allows the administrator to find out who is doing what and prevents users from clobbering the settings of other users. Each user can set up their own environment to accommodate their use of the system, by configuring their default shell, editor, key bindings, and language settings. Every user account on a FreeBSD system has certain information associated with it: User name:: -The user name is typed at the `login:` prompt. Each user must have a unique user name. There are a number of rules for creating valid user names which are documented in man:passwd[5]. It is recommended to use user names that consist of eight or fewer, all lower case characters in order to maintain backwards compatibility with applications. +The user name is typed at the `login:` prompt. +Each user must have a unique user name. +There are a number of rules for creating valid user names which are documented in man:passwd[5]. +It is recommended to use user names that consist of eight or fewer, all lower case characters in order to maintain backwards compatibility with applications. Password:: Each account has an associated password. User ID (UID):: -The User ID (UID) is a number used to uniquely identify the user to the FreeBSD system. Commands that allow a user name to be specified will first convert it to the UID. It is recommended to use a UID less than 65535, since higher values may cause compatibility issues with some software. +The User ID (UID) is a number used to uniquely identify the user to the FreeBSD system. +Commands that allow a user name to be specified will first convert it to the UID. +It is recommended to use a UID less than 65535, since higher values may cause compatibility issues with some software. Group ID (GID):: -The Group ID (GID) is a number used to uniquely identify the primary group that the user belongs to. Groups are a mechanism for controlling access to resources based on a user's GID rather than their UID. This can significantly reduce the size of some configuration files and allows users to be members of more than one group. It is recommended to use a GID of 65535 or lower as higher GIDs may break some software. +The Group ID (GID) is a number used to uniquely identify the primary group that the user belongs to. +Groups are a mechanism for controlling access to resources based on a user's GID rather than their UID. +This can significantly reduce the size of some configuration files and allows users to be members of more than one group. +It is recommended to use a GID of 65535 or lower as higher GIDs may break some software. Login class:: -Login classes are an extension to the group mechanism that provide additional flexibility when tailoring the system to different users. Login classes are discussed further in crossref:security[users-limiting,Configuring Login Classes]. +Login classes are an extension to the group mechanism that provide additional flexibility when tailoring the system to different users. +Login classes are discussed further in crossref:security[users-limiting,Configuring Login Classes]. Password change time:: -By default, passwords do not expire. However, password expiration can be enabled on a per-user basis, forcing some or all users to change their passwords after a certain amount of time has elapsed. +By default, passwords do not expire. +However, password expiration can be enabled on a per-user basis, forcing some or all users to change their passwords after a certain amount of time has elapsed. Account expiration time:: -By default, FreeBSD does not expire accounts. When creating accounts that need a limited lifespan, such as student accounts in a school, specify the account expiry date using man:pw[8]. After the expiry time has elapsed, the account cannot be used to log in to the system, although the account's directories and files will remain. +By default, FreeBSD does not expire accounts. +When creating accounts that need a limited lifespan, such as student accounts in a school, specify the account expiry date using man:pw[8]. +After the expiry time has elapsed, the account cannot be used to log in to the system, although the account's directories and files will remain. User's full name:: -The user name uniquely identifies the account to FreeBSD, but does not necessarily reflect the user's real name. Similar to a comment, this information can contain spaces, uppercase characters, and be more than 8 characters long. +The user name uniquely identifies the account to FreeBSD, but does not necessarily reflect the user's real name. +Similar to a comment, this information can contain spaces, uppercase characters, and be more than 8 characters long. Home directory:: -The home directory is the full path to a directory on the system. This is the user's starting directory when the user logs in. A common convention is to put all user home directories under [.filename]#/home/username# or [.filename]#/usr/home/username#. Each user stores their personal files and subdirectories in their own home directory. +The home directory is the full path to a directory on the system. +This is the user's starting directory when the user logs in. +A common convention is to put all user home directories under [.filename]#/home/username# or [.filename]#/usr/home/username#. +Each user stores their personal files and subdirectories in their own home directory. User shell:: -The shell provides the user's default environment for interacting with the system. There are many different kinds of shells and experienced users will have their own preferences, which can be reflected in their account settings. +The shell provides the user's default environment for interacting with the system. +There are many different kinds of shells and experienced users will have their own preferences, which can be reflected in their account settings. [[users-superuser]] ==== The Superuser Account -The superuser account, usually called `root`, is used to manage the system with no limitations on privileges. For this reason, it should not be used for day-to-day tasks like sending and receiving mail, general exploration of the system, or programming. +The superuser account, usually called `root`, is used to manage the system with no limitations on privileges. +For this reason, it should not be used for day-to-day tasks like sending and receiving mail, general exploration of the system, or programming. -The superuser, unlike other user accounts, can operate without limits, and misuse of the superuser account may result in spectacular disasters. User accounts are unable to destroy the operating system by mistake, so it is recommended to login as a user account and to only become the superuser when a command requires extra privilege. +The superuser, unlike other user accounts, can operate without limits, and misuse of the superuser account may result in spectacular disasters. +User accounts are unable to destroy the operating system by mistake, so it is recommended to login as a user account and to only become the superuser when a command requires extra privilege. Always double and triple-check any commands issued as the superuser, since an extra space or missing character can mean irreparable data loss. -There are several ways to gain superuser privilege. While one can log in as `root`, this is highly discouraged. +There are several ways to gain superuser privilege. +While one can log in as `root`, this is highly discouraged. -Instead, use man:su[1] to become the superuser. If `-` is specified when running this command, the user will also inherit the root user's environment. The user running this command must be in the `wheel` group or else the command will fail. The user must also know the password for the `root` user account. +Instead, use man:su[1] to become the superuser. +If `-` is specified when running this command, the user will also inherit the root user's environment. +The user running this command must be in the `wheel` group or else the command will fail. +The user must also know the password for the `root` user account. -In this example, the user only becomes superuser in order to run `make install` as this step requires superuser privilege. Once the command completes, the user types `exit` to leave the superuser account and return to the privilege of their user account. +In this example, the user only becomes superuser in order to run `make install` as this step requires superuser privilege. +Once the command completes, the user types `exit` to leave the superuser account and return to the privilege of their user account. .Install a Program As the Superuser [example] @@ -274,12 +337,16 @@ Password: .... ==== -The built-in man:su[1] framework works well for single systems or small networks with just one system administrator. An alternative is to install the package:security/sudo[] package or port. This software provides activity logging and allows the administrator to configure which users can run which commands as the superuser. +The built-in man:su[1] framework works well for single systems or small networks with just one system administrator. +An alternative is to install the package:security/sudo[] package or port. +This software provides activity logging and allows the administrator to configure which users can run which commands as the superuser. [[users-modifying]] === Managing Accounts -FreeBSD provides a variety of different commands to manage user accounts. The most common commands are summarized in <<users-modifying-utilities>>, followed by some examples of their usage. See the manual page for each utility for more details and usage examples. +FreeBSD provides a variety of different commands to manage user accounts. +The most common commands are summarized in <<users-modifying-utilities>>, followed by some examples of their usage. +See the manual page for each utility for more details and usage examples. [[users-modifying-utilities]] .Utilities for Managing User Accounts @@ -307,9 +374,15 @@ FreeBSD provides a variety of different commands to manage user accounts. The mo [[users-adduser]] ==== `adduser` -The recommended program for adding new users is man:adduser[8]. When a new user is added, this program automatically updates [.filename]#/etc/passwd# and [.filename]#/etc/group#. It also creates a home directory for the new user, copies in the default configuration files from [.filename]#/usr/share/skel#, and can optionally mail the new user a welcome message. This utility must be run as the superuser. +The recommended program for adding new users is man:adduser[8]. +When a new user is added, this program automatically updates [.filename]#/etc/passwd# and [.filename]#/etc/group#. +It also creates a home directory for the new user, copies in the default configuration files from [.filename]#/usr/share/skel#, and can optionally mail the new user a welcome message. +This utility must be run as the superuser. -The man:adduser[8] utility is interactive and walks through the steps for creating a new user account. As seen in <<users-modifying-adduser>>, either input the required information or press kbd:[Return] to accept the default value shown in square brackets. In this example, the user has been invited into the `wheel` group, allowing them to become the superuser with man:su[1]. When finished, the utility will prompt to either create another user or to exit. +The man:adduser[8] utility is interactive and walks through the steps for creating a new user account. +As seen in <<users-modifying-adduser>>, either input the required information or press kbd:[Return] to accept the default value shown in square brackets. +In this example, the user has been invited into the `wheel` group, allowing them to become the superuser with man:su[1]. +When finished, the utility will prompt to either create another user or to exit. [[users-modifying-adduser]] .Adding a User on FreeBSD @@ -358,7 +431,8 @@ Since the password is not echoed when typed, be careful to not mistype the passw [[users-rmuser]] ==== `rmuser` -To completely remove a user from the system, run man:rmuser[8] as the superuser. This command performs the following steps: +To completely remove a user from the system, run man:rmuser[8] as the superuser. +This command performs the following steps: [.procedure] . Removes the user's man:crontab[1] entry, if one exists. @@ -392,16 +466,20 @@ Removing user (jru): mailspool home passwd. [[users-chpass]] ==== `chpass` -Any user can use man:chpass[1] to change their default shell and personal information associated with their user account. The superuser can use this utility to change additional account information for any user. +Any user can use man:chpass[1] to change their default shell and personal information associated with their user account. +The superuser can use this utility to change additional account information for any user. -When passed no options, aside from an optional username, man:chpass[1] displays an editor containing user information. When the user exits from the editor, the user database is updated with the new information. +When passed no options, aside from an optional username, man:chpass[1] displays an editor containing user information. +When the user exits from the editor, the user database is updated with the new information. [NOTE] ==== This utility will prompt for the user's password when exiting the editor, unless the utility is run as the superuser. ==== -In <<users-modifying-chpass-su>>, the superuser has typed `chpass jru` and is now viewing the fields that can be changed for this user. If `jru` runs this command instead, only the last six fields will be displayed and available for editing. This is shown in <<users-modifying-chpass-ru>>. +In <<users-modifying-chpass-su>>, the superuser has typed `chpass jru` and is now viewing the fields that can be changed for this user +If `jru` runs this command instead, only the last six fields will be displayed and available for editing. +This is shown in <<users-modifying-chpass-ru>>. [[users-modifying-chpass-su]] .Using `chpass` as Superuser @@ -445,13 +523,16 @@ Other information: [NOTE] ==== -The commands man:chfn[1] and man:chsh[1] are links to man:chpass[1], as are man:ypchpass[1], man:ypchfn[1], and man:ypchsh[1]. Since NIS support is automatic, specifying the `yp` before the command is not necessary. How to configure NIS is covered in crossref:network-servers[network-servers,Network Servers]. +The commands man:chfn[1] and man:chsh[1] are links to man:chpass[1], as are man:ypchpass[1], man:ypchfn[1], and man:ypchsh[1]. +Since NIS support is automatic, specifying the `yp` before the command is not necessary. +How to configure NIS is covered in crossref:network-servers[network-servers,Network Servers]. ==== [[users-passwd]] ==== `passwd` -Any user can easily change their password using man:passwd[1]. To prevent accidental or unauthorized changes, this command will prompt for the user's original password before a new password can be set: +Any user can easily change their password using man:passwd[1]. +To prevent accidental or unauthorized changes, this command will prompt for the user's original password before a new password can be set: .Changing Your Password [example] @@ -468,7 +549,9 @@ passwd: done .... ==== -The superuser can change any user's password by specifying the username when running man:passwd[1]. When this utility is run as the superuser, it will not prompt for the user's current password. This allows the password to be changed when a user cannot remember the original password. +The superuser can change any user's password by specifying the username when running man:passwd[1]. +When this utility is run as the superuser, it will not prompt for the user's current password. +This allows the password to be changed when a user cannot remember the original password. .Changing Another User's Password as the Superuser [example] @@ -492,16 +575,25 @@ As with man:chpass[1], man:yppasswd[1] is a link to man:passwd[1], so NIS works [[users-pw]] ==== `pw` -The man:pw[8] utility can create, remove, modify, and display users and groups. It functions as a front end to the system user and group files. man:pw[8] has a very powerful set of command line options that make it suitable for use in shell scripts, but new users may find it more complicated than the other commands presented in this section. +The man:pw[8] utility can create, remove, modify, and display users and groups. +It functions as a front end to the system user and group files. +man:pw[8] has a very powerful set of command line options that make it suitable for use in shell scripts, but new users may find it more complicated than the other commands presented in this section. [[users-groups]] === Managing Groups -A group is a list of users. A group is identified by its group name and GID. In FreeBSD, the kernel uses the UID of a process, and the list of groups it belongs to, to determine what the process is allowed to do. Most of the time, the GID of a user or process usually means the first group in the list. +A group is a list of users. A group is identified by its group name and GID. +In FreeBSD, the kernel uses the UID of a process, and the list of groups it belongs to, to determine what the process is allowed to do. +Most of the time, the GID of a user or process usually means the first group in the list. -The group name to GID mapping is listed in [.filename]#/etc/group#. This is a plain text file with four colon-delimited fields. The first field is the group name, the second is the encrypted password, the third the GID, and the fourth the comma-delimited list of members. For a more complete description of the syntax, refer to man:group[5]. +The group name to GID mapping is listed in [.filename]#/etc/group#. +This is a plain text file with four colon-delimited fields. +The first field is the group name, the second is the encrypted password, the third the GID, and the fourth the comma-delimited list of members. +For a more complete description of the syntax, refer to man:group[5]. -The superuser can modify [.filename]#/etc/group# using a text editor. Alternatively, man:pw[8] can be used to add and edit groups. For example, to add a group called `teamtwo` and then confirm that it exists: +The superuser can modify [.filename]#/etc/group# using a text editor. +Alternatively, man:pw[8] can be used to add and edit groups. +For example, to add a group called `teamtwo` and then confirm that it exists: .Adding a Group Using man:pw[8] [example] @@ -514,7 +606,9 @@ teamtwo:*:1100: .... ==== -In this example, `1100` is the GID of `teamtwo`. Right now, `teamtwo` has no members. This command will add `jru` as a member of `teamtwo`. +In this example, `1100` is the GID of `teamtwo`. +Right now, `teamtwo` has no members. +This command will add `jru` as a member of `teamtwo`. .Adding User Accounts to a New Group Using man:pw[8] [example] @@ -527,7 +621,10 @@ teamtwo:*:1100:jru .... ==== -The argument to `-M` is a comma-delimited list of users to be added to a new (empty) group or to replace the members of an existing group. To the user, this group membership is different from (and in addition to) the user's primary group listed in the password file. This means that the user will not show up as a member when using `groupshow` with man:pw[8], but will show up when the information is queried via man:id[1] or a similar tool. When man:pw[8] is used to add a user to a group, it only manipulates [.filename]#/etc/group# and does not attempt to read additional data from [.filename]#/etc/passwd#. +The argument to `-M` is a comma-delimited list of users to be added to a new (empty) group or to replace the members of an existing group. +To the user, this group membership is different from (and in addition to) the user's primary group listed in the password file. +This means that the user will not show up as a member when using `groupshow` with man:pw[8], but will show up when the information is queried via man:id[1] or a similar tool. +When man:pw[8] is used to add a user to a group, it only manipulates [.filename]#/etc/group# and does not attempt to read additional data from [.filename]#/etc/passwd#. .Adding a New Member to a Group Using man:pw[8] [example] @@ -540,7 +637,8 @@ teamtwo:*:1100:jru,db .... ==== -In this example, the argument to `-m` is a comma-delimited list of users who are to be added to the group. Unlike the previous example, these users are appended to the group and do not replace existing users in the group. +In this example, the argument to `-m` is a comma-delimited list of users who are to be added to the group. +Unlike the previous example, these users are appended to the group and do not replace existing users in the group. .Using man:id[1] to Determine Group Membership [example] @@ -559,13 +657,20 @@ For more information about this command and the format of [.filename]#/etc/group [[permissions]] == Permissions -In FreeBSD, every file and directory has an associated set of permissions and several utilities are available for viewing and modifying these permissions. Understanding how permissions work is necessary to make sure that users are able to access the files that they need and are unable to improperly access the files used by the operating system or owned by other users. +In FreeBSD, every file and directory has an associated set of permissions and several utilities are available for viewing and modifying these permissions. +Understanding how permissions work is necessary to make sure that users are able to access the files that they need and are unable to improperly access the files used by the operating system or owned by other users. -This section discusses the traditional UNIX(R) permissions used in FreeBSD. For finer grained file system access control, refer to crossref:security[fs-acl,“Access Control Lists”]. +This section discusses the traditional UNIX(R) permissions used in FreeBSD. +For finer grained file system access control, refer to crossref:security[fs-acl,“Access Control Lists”]. -In UNIX(R), basic permissions are assigned using three types of access: read, write, and execute. These access types are used to determine file access to the file's owner, group, and others (everyone else). The read, write, and execute permissions can be represented as the letters `r`, `w`, and `x`. They can also be represented as binary numbers as each permission is either on or off (`0`). When represented as a number, the order is always read as `rwx`, where `r` has an on value of `4`, `w` has an on value of `2` and `x` has an on value of `1`. +In UNIX(R), basic permissions are assigned using three types of access: read, write, and execute. +These access types are used to determine file access to the file's owner, group, and others (everyone else). +The read, write, and execute permissions can be represented as the letters `r`, `w`, and `x`. +They can also be represented as binary numbers as each permission is either on or off (`0`). +When represented as a number, the order is always read as `rwx`, where `r` has an on value of `4`, `w` has an on value of `2` and `x` has an on value of `1`. -Table 4.1 summarizes the possible numeric and alphabetic possibilities. When reading the "Directory Listing" column, a `-` is used to represent a permission that is set to off. +Table 4.1 summarizes the possible numeric and alphabetic possibilities. +When reading the "Directory Listing" column, a `-` is used to represent a permission that is set to off. .UNIX(R) Permissions [cols="1,1,1", frame="none", options="header"] @@ -607,7 +712,8 @@ Table 4.1 summarizes the possible numeric and alphabetic possibilities. When rea |`rwx` |=== -Use the `-l` argument to man:ls[1] to view a long directory listing that includes a column of information about a file's permissions for the owner, group, and everyone else. For example, an `ls -l` in an arbitrary directory may show: +Use the `-l` argument to man:ls[1] to view a long directory listing that includes a column of information about a file's permissions for the owner, group, and everyone else. +For example, an `ls -l` in an arbitrary directory may show: [source,shell] .... @@ -618,19 +724,34 @@ total 530 -rw-r--r-- 1 root wheel 7680 Sep 5 12:31 email.txt .... -The first (leftmost) character in the first column indicates whether this file is a regular file, a directory, a special character device, a socket, or any other special pseudo-file device. In this example, the `-` indicates a regular file. The next three characters, `rw-` in this example, give the permissions for the owner of the file. The next three characters, `r--`, give the permissions for the group that the file belongs to. The final three characters, `r--`, give the permissions for the rest of the world. A dash means that the permission is turned off. In this example, the permissions are set so the owner can read and write to the file, the group can read the file, and the rest of the world can only read the file. According to the table above, the permissions for this file would be `644`, where each digit represents the three parts of the file's permission. +The first (leftmost) character in the first column indicates whether this file is a regular file, a directory, a special character device, a socket, or any other special pseudo-file device. +In this example, the `-` indicates a regular file. +The next three characters, `rw-` in this example, give the permissions for the owner of the file. +The next three characters, `r--`, give the permissions for the group that the file belongs to. +The final three characters, `r--`, give the permissions for the rest of the world. +A dash means that the permission is turned off. +In this example, the permissions are set so the owner can read and write to the file, the group can read the file, and the rest of the world can only read the file. +According to the table above, the permissions for this file would be `644`, where each digit represents the three parts of the file's permission. -How does the system control permissions on devices? FreeBSD treats most hardware devices as a file that programs can open, read, and write data to. These special device files are stored in [.filename]#/dev/#. +How does the system control permissions on devices? FreeBSD treats most hardware devices as a file that programs can open, read, and write data to. +These special device files are stored in [.filename]#/dev/#. -Directories are also treated as files. They have read, write, and execute permissions. The executable bit for a directory has a slightly different meaning than that of files. When a directory is marked executable, it means it is possible to change into that directory using man:cd[1]. This also means that it is possible to access the files within that directory, subject to the permissions on the files themselves. +Directories are also treated as files. +They have read, write, and execute permissions. +The executable bit for a directory has a slightly different meaning than that of files. +When a directory is marked executable, it means it is possible to change into that directory using man:cd[1]. +This also means that it is possible to access the files within that directory, subject to the permissions on the files themselves. -In order to perform a directory listing, the read permission must be set on the directory. In order to delete a file that one knows the name of, it is necessary to have write _and_ execute permissions to the directory containing the file. +In order to perform a directory listing, the read permission must be set on the directory. +In order to delete a file that one knows the name of, it is necessary to have write _and_ execute permissions to the directory containing the file. -There are more permission bits, but they are primarily used in special circumstances such as setuid binaries and sticky directories. For more information on file permissions and how to set them, refer to man:chmod[1]. +There are more permission bits, but they are primarily used in special circumstances such as setuid binaries and sticky directories. +For more information on file permissions and how to set them, refer to man:chmod[1]. === Symbolic Permissions -Symbolic permissions use characters instead of octal values to assign permissions to files or directories. Symbolic permissions use the syntax of (who) (action) (permissions), where the following values are available: +Symbolic permissions use characters instead of octal values to assign permissions to files or directories. +Symbolic permissions use the syntax of (who) (action) (permissions), where the following values are available: [.informaltable] [cols="1,1,1", frame="none", options="header"] @@ -688,14 +809,16 @@ Symbolic permissions use characters instead of octal values to assign permission |Set UID or GID |=== -These values are used with man:chmod[1], but with letters instead of numbers. For example, the following command would block other users from accessing _FILE_: +These values are used with man:chmod[1], but with letters instead of numbers. +For example, the following command would block other users from accessing _FILE_: [source,shell] .... % chmod go= FILE .... -A comma separated list can be provided when more than one set of changes to a file must be made. For example, the following command removes the group and "world" write permission on _FILE_, and adds the execute permissions for everyone: +A comma separated list can be provided when more than one set of changes to a file must be made. +For example, the following command removes the group and "world" write permission on _FILE_, and adds the execute permissions for everyone: [source,shell] .... @@ -704,9 +827,12 @@ A comma separated list can be provided when more than one set of changes to a fi === FreeBSD File Flags -In addition to file permissions, FreeBSD supports the use of "file flags". These flags add an additional level of security and control over files, but not directories. With file flags, even `root` can be prevented from removing or altering files. +In addition to file permissions, FreeBSD supports the use of "file flags". +These flags add an additional level of security and control over files, but not directories. +With file flags, even `root` can be prevented from removing or altering files. -File flags are modified using man:chflags[1]. For example, to enable the system undeletable flag on the file [.filename]#file1#, issue the following command: +File flags are modified using man:chflags[1]. +For example, to enable the system undeletable flag on the file [.filename]#file1#, issue the following command: [source,shell] .... @@ -732,15 +858,23 @@ To view the flags of a file, use `-lo` with man:ls[1]: -rw-r--r-- 1 trhodes trhodes sunlnk 0 Mar 1 05:54 file1 .... -Several file flags may only be added or removed by the `root` user. In other cases, the file owner may set its file flags. Refer to man:chflags[1] and man:chflags[2] for more information. +Several file flags may only be added or removed by the `root` user. +In other cases, the file owner may set its file flags. +Refer to man:chflags[1] and man:chflags[2] for more information. === The `setuid`, `setgid`, and `sticky` Permissions -Other than the permissions already discussed, there are three other specific settings that all administrators should know about. They are the `setuid`, `setgid`, and `sticky` permissions. +Other than the permissions already discussed, there are three other specific settings that all administrators should know about. +They are the `setuid`, `setgid`, and `sticky` permissions. -These settings are important for some UNIX(R) operations as they provide functionality not normally granted to normal users. To understand them, the difference between the real user ID and effective user ID must be noted. +These settings are important for some UNIX(R) operations as they provide functionality not normally granted to normal users. +To understand them, the difference between the real user ID and effective user ID must be noted. -The real user ID is the UID who owns or starts the process. The effective UID is the user ID the process runs as. As an example, man:passwd[1] runs with the real user ID when a user changes their password. However, in order to update the password database, the command runs as the effective ID of the `root` user. This allows users to change their passwords without seeing a `Permission Denied` error. +The real user ID is the UID who owns or starts the process. +The effective UID is the user ID the process runs as. +As an example, man:passwd[1] runs with the real user ID when a user changes their password. +However, in order to update the password database, the command runs as the effective ID of the `root` user. +This allows users to change their passwords without seeing a `Permission Denied` error. The setuid permission may be set by prefixing a permission set with the number four (4) as shown in the following example: @@ -756,14 +890,18 @@ The permissions on [.filename]#suidexample.sh# now look like the following: -rwsr-xr-x 1 trhodes trhodes 63 Aug 29 06:36 suidexample.sh .... -Note that a `s` is now part of the permission set designated for the file owner, replacing the executable bit. This allows utilities which need elevated permissions, such as man:passwd[1]. +Note that a `s` is now part of the permission set designated for the file owner, replacing the executable bit. +This allows utilities which need elevated permissions, such as man:passwd[1]. [NOTE] ==== -The `nosuid` man:mount[8] option will cause such binaries to silently fail without alerting the user. That option is not completely reliable as a `nosuid` wrapper may be able to circumvent it. +The `nosuid` man:mount[8] option will cause such binaries to silently fail without alerting the user. +That option is not completely reliable as a `nosuid` wrapper may be able to circumvent it. ==== -To view this in real time, open two terminals. On one, type `passwd` as a normal user. While it waits for a new password, check the process table and look at the user information for man:passwd[1]: +To view this in real time, open two terminals. +On one, type `passwd` as a normal user. +While it waits for a new password, check the process table and look at the user information for man:passwd[1]: In terminal A: @@ -788,7 +926,8 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd Although man:passwd[1] is run as a normal user, it is using the effective UID of `root`. -The `setgid` permission performs the same function as the `setuid` permission; except that it alters the group settings. When an application or utility executes with this setting, it will be granted the permissions based on the group that owns the file, not the user who started the process. +The `setgid` permission performs the same function as the `setuid` permission; except that it alters the group settings. +When an application or utility executes with this setting, it will be granted the permissions based on the group that owns the file, not the user who started the process. To set the `setgid` permission on a file, provide man:chmod[1] with a leading two (2): @@ -806,12 +945,16 @@ In the following listing, notice that the `s` is now in the field designated for [NOTE] ==== -In these examples, even though the shell script in question is an executable file, it will not run with a different EUID or effective user ID. This is because shell scripts may not access the man:setuid[2] system calls. +In these examples, even though the shell script in question is an executable file, it will not run with a different EUID or effective user ID. +This is because shell scripts may not access the man:setuid[2] system calls. ==== -The `setuid` and `setgid` permission bits may lower system security, by allowing for elevated permissions. The third special permission, the `sticky bit`, can strengthen the security of a system. +The `setuid` and `setgid` permission bits may lower system security, by allowing for elevated permissions. +The third special permission, the `sticky bit`, can strengthen the security of a system. -When the `sticky bit` is set on a directory, it allows file deletion only by the file owner. This is useful to prevent file deletion in public directories, such as [.filename]#/tmp#, by users who do not own the file. To utilize this permission, prefix the permission set with a one (1): +When the `sticky bit` is set on a directory, it allows file deletion only by the file owner. +This is useful to prevent file deletion in public directories, such as [.filename]#/tmp#, by users who do not own the file. +To utilize this permission, prefix the permission set with a one (1): [source,shell] .... @@ -833,11 +976,21 @@ drwxrwxrwt 10 root wheel 512 Aug 31 01:49 tmp [[dirstructure]] == Directory Structure -The FreeBSD directory hierarchy is fundamental to obtaining an overall understanding of the system. The most important directory is root or, "/". This directory is the first one mounted at boot time and it contains the base system necessary to prepare the operating system for multi-user operation. The root directory also contains mount points for other file systems that are mounted during the transition to multi-user operation. +The FreeBSD directory hierarchy is fundamental to obtaining an overall understanding of the system. +The most important directory is root or, "/". +This directory is the first one mounted at boot time and it contains the base system necessary to prepare the operating system for multi-user operation. +The root directory also contains mount points for other file systems that are mounted during the transition to multi-user operation. -A mount point is a directory where additional file systems can be grafted onto a parent file system (usually the root file system). This is further described in <<disk-organization>>. Standard mount points include [.filename]#/usr/#, [.filename]#/var/#, [.filename]#/tmp/#, [.filename]#/mnt/#, and [.filename]#/cdrom/#. These directories are usually referenced to entries in [.filename]#/etc/fstab#. This file is a table of various file systems and mount points and is read by the system. Most of the file systems in [.filename]#/etc/fstab# are mounted automatically at boot time from the script man:rc[8] unless their entry includes `noauto`. Details can be found in <<disks-fstab>>. +A mount point is a directory where additional file systems can be grafted onto a parent file system (usually the root file system). +This is further described in <<disk-organization>>. +Standard mount points include [.filename]#/usr/#, [.filename]#/var/#, [.filename]#/tmp/#, [.filename]#/mnt/#, and [.filename]#/cdrom/#. +These directories are usually referenced to entries in [.filename]#/etc/fstab#. +This file is a table of various file systems and mount points and is read by the system. +Most of the file systems in [.filename]#/etc/fstab# are mounted automatically at boot time from the script man:rc[8] unless their entry includes `noauto`. +Details can be found in <<disks-fstab>>. -A complete description of the file system hierarchy is available in man:hier[7]. The following table provides a brief overview of the most common directories. +A complete description of the file system hierarchy is available in man:hier[7]. +The following table provides a brief overview of the most common directories. [.informaltable] [cols="1,1", frame="none", options="header"] @@ -951,25 +1104,44 @@ A complete description of the file system hierarchy is available in man:hier[7]. [[disk-organization]] == Disk Organization -The smallest unit of organization that FreeBSD uses to find files is the filename. Filenames are case-sensitive, which means that [.filename]#readme.txt# and [.filename]#README.TXT# are two separate files. FreeBSD does not use the extension of a file to determine whether the file is a program, document, or some other form of data. +The smallest unit of organization that FreeBSD uses to find files is the filename. +Filenames are case-sensitive, which means that [.filename]#readme.txt# and [.filename]#README.TXT# are two separate files. +FreeBSD does not use the extension of a file to determine whether the file is a program, document, or some other form of data. -Files are stored in directories. A directory may contain no files, or it may contain many hundreds of files. A directory can also contain other directories, allowing a hierarchy of directories within one another in order to organize data. +Files are stored in directories. +A directory may contain no files, or it may contain many hundreds of files. +A directory can also contain other directories, allowing a hierarchy of directories within one another in order to organize data. -Files and directories are referenced by giving the file or directory name, followed by a forward slash, `/`, followed by any other directory names that are necessary. For example, if the directory [.filename]#foo# contains a directory [.filename]#bar# which contains the file [.filename]#readme.txt#, the full name, or _path_, to the file is [.filename]#foo/bar/readme.txt#. Note that this is different from Windows(R) which uses `\` to separate file and directory names. FreeBSD does not use drive letters, or other drive names in the path. For example, one would not type [.filename]#c:\foo\bar\readme.txt# on FreeBSD. +Files and directories are referenced by giving the file or directory name, followed by a forward slash, `/`, followed by any other directory names that are necessary. +For example, if the directory [.filename]#foo# contains a directory [.filename]#bar# which contains the file [.filename]#readme.txt#, the full name, or _path_, to the file is [.filename]#foo/bar/readme.txt#. +Note that this is different from Windows(R) which uses `\` to separate file and directory names. +FreeBSD does not use drive letters, or other drive names in the path. +For example, one would not type [.filename]#c:\foo\bar\readme.txt# on FreeBSD. -Directories and files are stored in a file system. Each file system contains exactly one directory at the very top level, called the _root directory_ for that file system. This root directory can contain other directories. One file system is designated the _root file system_ or `/`. Every other file system is _mounted_ under the root file system. No matter how many disks are on the FreeBSD system, every directory appears to be part of the same disk. +Directories and files are stored in a file system. +Each file system contains exactly one directory at the very top level, called the _root directory_ for that file system. +This root directory can contain other directories. +One file system is designated the _root file system_ or `/`. +Every other file system is _mounted_ under the root file system. +No matter how many disks are on the FreeBSD system, every directory appears to be part of the same disk. -Consider three file systems, called `A`, `B`, and `C`. Each file system has one root directory, which contains two other directories, called `A1`, `A2` (and likewise `B1`, `B2` and `C1`, `C2`). +Consider three file systems, called `A`, `B`, and `C`. +Each file system has one root directory, which contains two other directories, called `A1`, `A2` (and likewise `B1`, `B2` and `C1`, `C2`). -Call `A` the root file system. If man:ls[1] is used to view the contents of this directory, it will show two subdirectories, `A1` and `A2`. The directory tree looks like this: +Call `A` the root file system. +If man:ls[1] is used to view the contents of this directory, it will show two subdirectories, `A1` and `A2`. +The directory tree looks like this: image::example-dir1.png[] -A file system must be mounted on to a directory in another file system. When mounting file system `B` on to the directory `A1`, the root directory of `B` replaces `A1`, and the directories in `B` appear accordingly: +A file system must be mounted on to a directory in another file system. +When mounting file system `B` on to the directory `A1`, the root directory of `B` replaces `A1`, and the directories in `B` appear accordingly: image::example-dir2.png[] -Any files that are in the `B1` or `B2` directories can be reached with the path [.filename]#/A1/B1# or [.filename]#/A1/B2# as necessary. Any files that were in [.filename]#/A1# have been temporarily hidden. They will reappear if `B` is _unmounted_ from `A`. +Any files that are in the `B1` or `B2` directories can be reached with the path [.filename]#/A1/B1# or [.filename]#/A1/B2# as necessary. +Any files that were in [.filename]#/A1# have been temporarily hidden. +They will reappear if `B` is _unmounted_ from `A`. If `B` had been mounted on `A2` then the diagram would look like this: @@ -977,7 +1149,8 @@ image::example-dir3.png[] and the paths would be [.filename]#/A2/B1# and [.filename]#/A2/B2# respectively. -File systems can be mounted on top of one another. Continuing the last example, the `C` file system could be mounted on top of the `B1` directory in the `B` file system, leading to this arrangement: +File systems can be mounted on top of one another. +Continuing the last example, the `C` file system could be mounted on top of the `B1` directory in the `B` file system, leading to this arrangement: image::example-dir4.png[] @@ -985,7 +1158,8 @@ Or `C` could be mounted directly on to the `A` file system, under the `A1` direc image::example-dir5.png[] -It is entirely possible to have one large root file system, and not need to create any others. There are some drawbacks to this approach, and one advantage. +It is entirely possible to have one large root file system, and not need to create any others. +There are some drawbacks to this approach, and one advantage. .Benefits of Multiple File Systems * Different file systems can have different _mount options_. For example, the root file system can be mounted read-only, making it impossible for users to inadvertently delete or edit a critical file. Separating user-writable file systems, such as [.filename]#/home#, from other file systems allows them to be mounted _nosuid_. This option prevents the _suid_/_guid_ bits on executables stored on the file system from taking effect, possibly improving security. @@ -1000,9 +1174,14 @@ It is entirely possible to have one large root file system, and not need to crea FreeBSD features the man:growfs[8] command, which makes it possible to increase the size of file system on the fly, removing this limitation. ==== -File systems are contained in partitions. This does not have the same meaning as the common usage of the term partition (for example, MS-DOS(R) partition), because of FreeBSD's UNIX(R) heritage. Each partition is identified by a letter from `a` through to `h`. Each partition can contain only one file system, which means that file systems are often described by either their typical mount point in the file system hierarchy, or the letter of the partition they are contained in. +File systems are contained in partitions. +This does not have the same meaning as the common usage of the term partition (for example, MS-DOS(R) partition), because of FreeBSD's UNIX(R) heritage. +Each partition is identified by a letter from `a` through to `h`. +Each partition can contain only one file system, which means that file systems are often described by either their typical mount point in the file system hierarchy, or the letter of the partition they are contained in. -FreeBSD also uses disk space for _swap space_ to provide _virtual memory_. This allows your computer to behave as though it has much more memory than it actually does. When FreeBSD runs out of memory, it moves some of the data that is not currently being used to the swap space, and moves it back in (moving something else out) when it needs it. +FreeBSD also uses disk space for _swap space_ to provide _virtual memory_. +This allows your computer to behave as though it has much more memory than it actually does. +When FreeBSD runs out of memory, it moves some of the data that is not currently being used to the swap space, and moves it back in (moving something else out) when it needs it. Some partitions have certain conventions associated with them. @@ -1025,15 +1204,26 @@ Some partitions have certain conventions associated with them. |Partition `d` used to have a special meaning associated with it, although that is now gone and `d` may work as any normal partition. |=== -Disks in FreeBSD are divided into slices, referred to in Windows(R) as partitions, which are numbered from 1 to 4. These are then divided into partitions, which contain file systems, and are labeled using letters. +Disks in FreeBSD are divided into slices, referred to in Windows(R) as partitions, which are numbered from 1 to 4. +These are then divided into partitions, which contain file systems, and are labeled using letters. -Slice numbers follow the device name, prefixed with an `s`, starting at 1. So "da0__s1__" is the first slice on the first SCSI drive. There can only be four physical slices on a disk, but there can be logical slices inside physical slices of the appropriate type. These extended slices are numbered starting at 5, so "ada0__s5__" is the first extended slice on the first SATA disk. These devices are used by file systems that expect to occupy a slice. +Slice numbers follow the device name, prefixed with an `s`, starting at 1. +So "da0__s1__" is the first slice on the first SCSI drive. +There can only be four physical slices on a disk, but there can be logical slices inside physical slices of the appropriate type. +These extended slices are numbered starting at 5, so "ada0__s5__" is the first extended slice on the first SATA disk. +These devices are used by file systems that expect to occupy a slice. -Slices, "dangerously dedicated" physical drives, and other drives contain _partitions_, which are represented as letters from `a` to `h`. This letter is appended to the device name, so "da0__a__" is the `a` partition on the first `da` drive, which is "dangerously dedicated". "ada1s3__e__" is the fifth partition in the third slice of the second SATA disk drive. +Slices, "dangerously dedicated" physical drives, and other drives contain _partitions_, which are represented as letters from `a` to `h`. +This letter is appended to the device name, so "da0__a__" is the `a` partition on the first `da` drive, which is "dangerously dedicated". +"ada1s3__e__" is the fifth partition in the third slice of the second SATA disk drive. -Finally, each disk on the system is identified. A disk name starts with a code that indicates the type of disk, and then a number, indicating which disk it is. Unlike slices, disk numbering starts at 0. Common codes are listed in <<disks-naming>>. +Finally, each disk on the system is identified. +A disk name starts with a code that indicates the type of disk, and then a number, indicating which disk it is. +Unlike slices, disk numbering starts at 0. +Common codes are listed in <<disks-naming>>. -When referring to a partition, include the disk name, `s`, the slice number, and then the partition letter. Examples are shown in <<basics-disk-slice-part>>. +When referring to a partition, include the disk name, `s`, the slice number, and then the partition letter. +Examples are shown in <<basics-disk-slice-part>>. <<basics-concept-disk-model>> shows a conceptual model of a disk layout. @@ -1096,9 +1286,14 @@ When installing FreeBSD, configure the disk slices, create partitions within the .Conceptual Model of a Disk [example] ==== -This diagram shows FreeBSD's view of the first SATA disk attached to the system. Assume that the disk is 250 GB in size, and contains an 80 GB slice and a 170 GB slice (MS-DOS(R) partitions). The first slice contains a Windows(R) NTFS file system, [.filename]#C:#, and the second slice contains a FreeBSD installation. This example FreeBSD installation has four data partitions and a swap partition. +This diagram shows FreeBSD's view of the first SATA disk attached to the system. +Assume that the disk is 250 GB in size, and contains an 80 GB slice and a 170 GB slice (MS-DOS(R) partitions). +The first slice contains a Windows(R) NTFS file system, [.filename]#C:#, and the second slice contains a FreeBSD installation. +This example FreeBSD installation has four data partitions and a swap partition. -The four partitions each hold a file system. Partition `a` is used for the root file system, `d` for [.filename]#/var/#, `e` for [.filename]#/tmp/#, and `f` for [.filename]#/usr/#. Partition letter `c` refers to the entire slice, and so is not used for ordinary partitions. +The four partitions each hold a file system. +Partition `a` is used for the root file system, `d` for [.filename]#/var/#, `e` for [.filename]#/tmp/#, and `f` for [.filename]#/usr/#. +Partition letter `c` refers to the entire slice, and so is not used for ordinary partitions. image::disk-layout.png[] ==== @@ -1108,14 +1303,17 @@ image::disk-layout.png[] The file system is best visualized as a tree, rooted, as it were, at [.filename]#/#. [.filename]#/dev#, [.filename]#/usr#, and the other directories in the root directory are branches, which may have their own branches, such as [.filename]#/usr/local#, and so on. -There are various reasons to house some of these directories on separate file systems. [.filename]#/var# contains the directories [.filename]#log/#, [.filename]#spool/#, and various types of temporary files, and as such, may get filled up. Filling up the root file system is not a good idea, so splitting [.filename]#/var# from [.filename]#/# is often favorable. +There are various reasons to house some of these directories on separate file systems. +[.filename]#/var# contains the directories [.filename]#log/#, [.filename]#spool/#, and various types of temporary files, and as such, may get filled up. +Filling up the root file system is not a good idea, so splitting [.filename]#/var# from [.filename]#/# is often favorable. Another common reason to contain certain directory trees on other file systems is if they are to be housed on separate physical disks, or are separate virtual disks, such as Network File System mounts, described in crossref:network-servers[network-nfs,“Network File System (NFS)”], or CDROM drives. [[disks-fstab]] === The [.filename]#fstab# File -During the boot process (crossref:boot[boot,The FreeBSD Booting Process]), file systems listed in [.filename]#/etc/fstab# are automatically mounted except for the entries containing `noauto`. This file contains entries in the following format: +During the boot process (crossref:boot[boot,The FreeBSD Booting Process]), file systems listed in [.filename]#/etc/fstab# are automatically mounted except for the entries containing `noauto`. +This file contains entries in the following format: [.programlisting] .... @@ -1129,23 +1327,32 @@ An existing device name as explained in <<disks-naming>>. An existing directory on which to mount the file system. `fstype`:: -The file system type to pass to man:mount[8]. The default FreeBSD file system is `ufs`. +The file system type to pass to man:mount[8]. +The default FreeBSD file system is `ufs`. `options`:: -Either `rw` for read-write file systems, or `ro` for read-only file systems, followed by any other options that may be needed. A common option is `noauto` for file systems not normally mounted during the boot sequence. Other options are listed in man:mount[8]. +Either `rw` for read-write file systems, or `ro` for read-only file systems, followed by any other options that may be needed. +A common option is `noauto` for file systems not normally mounted during the boot sequence. +Other options are listed in man:mount[8]. `dumpfreq`:: -Used by man:dump[8] to determine which file systems require dumping. If the field is missing, a value of zero is assumed. +Used by man:dump[8] to determine which file systems require dumping. +If the field is missing, a value of zero is assumed. `passno`:: -Determines the order in which file systems should be checked. File systems that should be skipped should have their `passno` set to zero. The root file system needs to be checked before everything else and should have its `passno` set to one. The other file systems should be set to values greater than one. If more than one file system has the same `passno`, man:fsck[8] will attempt to check file systems in parallel if possible. +Determines the order in which file systems should be checked. +File systems that should be skipped should have their `passno` set to zero. +The root file system needs to be checked before everything else and should have its `passno` set to one. +The other file systems should be set to values greater than one. +If more than one file system has the same `passno`, man:fsck[8] will attempt to check file systems in parallel if possible. Refer to man:fstab[5] for more information on the format of [.filename]#/etc/fstab# and its options. [[disks-mount]] === Using man:mount[8] -File systems are mounted using man:mount[8]. The most basic syntax is as follows: +File systems are mounted using man:mount[8]. +The most basic syntax is as follows: [example] ==== @@ -1162,16 +1369,19 @@ This command provides many options which are described in man:mount[8], The most Mount all the file systems listed in [.filename]#/etc/fstab#, except those marked as "noauto", excluded by the `-t` flag, or those that are already mounted. `-d`:: -Do everything except for the actual mount system call. This option is useful in conjunction with the `-v` flag to determine what man:mount[8] is actually trying to do. +Do everything except for the actual mount system call. +This option is useful in conjunction with the `-v` flag to determine what man:mount[8] is actually trying to do. `-f`:: Force the mount of an unclean file system (dangerous), or the revocation of write access when downgrading a file system's mount status from read-write to read-only. `-r`:: -Mount the file system read-only. This is identical to using `-o ro`. +Mount the file system read-only. +This is identical to using `-o ro`. ``-t _fstype_``:: -Mount the specified file system type or mount only file systems of the given type, if `-a` is included. "ufs" is the default file system type. +Mount the specified file system type or mount only file systems of the given type, if `-a` is included. +"ufs" is the default file system type. `-u`:: Update mount options on the file system. @@ -1185,33 +1395,55 @@ Mount the file system read-write. The following options can be passed to `-o` as a comma-separated list: nosuid:: -Do not interpret setuid or setgid flags on the file system. This is also a useful security option. +Do not interpret setuid or setgid flags on the file system. +This is also a useful security option. [[disks-umount]] === Using man:umount[8] -To unmount a file system use man:umount[8]. This command takes one parameter which can be a mountpoint, device name, `-a` or `-A`. +To unmount a file system use man:umount[8]. +This command takes one parameter which can be a mountpoint, device name, `-a` or `-A`. -All forms take `-f` to force unmounting, and `-v` for verbosity. Be warned that `-f` is not generally a good idea as it might crash the computer or damage data on the file system. +All forms take `-f` to force unmounting, and `-v` for verbosity. +Be warned that `-f` is not generally a good idea as it might crash the computer or damage data on the file system. -To unmount all mounted file systems, or just the file system types listed after `-t`, use `-a` or `-A`. Note that `-A` does not attempt to unmount the root file system. +To unmount all mounted file systems, or just the file system types listed after `-t`, use `-a` or `-A`. +Note that `-A` does not attempt to unmount the root file system. [[basics-processes]] == Processes and Daemons -FreeBSD is a multi-tasking operating system. Each program running at any one time is called a _process_. Every running command starts at least one new process and there are a number of system processes that are run by FreeBSD. - -Each process is uniquely identified by a number called a _process ID_ (PID). Similar to files, each process has one owner and group, and the owner and group permissions are used to determine which files and devices the process can open. Most processes also have a parent process that started them. For example, the shell is a process, and any command started in the shell is a process which has the shell as its parent process. The exception is a special process called man:init[8] which is always the first process to start at boot time and which always has a PID of `1`. - -Some programs are not designed to be run with continuous user input and disconnect from the terminal at the first opportunity. For example, a web server responds to web requests, rather than user input. Mail servers are another example of this type of application. These types of programs are known as _daemons_. The term daemon comes from Greek mythology and represents an entity that is neither good nor evil, and which invisibly performs useful tasks. This is why the BSD mascot is the cheerful-looking daemon with sneakers and a pitchfork. - -There is a convention to name programs that normally run as daemons with a trailing "d". For example, BIND is the Berkeley Internet Name Domain, but the actual program that executes is `named`. The Apache web server program is `httpd` and the line printer spooling daemon is `lpd`. This is only a naming convention. For example, the main mail daemon for the Sendmail application is `sendmail`, and not `maild`. +FreeBSD is a multi-tasking operating system. +Each program running at any one time is called a _process_. +Every running command starts at least one new process and there are a number of system processes that are run by FreeBSD. + +Each process is uniquely identified by a number called a _process ID_ (PID). +Similar to files, each process has one owner and group, and the owner and group permissions are used to determine which files and devices the process can open. +Most processes also have a parent process that started them. +For example, the shell is a process, and any command started in the shell is a process which has the shell as its parent process. +The exception is a special process called man:init[8] which is always the first process to start at boot time and which always has a PID of `1`. + +Some programs are not designed to be run with continuous user input and disconnect from the terminal at the first opportunity. +For example, a web server responds to web requests, rather than user input. +Mail servers are another example of this type of application. +These types of programs are known as _daemons_. +The term daemon comes from Greek mythology and represents an entity that is neither good nor evil, and which invisibly performs useful tasks. +This is why the BSD mascot is the cheerful-looking daemon with sneakers and a pitchfork. + +There is a convention to name programs that normally run as daemons with a trailing "d". +For example, BIND is the Berkeley Internet Name Domain, but the actual program that executes is `named`. +The Apache web server program is `httpd` and the line printer spooling daemon is `lpd`. +This is only a naming convention. +For example, the main mail daemon for the Sendmail application is `sendmail`, and not `maild`. === Viewing Processes -To see the processes running on the system, use man:ps[1] or man:top[1]. To display a static list of the currently running processes, their PIDs, how much memory they are using, and the command they were started with, use man:ps[1]. To display all the running processes and update the display every few seconds in order to interactively see what the computer is doing, use man:top[1]. +To see the processes running on the system, use man:ps[1] or man:top[1]. +To display a static list of the currently running processes, their PIDs, how much memory they are using, and the command they were started with, use man:ps[1]. +To display all the running processes and update the display every few seconds in order to interactively see what the computer is doing, use man:top[1]. -By default, man:ps[1] only shows the commands that are running and owned by the user. For example: +By default, man:ps[1] only shows the commands that are running and owned by the user. +For example: [source,shell] .... @@ -1221,9 +1453,17 @@ By default, man:ps[1] only shows the commands that are running and owned by the 8895 0 R+ 0:00.00 ps .... -The output from man:ps[1] is organized into a number of columns. The `PID` column displays the process ID. PIDs are assigned starting at 1, go up to 99999, then wrap around back to the beginning. However, a PID is not reassigned if it is already in use. The `TT` column shows the tty the program is running on and `STAT` shows the program's state. `TIME` is the amount of time the program has been running on the CPU. This is usually not the elapsed time since the program was started, as most programs spend a lot of time waiting for things to happen before they need to spend time on the CPU. Finally, `COMMAND` is the command that was used to start the program. +The output from man:ps[1] is organized into a number of columns. +The `PID` column displays the process ID. +PIDs are assigned starting at 1, go up to 99999, then wrap around back to the beginning. +However, a PID is not reassigned if it is already in use. +The `TT` column shows the tty the program is running on and `STAT` shows the program's state. +`TIME` is the amount of time the program has been running on the CPU. +This is usually not the elapsed time since the program was started, as most programs spend a lot of time waiting for things to happen before they need to spend time on the CPU. +Finally, `COMMAND` is the command that was used to start the program. -A number of different options are available to change the information that is displayed. One of the most useful sets is `auxww`, where `a` displays information about all the running processes of all users, `u` displays the username and memory usage of the process' owner, `x` displays information about daemon processes, and `ww` causes man:ps[1] to display the full command line for each process, rather than truncating it once it gets too long to fit on the screen. +A number of different options are available to change the information that is displayed. +One of the most useful sets is `auxww`, where `a` displays information about all the running processes of all users, `u` displays the username and memory usage of the process' owner, `x` displays information about daemon processes, and `ww` causes man:ps[1] to display the full command line for each process, rather than truncating it once it gets too long to fit on the screen. The output from man:top[1] is similar: @@ -1251,32 +1491,52 @@ Swap: 2048M Total, 2048M Free 1427 dru 5 22 0 605M 86412K select 1 0:05 0.00% kdeinit4 .... -The output is split into two sections. The header (the first five or six lines) shows the PID of the last process to run, the system load averages (which are a measure of how busy the system is), the system uptime (time since the last reboot) and the current time. The other figures in the header relate to how many processes are running, how much memory and swap space has been used, and how much time the system is spending in different CPU states. If the ZFS file system module has been loaded, an `ARC` line indicates how much data was read from the memory cache instead of from disk. +The output is split into two sections. +The header (the first five or six lines) shows the PID of the last process to run, the system load averages (which are a measure of how busy the system is), the system uptime (time since the last reboot) and the current time. +The other figures in the header relate to how many processes are running, how much memory and swap space has been used, and how much time the system is spending in different CPU states. +If the ZFS file system module has been loaded, an `ARC` line indicates how much data was read from the memory cache instead of from disk. -Below the header is a series of columns containing similar information to the output from man:ps[1], such as the PID, username, amount of CPU time, and the command that started the process. By default, man:top[1] also displays the amount of memory space taken by the process. This is split into two columns: one for total size and one for resident size. Total size is how much memory the application has needed and the resident size is how much it is actually using now. +Below the header is a series of columns containing similar information to the output from man:ps[1], such as the PID, username, amount of CPU time, and the command that started the process. +By default, man:top[1] also displays the amount of memory space taken by the process. +This is split into two columns: one for total size and one for resident size. +Total size is how much memory the application has needed and the resident size is how much it is actually using now. -man:top[1] automatically updates the display every two seconds. A different interval can be specified with `-s`. +man:top[1] automatically updates the display every two seconds. +A different interval can be specified with `-s`. [[basics-daemons]] === Killing Processes -One way to communicate with any running process or daemon is to send a _signal_ using man:kill[1]. There are a number of different signals; some have a specific meaning while others are described in the application's documentation. A user can only send a signal to a process they own and sending a signal to someone else's process will result in a permission denied error. The exception is the `root` user, who can send signals to anyone's processes. +One way to communicate with any running process or daemon is to send a _signal_ using man:kill[1]. +There are a number of different signals; some have a specific meaning while others are described in the application's documentation. +A user can only send a signal to a process they own and sending a signal to someone else's process will result in a permission denied error. +The exception is the `root` user, who can send signals to anyone's processes. -The operating system can also send a signal to a process. If an application is badly written and tries to access memory that it is not supposed to, FreeBSD will send the process the "Segmentation Violation" signal (`SIGSEGV`). If an application has been written to use the man:alarm[3] system call to be alerted after a period of time has elapsed, it will be sent the "Alarm" signal (`SIGALRM`). +The operating system can also send a signal to a process. +If an application is badly written and tries to access memory that it is not supposed to, FreeBSD will send the process the "Segmentation Violation" signal (`SIGSEGV`). +If an application has been written to use the man:alarm[3] system call to be alerted after a period of time has elapsed, it will be sent the "Alarm" signal (`SIGALRM`). -Two signals can be used to stop a process: `SIGTERM` and `SIGKILL`. `SIGTERM` is the polite way to kill a process as the process can read the signal, close any log files it may have open, and attempt to finish what it is doing before shutting down. In some cases, a process may ignore `SIGTERM` if it is in the middle of some task that cannot be interrupted. +Two signals can be used to stop a process: `SIGTERM` and `SIGKILL`. +`SIGTERM` is the polite way to kill a process as the process can read the signal, close any log files it may have open, and attempt to finish what it is doing before shutting down. +In some cases, a process may ignore `SIGTERM` if it is in the middle of some task that cannot be interrupted. -`SIGKILL` cannot be ignored by a process. Sending a `SIGKILL` to a process will usually stop that process there and then. footnote:[There are a few tasks that cannot be interrupted. For example, if the process is trying to read from a file that is on another computer on the network, and the other computer is unavailable, the process is said to be uninterruptible. Eventually the process will time out, typically after two minutes. As soon as this time out occurs the process will be killed.]. +`SIGKILL` cannot be ignored by a process. +Sending a `SIGKILL` to a process will usually stop that process there and then. footnote:[There are a few tasks that cannot be interrupted. For example, if the process is trying to read from a file that is on another computer on the network, and the other computer is unavailable, the process is said to be uninterruptible. Eventually the process will time out, typically after two minutes. As soon as this time out occurs the process will be killed.]. -Other commonly used signals are `SIGHUP`, `SIGUSR1`, and `SIGUSR2`. Since these are general purpose signals, different applications will respond differently. +Other commonly used signals are `SIGHUP`, `SIGUSR1`, and `SIGUSR2`. +Since these are general purpose signals, different applications will respond differently. -For example, after changing a web server's configuration file, the web server needs to be told to re-read its configuration. Restarting `httpd` would result in a brief outage period on the web server. Instead, send the daemon the `SIGHUP` signal. Be aware that different daemons will have different behavior, so refer to the documentation for the daemon to determine if `SIGHUP` will achieve the desired results. +For example, after changing a web server's configuration file, the web server needs to be told to re-read its configuration. +Restarting `httpd` would result in a brief outage period on the web server. +Instead, send the daemon the `SIGHUP` signal. +Be aware that different daemons will have different behavior, so refer to the documentation for the daemon to determine if `SIGHUP` will achieve the desired results. [.procedure] **** .Procedure: Sending a Signal to a Process -This example shows how to send a signal to man:inetd[8]. The man:inetd[8] configuration file is [.filename]#/etc/inetd.conf#, and man:inetd[8] will re-read this configuration file when it is sent a `SIGHUP`. +This example shows how to send a signal to man:inetd[8]. +The man:inetd[8] configuration file is [.filename]#/etc/inetd.conf#, and man:inetd[8] will re-read this configuration file when it is sent a `SIGHUP`. . Find the PID of the process to send the signal to using man:pgrep[1]. In this example, the PID for man:inetd[8] is 198: + @@ -1295,13 +1555,17 @@ Password: # /bin/kill -s HUP 198 .... -Like most UNIX(R) commands, man:kill[1] will not print any output if it is successful. If a signal is sent to a process not owned by that user, the message `kill: _PID_: Operation not permitted` will be displayed. Mistyping the PID will either send the signal to the wrong process, which could have negative results, or will send the signal to a PID that is not currently in use, resulting in the error `kill: _PID_: No such process`. +Like most UNIX(R) commands, man:kill[1] will not print any output if it is successful. +If a signal is sent to a process not owned by that user, the message `kill: _PID_: Operation not permitted` will be displayed. +Mistyping the PID will either send the signal to the wrong process, which could have negative results, or will send the signal to a PID that is not currently in use, resulting in the error `kill: _PID_: No such process`. [NOTE] ==== *Why Use `/bin/kill`?:* + -Many shells provide `kill` as a built in command, meaning that the shell will send the signal directly, rather than running [.filename]#/bin/kill#. Be aware that different shells have a different syntax for specifying the name of the signal to send. Rather than try to learn all of them, it can be simpler to specify `/bin/kill`. +Many shells provide `kill` as a built in command, meaning that the shell will send the signal directly, rather than running [.filename]#/bin/kill#. +Be aware that different shells have a different syntax for specifying the name of the signal to send. +Rather than try to learn all of them, it can be simpler to specify `/bin/kill`. ==== **** @@ -1309,21 +1573,42 @@ When sending other signals, substitute `TERM` or `KILL` with the name of the sig [IMPORTANT] ==== -Killing a random process on the system is a bad idea. In particular, man:init[8], PID 1, is special. Running `/bin/kill -s KILL 1` is a quick, and unrecommended, way to shutdown the system. _Always_ double check the arguments to man:kill[1] _before_ pressing kbd:[Return]. +Killing a random process on the system is a bad idea. +In particular, man:init[8], PID 1, is special. +Running `/bin/kill -s KILL 1` is a quick, and unrecommended, way to shutdown the system. +_Always_ double check the arguments to man:kill[1] _before_ pressing kbd:[Return]. ==== [[shells]] == Shells -A _shell_ provides a command line interface for interacting with the operating system. A shell receives commands from the input channel and executes them. Many shells provide built in functions to help with everyday tasks such as file management, file globbing, command line editing, command macros, and environment variables. FreeBSD comes with several shells, including the Bourne shell (man:sh[1]) and the extended C shell (man:tcsh[1]). Other shells are available from the FreeBSD Ports Collection, such as `zsh` and `bash`. - -The shell that is used is really a matter of taste. A C programmer might feel more comfortable with a C-like shell such as man:tcsh[1]. A Linux(R) user might prefer `bash`. Each shell has unique properties that may or may not work with a user's preferred working environment, which is why there is a choice of which shell to use. - -One common shell feature is filename completion. After a user types the first few letters of a command or filename and presses kbd:[Tab], the shell completes the rest of the command or filename. Consider two files called [.filename]#foobar# and [.filename]#football#. To delete [.filename]#foobar#, the user might type `rm foo` and press kbd:[Tab] to complete the filename. - -But the shell only shows `rm foo`. It was unable to complete the filename because both [.filename]#foobar# and [.filename]#football# start with `foo`. Some shells sound a beep or show all the choices if more than one name matches. The user must then type more characters to identify the desired filename. Typing a `t` and pressing kbd:[Tab] again is enough to let the shell determine which filename is desired and fill in the rest. - -Another feature of the shell is the use of environment variables. Environment variables are a variable/key pair stored in the shell's environment. This environment can be read by any program invoked by the shell, and thus contains a lot of program configuration. <<shell-env-vars>> provides a list of common environment variables and their meanings. Note that the names of environment variables are always in uppercase. +A _shell_ provides a command line interface for interacting with the operating system. +A shell receives commands from the input channel and executes them. +Many shells provide built in functions to help with everyday tasks such as file management, file globbing, command line editing, command macros, and environment variables. +FreeBSD comes with several shells, including the Bourne shell (man:sh[1]) and the extended C shell (man:tcsh[1]). +Other shells are available from the FreeBSD Ports Collection, such as `zsh` and `bash`. + +The shell that is used is really a matter of taste. +A C programmer might feel more comfortable with a C-like shell such as man:tcsh[1]. +A Linux(R) user might prefer `bash`. +Each shell has unique properties that may or may not work with a user's preferred working environment, which is why there is a choice of which shell to use. + +One common shell feature is filename completion. +After a user types the first few letters of a command or filename and presses kbd:[Tab], the shell completes the rest of the command or filename. +Consider two files called [.filename]#foobar# and [.filename]#football#. +To delete [.filename]#foobar#, the user might type `rm foo` and press kbd:[Tab] to complete the filename. + +But the shell only shows `rm foo`. +It was unable to complete the filename because both [.filename]#foobar# and [.filename]#football# start with `foo`. +Some shells sound a beep or show all the choices if more than one name matches. +The user must then type more characters to identify the desired filename. +Typing a `t` and pressing kbd:[Tab] again is enough to let the shell determine which filename is desired and fill in the rest. + +Another feature of the shell is the use of environment variables. +Environment variables are a variable/key pair stored in the shell's environment. +This environment can be read by any program invoked by the shell, and thus contains a lot of program configuration. +<<shell-env-vars>> provides a list of common environment variables and their meanings. +Note that the names of environment variables are always in uppercase. [[shell-env-vars]] .Common Environment Variables @@ -1366,7 +1651,10 @@ Another feature of the shell is the use of environment variables. Environment va |Colon-separated list of directories to search for manual pages. |=== -How to set an environment variable differs between shells. In man:tcsh[1] and man:csh[1], use `setenv` to set environment variables. In man:sh[1] and `bash`, use `export` to set the current environment variables. This example sets the default `EDITOR` to [.filename]#/usr/local/bin/emacs# for the man:tcsh[1] shell: +How to set an environment variable differs between shells. +In man:tcsh[1] and man:csh[1], use `setenv` to set environment variables. +In man:sh[1] and `bash`, use `export` to set the current environment variables. +This example sets the default `EDITOR` to [.filename]#/usr/local/bin/emacs# for the man:tcsh[1] shell: [source,shell] .... @@ -1380,18 +1668,26 @@ The equivalent command for `bash` would be: % export EDITOR="/usr/local/bin/emacs" .... -To expand an environment variable in order to see its current setting, type a `$` character in front of its name on the command line. For example, `echo $TERM` displays the current `$TERM` setting. +To expand an environment variable in order to see its current setting, type a `$` character in front of its name on the command line. +For example, `echo $TERM` displays the current `$TERM` setting. -Shells treat special characters, known as meta-characters, as special representations of data. The most common meta-character is `\*`, which represents any number of characters in a filename. Meta-characters can be used to perform filename globbing. For example, `echo *` is equivalent to `ls` because the shell takes all the files that match `*` and `echo` lists them on the command line. +Shells treat special characters, known as meta-characters, as special representations of data. +The most common meta-character is `\*`, which represents any number of characters in a filename. +Meta-characters can be used to perform filename globbing. +For example, `echo *` is equivalent to `ls` because the shell takes all the files that match `*` and `echo` lists them on the command line. -To prevent the shell from interpreting a special character, escape it from the shell by starting it with a backslash (`\`). For example, `echo $TERM` prints the terminal setting whereas `echo \$TERM` literally prints the string `$TERM`. +To prevent the shell from interpreting a special character, escape it from the shell by starting it with a backslash (`\`). +For example, `echo $TERM` prints the terminal setting whereas `echo \$TERM` literally prints the string `$TERM`. [[changing-shells]] === Changing the Shell -The easiest way to permanently change the default shell is to use `chsh`. Running this command will open the editor that is configured in the `EDITOR` environment variable, which by default is set to man:vi[1]. Change the `Shell:` line to the full path of the new shell. +The easiest way to permanently change the default shell is to use `chsh`. +Running this command will open the editor that is configured in the `EDITOR` environment variable, which by default is set to man:vi[1]. +Change the `Shell:` line to the full path of the new shell. -Alternately, use `chsh -s` which will set the specified shell without opening an editor. For example, to change the shell to `bash`: +Alternately, use `chsh -s` which will set the specified shell without opening an editor. +For example, to change the shell to `bash`: [source,shell] .... @@ -1400,7 +1696,9 @@ Alternately, use `chsh -s` which will set the specified shell without opening an [NOTE] ==== -The new shell _must_ be present in [.filename]#/etc/shells#. If the shell was installed from the FreeBSD Ports Collection as described in crossref:ports[ports,Installing Applications: Packages and Ports], it should be automatically added to this file. If it is missing, add it using this command, replacing the path with the path of the shell: +The new shell _must_ be present in [.filename]#/etc/shells#. +If the shell was installed from the FreeBSD Ports Collection as described in crossref:ports[ports,Installing Applications: Packages and Ports], it should be automatically added to this file. +If it is missing, add it using this command, replacing the path with the path of the shell: [source,shell] .... @@ -1412,80 +1710,110 @@ Then, rerun man:chsh[1]. === Advanced Shell Techniques -The UNIX(R) shell is not just a command interpreter, it acts as a powerful tool which allows users to execute commands, redirect their output, redirect their input and chain commands together to improve the final command output. When this functionality is mixed with built in commands, the user is provided with an environment that can maximize efficiency. +The UNIX(R) shell is not just a command interpreter, it acts as a powerful tool which allows users to execute commands, redirect their output, redirect their input and chain commands together to improve the final command output. +When this functionality is mixed with built in commands, the user is provided with an environment that can maximize efficiency. -Shell redirection is the action of sending the output or the input of a command into another command or into a file. To capture the output of the man:ls[1] command, for example, into a file, redirect the output: +Shell redirection is the action of sending the output or the input of a command into another command or into a file. +To capture the output of the man:ls[1] command, for example, into a file, redirect the output: [source,shell] .... % ls > directory_listing.txt .... -The directory contents will now be listed in [.filename]#directory_listing.txt#. Some commands can be used to read input, such as man:sort[1]. To sort this listing, redirect the input: +The directory contents will now be listed in [.filename]#directory_listing.txt#. +Some commands can be used to read input, such as man:sort[1]. +To sort this listing, redirect the input: [source,shell] .... % sort < directory_listing.txt .... -The input will be sorted and placed on the screen. To redirect that input into another file, one could redirect the output of man:sort[1] by mixing the direction: +The input will be sorted and placed on the screen. +To redirect that input into another file, one could redirect the output of man:sort[1] by mixing the direction: [source,shell] .... % sort < directory_listing.txt > sorted.txt .... -In all of the previous examples, the commands are performing redirection using file descriptors. Every UNIX(R) system has file descriptors, which include standard input (stdin), standard output (stdout), and standard error (stderr). Each one has a purpose, where input could be a keyboard or a mouse, something that provides input. Output could be a screen or paper in a printer. And error would be anything that is used for diagnostic or error messages. All three are considered I/O based file descriptors and sometimes considered streams. +In all of the previous examples, the commands are performing redirection using file descriptors. +Every UNIX(R) system has file descriptors, which include standard input (stdin), standard output (stdout), and standard error (stderr). +Each one has a purpose, where input could be a keyboard or a mouse, something that provides input. +Output could be a screen or paper in a printer. +And error would be anything that is used for diagnostic or error messages. +All three are considered I/O based file descriptors and sometimes considered streams. -Through the use of these descriptors, the shell allows output and input to be passed around through various commands and redirected to or from a file. Another method of redirection is the pipe operator. +Through the use of these descriptors, the shell allows output and input to be passed around through various commands and redirected to or from a file. +Another method of redirection is the pipe operator. -The UNIX(R) pipe operator, "|" allows the output of one command to be directly passed or directed to another program. Basically, a pipe allows the standard output of a command to be passed as standard input to another command, for example: +The UNIX(R) pipe operator, "|" allows the output of one command to be directly passed or directed to another program. +Basically, a pipe allows the standard output of a command to be passed as standard input to another command, for example: [source,shell] .... % cat directory_listing.txt | sort | less .... -In that example, the contents of [.filename]#directory_listing.txt# will be sorted and the output passed to man:less[1]. This allows the user to scroll through the output at their own pace and prevent it from scrolling off the screen. +In that example, the contents of [.filename]#directory_listing.txt# will be sorted and the output passed to man:less[1]. +This allows the user to scroll through the output at their own pace and prevent it from scrolling off the screen. [[editors]] == Text Editors -Most FreeBSD configuration is done by editing text files, so it is a good idea to become familiar with a text editor. FreeBSD comes with a few as part of the base system, and many more are available in the Ports Collection. +Most FreeBSD configuration is done by editing text files, so it is a good idea to become familiar with a text editor. +FreeBSD comes with a few as part of the base system, and many more are available in the Ports Collection. -A simple editor to learn is man:ee[1], which stands for easy editor. To start this editor, type `ee _filename_` where _filename_ is the name of the file to be edited. Once inside the editor, all of the commands for manipulating the editor's functions are listed at the top of the display. The caret (`^`) represents kbd:[Ctrl], so `^e` expands to kbd:[Ctrl+e]. To leave man:ee[1], press kbd:[Esc], then choose the "leave editor" option from the main menu. The editor will prompt to save any changes if the file has been modified. +A simple editor to learn is man:ee[1], which stands for easy editor. +To start this editor, type `ee _filename_` where _filename_ is the name of the file to be edited. +Once inside the editor, all of the commands for manipulating the editor's functions are listed at the top of the display. +The caret (`^`) represents kbd:[Ctrl], so `^e` expands to kbd:[Ctrl+e]. +To leave man:ee[1], press kbd:[Esc], then choose the "leave editor" option from the main menu. +The editor will prompt to save any changes if the file has been modified. -FreeBSD also comes with more powerful text editors, such as man:vi[1], as part of the base system. Other editors, like package:editors/emacs[] and package:editors/vim[], are part of the FreeBSD Ports Collection. These editors offer more functionality at the expense of being more complicated to learn. Learning a more powerful editor such as vim or Emacs can save more time in the long run. +FreeBSD also comes with more powerful text editors, such as man:vi[1], as part of the base system. +Other editors, like package:editors/emacs[] and package:editors/vim[], are part of the FreeBSD Ports Collection. +These editors offer more functionality at the expense of being more complicated to learn. +Learning a more powerful editor such as vim or Emacs can save more time in the long run. -Many applications which modify files or require typed input will automatically open a text editor. To change the default editor, set the `EDITOR` environment variable as described in <<shells>>. +Many applications which modify files or require typed input will automatically open a text editor. +To change the default editor, set the `EDITOR` environment variable as described in <<shells>>. [[basics-devices]] == Devices and Device Nodes -A device is a term used mostly for hardware-related activities in a system, including disks, printers, graphics cards, and keyboards. When FreeBSD boots, the majority of the boot messages refer to devices being detected. A copy of the boot messages are saved to [.filename]#/var/run/dmesg.boot#. +A device is a term used mostly for hardware-related activities in a system, including disks, printers, graphics cards, and keyboards. +When FreeBSD boots, the majority of the boot messages refer to devices being detected. +A copy of the boot messages are saved to [.filename]#/var/run/dmesg.boot#. -Each device has a device name and number. For example, [.filename]#ada0# is the first SATA hard drive, while [.filename]#kbd0# represents the keyboard. +Each device has a device name and number. +For example, [.filename]#ada0# is the first SATA hard drive, while [.filename]#kbd0# represents the keyboard. Most devices in FreeBSD must be accessed through special files called device nodes, which are located in [.filename]#/dev#. [[basics-more-information]] == Manual Pages -The most comprehensive documentation on FreeBSD is in the form of manual pages. Nearly every program on the system comes with a short reference manual explaining the basic operation and available arguments. These manuals can be viewed using `man`: +The most comprehensive documentation on FreeBSD is in the form of manual pages. +Nearly every program on the system comes with a short reference manual explaining the basic operation and available arguments. +These manuals can be viewed using `man`: [source,shell] .... % man command .... -where _command_ is the name of the command to learn about. For example, to learn more about man:ls[1], type: +where _command_ is the name of the command to learn about. +For example, to learn more about man:ls[1], type: [source,shell] .... % man ls .... -Manual pages are divided into sections which represent the type of topic. In FreeBSD, the following sections are available: +Manual pages are divided into sections which represent the type of topic. +In FreeBSD, the following sections are available: . User commands. . System calls and error numbers. @@ -1497,14 +1825,17 @@ Manual pages are divided into sections which represent the type of topic. In Fre . System maintenance and operation commands. . System kernel interfaces. -In some cases, the same topic may appear in more than one section of the online manual. For example, there is a `chmod` user command and a `chmod()` system call. To tell man:man[1] which section to display, specify the section number: +In some cases, the same topic may appear in more than one section of the online manual. +For example, there is a `chmod` user command and a `chmod()` system call. +To tell man:man[1] which section to display, specify the section number: [source,shell] .... % man 1 chmod .... -This will display the manual page for the user command man:chmod[1]. References to a particular section of the online manual are traditionally placed in parenthesis in written documentation, so man:chmod[1] refers to the user command and man:chmod[2] refers to the system call. +This will display the manual page for the user command man:chmod[1]. +References to a particular section of the online manual are traditionally placed in parenthesis in written documentation, so man:chmod[1] refers to the user command and man:chmod[2] refers to the system call. If the name of the manual page is unknown, use `man -k` to search for keywords in the manual page descriptions: @@ -1513,7 +1844,8 @@ If the name of the manual page is unknown, use `man -k` to search for keywords i % man -k mail .... -This command displays a list of commands that have the keyword "mail" in their descriptions. This is equivalent to using man:apropos[1]. +This command displays a list of commands that have the keyword "mail" in their descriptions. +This is equivalent to using man:apropos[1]. To read the descriptions for all of the commands in [.filename]#/usr/sbin#, type: @@ -1534,7 +1866,9 @@ or [[basics-info]] === GNU Info Files -FreeBSD includes several applications and utilities produced by the Free Software Foundation (FSF). In addition to manual pages, these programs may include hypertext documents called `info` files. These can be viewed using man:info[1] or, if package:editors/emacs[] is installed, the info mode of emacs. +FreeBSD includes several applications and utilities produced by the Free Software Foundation (FSF). +In addition to manual pages, these programs may include hypertext documents called `info` files. +These can be viewed using man:info[1] or, if package:editors/emacs[] is installed, the info mode of emacs. To use man:info[1], type: @@ -1543,4 +1877,5 @@ To use man:info[1], type: % info .... -For a brief introduction, type `h`. For a quick command reference, type `?`. +For a brief introduction, type `h`. +For a quick command reference, type `?`. diff --git a/documentation/content/en/books/handbook/bibliography/_index.adoc b/documentation/content/en/books/handbook/bibliography/_index.adoc index 82a8bad0d6..f09c867678 100644 --- a/documentation/content/en/books/handbook/bibliography/_index.adoc +++ b/documentation/content/en/books/handbook/bibliography/_index.adoc @@ -28,7 +28,8 @@ include::shared/en/mailing-lists.adoc[] include::shared/en/teams.adoc[] include::shared/en/urls.adoc[] -While manual pages provide a definitive reference for individual pieces of the FreeBSD operating system, they seldom illustrate how to put the pieces together to make the whole operating system run smoothly. For this, there is no substitute for a good book or users' manual on UNIX(R) system administration. +While manual pages provide a definitive reference for individual pieces of the FreeBSD operating system, they seldom illustrate how to put the pieces together to make the whole operating system run smoothly. +For this, there is no substitute for a good book or users' manual on UNIX(R) system administration. [[bibliography-freebsd]] == Books Specific to FreeBSD diff --git a/documentation/content/en/books/handbook/book.adoc b/documentation/content/en/books/handbook/book.adoc index 7b4120b17f..7d80d890e7 100644 --- a/documentation/content/en/books/handbook/book.adoc +++ b/documentation/content/en/books/handbook/book.adoc @@ -62,9 +62,16 @@ endif::[] [abstract] Abstract -Welcome to FreeBSD! This handbook covers the installation and day to day use of _FreeBSD {rel122-current}-RELEASE_, _FreeBSD {rel121-current}-RELEASE_ and _FreeBSD {rel114-current}-RELEASE_. This book is the result of ongoing work by many individuals. Some sections might be outdated. Those interested in helping to update and expand this document should send email to the {freebsd-doc}. - -The latest version of this book is available from the https://www.FreeBSD.org/[FreeBSD web site]. Previous versions can be obtained from https://docs.FreeBSD.org/doc/[https://docs.FreeBSD.org/doc/]. The book can be downloaded in a variety of formats and compression options from the https://download.freebsd.org/ftp/doc/[FreeBSD FTP server] or one of the numerous crossref:mirrors[mirrors-ftp,mirror sites]. Printed copies can be purchased at the https://www.freebsdmall.com/[FreeBSD Mall]. Searches can be performed on the handbook and other documents on the link:https://www.FreeBSD.org/search/[search page]. +Welcome to FreeBSD! This handbook covers the installation and day to day use of _FreeBSD {rel122-current}-RELEASE_, _FreeBSD {rel121-current}-RELEASE_ and _FreeBSD {rel114-current}-RELEASE_. +This book is the result of ongoing work by many individuals. +Some sections might be outdated. +Those interested in helping to update and expand this document should send email to the {freebsd-doc}. + +The latest version of this book is available from the https://www.FreeBSD.org/[FreeBSD web site]. +Previous versions can be obtained from https://docs.FreeBSD.org/doc/[https://docs.FreeBSD.org/doc/]. +The book can be downloaded in a variety of formats and compression options from the https://download.freebsd.org/ftp/doc/[FreeBSD FTP server] or one of the numerous crossref:mirrors[mirrors-ftp,mirror sites]. +Printed copies can be purchased at the https://www.freebsdmall.com/[FreeBSD Mall]. +Searches can be performed on the handbook and other documents on the link:https://www.FreeBSD.org/search/[search page]. ''' diff --git a/documentation/content/en/books/handbook/boot/_index.adoc b/documentation/content/en/books/handbook/boot/_index.adoc index 61b5d8752b..864832928a 100644 --- a/documentation/content/en/books/handbook/boot/_index.adoc +++ b/documentation/content/en/books/handbook/boot/_index.adoc @@ -46,9 +46,12 @@ toc::[] [[boot-synopsis]] == Synopsis -The process of starting a computer and loading the operating system is referred to as "the bootstrap process", or "booting". FreeBSD's boot process provides a great deal of flexibility in customizing what happens when the system starts, including the ability to select from different operating systems installed on the same computer, different versions of the same operating system, or a different installed kernel. +The process of starting a computer and loading the operating system is referred to as "the bootstrap process", or "booting". +FreeBSD's boot process provides a great deal of flexibility in customizing what happens when the system starts, including the ability to select from different operating systems installed on the same computer, different versions of the same operating system, or a different installed kernel. -This chapter details the configuration options that can be set. It demonstrates how to customize the FreeBSD boot process, including everything that happens until the FreeBSD kernel has started, probed for devices, and started man:init[8]. This occurs when the text color of the boot messages changes from bright white to grey. +This chapter details the configuration options that can be set. +It demonstrates how to customize the FreeBSD boot process, including everything that happens until the FreeBSD kernel has started, probed for devices, and started man:init[8]. +This occurs when the text color of the boot messages changes from bright white to grey. After reading this chapter, you will recognize: @@ -65,33 +68,56 @@ This chapter only describes the boot process for FreeBSD running on x86 and amd6 [[boot-introduction]] == FreeBSD Boot Process -Turning on a computer and starting the operating system poses an interesting dilemma. By definition, the computer does not know how to do anything until the operating system is started. This includes running programs from the disk. If the computer can not run a program from the disk without the operating system, and the operating system programs are on the disk, how is the operating system started? +Turning on a computer and starting the operating system poses an interesting dilemma. +By definition, the computer does not know how to do anything until the operating system is started. +This includes running programs from the disk. +If the computer can not run a program from the disk without the operating system, and the operating system programs are on the disk, how is the operating system started? -This problem parallels one in the book The Adventures of Baron Munchausen. A character had fallen part way down a manhole, and pulled himself out by grabbing his bootstraps and lifting. In the early days of computing, the term _bootstrap_ was applied to the mechanism used to load the operating system. It has since become shortened to "booting". +This problem parallels one in the book The Adventures of Baron Munchausen. +A character had fallen part way down a manhole, and pulled himself out by grabbing his bootstraps and lifting. +In the early days of computing, the term _bootstrap_ was applied to the mechanism used to load the operating system. +It has since become shortened to "booting". -On x86 hardware, the Basic Input/Output System (BIOS) is responsible for loading the operating system. The BIOS looks on the hard disk for the Master Boot Record (MBR), which must be located in a specific place on the disk. The BIOS has enough knowledge to load and run the MBR, and assumes that the MBR can then carry out the rest of the tasks involved in loading the operating system, possibly with the help of the BIOS. +On x86 hardware, the Basic Input/Output System (BIOS) is responsible for loading the operating system. +The BIOS looks on the hard disk for the Master Boot Record (MBR), which must be located in a specific place on the disk. +The BIOS has enough knowledge to load and run the MBR, and assumes that the MBR can then carry out the rest of the tasks involved in loading the operating system, possibly with the help of the BIOS. [NOTE] ==== -FreeBSD provides for booting from both the older MBR standard, and the newer GUID Partition Table (GPT). GPT partitioning is often found on computers with the Unified Extensible Firmware Interface (UEFI). However, FreeBSD can boot from GPT partitions even on machines with only a legacy BIOS with man:gptboot[8]. Work is under way to provide direct UEFI booting. +FreeBSD provides for booting from both the older MBR standard, and the newer GUID Partition Table (GPT). +GPT partitioning is often found on computers with the Unified Extensible Firmware Interface (UEFI). +However, FreeBSD can boot from GPT partitions even on machines with only a legacy BIOS with man:gptboot[8]. +Work is under way to provide direct UEFI booting. ==== -The code within the MBR is typically referred to as a _boot manager_, especially when it interacts with the user. The boot manager usually has more code in the first track of the disk or within the file system. Examples of boot managers include the standard FreeBSD boot manager boot0, also called Boot Easy, and Grub, which is used by many Linux(R) distributions. +The code within the MBR is typically referred to as a _boot manager_, especially when it interacts with the user. +The boot manager usually has more code in the first track of the disk or within the file system. +Examples of boot managers include the standard FreeBSD boot manager boot0, also called Boot Easy, and Grub, which is used by many Linux(R) distributions. -If only one operating system is installed, the MBR searches for the first bootable (active) slice on the disk, and then runs the code on that slice to load the remainder of the operating system. When multiple operating systems are present, a different boot manager can be installed to display a list of operating systems so the user can select one to boot. +If only one operating system is installed, the MBR searches for the first bootable (active) slice on the disk, and then runs the code on that slice to load the remainder of the operating system. +When multiple operating systems are present, a different boot manager can be installed to display a list of operating systems so the user can select one to boot. -The remainder of the FreeBSD bootstrap system is divided into three stages. The first stage knows just enough to get the computer into a specific state and run the second stage. The second stage can do a little bit more, before running the third stage. The third stage finishes the task of loading the operating system. The work is split into three stages because the MBR puts limits on the size of the programs that can be run at stages one and two. Chaining the tasks together allows FreeBSD to provide a more flexible loader. +The remainder of the FreeBSD bootstrap system is divided into three stages. +The first stage knows just enough to get the computer into a specific state and run the second stage. +The second stage can do a little bit more, before running the third stage. +The third stage finishes the task of loading the operating system. +The work is split into three stages because the MBR puts limits on the size of the programs that can be run at stages one and two. +Chaining the tasks together allows FreeBSD to provide a more flexible loader. -The kernel is then started and begins to probe for devices and initialize them for use. Once the kernel boot process is finished, the kernel passes control to the user process man:init[8], which makes sure the disks are in a usable state, starts the user-level resource configuration which mounts file systems, sets up network cards to communicate on the network, and starts the processes which have been configured to run at startup. +The kernel is then started and begins to probe for devices and initialize them for use. +Once the kernel boot process is finished, the kernel passes control to the user process man:init[8], which makes sure the disks are in a usable state, starts the user-level resource configuration which mounts file systems, sets up network cards to communicate on the network, and starts the processes which have been configured to run at startup. This section describes these stages in more detail and demonstrates how to interact with the FreeBSD boot process. [[boot-boot0]] === The Boot Manager -The boot manager code in the MBR is sometimes referred to as _stage zero_ of the boot process. By default, FreeBSD uses the boot0 boot manager. +The boot manager code in the MBR is sometimes referred to as _stage zero_ of the boot process. +By default, FreeBSD uses the boot0 boot manager. -The MBR installed by the FreeBSD installer is based on [.filename]#/boot/boot0#. The size and capability of boot0 is restricted to 446 bytes due to the slice table and `0x55AA` identifier at the end of the MBR. If boot0 and multiple operating systems are installed, a message similar to this example will be displayed at boot time: +The MBR installed by the FreeBSD installer is based on [.filename]#/boot/boot0#. +The size and capability of boot0 is restricted to 446 bytes due to the slice table and `0x55AA` identifier at the end of the MBR. +If boot0 and multiple operating systems are installed, a message similar to this example will be displayed at boot time: [[boot-boot0-example]] .[.filename]#boot0# Screenshot @@ -108,25 +134,34 @@ Default: F2 ==== -Other operating systems will overwrite an existing MBR if they are installed after FreeBSD. If this happens, or to replace the existing MBR with the FreeBSD MBR, use the following command: +Other operating systems will overwrite an existing MBR if they are installed after FreeBSD. +If this happens, or to replace the existing MBR with the FreeBSD MBR, use the following command: [source,shell] .... # fdisk -B -b /boot/boot0 device .... -where _device_ is the boot disk, such as [.filename]#ad0# for the first IDE disk, [.filename]#ad2# for the first IDE disk on a second IDE controller, or [.filename]#da0# for the first SCSI disk. To create a custom configuration of the MBR, refer to man:boot0cfg[8]. +where _device_ is the boot disk, such as [.filename]#ad0# for the first IDE disk, [.filename]#ad2# for the first IDE disk on a second IDE controller, or [.filename]#da0# for the first SCSI disk. +To create a custom configuration of the MBR, refer to man:boot0cfg[8]. [[boot-boot1]] === Stage One and Stage Two -Conceptually, the first and second stages are part of the same program on the same area of the disk. Due to space constraints, they have been split into two, but are always installed together. They are copied from the combined [.filename]#/boot/boot# by the FreeBSD installer or `bsdlabel`. +Conceptually, the first and second stages are part of the same program on the same area of the disk. +Due to space constraints, they have been split into two, but are always installed together. +They are copied from the combined [.filename]#/boot/boot# by the FreeBSD installer or `bsdlabel`. -These two stages are located outside file systems, in the first track of the boot slice, starting with the first sector. This is where boot0, or any other boot manager, expects to find a program to run which will continue the boot process. +These two stages are located outside file systems, in the first track of the boot slice, starting with the first sector. +This is where boot0, or any other boot manager, expects to find a program to run which will continue the boot process. -The first stage, [.filename]#boot1#, is very simple, since it can only be 512 bytes in size. It knows just enough about the FreeBSD _bsdlabel_, which stores information about the slice, to find and execute [.filename]#boot2#. +The first stage, [.filename]#boot1#, is very simple, since it can only be 512 bytes in size. +It knows just enough about the FreeBSD _bsdlabel_, which stores information about the slice, to find and execute [.filename]#boot2#. -Stage two, [.filename]#boot2#, is slightly more sophisticated, and understands the FreeBSD file system enough to find files. It can provide a simple interface to choose the kernel or loader to run. It runs loader, which is much more sophisticated and provides a boot configuration file. If the boot process is interrupted at stage two, the following interactive screen is displayed: +Stage two, [.filename]#boot2#, is slightly more sophisticated, and understands the FreeBSD file system enough to find files. +It can provide a simple interface to choose the kernel or loader to run. +It runs loader, which is much more sophisticated and provides a boot configuration file. +If the boot process is interrupted at stage two, the following interactive screen is displayed: [[boot-boot2-example]] .[.filename]#boot2# Screenshot @@ -151,21 +186,28 @@ To replace the installed [.filename]#boot1# and [.filename]#boot2#, use `bsdlabe [WARNING] ==== -If just the disk name is used, such as [.filename]#ad0#, `bsdlabel` will create the disk in "dangerously dedicated mode", without slices. This is probably not the desired action, so double check the _diskslice_ before pressing kbd:[Return]. +If just the disk name is used, such as [.filename]#ad0#, `bsdlabel` will create the disk in "dangerously dedicated mode", without slices. +This is probably not the desired action, so double check the _diskslice_ before pressing kbd:[Return]. ==== [[boot-loader]] === Stage Three -The loader is the final stage of the three-stage bootstrap process. It is located on the file system, usually as [.filename]#/boot/loader#. +The loader is the final stage of the three-stage bootstrap process. +It is located on the file system, usually as [.filename]#/boot/loader#. The loader is intended as an interactive method for configuration, using a built-in command set, backed up by a more powerful interpreter which has a more complex command set. -During initialization, loader will probe for a console and for disks, and figure out which disk it is booting from. It will set variables accordingly, and an interpreter is started where user commands can be passed from a script or interactively. +During initialization, loader will probe for a console and for disks, and figure out which disk it is booting from. +It will set variables accordingly, and an interpreter is started where user commands can be passed from a script or interactively. -The loader will then read [.filename]#/boot/loader.rc#, which by default reads in [.filename]#/boot/defaults/loader.conf# which sets reasonable defaults for variables and reads [.filename]#/boot/loader.conf# for local changes to those variables. [.filename]#loader.rc# then acts on these variables, loading whichever modules and kernel are selected. +The loader will then read [.filename]#/boot/loader.rc#, which by default reads in [.filename]#/boot/defaults/loader.conf# which sets reasonable defaults for variables and reads [.filename]#/boot/loader.conf# for local changes to those variables. +[.filename]#loader.rc# then acts on these variables, loading whichever modules and kernel are selected. -Finally, by default, loader issues a 10 second wait for key presses, and boots the kernel if it is not interrupted. If interrupted, the user is presented with a prompt which understands the command set, where the user may adjust variables, unload all modules, load modules, and then finally boot or reboot. <<boot-loader-commands>> lists the most commonly used loader commands. For a complete discussion of all available commands, refer to man:loader[8]. +Finally, by default, loader issues a 10 second wait for key presses, and boots the kernel if it is not interrupted. +If interrupted, the user is presented with a prompt which understands the command set, where the user may adjust variables, unload all modules, load modules, and then finally boot or reboot. +<<boot-loader-commands>> lists the most commonly used loader commands. +For a complete discussion of all available commands, refer to man:loader[8]. [[boot-loader-commands]] .Loader Built-In Commands @@ -214,7 +256,8 @@ Finally, by default, loader issues a 10 second wait for key presses, and boots t |Removes all loaded modules. |=== -Here are some practical examples of loader usage. To boot the usual kernel in single-user mode : +Here are some practical examples of loader usage. +To boot the usual kernel in single-user mode : [source,shell] .... @@ -231,7 +274,8 @@ To unload the usual kernel and modules and then load the previous or another, sp Use the qualified [.filename]#/boot/GENERIC/kernel# to refer to the default kernel that comes with an installation, or [.filename]#/boot/kernel.old/kernel#, to refer to the previously installed kernel before a system upgrade or before configuring a custom kernel. -Use the following to load the usual modules with another kernel. Note that in this case it is not necessary the qualified name: +Use the following to load the usual modules with another kernel. +Note that in this case it is not necessary the qualified name: [source,shell] .... @@ -250,7 +294,9 @@ To load an automated kernel configuration script: [[boot-init]] === Last Stage -Once the kernel is loaded by either loader or by boot2, which bypasses loader, it examines any boot flags and adjusts its behavior as necessary. <<boot-kernel>> lists the commonly used boot flags. Refer to man:boot[8] for more information on the other boot flags. +Once the kernel is loaded by either loader or by boot2, which bypasses loader, it examines any boot flags and adjusts its behavior as necessary. +<<boot-kernel>> lists the commonly used boot flags. +Refer to man:boot[8] for more information on the other boot flags. [[boot-kernel]] .Kernel Interaction During Boot @@ -272,27 +318,38 @@ Once the kernel is loaded by either loader or by boot2, which bypasses loader, i |Be more verbose during kernel startup. |=== -Once the kernel has finished booting, it passes control to the user process man:init[8], which is located at [.filename]#/sbin/init#, or the program path specified in the `init_path` variable in `loader`. This is the last stage of the boot process. +Once the kernel has finished booting, it passes control to the user process man:init[8], which is located at [.filename]#/sbin/init#, or the program path specified in the `init_path` variable in `loader`. +This is the last stage of the boot process. -The boot sequence makes sure that the file systems available on the system are consistent. If a UFS file system is not, and `fsck` cannot fix the inconsistencies, init drops the system into single-user mode so that the system administrator can resolve the problem directly. Otherwise, the system boots into multi-user mode. +The boot sequence makes sure that the file systems available on the system are consistent. +If a UFS file system is not, and `fsck` cannot fix the inconsistencies, init drops the system into single-user mode so that the system administrator can resolve the problem directly. +Otherwise, the system boots into multi-user mode. [[boot-singleuser]] ==== Single-User Mode -A user can specify this mode by booting with `-s` or by setting the `boot_single` variable in loader. It can also be reached by running `shutdown now` from multi-user mode. Single-user mode begins with this message: +A user can specify this mode by booting with `-s` or by setting the `boot_single` variable in loader. +It can also be reached by running `shutdown now` from multi-user mode. +Single-user mode begins with this message: [.programlisting] .... Enter full pathname of shell or RETURN for /bin/sh: .... -If the user presses kbd:[Enter], the system will enter the default Bourne shell. To specify a different shell, input the full path to the shell. +If the user presses kbd:[Enter], the system will enter the default Bourne shell. +To specify a different shell, input the full path to the shell. -Single-user mode is usually used to repair a system that will not boot due to an inconsistent file system or an error in a boot configuration file. It can also be used to reset the `root` password when it is unknown. These actions are possible as the single-user mode prompt gives full, local access to the system and its configuration files. There is no networking in this mode. +Single-user mode is usually used to repair a system that will not boot due to an inconsistent file system or an error in a boot configuration file. +It can also be used to reset the `root` password when it is unknown. +These actions are possible as the single-user mode prompt gives full, local access to the system and its configuration files. +There is no networking in this mode. -While single-user mode is useful for repairing a system, it poses a security risk unless the system is in a physically secure location. By default, any user who can gain physical access to a system will have full control of that system after booting into single-user mode. +While single-user mode is useful for repairing a system, it poses a security risk unless the system is in a physically secure location. +By default, any user who can gain physical access to a system will have full control of that system after booting into single-user mode. -If the system `console` is changed to `insecure` in [.filename]#/etc/ttys#, the system will first prompt for the `root` password before initiating single-user mode. This adds a measure of security while removing the ability to reset the `root` password when it is unknown. +If the system `console` is changed to `insecure` in [.filename]#/etc/ttys#, the system will first prompt for the `root` password before initiating single-user mode. +This adds a measure of security while removing the ability to reset the `root` password when it is unknown. [[boot-insecure-console]] .Configuring an Insecure Console in [.filename]#/etc/ttys# @@ -316,20 +373,28 @@ An `insecure` console means that physical security to the console is considered If init finds the file systems to be in order, or once the user has finished their commands in single-user mode and has typed `exit` to leave single-user mode, the system enters multi-user mode, in which it starts the resource configuration of the system. -The resource configuration system reads in configuration defaults from [.filename]#/etc/defaults/rc.conf# and system-specific details from [.filename]#/etc/rc.conf#. It then proceeds to mount the system file systems listed in [.filename]#/etc/fstab#. It starts up networking services, miscellaneous system daemons, then the startup scripts of locally installed packages. +The resource configuration system reads in configuration defaults from [.filename]#/etc/defaults/rc.conf# and system-specific details from [.filename]#/etc/rc.conf#. +It then proceeds to mount the system file systems listed in [.filename]#/etc/fstab#. +It starts up networking services, miscellaneous system daemons, then the startup scripts of locally installed packages. To learn more about the resource configuration system, refer to man:rc[8] and examine the scripts located in [.filename]#/etc/rc.d#. [[device-hints]] == Device Hints -During initial system startup, the boot man:loader[8] reads man:device.hints[5]. This file stores kernel boot information known as variables, sometimes referred to as "device hints". These "device hints" are used by device drivers for device configuration. +During initial system startup, the boot man:loader[8] reads man:device.hints[5]. +This file stores kernel boot information known as variables, sometimes referred to as "device hints". +These "device hints" are used by device drivers for device configuration. -Device hints may also be specified at the Stage 3 boot loader prompt, as demonstrated in <<boot-loader>>. Variables can be added using `set`, removed with `unset`, and viewed `show`. Variables set in [.filename]#/boot/device.hints# can also be overridden. Device hints entered at the boot loader are not permanent and will not be applied on the next reboot. +Device hints may also be specified at the Stage 3 boot loader prompt, as demonstrated in <<boot-loader>>. +Variables can be added using `set`, removed with `unset`, and viewed `show`. +Variables set in [.filename]#/boot/device.hints# can also be overridden. +Device hints entered at the boot loader are not permanent and will not be applied on the next reboot. Once the system is booted, man:kenv[1] can be used to dump all of the variables. -The syntax for [.filename]#/boot/device.hints# is one variable per line, using the hash "#" as comment markers. Lines are constructed as follows: +The syntax for [.filename]#/boot/device.hints# is one variable per line, using the hash "#" as comment markers. +Lines are constructed as follows: [source,shell] .... @@ -343,7 +408,8 @@ The syntax for the Stage 3 boot loader is: set hint.driver.unit.keyword=value .... -where `driver` is the device driver name, `unit` is the device driver unit number, and `keyword` is the hint keyword. The keyword may consist of the following options: +where `driver` is the device driver name, `unit` is the device driver unit number, and `keyword` is the hint keyword. +The keyword may consist of the following options: * `at`: specifies the bus which the device is attached to. * `port`: specifies the start address of the I/O to be used. @@ -353,14 +419,19 @@ where `driver` is the device driver name, `unit` is the device driver unit numbe * `flags`: sets various flag bits for the device. * `disabled`: if set to `1` the device is disabled. -Since device drivers may accept or require more hints not listed here, viewing a driver's manual page is recommended. For more information, refer to man:device.hints[5], man:kenv[1], man:loader.conf[5], and man:loader[8]. +Since device drivers may accept or require more hints not listed here, viewing a driver's manual page is recommended. +For more information, refer to man:device.hints[5], man:kenv[1], man:loader.conf[5], and man:loader[8]. [[boot-shutdown]] == Shutdown Sequence Upon controlled shutdown using man:shutdown[8], man:init[8] will attempt to run the script [.filename]#/etc/rc.shutdown#, and then proceed to send all processes the `TERM` signal, and subsequently the `KILL` signal to any that do not terminate in a timely manner. -To power down a FreeBSD machine on architectures and systems that support power management, use `shutdown -p now` to turn the power off immediately. To reboot a FreeBSD system, use `shutdown -r now`. One must be `root` or a member of `operator` in order to run man:shutdown[8]. One can also use man:halt[8] and man:reboot[8]. Refer to their manual pages and to man:shutdown[8] for more information. +To power down a FreeBSD machine on architectures and systems that support power management, use `shutdown -p now` to turn the power off immediately. +To reboot a FreeBSD system, use `shutdown -r now`. +One must be `root` or a member of `operator` in order to run man:shutdown[8]. +One can also use man:halt[8] and man:reboot[8]. +Refer to their manual pages and to man:shutdown[8] for more information. Modify group membership by referring to crossref:basics[users-synopsis,“Users and Basic Account Management”]. diff --git a/documentation/content/en/books/handbook/bsdinstall/_index.adoc b/documentation/content/en/books/handbook/bsdinstall/_index.adoc index 33ae0535fe..cd11a7f59e 100644 --- a/documentation/content/en/books/handbook/bsdinstall/_index.adoc +++ b/documentation/content/en/books/handbook/bsdinstall/_index.adoc @@ -46,7 +46,8 @@ toc::[] [[bsdinstall-synopsis]] == Synopsis -There are several different ways of getting FreeBSD to run, depending on the environment. Those are: +There are several different ways of getting FreeBSD to run, depending on the environment. +Those are: * Virtual Machine images, to download and import on a virtual environment of choice. These can be downloaded from the https://www.freebsd.org/where/[Download FreeBSD] page. There are images for KVM ("qcow2"), VMWare ("vmdk"), Hyper-V ("vhd"), and raw device images that are universally supported. These are not installation images, but rather the preconfigured ("already installed") instances, ready to run and perform post-installation tasks. * Virtual Machine images available at Amazon's https://aws.amazon.com/marketplace/pp/B07L6QV354[AWS Marketplace], https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=freebsd&page=1[Microsoft Azure Marketplace], and https://console.cloud.google.com/marketplace/details/freebsd-cloud/freebsd-12[Google Cloud Platform], to run on their respective hosting services. For more information on deploying FreeBSD on Azure please consult the relevant chapter in the https://docs.microsoft.com/en-us/azure/virtual-machines/linux/freebsd-intro-on-azure[Azure Documentation]. @@ -55,7 +56,9 @@ There are several different ways of getting FreeBSD to run, depending on the env The rest of this chapter describes the fourth case, explaining how to install FreeBSD using the text-based installation program named bsdinstall. -In general, the installation instructions in this chapter are written for the i386(TM) and AMD64 architectures. Where applicable, instructions specific to other platforms will be listed. There may be minor differences between the installer and what is shown here, so use this chapter as a general guide rather than as a set of literal instructions. +In general, the installation instructions in this chapter are written for the i386(TM) and AMD64 architectures. +Where applicable, instructions specific to other platforms will be listed. +There may be minor differences between the installer and what is shown here, so use this chapter as a general guide rather than as a set of literal instructions. [NOTE] ==== @@ -78,24 +81,34 @@ Before reading this chapter, you should: [[bsdinstall-hardware]] == Minimum Hardware Requirements -The hardware requirements to install FreeBSD vary by architecture. Hardware architectures and devices supported by a FreeBSD release are listed on the link:https://www.FreeBSD.org/releases/[FreeBSD Release Information] page. The link:https://www.FreeBSD.org/where/[FreeBSD download page] also has recommendations for choosing the correct image for different architectures. +The hardware requirements to install FreeBSD vary by architecture. +Hardware architectures and devices supported by a FreeBSD release are listed on the link:https://www.FreeBSD.org/releases/[FreeBSD Release Information] page. +The link:https://www.FreeBSD.org/where/[FreeBSD download page] also has recommendations for choosing the correct image for different architectures. -A FreeBSD installation requires a minimum of 96 MB of RAM and 1.5 GB of free hard drive space. However, such small amounts of memory and disk space are really only suitable for custom applications like embedded appliances. General-purpose desktop systems need more resources. 2-4 GB RAM and at least 8 GB hard drive space is a good starting point. +A FreeBSD installation requires a minimum of 96 MB of RAM and 1.5 GB of free hard drive space. +However, such small amounts of memory and disk space are really only suitable for custom applications like embedded appliances. +General-purpose desktop systems need more resources. +2-4 GB RAM and at least 8 GB hard drive space is a good starting point. These are the processor requirements for each architecture: amd64:: -This is the most common desktop and laptop processor type, used in most modern systems. Intel(R) calls it Intel64. Other manufacturers sometimes call it x86-64. +This is the most common desktop and laptop processor type, used in most modern systems. +Intel(R) calls it Intel64. +Other manufacturers sometimes call it x86-64. + Examples of amd64 compatible processors include: AMD Athlon(TM)64, AMD Opteron(TM), multi-core Intel(R) Xeon(TM), and Intel(R) Core(TM) 2 and later processors. i386:: Older desktops and laptops often use this 32-bit, x86 architecture. + -Almost all i386-compatible processors with a floating point unit are supported. All Intel(R) processors 486 or higher are supported. +Almost all i386-compatible processors with a floating point unit are supported. +All Intel(R) processors 486 or higher are supported. However, binaries released by the project are compiled for the 686 processor, so a special build will be needed for 486 and 586 systems. + -FreeBSD will take advantage of Physical Address Extensions (PAE) support on CPUs with this feature. A kernel with the PAE feature enabled will detect memory above 4 GB and allow it to be used by the system. However, using PAE places constraints on device drivers and other features of FreeBSD. +FreeBSD will take advantage of Physical Address Extensions (PAE) support on CPUs with this feature. +A kernel with the PAE feature enabled will detect memory above 4 GB and allow it to be used by the system. +However, using PAE places constraints on device drivers and other features of FreeBSD. arm64:: Most embedded boards are 64-bit ARM computers. @@ -105,41 +118,60 @@ arm:: Older armv7 boards are supported. powerpc:: -All New World ROM Apple(R) Mac(R) systems with built-in USB are supported. SMP is supported on machines with multiple CPUs. +All New World ROM Apple(R) Mac(R) systems with built-in USB are supported. +SMP is supported on machines with multiple CPUs. + A 32-bit kernel can only use the first 2 GB of RAM. [[bsdinstall-pre]] == Pre-Installation Tasks -Once it has been determined that the system meets the minimum hardware requirements for installing FreeBSD, the installation file should be downloaded and the installation media prepared. Before doing this, check that the system is ready for an installation by verifying the items in this checklist: +Once it has been determined that the system meets the minimum hardware requirements for installing FreeBSD, the installation file should be downloaded and the installation media prepared. +Before doing this, check that the system is ready for an installation by verifying the items in this checklist: [.procedure] . *Back Up Important Data* + -Before installing any operating system, _always_ backup all important data first. Do not store the backup on the system being installed. Instead, save the data to a removable disk such as a USB drive, another system on the network, or an online backup service. Test the backup before starting the installation to make sure it contains all of the needed files. Once the installer formats the system's disk, all data stored on that disk will be lost. +Before installing any operating system, _always_ backup all important data first. +Do not store the backup on the system being installed. +Instead, save the data to a removable disk such as a USB drive, another system on the network, or an online backup service. +Test the backup before starting the installation to make sure it contains all of the needed files. +Once the installer formats the system's disk, all data stored on that disk will be lost. . *Decide Where to Install FreeBSD* + -If FreeBSD will be the only operating system installed, this step can be skipped. But if FreeBSD will share the disk with another operating system, decide which disk or partition will be used for FreeBSD. +If FreeBSD will be the only operating system installed, this step can be skipped. +But if FreeBSD will share the disk with another operating system, decide which disk or partition will be used for FreeBSD. + -In the i386 and amd64 architectures, disks can be divided into multiple partitions using one of two partitioning schemes. A traditional _Master Boot Record_ (MBR) holds a partition table defining up to four _primary partitions_. For historical reasons, FreeBSD calls these primary partition _slices_. One of these primary partitions can be made into an _extended partition_ containing multiple _logical partitions_. The _GUID Partition Table_ (GPT) is a newer and simpler method of partitioning a disk. Common GPT implementations allow up to 128 partitions per disk, eliminating the need for logical partitions. +In the i386 and amd64 architectures, disks can be divided into multiple partitions using one of two partitioning schemes. +A traditional _Master Boot Record_ (MBR) holds a partition table defining up to four _primary partitions_. +For historical reasons, FreeBSD calls these primary partition _slices_. +One of these primary partitions can be made into an _extended partition_ containing multiple _logical partitions_. +The _GUID Partition Table_ (GPT) is a newer and simpler method of partitioning a disk. +Common GPT implementations allow up to 128 partitions per disk, eliminating the need for logical partitions. + -The FreeBSD boot loader requires either a primary or GPT partition. If all of the primary or GPT partitions are already in use, one must be freed for FreeBSD. To create a partition without deleting existing data, use a partition resizing tool to shrink an existing partition and create a new partition using the freed space. +The FreeBSD boot loader requires either a primary or GPT partition. +If all of the primary or GPT partitions are already in use, one must be freed for FreeBSD. +To create a partition without deleting existing data, use a partition resizing tool to shrink an existing partition and create a new partition using the freed space. + -A variety of free and commercial partition resizing tools are listed at http://en.wikipedia.org/wiki/List_of_disk_partitioning_software[http://en.wikipedia.org/wiki/List_of_disk_partitioning_software]. GParted Live (http://gparted.sourceforge.net/livecd.php[http://gparted.sourceforge.net/livecd.php]) is a free live CD which includes the GParted partition editor. GParted is also included with many other Linux live CD distributions. +A variety of free and commercial partition resizing tools are listed at http://en.wikipedia.org/wiki/List_of_disk_partitioning_software[http://en.wikipedia.org/wiki/List_of_disk_partitioning_software]. +GParted Live (http://gparted.sourceforge.net/livecd.php[http://gparted.sourceforge.net/livecd.php]) is a free live CD which includes the GParted partition editor. +GParted is also included with many other Linux live CD distributions. + [WARNING] ==== - -When used properly, disk shrinking utilities can safely create space for creating a new partition. Since the possibility of selecting the wrong partition exists, always backup any important data and verify the integrity of the backup before modifying disk partitions. +When used properly, disk shrinking utilities can safely create space for creating a new partition. +Since the possibility of selecting the wrong partition exists, always backup any important data and verify the integrity of the backup before modifying disk partitions. ==== + -Disk partitions containing different operating systems make it possible to install multiple operating systems on one computer. An alternative is to use virtualization (crossref:virtualization[virtualization,Virtualization]) which allows multiple operating systems to run at the same time without modifying any disk partitions. +Disk partitions containing different operating systems make it possible to install multiple operating systems on one computer. +An alternative is to use virtualization (crossref:virtualization[virtualization,Virtualization]) which allows multiple operating systems to run at the same time without modifying any disk partitions. . *Collect Network Information* + -Some FreeBSD installation methods require a network connection in order to download the installation files. After any installation, the installer will offer to setup the system's network interfaces. +Some FreeBSD installation methods require a network connection in order to download the installation files. +After any installation, the installer will offer to setup the system's network interfaces. + -If the network has a DHCP server, it can be used to provide automatic network configuration. If DHCP is not available, the following network information for the system must be obtained from the local network administrator or Internet service provider: +If the network has a DHCP server, it can be used to provide automatic network configuration. +If DHCP is not available, the following network information for the system must be obtained from the local network administrator or Internet service provider: + [[bsdinstall-collect-network-information]] Required Network Information @@ -152,20 +184,29 @@ Required Network Information . *Check for FreeBSD Errata* + -Although the FreeBSD Project strives to ensure that each release of FreeBSD is as stable as possible, bugs occasionally creep into the process. On very rare occasions those bugs affect the installation process. As these problems are discovered and fixed, they are noted in the FreeBSD Errata (link:https://www.FreeBSD.org/releases/{rel121-current}R/errata/[https://www.freebsd.org/releases/{rel121-current}R/errata/]) on the FreeBSD web site. Check the errata before installing to make sure that there are no problems that might affect the installation. +Although the FreeBSD Project strives to ensure that each release of FreeBSD is as stable as possible, bugs occasionally creep into the process. +On very rare occasions those bugs affect the installation process. +As these problems are discovered and fixed, they are noted in the FreeBSD Errata (link:https://www.FreeBSD.org/releases/{rel121-current}R/errata/[https://www.freebsd.org/releases/{rel121-current}R/errata/]) on the FreeBSD web site. +Check the errata before installing to make sure that there are no problems that might affect the installation. + Information and errata for all the releases can be found on the release information section of the FreeBSD web site (link:https://www.FreeBSD.org/releases/[https://www.freebsd.org/releases/]). [[bsdinstall-installation-media]] === Prepare the Installation Media -The FreeBSD installer is not an application that can be run from within another operating system. Instead, download a FreeBSD installation file, burn it to the media associated with its file type and size (CD, DVD, or USB), and boot the system to install from the inserted media. +The FreeBSD installer is not an application that can be run from within another operating system. +Instead, download a FreeBSD installation file, burn it to the media associated with its file type and size (CD, DVD, or USB), and boot the system to install from the inserted media. + +FreeBSD installation files are available at link:https://www.FreeBSD.org/where/[www.freebsd.org/where/]. +Each installation file's name includes the release version of FreeBSD, the architecture, and the type of file. +For example, to install FreeBSD 12.1 on an amd64 system from a DVD, download [.filename]#FreeBSD-12.1-RELEASE-amd64-dvd1.iso#, burn this file to a DVD, and boot the system with the DVD inserted. -FreeBSD installation files are available at link:https://www.FreeBSD.org/where/[www.freebsd.org/where/]. Each installation file's name includes the release version of FreeBSD, the architecture, and the type of file. For example, to install FreeBSD 12.1 on an amd64 system from a DVD, download [.filename]#FreeBSD-12.1-RELEASE-amd64-dvd1.iso#, burn this file to a DVD, and boot the system with the DVD inserted. +Installation files are available in several formats. +The formats vary depending on computer architecture and media type. -Installation files are available in several formats. The formats vary depending on computer architecture and media type. [[bsdinstall-installation-media-uefi]] -Additional installation files are included for computers that boot with UEFI (Unified Extensible Firmware Interface). The names of these files include the string [.filename]#uefi#. +Additional installation files are included for computers that boot with UEFI (Unified Extensible Firmware Interface). +The names of these files include the string [.filename]#uefi#. File types: @@ -175,18 +216,27 @@ File types: * `-memstick.img`: This file contains all of the files needed to install FreeBSD, its source, and the Ports Collection. It should be burned to a USB stick using the instructions below. * `-mini-memstick.img`: Like `-bootonly.iso`, does not include installation files, but downloads them as needed. A working internet connection is required during installation. Write this file to a USB stick as shown in <<bsdinstall-usb>>. -After downloading the image file, download [.filename]#CHECKSUM.SHA256# from the same directory. Calculate a _checksum_ for the image file. FreeBSD provides man:sha256[1] for this, used as `sha256 _imagefilename_`. Other operating systems have similar programs. +After downloading the image file, download [.filename]#CHECKSUM.SHA256# from the same directory. +Calculate a _checksum_ for the image file. +FreeBSD provides man:sha256[1] for this, used as `sha256 _imagefilename_`. +Other operating systems have similar programs. -Compare the calculated checksum with the one shown in [.filename]#CHECKSUM.SHA256#. The checksums must match exactly. If the checksums do not match, the image file is corrupt and must be downloaded again. +Compare the calculated checksum with the one shown in [.filename]#CHECKSUM.SHA256#. +The checksums must match exactly. +If the checksums do not match, the image file is corrupt and must be downloaded again. [[bsdinstall-usb]] ==== Writing an Image File to USB -The [.filename]#\*.img# file is an _image_ of the complete contents of a memory stick. It _cannot_ be copied to the target device as a file. Several applications are available for writing the [.filename]#*.img# to a USB stick. This section describes two of these utilities. +The [.filename]#\*.img# file is an _image_ of the complete contents of a memory stick. +It _cannot_ be copied to the target device as a file. +Several applications are available for writing the [.filename]#*.img# to a USB stick. +This section describes two of these utilities. [IMPORTANT] ==== -Before proceeding, back up any important data on the USB stick. This procedure will erase the existing data on the stick. +Before proceeding, back up any important data on the USB stick. +This procedure will erase the existing data on the stick. ==== [[bsdinstall-usb-dd]] @@ -196,9 +246,10 @@ Before proceeding, back up any important data on the USB stick. This procedure w [WARNING] ==== - -This example uses [.filename]#/dev/da0# as the target device where the image will be written. Be _very careful_ that the correct device is used as this command will destroy the existing data on the specified target device. +This example uses [.filename]#/dev/da0# as the target device where the image will be written. +Be _very careful_ that the correct device is used as this command will destroy the existing data on the specified target device. ==== + . The command-line utility is available on BSD, Linux(R), and Mac OS(R) systems. To burn the image using `dd`, insert the USB stick and determine its device name. Then, specify the name of the downloaded installation file and the device name for the USB stick. This example burns the amd64 installation image to the first USB device on an existing FreeBSD system. + [source,shell] @@ -224,10 +275,17 @@ Be sure to give the correct drive letter as the existing data on the specified d ==== . *Obtaining Image Writer for Windows(R)* + -Image Writer for Windows(R) is a free application that can correctly write an image file to a memory stick. Download it from https://sourceforge.net/projects/win32diskimager/[https://sourceforge.net/projects/win32diskimager/] and extract it into a folder. +Image Writer for Windows(R) is a free application that can correctly write an image file to a memory stick. +Download it from https://sourceforge.net/projects/win32diskimager/[https://sourceforge.net/projects/win32diskimager/] and extract it into a folder. + . *Writing the Image with Image Writer* + -Double-click the Win32DiskImager icon to start the program. Verify that the drive letter shown under `Device` is the drive with the memory stick. Click the folder icon and select the image to be written to the memory stick. Click btn:[Save] to accept the image file name. Verify that everything is correct, and that no folders on the memory stick are open in other windows. When everything is ready, click btn:[Write] to write the image file to the memory stick. +Double-click the Win32DiskImager icon to start the program. +Verify that the drive letter shown under `Device` is the drive with the memory stick. +Click the folder icon and select the image to be written to the memory stick. +Click btn:[Save] to accept the image file name. +Verify that everything is correct, and that no folders on the memory stick are open in other windows. +When everything is ready, click btn:[Write] to write the image file to the memory stick. **** You are now ready to start installing FreeBSD. @@ -247,15 +305,22 @@ be PERMANENTLY ERASED. Are you sure you want to commit your changes? .... -The install can be exited at any time prior to this warning. If there is a concern that something is incorrectly configured, just turn the computer off before this point and no changes will be made to the system's disks. +The install can be exited at any time prior to this warning. +If there is a concern that something is incorrectly configured, just turn the computer off before this point and no changes will be made to the system's disks. ==== -This section describes how to boot the system from the installation media which was prepared using the instructions in <<bsdinstall-installation-media>>. When using a bootable USB stick, plug in the USB stick before turning on the computer. When booting from CD or DVD, turn on the computer and insert the media at the first opportunity. How to configure the system to boot from the inserted media depends upon the architecture. +This section describes how to boot the system from the installation media which was prepared using the instructions in <<bsdinstall-installation-media>>. +When using a bootable USB stick, plug in the USB stick before turning on the computer. +When booting from CD or DVD, turn on the computer and insert the media at the first opportunity. +How to configure the system to boot from the inserted media depends upon the architecture. [[bsdinstall-starting-i386]] === Booting on i386(TM) and amd64 -These architectures provide a BIOS menu for selecting the boot device. Depending upon the installation media being used, select the CD/DVD or USB device as the first boot device. Most systems also provide a key for selecting the boot device during startup without having to enter the BIOS. Typically, the key is either kbd:[F10], kbd:[F11], kbd:[F12], or kbd:[Escape]. +These architectures provide a BIOS menu for selecting the boot device. +Depending upon the installation media being used, select the CD/DVD or USB device as the first boot device. +Most systems also provide a key for selecting the boot device during startup without having to enter the BIOS. +Typically, the key is either kbd:[F10], kbd:[F11], kbd:[F12], or kbd:[Escape]. If the computer loads the existing operating system instead of the FreeBSD installer, then either: @@ -265,7 +330,9 @@ If the computer loads the existing operating system instead of the FreeBSD insta === Booting on PowerPC(R) -On most machines, holding kbd:[C] on the keyboard during boot will boot from the CD. Otherwise, hold kbd:[Command+Option+O+F], or kbd:[Windows+Alt+O+F] on non-Apple(R) keyboards. At the `0 >` prompt, enter +On most machines, holding kbd:[C] on the keyboard during boot will boot from the CD. +Otherwise, hold kbd:[Command+Option+O+F], or kbd:[Windows+Alt+O+F] on non-Apple(R) keyboards. +At the `0 >` prompt, enter [source,shell] .... @@ -281,7 +348,10 @@ Once the system boots from the installation media, a menu similar to the followi .FreeBSD Boot Loader Menu image::bsdinstall-newboot-loader-menu.png[] -By default, the menu will wait ten seconds for user input before booting into the FreeBSD installer or, if FreeBSD is already installed, before booting into FreeBSD. To pause the boot timer in order to review the selections, press kbd:[Space]. To select an option, press its highlighted number, character, or key. The following options are available. +By default, the menu will wait ten seconds for user input before booting into the FreeBSD installer or, if FreeBSD is already installed, before booting into FreeBSD. +To pause the boot timer in order to review the selections, press kbd:[Space]. +To select an option, press its highlighted number, character, or key. +The following options are available. * `Boot Multi User`: This will continue the FreeBSD boot process. If the boot timer has been paused, press kbd:[1], upper- or lower-case kbd:[B], or kbd:[Enter]. * `Boot Single User`: This mode can be used to fix an existing FreeBSD installation as described in crossref:boot[boot-singleuser,“Single-User Mode”]. Press kbd:[2] or the upper- or lower-case kbd:[S] to enter this mode. @@ -294,33 +364,46 @@ By default, the menu will wait ten seconds for user input before booting into th .FreeBSD Boot Options Menu image::bsdinstall-boot-options-menu.png[] -The boot options menu is divided into two sections. The first section can be used to either return to the main boot menu or to reset any toggled options back to their defaults. +The boot options menu is divided into two sections. +The first section can be used to either return to the main boot menu or to reset any toggled options back to their defaults. -The next section is used to toggle the available options to `On` or `Off` by pressing the option's highlighted number or character. The system will always boot using the settings for these options until they are modified. Several options can be toggled using this menu: +The next section is used to toggle the available options to `On` or `Off` by pressing the option's highlighted number or character. +The system will always boot using the settings for these options until they are modified. +Several options can be toggled using this menu: * `ACPI Support`: If the system hangs during boot, try toggling this option to `Off`. * `Safe Mode`: If the system still hangs during boot even with `ACPI Support` set to `Off`, try setting this option to `On`. * `Single User`: Toggle this option to `On` to fix an existing FreeBSD installation as described in crossref:boot[boot-singleuser,“Single-User Mode”]. Once the problem is fixed, set it back to `Off`. * `Verbose`: Toggle this option to `On` to see more detailed messages during the boot process. This can be useful when troubleshooting a piece of hardware. -After making the needed selections, press kbd:[1] or kbd:[Backspace] to return to the main boot menu, then press kbd:[Enter] to continue booting into FreeBSD. A series of boot messages will appear as FreeBSD carries out its hardware device probes and loads the installation program. Once the boot is complete, the welcome menu shown in <<bsdinstall-choose-mode>> will be displayed. +After making the needed selections, press kbd:[1] or kbd:[Backspace] to return to the main boot menu, then press kbd:[Enter] to continue booting into FreeBSD. +A series of boot messages will appear as FreeBSD carries out its hardware device probes and loads the installation program. +Once the boot is complete, the welcome menu shown in <<bsdinstall-choose-mode>> will be displayed. [[bsdinstall-choose-mode]] .Welcome Menu image::bsdinstall-choose-mode.png[] -Press kbd:[Enter] to select the default of btn:[Install] to enter the installer. The rest of this chapter describes how to use this installer. Otherwise, use the right or left arrows or the colorized letter to select the desired menu item. The btn:[Shell] can be used to access a FreeBSD shell in order to use command line utilities to prepare the disks before installation. The btn:[Live CD] option can be used to try out FreeBSD before installing it. The live version is described in <<using-live-cd>>. +Press kbd:[Enter] to select the default of btn:[Install] to enter the installer. +The rest of this chapter describes how to use this installer. +Otherwise, use the right or left arrows or the colorized letter to select the desired menu item. +The btn:[Shell] can be used to access a FreeBSD shell in order to use command line utilities to prepare the disks before installation. +The btn:[Live CD] option can be used to try out FreeBSD before installing it. +The live version is described in <<using-live-cd>>. [TIP] ==== - -To review the boot messages, including the hardware device probe, press the upper- or lower-case kbd:[S] and then kbd:[Enter] to access a shell. At the shell prompt, type `more /var/run/dmesg.boot` and use the space bar to scroll through the messages. When finished, type `exit` to return to the welcome menu. +To review the boot messages, including the hardware device probe, press the upper- or lower-case kbd:[S] and then kbd:[Enter] to access a shell. +At the shell prompt, type `more /var/run/dmesg.boot` and use the space bar to scroll through the messages. +When finished, type `exit` to return to the welcome menu. ==== [[using-bsdinstall]] == Using bsdinstall -This section shows the order of the bsdinstall menus and the type of information that will be asked before the system is installed. Use the arrow keys to highlight a menu option, then kbd:[Space] to select or deselect that menu item. When finished, press kbd:[Enter] to save the selection and move onto the next screen. +This section shows the order of the bsdinstall menus and the type of information that will be asked before the system is installed. +Use the arrow keys to highlight a menu option, then kbd:[Space] to select or deselect that menu item. +When finished, press kbd:[Enter] to save the selection and move onto the next screen. [[bsdinstall-keymap]] === Selecting the Keymap Menu @@ -331,7 +414,9 @@ Before starting the process, bsdinstall will load the keymap files as show in << .Keymap Loading image::bsdinstall-keymap-loading.png[] -After the keymaps have been loaded bsdinstall displays the menu shown in <<bsdinstall-keymap-10>>. Use the up and down arrows to select the keymap that most closely represents the mapping of the keyboard attached to the system. Press kbd:[Enter] to save the selection. +After the keymaps have been loaded bsdinstall displays the menu shown in <<bsdinstall-keymap-10>>. +Use the up and down arrows to select the keymap that most closely represents the mapping of the keyboard attached to the system. +Press kbd:[Enter] to save the selection. [[bsdinstall-keymap-10]] .Keymap Selection Menu @@ -339,7 +424,8 @@ image::bsdinstall-keymap-10.png[] [NOTE] ==== -Pressing kbd:[Esc] will exit this menu and use the default keymap. If the choice of keymap is not clear, [.guimenuitem]#United States of America ISO-8859-1# is also a safe option. +Pressing kbd:[Esc] will exit this menu and use the default keymap. +If the choice of keymap is not clear, [.guimenuitem]#United States of America ISO-8859-1# is also a safe option. ==== In addition, when selecting a different keymap, the user can try the keymap and ensure it is correct before proceeding as shown in <<bsdinstall-keymap-testing>>. @@ -357,7 +443,8 @@ The next bsdinstall menu is used to set the hostname for the newly installed sys .Setting the Hostname image::bsdinstall-config-hostname.png[] -Type in a hostname that is unique for the network. It should be a fully-qualified hostname, such as `machine3.example.com`. +Type in a hostname that is unique for the network. +It should be a fully-qualified hostname, such as `machine3.example.com`. [[bsdinstall-components]] === Selecting Components to Install @@ -368,7 +455,9 @@ Next, bsdinstall will prompt to select optional components to install. .Selecting Components to Install image::bsdinstall-config-components.png[] -Deciding which components to install will depend largely on the intended use of the system and the amount of disk space available. The FreeBSD kernel and userland, collectively known as the _base system_, are always installed. Depending on the architecture, some of these components may not appear: +Deciding which components to install will depend largely on the intended use of the system and the amount of disk space available. +The FreeBSD kernel and userland, collectively known as the _base system_, are always installed. +Depending on the architecture, some of these components may not appear: * `base-dbg` - Base tools like cat, ls among many others with debug symbols activated. * `kernel-dbg` - Kernel and modules with debug symbols activated. @@ -378,8 +467,9 @@ Deciding which components to install will depend largely on the intended use of + [WARNING] ==== - -The installation program does not check for adequate disk space. Select this option only if sufficient hard disk space is available. The FreeBSD Ports Collection takes up about {ports-size} of disk space. +The installation program does not check for adequate disk space. +Select this option only if sufficient hard disk space is available. +The FreeBSD Ports Collection takes up about {ports-size} of disk space. ==== * `src` - The complete FreeBSD source code for both the kernel and the userland. Although not required for the majority of applications, it may be required to build device drivers, kernel modules, or some applications from the Ports Collection. It is also used for developing FreeBSD itself. The full source tree requires 1 GB of disk space and recompiling the entire FreeBSD system requires an additional 5 GB of space. @@ -388,7 +478,9 @@ The installation program does not check for adequate disk space. Select this opt [[bsdinstall-netinstall]] === Installing from the Network -The menu shown in <<bsdinstall-netinstall-notify>> only appears when installing from a [.filename]#-bootonly.iso# or [.filename]#-mini-memstick.img# as this installation media does not hold copies of the installation files. Since the installation files must be retrieved over a network connection, this menu indicates that the network interface must be configured first. If this menu is shown in any step of the process remember to follow the instructions in <<bsdinstall-config-network-dev>>. +The menu shown in <<bsdinstall-netinstall-notify>> only appears when installing from a [.filename]#-bootonly.iso# or [.filename]#-mini-memstick.img# as this installation media does not hold copies of the installation files. +Since the installation files must be retrieved over a network connection, this menu indicates that the network interface must be configured first. +If this menu is shown in any step of the process remember to follow the instructions in <<bsdinstall-config-network-dev>>. [[bsdinstall-netinstall-notify]] .Installing from the Network @@ -410,40 +502,62 @@ bsdinstall gives the user four methods for allocating disk space: * `Shell` opens a shell prompt where advanced users can create customized partitions using command-line utilities like man:gpart[8], man:fdisk[8], and man:bsdlabel[8]. * `Auto (ZFS)` partitioning creates a root-on-ZFS system with optional GELI encryption support for _boot environments_. -This section describes what to consider when laying out the disk partitions. It then demonstrates how to use the different partitioning methods. +This section describes what to consider when laying out the disk partitions. +It then demonstrates how to use the different partitioning methods. [[configtuning-initial]] === Designing the Partition Layout -When laying out file systems, remember that hard drives transfer data faster from the outer tracks to the inner. Thus, smaller and heavier-accessed file systems should be closer to the outside of the drive, while larger partitions like [.filename]#/usr# should be placed toward the inner parts of the disk. It is a good idea to create partitions in an order similar to: [.filename]#/#, swap, [.filename]#/var#, and [.filename]#/usr#. +When laying out file systems, remember that hard drives transfer data faster from the outer tracks to the inner. +Thus, smaller and heavier-accessed file systems should be closer to the outside of the drive, while larger partitions like [.filename]#/usr# should be placed toward the inner parts of the disk. +It is a good idea to create partitions in an order similar to: [.filename]#/#, swap, [.filename]#/var#, and [.filename]#/usr#. -The size of the [.filename]#/var# partition reflects the intended machine's usage. This partition is used to hold mailboxes, log files, and printer spools. Mailboxes and log files can grow to unexpected sizes depending on the number of users and how long log files are kept. On average, most users rarely need more than about a gigabyte of free disk space in [.filename]#/var#. +The size of the [.filename]#/var# partition reflects the intended machine's usage. +This partition is used to hold mailboxes, log files, and printer spools. +Mailboxes and log files can grow to unexpected sizes depending on the number of users and how long log files are kept. +On average, most users rarely need more than about a gigabyte of free disk space in [.filename]#/var#. [NOTE] ==== -Sometimes, a lot of disk space is required in [.filename]#/var/tmp#. When new software is installed, the packaging tools extract a temporary copy of the packages under [.filename]#/var/tmp#. Large software packages, like Firefox or LibreOffice may be tricky to install if there is not enough disk space under [.filename]#/var/tmp#. +Sometimes, a lot of disk space is required in [.filename]#/var/tmp#. +When new software is installed, the packaging tools extract a temporary copy of the packages under [.filename]#/var/tmp#. +Large software packages, like Firefox or LibreOffice may be tricky to install if there is not enough disk space under [.filename]#/var/tmp#. ==== -The [.filename]#/usr# partition holds many of the files which support the system, including the FreeBSD Ports Collection and system source code. At least 2 gigabytes of space is recommended for this partition. +The [.filename]#/usr# partition holds many of the files which support the system, including the FreeBSD Ports Collection and system source code. +At least 2 gigabytes of space is recommended for this partition. -When selecting partition sizes, keep the space requirements in mind. Running out of space in one partition while barely using another can be a hassle. +When selecting partition sizes, keep the space requirements in mind. +Running out of space in one partition while barely using another can be a hassle. -As a rule of thumb, the swap partition should be about double the size of physical memory (RAM). Systems with minimal RAM may perform better with more swap. Configuring too little swap can lead to inefficiencies in the VM page scanning code and might create issues later if more memory is added. +As a rule of thumb, the swap partition should be about double the size of physical memory (RAM). +Systems with minimal RAM may perform better with more swap. +Configuring too little swap can lead to inefficiencies in the VM page scanning code and might create issues later if more memory is added. -On larger systems with multiple SCSI disks or multiple IDE disks operating on different controllers, it is recommended that swap be configured on each drive, up to four drives. The swap partitions should be approximately the same size. The kernel can handle arbitrary sizes but internal data structures scale to 4 times the largest swap partition. Keeping the swap partitions near the same size will allow the kernel to optimally stripe swap space across disks. Large swap sizes are fine, even if swap is not used much. It might be easier to recover from a runaway program before being forced to reboot. +On larger systems with multiple SCSI disks or multiple IDE disks operating on different controllers, it is recommended that swap be configured on each drive, up to four drives. +The swap partitions should be approximately the same size. +The kernel can handle arbitrary sizes but internal data structures scale to 4 times the largest swap partition. +Keeping the swap partitions near the same size will allow the kernel to optimally stripe swap space across disks. +Large swap sizes are fine, even if swap is not used much. +It might be easier to recover from a runaway program before being forced to reboot. -By properly partitioning a system, fragmentation introduced in the smaller write heavy partitions will not bleed over into the mostly read partitions. Keeping the write loaded partitions closer to the disk's edge will increase I/O performance in the partitions where it occurs the most. While I/O performance in the larger partitions may be needed, shifting them more toward the edge of the disk will not lead to a significant performance improvement over moving [.filename]#/var# to the edge. +By properly partitioning a system, fragmentation introduced in the smaller write heavy partitions will not bleed over into the mostly read partitions. +Keeping the write loaded partitions closer to the disk's edge will increase I/O performance in the partitions where it occurs the most. +While I/O performance in the larger partitions may be needed, shifting them more toward the edge of the disk will not lead to a significant performance improvement over moving [.filename]#/var# to the edge. [[bsdinstall-part-guided]] === Guided Partitioning Using UFS -When this method is selected, a menu will display the available disk(s). If multiple disks are connected, choose the one where FreeBSD is to be installed. +When this method is selected, a menu will display the available disk(s). +If multiple disks are connected, choose the one where FreeBSD is to be installed. [[bsdinstall-part-guided-disk]] .Selecting from Multiple Disks image::bsdinstall-part-guided-disk.png[] -Once the disk is selected, the next menu prompts to install to either the entire disk or to create a partition using free space. If btn:[Entire Disk] is chosen, a general partition layout filling the whole disk is automatically created. Selecting btn:[Partition] creates a partition layout from the unused space on the disk. +Once the disk is selected, the next menu prompts to install to either the entire disk or to create a partition using free space. +If btn:[Entire Disk] is chosen, a general partition layout filling the whole disk is automatically created. +Selecting btn:[Partition] creates a partition layout from the unused space on the disk. [[bsdinstall-part-entire-part]] .Selecting Entire Disk or Partition @@ -455,19 +569,29 @@ After btn:[Entire Disk] is chosen bsdinstall displays a dialog indicating that t .Confirmation image::bsdinstall-ufs-warning.png[] -The next menu shows a list with the partition schemes types. GPT is usually the most appropriate choice for amd64 computers. Older computers that are not compatible with GPT should use MBR. The other partition schemes are generally used for uncommon or older computers. More information is available in <<partition-schemes>>. +The next menu shows a list with the partition schemes types. +GPT is usually the most appropriate choice for amd64 computers. +Older computers that are not compatible with GPT should use MBR. +The other partition schemes are generally used for uncommon or older computers. +More information is available in <<partition-schemes>>. [[bsdinstall-ufs-scheme]] .Select Partition Scheme image::bsdinstall-part-manual-partscheme.png[] -After the partition layout has been created, review it to ensure it meets the needs of the installation. Selecting btn:[Revert] will reset the partitions to their original values and pressing btn:[Auto] will recreate the automatic FreeBSD partitions. Partitions can also be manually created, modified, or deleted. When the partitioning is correct, select btn:[Finish] to continue with the installation. +After the partition layout has been created, review it to ensure it meets the needs of the installation. +Selecting btn:[Revert] will reset the partitions to their original values and pressing btn:[Auto] will recreate the automatic FreeBSD partitions. +Partitions can also be manually created, modified, or deleted. +When the partitioning is correct, select btn:[Finish] to continue with the installation. [[bsdinstall-part-review]] .Review Created Partitions image::bsdinstall-part-review.png[] -Once the disks are configured, the next menu provides the last chance to make changes before the selected drives are formatted. If changes need to be made, select btn:[Back] to return to the main partitioning menu. btn:[Revert & Exit] exits the installer without making any changes to the drive. Select btn:[Commit] to start the installation process. +Once the disks are configured, the next menu provides the last chance to make changes before the selected drives are formatted. +If changes need to be made, select btn:[Back] to return to the main partitioning menu. +btn:[Revert & Exit] exits the installer without making any changes to the drive. +Select btn:[Commit] to start the installation process. [[bsdinstall-ufs-final-confirmation]] .Final Confirmation @@ -490,7 +614,9 @@ Highlight the installation drive ([.filename]#ada0# in this example) and select .Manually Create Partitions image::bsdinstall-part-manual-partscheme.png[] -GPT is usually the most appropriate choice for amd64 computers. Older computers that are not compatible with GPT should use MBR. The other partition schemes are generally used for uncommon or older computers. +GPT is usually the most appropriate choice for amd64 computers. +Older computers that are not compatible with GPT should use MBR. +The other partition schemes are generally used for uncommon or older computers. [[partition-schemes]] .Partitioning Schemes @@ -512,7 +638,8 @@ GPT is usually the most appropriate choice for amd64 computers. Older computers |Master Boot Record (http://en.wikipedia.org/wiki/Master_boot_record[http://en.wikipedia.org/wiki/Master_boot_record]). |=== -After the partitioning scheme has been selected and created, select btn:[Create] again to create the partitions. The kbd:[Tab] key is used to move the cursor between fields. +After the partitioning scheme has been selected and created, select btn:[Create] again to create the partitions. +The kbd:[Tab] key is used to move the cursor between fields. [[bsdinstall-part-manual-addpart]] .Manually Create Partitions @@ -527,31 +654,42 @@ A standard FreeBSD GPT installation uses at least three partitions: Refer to man:gpart[8] for descriptions of the available GPT partition types. -Multiple file system partitions can be created and some people prefer a traditional layout with separate partitions for [.filename]#/#, [.filename]#/var#, [.filename]#/tmp#, and [.filename]#/usr#. See <<bsdinstall-part-manual-splitfs>> for an example. +Multiple file system partitions can be created and some people prefer a traditional layout with separate partitions for [.filename]#/#, [.filename]#/var#, [.filename]#/tmp#, and [.filename]#/usr#. +See <<bsdinstall-part-manual-splitfs>> for an example. The `Size` may be entered with common abbreviations: _K_ for kilobytes, _M_ for megabytes, or _G_ for gigabytes. [TIP] ==== - -Proper sector alignment provides the best performance, and making partition sizes even multiples of 4K bytes helps to ensure alignment on drives with either 512-byte or 4K-byte sectors. Generally, using partition sizes that are even multiples of 1M or 1G is the easiest way to make sure every partition starts at an even multiple of 4K. There is one exception: the _freebsd-boot_ partition should be no larger than 512K due to current boot code limitations. +Proper sector alignment provides the best performance, and making partition sizes even multiples of 4K bytes helps to ensure alignment on drives with either 512-byte or 4K-byte sectors. +Generally, using partition sizes that are even multiples of 1M or 1G is the easiest way to make sure every partition starts at an even multiple of 4K. +There is one exception: the _freebsd-boot_ partition should be no larger than 512K due to current boot code limitations. ==== -A `Mountpoint` is needed if the partition will contain a file system. If only a single UFS partition will be created, the mountpoint should be [.filename]#/#. +A `Mountpoint` is needed if the partition will contain a file system. +If only a single UFS partition will be created, the mountpoint should be [.filename]#/#. -The `Label` is a name by which the partition will be known. Drive names or numbers can change if the drive is connected to a different controller or port, but the partition label does not change. Referring to labels instead of drive names and partition numbers in files like [.filename]#/etc/fstab# makes the system more tolerant to hardware changes. GPT labels appear in [.filename]#/dev/gpt/# when a disk is attached. Other partitioning schemes have different label capabilities and their labels appear in different directories in [.filename]#/dev/#. +The `Label` is a name by which the partition will be known. +Drive names or numbers can change if the drive is connected to a different controller or port, but the partition label does not change. +Referring to labels instead of drive names and partition numbers in files like [.filename]#/etc/fstab# makes the system more tolerant to hardware changes. +GPT labels appear in [.filename]#/dev/gpt/# when a disk is attached. +Other partitioning schemes have different label capabilities and their labels appear in different directories in [.filename]#/dev/#. [TIP] ==== - -Use a unique label on every partition to avoid conflicts from identical labels. A few letters from the computer's name, use, or location can be added to the label. For instance, use `labroot` or `rootfslab` for the UFS root partition on the computer named `lab`. +Use a unique label on every partition to avoid conflicts from identical labels. +A few letters from the computer's name, use, or location can be added to the label. +For instance, use `labroot` or `rootfslab` for the UFS root partition on the computer named `lab`. ==== [[bsdinstall-part-manual-splitfs]] .Creating Traditional Split File System Partitions [example] ==== -For a traditional partition layout where the [.filename]#/#, [.filename]#/var#, [.filename]#/tmp#, and [.filename]#/usr# directories are separate file systems on their own partitions, create a GPT partitioning scheme, then create the partitions as shown. Partition sizes shown are typical for a 20G target disk. If more space is available on the target disk, larger swap or [.filename]#/var# partitions may be useful. Labels shown here are prefixed with `ex` for "example", but readers should use other unique label values as described above. +For a traditional partition layout where the [.filename]#/#, [.filename]#/var#, [.filename]#/tmp#, and [.filename]#/usr# directories are separate file systems on their own partitions, create a GPT partitioning scheme, then create the partitions as shown. +Partition sizes shown are typical for a 20G target disk. +If more space is available on the target disk, larger swap or [.filename]#/var# partitions may be useful. +Labels shown here are prefixed with `ex` for "example", but readers should use other unique label values as described above. By default, FreeBSD's [.filename]#gptboot# expects the first UFS partition to be the [.filename]#/# partition. @@ -600,7 +738,8 @@ After the custom partitions have been created, select btn:[Finish] to continue w [[bsdinstall-part-zfs]] === Guided Partitioning Using Root-on-ZFS -This partitioning mode only works with whole disks and will erase the contents of the entire disk. The main ZFS configuration menu offers a number of options to control the creation of the pool. +This partitioning mode only works with whole disks and will erase the contents of the entire disk. +The main ZFS configuration menu offers a number of options to control the creation of the pool. [[bsdinstall-zfs-menu]] .ZFS Partitioning Menu @@ -635,7 +774,9 @@ Here is a summary of the `Pool Type` which can be selected in this menu: * `raidz2` - Double Redundant RAID. Allows two disks to fail concurrently. This option needs at least four disks. * `raidz3` - Triple Redundant RAID. Allows three disks to fail concurrently. This option needs at least five disks. -Once a `Pool Type` has been selected, a list of available disks is displayed, and the user is prompted to select one or more disks to make up the pool. The configuration is then validated, to ensure enough disks are selected. If not, select btn:[<Change Selection>] to return to the list of disks, or btn:[<Back>] to change the `Pool Type`. +Once a `Pool Type` has been selected, a list of available disks is displayed, and the user is prompted to select one or more disks to make up the pool. +The configuration is then validated, to ensure enough disks are selected. +If not, select btn:[<Change Selection>] to return to the list of disks, or btn:[<Back>] to change the `Pool Type`. [[bsdinstall-zfs-disk_select]] .Disk Selection @@ -657,25 +798,29 @@ To avoid accidentally erasing the wrong disk, the btn:[- Disk Info] menu can be .Analyzing a Disk image::bsdinstall-zfs-disk_info.png[] -Select kbd:[N] to configure the `Pool Name`. Enter the desired name then select btn:[<OK>] to establish it or btn:[<Cancel>] to return to the main menu and leave the default name. +Select kbd:[N] to configure the `Pool Name`. +Enter the desired name then select btn:[<OK>] to establish it or btn:[<Cancel>] to return to the main menu and leave the default name. [[bsdinstall-zfs-pool-name]] .Pool Name image::bsdinstall-zfs-pool-name.png[] -Select kbd:[S] to set the amount of swap. Enter the desired amount of swap and then select btn:[<OK>] to establish it or btn:[<Cancel>] to return to the main menu and let the default amount. +Select kbd:[S] to set the amount of swap. +Enter the desired amount of swap and then select btn:[<OK>] to establish it or btn:[<Cancel>] to return to the main menu and let the default amount. [[bsdinstall-zfs-swap-amount]] .Swap Amount image::bsdinstall-zfs-swap-amount.png[] -Once all options have been set to the desired values, select the btn:[>>> Install] option at the top of the menu. The installer then offers a last chance to cancel before the contents of the selected drives are destroyed to create the ZFS pool. +Once all options have been set to the desired values, select the btn:[>>> Install] option at the top of the menu. +The installer then offers a last chance to cancel before the contents of the selected drives are destroyed to create the ZFS pool. [[bsdinstall-zfs-warning]] .Last Chance image::bsdinstall-zfs-warning.png[] -If GELI disk encryption was enabled, the installer will prompt twice for the passphrase to be used to encrypt the disks. And after that the initializing of the encryption begins. +If GELI disk encryption was enabled, the installer will prompt twice for the passphrase to be used to encrypt the disks. +And after that the initializing of the encryption begins. [[bsdinstall-zfs-geli_password]] .Disk Encryption Password @@ -685,19 +830,24 @@ image::bsdinstall-zfs-geli_password.png[] .Initializing Encryption image::bsdinstall-zfs-init-encription.png[] -The installation then proceeds normally. To continue with the installation go to <<bsdinstall-fetching-distribution>>. +The installation then proceeds normally. +To continue with the installation go to <<bsdinstall-fetching-distribution>>. [[bsdinstall-part-shell]] === Shell Mode Partitioning -When creating advanced installations, the bsdinstall partitioning menus may not provide the level of flexibility required. Advanced users can select the btn:[Shell] option from the partitioning menu in order to manually partition the drives, create the file system(s), populate [.filename]#/tmp/bsdinstall_etc/fstab#, and mount the file systems under [.filename]#/mnt#. Once this is done, type `exit` to return to bsdinstall and continue the installation. +When creating advanced installations, the bsdinstall partitioning menus may not provide the level of flexibility required. +Advanced users can select the btn:[Shell] option from the partitioning menu in order to manually partition the drives, create the file system(s), populate [.filename]#/tmp/bsdinstall_etc/fstab#, and mount the file systems under [.filename]#/mnt#. +Once this is done, type `exit` to return to bsdinstall and continue the installation. [[bsdinstall-fetching-distribution]] == Fetching Distribution Files -Installation time will vary depending on the distributions chosen, installation media, and speed of the computer. A series of messages will indicate the progress. +Installation time will vary depending on the distributions chosen, installation media, and speed of the computer. +A series of messages will indicate the progress. -First, the installer formats the selected disk(s) and initializes the partitions. Next, in the case of a `bootonly media` or `mini memstick`, it downloads the selected components: +First, the installer formats the selected disk(s) and initializes the partitions. +Next, in the case of a `bootonly media` or `mini memstick`, it downloads the selected components: [[bsdinstall-distfile-fetching]] .Fetching Distribution Files @@ -715,7 +865,8 @@ Finally, the verified distribution files are extracted to the disk: .Extracting Distribution Files image::bsdinstall-distfile-extracting.png[] -Once all requested distribution files have been extracted, bsdinstall displays the first post-installation configuration screen. The available post-configuration options are described in the next section. +Once all requested distribution files have been extracted, bsdinstall displays the first post-installation configuration screen. +The available post-configuration options are described in the next section. [[bsdinstall-post]] == Accounts, Time Zone, Services and Hardening @@ -723,7 +874,10 @@ Once all requested distribution files have been extracted, bsdinstall displays t [[bsdinstall-post-root]] === Setting the `root` Password -First, the `root` password must be set. While entering the password, the characters being typed are not displayed on the screen. After the password has been entered, it must be entered again. This helps prevent typing errors. +First, the `root` password must be set. +While entering the password, the characters being typed are not displayed on the screen. +After the password has been entered, it must be entered again. +This helps prevent typing errors. [[bsdinstall-post-set-root-passwd]] .Setting the `root` Password @@ -732,9 +886,11 @@ image::bsdinstall-post-root-passwd.png[] [[bsdinstall-timezone]] === Setting the Time Zone -The next series of menus are used to determine the correct local time by selecting the geographic region, country, and time zone. Setting the time zone allows the system to automatically correct for regional time changes, such as daylight savings time, and perform other time zone related functions properly. +The next series of menus are used to determine the correct local time by selecting the geographic region, country, and time zone. +Setting the time zone allows the system to automatically correct for regional time changes, such as daylight savings time, and perform other time zone related functions properly. -The example shown here is for a machine located in the mainland time zone of Spain, Europe. The selections will vary according to the geographical location. +The example shown here is for a machine located in the mainland time zone of Spain, Europe. +The selections will vary according to the geographical location. [[bsdinstall-timezone-region]] .Select a Region @@ -764,18 +920,22 @@ Confirm the abbreviation for the time zone is correct. .Select Date image::bsdinstall-timezone-date.png[] -The appropriate date is selected using the arrow keys and then pressing btn:[Set Date]. Otherwise, the date selection can be skipped by pressing btn:[Skip]. +The appropriate date is selected using the arrow keys and then pressing btn:[Set Date]. +Otherwise, the date selection can be skipped by pressing btn:[Skip]. [[bsdinstall-timezone-time]] .Select Time image::bsdinstall-timezone-time.png[] -The appropriate time is selected using the arrow keys and then pressing btn:[Set Time]. Otherwise, the time selection can be skipped by pressing btn:[Skip]. +The appropriate time is selected using the arrow keys and then pressing btn:[Set Time]. +Otherwise, the time selection can be skipped by pressing btn:[Skip]. [[bsdinstall-sysconf]] === Enabling Services -The next menu is used to configure which system services will be started whenever the system boots. All of these services are optional. Only start the services that are needed for the system to function. +The next menu is used to configure which system services will be started whenever the system boots. +All of these services are optional. +Only start the services that are needed for the system to function. [[bsdinstall-config-serv]] .Selecting Additional Services to Enable @@ -794,7 +954,9 @@ Here is a summary of the services which can be enabled in this menu: [[bsdinstall-hardening]] === Enabling Hardening Security Options -The next menu is used to configure which security options will be enabled. All of these options are optional. But their use is encouraged. +The next menu is used to configure which security options will be enabled. +All of these options are optional. +But their use is encouraged. [[bsdinstall-hardening-options]] .Selecting Hardening Security Options @@ -817,7 +979,10 @@ Here is a summary of the options which can be enabled in this menu: [[bsdinstall-addusers]] === Add Users -The next menu prompts to create at least one user account. It is recommended to login to the system using a user account rather than as `root`. When logged in as `root`, there are essentially no limits or protection on what can be done. Logging in as a normal user is safer and more secure. +The next menu prompts to create at least one user account. +It is recommended to login to the system using a user account rather than as `root`. +When logged in as `root`, there are essentially no limits or protection on what can be done. +Logging in as a normal user is safer and more secure. Select btn:[Yes] to add new users. @@ -825,7 +990,8 @@ Select btn:[Yes] to add new users. .Add User Accounts image::bsdinstall-adduser1.png[] -Follow the prompts and input the requested information for the user account. The example shown in <<bsdinstall-add-user2>> creates the `asample` user account. +Follow the prompts and input the requested information for the user account. +The example shown in <<bsdinstall-add-user2>> creates the `asample` user account. [[bsdinstall-add-user2]] .Enter User Information @@ -849,13 +1015,16 @@ Here is a summary of the information to input: * `Enter password again` - The password must be typed again for verification. * `Lock out the account after creation?` - Typically `no` so that the user can login. -After entering everything, a summary is shown for review. If a mistake was made, enter `no` and try again. If everything is correct, enter `yes` to create the new user. +After entering everything, a summary is shown for review. +If a mistake was made, enter `no` and try again. +If everything is correct, enter `yes` to create the new user. [[bsdinstall-add-user3]] .Exit User and Group Management image::bsdinstall-adduser3.png[] -If there are more users to add, answer the `Add another user?` question with `yes`. Enter `no` to finish adding users and continue the installation. +If there are more users to add, answer the `Add another user?` question with `yes`. +Enter `no` to finish adding users and continue the installation. For more information on adding users and user management, see crossref:basics[users-synopsis,“Users and Basic Account Management”]. @@ -885,7 +1054,8 @@ After any final configuration is complete, select btn:[Exit]. .Manual Configuration image::bsdinstall-final-modification-shell.png[] -bsdinstall will prompt if there are any additional configuration that needs to be done before rebooting into the new system. Select btn:[Yes] to exit to a shell within the new system or btn:[No] to proceed to the last step of the installation. +bsdinstall will prompt if there are any additional configuration that needs to be done before rebooting into the new system. +Select btn:[Yes] to exit to a shell within the new system or btn:[No] to proceed to the last step of the installation. [[bsdinstall-final-main]] .Complete the Installation @@ -893,13 +1063,24 @@ image::bsdinstall-mainexit.png[] If further configuration or special setup is needed, select btn:[Live CD] to boot the install media into Live CD mode. -If the installation is complete, select btn:[Reboot] to reboot the computer and start the new FreeBSD system. Do not forget to remove the FreeBSD install media or the computer may boot from it again. +If the installation is complete, select btn:[Reboot] to reboot the computer and start the new FreeBSD system. +Do not forget to remove the FreeBSD install media or the computer may boot from it again. -As FreeBSD boots, informational messages are displayed. After the system finishes booting, a login prompt is displayed. At the `login:` prompt, enter the username added during the installation. Avoid logging in as `root`. Refer to crossref:basics[users-superuser,“The Superuser Account”] for instructions on how to become the superuser when administrative access is needed. +As FreeBSD boots, informational messages are displayed. +After the system finishes booting, a login prompt is displayed. +At the `login:` prompt, enter the username added during the installation. +Avoid logging in as `root`. +Refer to crossref:basics[users-superuser,“The Superuser Account”] for instructions on how to become the superuser when administrative access is needed. -The messages that appeared during boot can be reviewed by pressing kbd:[Scroll-Lock] to turn on the scroll-back buffer. The kbd:[PgUp], kbd:[PgDn], and arrow keys can be used to scroll back through the messages. When finished, press kbd:[Scroll-Lock] again to unlock the display and return to the console. To review these messages once the system has been up for some time, type `less /var/run/dmesg.boot` from a command prompt. Press kbd:[q] to return to the command line after viewing. +The messages that appeared during boot can be reviewed by pressing kbd:[Scroll-Lock] to turn on the scroll-back buffer. +The kbd:[PgUp], kbd:[PgDn], and arrow keys can be used to scroll back through the messages. +When finished, press kbd:[Scroll-Lock] again to unlock the display and return to the console. +To review these messages once the system has been up for some time, type `less /var/run/dmesg.boot` from a command prompt. +Press kbd:[q] to return to the command line after viewing. -If sshd was enabled in <<bsdinstall-config-serv>>, the first boot may be a bit slower as the system will generate the RSA and DSA keys. Subsequent boots will be faster. The fingerprints of the keys will be displayed, as seen in this example: +If sshd was enabled in <<bsdinstall-config-serv>>, the first boot may be a bit slower as the system will generate the RSA and DSA keys. +Subsequent boots will be faster. +The fingerprints of the keys will be displayed, as seen in this example: [source,shell] .... @@ -942,9 +1123,12 @@ Starting sshd. Refer to crossref:security[openssh,"OpenSSH"] for more information about fingerprints and SSH. -FreeBSD does not install a graphical environment by default. Refer to crossref:x11[x11,The X Window System] for more information about installing and configuring a graphical window manager. +FreeBSD does not install a graphical environment by default. +Refer to crossref:x11[x11,The X Window System] for more information about installing and configuring a graphical window manager. -Proper shutdown of a FreeBSD computer helps protect data and hardware from damage. _Do not turn off the power before the system has been properly shut down!_ If the user is a member of the `wheel` group, become the superuser by typing `su` at the command line and entering the `root` password. Then, type `shutdown -p now` and the system will shut down cleanly, and if the hardware supports it, turn itself off. +Proper shutdown of a FreeBSD computer helps protect data and hardware from damage. +_Do not turn off the power before the system has been properly shut down!_ If the user is a member of the `wheel` group, become the superuser by typing `su` at the command line and entering the `root` password. +Then, type `shutdown -p now` and the system will shut down cleanly, and if the hardware supports it, turn itself off. [[bsdinstall-network]] == Network Interfaces @@ -952,25 +1136,34 @@ Proper shutdown of a FreeBSD computer helps protect data and hardware from damag [[bsdinstall-config-network-dev]] === Configuring Network Interfaces -Next, a list of the network interfaces found on the computer is shown. Select the interface to configure. +Next, a list of the network interfaces found on the computer is shown. +Select the interface to configure. [[bsdinstall-configure-net-interface]] .Choose a Network Interface image::bsdinstall-configure-network-interface.png[] -If an Ethernet interface is selected, the installer will skip ahead to the menu shown in <<bsdinstall-configure-net-ipv4>>. If a wireless network interface is chosen, the system will instead scan for wireless access points: +If an Ethernet interface is selected, the installer will skip ahead to the menu shown in <<bsdinstall-configure-net-ipv4>>. +If a wireless network interface is chosen, the system will instead scan for wireless access points: [[bsdinstall-wireless-scan]] .Scanning for Wireless Access Points image::bsdinstall-configure-wireless-scan.png[] -Wireless networks are identified by a Service Set Identifier (SSID), a short, unique name given to each network. SSIDs found during the scan are listed, followed by a description of the encryption types available for that network. If the desired SSID does not appear in the list, select btn:[Rescan] to scan again. If the desired network still does not appear, check for problems with antenna connections or try moving the computer closer to the access point. Rescan after each change is made. +Wireless networks are identified by a Service Set Identifier (SSID), a short, unique name given to each network. +SSIDs found during the scan are listed, followed by a description of the encryption types available for that network. +If the desired SSID does not appear in the list, select btn:[Rescan] to scan again. +If the desired network still does not appear, check for problems with antenna connections or try moving the computer closer to the access point. +Rescan after each change is made. [[bsdinstall-wireless-accesspoints]] .Choosing a Wireless Network image::bsdinstall-configure-wireless-accesspoints.png[] -Next, enter the encryption information for connecting to the selected wireless network. WPA2 encryption is strongly recommended as older encryption types, like WEP, offer little security. If the network uses WPA2, input the password, also known as the Pre-Shared Key (PSK). For security reasons, the characters typed into the input box are displayed as asterisks. +Next, enter the encryption information for connecting to the selected wireless network. +WPA2 encryption is strongly recommended as older encryption types, like WEP, offer little security. +If the network uses WPA2, input the password, also known as the Pre-Shared Key (PSK). +For security reasons, the characters typed into the input box are displayed as asterisks. [[bsdinstall-wireless-wpa2]] .WPA2 Setup @@ -982,14 +1175,18 @@ Next, choose whether or not an IPv4 address should be configured on the Ethernet .Choose IPv4 Networking image::bsdinstall-configure-network-interface-ipv4.png[] -There are two methods of IPv4 configuration. DHCP will automatically configure the network interface correctly and should be used if the network provides a DHCP server. Otherwise, the addressing information needs to be input manually as a static configuration. +There are two methods of IPv4 configuration. +DHCP will automatically configure the network interface correctly and should be used if the network provides a DHCP server. +Otherwise, the addressing information needs to be input manually as a static configuration. [NOTE] ==== -Do not enter random network information as it will not work. If a DHCP server is not available, obtain the information listed in <<bsdinstall-collect-network-information, Required Network Information>> from the network administrator or Internet service provider. +Do not enter random network information as it will not work. +If a DHCP server is not available, obtain the information listed in <<bsdinstall-collect-network-information, Required Network Information>> from the network administrator or Internet service provider. ==== -If a DHCP server is available, select btn:[Yes] in the next menu to automatically configure the network interface. The installer will appear to pause for a minute or so as it finds the DHCP server and obtains the addressing information for the system. +If a DHCP server is available, select btn:[Yes] in the next menu to automatically configure the network interface. +The installer will appear to pause for a minute or so as it finds the DHCP server and obtains the addressing information for the system. [[bsdinstall-net-ipv4-dhcp]] .Choose IPv4DHCP Configuration @@ -1011,9 +1208,13 @@ The next screen will ask if the interface should be configured for IPv6. If IPv6 .Choose IPv6 Networking image::bsdinstall-configure-network-interface-ipv6.png[] -IPv6 also has two methods of configuration. StateLess Address AutoConfiguration (SLAAC) will automatically request the correct configuration information from a local router. Refer to http://tools.ietf.org/html/rfc4862[rfc4862] for more information. Static configuration requires manual entry of network information. +IPv6 also has two methods of configuration. +StateLess Address AutoConfiguration (SLAAC) will automatically request the correct configuration information from a local router. +Refer to http://tools.ietf.org/html/rfc4862[rfc4862] for more information. +Static configuration requires manual entry of network information. -If an IPv6 router is available, select btn:[Yes] in the next menu to automatically configure the network interface. The installer will appear to pause for a minute or so as it finds the router and obtains the addressing information for the system. +If an IPv6 router is available, select btn:[Yes] in the next menu to automatically configure the network interface. +The installer will appear to pause for a minute or so as it finds the router and obtains the addressing information for the system. [[bsdinstall-net-ipv6-slaac]] .Choose IPv6 SLAAC Configuration @@ -1028,13 +1229,18 @@ image::bsdinstall-configure-network-interface-ipv6-static.png[] * `IPv6 Address` - The IPv6 address assigned to this computer. The address must be unique and not already in use by another piece of equipment on the local network. * `Default Router` - The IPv6 address of the network's default gateway. -The last network configuration menu is used to configure the Domain Name System (DNS) resolver, which converts hostnames to and from network addresses. If DHCP or SLAAC was used to autoconfigure the network interface, the `Resolver Configuration` values may already be filled in. Otherwise, enter the local network's domain name in the `Search` field. `DNS #1` and `DNS #2` are the IPv4 and/or IPv6 addresses of the DNS servers. At least one DNS server is required. +The last network configuration menu is used to configure the Domain Name System (DNS) resolver, which converts hostnames to and from network addresses. +If DHCP or SLAAC was used to autoconfigure the network interface, the `Resolver Configuration` values may already be filled in. +Otherwise, enter the local network's domain name in the `Search` field. +`DNS #1` and `DNS #2` are the IPv4 and/or IPv6 addresses of the DNS servers. +At least one DNS server is required. [[bsdinstall-net-dns-config]] .DNS Configuration image::bsdinstall-configure-network-ipv4-dns.png[] -Once the interface is configured, select a mirror site that is located in the same region of the world as the computer on which FreeBSD is being installed. Files can be retrieved more quickly when the mirror is close to the target computer, reducing installation time. +Once the interface is configured, select a mirror site that is located in the same region of the world as the computer on which FreeBSD is being installed. +Files can be retrieved more quickly when the mirror is close to the target computer, reducing installation time. [[bsdinstall-netinstall-mirror]] .Choosing a Mirror @@ -1045,28 +1251,39 @@ image::bsdinstall-netinstall-mirrorselect.png[] This section covers basic installation troubleshooting, such as common problems people have reported. -Check the Hardware Notes (link:https://www.FreeBSD.org/releases/[https://www.freebsd.org/releases/]) document for the version of FreeBSD to make sure the hardware is supported. If the hardware is supported and lock-ups or other problems occur, build a custom kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel] to add support for devices which are not present in the [.filename]#GENERIC# kernel. The default kernel assumes that most hardware devices are in their factory default configuration in terms of IRQs, I/O addresses, and DMA channels. If the hardware has been reconfigured, a custom kernel configuration file can tell FreeBSD where to find things. +Check the Hardware Notes (link:https://www.FreeBSD.org/releases/[https://www.freebsd.org/releases/]) document for the version of FreeBSD to make sure the hardware is supported. +If the hardware is supported and lock-ups or other problems occur, build a custom kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel] to add support for devices which are not present in the [.filename]#GENERIC# kernel. +The default kernel assumes that most hardware devices are in their factory default configuration in terms of IRQs, I/O addresses, and DMA channels. +If the hardware has been reconfigured, a custom kernel configuration file can tell FreeBSD where to find things. [NOTE] ==== -Some installation problems can be avoided or alleviated by updating the firmware on various hardware components, most notably the motherboard. Motherboard firmware is usually referred to as the BIOS. Most motherboard and computer manufacturers have a website for upgrades and upgrade information. +Some installation problems can be avoided or alleviated by updating the firmware on various hardware components, most notably the motherboard. +Motherboard firmware is usually referred to as the BIOS. +Most motherboard and computer manufacturers have a website for upgrades and upgrade information. -Manufacturers generally advise against upgrading the motherboard BIOS unless there is a good reason for doing so, like a critical update. The upgrade process _can_ go wrong, leaving the BIOS incomplete and the computer inoperative. +Manufacturers generally advise against upgrading the motherboard BIOS unless there is a good reason for doing so, like a critical update. +The upgrade process _can_ go wrong, leaving the BIOS incomplete and the computer inoperative. ==== -If the system hangs while probing hardware during boot, or it behaves strangely during install, ACPI may be the culprit. FreeBSD makes extensive use of the system ACPI service on the i386 and amd64 platforms to aid in system configuration if it is detected during boot. Unfortunately, some bugs still exist in both the ACPI driver and within system motherboards and BIOS firmware. ACPI can be disabled by setting the `hint.acpi.0.disabled` hint in the third stage boot loader: +If the system hangs while probing hardware during boot, or it behaves strangely during install, ACPI may be the culprit. +FreeBSD makes extensive use of the system ACPI service on the i386 and amd64 platforms to aid in system configuration if it is detected during boot. +Unfortunately, some bugs still exist in both the ACPI driver and within system motherboards and BIOS firmware. +ACPI can be disabled by setting the `hint.acpi.0.disabled` hint in the third stage boot loader: [source,shell] .... set hint.acpi.0.disabled="1" .... -This is reset each time the system is booted, so it is necessary to add `hint.acpi.0.disabled="1"` to the file [.filename]#/boot/loader.conf#. More information about the boot loader can be found in crossref:boot[boot-synopsis,“Synopsis”]. +This is reset each time the system is booted, so it is necessary to add `hint.acpi.0.disabled="1"` to the file [.filename]#/boot/loader.conf#. +More information about the boot loader can be found in crossref:boot[boot-synopsis,“Synopsis”]. [[using-live-cd]] == Using the Live CD -The welcome menu of bsdinstall, shown in <<bsdinstall-choose-mode>>, provides a btn:[Live CD] option. This is useful for those who are still wondering whether FreeBSD is the right operating system for them and want to test some of the features before installing. +The welcome menu of bsdinstall, shown in <<bsdinstall-choose-mode>>, provides a btn:[Live CD] option. +This is useful for those who are still wondering whether FreeBSD is the right operating system for them and want to test some of the features before installing. The following points should be noted before using the btn:[Live CD]: diff --git a/documentation/content/en/books/handbook/config/_index.adoc b/documentation/content/en/books/handbook/config/_index.adoc index c99d5d4d5d..9eba4273e8 100644 --- a/documentation/content/en/books/handbook/config/_index.adoc +++ b/documentation/content/en/books/handbook/config/_index.adoc @@ -46,7 +46,8 @@ toc::[] [[config-synopsis]] == Synopsis -One of the important aspects of FreeBSD is proper system configuration. This chapter explains much of the FreeBSD configuration process, including some of the parameters which can be set to tune a FreeBSD system. +One of the important aspects of FreeBSD is proper system configuration. +This chapter explains much of the FreeBSD configuration process, including some of the parameters which can be set to tune a FreeBSD system. After reading this chapter, you will know: @@ -65,13 +66,17 @@ Before reading this chapter, you should: [[configtuning-starting-services]] == Starting Services -Many users install third party software on FreeBSD from the Ports Collection and require the installed services to be started upon system initialization. Services, such as package:mail/postfix[] or package:www/apache22[] are just two of the many software packages which may be started during system initialization. This section explains the procedures available for starting third party software. +Many users install third party software on FreeBSD from the Ports Collection and require the installed services to be started upon system initialization. +Services, such as package:mail/postfix[] or package:www/apache22[] are just two of the many software packages which may be started during system initialization. +This section explains the procedures available for starting third party software. In FreeBSD, most included services, such as man:cron[8], are started through the system startup scripts. === Extended Application Configuration -Now that FreeBSD includes [.filename]#rc.d#, configuration of application startup is easier and provides more features. Using the key words discussed in <<configtuning-rcd>>, applications can be set to start after certain other services and extra flags can be passed through [.filename]#/etc/rc.conf# in place of hard coded flags in the startup script. A basic script may look similar to the following: +Now that FreeBSD includes [.filename]#rc.d#, configuration of application startup is easier and provides more features. +Using the key words discussed in <<configtuning-rcd>>, applications can be set to start after certain other services and extra flags can be passed through [.filename]#/etc/rc.conf# in place of hard coded flags in the startup script. +A basic script may look similar to the following: [.programlisting] .... @@ -100,7 +105,8 @@ pidfile=${utility_pidfile-"/var/run/utility.pid"} run_rc_command "$1" .... -This script will ensure that the provided `utility` will be started after the `DAEMON` pseudo-service. It also provides a method for setting and tracking the process ID (PID). +This script will ensure that the provided `utility` will be started after the `DAEMON` pseudo-service. +It also provides a method for setting and tracking the process ID (PID). This application could then have the following line placed in [.filename]#/etc/rc.conf#: @@ -113,20 +119,32 @@ This method allows for easier manipulation of command line arguments, inclusion === Using Services to Start Services -Other services can be started using man:inetd[8]. Working with man:inetd[8] and its configuration is described in depth in crossref:network-servers[network-inetd,“The inetd Super-Server”]. +Other services can be started using man:inetd[8]. +Working with man:inetd[8] and its configuration is described in depth in crossref:network-servers[network-inetd,“The inetd Super-Server”]. -In some cases, it may make more sense to use man:cron[8] to start system services. This approach has a number of advantages as man:cron[8] runs these processes as the owner of the man:crontab[5]. This allows regular users to start and maintain their own applications. +In some cases, it may make more sense to use man:cron[8] to start system services. +This approach has a number of advantages as man:cron[8] runs these processes as the owner of the man:crontab[5]. +This allows regular users to start and maintain their own applications. -The `@reboot` feature of man:cron[8], may be used in place of the time specification. This causes the job to run when man:cron[8] is started, normally during system initialization. +The `@reboot` feature of man:cron[8], may be used in place of the time specification. +This causes the job to run when man:cron[8] is started, normally during system initialization. [[configtuning-cron]] == Configuring man:cron[8] -One of the most useful utilities in FreeBSD is cron. This utility runs in the background and regularly checks [.filename]#/etc/crontab# for tasks to execute and searches [.filename]#/var/cron/tabs# for custom crontab files. These files are used to schedule tasks which cron runs at the specified times. Each entry in a crontab defines a task to run and is known as a _cron job_. +One of the most useful utilities in FreeBSD is cron. +This utility runs in the background and regularly checks [.filename]#/etc/crontab# for tasks to execute and searches [.filename]#/var/cron/tabs# for custom crontab files. +These files are used to schedule tasks which cron runs at the specified times. +Each entry in a crontab defines a task to run and is known as a _cron job_. -Two different types of configuration files are used: the system crontab, which should not be modified, and user crontabs, which can be created and edited as needed. The format used by these files is documented in man:crontab[5]. The format of the system crontab, [.filename]#/etc/crontab# includes a `who` column which does not exist in user crontabs. In the system crontab, cron runs the command as the user specified in this column. In a user crontab, all commands run as the user who created the crontab. +Two different types of configuration files are used: the system crontab, which should not be modified, and user crontabs, which can be created and edited as needed. +The format used by these files is documented in man:crontab[5]. +The format of the system crontab, [.filename]#/etc/crontab# includes a `who` column which does not exist in user crontabs. +In the system crontab, cron runs the command as the user specified in this column. +In a user crontab, all commands run as the user who created the crontab. -User crontabs allow individual users to schedule their own tasks. The `root` user can also have a user [.filename]#crontab# which can be used to schedule tasks that do not exist in the system [.filename]#crontab#. +User crontabs allow individual users to schedule their own tasks. +The `root` user can also have a user [.filename]#crontab# which can be used to schedule tasks that do not exist in the system [.filename]#crontab#. Here is a sample entry from the system crontab, [.filename]#/etc/crontab#: @@ -162,7 +180,9 @@ To create a user crontab, invoke `crontab` in editor mode: % crontab -e .... -This will open the user's crontab using the default text editor. The first time a user runs this command, it will open an empty file. Once a user creates a crontab, this command will open that file for editing. +This will open the user's crontab using the default text editor. +The first time a user runs this command, it will open an empty file. +Once a user creates a crontab, this command will open that file for editing. It is useful to add these lines to the top of the crontab file in order to set the environment variables and to remember the meanings of the fields in the crontab: @@ -174,7 +194,9 @@ PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin # minute hour mday month wday command .... -Then add a line for each command or script to run, specifying the time to run the command. This example runs the specified custom Bourne shell script every day at two in the afternoon. Since the path to the script is not specified in `PATH`, the full path to the script is given: +Then add a line for each command or script to run, specifying the time to run the command. +This example runs the specified custom Bourne shell script every day at two in the afternoon. +Since the path to the script is not specified in `PATH`, the full path to the script is given: [.programlisting] .... @@ -184,17 +206,21 @@ Then add a line for each command or script to run, specifying the time to run th [TIP] ==== -Before using a custom script, make sure it is executable and test it with the limited set of environment variables set by cron. To replicate the environment that would be used to run the above cron entry, use: +Before using a custom script, make sure it is executable and test it with the limited set of environment variables set by cron. +To replicate the environment that would be used to run the above cron entry, use: [.programlisting] .... env -i SHELL=/bin/sh PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin HOME=/home/dru LOGNAME=dru /usr/home/dru/bin/mycustomscript.sh .... -The environment set by cron is discussed in man:crontab[5]. Checking that scripts operate correctly in a cron environment is especially important if they include any commands that delete files using wildcards. +The environment set by cron is discussed in man:crontab[5]. +Checking that scripts operate correctly in a cron environment is especially important if they include any commands that delete files using wildcards. ==== -When finished editing the crontab, save the file. It will automatically be installed and cron will read the crontab and run its cron jobs at their specified times. To list the cron jobs in a crontab, use this command: +When finished editing the crontab, save the file. +It will automatically be installed and cron will read the crontab and run its cron jobs at their specified times. +To list the cron jobs in a crontab, use this command: [source,shell] .... @@ -213,30 +239,39 @@ remove crontab for dru? y [[configtuning-rcd]] == Managing Services in FreeBSD -FreeBSD uses the man:rc[8] system of startup scripts during system initialization and for managing services. The scripts listed in [.filename]#/etc/rc.d# provide basic services which can be controlled with the `start`, `stop`, and `restart` options to man:service[8]. For instance, man:sshd[8] can be restarted with the following command: +FreeBSD uses the man:rc[8] system of startup scripts during system initialization and for managing services. +The scripts listed in [.filename]#/etc/rc.d# provide basic services which can be controlled with the `start`, `stop`, and `restart` options to man:service[8]. +For instance, man:sshd[8] can be restarted with the following command: [source,shell] .... # service sshd restart .... -This procedure can be used to start services on a running system. Services will be started automatically at boot time as specified in man:rc.conf[5]. For example, to enable man:natd[8] at system startup, add the following line to [.filename]#/etc/rc.conf#: +This procedure can be used to start services on a running system. +Services will be started automatically at boot time as specified in man:rc.conf[5]. +For example, to enable man:natd[8] at system startup, add the following line to [.filename]#/etc/rc.conf#: [.programlisting] .... natd_enable="YES" .... -If a `natd_enable="NO"` line is already present, change the `NO` to `YES`. The man:rc[8] scripts will automatically load any dependent services during the next boot, as described below. +If a `natd_enable="NO"` line is already present, change the `NO` to `YES`. +The man:rc[8] scripts will automatically load any dependent services during the next boot, as described below. -Since the man:rc[8] system is primarily intended to start and stop services at system startup and shutdown time, the `start`, `stop` and `restart` options will only perform their action if the appropriate [.filename]#/etc/rc.conf# variable is set. For instance, `sshd restart` will only work if `sshd_enable` is set to `YES` in [.filename]#/etc/rc.conf#. To `start`, `stop` or `restart` a service regardless of the settings in [.filename]#/etc/rc.conf#, these commands should be prefixed with "one". For instance, to restart man:sshd[8] regardless of the current [.filename]#/etc/rc.conf# setting, execute the following command: +Since the man:rc[8] system is primarily intended to start and stop services at system startup and shutdown time, the `start`, `stop` and `restart` options will only perform their action if the appropriate [.filename]#/etc/rc.conf# variable is set. +For instance, `sshd restart` will only work if `sshd_enable` is set to `YES` in [.filename]#/etc/rc.conf#. +To `start`, `stop` or `restart` a service regardless of the settings in [.filename]#/etc/rc.conf#, these commands should be prefixed with "one". +For instance, to restart man:sshd[8] regardless of the current [.filename]#/etc/rc.conf# setting, execute the following command: [source,shell] .... # service sshd onerestart .... -To check if a service is enabled in [.filename]#/etc/rc.conf#, run the appropriate man:rc[8] script with `rcvar`. This example checks to see if man:sshd[8] is enabled in [.filename]#/etc/rc.conf#: +To check if a service is enabled in [.filename]#/etc/rc.conf#, run the appropriate man:rc[8] script with `rcvar`. +This example checks to see if man:sshd[8] is enabled in [.filename]#/etc/rc.conf#: [source,shell] .... @@ -252,7 +287,8 @@ sshd_enable="YES" The `# sshd` line is output from the above command, not a `root` console. ==== -To determine whether or not a service is running, use `status`. For instance, to verify that man:sshd[8] is running: +To determine whether or not a service is running, use `status`. +For instance, to verify that man:sshd[8] is running: [source,shell] .... @@ -260,9 +296,13 @@ To determine whether or not a service is running, use `status`. For instance, to sshd is running as pid 433. .... -In some cases, it is also possible to `reload` a service. This attempts to send a signal to an individual service, forcing the service to reload its configuration files. In most cases, this means sending the service a `SIGHUP` signal. Support for this feature is not included for every service. +In some cases, it is also possible to `reload` a service. +This attempts to send a signal to an individual service, forcing the service to reload its configuration files. +In most cases, this means sending the service a `SIGHUP` signal. +Support for this feature is not included for every service. -The man:rc[8] system is used for network services and it also contributes to most of the system initialization. For instance, when the [.filename]#/etc/rc.d/bgfsck# script is executed, it prints out the following message: +The man:rc[8] system is used for network services and it also contributes to most of the system initialization. +For instance, when the [.filename]#/etc/rc.d/bgfsck# script is executed, it prints out the following message: [source,shell] .... @@ -271,29 +311,40 @@ Starting background file system checks in 60 seconds. This script is used for background file system checks, which occur only during system initialization. -Many system services depend on other services to function properly. For example, man:yp[8] and other RPC-based services may fail to start until after the man:rpcbind[8] service has started. To resolve this issue, information about dependencies and other meta-data is included in the comments at the top of each startup script. The man:rcorder[8] program is used to parse these comments during system initialization to determine the order in which system services should be invoked to satisfy the dependencies. +Many system services depend on other services to function properly. +For example, man:yp[8] and other RPC-based services may fail to start until after the man:rpcbind[8] service has started. +To resolve this issue, information about dependencies and other meta-data is included in the comments at the top of each startup script. +The man:rcorder[8] program is used to parse these comments during system initialization to determine the order in which system services should be invoked to satisfy the dependencies. The following key word must be included in all startup scripts as it is required by man:rc.subr[8] to "enable" the startup script: * `PROVIDE`: Specifies the services this file provides. -The following key words may be included at the top of each startup script. They are not strictly necessary, but are useful as hints to man:rcorder[8]: +The following key words may be included at the top of each startup script. +They are not strictly necessary, but are useful as hints to man:rcorder[8]: * `REQUIRE`: Lists services which are required for this service. The script containing this key word will run _after_ the specified services. * `BEFORE`: Lists services which depend on this service. The script containing this key word will run _before_ the specified services. By carefully setting these keywords for each startup script, an administrator has a fine-grained level of control of the startup order of the scripts, without the need for "runlevels" used by some UNIX(R) operating systems. -Additional information can be found in man:rc[8] and man:rc.subr[8]. Refer to link:{rc-scripting}[this article] for instructions on how to create custom man:rc[8] scripts. +Additional information can be found in man:rc[8] and man:rc.subr[8]. +Refer to link:{rc-scripting}[this article] for instructions on how to create custom man:rc[8] scripts. [[configtuning-core-configuration]] === Managing System-Specific Configuration -The principal location for system configuration information is [.filename]#/etc/rc.conf#. This file contains a wide range of configuration information and it is read at system startup to configure the system. It provides the configuration information for the [.filename]#rc*# files. +The principal location for system configuration information is [.filename]#/etc/rc.conf#. +This file contains a wide range of configuration information and it is read at system startup to configure the system. +It provides the configuration information for the [.filename]#rc*# files. -The entries in [.filename]#/etc/rc.conf# override the default settings in [.filename]#/etc/defaults/rc.conf#. The file containing the default settings should not be edited. Instead, all system-specific changes should be made to [.filename]#/etc/rc.conf#. +The entries in [.filename]#/etc/rc.conf# override the default settings in [.filename]#/etc/defaults/rc.conf#. +The file containing the default settings should not be edited. +Instead, all system-specific changes should be made to [.filename]#/etc/rc.conf#. -A number of strategies may be applied in clustered applications to separate site-wide configuration from system-specific configuration in order to reduce administration overhead. The recommended approach is to place system-specific configuration into [.filename]#/etc/rc.conf.local#. For example, these entries in [.filename]#/etc/rc.conf# apply to all systems: +A number of strategies may be applied in clustered applications to separate site-wide configuration from system-specific configuration in order to reduce administration overhead. +The recommended approach is to place system-specific configuration into [.filename]#/etc/rc.conf.local#. +For example, these entries in [.filename]#/etc/rc.conf# apply to all systems: [.programlisting] .... @@ -317,7 +368,9 @@ Upgrading the system will not overwrite [.filename]#/etc/rc.conf#, so system con [TIP] ==== -Both [.filename]#/etc/rc.conf# and [.filename]#/etc/rc.conf.local# are parsed by man:sh[1]. This allows system operators to create complex configuration scenarios. Refer to man:rc.conf[5] for further information on this topic. +Both [.filename]#/etc/rc.conf# and [.filename]#/etc/rc.conf.local# are parsed by man:sh[1]. +This allows system operators to create complex configuration scenarios. +Refer to man:rc.conf[5] for further information on this topic. ==== [[config-network-setup]] @@ -327,11 +380,17 @@ Adding and configuring a network interface card (NIC) is a common task for any F === Locating the Correct Driver -First, determine the model of the NIC and the chip it uses. FreeBSD supports a wide variety of NICs. Check the Hardware Compatibility List for the FreeBSD release to see if the NIC is supported. +First, determine the model of the NIC and the chip it uses. +FreeBSD supports a wide variety of NICs. +Check the Hardware Compatibility List for the FreeBSD release to see if the NIC is supported. -If the NIC is supported, determine the name of the FreeBSD driver for the NIC. Refer to [.filename]#/usr/src/sys/conf/NOTES# and [.filename]#/usr/src/sys/arch/conf/NOTES# for the list of NIC drivers with some information about the supported chipsets. When in doubt, read the manual page of the driver as it will provide more information about the supported hardware and any known limitations of the driver. +If the NIC is supported, determine the name of the FreeBSD driver for the NIC. +Refer to [.filename]#/usr/src/sys/conf/NOTES# and [.filename]#/usr/src/sys/arch/conf/NOTES# for the list of NIC drivers with some information about the supported chipsets. +When in doubt, read the manual page of the driver as it will provide more information about the supported hardware and any known limitations of the driver. -The drivers for common NICs are already present in the [.filename]#GENERIC# kernel, meaning the NIC should be probed during boot. The system's boot messages can be viewed by typing `more /var/run/dmesg.boot` and using the spacebar to scroll through the text. In this example, two Ethernet NICs using the man:dc[4] driver are present on the system: +The drivers for common NICs are already present in the [.filename]#GENERIC# kernel, meaning the NIC should be probed during boot. +The system's boot messages can be viewed by typing `more /var/run/dmesg.boot` and using the spacebar to scroll through the text. +In this example, two Ethernet NICs using the man:dc[4] driver are present on the system: [source,shell] .... @@ -351,7 +410,8 @@ dc1: Ethernet address: 00:a0:cc:da:da:db dc1: [ITHREAD] .... -If the driver for the NIC is not present in [.filename]#GENERIC#, but a driver is available, the driver will need to be loaded before the NIC can be configured and used. This may be accomplished in one of two ways: +If the driver for the NIC is not present in [.filename]#GENERIC#, but a driver is available, the driver will need to be loaded before the NIC can be configured and used. +This may be accomplished in one of two ways: * The easiest way is to load a kernel module for the NIC using man:kldload[8]. To also automatically load the driver at boot time, add the appropriate line to [.filename]#/boot/loader.conf#. Not all NIC drivers are available as modules. * Alternatively, statically compile support for the NIC into a custom kernel. Refer to [.filename]#/usr/src/sys/conf/NOTES#, [.filename]#/usr/src/sys/arch/conf/NOTES# and the manual page of the driver to determine which line to add to the custom kernel configuration file. For more information about recompiling the kernel, refer to crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. If the NIC was detected at boot, the kernel does not need to be recompiled. @@ -359,9 +419,13 @@ If the driver for the NIC is not present in [.filename]#GENERIC#, but a driver i [[config-network-ndis]] ==== Using Windows(R) NDIS Drivers -Unfortunately, there are still many vendors that do not provide schematics for their drivers to the open source community because they regard such information as trade secrets. Consequently, the developers of FreeBSD and other operating systems are left with two choices: develop the drivers by a long and pain-staking process of reverse engineering or using the existing driver binaries available for Microsoft(R) Windows(R) platforms. +Unfortunately, there are still many vendors that do not provide schematics for their drivers to the open source community because they regard such information as trade secrets. +Consequently, the developers of FreeBSD and other operating systems are left with two choices: develop the drivers by a long and pain-staking process of reverse engineering or using the existing driver binaries available for Microsoft(R) Windows(R) platforms. -FreeBSD provides "native" support for the Network Driver Interface Specification (NDIS). It includes man:ndisgen[8] which can be used to convert a Windows(R) XP driver into a format that can be used on FreeBSD. As the man:ndis[4] driver uses a Windows(R) XP binary, it only runs on i386(TM) and amd64 systems. PCI, CardBus, PCMCIA, and USB devices are supported. +FreeBSD provides "native" support for the Network Driver Interface Specification (NDIS). +It includes man:ndisgen[8] which can be used to convert a Windows(R) XP driver into a format that can be used on FreeBSD. +As the man:ndis[4] driver uses a Windows(R) XP binary, it only runs on i386(TM) and amd64 systems. +PCI, CardBus, PCMCIA, and USB devices are supported. To use man:ndisgen[8], three things are needed: @@ -369,25 +433,34 @@ To use man:ndisgen[8], three things are needed: . A Windows(R) XP driver binary with a [.filename]#.SYS# extension. . A Windows(R) XP driver configuration file with a [.filename]#.INF# extension. -Download the [.filename]#.SYS# and [.filename]#.INF# files for the specific NIC. Generally, these can be found on the driver CD or at the vendor's website. The following examples use [.filename]#W32DRIVER.SYS# and [.filename]#W32DRIVER.INF#. +Download the [.filename]#.SYS# and [.filename]#.INF# files for the specific NIC. +Generally, these can be found on the driver CD or at the vendor's website. +The following examples use [.filename]#W32DRIVER.SYS# and [.filename]#W32DRIVER.INF#. -The driver bit width must match the version of FreeBSD. For FreeBSD/i386, use a Windows(R) 32-bit driver. For FreeBSD/amd64, a Windows(R) 64-bit driver is needed. +The driver bit width must match the version of FreeBSD. +For FreeBSD/i386, use a Windows(R) 32-bit driver. +For FreeBSD/amd64, a Windows(R) 64-bit driver is needed. -The next step is to compile the driver binary into a loadable kernel module. As `root`, use man:ndisgen[8]: +The next step is to compile the driver binary into a loadable kernel module. +As `root`, use man:ndisgen[8]: [source,shell] .... # ndisgen /path/to/W32DRIVER.INF /path/to/W32DRIVER.SYS .... -This command is interactive and prompts for any extra information it requires. A new kernel module will be generated in the current directory. Use man:kldload[8] to load the new module: +This command is interactive and prompts for any extra information it requires. +A new kernel module will be generated in the current directory. +Use man:kldload[8] to load the new module: [source,shell] .... # kldload ./W32DRIVER_SYS.ko .... -In addition to the generated kernel module, the [.filename]#ndis.ko# and [.filename]#if_ndis.ko# modules must be loaded. This should happen automatically when any module that depends on man:ndis[4] is loaded. If not, load them manually, using the following commands: +In addition to the generated kernel module, the [.filename]#ndis.ko# and [.filename]#if_ndis.ko# modules must be loaded. +This should happen automatically when any module that depends on man:ndis[4] is loaded. +If not, load them manually, using the following commands: [source,shell] .... @@ -397,7 +470,8 @@ In addition to the generated kernel module, the [.filename]#ndis.ko# and [.filen The first command loads the man:ndis[4] miniport driver wrapper and the second loads the generated NIC driver. -Check man:dmesg[8] to see if there were any load errors. If all went well, the output should be similar to the following: +Check man:dmesg[8] to see if there were any load errors. +If all went well, the output should be similar to the following: [source,shell] .... @@ -410,7 +484,8 @@ ndis0: 11g rates: 6Mbps 9Mbps 12Mbps 18Mbps 36Mbps 48Mbps 54Mbps From here, [.filename]#ndis0# can be configured like any other NIC. -To configure the system to load the man:ndis[4] modules at boot time, copy the generated module, [.filename]#W32DRIVER_SYS.ko#, to [.filename]#/boot/modules#. Then, add the following line to [.filename]#/boot/loader.conf#: +To configure the system to load the man:ndis[4] modules at boot time, copy the generated module, [.filename]#W32DRIVER_SYS.ko#, to [.filename]#/boot/modules#. +Then, add the following line to [.filename]#/boot/loader.conf#: [.programlisting] .... @@ -419,7 +494,8 @@ W32DRIVER_SYS_load="YES" === Configuring the Network Card -Once the right driver is loaded for the NIC, the card needs to be configured. It may have been configured at installation time by man:bsdinstall[8]. +Once the right driver is loaded for the NIC, the card needs to be configured. +It may have been configured at installation time by man:bsdinstall[8]. To display the NIC configuration, enter the following command: @@ -452,9 +528,11 @@ In this example, the following devices were displayed: * [.filename]#dc1#: The second Ethernet interface. * [.filename]#lo0#: The loopback device. -FreeBSD uses the driver name followed by the order in which the card is detected at boot to name the NIC. For example, [.filename]#sis2# is the third NIC on the system using the man:sis[4] driver. +FreeBSD uses the driver name followed by the order in which the card is detected at boot to name the NIC. +For example, [.filename]#sis2# is the third NIC on the system using the man:sis[4] driver. -In this example, [.filename]#dc0# is up and running. The key indicators are: +In this example, [.filename]#dc0# is up and running. +The key indicators are: . `UP` means that the card is configured and ready. . The card has an Internet (`inet`) address, `192.168.1.3`. @@ -477,7 +555,9 @@ dc0: flags=8843<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500 it would indicate the card has not been configured. -The card must be configured as `root`. The NIC configuration can be performed from the command line with man:ifconfig[8] but will not persist after a reboot unless the configuration is also added to [.filename]#/etc/rc.conf#. If a DHCP server is present on the LAN, just add this line: +The card must be configured as `root`. +The NIC configuration can be performed from the command line with man:ifconfig[8] but will not persist after a reboot unless the configuration is also added to [.filename]#/etc/rc.conf#. +If a DHCP server is present on the LAN, just add this line: [.programlisting] .... @@ -490,10 +570,12 @@ The line added, then, follow the instructions given in <<config-network-testing> [NOTE] ==== -If the network was configured during installation, some entries for the NIC(s) may be already present. Double check [.filename]#/etc/rc.conf# before adding any lines. +If the network was configured during installation, some entries for the NIC(s) may be already present. +Double check [.filename]#/etc/rc.conf# before adding any lines. ==== -If there is no DHCP server, the NIC(s) must be configured manually. Add a line for each NIC present on the system, as seen in this example: +If there is no DHCP server, the NIC(s) must be configured manually. +Add a line for each NIC present on the system, as seen in this example: [.programlisting] .... @@ -501,9 +583,11 @@ ifconfig_dc0="inet 192.168.1.3 netmask 255.255.255.0" ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP" .... -Replace [.filename]#dc0# and [.filename]#dc1# and the IP address information with the correct values for the system. Refer to the man page for the driver, man:ifconfig[8], and man:rc.conf[5] for more details about the allowed options and the syntax of [.filename]#/etc/rc.conf#. +Replace [.filename]#dc0# and [.filename]#dc1# and the IP address information with the correct values for the system. +Refer to the man page for the driver, man:ifconfig[8], and man:rc.conf[5] for more details about the allowed options and the syntax of [.filename]#/etc/rc.conf#. -If the network is not using DNS, edit [.filename]#/etc/hosts# to add the names and IP addresses of the hosts on the LAN, if they are not already there. For more information, refer to man:hosts[5] and to [.filename]#/usr/share/examples/etc/hosts#. +If the network is not using DNS, edit [.filename]#/etc/hosts# to add the names and IP addresses of the hosts on the LAN, if they are not already there. +For more information, refer to man:hosts[5] and to [.filename]#/usr/share/examples/etc/hosts#. [NOTE] ==== @@ -520,7 +604,8 @@ If there is no DHCP server and access to the Internet is needed, manually config [[config-network-testing]] === Testing and Troubleshooting -Once the necessary changes to [.filename]#/etc/rc.conf# are saved, a reboot can be used to test the network configuration and to verify that the system restarts without any configuration errors. Alternatively, apply the settings to the networking system with this command: +Once the necessary changes to [.filename]#/etc/rc.conf# are saved, a reboot can be used to test the network configuration and to verify that the system restarts without any configuration errors. +Alternatively, apply the settings to the networking system with this command: [source,shell] .... @@ -574,41 +659,68 @@ PING 192.168.1.2 (192.168.1.2): 56 data bytes round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms .... -To test network resolution, use the host name instead of the IP address. If there is no DNS server on the network, [.filename]#/etc/hosts# must first be configured. To this purpose, edit [.filename]#/etc/hosts# to add the names and IP addresses of the hosts on the LAN, if they are not already there. For more information, refer to man:hosts[5] and to [.filename]#/usr/share/examples/etc/hosts#. +To test network resolution, use the host name instead of the IP address. +If there is no DNS server on the network, [.filename]#/etc/hosts# must first be configured. +To this purpose, edit [.filename]#/etc/hosts# to add the names and IP addresses of the hosts on the LAN, if they are not already there. +For more information, refer to man:hosts[5] and to [.filename]#/usr/share/examples/etc/hosts#. ==== Troubleshooting -When troubleshooting hardware and software configurations, check the simple things first. Is the network cable plugged in? Are the network services properly configured? Is the firewall configured correctly? Is the NIC supported by FreeBSD? Before sending a bug report, always check the Hardware Notes, update the version of FreeBSD to the latest STABLE version, check the mailing list archives, and search the Internet. +When troubleshooting hardware and software configurations, check the simple things first. +Is the network cable plugged in? Are the network services properly configured? Is the firewall configured correctly? Is the NIC supported by FreeBSD? Before sending a bug report, always check the Hardware Notes, update the version of FreeBSD to the latest STABLE version, check the mailing list archives, and search the Internet. -If the card works, yet performance is poor, read through man:tuning[7]. Also, check the network configuration as incorrect network settings can cause slow connections. +If the card works, yet performance is poor, read through man:tuning[7]. +Also, check the network configuration as incorrect network settings can cause slow connections. -Some users experience one or two `device timeout` messages, which is normal for some cards. If they continue, or are bothersome, determine if the device is conflicting with another device. Double check the cable connections. Consider trying another card. +Some users experience one or two `device timeout` messages, which is normal for some cards. +If they continue, or are bothersome, determine if the device is conflicting with another device. +Double check the cable connections. +Consider trying another card. -To resolve `watchdog timeout` errors, first check the network cable. Many cards require a PCI slot which supports bus mastering. On some old motherboards, only one PCI slot allows it, usually slot 0. Check the NIC and the motherboard documentation to determine if that may be the problem. +To resolve `watchdog timeout` errors, first check the network cable. +Many cards require a PCI slot which supports bus mastering. +On some old motherboards, only one PCI slot allows it, usually slot 0. +Check the NIC and the motherboard documentation to determine if that may be the problem. -`No route to host` messages occur if the system is unable to route a packet to the destination host. This can happen if no default route is specified or if a cable is unplugged. Check the output of `netstat -rn` and make sure there is a valid route to the host. If there is not, read crossref:advanced-networking[network-routing,“Gateways and Routes”]. +`No route to host` messages occur if the system is unable to route a packet to the destination host. +This can happen if no default route is specified or if a cable is unplugged. +Check the output of `netstat -rn` and make sure there is a valid route to the host. +If there is not, read crossref:advanced-networking[network-routing,“Gateways and Routes”]. -`ping: sendto: Permission denied` error messages are often caused by a misconfigured firewall. If a firewall is enabled on FreeBSD but no rules have been defined, the default policy is to deny all traffic, even man:ping[8]. Refer to crossref:firewalls[firewalls,Firewalls] for more information. +`ping: sendto: Permission denied` error messages are often caused by a misconfigured firewall. +If a firewall is enabled on FreeBSD but no rules have been defined, the default policy is to deny all traffic, even man:ping[8]. +Refer to crossref:firewalls[firewalls,Firewalls] for more information. -Sometimes performance of the card is poor or below average. In these cases, try setting the media selection mode from `autoselect` to the correct media selection. While this works for most hardware, it may or may not resolve the issue. Again, check all the network settings, and refer to man:tuning[7]. +Sometimes performance of the card is poor or below average. +In these cases, try setting the media selection mode from `autoselect` to the correct media selection. +While this works for most hardware, it may or may not resolve the issue. +Again, check all the network settings, and refer to man:tuning[7]. [[configtuning-virtual-hosts]] == Virtual Hosts -A common use of FreeBSD is virtual site hosting, where one server appears to the network as many servers. This is achieved by assigning multiple network addresses to a single interface. +A common use of FreeBSD is virtual site hosting, where one server appears to the network as many servers. +This is achieved by assigning multiple network addresses to a single interface. -A given network interface has one "real" address, and may have any number of "alias" addresses. These aliases are normally added by placing alias entries in [.filename]#/etc/rc.conf#, as seen in this example: +A given network interface has one "real" address, and may have any number of "alias" addresses. +These aliases are normally added by placing alias entries in [.filename]#/etc/rc.conf#, as seen in this example: [.programlisting] .... ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx" .... -Alias entries must start with `alias__0__` using a sequential number such as `alias0`, `alias1`, and so on. The configuration process will stop at the first missing number. +Alias entries must start with `alias__0__` using a sequential number such as `alias0`, `alias1`, and so on. +The configuration process will stop at the first missing number. -The calculation of alias netmasks is important. For a given interface, there must be one address which correctly represents the network's netmask. Any other addresses which fall within this network must have a netmask of all ``1``s, expressed as either `255.255.255.255` or `0xffffffff`. +The calculation of alias netmasks is important. +For a given interface, there must be one address which correctly represents the network's netmask. +Any other addresses which fall within this network must have a netmask of all ``1``s, expressed as either `255.255.255.255` or `0xffffffff`. -For example, consider the case where the [.filename]#fxp0# interface is connected to two networks: `10.1.1.0` with a netmask of `255.255.255.0` and `202.0.75.16` with a netmask of `255.255.255.240`. The system is to be configured to appear in the ranges `10.1.1.1` through `10.1.1.5` and `202.0.75.17` through `202.0.75.20`. Only the first address in a given network range should have a real netmask. All the rest (`10.1.1.2` through `10.1.1.5` and `202.0.75.18` through `202.0.75.20`) must be configured with a netmask of `255.255.255.255`. +For example, consider the case where the [.filename]#fxp0# interface is connected to two networks: `10.1.1.0` with a netmask of `255.255.255.0` and `202.0.75.16` with a netmask of `255.255.255.240`. +The system is to be configured to appear in the ranges `10.1.1.1` through `10.1.1.5` and `202.0.75.17` through `202.0.75.20`. +Only the first address in a given network range should have a real netmask. +All the rest (`10.1.1.2` through `10.1.1.5` and `202.0.75.18` through `202.0.75.20`) must be configured with a netmask of `255.255.255.255`. The following [.filename]#/etc/rc.conf# entries configure the adapter correctly for this scenario: @@ -625,7 +737,8 @@ ifconfig_fxp0_alias6="inet 202.0.75.19 netmask 255.255.255.255" ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255" .... -A simpler way to express this is with a space-separated list of IP address ranges. The first address will be given the indicated subnet mask and the additional addresses will have a subnet mask of `255.255.255.255`. +A simpler way to express this is with a space-separated list of IP address ranges. +The first address will be given the indicated subnet mask and the additional addresses will have a subnet mask of `255.255.255.255`. [.programlisting] .... @@ -635,17 +748,34 @@ ifconfig_fxp0_aliases="inet 10.1.1.1-5/24 inet 202.0.75.17-20/28" [[configtuning-syslog]] == Configuring System Logging -Generating and reading system logs is an important aspect of system administration. The information in system logs can be used to detect hardware and software issues as well as application and system configuration errors. This information also plays an important role in security auditing and incident response. Most system daemons and applications will generate log entries. +Generating and reading system logs is an important aspect of system administration. +The information in system logs can be used to detect hardware and software issues as well as application and system configuration errors. +This information also plays an important role in security auditing and incident response. +Most system daemons and applications will generate log entries. -FreeBSD provides a system logger, syslogd, to manage logging. By default, syslogd is started when the system boots. This is controlled by the variable `syslogd_enable` in [.filename]#/etc/rc.conf#. There are numerous application arguments that can be set using `syslogd_flags` in [.filename]#/etc/rc.conf#. Refer to man:syslogd[8] for more information on the available arguments. +FreeBSD provides a system logger, syslogd, to manage logging. +By default, syslogd is started when the system boots. +This is controlled by the variable `syslogd_enable` in [.filename]#/etc/rc.conf#. +There are numerous application arguments that can be set using `syslogd_flags` in [.filename]#/etc/rc.conf#. +Refer to man:syslogd[8] for more information on the available arguments. This section describes how to configure the FreeBSD system logger for both local and remote logging and how to perform log rotation and log management. === Configuring Local Logging -The configuration file, [.filename]#/etc/syslog.conf#, controls what syslogd does with log entries as they are received. There are several parameters to control the handling of incoming events. The _facility_ describes which subsystem generated the message, such as the kernel or a daemon, and the _level_ describes the severity of the event that occurred. This makes it possible to configure if and where a log message is logged, depending on the facility and level. It is also possible to take action depending on the application that sent the message, and in the case of remote logging, the hostname of the machine generating the logging event. +The configuration file, [.filename]#/etc/syslog.conf#, controls what syslogd does with log entries as they are received. +There are several parameters to control the handling of incoming events. +The _facility_ describes which subsystem generated the message, such as the kernel or a daemon, and the _level_ describes the severity of the event that occurred. +This makes it possible to configure if and where a log message is logged, depending on the facility and level. +It is also possible to take action depending on the application that sent the message, and in the case of remote logging, the hostname of the machine generating the logging event. -This configuration file contains one line per action, where the syntax for each line is a selector field followed by an action field. The syntax of the selector field is _facility.level_ which will match log messages from _facility_ at level _level_ or higher. It is also possible to add an optional comparison flag before the level to specify more precisely what is logged. Multiple selector fields can be used for the same action, and are separated with a semicolon (`;`). Using `*` will match everything. The action field denotes where to send the log message, such as to a file or remote log host. As an example, here is the default [.filename]#syslog.conf# from FreeBSD: +This configuration file contains one line per action, where the syntax for each line is a selector field followed by an action field. +The syntax of the selector field is _facility.level_ which will match log messages from _facility_ at level _level_ or higher. +It is also possible to add an optional comparison flag before the level to specify more precisely what is logged. +Multiple selector fields can be used for the same action, and are separated with a semicolon (`;`). +Using `*` will match everything. +The action field denotes where to send the log message, such as to a file or remote log host. +As an example, here is the default [.filename]#syslog.conf# from FreeBSD: [.programlisting] .... @@ -695,7 +825,8 @@ In this example: The available levels, in order from most to least critical are `emerg`, `alert`, `crit`, `err`, `warning`, `notice`, `info`, and `debug`. -The facilities, in no particular order, are `auth`, `authpriv`, `console`, `cron`, `daemon`, `ftp`, `kern`, `lpr`, `mail`, `mark`, `news`, `security`, `syslog`, `user`, `uucp`, and `local0` through `local7`. Be aware that other operating systems might have different facilities. +The facilities, in no particular order, are `auth`, `authpriv`, `console`, `cron`, `daemon`, `ftp`, `kern`, `lpr`, `mail`, `mark`, `news`, `security`, `syslog`, `user`, `uucp`, and `local0` through `local7`. +Be aware that other operating systems might have different facilities. To log everything of level `notice` and higher to [.filename]#/var/log/daemon.log#, add the following entry: @@ -704,13 +835,23 @@ To log everything of level `notice` and higher to [.filename]#/var/log/daemon.lo daemon.notice /var/log/daemon.log .... -For more information about the different levels and facilities, refer to man:syslog[3] and man:syslogd[8]. For more information about [.filename]#/etc/syslog.conf#, its syntax, and more advanced usage examples, see man:syslog.conf[5]. +For more information about the different levels and facilities, refer to man:syslog[3] and man:syslogd[8]. +For more information about [.filename]#/etc/syslog.conf#, its syntax, and more advanced usage examples, see man:syslog.conf[5]. === Log Management and Rotation -Log files can grow quickly, taking up disk space and making it more difficult to locate useful information. Log management attempts to mitigate this. In FreeBSD, newsyslog is used to manage log files. This built-in program periodically rotates and compresses log files, and optionally creates missing log files and signals programs when log files are moved. The log files may be generated by syslogd or by any other program which generates log files. While newsyslog is normally run from man:cron[8], it is not a system daemon. In the default configuration, it runs every hour. +Log files can grow quickly, taking up disk space and making it more difficult to locate useful information. +Log management attempts to mitigate this. +In FreeBSD, newsyslog is used to manage log files. +This built-in program periodically rotates and compresses log files, and optionally creates missing log files and signals programs when log files are moved. +The log files may be generated by syslogd or by any other program which generates log files. +While newsyslog is normally run from man:cron[8], it is not a system daemon. +In the default configuration, it runs every hour. -To know which actions to take, newsyslog reads its configuration file, [.filename]#/etc/newsyslog.conf#. This file contains one line for each log file that newsyslog manages. Each line states the file owner, permissions, when to rotate that file, optional flags that affect log rotation, such as compression, and programs to signal when the log is rotated. Here is the default configuration in FreeBSD: +To know which actions to take, newsyslog reads its configuration file, [.filename]#/etc/newsyslog.conf#. +This file contains one line for each log file that newsyslog manages. +Each line states the file owner, permissions, when to rotate that file, optional flags that affect log rotation, such as compression, and programs to signal when the log is rotated. +Here is the default configuration in FreeBSD: [.programlisting] .... @@ -755,25 +896,37 @@ To know which actions to take, newsyslog reads its configuration file, [.filenam /var/log/xferlog 600 7 100 * JC .... -Each line starts with the name of the log to be rotated, optionally followed by an owner and group for both rotated and newly created files. The `mode` field sets the permissions on the log file and `count` denotes how many rotated log files should be kept. The `size` and `when` fields tell newsyslog when to rotate the file. A log file is rotated when either its size is larger than the `size` field or when the time in the `when` field has passed. An asterisk (`*`) means that this field is ignored. The _flags_ field gives further instructions, such as how to compress the rotated file or to create the log file if it is missing. The last two fields are optional and specify the name of the Process ID (PID) file of a process and a signal number to send to that process when the file is rotated. +Each line starts with the name of the log to be rotated, optionally followed by an owner and group for both rotated and newly created files. +The `mode` field sets the permissions on the log file and `count` denotes how many rotated log files should be kept. +The `size` and `when` fields tell newsyslog when to rotate the file. +A log file is rotated when either its size is larger than the `size` field or when the time in the `when` field has passed. +An asterisk (`*`) means that this field is ignored. +The _flags_ field gives further instructions, such as how to compress the rotated file or to create the log file if it is missing. +The last two fields are optional and specify the name of the Process ID (PID) file of a process and a signal number to send to that process when the file is rotated. -For more information on all fields, valid flags, and how to specify the rotation time, refer to man:newsyslog.conf[5]. Since newsyslog is run from man:cron[8], it cannot rotate files more often than it is scheduled to run from man:cron[8]. +For more information on all fields, valid flags, and how to specify the rotation time, refer to man:newsyslog.conf[5]. +Since newsyslog is run from man:cron[8], it cannot rotate files more often than it is scheduled to run from man:cron[8]. [[network-syslogd]] === Configuring Remote Logging -Monitoring the log files of multiple hosts can become unwieldy as the number of systems increases. Configuring centralized logging can reduce some of the administrative burden of log file administration. +Monitoring the log files of multiple hosts can become unwieldy as the number of systems increases. +Configuring centralized logging can reduce some of the administrative burden of log file administration. -In FreeBSD, centralized log file aggregation, merging, and rotation can be configured using syslogd and newsyslog. This section demonstrates an example configuration, where host `A`, named `logserv.example.com`, will collect logging information for the local network. Host `B`, named `logclient.example.com`, will be configured to pass logging information to the logging server. +In FreeBSD, centralized log file aggregation, merging, and rotation can be configured using syslogd and newsyslog. +This section demonstrates an example configuration, where host `A`, named `logserv.example.com`, will collect logging information for the local network. +Host `B`, named `logclient.example.com`, will be configured to pass logging information to the logging server. ==== Log Server Configuration -A log server is a system that has been configured to accept logging information from other hosts. Before configuring a log server, check the following: +A log server is a system that has been configured to accept logging information from other hosts. +Before configuring a log server, check the following: * If there is a firewall between the logging server and any logging clients, ensure that the firewall ruleset allows UDP port 514 for both the clients and the server. * The logging server and all client machines must have forward and reverse entries in the local DNS. If the network does not have a DNS server, create entries in each system's [.filename]#/etc/hosts#. Proper name resolution is required so that log entries are not rejected by the logging server. -On the log server, edit [.filename]#/etc/syslog.conf# to specify the name of the client to receive log entries from, the logging facility to be used, and the name of the log to store the host's log entries. This example adds the hostname of `B`, logs all facilities, and stores the log entries in [.filename]#/var/log/logclient.log#. +On the log server, edit [.filename]#/etc/syslog.conf# to specify the name of the client to receive log entries from, the logging facility to be used, and the name of the log to store the host's log entries. +This example adds the hostname of `B`, logs all facilities, and stores the log entries in [.filename]#/var/log/logclient.log#. .Sample Log Server Configuration [example] @@ -787,7 +940,8 @@ On the log server, edit [.filename]#/etc/syslog.conf# to specify the name of the ==== -When adding multiple log clients, add a similar two-line entry for each client. More information about the available facilities may be found in man:syslog.conf[5]. +When adding multiple log clients, add a similar two-line entry for each client. +More information about the available facilities may be found in man:syslog.conf[5]. Next, configure [.filename]#/etc/rc.conf#: @@ -797,9 +951,14 @@ syslogd_enable="YES" syslogd_flags="-a logclient.example.com -v -v" .... -The first entry starts syslogd at system boot. The second entry allows log entries from the specified client. The `-v -v` increases the verbosity of logged messages. This is useful for tweaking facilities as administrators are able to see what type of messages are being logged under each facility. +The first entry starts syslogd at system boot. +The second entry allows log entries from the specified client. +The `-v -v` increases the verbosity of logged messages. +This is useful for tweaking facilities as administrators are able to see what type of messages are being logged under each facility. -Multiple `-a` options may be specified to allow logging from multiple clients. IP addresses and whole netblocks may also be specified. Refer to man:syslogd[8] for a full list of possible options. +Multiple `-a` options may be specified to allow logging from multiple clients. +IP addresses and whole netblocks may also be specified. +Refer to man:syslogd[8] for a full list of possible options. Finally, create the log file: @@ -816,11 +975,13 @@ At this point, syslogd should be restarted and verified: # pgrep syslog .... -If a PID is returned, the server restarted successfully, and client configuration can begin. If the server did not restart, consult [.filename]#/var/log/messages# for the error. +If a PID is returned, the server restarted successfully, and client configuration can begin. +If the server did not restart, consult [.filename]#/var/log/messages# for the error. ==== Log Client Configuration -A logging client sends log entries to a logging server on the network. The client also keeps a local copy of its own logs. +A logging client sends log entries to a logging server on the network. +The client also keeps a local copy of its own logs. Once a logging server has been configured, edit [.filename]#/etc/rc.conf# on the logging client: @@ -830,9 +991,11 @@ syslogd_enable="YES" syslogd_flags="-s -v -v" .... -The first entry enables syslogd on boot up. The second entry prevents logs from being accepted by this client from other hosts (`-s`) and increases the verbosity of logged messages. +The first entry enables syslogd on boot up. +The second entry prevents logs from being accepted by this client from other hosts (`-s`) and increases the verbosity of logged messages. -Next, define the logging server in the client's [.filename]#/etc/syslog.conf#. In this example, all logged facilities are sent to a remote system, denoted by the `@` symbol, with the specified hostname: +Next, define the logging server in the client's [.filename]#/etc/syslog.conf#. +In this example, all logged facilities are sent to a remote system, denoted by the `@` symbol, with the specified hostname: [.programlisting] .... @@ -857,9 +1020,14 @@ This message should now exist both in [.filename]#/var/log/messages# on the clie ==== Debugging Log Servers -If no messages are being received on the log server, the cause is most likely a network connectivity issue, a hostname resolution issue, or a typo in a configuration file. To isolate the cause, ensure that both the logging server and the logging client are able to `ping` each other using the hostname specified in their [.filename]#/etc/rc.conf#. If this fails, check the network cabling, the firewall ruleset, and the hostname entries in the DNS server or [.filename]#/etc/hosts# on both the logging server and clients. Repeat until the `ping` is successful from both hosts. +If no messages are being received on the log server, the cause is most likely a network connectivity issue, a hostname resolution issue, or a typo in a configuration file. +To isolate the cause, ensure that both the logging server and the logging client are able to `ping` each other using the hostname specified in their [.filename]#/etc/rc.conf#. +If this fails, check the network cabling, the firewall ruleset, and the hostname entries in the DNS server or [.filename]#/etc/hosts# on both the logging server and clients. +Repeat until the `ping` is successful from both hosts. -If the `ping` succeeds on both hosts but log messages are still not being received, temporarily increase logging verbosity to narrow down the configuration issue. In the following example, [.filename]#/var/log/logclient.log# on the logging server is empty and [.filename]#/var/log/messages# on the logging client does not indicate a reason for the failure. To increase debugging output, edit the `syslogd_flags` entry on the logging server and issue a restart: +If the `ping` succeeds on both hosts but log messages are still not being received, temporarily increase logging verbosity to narrow down the configuration issue. +In the following example, [.filename]#/var/log/logclient.log# on the logging server is empty and [.filename]#/var/log/messages# on the logging client does not indicate a reason for the failure. +To increase debugging output, edit the `syslogd_flags` entry on the logging server and issue a restart: [.programlisting] .... @@ -885,7 +1053,9 @@ validate: dgram from IP 192.168.1.10, port 514, name logclient.example.com; rejected in rule 0 due to name mismatch. .... -In this example, the log messages are being rejected due to a typo which results in a hostname mismatch. The client's hostname should be `logclient`, not `logclien`. Fix the typo, issue a restart, and verify the results: +In this example, the log messages are being rejected due to a typo which results in a hostname mismatch. +The client's hostname should be `logclient`, not `logclien`. +Fix the typo, issue a restart, and verify the results: [source,shell] .... @@ -908,16 +1078,26 @@ At this point, the messages are being properly received and placed in the correc ==== Security Considerations -As with any network service, security requirements should be considered before implementing a logging server. Log files may contain sensitive data about services enabled on the local host, user accounts, and configuration data. Network data sent from the client to the server will not be encrypted or password protected. If a need for encryption exists, consider using package:security/stunnel[], which will transmit the logging data over an encrypted tunnel. +As with any network service, security requirements should be considered before implementing a logging server. +Log files may contain sensitive data about services enabled on the local host, user accounts, and configuration data. +Network data sent from the client to the server will not be encrypted or password protected. +If a need for encryption exists, consider using package:security/stunnel[], which will transmit the logging data over an encrypted tunnel. -Local security is also an issue. Log files are not encrypted during use or after log rotation. Local users may access log files to gain additional insight into system configuration. Setting proper permissions on log files is critical. The built-in log rotator, newsyslog, supports setting permissions on newly created and rotated log files. Setting log files to mode `600` should prevent unwanted access by local users. Refer to man:newsyslog.conf[5] for additional information. +Local security is also an issue. +Log files are not encrypted during use or after log rotation. +Local users may access log files to gain additional insight into system configuration. +Setting proper permissions on log files is critical. +The built-in log rotator, newsyslog, supports setting permissions on newly created and rotated log files. +Setting log files to mode `600` should prevent unwanted access by local users. +Refer to man:newsyslog.conf[5] for additional information. [[configtuning-configfiles]] == Configuration Files === [.filename]#/etc# Layout -There are a number of directories in which configuration information is kept. These include: +There are a number of directories in which configuration information is kept. +These include: [.informaltable] [cols="1,1", frame="none"] @@ -985,7 +1165,9 @@ When using DHCP, man:dhclient[8] usually rewrites [.filename]#/etc/resolv.conf# ==== [.filename]#/etc/hosts# -[.filename]#/etc/hosts# is a simple text database which works in conjunction with DNS and NIS to provide host name to IP address mappings. Entries for local computers connected via a LAN can be added to this file for simplistic naming purposes instead of setting up a man:named[8] server. Additionally, [.filename]#/etc/hosts# can be used to provide a local record of Internet names, reducing the need to query external DNS servers for commonly accessed names. +[.filename]#/etc/hosts# is a simple text database which works in conjunction with DNS and NIS to provide host name to IP address mappings. +Entries for local computers connected via a LAN can be added to this file for simplistic naming purposes instead of setting up a man:named[8] server. +Additionally, [.filename]#/etc/hosts# can be used to provide a local record of Internet names, reducing the need to query external DNS servers for commonly accessed names. [.programlisting] .... @@ -1042,7 +1224,9 @@ Consult man:hosts[5] for more information. [[configtuning-sysctl]] == Tuning with man:sysctl[8] -man:sysctl[8] is used to make changes to a running FreeBSD system. This includes many advanced options of the TCP/IP stack and virtual memory system that can dramatically improve performance for an experienced system administrator. Over five hundred system variables can be read and set using man:sysctl[8]. +man:sysctl[8] is used to make changes to a running FreeBSD system. +This includes many advanced options of the TCP/IP stack and virtual memory system that can dramatically improve performance for an experienced system administrator. +Over five hundred system variables can be read and set using man:sysctl[8]. At its core, man:sysctl[8] serves two functions: to read and to modify system settings. @@ -1071,12 +1255,16 @@ kern.maxfiles: 2088 -> 5000 Settings of sysctl variables are usually either strings, numbers, or booleans, where a boolean is `1` for yes or `0` for no. -To automatically set some variables each time the machine boots, add them to [.filename]#/etc/sysctl.conf#. For more information, refer to man:sysctl.conf[5] and <<configtuning-sysctlconf>>. +To automatically set some variables each time the machine boots, add them to [.filename]#/etc/sysctl.conf#. +For more information, refer to man:sysctl.conf[5] and <<configtuning-sysctlconf>>. [[configtuning-sysctlconf]] === [.filename]#sysctl.conf# -The configuration file for man:sysctl[8], [.filename]#/etc/sysctl.conf#, looks much like [.filename]#/etc/rc.conf#. Values are set in a `variable=value` form. The specified values are set after the system goes into multi-user mode. Not all variables are settable in this mode. +The configuration file for man:sysctl[8], [.filename]#/etc/sysctl.conf#, looks much like [.filename]#/etc/rc.conf#. +Values are set in a `variable=value` form. +The specified values are set after the system goes into multi-user mode. +Not all variables are settable in this mode. For example, to turn off logging of fatal signal exits and prevent users from seeing processes started by other users, the following tunables can be set in [.filename]#/etc/sysctl.conf#: @@ -1103,47 +1291,84 @@ cbb0: Could not map register memory device_probe_and_attach: cbb0 attach returned 12 .... -The fix requires the modification of a read-only man:sysctl[8] setting. Add `hw.pci.allow_unsupported_io_range=1` to [.filename]#/boot/loader.conf# and reboot. Now man:cardbus[4] should work properly. +The fix requires the modification of a read-only man:sysctl[8] setting. +Add `hw.pci.allow_unsupported_io_range=1` to [.filename]#/boot/loader.conf# and reboot. +Now man:cardbus[4] should work properly. [[configtuning-disk]] == Tuning Disks -The following section will discuss various tuning mechanisms and options which may be applied to disk devices. In many cases, disks with mechanical parts, such as SCSI drives, will be the bottleneck driving down the overall system performance. While a solution is to install a drive without mechanical parts, such as a solid state drive, mechanical drives are not going away anytime in the near future. When tuning disks, it is advisable to utilize the features of the man:iostat[8] command to test various changes to the system. This command will allow the user to obtain valuable information on system IO. +The following section will discuss various tuning mechanisms and options which may be applied to disk devices. +In many cases, disks with mechanical parts, such as SCSI drives, will be the bottleneck driving down the overall system performance. +While a solution is to install a drive without mechanical parts, such as a solid state drive, mechanical drives are not going away anytime in the near future. +When tuning disks, it is advisable to utilize the features of the man:iostat[8] command to test various changes to the system. +This command will allow the user to obtain valuable information on system IO. === Sysctl Variables ==== `vfs.vmiodirenable` -The `vfs.vmiodirenable` man:sysctl[8] variable may be set to either `0` (off) or `1` (on). It is set to `1` by default. This variable controls how directories are cached by the system. Most directories are small, using just a single fragment (typically 1 K) in the file system and typically 512 bytes in the buffer cache. With this variable turned off, the buffer cache will only cache a fixed number of directories, even if the system has a huge amount of memory. When turned on, this man:sysctl[8] allows the buffer cache to use the VM page cache to cache the directories, making all the memory available for caching directories. However, the minimum in-core memory used to cache a directory is the physical page size (typically 4 K) rather than 512 bytes. Keeping this option enabled is recommended if the system is running any services which manipulate large numbers of files. Such services can include web caches, large mail systems, and news systems. Keeping this option on will generally not reduce performance, even with the wasted memory, but one should experiment to find out. +The `vfs.vmiodirenable` man:sysctl[8] variable may be set to either `0` (off) or `1` (on). +It is set to `1` by default. This variable controls how directories are cached by the system. +Most directories are small, using just a single fragment (typically 1 K) in the file system and typically 512 bytes in the buffer cache. +With this variable turned off, the buffer cache will only cache a fixed number of directories, even if the system has a huge amount of memory. +When turned on, this man:sysctl[8] allows the buffer cache to use the VM page cache to cache the directories, making all the memory available for caching directories. +However, the minimum in-core memory used to cache a directory is the physical page size (typically 4 K) rather than 512 bytes. +Keeping this option enabled is recommended if the system is running any services which manipulate large numbers of files. +Such services can include web caches, large mail systems, and news systems. +Keeping this option on will generally not reduce performance, even with the wasted memory, but one should experiment to find out. ==== `vfs.write_behind` -The `vfs.write_behind` man:sysctl[8] variable defaults to `1` (on). This tells the file system to issue media writes as full clusters are collected, which typically occurs when writing large sequential files. This avoids saturating the buffer cache with dirty buffers when it would not benefit I/O performance. However, this may stall processes and under certain circumstances should be turned off. +The `vfs.write_behind` man:sysctl[8] variable defaults to `1` (on). +This tells the file system to issue media writes as full clusters are collected, which typically occurs when writing large sequential files. +This avoids saturating the buffer cache with dirty buffers when it would not benefit I/O performance. +However, this may stall processes and under certain circumstances should be turned off. ==== `vfs.hirunningspace` -The `vfs.hirunningspace` man:sysctl[8] variable determines how much outstanding write I/O may be queued to disk controllers system-wide at any given instance. The default is usually sufficient, but on machines with many disks, try bumping it up to four or five _megabytes_. Setting too high a value which exceeds the buffer cache's write threshold can lead to bad clustering performance. Do not set this value arbitrarily high as higher write values may add latency to reads occurring at the same time. +The `vfs.hirunningspace` man:sysctl[8] variable determines how much outstanding write I/O may be queued to disk controllers system-wide at any given instance. +The default is usually sufficient, but on machines with many disks, try bumping it up to four or five _megabytes_. +Setting too high a value which exceeds the buffer cache's write threshold can lead to bad clustering performance. +Do not set this value arbitrarily high as higher write values may add latency to reads occurring at the same time. -There are various other buffer cache and VM page cache related man:sysctl[8] values. Modifying these values is not recommended as the VM system does a good job of automatically tuning itself. +There are various other buffer cache and VM page cache related man:sysctl[8] values. +Modifying these values is not recommended as the VM system does a good job of automatically tuning itself. ==== `vm.swap_idle_enabled` -The `vm.swap_idle_enabled` man:sysctl[8] variable is useful in large multi-user systems with many active login users and lots of idle processes. Such systems tend to generate continuous pressure on free memory reserves. Turning this feature on and tweaking the swapout hysteresis (in idle seconds) via `vm.swap_idle_threshold1` and `vm.swap_idle_threshold2` depresses the priority of memory pages associated with idle processes more quickly then the normal pageout algorithm. This gives a helping hand to the pageout daemon. Only turn this option on if needed, because the tradeoff is essentially pre-page memory sooner rather than later which eats more swap and disk bandwidth. In a small system this option will have a determinable effect, but in a large system that is already doing moderate paging, this option allows the VM system to stage whole processes into and out of memory easily. +The `vm.swap_idle_enabled` man:sysctl[8] variable is useful in large multi-user systems with many active login users and lots of idle processes. +Such systems tend to generate continuous pressure on free memory reserves. +Turning this feature on and tweaking the swapout hysteresis (in idle seconds) via `vm.swap_idle_threshold1` and `vm.swap_idle_threshold2` depresses the priority of memory pages associated with idle processes more quickly then the normal pageout algorithm. +This gives a helping hand to the pageout daemon. +Only turn this option on if needed, because the tradeoff is essentially pre-page memory sooner rather than later which eats more swap and disk bandwidth. +In a small system this option will have a determinable effect, but in a large system that is already doing moderate paging, this option allows the VM system to stage whole processes into and out of memory easily. ==== `hw.ata.wc` -Turning off IDE write caching reduces write bandwidth to IDE disks, but may sometimes be necessary due to data consistency issues introduced by hard drive vendors. The problem is that some IDE drives lie about when a write completes. With IDE write caching turned on, IDE hard drives write data to disk out of order and will sometimes delay writing some blocks indefinitely when under heavy disk load. A crash or power failure may cause serious file system corruption. Check the default on the system by observing the `hw.ata.wc` man:sysctl[8] variable. If IDE write caching is turned off, one can set this read-only variable to `1` in [.filename]#/boot/loader.conf# in order to enable it at boot time. +Turning off IDE write caching reduces write bandwidth to IDE disks, but may sometimes be necessary due to data consistency issues introduced by hard drive vendors. +The problem is that some IDE drives lie about when a write completes. +With IDE write caching turned on, IDE hard drives write data to disk out of order and will sometimes delay writing some blocks indefinitely when under heavy disk load. +A crash or power failure may cause serious file system corruption. +Check the default on the system by observing the `hw.ata.wc` man:sysctl[8] variable. +If IDE write caching is turned off, one can set this read-only variable to `1` in [.filename]#/boot/loader.conf# in order to enable it at boot time. For more information, refer to man:ata[4]. ==== `SCSI_DELAY` (`kern.cam.scsi_delay`) -The `SCSI_DELAY` kernel configuration option may be used to reduce system boot times. The defaults are fairly high and can be responsible for `15` seconds of delay in the boot process. Reducing it to `5` seconds usually works with modern drives. The `kern.cam.scsi_delay` boot time tunable should be used. The tunable and kernel configuration option accept values in terms of _milliseconds_ and _not seconds_. +The `SCSI_DELAY` kernel configuration option may be used to reduce system boot times. +The defaults are fairly high and can be responsible for `15` seconds of delay in the boot process. +Reducing it to `5` seconds usually works with modern drives. +The `kern.cam.scsi_delay` boot time tunable should be used. +The tunable and kernel configuration option accept values in terms of _milliseconds_ and _not seconds_. [[soft-updates]] === Soft Updates -To fine-tune a file system, use man:tunefs[8]. This program has many different options. To toggle Soft Updates on and off, use: +To fine-tune a file system, use man:tunefs[8]. +This program has many different options. +To toggle Soft Updates on and off, use: [source,shell] .... @@ -1151,23 +1376,75 @@ To fine-tune a file system, use man:tunefs[8]. This program has many different o # tunefs -n disable /filesystem .... -A file system cannot be modified with man:tunefs[8] while it is mounted. A good time to enable Soft Updates is before any partitions have been mounted, in single-user mode. +A file system cannot be modified with man:tunefs[8] while it is mounted. +A good time to enable Soft Updates is before any partitions have been mounted, in single-user mode. -Soft Updates is recommended for UFS file systems as it drastically improves meta-data performance, mainly file creation and deletion, through the use of a memory cache. There are two downsides to Soft Updates to be aware of. First, Soft Updates guarantee file system consistency in the case of a crash, but could easily be several seconds or even a minute behind updating the physical disk. If the system crashes, unwritten data may be lost. Secondly, Soft Updates delay the freeing of file system blocks. If the root file system is almost full, performing a major update, such as `make installworld`, can cause the file system to run out of space and the update to fail. +Soft Updates is recommended for UFS file systems as it drastically improves meta-data performance, mainly file creation and deletion, through the use of a memory cache. +There are two downsides to Soft Updates to be aware of. +First, Soft Updates guarantee file system consistency in the case of a crash, but could easily be several seconds or even a minute behind updating the physical disk. +If the system crashes, unwritten data may be lost. +Secondly, Soft Updates delay the freeing of file system blocks. +If the root file system is almost full, performing a major update, such as `make installworld`, can cause the file system to run out of space and the update to fail. ==== More Details About Soft Updates -Meta-data updates are updates to non-content data like inodes or directories. There are two traditional approaches to writing a file system's meta-data back to disk. - -Historically, the default behavior was to write out meta-data updates synchronously. If a directory changed, the system waited until the change was actually written to disk. The file data buffers (file contents) were passed through the buffer cache and backed up to disk later on asynchronously. The advantage of this implementation is that it operates safely. If there is a failure during an update, meta-data is always in a consistent state. A file is either created completely or not at all. If the data blocks of a file did not find their way out of the buffer cache onto the disk by the time of the crash, man:fsck[8] recognizes this and repairs the file system by setting the file length to `0`. Additionally, the implementation is clear and simple. The disadvantage is that meta-data changes are slow. For example, `rm -r` touches all the files in a directory sequentially, but each directory change will be written synchronously to the disk. This includes updates to the directory itself, to the inode table, and possibly to indirect blocks allocated by the file. Similar considerations apply for unrolling large hierarchies using `tar -x`. - -The second approach is to use asynchronous meta-data updates. This is the default for a UFS file system mounted with `mount -o async`. Since all meta-data updates are also passed through the buffer cache, they will be intermixed with the updates of the file content data. The advantage of this implementation is there is no need to wait until each meta-data update has been written to disk, so all operations which cause huge amounts of meta-data updates work much faster than in the synchronous case. This implementation is still clear and simple, so there is a low risk for bugs creeping into the code. The disadvantage is that there is no guarantee for a consistent state of the file system. If there is a failure during an operation that updated large amounts of meta-data, like a power failure or someone pressing the reset button, the file system will be left in an unpredictable state. There is no opportunity to examine the state of the file system when the system comes up again as the data blocks of a file could already have been written to the disk while the updates of the inode table or the associated directory were not. It is impossible to implement a man:fsck[8] which is able to clean up the resulting chaos because the necessary information is not available on the disk. If the file system has been damaged beyond repair, the only choice is to reformat it and restore from backup. - -The usual solution for this problem is to implement _dirty region logging_, which is also referred to as _journaling_. Meta-data updates are still written synchronously, but only into a small region of the disk. Later on, they are moved to their proper location. Since the logging area is a small, contiguous region on the disk, there are no long distances for the disk heads to move, even during heavy operations, so these operations are quicker than synchronous updates. Additionally, the complexity of the implementation is limited, so the risk of bugs being present is low. A disadvantage is that all meta-data is written twice, once into the logging region and once to the proper location, so performance "pessimization" might result. On the other hand, in case of a crash, all pending meta-data operations can be either quickly rolled back or completed from the logging area after the system comes up again, resulting in a fast file system startup. - -Kirk McKusick, the developer of Berkeley FFS, solved this problem with Soft Updates. All pending meta-data updates are kept in memory and written out to disk in a sorted sequence ("ordered meta-data updates"). This has the effect that, in case of heavy meta-data operations, later updates to an item "catch" the earlier ones which are still in memory and have not already been written to disk. All operations are generally performed in memory before the update is written to disk and the data blocks are sorted according to their position so that they will not be on the disk ahead of their meta-data. If the system crashes, an implicit "log rewind" causes all operations which were not written to the disk appear as if they never happened. A consistent file system state is maintained that appears to be the one of 30 to 60 seconds earlier. The algorithm used guarantees that all resources in use are marked as such in their blocks and inodes. After a crash, the only resource allocation error that occurs is that resources are marked as "used" which are actually "free". man:fsck[8] recognizes this situation, and frees the resources that are no longer used. It is safe to ignore the dirty state of the file system after a crash by forcibly mounting it with `mount -f`. In order to free resources that may be unused, man:fsck[8] needs to be run at a later time. This is the idea behind the _background man:fsck[8]_: at system startup time, only a _snapshot_ of the file system is recorded and man:fsck[8] is run afterwards. All file systems can then be mounted "dirty", so the system startup proceeds in multi-user mode. Then, background man:fsck[8] is scheduled for all file systems where this is required, to free resources that may be unused. File systems that do not use Soft Updates still need the usual foreground man:fsck[8]. - -The advantage is that meta-data operations are nearly as fast as asynchronous updates and are faster than _logging_, which has to write the meta-data twice. The disadvantages are the complexity of the code, a higher memory consumption, and some idiosyncrasies. After a crash, the state of the file system appears to be somewhat "older". In situations where the standard synchronous approach would have caused some zero-length files to remain after the man:fsck[8], these files do not exist at all with Soft Updates because neither the meta-data nor the file contents have been written to disk. Disk space is not released until the updates have been written to disk, which may take place some time after running man:rm[1]. This may cause problems when installing large amounts of data on a file system that does not have enough free space to hold all the files twice. +Meta-data updates are updates to non-content data like inodes or directories. +There are two traditional approaches to writing a file system's meta-data back to disk. + +Historically, the default behavior was to write out meta-data updates synchronously. +If a directory changed, the system waited until the change was actually written to disk. +The file data buffers (file contents) were passed through the buffer cache and backed up to disk later on asynchronously. +The advantage of this implementation is that it operates safely. +If there is a failure during an update, meta-data is always in a consistent state. +A file is either created completely or not at all. +If the data blocks of a file did not find their way out of the buffer cache onto the disk by the time of the crash, man:fsck[8] recognizes this and repairs the file system by setting the file length to `0`. +Additionally, the implementation is clear and simple. +The disadvantage is that meta-data changes are slow. +For example, `rm -r` touches all the files in a directory sequentially, but each directory change will be written synchronously to the disk. +This includes updates to the directory itself, to the inode table, and possibly to indirect blocks allocated by the file. +Similar considerations apply for unrolling large hierarchies using `tar -x`. + +The second approach is to use asynchronous meta-data updates. +This is the default for a UFS file system mounted with `mount -o async`. +Since all meta-data updates are also passed through the buffer cache, they will be intermixed with the updates of the file content data. +The advantage of this implementation is there is no need to wait until each meta-data update has been written to disk, so all operations which cause huge amounts of meta-data updates work much faster than in the synchronous case. +This implementation is still clear and simple, so there is a low risk for bugs creeping into the code. +The disadvantage is that there is no guarantee for a consistent state of the file system +If there is a failure during an operation that updated large amounts of meta-data, like a power failure or someone pressing the reset button, the file system will be left in an unpredictable state. +There is no opportunity to examine the state of the file system when the system comes up again as the data blocks of a file could already have been written to the disk while the updates of the inode table or the associated directory were not. +It is impossible to implement a man:fsck[8] which is able to clean up the resulting chaos because the necessary information is not available on the disk. +If the file system has been damaged beyond repair, the only choice is to reformat it and restore from backup. + +The usual solution for this problem is to implement _dirty region logging_, which is also referred to as _journaling_. +Meta-data updates are still written synchronously, but only into a small region of the disk. +Later on, they are moved to their proper location. +Since the logging area is a small, contiguous region on the disk, there are no long distances for the disk heads to move, even during heavy operations, so these operations are quicker than synchronous updates. +Additionally, the complexity of the implementation is limited, so the risk of bugs being present is low. +A disadvantage is that all meta-data is written twice, once into the logging region and once to the proper location, so performance "pessimization" might result. +On the other hand, in case of a crash, all pending meta-data operations can be either quickly rolled back or completed from the logging area after the system comes up again, resulting in a fast file system startup. + +Kirk McKusick, the developer of Berkeley FFS, solved this problem with Soft Updates. +All pending meta-data updates are kept in memory and written out to disk in a sorted sequence ("ordered meta-data updates"). +This has the effect that, in case of heavy meta-data operations, later updates to an item "catch" the earlier ones which are still in memory and have not already been written to disk. +All operations are generally performed in memory before the update is written to disk and the data blocks are sorted according to their position so that they will not be on the disk ahead of their meta-data. +If the system crashes, an implicit "log rewind" causes all operations which were not written to the disk appear as if they never happened. +A consistent file system state is maintained that appears to be the one of 30 to 60 seconds earlier. +The algorithm used guarantees that all resources in use are marked as such in their blocks and inodes. +After a crash, the only resource allocation error that occurs is that resources are marked as "used" which are actually "free". +man:fsck[8] recognizes this situation, and frees the resources that are no longer used. +It is safe to ignore the dirty state of the file system after a crash by forcibly mounting it with `mount -f`. +In order to free resources that may be unused, man:fsck[8] needs to be run at a later time. +This is the idea behind the _background man:fsck[8]_: at system startup time, only a _snapshot_ of the file system is recorded and man:fsck[8] is run afterwards. +All file systems can then be mounted "dirty", so the system startup proceeds in multi-user mode. +Then, background man:fsck[8] is scheduled for all file systems where this is required, to free resources that may be unused. +File systems that do not use Soft Updates still need the usual foreground man:fsck[8]. + +The advantage is that meta-data operations are nearly as fast as asynchronous updates and are faster than _logging_, which has to write the meta-data twice. +The disadvantages are the complexity of the code, a higher memory consumption, and some idiosyncrasies. +After a crash, the state of the file system appears to be somewhat "older". +In situations where the standard synchronous approach would have caused some zero-length files to remain after the man:fsck[8], these files do not exist at all with Soft Updates because neither the meta-data nor the file contents have been written to disk. +Disk space is not released until the updates have been written to disk, which may take place some time after running man:rm[1]. +This may cause problems when installing large amounts of data on a file system that does not have enough free space to hold all the files twice. [[configtuning-kernel-limits]] == Tuning Kernel Limits @@ -1178,33 +1455,67 @@ The advantage is that meta-data operations are nearly as fast as asynchronous up [[kern-maxfiles]] ==== `kern.maxfiles` -The `kern.maxfiles` man:sysctl[8] variable can be raised or lowered based upon system requirements. This variable indicates the maximum number of file descriptors on the system. When the file descriptor table is full, `file: table is full` will show up repeatedly in the system message buffer, which can be viewed using man:dmesg[8]. - -Each open file, socket, or fifo uses one file descriptor. A large-scale production server may easily require many thousands of file descriptors, depending on the kind and number of services running concurrently. - -In older FreeBSD releases, the default value of `kern.maxfiles` is derived from `maxusers` in the kernel configuration file. `kern.maxfiles` grows proportionally to the value of `maxusers`. When compiling a custom kernel, consider setting this kernel configuration option according to the use of the system. From this number, the kernel is given most of its pre-defined limits. Even though a production machine may not have 256 concurrent users, the resources needed may be similar to a high-scale web server. - -The read-only man:sysctl[8] variable `kern.maxusers` is automatically sized at boot based on the amount of memory available in the system, and may be determined at run-time by inspecting the value of `kern.maxusers`. Some systems require larger or smaller values of `kern.maxusers` and values of `64`, `128`, and `256` are not uncommon. Going above `256` is not recommended unless a huge number of file descriptors is needed. Many of the tunable values set to their defaults by `kern.maxusers` may be individually overridden at boot-time or run-time in [.filename]#/boot/loader.conf#. Refer to man:loader.conf[5] and [.filename]#/boot/defaults/loader.conf# for more details and some hints. - -In older releases, the system will auto-tune `maxusers` if it is set to `0`. footnote:[The auto-tuning algorithm sets maxusers equal to the amount of memory in the system, with a minimum of 32, and a maximum of 384.]. When setting this option, set `maxusers` to at least `4`, especially if the system runs Xorg or is used to compile software. The most important table set by `maxusers` is the maximum number of processes, which is set to `20 + 16 * maxusers`. If `maxusers` is set to `1`, there can only be `36` simultaneous processes, including the `18` or so that the system starts up at boot time and the `15` or so used by Xorg. Even a simple task like reading a manual page will start up nine processes to filter, decompress, and view it. Setting `maxusers` to `64` allows up to `1044` simultaneous processes, which should be enough for nearly all uses. If, however, the error is displayed when trying to start another program, or a server is running with a large number of simultaneous users, increase the number and rebuild. +The `kern.maxfiles` man:sysctl[8] variable can be raised or lowered based upon system requirements. +This variable indicates the maximum number of file descriptors on the system. +When the file descriptor table is full, `file: table is full` will show up repeatedly in the system message buffer, which can be viewed using man:dmesg[8]. + +Each open file, socket, or fifo uses one file descriptor. +A large-scale production server may easily require many thousands of file descriptors, depending on the kind and number of services running concurrently. + +In older FreeBSD releases, the default value of `kern.maxfiles` is derived from `maxusers` in the kernel configuration file. +`kern.maxfiles` grows proportionally to the value of `maxusers`. +When compiling a custom kernel, consider setting this kernel configuration option according to the use of the system. +From this number, the kernel is given most of its pre-defined limits. +Even though a production machine may not have 256 concurrent users, the resources needed may be similar to a high-scale web server. + +The read-only man:sysctl[8] variable `kern.maxusers` is automatically sized at boot based on the amount of memory available in the system, and may be determined at run-time by inspecting the value of `kern.maxusers`. +Some systems require larger or smaller values of `kern.maxusers` and values of `64`, `128`, and `256` are not uncommon. +Going above `256` is not recommended unless a huge number of file descriptors is needed. +Many of the tunable values set to their defaults by `kern.maxusers` may be individually overridden at boot-time or run-time in [.filename]#/boot/loader.conf#. +Refer to man:loader.conf[5] and [.filename]#/boot/defaults/loader.conf# for more details and some hints. + +In older releases, the system will auto-tune `maxusers` if it is set to `0`. footnote:[The auto-tuning algorithm sets maxusers equal to the amount of memory in the system, with a minimum of 32, and a maximum of 384.]. +When setting this option, set `maxusers` to at least `4`, especially if the system runs Xorg or is used to compile software. +The most important table set by `maxusers` is the maximum number of processes, which is set to `20 + 16 * maxusers`. +If `maxusers` is set to `1`, there can only be `36` simultaneous processes, including the `18` or so that the system starts up at boot time and the `15` or so used by Xorg. +Even a simple task like reading a manual page will start up nine processes to filter, decompress, and view it. +Setting `maxusers` to `64` allows up to `1044` simultaneous processes, which should be enough for nearly all uses. +If, however, the error is displayed when trying to start another program, or a server is running with a large number of simultaneous users, increase the number and rebuild. [NOTE] ==== -`maxusers` does _not_ limit the number of users which can log into the machine. It instead sets various table sizes to reasonable values considering the maximum number of users on the system and how many processes each user will be running. +`maxusers` does _not_ limit the number of users which can log into the machine. +It instead sets various table sizes to reasonable values considering the maximum number of users on the system and how many processes each user will be running. ==== ==== `kern.ipc.soacceptqueue` -The `kern.ipc.soacceptqueue` man:sysctl[8] variable limits the size of the listen queue for accepting new `TCP` connections. The default value of `128` is typically too low for robust handling of new connections on a heavily loaded web server. For such environments, it is recommended to increase this value to `1024` or higher. A service such as man:sendmail[8], or Apache may itself limit the listen queue size, but will often have a directive in its configuration file to adjust the queue size. Large listen queues do a better job of avoiding Denial of Service (DoS) attacks. +The `kern.ipc.soacceptqueue` man:sysctl[8] variable limits the size of the listen queue for accepting new `TCP` connections. +The default value of `128` is typically too low for robust handling of new connections on a heavily loaded web server. +For such environments, it is recommended to increase this value to `1024` or higher. +A service such as man:sendmail[8], or Apache may itself limit the listen queue size, but will often have a directive in its configuration file to adjust the queue size. +Large listen queues do a better job of avoiding Denial of Service (DoS) attacks. [[nmbclusters]] === Network Limits -The `NMBCLUSTERS` kernel configuration option dictates the amount of network Mbufs available to the system. A heavily-trafficked server with a low number of Mbufs will hinder performance. Each cluster represents approximately 2 K of memory, so a value of `1024` represents `2` megabytes of kernel memory reserved for network buffers. A simple calculation can be done to figure out how many are needed. A web server which maxes out at `1000` simultaneous connections where each connection uses a 6 K receive and 16 K send buffer, requires approximately 32 MB worth of network buffers to cover the web server. A good rule of thumb is to multiply by `2`, so 2x32 MB / 2 KB = 64 MB / 2 kB = `32768`. Values between `4096` and `32768` are recommended for machines with greater amounts of memory. Never specify an arbitrarily high value for this parameter as it could lead to a boot time crash. To observe network cluster usage, use `-m` with man:netstat[1]. +The `NMBCLUSTERS` kernel configuration option dictates the amount of network Mbufs available to the system. +A heavily-trafficked server with a low number of Mbufs will hinder performance. +Each cluster represents approximately 2 K of memory, so a value of `1024` represents `2` megabytes of kernel memory reserved for network buffers. +A simple calculation can be done to figure out how many are needed. +A web server which maxes out at `1000` simultaneous connections where each connection uses a 6 K receive and 16 K send buffer, requires approximately 32 MB worth of network buffers to cover the web server. +A good rule of thumb is to multiply by `2`, so 2x32 MB / 2 KB = 64 MB / 2 kB = `32768`. +Values between `4096` and `32768` are recommended for machines with greater amounts of memory. +Never specify an arbitrarily high value for this parameter as it could lead to a boot time crash. +To observe network cluster usage, use `-m` with man:netstat[1]. -The `kern.ipc.nmbclusters` loader tunable should be used to tune this at boot time. Only older versions of FreeBSD will require the use of the `NMBCLUSTERS` kernel man:config[8] option. +The `kern.ipc.nmbclusters` loader tunable should be used to tune this at boot time. +Only older versions of FreeBSD will require the use of the `NMBCLUSTERS` kernel man:config[8] option. -For busy servers that make extensive use of the man:sendfile[2] system call, it may be necessary to increase the number of man:sendfile[2] buffers via the `NSFBUFS` kernel configuration option or by setting its value in [.filename]#/boot/loader.conf# (see man:loader[8] for details). A common indicator that this parameter needs to be adjusted is when processes are seen in the `sfbufa` state. The man:sysctl[8] variable `kern.ipc.nsfbufs` is read-only. This parameter nominally scales with `kern.maxusers`, however it may be necessary to tune accordingly. +For busy servers that make extensive use of the man:sendfile[2] system call, it may be necessary to increase the number of man:sendfile[2] buffers via the `NSFBUFS` kernel configuration option or by setting its value in [.filename]#/boot/loader.conf# (see man:loader[8] for details). +A common indicator that this parameter needs to be adjusted is when processes are seen in the `sfbufa` state. +The man:sysctl[8] variable `kern.ipc.nsfbufs` is read-only. +This parameter nominally scales with `kern.maxusers`, however it may be necessary to tune accordingly. [IMPORTANT] ==== @@ -1213,21 +1524,46 @@ Even though a socket has been marked as non-blocking, calling man:sendfile[2] on ==== `net.inet.ip.portrange.*` -The `net.inet.ip.portrange.*` man:sysctl[8] variables control the port number ranges automatically bound to `TCP` and `UDP` sockets. There are three ranges: a low range, a default range, and a high range. Most network programs use the default range which is controlled by `net.inet.ip.portrange.first` and `net.inet.ip.portrange.last`, which default to `1024` and `5000`, respectively. Bound port ranges are used for outgoing connections and it is possible to run the system out of ports under certain circumstances. This most commonly occurs when running a heavily loaded web proxy. The port range is not an issue when running a server which handles mainly incoming connections, such as a web server, or has a limited number of outgoing connections, such as a mail relay. For situations where there is a shortage of ports, it is recommended to increase `net.inet.ip.portrange.last` modestly. A value of `10000`, `20000` or `30000` may be reasonable. Consider firewall effects when changing the port range. Some firewalls may block large ranges of ports, usually low-numbered ports, and expect systems to use higher ranges of ports for outgoing connections. For this reason, it is not recommended that the value of `net.inet.ip.portrange.first` be lowered. +The `net.inet.ip.portrange.*` man:sysctl[8] variables control the port number ranges automatically bound to `TCP` and `UDP` sockets. +There are three ranges: a low range, a default range, and a high range. +Most network programs use the default range which is controlled by `net.inet.ip.portrange.first` and `net.inet.ip.portrange.last`, which default to `1024` and `5000`, respectively. +Bound port ranges are used for outgoing connections and it is possible to run the system out of ports under certain circumstances. +This most commonly occurs when running a heavily loaded web proxy. +The port range is not an issue when running a server which handles mainly incoming connections, such as a web server, or has a limited number of outgoing connections, such as a mail relay. +For situations where there is a shortage of ports, it is recommended to increase `net.inet.ip.portrange.last` modestly. +A value of `10000`, `20000` or `30000` may be reasonable. Consider firewall effects when changing the port range. +Some firewalls may block large ranges of ports, usually low-numbered ports, and expect systems to use higher ranges of ports for outgoing connections. +For this reason, it is not recommended that the value of `net.inet.ip.portrange.first` be lowered. ==== `TCP` Bandwidth Delay Product -`TCP` bandwidth delay product limiting can be enabled by setting the `net.inet.tcp.inflight.enable` man:sysctl[8] variable to `1`. This instructs the system to attempt to calculate the bandwidth delay product for each connection and limit the amount of data queued to the network to just the amount required to maintain optimum throughput. +`TCP` bandwidth delay product limiting can be enabled by setting the `net.inet.tcp.inflight.enable` man:sysctl[8] variable to `1`. +This instructs the system to attempt to calculate the bandwidth delay product for each connection and limit the amount of data queued to the network to just the amount required to maintain optimum throughput. -This feature is useful when serving data over modems, Gigabit Ethernet, high speed `WAN` links, or any other link with a high bandwidth delay product, especially when also using window scaling or when a large send window has been configured. When enabling this option, also set `net.inet.tcp.inflight.debug` to `0` to disable debugging. For production use, setting `net.inet.tcp.inflight.min` to at least `6144` may be beneficial. Setting high minimums may effectively disable bandwidth limiting, depending on the link. The limiting feature reduces the amount of data built up in intermediate route and switch packet queues and reduces the amount of data built up in the local host's interface queue. With fewer queued packets, interactive connections, especially over slow modems, will operate with lower _Round Trip Times_. This feature only effects server side data transmission such as uploading. It has no effect on data reception or downloading. +This feature is useful when serving data over modems, Gigabit Ethernet, high speed `WAN` links, or any other link with a high bandwidth delay product, especially when also using window scaling or when a large send window has been configured. +When enabling this option, also set `net.inet.tcp.inflight.debug` to `0` to disable debugging. +For production use, setting `net.inet.tcp.inflight.min` to at least `6144` may be beneficial. +Setting high minimums may effectively disable bandwidth limiting, depending on the link. +The limiting feature reduces the amount of data built up in intermediate route and switch packet queues and reduces the amount of data built up in the local host's interface queue. +With fewer queued packets, interactive connections, especially over slow modems, will operate with lower _Round Trip Times_. +This feature only effects server side data transmission such as uploading. +It has no effect on data reception or downloading. -Adjusting `net.inet.tcp.inflight.stab` is _not_ recommended. This parameter defaults to `20`, representing 2 maximal packets added to the bandwidth delay product window calculation. The additional window is required to stabilize the algorithm and improve responsiveness to changing conditions, but it can also result in higher man:ping[8] times over slow links, though still much lower than without the inflight algorithm. In such cases, try reducing this parameter to `15`, `10`, or `5` and reducing `net.inet.tcp.inflight.min` to a value such as `3500` to get the desired effect. Reducing these parameters should be done as a last resort only. +Adjusting `net.inet.tcp.inflight.stab` is _not_ recommended. +This parameter defaults to `20`, representing 2 maximal packets added to the bandwidth delay product window calculation. +The additional window is required to stabilize the algorithm and improve responsiveness to changing conditions, but it can also result in higher man:ping[8] times over slow links, though still much lower than without the inflight algorithm. +In such cases, try reducing this parameter to `15`, `10`, or `5` and reducing `net.inet.tcp.inflight.min` to a value such as `3500` to get the desired effect. +Reducing these parameters should be done as a last resort only. === Virtual Memory ==== `kern.maxvnodes` -A vnode is the internal representation of a file or directory. Increasing the number of vnodes available to the operating system reduces disk I/O. Normally, this is handled by the operating system and does not need to be changed. In some cases where disk I/O is a bottleneck and the system is running out of vnodes, this setting needs to be increased. The amount of inactive and free RAM will need to be taken into account. +A vnode is the internal representation of a file or directory. +Increasing the number of vnodes available to the operating system reduces disk I/O. +Normally, this is handled by the operating system and does not need to be changed. +In some cases where disk I/O is a bottleneck and the system is running out of vnodes, this setting needs to be increased. +The amount of inactive and free RAM will need to be taken into account. To see the current number of vnodes in use: @@ -1245,21 +1581,27 @@ To see the maximum vnodes: kern.maxvnodes: 100000 .... -If the current vnode usage is near the maximum, try increasing `kern.maxvnodes` by a value of `1000`. Keep an eye on the number of `vfs.numvnodes`. If it climbs up to the maximum again, `kern.maxvnodes` will need to be increased further. Otherwise, a shift in memory usage as reported by man:top[1] should be visible and more memory should be active. +If the current vnode usage is near the maximum, try increasing `kern.maxvnodes` by a value of `1000`. +Keep an eye on the number of `vfs.numvnodes`. +If it climbs up to the maximum again, `kern.maxvnodes` will need to be increased further. +Otherwise, a shift in memory usage as reported by man:top[1] should be visible and more memory should be active. [[adding-swap-space]] == Adding Swap Space -Sometimes a system requires more swap space. This section describes two methods to increase swap space: adding swap to an existing partition or new hard drive, and creating a swap file on an existing partition. +Sometimes a system requires more swap space. +This section describes two methods to increase swap space: adding swap to an existing partition or new hard drive, and creating a swap file on an existing partition. For information on how to encrypt swap space, which options exist, and why it should be done, refer to crossref:disks[swap-encrypting,“Encrypting Swap”]. [[new-drive-swap]] === Swap on a New Hard Drive or Existing Partition -Adding a new hard drive for swap gives better performance than using a partition on an existing drive. Setting up partitions and hard drives is explained in crossref:disks[disks-adding,“Adding Disks”] while crossref:bsdinstall[configtuning-initial,“Designing the Partition Layout”] discusses partition layouts and swap partition size considerations. +Adding a new hard drive for swap gives better performance than using a partition on an existing drive. +Setting up partitions and hard drives is explained in crossref:disks[disks-adding,“Adding Disks”] while crossref:bsdinstall[configtuning-initial,“Designing the Partition Layout”] discusses partition layouts and swap partition size considerations. -Use `swapon` to add a swap partition to the system. For example: +Use `swapon` to add a swap partition to the system. +For example: [source,shell] .... @@ -1269,7 +1611,9 @@ Use `swapon` to add a swap partition to the system. For example: [WARNING] ==== -It is possible to use any partition not currently mounted, even if it already contains data. Using `swapon` on a partition that contains data will overwrite and destroy that data. Make sure that the partition to be added as swap is really the intended partition before running `swapon`. +It is possible to use any partition not currently mounted, even if it already contains data. +Using `swapon` on a partition that contains data will overwrite and destroy that data. +Make sure that the partition to be added as swap is really the intended partition before running `swapon`. ==== To automatically add this swap partition on boot, add an entry to [.filename]#/etc/fstab#: @@ -1279,14 +1623,16 @@ To automatically add this swap partition on boot, add an entry to [.filename]#/e /dev/ada1s1b none swap sw 0 0 .... -See man:fstab[5] for an explanation of the entries in [.filename]#/etc/fstab#. More information about `swapon` can be found in man:swapon[8]. +See man:fstab[5] for an explanation of the entries in [.filename]#/etc/fstab#. +More information about `swapon` can be found in man:swapon[8]. [[create-swapfile]] === Creating a Swap File These examples create a 512M swap file called [.filename]#/usr/swap0# instead of using a partition. -Using swap files requires that the module needed by man:md[4] has either been built into the kernel or has been loaded before swap is enabled. See crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel] for information about building a custom kernel. +Using swap files requires that the module needed by man:md[4] has either been built into the kernel or has been loaded before swap is enabled. +See crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel] for information about building a custom kernel. [[swapfile-10-and-later]] .Creating a Swap File @@ -1327,34 +1673,56 @@ The man:md[4] device [.filename]#md99# is used, leaving lower device numbers ava [[acpi-overview]] == Power and Resource Management -It is important to utilize hardware resources in an efficient manner. Power and resource management allows the operating system to monitor system limits and to possibly provide an alert if the system temperature increases unexpectedly. An early specification for providing power management was the Advanced Power Management (APM) facility. APM controls the power usage of a system based on its activity. However, it was difficult and inflexible for operating systems to manage the power usage and thermal properties of a system. The hardware was managed by the BIOS and the user had limited configurability and visibility into the power management settings. The APMBIOS is supplied by the vendor and is specific to the hardware platform. An APM driver in the operating system mediates access to the APM Software Interface, which allows management of power levels. - -There are four major problems in APM. First, power management is done by the vendor-specific BIOS, separate from the operating system. For example, the user can set idle-time values for a hard drive in the APMBIOS so that, when exceeded, the BIOS spins down the hard drive without the consent of the operating system. Second, the APM logic is embedded in the BIOS, and it operates outside the scope of the operating system. This means that users can only fix problems in the APMBIOS by flashing a new one into the ROM, which is a dangerous procedure with the potential to leave the system in an unrecoverable state if it fails. Third, APM is a vendor-specific technology, meaning that there is a lot of duplication of efforts and bugs found in one vendor's BIOS may not be solved in others. Lastly, the APMBIOS did not have enough room to implement a sophisticated power policy or one that can adapt well to the purpose of the machine. - -The Plug and Play BIOS (PNPBIOS) was unreliable in many situations. PNPBIOS is 16-bit technology, so the operating system has to use 16-bit emulation in order to interface with PNPBIOS methods. FreeBSD provides an APM driver as APM should still be used for systems manufactured at or before the year 2000. The driver is documented in man:apm[4]. - -The successor to APM is the Advanced Configuration and Power Interface (ACPI). ACPI is a standard written by an alliance of vendors to provide an interface for hardware resources and power management. It is a key element in _Operating System-directed configuration and Power Management_ as it provides more control and flexibility to the operating system. - -This chapter demonstrates how to configure ACPI on FreeBSD. It then offers some tips on how to debug ACPI and how to submit a problem report containing debugging information so that developers can diagnosis and fix ACPI issues. +It is important to utilize hardware resources in an efficient manner. +Power and resource management allows the operating system to monitor system limits and to possibly provide an alert if the system temperature increases unexpectedly. +An early specification for providing power management was the Advanced Power Management (APM) facility. +APM controls the power usage of a system based on its activity. +However, it was difficult and inflexible for operating systems to manage the power usage and thermal properties of a system. +The hardware was managed by the BIOS and the user had limited configurability and visibility into the power management settings. +The APMBIOS is supplied by the vendor and is specific to the hardware platform. +An APM driver in the operating system mediates access to the APM Software Interface, which allows management of power levels. + +There are four major problems in APM. +First, power management is done by the vendor-specific BIOS, separate from the operating system. +For example, the user can set idle-time values for a hard drive in the APMBIOS so that, when exceeded, the BIOS spins down the hard drive without the consent of the operating system. +Second, the APM logic is embedded in the BIOS, and it operates outside the scope of the operating system. +This means that users can only fix problems in the APMBIOS by flashing a new one into the ROM, which is a dangerous procedure with the potential to leave the system in an unrecoverable state if it fails. +Third, APM is a vendor-specific technology, meaning that there is a lot of duplication of efforts and bugs found in one vendor's BIOS may not be solved in others. +Lastly, the APMBIOS did not have enough room to implement a sophisticated power policy or one that can adapt well to the purpose of the machine. + +The Plug and Play BIOS (PNPBIOS) was unreliable in many situations. +PNPBIOS is 16-bit technology, so the operating system has to use 16-bit emulation in order to interface with PNPBIOS methods. +FreeBSD provides an APM driver as APM should still be used for systems manufactured at or before the year 2000. +The driver is documented in man:apm[4]. + +The successor to APM is the Advanced Configuration and Power Interface (ACPI). +ACPI is a standard written by an alliance of vendors to provide an interface for hardware resources and power management. +It is a key element in _Operating System-directed configuration and Power Management_ as it provides more control and flexibility to the operating system. + +This chapter demonstrates how to configure ACPI on FreeBSD. +It then offers some tips on how to debug ACPI and how to submit a problem report containing debugging information so that developers can diagnosis and fix ACPI issues. [[acpi-config]] === Configuring ACPI -In FreeBSD the man:acpi[4] driver is loaded by default at system boot and should _not_ be compiled into the kernel. This driver cannot be unloaded after boot because the system bus uses it for various hardware interactions. However, if the system is experiencing problems, ACPI can be disabled altogether by rebooting after setting `hint.acpi.0.disabled="1"` in [.filename]#/boot/loader.conf# or by setting this variable at the loader prompt, as described in crossref:boot[boot-loader,“Stage Three”]. +In FreeBSD the man:acpi[4] driver is loaded by default at system boot and should _not_ be compiled into the kernel. +This driver cannot be unloaded after boot because the system bus uses it for various hardware interactions. +However, if the system is experiencing problems, ACPI can be disabled altogether by rebooting after setting `hint.acpi.0.disabled="1"` in [.filename]#/boot/loader.conf# or by setting this variable at the loader prompt, as described in crossref:boot[boot-loader,“Stage Three”]. [NOTE] ==== -ACPI and APM cannot coexist and should be used separately. The last one to load will terminate if the driver notices the other is running. +ACPI and APM cannot coexist and should be used separately. +The last one to load will terminate if the driver notices the other is running. ==== -ACPI can be used to put the system into a sleep mode with `acpiconf`, the `-s` flag, and a number from `1` to `5`. Most users only need `1` (quick suspend to RAM) or `3` (suspend to RAM). Option `5` performs a soft-off which is the same as running `halt -p`. +ACPI can be used to put the system into a sleep mode with `acpiconf`, the `-s` flag, and a number from `1` to `5`. +Most users only need `1` (quick suspend to RAM) or `3` (suspend to RAM). +Option `5` performs a soft-off which is the same as running `halt -p`. -The man:acpi_video[4] driver uses -link:https://uefi.org/specs/ACPI/6.4/Apx_B_Video_Extensions/Apx_B_Video_Extensions.html[ACPI -Video Extensions] to control display switching and backlight brightness. It must -be loaded after any of the DRM kernel modules. After loading the driver, -the kbd:[Fn] brightness keys will change the brightness of the screen. It is -possible to check the ACPI events by inspecting [.filename]#/var/run/devd.pipe#: +The man:acpi_video[4] driver uses link:https://uefi.org/specs/ACPI/6.4/Apx_B_Video_Extensions/Apx_B_Video_Extensions.html[ACPI Video Extensions] to control display switching and backlight brightness. +It must be loaded after any of the DRM kernel modules. +After loading the driver, the kbd:[Fn] brightness keys will change the brightness of the screen. +It is possible to check the ACPI events by inspecting [.filename]#/var/run/devd.pipe#: [source,shell] ... @@ -1364,28 +1732,46 @@ possible to check the ACPI events by inspecting [.filename]#/var/run/devd.pipe#: !system=ACPI subsystem=Video type=brightness notify=64 ... -Other options are available using `sysctl`. Refer to man:acpi[4] and man:acpiconf[8] for more information. +Other options are available using `sysctl`. +Refer to man:acpi[4] and man:acpiconf[8] for more information. [[ACPI-comprob]] === Common Problems -ACPI is present in all modern computers that conform to the ia32 (x86) and amd64 (AMD) architectures. The full standard has many features including CPU performance management, power planes control, thermal zones, various battery systems, embedded controllers, and bus enumeration. Most systems implement less than the full standard. For instance, a desktop system usually only implements bus enumeration while a laptop might have cooling and battery management support as well. Laptops also have suspend and resume, with their own associated complexity. +ACPI is present in all modern computers that conform to the ia32 (x86) and amd64 (AMD) architectures. +The full standard has many features including CPU performance management, power planes control, thermal zones, various battery systems, embedded controllers, and bus enumeration. +Most systems implement less than the full standard. +For instance, a desktop system usually only implements bus enumeration while a laptop might have cooling and battery management support as well. +Laptops also have suspend and resume, with their own associated complexity. -An ACPI-compliant system has various components. The BIOS and chipset vendors provide various fixed tables, such as FADT, in memory that specify things like the APIC map (used for SMP), config registers, and simple configuration values. Additionally, a bytecode table, the Differentiated System Description Table DSDT, specifies a tree-like name space of devices and methods. +An ACPI-compliant system has various components. +The BIOS and chipset vendors provide various fixed tables, such as FADT, in memory that specify things like the APIC map (used for SMP), config registers, and simple configuration values. +Additionally, a bytecode table, the Differentiated System Description Table DSDT, specifies a tree-like name space of devices and methods. -The ACPI driver must parse the fixed tables, implement an interpreter for the bytecode, and modify device drivers and the kernel to accept information from the ACPI subsystem. For FreeBSD, Intel(R) has provided an interpreter (ACPI-CA) that is shared with Linux(R) and NetBSD. The path to the ACPI-CA source code is [.filename]#src/sys/contrib/dev/acpica#. The glue code that allows ACPI-CA to work on FreeBSD is in [.filename]#src/sys/dev/acpica/Osd#. Finally, drivers that implement various ACPI devices are found in [.filename]#src/sys/dev/acpica#. +The ACPI driver must parse the fixed tables, implement an interpreter for the bytecode, and modify device drivers and the kernel to accept information from the ACPI subsystem. +For FreeBSD, Intel(R) has provided an interpreter (ACPI-CA) that is shared with Linux(R) and NetBSD. +The path to the ACPI-CA source code is [.filename]#src/sys/contrib/dev/acpica#. +The glue code that allows ACPI-CA to work on FreeBSD is in [.filename]#src/sys/dev/acpica/Osd#. +Finally, drivers that implement various ACPI devices are found in [.filename]#src/sys/dev/acpica#. -For ACPI to work correctly, all the parts have to work correctly. Here are some common problems, in order of frequency of appearance, and some possible workarounds or fixes. If a fix does not resolve the issue, refer to <<ACPI-submitdebug>> for instructions on how to submit a bug report. +For ACPI to work correctly, all the parts have to work correctly. +Here are some common problems, in order of frequency of appearance, and some possible workarounds or fixes. +If a fix does not resolve the issue, refer to <<ACPI-submitdebug>> for instructions on how to submit a bug report. ==== Mouse Issues -In some cases, resuming from a suspend operation will cause the mouse to fail. A known work around is to add `hint.psm.0.flags="0x3000"` to [.filename]#/boot/loader.conf#. +In some cases, resuming from a suspend operation will cause the mouse to fail. +A known work around is to add `hint.psm.0.flags="0x3000"` to [.filename]#/boot/loader.conf#. ==== Suspend/Resume -ACPI has three suspend to RAM (STR) states, `S1`-`S3`, and one suspend to disk state (STD), called `S4`. STD can be implemented in two separate ways. The ``S4``BIOS is a BIOS-assisted suspend to disk and ``S4``OS is implemented entirely by the operating system. The normal state the system is in when plugged in but not powered up is "soft off" (`S5`). +ACPI has three suspend to RAM (STR) states, `S1`-`S3`, and one suspend to disk state (STD), called `S4`. +STD can be implemented in two separate ways. +The ``S4``BIOS is a BIOS-assisted suspend to disk and ``S4``OS is implemented entirely by the operating system. +The normal state the system is in when plugged in but not powered up is "soft off" (`S5`). -Use `sysctl hw.acpi` to check for the suspend-related items. These example results are from a Thinkpad: +Use `sysctl hw.acpi` to check for the suspend-related items. +These example results are from a Thinkpad: [source,shell] .... @@ -1393,11 +1779,17 @@ hw.acpi.supported_sleep_state: S3 S4 S5 hw.acpi.s4bios: 0 .... -Use `acpiconf -s` to test `S3`, `S4`, and `S5`. An `s4bios` of one (`1`) indicates ``S4``BIOS support instead of `S4` operating system support. +Use `acpiconf -s` to test `S3`, `S4`, and `S5`. +An `s4bios` of one (`1`) indicates ``S4``BIOS support instead of `S4` operating system support. -When testing suspend/resume, start with `S1`, if supported. This state is most likely to work since it does not require much driver support. No one has implemented `S2`, which is similar to `S1`. Next, try `S3`. This is the deepest STR state and requires a lot of driver support to properly reinitialize the hardware. +When testing suspend/resume, start with `S1`, if supported. +This state is most likely to work since it does not require much driver support. +No one has implemented `S2`, which is similar to `S1`. +Next, try `S3`. +This is the deepest STR state and requires a lot of driver support to properly reinitialize the hardware. -A common problem with suspend/resume is that many device drivers do not save, restore, or reinitialize their firmware, registers, or device memory properly. As a first attempt at debugging the problem, try: +A common problem with suspend/resume is that many device drivers do not save, restore, or reinitialize their firmware, registers, or device memory properly. +As a first attempt at debugging the problem, try: [source,shell] .... @@ -1406,10 +1798,11 @@ A common problem with suspend/resume is that many device drivers do not save, re # acpiconf -s 3 .... -This test emulates the suspend/resume cycle of all device drivers without actually going into `S3` state. In some cases, problems such as losing firmware state, device watchdog time out, and retrying forever, can be captured with this method. Note that the system will not really enter `S3` state, which means devices may not lose power, and many will work fine even if suspend/resume methods are totally missing, unlike real `S3` state. +This test emulates the suspend/resume cycle of all device drivers without actually going into `S3` state. +In some cases, problems such as losing firmware state, device watchdog time out, and retrying forever, can be captured with this method. +Note that the system will not really enter `S3` state, which means devices may not lose power, and many will work fine even if suspend/resume methods are totally missing, unlike real `S3` state. -If the previous test worked, on a laptop it is possible to configure the system -to suspend into `S3` on lid close and resume when it is open back again: +If the previous test worked, on a laptop it is possible to configure the system to suspend into `S3` on lid close and resume when it is open back again: [source,shell] .... @@ -1425,34 +1818,58 @@ This change can be made persistent across reboots: Harder cases require additional hardware, such as a serial port and cable for debugging through a serial console, a Firewire port and cable for using man:dcons[4], and kernel debugging skills. -To help isolate the problem, unload as many drivers as possible. If it works, narrow down which driver is the problem by loading drivers until it fails again. Typically, binary drivers like [.filename]#nvidia.ko#, display drivers, and USB will have the most problems while Ethernet interfaces usually work fine. If drivers can be properly loaded and unloaded, automate this by putting the appropriate commands in [.filename]#/etc/rc.suspend# and [.filename]#/etc/rc.resume#. Try setting `hw.acpi.reset_video` to `1` if the display is messed up after resume. Try setting longer or shorter values for `hw.acpi.sleep_delay` to see if that helps. +To help isolate the problem, unload as many drivers as possible. +If it works, narrow down which driver is the problem by loading drivers until it fails again. +Typically, binary drivers like [.filename]#nvidia.ko#, display drivers, and USB will have the most problems while Ethernet interfaces usually work fine. +If drivers can be properly loaded and unloaded, automate this by putting the appropriate commands in [.filename]#/etc/rc.suspend# and [.filename]#/etc/rc.resume#. +Try setting `hw.acpi.reset_video` to `1` if the display is messed up after resume. +Try setting longer or shorter values for `hw.acpi.sleep_delay` to see if that helps. -Try loading a recent Linux(R) distribution to see if suspend/resume works on the same hardware. If it works on Linux(R), it is likely a FreeBSD driver problem. Narrowing down which driver causes the problem will assist developers in fixing the problem. Since the ACPI maintainers rarely maintain other drivers, such as sound or ATA, any driver problems should also be posted to the {freebsd-current} and mailed to the driver maintainer. Advanced users can include debugging man:printf[3]s in a problematic driver to track down where in its resume function it hangs. +Try loading a recent Linux(R) distribution to see if suspend/resume works on the same hardware. +If it works on Linux(R), it is likely a FreeBSD driver problem. +Narrowing down which driver causes the problem will assist developers in fixing the problem. +Since the ACPI maintainers rarely maintain other drivers, such as sound or ATA, any driver problems should also be posted to the {freebsd-current} and mailed to the driver maintainer. +Advanced users can include debugging man:printf[3]s in a problematic driver to track down where in its resume function it hangs. -Finally, try disabling ACPI and enabling APM instead. If suspend/resume works with APM, stick with APM, especially on older hardware (pre-2000). It took vendors a while to get ACPI support correct and older hardware is more likely to have BIOS problems with ACPI. +Finally, try disabling ACPI and enabling APM instead. +If suspend/resume works with APM, stick with APM, especially on older hardware (pre-2000). +It took vendors a while to get ACPI support correct and older hardware is more likely to have BIOS problems with ACPI. ==== System Hangs -Most system hangs are a result of lost interrupts or an interrupt storm. Chipsets may have problems based on boot, how the BIOS configures interrupts before correctness of the APIC (MADT) table, and routing of the System Control Interrupt (SCI). +Most system hangs are a result of lost interrupts or an interrupt storm. +Chipsets may have problems based on boot, how the BIOS configures interrupts before correctness of the APIC (MADT) table, and routing of the System Control Interrupt (SCI). -Interrupt storms can be distinguished from lost interrupts by checking the output of `vmstat -i` and looking at the line that has `acpi0`. If the counter is increasing at more than a couple per second, there is an interrupt storm. If the system appears hung, try breaking to DDB (kbd:[CTRL+ALT+ESC] on console) and type `show interrupts`. +Interrupt storms can be distinguished from lost interrupts by checking the output of `vmstat -i` and looking at the line that has `acpi0`. +If the counter is increasing at more than a couple per second, there is an interrupt storm. +If the system appears hung, try breaking to DDB (kbd:[CTRL+ALT+ESC] on console) and type `show interrupts`. When dealing with interrupt problems, try disabling APIC support with `hint.apic.0.disabled="1"` in [.filename]#/boot/loader.conf#. ==== Panics -Panics are relatively rare for ACPI and are the top priority to be fixed. The first step is to isolate the steps to reproduce the panic, if possible, and get a backtrace. Follow the advice for enabling `options DDB` and setting up a serial console in crossref:serialcomms[serialconsole-ddb,“Entering the DDB Debugger from the Serial Line”] or setting up a dump partition. To get a backtrace in DDB, use `tr`. When handwriting the backtrace, get at least the last five and the top five lines in the trace. +Panics are relatively rare for ACPI and are the top priority to be fixed. +The first step is to isolate the steps to reproduce the panic, if possible, and get a backtrace. +Follow the advice for enabling `options DDB` and setting up a serial console in crossref:serialcomms[serialconsole-ddb,“Entering the DDB Debugger from the Serial Line”] or setting up a dump partition. +To get a backtrace in DDB, use `tr`. +When handwriting the backtrace, get at least the last five and the top five lines in the trace. -Then, try to isolate the problem by booting with ACPI disabled. If that works, isolate the ACPI subsystem by using various values of `debug.acpi.disable`. See man:acpi[4] for some examples. +Then, try to isolate the problem by booting with ACPI disabled. +If that works, isolate the ACPI subsystem by using various values of `debug.acpi.disable`. +See man:acpi[4] for some examples. ==== System Powers Up After Suspend or Shutdown -First, try setting `hw.acpi.disable_on_poweroff="0"` in [.filename]#/boot/loader.conf#. This keeps ACPI from disabling various events during the shutdown process. Some systems need this value set to `1` (the default) for the same reason. This usually fixes the problem of a system powering up spontaneously after a suspend or poweroff. +First, try setting `hw.acpi.disable_on_poweroff="0"` in [.filename]#/boot/loader.conf#. +This keeps ACPI from disabling various events during the shutdown process. +Some systems need this value set to `1` (the default) for the same reason. +This usually fixes the problem of a system powering up spontaneously after a suspend or poweroff. [[ACPI-aslanddump]] ==== BIOS Contains Buggy Bytecode -Some BIOS vendors provide incorrect or buggy bytecode. This is usually manifested by kernel console messages like this: +Some BIOS vendors provide incorrect or buggy bytecode. +This is usually manifested by kernel console messages like this: [source,shell] .... @@ -1460,33 +1877,44 @@ ACPI-1287: *** Error: Method execution failed [\\_SB_.PCI0.LPC0.FIGD._STA] \\ (Node 0xc3f6d160), AE_NOT_FOUND .... -Often, these problems may be resolved by updating the BIOS to the latest revision. Most console messages are harmless, but if there are other problems, like the battery status is not working, these messages are a good place to start looking for problems. +Often, these problems may be resolved by updating the BIOS to the latest revision. +Most console messages are harmless, but if there are other problems, like the battery status is not working, these messages are a good place to start looking for problems. === Overriding the Default AML -The BIOS bytecode, known as ACPI Machine Language (AML), is compiled from a source language called ACPI Source Language (ASL). The AML is found in the table known as the Differentiated System Description Table (DSDT). +The BIOS bytecode, known as ACPI Machine Language (AML), is compiled from a source language called ACPI Source Language (ASL). +The AML is found in the table known as the Differentiated System Description Table (DSDT). -The goal of FreeBSD is for everyone to have working ACPI without any user intervention. Workarounds are still being developed for common mistakes made by BIOS vendors. The Microsoft(R) interpreter ([.filename]#acpi.sys# and [.filename]#acpiec.sys#) does not strictly check for adherence to the standard, and thus many BIOS vendors who only test ACPI under Windows(R) never fix their ASL. FreeBSD developers continue to identify and document which non-standard behavior is allowed by Microsoft(R)'s interpreter and replicate it so that FreeBSD can work without forcing users to fix the ASL. +The goal of FreeBSD is for everyone to have working ACPI without any user intervention. +Workarounds are still being developed for common mistakes made by BIOS vendors. +The Microsoft(R) interpreter ([.filename]#acpi.sys# and [.filename]#acpiec.sys#) does not strictly check for adherence to the standard, and thus many BIOS vendors who only test ACPI under Windows(R) never fix their ASL. +FreeBSD developers continue to identify and document which non-standard behavior is allowed by Microsoft(R)'s interpreter and replicate it so that FreeBSD can work without forcing users to fix the ASL. -To help identify buggy behavior and possibly fix it manually, a copy can be made of the system's ASL. To copy the system's ASL to a specified file name, use `acpidump` with `-t`, to show the contents of the fixed tables, and `-d`, to disassemble the AML: +To help identify buggy behavior and possibly fix it manually, a copy can be made of the system's ASL. +To copy the system's ASL to a specified file name, use `acpidump` with `-t`, to show the contents of the fixed tables, and `-d`, to disassemble the AML: [source,shell] .... # acpidump -td > my.asl .... -Some AML versions assume the user is running Windows(R). To override this, set `hw.acpi.osname=_"Windows 2009"_` in [.filename]#/boot/loader.conf#, using the most recent Windows(R) version listed in the ASL. +Some AML versions assume the user is running Windows(R). +To override this, set `hw.acpi.osname=_"Windows 2009"_` in [.filename]#/boot/loader.conf#, using the most recent Windows(R) version listed in the ASL. -Other workarounds may require [.filename]#my.asl# to be customized. If this file is edited, compile the new ASL using the following command. Warnings can usually be ignored, but errors are bugs that will usually prevent ACPI from working correctly. +Other workarounds may require [.filename]#my.asl# to be customized. +If this file is edited, compile the new ASL using the following command. +Warnings can usually be ignored, but errors are bugs that will usually prevent ACPI from working correctly. [source,shell] .... # iasl -f my.asl .... -Including `-f` forces creation of the AML, even if there are errors during compilation. Some errors, such as missing return statements, are automatically worked around by the FreeBSD interpreter. +Including `-f` forces creation of the AML, even if there are errors during compilation. +Some errors, such as missing return statements, are automatically worked around by the FreeBSD interpreter. -The default output filename for `iasl` is [.filename]#DSDT.aml#. Load this file instead of the BIOS's buggy copy, which is still present in flash memory, by editing [.filename]#/boot/loader.conf# as follows: +The default output filename for `iasl` is [.filename]#DSDT.aml#. +Load this file instead of the BIOS's buggy copy, which is still present in flash memory, by editing [.filename]#/boot/loader.conf# as follows: [.programlisting] .... @@ -1494,21 +1922,30 @@ acpi_dsdt_load="YES" acpi_dsdt_name="/boot/DSDT.aml" .... -Be sure to copy [.filename]#DSDT.aml# to [.filename]#/boot#, then reboot the system. If this fixes the problem, send a man:diff[1] of the old and new ASL to {freebsd-acpi} so that developers can work around the buggy behavior in [.filename]#acpica#. +Be sure to copy [.filename]#DSDT.aml# to [.filename]#/boot#, then reboot the system. +If this fixes the problem, send a man:diff[1] of the old and new ASL to {freebsd-acpi} so that developers can work around the buggy behavior in [.filename]#acpica#. [[ACPI-submitdebug]] === Getting and Submitting Debugging Info -The ACPI driver has a flexible debugging facility. A set of subsystems and the level of verbosity can be specified. The subsystems to debug are specified as layers and are broken down into components (`ACPI_ALL_COMPONENTS`) and ACPI hardware support (`ACPI_ALL_DRIVERS`). The verbosity of debugging output is specified as the level and ranges from just report errors (`ACPI_LV_ERROR`) to everything (`ACPI_LV_VERBOSE`). The level is a bitmask so multiple options can be set at once, separated by spaces. In practice, a serial console should be used to log the output so it is not lost as the console message buffer flushes. A full list of the individual layers and levels is found in man:acpi[4]. +The ACPI driver has a flexible debugging facility. A set of subsystems and the level of verbosity can be specified. +The subsystems to debug are specified as layers and are broken down into components (`ACPI_ALL_COMPONENTS`) and ACPI hardware support (`ACPI_ALL_DRIVERS`). +The verbosity of debugging output is specified as the level and ranges from just report errors (`ACPI_LV_ERROR`) to everything (`ACPI_LV_VERBOSE`). +The level is a bitmask so multiple options can be set at once, separated by spaces. +In practice, a serial console should be used to log the output so it is not lost as the console message buffer flushes. +A full list of the individual layers and levels is found in man:acpi[4]. -Debugging output is not enabled by default. To enable it, add `options ACPI_DEBUG` to the custom kernel configuration file if ACPI is compiled into the kernel. Add `ACPI_DEBUG=1` to [.filename]#/etc/make.conf# to enable it globally. If a module is used instead of a custom kernel, recompile just the [.filename]#acpi.ko# module as follows: +Debugging output is not enabled by default. To enable it, add `options ACPI_DEBUG` to the custom kernel configuration file if ACPI is compiled into the kernel. +Add `ACPI_DEBUG=1` to [.filename]#/etc/make.conf# to enable it globally. +If a module is used instead of a custom kernel, recompile just the [.filename]#acpi.ko# module as follows: [source,shell] .... # cd /sys/modules/acpi/acpi && make clean && make ACPI_DEBUG=1 .... -Copy the compiled [.filename]#acpi.ko# to [.filename]#/boot/kernel# and add the desired level and layer to [.filename]#/boot/loader.conf#. The entries in this example enable debug messages for all ACPI components and hardware drivers and output error messages at the least verbose level: +Copy the compiled [.filename]#acpi.ko# to [.filename]#/boot/kernel# and add the desired level and layer to [.filename]#/boot/loader.conf#. +The entries in this example enable debug messages for all ACPI components and hardware drivers and output error messages at the least verbose level: [.programlisting] .... @@ -1516,7 +1953,9 @@ debug.acpi.layer="ACPI_ALL_COMPONENTS ACPI_ALL_DRIVERS" debug.acpi.level="ACPI_LV_ERROR" .... -If the required information is triggered by a specific event, such as a suspend and then resume, do not modify [.filename]#/boot/loader.conf#. Instead, use `sysctl` to specify the layer and level after booting and preparing the system for the specific event. The variables which can be set using `sysctl` are named the same as the tunables in [.filename]#/boot/loader.conf#. +If the required information is triggered by a specific event, such as a suspend and then resume, do not modify [.filename]#/boot/loader.conf#. +Instead, use `sysctl` to specify the layer and level after booting and preparing the system for the specific event. +The variables which can be set using `sysctl` are named the same as the tunables in [.filename]#/boot/loader.conf#. Once the debugging information is gathered, it can be sent to {freebsd-acpi} so that it can be used by the FreeBSD ACPI maintainers to identify the root cause of the problem and to develop a solution. @@ -1538,9 +1977,15 @@ When submitting a problem report, include the following information: # acpidump -dt > name-system.asl .... + -Substitute the login name for _name_ and manufacturer/model for _system_. For example, use [.filename]#njl-FooCo6000.asl#. - -Most FreeBSD developers watch the {freebsd-current}, but one should submit problems to {freebsd-acpi} to be sure it is seen. Be patient when waiting for a response. If the bug is not immediately apparent, submit a bug report. When entering a PR, include the same information as requested above. This helps developers to track the problem and resolve it. Do not send a PR without emailing {freebsd-acpi} first as it is likely that the problem has been reported before. +Substitute the login name for _name_ and manufacturer/model for _system_. +For example, use [.filename]#njl-FooCo6000.asl#. + +Most FreeBSD developers watch the {freebsd-current}, but one should submit problems to {freebsd-acpi} to be sure it is seen. +Be patient when waiting for a response. +If the bug is not immediately apparent, submit a bug report. +When entering a PR, include the same information as requested above. +This helps developers to track the problem and resolve it. +Do not send a PR without emailing {freebsd-acpi} first as it is likely that the problem has been reported before. [[ACPI-References]] === References diff --git a/documentation/content/en/books/handbook/cutting-edge/_index.adoc b/documentation/content/en/books/handbook/cutting-edge/_index.adoc index f087411b69..b9d4edbda9 100644 --- a/documentation/content/en/books/handbook/cutting-edge/_index.adoc +++ b/documentation/content/en/books/handbook/cutting-edge/_index.adoc @@ -67,7 +67,8 @@ Before reading this chapter, you should: [NOTE] ==== -Throughout this chapter, `git` is used to obtain and update FreeBSD sources. Optionally, the package:devel/git[] port or package may be used. +Throughout this chapter, `git` is used to obtain and update FreeBSD sources. +Optionally, the package:devel/git[] port or package may be used. ==== [[updating-upgrading-freebsdupdate]] @@ -591,7 +592,8 @@ To join these lists, go to {mailman-lists}, click on the list to subscribe to, a In order to track changes for the whole source tree, subscribe to {dev-commits-src-all}. . To install a new FreeBSD-STABLE system, install the most recent FreeBSD-STABLE release from the crossref:mirrors[mirrors,FreeBSD mirror sites] or use a monthly snapshot built from FreeBSD-STABLE. Refer to link:https://www.FreeBSD.org/snapshots/[www.freebsd.org/snapshots] for more information about snapshots. + -To compile or upgrade to an existing FreeBSD system to FreeBSD-STABLE, use `git` to check out the source for the desired branch. Branch names, such as `stable/9`, are listed at link:https://www.FreeBSD.org/releng/[www.freebsd.org/releng]. +To compile or upgrade to an existing FreeBSD system to FreeBSD-STABLE, use `git` to check out the source for the desired branch. +Branch names, such as `stable/9`, are listed at link:https://www.FreeBSD.org/releng/[www.freebsd.org/releng]. . Before compiling or upgrading to FreeBSD-STABLE , read [.filename]#/usr/src/Makefile# carefully and follow the instructions in <<makeworld>>. Read the {freebsd-stable} and [.filename]#/usr/src/UPDATING# to keep up-to-date on other bootstrapping procedures that sometimes become necessary on the road to the next release. [[makeworld]] @@ -605,7 +607,8 @@ The build process takes longer to update a system than just installing binary up [[updating-src-quick-start]] === Quick Start -This is a quick reference for the typical steps used to update FreeBSD by building from source. Later sections describe the process in more detail. +This is a quick reference for the typical steps used to update FreeBSD by building from source. +Later sections describe the process in more detail. [.procedure] ==== @@ -737,7 +740,8 @@ Based on <<updating-src-obtaining-src-repopath>>, the source used to update `10. === Building from Source The _world_, or all of the operating system except the kernel, is compiled. -This is done first to provide up-to-date tools to build the kernel. Then the kernel itself is built: +This is done first to provide up-to-date tools to build the kernel. +Then the kernel itself is built: [source,shell] .... @@ -748,7 +752,8 @@ This is done first to provide up-to-date tools to build the kernel. Then the ker The compiled code is written to [.filename]#/usr/obj#. -These are the basic steps. Additional options to control the build are described below. +These are the basic steps. +Additional options to control the build are described below. [[updating-src-building-clean-build]] ==== Performing a Clean Build diff --git a/documentation/content/en/books/handbook/desktop/_index.adoc b/documentation/content/en/books/handbook/desktop/_index.adoc index a58383cab1..6ba0a17001 100644 --- a/documentation/content/en/books/handbook/desktop/_index.adoc +++ b/documentation/content/en/books/handbook/desktop/_index.adoc @@ -46,7 +46,9 @@ toc::[] [[desktop-synopsis]] == Synopsis -While FreeBSD is popular as a server for its performance and stability, it is also suited for day-to-day use as a desktop. With over {numports} applications available as FreeBSD packages or ports, it is easy to build a customized desktop that runs a wide variety of desktop applications. This chapter demonstrates how to install numerous desktop applications, including web browsers, productivity software, document viewers, and financial software. +While FreeBSD is popular as a server for its performance and stability, it is also suited for day-to-day use as a desktop. +With over {numports} applications available as FreeBSD packages or ports, it is easy to build a customized desktop that runs a wide variety of desktop applications. +This chapter demonstrates how to install numerous desktop applications, including web browsers, productivity software, document viewers, and financial software. [NOTE] ==== @@ -63,9 +65,11 @@ For information on how to configure a multimedia environment, refer to crossref: [[desktop-browsers]] == Browsers -FreeBSD does not come with a pre-installed web browser. Instead, the https://www.FreeBSD.org/ports/[www] category of the Ports Collection contains many browsers which can be installed as a package or compiled from the Ports Collection. +FreeBSD does not come with a pre-installed web browser. +Instead, the https://www.FreeBSD.org/ports/[www] category of the Ports Collection contains many browsers which can be installed as a package or compiled from the Ports Collection. -The KDE and GNOME desktop environments include their own HTML browser. Refer to crossref:x11[x11-wm,“Desktop Environments”] for more information on how to set up these complete desktops. +The KDE and GNOME desktop environments include their own HTML browser. +Refer to crossref:x11[x11-wm,“Desktop Environments”] for more information on how to set up these complete desktops. Some lightweight browsers include package:www/dillo2[], package:www/links[], and package:www/w3m[]. @@ -97,7 +101,8 @@ This section demonstrates how to install the following popular web browsers and === Firefox -Firefox is an open source browser that features a standards-compliant HTML display engine, tabbed browsing, popup blocking, extensions, improved security, and more. Firefox is based on the Mozilla codebase. +Firefox is an open source browser that features a standards-compliant HTML display engine, tabbed browsing, popup blocking, extensions, improved security, and more. +Firefox is based on the Mozilla codebase. To install the package of the latest release version of Firefox, type: @@ -113,7 +118,8 @@ To instead install Firefox Extended Support Release (ESR) version, use: # pkg install firefox-esr .... -The Ports Collection can instead be used to compile the desired version of Firefox from source code. This example builds package:www/firefox[], where `firefox` can be replaced with the ESR or localized version to install. +The Ports Collection can instead be used to compile the desired version of Firefox from source code. +This example builds package:www/firefox[], where `firefox` can be replaced with the ESR or localized version to install. [source,shell] .... @@ -123,7 +129,9 @@ The Ports Collection can instead be used to compile the desired version of Firef === Konqueror -Konqueror is more than a web browser as it is also a file manager and a multimedia viewer. Supports WebKit as well as its own KHTML. WebKit is a rendering engine used by many modern browsers including Chromium. +Konqueror is more than a web browser as it is also a file manager and a multimedia viewer. +Supports WebKit as well as its own KHTML. +WebKit is a rendering engine used by many modern browsers including Chromium. Konqueror can be installed as a package by typing: @@ -142,7 +150,9 @@ To install from the Ports Collection: === Chromium -Chromium is an open source browser project that aims to build a safer, faster, and more stable web browsing experience. Chromium features tabbed browsing, popup blocking, extensions, and much more. Chromium is the open source project upon which the Google Chrome web browser is based. +Chromium is an open source browser project that aims to build a safer, faster, and more stable web browsing experience. +Chromium features tabbed browsing, popup blocking, extensions, and much more. +Chromium is the open source project upon which the Google Chrome web browser is based. Chromium can be installed as a package by typing: @@ -167,7 +177,9 @@ The executable for Chromium is [.filename]#/usr/local/bin/chrome#, not [.filenam [[desktop-productivity]] == Productivity -When it comes to productivity, users often look for an office suite or an easy-to-use word processor. While some <<x11-wm,desktop environments>> like KDE provide an office suite, there is no default productivity package. Several office suites and graphical word processors are available for FreeBSD, regardless of the installed window manager. +When it comes to productivity, users often look for an office suite or an easy-to-use word processor. +While some <<x11-wm,desktop environments>> like KDE provide an office suite, there is no default productivity package. +Several office suites and graphical word processors are available for FreeBSD, regardless of the installed window manager. This section demonstrates how to install the following popular productivity software and indicates if the application is resource-heavy, takes time to compile from ports, or has any major dependencies. @@ -207,9 +219,12 @@ This section demonstrates how to install the following popular productivity soft === Calligra -The KDE desktop environment includes an office suite which can be installed separately from KDE. Calligra includes standard components that can be found in other office suites. Words is the word processor, Sheets is the spreadsheet program, Stage manages slide presentations, and Karbon is used to draw graphical documents. +The KDE desktop environment includes an office suite which can be installed separately from KDE. +Calligra includes standard components that can be found in other office suites. +Words is the word processor, Sheets is the spreadsheet program, Stage manages slide presentations, and Karbon is used to draw graphical documents. -In FreeBSD, package:editors/calligra[] can be installed as a package or a port. To install the package: +In FreeBSD, package:editors/calligra[] can be installed as a package or a port. +To install the package: [source,shell] .... @@ -226,7 +241,8 @@ If the package is not available, use the Ports Collection instead: === AbiWord -AbiWord is a free word processing program similar in look and feel to Microsoft(R) Word. It is fast, contains many features, and is user-friendly. +AbiWord is a free word processing program similar in look and feel to Microsoft(R) Word. +It is fast, contains many features, and is user-friendly. AbiWord can import or export many file formats, including some proprietary ones like Microsoft(R) [.filename]#.rtf#. @@ -247,7 +263,10 @@ If the package is not available, it can be compiled from the Ports Collection: === The GIMP -For image authoring or picture retouching, The GIMP provides a sophisticated image manipulation program. It can be used as a simple paint program or as a quality photo retouching suite. It supports a large number of plugins and features a scripting interface. The GIMP can read and write a wide range of file formats and supports interfaces with scanners and tablets. +For image authoring or picture retouching, The GIMP provides a sophisticated image manipulation program. +It can be used as a simple paint program or as a quality photo retouching suite. +It supports a large number of plugins and features a scripting interface. +The GIMP can read and write a wide range of file formats and supports interfaces with scanners and tablets. To install the package: @@ -268,9 +287,16 @@ The graphics category (https://www.FreeBSD.org/ports/graphics/[freebsd.org/ports === Apache OpenOffice -Apache OpenOffice is an open source office suite which is developed under the wing of the Apache Software Foundation's Incubator. It includes all of the applications found in a complete office productivity suite: a word processor, spreadsheet, presentation manager, and drawing program. Its user interface is similar to other office suites, and it can import and export in various popular file formats. It is available in a number of different languages and internationalization has been extended to interfaces, spell checkers, and dictionaries. +Apache OpenOffice is an open source office suite which is developed under the wing of the Apache Software Foundation's Incubator. +It includes all of the applications found in a complete office productivity suite: a word processor, spreadsheet, presentation manager, and drawing program. +Its user interface is similar to other office suites, and it can import and export in various popular file formats. +It is available in a number of different languages and internationalization has been extended to interfaces, spell checkers, and dictionaries. -The word processor of Apache OpenOffice uses a native XML file format for increased portability and flexibility. The spreadsheet program features a macro language which can be interfaced with external databases. Apache OpenOffice is stable and runs natively on Windows(R), Solaris(TM), Linux(R), FreeBSD, and Mac OS(R) X. More information about Apache OpenOffice can be found at http://openoffice.org/[openoffice.org]. For FreeBSD specific information refer to http://porting.openoffice.org/freebsd/[porting.openoffice.org/freebsd/]. +The word processor of Apache OpenOffice uses a native XML file format for increased portability and flexibility. +The spreadsheet program features a macro language which can be interfaced with external databases. +Apache OpenOffice is stable and runs natively on Windows(R), Solaris(TM), Linux(R), FreeBSD, and Mac OS(R) X. +More information about Apache OpenOffice can be found at http://openoffice.org/[openoffice.org]. +For FreeBSD specific information refer to http://porting.openoffice.org/freebsd/[porting.openoffice.org/freebsd/]. To install the Apache OpenOffice package: @@ -286,9 +312,11 @@ Once the package is installed, type the following command to launch Apache OpenO % openoffice-X.Y.Z .... -where _X.Y.Z_ is the version number of the installed version of Apache OpenOffice. The first time Apache OpenOffice launches, some questions will be asked and a [.filename]#.openoffice.org# folder will be created in the user's home directory. +where _X.Y.Z_ is the version number of the installed version of Apache OpenOffice. +The first time Apache OpenOffice launches, some questions will be asked and a [.filename]#.openoffice.org# folder will be created in the user's home directory. -If the desired Apache OpenOffice package is not available, compiling the port is still an option. However, this requires a lot of disk space and a fairly long time to compile: +If the desired Apache OpenOffice package is not available, compiling the port is still an option. +However, this requires a lot of disk space and a fairly long time to compile: [source,shell] .... @@ -305,14 +333,21 @@ To build a localized version, replace the previous command with: # make LOCALIZED_LANG=your_language install clean .... -Replace _your_language_ with the correct language ISO-code. A list of supported language codes is available in [.filename]#files/Makefile.localized#, located in the port's directory. +Replace _your_language_ with the correct language ISO-code. +A list of supported language codes is available in [.filename]#files/Makefile.localized#, located in the port's directory. ==== === LibreOffice -LibreOffice is a free software office suite developed by http://www.documentfoundation.org/[documentfoundation.org]. It is compatible with other major office suites and available on a variety of platforms. It is a rebranded fork of Apache OpenOffice and includes applications found in a complete office productivity suite: a word processor, spreadsheet, presentation manager, drawing program, database management program, and a tool for creating and editing mathematical formulæ. It is available in a number of different languages and internationalization has been extended to interfaces, spell checkers, and dictionaries. +LibreOffice is a free software office suite developed by http://www.documentfoundation.org/[documentfoundation.org]. +It is compatible with other major office suites and available on a variety of platforms. +It is a rebranded fork of Apache OpenOffice and includes applications found in a complete office productivity suite: a word processor, spreadsheet, presentation manager, drawing program, database management program, and a tool for creating and editing mathematical formulæ. +It is available in a number of different languages and internationalization has been extended to interfaces, spell checkers, and dictionaries. -The word processor of LibreOffice uses a native XML file format for increased portability and flexibility. The spreadsheet program features a macro language which can be interfaced with external databases. LibreOffice is stable and runs natively on Windows(R), Linux(R), FreeBSD, and Mac OS(R) X. More information about LibreOffice can be found at http://www.libreoffice.org/[libreoffice.org]. +The word processor of LibreOffice uses a native XML file format for increased portability and flexibility. +The spreadsheet program features a macro language which can be interfaced with external databases. +LibreOffice is stable and runs natively on Windows(R), Linux(R), FreeBSD, and Mac OS(R) X. +More information about LibreOffice can be found at http://www.libreoffice.org/[libreoffice.org]. To install the English version of the LibreOffice package: @@ -321,7 +356,8 @@ To install the English version of the LibreOffice package: # pkg install libreoffice .... -The editors category (https://www.FreeBSD.org/ports/editors/[freebsd.org/ports/editors/]) of the Ports Collection contains several localizations for LibreOffice. When installing a localized package, replace `libreoffice` with the name of the localized package. +The editors category (https://www.FreeBSD.org/ports/editors/[freebsd.org/ports/editors/]) of the Ports Collection contains several localizations for LibreOffice. +When installing a localized package, replace `libreoffice` with the name of the localized package. Once the package is installed, type the following command to run LibreOffice: @@ -332,7 +368,9 @@ Once the package is installed, type the following command to run LibreOffice: During the first launch, some questions will be asked and a [.filename]#.libreoffice# folder will be created in the user's home directory. -If the desired LibreOffice package is not available, compiling the port is still an option. However, this requires a lot of disk space and a fairly long time to compile. This example compiles the English version: +If the desired LibreOffice package is not available, compiling the port is still an option. +However, this requires a lot of disk space and a fairly long time to compile. +This example compiles the English version: [source,shell] .... @@ -342,13 +380,15 @@ If the desired LibreOffice package is not available, compiling the port is still [NOTE] ==== -To build a localized version, `cd` into the port directory of the desired language. Supported languages can be found in the editors category (https://www.FreeBSD.org/ports/editors/[freebsd.org/ports/editors/]) of the Ports Collection. +To build a localized version, `cd` into the port directory of the desired language. +Supported languages can be found in the editors category (https://www.FreeBSD.org/ports/editors/[freebsd.org/ports/editors/]) of the Ports Collection. ==== [[desktop-viewers]] == Document Viewers -Some new document formats have gained popularity since the advent of UNIX(R) and the viewers they require may not be available in the base system. This section demonstrates how to install the following document viewers: +Some new document formats have gained popularity since the advent of UNIX(R) and the viewers they require may not be available in the base system. +This section demonstrates how to install the following document viewers: [.informaltable] [cols="1,1,1,1", frame="none", options="header"] @@ -386,7 +426,8 @@ Some new document formats have gained popularity since the advent of UNIX(R) and === Xpdf -For users that prefer a small FreeBSD PDF viewer, Xpdf provides a light-weight and efficient viewer which requires few resources. It uses the standard X fonts and does not require any additional toolkits. +For users that prefer a small FreeBSD PDF viewer, Xpdf provides a light-weight and efficient viewer which requires few resources. +It uses the standard X fonts and does not require any additional toolkits. To install the Xpdf package: @@ -407,7 +448,10 @@ Once the installation is complete, launch `xpdf` and use the right mouse button === gv -gv is a PostScript(R) and PDF viewer. It is based on ghostview, but has a nicer look as it is based on the Xaw3d widget toolkit. gv has many configurable features, such as orientation, paper size, scale, and anti-aliasing. Almost any operation can be performed with either the keyboard or the mouse. +gv is a PostScript(R) and PDF viewer. +It is based on ghostview, but has a nicer look as it is based on the Xaw3d widget toolkit. +gv has many configurable features, such as orientation, paper size, scale, and anti-aliasing. +Almost any operation can be performed with either the keyboard or the mouse. To install gv as a package: @@ -426,7 +470,10 @@ If a package is unavailable, use the Ports Collection: === Geeqie -Geeqie is a fork from the unmaintained GQView project, in an effort to move development forward and integrate the existing patches. Geeqie is an image manager which supports viewing a file with a single click, launching an external editor, and thumbnail previews. It also features a slideshow mode and some basic file operations, making it easy to manage image collections and to find duplicate files. Geeqie supports full screen viewing and internationalization. +Geeqie is a fork from the unmaintained GQView project, in an effort to move development forward and integrate the existing patches. +Geeqie is an image manager which supports viewing a file with a single click, launching an external editor, and thumbnail previews. +It also features a slideshow mode and some basic file operations, making it easy to manage image collections and to find duplicate files. +Geeqie supports full screen viewing and internationalization. To install the Geeqie package: @@ -445,7 +492,8 @@ If the package is not available, use the Ports Collection: === ePDFView -ePDFView is a lightweight `PDF` document viewer that only uses the Gtk+ and Poppler libraries. It is currently under development, but already opens most `PDF` files (even encrypted), save copies of documents, and has support for printing using CUPS. +ePDFView is a lightweight `PDF` document viewer that only uses the Gtk+ and Poppler libraries. +It is currently under development, but already opens most `PDF` files (even encrypted), save copies of documents, and has support for printing using CUPS. To install ePDFView as a package: @@ -464,7 +512,8 @@ If a package is unavailable, use the Ports Collection: === Okular -Okular is a universal document viewer based on KPDF for KDE. It can open many document formats, including `PDF`, PostScript(R), DjVu, `CHM`, `XPS`, and ePub. +Okular is a universal document viewer based on KPDF for KDE. +It can open many document formats, including `PDF`, PostScript(R), DjVu, `CHM`, `XPS`, and ePub. To install Okular as a package: @@ -484,7 +533,8 @@ If a package is unavailable, use the Ports Collection: [[desktop-finance]] == Finance -For managing personal finances on a FreeBSD desktop, some powerful and easy-to-use applications can be installed. Some are compatible with widespread file formats, such as the formats used by Quicken and Excel. +For managing personal finances on a FreeBSD desktop, some powerful and easy-to-use applications can be installed. +Some are compatible with widespread file formats, such as the formats used by Quicken and Excel. This section covers these programs: @@ -514,9 +564,14 @@ This section covers these programs: === GnuCash -GnuCash is part of the GNOME effort to provide user-friendly, yet powerful, applications to end-users. GnuCash can be used to keep track of income and expenses, bank accounts, and stocks. It features an intuitive interface while remaining professional. +GnuCash is part of the GNOME effort to provide user-friendly, yet powerful, applications to end-users. +GnuCash can be used to keep track of income and expenses, bank accounts, and stocks. +It features an intuitive interface while remaining professional. -GnuCash provides a smart register, a hierarchical system of accounts, and many keyboard accelerators and auto-completion methods. It can split a single transaction into several more detailed pieces. GnuCash can import and merge Quicken QIF files. It also handles most international date and currency formats. +GnuCash provides a smart register, a hierarchical system of accounts, and many keyboard accelerators and auto-completion methods. +It can split a single transaction into several more detailed pieces. +GnuCash can import and merge Quicken QIF files. +It also handles most international date and currency formats. To install the GnuCash package: @@ -535,7 +590,10 @@ If the package is not available, use the Ports Collection: === Gnumeric -Gnumeric is a spreadsheet program developed by the GNOME community. It features convenient automatic guessing of user input according to the cell format with an autofill system for many sequences. It can import files in a number of popular formats, including Excel, Lotus 1-2-3, and Quattro Pro. It has a large number of built-in functions and allows all of the usual cell formats such as number, currency, date, time, and much more. +Gnumeric is a spreadsheet program developed by the GNOME community. +It features convenient automatic guessing of user input according to the cell format with an autofill system for many sequences. +It can import files in a number of popular formats, including Excel, Lotus 1-2-3, and Quattro Pro. +It has a large number of built-in functions and allows all of the usual cell formats such as number, currency, date, time, and much more. To install Gnumeric as a package: @@ -554,7 +612,10 @@ If the package is not available, use the Ports Collection: === KMyMoney -KMyMoney is a personal finance application created by the KDE community. KMyMoney aims to provide the important features found in commercial personal finance manager applications. It also highlights ease-of-use and proper double-entry accounting among its features. KMyMoney imports from standard Quicken QIF files, tracks investments, handles multiple currencies, and provides a wealth of reports. +KMyMoney is a personal finance application created by the KDE community. +KMyMoney aims to provide the important features found in commercial personal finance manager applications. +It also highlights ease-of-use and proper double-entry accounting among its features. +KMyMoney imports from standard Quicken QIF files, tracks investments, handles multiple currencies, and provides a wealth of reports. To install KMyMoney as a package: diff --git a/documentation/content/en/books/handbook/disks/_index.adoc b/documentation/content/en/books/handbook/disks/_index.adoc index b4a70ff4bf..48a25940f0 100644 --- a/documentation/content/en/books/handbook/disks/_index.adoc +++ b/documentation/content/en/books/handbook/disks/_index.adoc @@ -46,7 +46,8 @@ toc::[] [[disks-synopsis]] == Synopsis -This chapter covers the use of disks and storage media in FreeBSD. This includes SCSI and IDE disks, CD and DVD media, memory-backed disks, and USB storage devices. +This chapter covers the use of disks and storage media in FreeBSD. +This includes SCSI and IDE disks, CD and DVD media, memory-backed disks, and USB storage devices. After reading this chapter, you will know: @@ -68,18 +69,24 @@ Before reading this chapter, you should: [[disks-adding]] == Adding Disks -This section describes how to add a new SATA disk to a machine that currently only has a single drive. First, turn off the computer and install the drive in the computer following the instructions of the computer, controller, and drive manufacturers. Reboot the system and become `root`. +This section describes how to add a new SATA disk to a machine that currently only has a single drive. +First, turn off the computer and install the drive in the computer following the instructions of the computer, controller, and drive manufacturers. +Reboot the system and become `root`. -Inspect [.filename]#/var/run/dmesg.boot# to ensure the new disk was found. In this example, the newly added SATA drive will appear as [.filename]#ada1#. +Inspect [.filename]#/var/run/dmesg.boot# to ensure the new disk was found. +In this example, the newly added SATA drive will appear as [.filename]#ada1#. -For this example, a single large partition will be created on the new disk. The http://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning scheme will be used in preference to the older and less versatile MBR scheme. +For this example, a single large partition will be created on the new disk. +The http://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning scheme will be used in preference to the older and less versatile MBR scheme. [NOTE] ==== -If the disk to be added is not blank, old partition information can be removed with `gpart delete`. See man:gpart[8] for details. +If the disk to be added is not blank, old partition information can be removed with `gpart delete`. +See man:gpart[8] for details. ==== -The partition scheme is created, and then a single partition is added. To improve performance on newer disks with larger hardware block sizes, the partition is aligned to one megabyte boundaries: +The partition scheme is created, and then a single partition is added. +To improve performance on newer disks with larger hardware block sizes, the partition is aligned to one megabyte boundaries: [source,shell] .... @@ -87,7 +94,8 @@ The partition scheme is created, and then a single partition is added. To improv # gpart add -t freebsd-ufs -a 1M ada1 .... -Depending on use, several smaller partitions may be desired. See man:gpart[8] for options to create partitions smaller than a whole disk. +Depending on use, several smaller partitions may be desired. +See man:gpart[8] for options to create partitions smaller than a whole disk. The disk partition information can be viewed with `gpart show`: @@ -131,9 +139,13 @@ The new disk can be mounted manually, without restarting the system: [[disks-growing]] == Resizing and Growing Disks -A disk's capacity can increase without any changes to the data already present. This happens commonly with virtual machines, when the virtual disk turns out to be too small and is enlarged. Sometimes a disk image is written to a USB memory stick, but does not use the full capacity. Here we describe how to resize or _grow_ disk contents to take advantage of increased capacity. +A disk's capacity can increase without any changes to the data already present. +This happens commonly with virtual machines, when the virtual disk turns out to be too small and is enlarged. +Sometimes a disk image is written to a USB memory stick, but does not use the full capacity. +Here we describe how to resize or _grow_ disk contents to take advantage of increased capacity. -Determine the device name of the disk to be resized by inspecting [.filename]#/var/run/dmesg.boot#. In this example, there is only one SATA disk in the system, so the drive will appear as [.filename]#ada0#. +Determine the device name of the disk to be resized by inspecting [.filename]#/var/run/dmesg.boot#. +In this example, there is only one SATA disk in the system, so the drive will appear as [.filename]#ada0#. List the partitions on the disk to see the current configuration: @@ -149,7 +161,8 @@ List the partitions on the disk to see the current configuration: [NOTE] ==== -If the disk was formatted with the http://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning scheme, it may show as "corrupted" because the GPT backup partition table is no longer at the end of the drive. Fix the backup partition table with `gpart`: +If the disk was formatted with the http://en.wikipedia.org/wiki/GUID_Partition_Table[GPT] partitioning scheme, it may show as "corrupted" because the GPT backup partition table is no longer at the end of the drive. +Fix the backup partition table with `gpart`: [source,shell] .... @@ -171,7 +184,9 @@ Now the additional space on the disk is available for use by a new partition, or 83886046 18513921 - free - (8.8G) .... -Partitions can only be resized into contiguous free space. Here, the last partition on the disk is the swap partition, but the second partition is the one that needs to be resized. Swap partitions only contain temporary data, so it can safely be unmounted, deleted, and then recreate the third partition after resizing the second partition. +Partitions can only be resized into contiguous free space. +Here, the last partition on the disk is the swap partition, but the second partition is the one that needs to be resized. +Swap partitions only contain temporary data, so it can safely be unmounted, deleted, and then recreate the third partition after resizing the second partition. Disable the swap partition: @@ -196,7 +211,9 @@ ada0p3 deleted [WARNING] ==== -There is risk of data loss when modifying the partition table of a mounted file system. It is best to perform the following steps on an unmounted file system while running from a live CD-ROM or USB device. However, if absolutely necessary, a mounted file system can be resized after disabling GEOM safety features: +There is risk of data loss when modifying the partition table of a mounted file system. +It is best to perform the following steps on an unmounted file system while running from a live CD-ROM or USB device. +However, if absolutely necessary, a mounted file system can be resized after disabling GEOM safety features: [source,shell] .... @@ -205,7 +222,11 @@ There is risk of data loss when modifying the partition table of a mounted file ==== -Resize the partition, leaving room to recreate a swap partition of the desired size. The partition to resize is specified with `-i`, and the new desired size with `-s`. Optionally, alignment of the partition is controlled with `-a`. This only modifies the size of the partition. The file system in the partition will be expanded in a separate step. +Resize the partition, leaving room to recreate a swap partition of the desired size. +The partition to resize is specified with `-i`, and the new desired size with `-s`. +Optionally, alignment of the partition is controlled with `-a`. +This only modifies the size of the partition. +The file system in the partition will be expanded in a separate step. [source,shell] .... @@ -218,7 +239,8 @@ ada0p2 resized 98566306 3833661 - free - (1.8G) .... -Recreate the swap partition and activate it. If no size is specified with `-s`, all remaining space is used: +Recreate the swap partition and activate it. +If no size is specified with `-s`, all remaining space is used: [source,shell] .... @@ -257,14 +279,17 @@ Both the partition and the file system on it have now been resized to use the ne [[usb-disks]] == USB Storage Devices -Many external storage solutions, such as hard drives, USB thumbdrives, and CD and DVD burners, use the Universal Serial Bus (USB). FreeBSD provides support for USB 1.x, 2.0, and 3.0 devices. +Many external storage solutions, such as hard drives, USB thumbdrives, and CD and DVD burners, use the Universal Serial Bus (USB). +FreeBSD provides support for USB 1.x, 2.0, and 3.0 devices. [NOTE] ==== -USB 3.0 support is not compatible with some hardware, including Haswell (Lynx point) chipsets. If FreeBSD boots with a `failed with error 19` message, disable xHCI/USB3 in the system BIOS. +USB 3.0 support is not compatible with some hardware, including Haswell (Lynx point) chipsets. +If FreeBSD boots with a `failed with error 19` message, disable xHCI/USB3 in the system BIOS. ==== -Support for USB storage devices is built into the [.filename]#GENERIC# kernel. For a custom kernel, be sure that the following lines are present in the kernel configuration file: +Support for USB storage devices is built into the [.filename]#GENERIC# kernel. +For a custom kernel, be sure that the following lines are present in the kernel configuration file: [.programlisting] .... @@ -280,13 +305,16 @@ device umass # Disks/Mass storage - Requires scbus and da device cd # needed for CD and DVD burners .... -FreeBSD uses the man:umass[4] driver which uses the SCSI subsystem to access USB storage devices. Since any USB device will be seen as a SCSI device by the system, if the USB device is a CD or DVD burner, do _not_ include `device atapicam` in a custom kernel configuration file. +FreeBSD uses the man:umass[4] driver which uses the SCSI subsystem to access USB storage devices. +Since any USB device will be seen as a SCSI device by the system, if the USB device is a CD or DVD burner, do _not_ include `device atapicam` in a custom kernel configuration file. The rest of this section demonstrates how to verify that a USB storage device is recognized by FreeBSD and how to configure the device so that it can be used. === Device Configuration -To test the USB configuration, plug in the USB device. Use `dmesg` to confirm that the drive appears in the system message buffer. It should look something like this: +To test the USB configuration, plug in the USB device. +Use `dmesg` to confirm that the drive appears in the system message buffer. +It should look something like this: [source,shell] .... @@ -311,7 +339,8 @@ Since the USB device is seen as a SCSI one, `camcontrol` can be used to list the <STECH Simple Drive 1.04> at scbus4 target 0 lun 0 (pass3,da0) .... -Alternately, `usbconfig` can be used to list the device. Refer to man:usbconfig[8] for more information about this command. +Alternately, `usbconfig` can be used to list the device. +Refer to man:usbconfig[8] for more information about this command. [source,shell] .... @@ -319,15 +348,17 @@ Alternately, `usbconfig` can be used to list the device. Refer to man:usbconfig[ ugen0.3: <Simple Drive STECH> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (2mA) .... -If the device has not been formatted, refer to <<disks-adding>> for instructions on how to format and create partitions on the USB drive. If the drive comes with a file system, it can be mounted by `root` using the instructions in crossref:basics[mount-unmount,“Mounting and Unmounting File Systems”]. +If the device has not been formatted, refer to <<disks-adding>> for instructions on how to format and create partitions on the USB drive. +If the drive comes with a file system, it can be mounted by `root` using the instructions in crossref:basics[mount-unmount,“Mounting and Unmounting File Systems”]. [WARNING] ==== - -Allowing untrusted users to mount arbitrary media, by enabling `vfs.usermount` as described below, should not be considered safe from a security point of view. Most file systems were not built to safeguard against malicious devices. +Allowing untrusted users to mount arbitrary media, by enabling `vfs.usermount` as described below, should not be considered safe from a security point of view. +Most file systems were not built to safeguard against malicious devices. ==== -To make the device mountable as a normal user, one solution is to make all users of the device a member of the `operator` group using man:pw[8]. Next, ensure that `operator` is able to read and write the device by adding these lines to [.filename]#/etc/devfs.rules#: +To make the device mountable as a normal user, one solution is to make all users of the device a member of the `operator` group using man:pw[8]. +Next, ensure that `operator` is able to read and write the device by adding these lines to [.filename]#/etc/devfs.rules#: [.programlisting] .... @@ -344,7 +375,9 @@ If internal SCSI disks are also installed in the system, change the second line add path 'da[3-9]*' mode 0660 group operator .... -This will exclude the first three SCSI disks ([.filename]#da0# to [.filename]#da2#)from belonging to the `operator` group. Replace _3_ with the number of internal SCSI disks. Refer to man:devfs.rules[5] for more information about this file. +This will exclude the first three SCSI disks ([.filename]#da0# to [.filename]#da2#) from belonging to the `operator` group. +Replace _3_ with the number of internal SCSI disks. +Refer to man:devfs.rules[5] for more information about this file. ==== Next, enable the ruleset in [.filename]#/etc/rc.conf#: @@ -369,7 +402,10 @@ Since this only takes effect after the next reboot, use `sysctl` to set this var vfs.usermount: 0 -> 1 .... -The final step is to create a directory where the file system is to be mounted. This directory needs to be owned by the user that is to mount the file system. One way to do that is for `root` to create a subdirectory owned by that user as [.filename]#/mnt/username#. In the following example, replace _username_ with the login name of the user and _usergroup_ with the user's primary group: +The final step is to create a directory where the file system is to be mounted. +This directory needs to be owned by the user that is to mount the file system. +One way to do that is for `root` to create a subdirectory owned by that user as [.filename]#/mnt/username#. +In the following example, replace _username_ with the login name of the user and _usergroup_ with the user's primary group: [source,shell] .... @@ -377,7 +413,8 @@ The final step is to create a directory where the file system is to be mounted. # chown username:usergroup /mnt/username .... -Suppose a USB thumbdrive is plugged in, and a device [.filename]#/dev/da0s1# appears. If the device is formatted with a FAT file system, the user can mount it using: +Suppose a USB thumbdrive is plugged in, and a device [.filename]#/dev/da0s1# appears. +If the device is formatted with a FAT file system, the user can mount it using: [source,shell] .... @@ -448,28 +485,38 @@ Start the services immediately with: # service devd start .... -Each file system that can be automatically mounted appears as a directory in [.filename]#/media/#. The directory is named after the file system label. If the label is missing, the directory is named after the device node. +Each file system that can be automatically mounted appears as a directory in [.filename]#/media/#. +The directory is named after the file system label. +If the label is missing, the directory is named after the device node. -The file system is transparently mounted on the first access, and unmounted after a period of inactivity. Automounted drives can also be unmounted manually: +The file system is transparently mounted on the first access, and unmounted after a period of inactivity. +Automounted drives can also be unmounted manually: [source,shell] .... # automount -fu .... -This mechanism is typically used for memory cards and USB memory sticks. It can be used with any block device, including optical drives or iSCSILUNs. +This mechanism is typically used for memory cards and USB memory sticks. +It can be used with any block device, including optical drives or iSCSILUNs. [[creating-cds]] == Creating and Using CD Media -Compact Disc (CD) media provide a number of features that differentiate them from conventional disks. They are designed so that they can be read continuously without delays to move the head between tracks. While CD media do have tracks, these refer to a section of data to be read continuously, and not a physical property of the disk. The ISO 9660 file system was designed to deal with these differences. +Compact Disc (CD) media provide a number of features that differentiate them from conventional disks. +They are designed so that they can be read continuously without delays to move the head between tracks. +While CD media do have tracks, these refer to a section of data to be read continuously, and not a physical property of the disk. +The ISO 9660 file system was designed to deal with these differences. -The FreeBSD Ports Collection provides several utilities for burning and duplicating audio and data CDs. This chapter demonstrates the use of several command line utilities. For CD burning software with a graphical utility, consider installing the package:sysutils/xcdroast[] or package:sysutils/k3b[] packages or ports. +The FreeBSD Ports Collection provides several utilities for burning and duplicating audio and data CDs. +This chapter demonstrates the use of several command line utilities. +For CD burning software with a graphical utility, consider installing the package:sysutils/xcdroast[] or package:sysutils/k3b[] packages or ports. [[atapicam]] === Supported Devices -The [.filename]#GENERIC# kernel provides support for SCSI, USB, and ATAPICD readers and burners. If a custom kernel is used, the options that need to be present in the kernel configuration file vary by the type of device. +The [.filename]#GENERIC# kernel provides support for SCSI, USB, and ATAPICD readers and burners. +If a custom kernel is used, the options that need to be present in the kernel configuration file vary by the type of device. For a SCSI burner, make sure these options are present: @@ -526,7 +573,8 @@ atapicam_load="YES" This will require a reboot of the system as this driver can only be loaded at boot time. ==== -To verify that FreeBSD recognizes the device, run `dmesg` and look for an entry for the device. On systems prior to 10.x, the device name in the first line of the output will be [.filename]#acd0# instead of [.filename]#cd0#. +To verify that FreeBSD recognizes the device, run `dmesg` and look for an entry for the device. +On systems prior to 10.x, the device name in the first line of the output will be [.filename]#acd0# instead of [.filename]#cd0#. [source,shell] .... @@ -541,9 +589,11 @@ cd0: Attempt to query device size failed: NOT READY, Medium not present - tray c [[cdrecord]] === Burning a CD -In FreeBSD, `cdrecord` can be used to burn CDs. This command is installed with the package:sysutils/cdrtools[] package or port. +In FreeBSD, `cdrecord` can be used to burn CDs. +This command is installed with the package:sysutils/cdrtools[] package or port. -While `cdrecord` has many options, basic usage is simple. Specify the name of the ISO file to burn and, if the system has multiple burner devices, specify the name of the device to use: +While `cdrecord` has many options, basic usage is simple. +Specify the name of the ISO file to burn and, if the system has multiple burner devices, specify the name of the device to use: [source,shell] .... @@ -577,7 +627,9 @@ scsibus1: 1,7,0 107) * .... -Locate the entry for the CD burner and use the three numbers separated by commas as the value for `dev`. In this case, the Yamaha burner device is `1,5,0`, so the appropriate input to specify that device is `dev=1,5,0`. Refer to the manual page for `cdrecord` for other ways to specify this value and for information on writing audio tracks and controlling the write speed. +Locate the entry for the CD burner and use the three numbers separated by commas as the value for `dev`. +In this case, the Yamaha burner device is `1,5,0`, so the appropriate input to specify that device is `dev=1,5,0`. +Refer to the manual page for `cdrecord` for other ways to specify this value and for information on writing audio tracks and controlling the write speed. Alternately, run the following command to get the device address of the burner: @@ -587,12 +639,15 @@ Alternately, run the following command to get the device address of the burner: <MATSHITA CDRW/DVD UJDA740 1.00> at scbus1 target 0 lun 0 (cd0,pass0) .... -Use the numeric values for `scbus`, `target`, and `lun`. For this example, `1,0,0` is the device name to use. +Use the numeric values for `scbus`, `target`, and `lun`. +For this example, `1,0,0` is the device name to use. [[mkisofs]] === Writing Data to an ISO File System -In order to produce a data CD, the data files that are going to make up the tracks on the CD must be prepared before they can be burned to the CD. In FreeBSD, package:sysutils/cdrtools[] installs `mkisofs`, which can be used to produce an ISO 9660 file system that is an image of a directory tree within a UNIX(R) file system. The simplest usage is to specify the name of the ISO file to create and the path to the files to place into the ISO 9660 file system: +In order to produce a data CD, the data files that are going to make up the tracks on the CD must be prepared before they can be burned to the CD. +In FreeBSD, package:sysutils/cdrtools[] installs `mkisofs`, which can be used to produce an ISO 9660 file system that is an image of a directory tree within a UNIX(R) file system. +The simplest usage is to specify the name of the ISO file to create and the path to the files to place into the ISO 9660 file system: [source,shell] .... @@ -601,11 +656,19 @@ In order to produce a data CD, the data files that are going to make up the trac This command maps the file names in the specified path to names that fit the limitations of the standard ISO 9660 file system, and will exclude files that do not meet the standard for ISO file systems. -A number of options are available to overcome the restrictions imposed by the standard. In particular, `-R` enables the Rock Ridge extensions common to UNIX(R) systems and `-J` enables Joliet extensions used by Microsoft(R) systems. +A number of options are available to overcome the restrictions imposed by the standard. +In particular, `-R` enables the Rock Ridge extensions common to UNIX(R) systems and `-J` enables Joliet extensions used by Microsoft(R) systems. -For CDs that are going to be used only on FreeBSD systems, `-U` can be used to disable all filename restrictions. When used with `-R`, it produces a file system image that is identical to the specified FreeBSD tree, even if it violates the ISO 9660 standard. +For CDs that are going to be used only on FreeBSD systems, `-U` can be used to disable all filename restrictions. +When used with `-R`, it produces a file system image that is identical to the specified FreeBSD tree, even if it violates the ISO 9660 standard. -The last option of general use is `-b`. This is used to specify the location of a boot image for use in producing an "El Torito" bootable CD. This option takes an argument which is the path to a boot image from the top of the tree being written to the CD. By default, `mkisofs` creates an ISO image in "floppy disk emulation" mode, and thus expects the boot image to be exactly 1200, 1440 or 2880 KB in size. Some boot loaders, like the one used by the FreeBSD distribution media, do not use emulation mode. In this case, `-no-emul-boot` should be used. So, if [.filename]#/tmp/myboot# holds a bootable FreeBSD system with the boot image in [.filename]#/tmp/myboot/boot/cdboot#, this command would produce [.filename]#/tmp/bootable.iso#: +The last option of general use is `-b`. +This is used to specify the location of a boot image for use in producing an "El Torito" bootable CD. +This option takes an argument which is the path to a boot image from the top of the tree being written to the CD. +By default, `mkisofs` creates an ISO image in "floppy disk emulation" mode, and thus expects the boot image to be exactly 1200, 1440 or 2880 KB in size. +Some boot loaders, like the one used by the FreeBSD distribution media, do not use emulation mode. +In this case, `-no-emul-boot` should be used. +So, if [.filename]#/tmp/myboot# holds a bootable FreeBSD system with the boot image in [.filename]#/tmp/myboot/boot/cdboot#, this command would produce [.filename]#/tmp/bootable.iso#: [source,shell] .... @@ -622,11 +685,13 @@ The resulting ISO image can be mounted as a memory disk with: One can then verify that [.filename]#/mnt# and [.filename]#/tmp/myboot# are identical. -There are many other options available for `mkisofs` to fine-tune its behavior. Refer to man:mkisofs[8] for details. +There are many other options available for `mkisofs` to fine-tune its behavior. +Refer to man:mkisofs[8] for details. [NOTE] ==== -It is possible to copy a data CD to an image file that is functionally equivalent to the image file created with `mkisofs`. To do so, use [.filename]#dd# with the device name as the input file and the name of the ISO to create as the output file: +It is possible to copy a data CD to an image file that is functionally equivalent to the image file created with `mkisofs`. +To do so, use [.filename]#dd# with the device name as the input file and the name of the ISO to create as the output file: [source,shell] .... @@ -648,11 +713,15 @@ Once an ISO has been burned to a CD, it can be mounted by specifying the file sy Since `mount` assumes that a file system is of type `ufs`, an `Incorrect super block` error will occur if `-t cd9660` is not included when mounting a data CD. -While any data CD can be mounted this way, disks with certain ISO 9660 extensions might behave oddly. For example, Joliet disks store all filenames in two-byte Unicode characters. If some non-English characters show up as question marks, specify the local charset with `-C`. For more information, refer to man:mount_cd9660[8]. +While any data CD can be mounted this way, disks with certain ISO 9660 extensions might behave oddly. +For example, Joliet disks store all filenames in two-byte Unicode characters. +If some non-English characters show up as question marks, specify the local charset with `-C`. +For more information, refer to man:mount_cd9660[8]. [NOTE] ==== -In order to do this character conversion with the help of `-C`, the kernel requires the [.filename]#cd9660_iconv.ko# module to be loaded. This can be done either by adding this line to [.filename]#loader.conf#: +In order to do this character conversion with the help of `-C`, the kernel requires the [.filename]#cd9660_iconv.ko# module to be loaded. +This can be done either by adding this line to [.filename]#loader.conf#: [.programlisting] .... @@ -662,9 +731,13 @@ cd9660_iconv_load="YES" and then rebooting the machine, or by directly loading the module with `kldload`. ==== -Occasionally, `Device not configured` will be displayed when trying to mount a data CD. This usually means that the CD drive has not detected a disk in the tray, or that the drive is not visible on the bus. It can take a couple of seconds for a CD drive to detect media, so be patient. +Occasionally, `Device not configured` will be displayed when trying to mount a data CD. +This usually means that the CD drive has not detected a disk in the tray, or that the drive is not visible on the bus. +It can take a couple of seconds for a CD drive to detect media, so be patient. -Sometimes, a SCSICD drive may be missed because it did not have enough time to answer the bus reset. To resolve this, a custom kernel can be created which increases the default SCSI delay. Add the following option to the custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig-building,“Building and Installing a Custom Kernel”]: +Sometimes, a SCSICD drive may be missed because it did not have enough time to answer the bus reset. +To resolve this, a custom kernel can be created which increases the default SCSI delay. +Add the following option to the custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig-building,“Building and Installing a Custom Kernel”]: [.programlisting] .... @@ -675,9 +748,12 @@ This tells the SCSI bus to pause 15 seconds during boot, to give the CD drive ev [NOTE] ==== -It is possible to burn a file directly to CD, without creating an ISO 9660 file system. This is known as burning a raw data CD and some people do this for backup purposes. +It is possible to burn a file directly to CD, without creating an ISO 9660 file system. +This is known as burning a raw data CD and some people do this for backup purposes. -This type of disk can not be mounted as a normal data CD. In order to retrieve the data burned to such a CD, the data must be read from the raw device node. For example, this command will extract a compressed tar file located on the second CD device into the current working directory: +This type of disk can not be mounted as a normal data CD. +In order to retrieve the data burned to such a CD, the data must be read from the raw device node. +For example, this command will extract a compressed tar file located on the second CD device into the current working directory: [source,shell] .... @@ -692,35 +768,35 @@ In order to mount a data CD, the data must be written using `mkisofs`. To duplicate an audio CD, extract the audio data from the CD to a series of files, then write these files to a blank CD. -<<using-cdrecord>> describes how to duplicate and burn an audio CD. If the FreeBSD version is less than 10.0 and the device is ATAPI, the `atapicam` module must be first loaded using the instructions in <<atapicam>>. +<<using-cdrecord>> describes how to duplicate and burn an audio CD. +If the FreeBSD version is less than 10.0 and the device is ATAPI, the `atapicam` module must be first loaded using the instructions in <<atapicam>>. + [[using-cdrecord]] [.procedure] .Procedure: Duplicating an Audio CD . The package:sysutils/cdrtools[] package or port installs `cdda2wav`. This command can be used to extract all of the audio tracks, with each track written to a separate WAV file in the current working directory: + - [source,shell] .... % cdda2wav -vall -B -Owav .... - + -A device name does not need to be specified if there is only one CD device on the system. Refer to the `cdda2wav` manual page for instructions on how to specify a device and to learn more about the other options available for this command. +A device name does not need to be specified if there is only one CD device on the system. +Refer to the `cdda2wav` manual page for instructions on how to specify a device and to learn more about the other options available for this command. . Use `cdrecord` to write the [.filename]#.wav# files: + - [source,shell] .... % cdrecord -v dev=2,0 -dao -useinfo *.wav .... - + Make sure that _2,0_ is set appropriately, as described in <<cdrecord>>. [[creating-dvds]] == Creating and Using DVD Media -Compared to the CD, the DVD is the next generation of optical media storage technology. The DVD can hold more data than any CD and is the standard for video publishing. +Compared to the CD, the DVD is the next generation of optical media storage technology. +The DVD can hold more data than any CD and is the standard for video publishing. Five physical recordable formats can be defined for a recordable DVD: @@ -734,14 +810,19 @@ A single layer recordable DVD can hold up to 4,700,000,000 bytes which is actual [NOTE] ==== -A distinction must be made between the physical media and the application. For example, a DVD-Video is a specific file layout that can be written on any recordable DVD physical media such as DVD-R, DVD+R, or DVD-RW. Before choosing the type of media, ensure that both the burner and the DVD-Video player are compatible with the media under consideration. +A distinction must be made between the physical media and the application. +For example, a DVD-Video is a specific file layout that can be written on any recordable DVD physical media such as DVD-R, DVD+R, or DVD-RW. +Before choosing the type of media, ensure that both the burner and the DVD-Video player are compatible with the media under consideration. ==== === Configuration -To perform DVD recording, use man:growisofs[1]. This command is part of the package:sysutils/dvd+rw-tools[] utilities which support all DVD media types. +To perform DVD recording, use man:growisofs[1]. +This command is part of the package:sysutils/dvd+rw-tools[] utilities which support all DVD media types. -These tools use the SCSI subsystem to access the devices, therefore <<atapicam,ATAPI/CAM support>> must be loaded or statically compiled into the kernel. This support is not needed if the burner uses the USB interface. Refer to <<usb-disks>> for more details on USB device configuration. +These tools use the SCSI subsystem to access the devices, therefore <<atapicam,ATAPI/CAM support>> must be loaded or statically compiled into the kernel. +This support is not needed if the burner uses the USB interface. +Refer to <<usb-disks>> for more details on USB device configuration. DMA access must also be enabled for ATAPI devices, by adding the following line to [.filename]#/boot/loader.conf#: @@ -759,7 +840,8 @@ For a graphical user interface, consider using package:sysutils/k3b[] which prov === Burning Data DVDs -Since man:growisofs[1] is a front-end to <<mkisofs,mkisofs>>, it will invoke man:mkisofs[8] to create the file system layout and perform the write on the DVD. This means that an image of the data does not need to be created before the burning process. +Since man:growisofs[1] is a front-end to <<mkisofs,mkisofs>>, it will invoke man:mkisofs[8] to create the file system layout and perform the write on the DVD. +This means that an image of the data does not need to be created before the burning process. To burn to a DVD+R or a DVD-R the data in [.filename]#/path/to/data#, use the following command: @@ -768,9 +850,13 @@ To burn to a DVD+R or a DVD-R the data in [.filename]#/path/to/data#, use the fo # growisofs -dvd-compat -Z /dev/cd0 -J -R /path/to/data .... -In this example, `-J -R` is passed to man:mkisofs[8] to create an ISO 9660 file system with Joliet and Rock Ridge extensions. Refer to man:mkisofs[8] for more details. +In this example, `-J -R` is passed to man:mkisofs[8] to create an ISO 9660 file system with Joliet and Rock Ridge extensions. +Refer to man:mkisofs[8] for more details. -For the initial session recording, `-Z` is used for both single and multiple sessions. Replace _/dev/cd0_, with the name of the DVD device. Using `-dvd-compat` indicates that the disk will be closed and that the recording will be unappendable. This should also provide better media compatibility with DVD-ROM drives. +For the initial session recording, `-Z` is used for both single and multiple sessions. +Replace _/dev/cd0_, with the name of the DVD device. +Using `-dvd-compat` indicates that the disk will be closed and that the recording will be unappendable. +This should also provide better media compatibility with DVD-ROM drives. To burn a pre-mastered image, such as _imagefile.iso_, use: @@ -779,11 +865,15 @@ To burn a pre-mastered image, such as _imagefile.iso_, use: # growisofs -dvd-compat -Z /dev/cd0=imagefile.iso .... -The write speed should be detected and automatically set according to the media and the drive being used. To force the write speed, use `-speed=`. Refer to man:growisofs[1] for example usage. +The write speed should be detected and automatically set according to the media and the drive being used. +To force the write speed, use `-speed=`. Refer to man:growisofs[1] for example usage. [NOTE] ==== -In order to support working files larger than 4.38GB, an UDF/ISO-9660 hybrid file system must be created by passing `-udf -iso-level 3` to man:mkisofs[8] and all related programs, such as man:growisofs[1]. This is required only when creating an ISO image file or when writing files directly to a disk. Since a disk created this way must be mounted as an UDF file system with man:mount_udf[8], it will be usable only on an UDF aware operating system. Otherwise it will look as if it contains corrupted files. +In order to support working files larger than 4.38GB, an UDF/ISO-9660 hybrid file system must be created by passing `-udf -iso-level 3` to man:mkisofs[8] and all related programs, such as man:growisofs[1]. +This is required only when creating an ISO image file or when writing files directly to a disk. +Since a disk created this way must be mounted as an UDF file system with man:mount_udf[8], it will be usable only on an UDF aware operating system. +Otherwise it will look as if it contains corrupted files. To create this type of ISO file: @@ -801,41 +891,51 @@ To burn files directly to a disk: When an ISO image already contains large files, no additional options are required for man:growisofs[1] to burn that image on a disk. -Be sure to use an up-to-date version of package:sysutils/cdrtools[], which contains man:mkisofs[8], as an older version may not contain large files support. If the latest version does not work, install package:sysutils/cdrtools-devel[] and read its man:mkisofs[8]. +Be sure to use an up-to-date version of package:sysutils/cdrtools[], which contains man:mkisofs[8], as an older version may not contain large files support. +If the latest version does not work, install package:sysutils/cdrtools-devel[] and read its man:mkisofs[8]. ==== === Burning a DVD-Video -A DVD-Video is a specific file layout based on the ISO 9660 and micro-UDF (M-UDF) specifications. Since DVD-Video presents a specific data structure hierarchy, a particular program such as package:multimedia/dvdauthor[] is needed to author the DVD. +A DVD-Video is a specific file layout based on the ISO 9660 and micro-UDF (M-UDF) specifications. +Since DVD-Video presents a specific data structure hierarchy, a particular program such as package:multimedia/dvdauthor[] is needed to author the DVD. -If an image of the DVD-Video file system already exists, it can be burned in the same way as any other image. If `dvdauthor` was used to make the DVD and the result is in [.filename]#/path/to/video#, the following command should be used to burn the DVD-Video: +If an image of the DVD-Video file system already exists, it can be burned in the same way as any other image. +If `dvdauthor` was used to make the DVD and the result is in [.filename]#/path/to/video#, the following command should be used to burn the DVD-Video: [source,shell] .... # growisofs -Z /dev/cd0 -dvd-video /path/to/video .... -`-dvd-video` is passed to man:mkisofs[8] to instruct it to create a DVD-Video file system layout. This option implies the `-dvd-compat` man:growisofs[1] option. +`-dvd-video` is passed to man:mkisofs[8] to instruct it to create a DVD-Video file system layout. +This option implies the `-dvd-compat` man:growisofs[1] option. === Using a DVD+RW -Unlike CD-RW, a virgin DVD+RW needs to be formatted before first use. It is _recommended_ to let man:growisofs[1] take care of this automatically whenever appropriate. However, it is possible to use `dvd+rw-format` to format the DVD+RW: +Unlike CD-RW, a virgin DVD+RW needs to be formatted before first use. +It is _recommended_ to let man:growisofs[1] take care of this automatically whenever appropriate. +However, it is possible to use `dvd+rw-format` to format the DVD+RW: [source,shell] .... # dvd+rw-format /dev/cd0 .... -Only perform this operation once and keep in mind that only virgin DVD+RW medias need to be formatted. Once formatted, the DVD+RW can be burned as usual. +Only perform this operation once and keep in mind that only virgin DVD+RW medias need to be formatted. +Once formatted, the DVD+RW can be burned as usual. -To burn a totally new file system and not just append some data onto a DVD+RW, the media does not need to be blanked first. Instead, write over the previous recording like this: +To burn a totally new file system and not just append some data onto a DVD+RW, the media does not need to be blanked first. +Instead, write over the previous recording like this: [source,shell] .... # growisofs -Z /dev/cd0 -J -R /path/to/newdata .... -The DVD+RW format supports appending data to a previous recording. This operation consists of merging a new session to the existing one as it is not considered to be multi-session writing. man:growisofs[1] will _grow_ the ISO 9660 file system present on the media. +The DVD+RW format supports appending data to a previous recording. +This operation consists of merging a new session to the existing one as it is not considered to be multi-session writing. +man:growisofs[1] will _grow_ the ISO 9660 file system present on the media. For example, to append data to a DVD+RW, use the following: @@ -848,7 +948,8 @@ The same man:mkisofs[8] options used to burn the initial session should be used [NOTE] ==== -Use `-dvd-compat` for better media compatibility with DVD-ROM drives. When using DVD+RW, this option will not prevent the addition of data. +Use `-dvd-compat` for better media compatibility with DVD-ROM drives. +When using DVD+RW, this option will not prevent the addition of data. ==== To blank the media, use: @@ -860,9 +961,11 @@ To blank the media, use: === Using a DVD-RW -A DVD-RW accepts two disc formats: incremental sequential and restricted overwrite. By default, DVD-RW discs are in sequential format. +A DVD-RW accepts two disc formats: incremental sequential and restricted overwrite. +By default, DVD-RW discs are in sequential format. -A virgin DVD-RW can be directly written without being formatted. However, a non-virgin DVD-RW in sequential format needs to be blanked before writing a new initial session. +A virgin DVD-RW can be directly written without being formatted. +However, a non-virgin DVD-RW in sequential format needs to be blanked before writing a new initial session. To blank a DVD-RW in sequential mode: @@ -873,7 +976,9 @@ To blank a DVD-RW in sequential mode: [NOTE] ==== -A full blanking using `-blank=full` will take about one hour on a 1x media. A fast blanking can be performed using `-blank`, if the DVD-RW will be recorded in Disk-At-Once (DAO) mode. To burn the DVD-RW in DAO mode, use the command: +A full blanking using `-blank=full` will take about one hour on a 1x media. +A fast blanking can be performed using `-blank`, if the DVD-RW will be recorded in Disk-At-Once (DAO) mode. +To burn the DVD-RW in DAO mode, use the command: [source,shell] .... @@ -892,9 +997,13 @@ To write data on a sequential DVD-RW, use the same instructions as for the other # growisofs -Z /dev/cd0 -J -R /path/to/data .... -To append some data to a previous recording, use `-M` with man:growisofs[1]. However, if data is appended on a DVD-RW in incremental sequential mode, a new session will be created on the disc and the result will be a multi-session disc. +To append some data to a previous recording, use `-M` with man:growisofs[1]. +However, if data is appended on a DVD-RW in incremental sequential mode, a new session will be created on the disc and the result will be a multi-session disc. -A DVD-RW in restricted overwrite format does not need to be blanked before a new initial session. Instead, overwrite the disc with `-Z`. It is also possible to grow an existing ISO 9660 file system written on the disc with `-M`. The result will be a one-session DVD. +A DVD-RW in restricted overwrite format does not need to be blanked before a new initial session. +Instead, overwrite the disc with `-Z`. +It is also possible to grow an existing ISO 9660 file system written on the disc with `-M`. +The result will be a one-session DVD. To put a DVD-RW in restricted overwrite format, the following command must be used: @@ -912,7 +1021,9 @@ To change back to sequential format, use: === Multi-Session -Few DVD-ROM drives support multi-session DVDs and most of the time only read the first session. DVD+R, DVD-R and DVD-RW in sequential format can accept multiple sessions. The notion of multiple sessions does not exist for the DVD+RW and the DVD-RW restricted overwrite formats. +Few DVD-ROM drives support multi-session DVDs and most of the time only read the first session. +DVD+R, DVD-R and DVD-RW in sequential format can accept multiple sessions. +The notion of multiple sessions does not exist for the DVD+RW and the DVD-RW restricted overwrite formats. Using the following command after an initial non-closed session on a DVD+R, DVD-R, or DVD-RW in sequential format, will add a new session to the disc: @@ -921,11 +1032,14 @@ Using the following command after an initial non-closed session on a DVD+R, DVD- # growisofs -M /dev/cd0 -J -R /path/to/nextdata .... -Using this command with a DVD+RW or a DVD-RW in restricted overwrite mode will append data while merging the new session to the existing one. The result will be a single-session disc. Use this method to add data after an initial write on these types of media. +Using this command with a DVD+RW or a DVD-RW in restricted overwrite mode will append data while merging the new session to the existing one. +The result will be a single-session disc. +Use this method to add data after an initial write on these types of media. [NOTE] ==== -Since some space on the media is used between each session to mark the end and start of sessions, one should add sessions with a large amount of data to optimize media space. The number of sessions is limited to 154 for a DVD+R, about 2000 for a DVD-R, and 127 for a DVD+R Double Layer. +Since some space on the media is used between each session to mark the end and start of sessions, one should add sessions with a large amount of data to optimize media space. +The number of sessions is limited to 154 for a DVD+R, about 2000 for a DVD-R, and 127 for a DVD+R Double Layer. ==== === For More Information @@ -942,14 +1056,17 @@ When creating a problem report related to the use of dvd+rw-tools, always includ [[creating-dvd-ram]] === Using a DVD-RAM -DVD-RAM writers can use either a SCSI or ATAPI interface. For ATAPI devices, DMA access has to be enabled by adding the following line to [.filename]#/boot/loader.conf#: +DVD-RAM writers can use either a SCSI or ATAPI interface. +For ATAPI devices, DMA access has to be enabled by adding the following line to [.filename]#/boot/loader.conf#: [.programlisting] .... hw.ata.atapi_dma="1" .... -A DVD-RAM can be seen as a removable hard drive. Like any other hard drive, the DVD-RAM must be formatted before it can be used. In this example, the whole disk space will be formatted with a standard UFS2 file system: +A DVD-RAM can be seen as a removable hard drive. +Like any other hard drive, the DVD-RAM must be formatted before it can be used. +In this example, the whole disk space will be formatted with a standard UFS2 file system: [source,shell] .... @@ -978,7 +1095,10 @@ This section explains how to format a 3.5 inch floppy disk in FreeBSD. ==== *Procedure: Steps to Format a Floppy* -A floppy disk needs to be low-level formatted before it can be used. This is usually done by the vendor, but formatting is a good way to check media integrity. To low-level format the floppy disk on FreeBSD, use man:fdformat[1]. When using this utility, make note of any error messages, as these can help determine if the disk is good or bad. +A floppy disk needs to be low-level formatted before it can be used. +This is usually done by the vendor, but formatting is a good way to check media integrity. +To low-level format the floppy disk on FreeBSD, use man:fdformat[1]. +When using this utility, make note of any error messages, as these can help determine if the disk is good or bad. . To format the floppy, insert a new 3.5 inch floppy disk into the first floppy drive and issue: + @@ -1006,18 +1126,19 @@ To format the floppy with FAT, issue: .... ==== -The disk is now ready for use. To use the floppy, mount it with man:mount_msdosfs[8]. One can also install and use package:emulators/mtools[] from the Ports Collection. +The disk is now ready for use. +To use the floppy, mount it with man:mount_msdosfs[8]. +One can also install and use package:emulators/mtools[] from the Ports Collection. [[using-ntfs]] == Using NTFS Disks This section explains how to mount NTFS disks in FreeBSD. -NTFS (New Technology File System) is a proprietary journaling file system -developed by Microsoft(R). It has been the default file system in Microsoft -Windows(R) for many years. FreeBSD can mount NTFS volumes using a FUSE file -system. These file systems are implemented as user space programs which -interact with the man:fusefs[5] kernel module via a well defined interface. +NTFS (New Technology File System) is a proprietary journaling file system developed by Microsoft(R). +It has been the default file system in Microsoft Windows(R) for many years. +FreeBSD can mount NTFS volumes using a FUSE file system. +These file systems are implemented as user space programs which interact with the man:fusefs[5] kernel module via a well defined interface. [.procedure] ==== @@ -1038,9 +1159,7 @@ Use man:sysrc[8] to load the module at startup: # sysrc kld_list+=fusefs .... -. Install the actual NTFS file system from packages as in the example (see -crossref:ports[pkgng-intro,Using pkg for Binary Package Management]) or from -ports (see crossref:ports[ports-using,Using the Ports Collection]): +. Install the actual NTFS file system from packages as in the example (see crossref:ports[pkgng-intro,Using pkg for Binary Package Management]) or from ports (see crossref:ports[ports-using,Using the Ports Collection]): + [source,shell] .... @@ -1054,8 +1173,7 @@ ports (see crossref:ports[ports-using,Using the Ports Collection]): # mkdir /mnt/usb .... -. Suppose a USB disk is plugged in. The disk partition information can be -viewed with man:gpart[8]: +. Suppose a USB disk is plugged in. The disk partition information can be viewed with man:gpart[8]: + [source,shell] .... @@ -1099,33 +1217,44 @@ Now the disk can be now mounted with: Implementing a backup plan is essential in order to have the ability to recover from disk failure, accidental file deletion, random file corruption, or complete machine destruction, including destruction of on-site backups. -The backup type and schedule will vary, depending upon the importance of the data, the granularity needed for file restores, and the amount of acceptable downtime. Some possible backup techniques include: +The backup type and schedule will vary, depending upon the importance of the data, the granularity needed for file restores, and the amount of acceptable downtime. +Some possible backup techniques include: * Archives of the whole system, backed up onto permanent, off-site media. This provides protection against all of the problems listed above, but is slow and inconvenient to restore from, especially for non-privileged users. * File system snapshots, which are useful for restoring deleted files or previous versions of files. * Copies of whole file systems or disks which are synchronized with another system on the network using a scheduled package:net/rsync[]. * Hardware or software RAID, which minimizes or avoids downtime when a disk fails. -Typically, a mix of backup techniques is used. For example, one could create a schedule to automate a weekly, full system backup that is stored off-site and to supplement this backup with hourly ZFS snapshots. In addition, one could make a manual backup of individual directories or files before making file edits or deletions. +Typically, a mix of backup techniques is used. +For example, one could create a schedule to automate a weekly, full system backup that is stored off-site and to supplement this backup with hourly ZFS snapshots. +In addition, one could make a manual backup of individual directories or files before making file edits or deletions. This section describes some of the utilities which can be used to create and manage backups on a FreeBSD system. === File System Backups -The traditional UNIX(R) programs for backing up a file system are man:dump[8], which creates the backup, and man:restore[8], which restores the backup. These utilities work at the disk block level, below the abstractions of the files, links, and directories that are created by file systems. Unlike other backup software, `dump` backs up an entire file system and is unable to backup only part of a file system or a directory tree that spans multiple file systems. Instead of writing files and directories, `dump` writes the raw data blocks that comprise files and directories. +The traditional UNIX(R) programs for backing up a file system are man:dump[8], which creates the backup, and man:restore[8], which restores the backup. +These utilities work at the disk block level, below the abstractions of the files, links, and directories that are created by file systems. +Unlike other backup software, `dump` backs up an entire file system and is unable to backup only part of a file system or a directory tree that spans multiple file systems. +Instead of writing files and directories, `dump` writes the raw data blocks that comprise files and directories. [NOTE] ==== If `dump` is used on the root directory, it will not back up [.filename]#/home#, [.filename]#/usr# or many other directories since these are typically mount points for other file systems or symbolic links into those file systems. ==== -When used to restore data, `restore` stores temporary files in [.filename]#/tmp/# by default. When using a recovery disk with a small [.filename]#/tmp#, set `TMPDIR` to a directory with more free space in order for the restore to succeed. +When used to restore data, `restore` stores temporary files in [.filename]#/tmp/# by default. +When using a recovery disk with a small [.filename]#/tmp#, set `TMPDIR` to a directory with more free space in order for the restore to succeed. -When using `dump`, be aware that some quirks remain from its early days in Version 6 of AT&T UNIX(R),circa 1975. The default parameters assume a backup to a 9-track tape, rather than to another type of media or to the high-density tapes available today. These defaults must be overridden on the command line. +When using `dump`, be aware that some quirks remain from its early days in Version 6 of AT&T UNIX(R),circa 1975. +The default parameters assume a backup to a 9-track tape, rather than to another type of media or to the high-density tapes available today. +These defaults must be overridden on the command line. -It is possible to backup a file system across the network to a another system or to a tape drive attached to another computer. While the man:rdump[8] and man:rrestore[8] utilities can be used for this purpose, they are not considered to be secure. +It is possible to backup a file system across the network to a another system or to a tape drive attached to another computer. +While the man:rdump[8] and man:rrestore[8] utilities can be used for this purpose, they are not considered to be secure. -Instead, one can use `dump` and `restore` in a more secure fashion over an SSH connection. This example creates a full, compressed backup of [.filename]#/usr# and sends the backup file to the specified host over a SSH connection. +Instead, one can use `dump` and `restore` in a more secure fashion over an SSH connection. +This example creates a full, compressed backup of [.filename]#/usr# and sends the backup file to the specified host over a SSH connection. .Using `dump` over ssh [example] @@ -1152,9 +1281,12 @@ This example sets `RSH` in order to write the backup to a tape drive on a remote Several built-in utilities are available for backing up and restoring specified files and directories as needed. -A good choice for making a backup of all of the files in a directory is man:tar[1]. This utility dates back to Version 6 of AT&T UNIX(R) and by default assumes a recursive backup to a local tape device. Switches can be used to instead specify the name of a backup file. +A good choice for making a backup of all of the files in a directory is man:tar[1]. +This utility dates back to Version 6 of AT&T UNIX(R) and by default assumes a recursive backup to a local tape device. +Switches can be used to instead specify the name of a backup file. -This example creates a compressed backup of the current directory and saves it to [.filename]#/tmp/mybackup.tgz#. When creating a backup file, make sure that the backup is not saved to the same directory that is being backed up. +This example creates a compressed backup of the current directory and saves it to [.filename]#/tmp/mybackup.tgz#. +When creating a backup file, make sure that the backup is not saved to the same directory that is being backed up. .Backing Up the Current Directory with `tar` [example] @@ -1165,7 +1297,9 @@ This example creates a compressed backup of the current directory and saves it t .... ==== -To restore the entire backup, `cd` into the directory to restore into and specify the name of the backup. Note that this will overwrite any newer versions of files in the restore directory. When in doubt, restore to a temporary directory or specify the name of the file within the backup to restore. +To restore the entire backup, `cd` into the directory to restore into and specify the name of the backup. +Note that this will overwrite any newer versions of files in the restore directory. +When in doubt, restore to a temporary directory or specify the name of the file within the backup to restore. .Restoring Up the Current Directory with `tar` [example] @@ -1176,11 +1310,14 @@ To restore the entire backup, `cd` into the directory to restore into and specif .... ==== -There are dozens of available switches which are described in man:tar[1]. This utility also supports the use of exclude patterns to specify which files should not be included when backing up the specified directory or restoring files from a backup. +There are dozens of available switches which are described in man:tar[1]. +This utility also supports the use of exclude patterns to specify which files should not be included when backing up the specified directory or restoring files from a backup. -To create a backup using a specified list of files and directories, man:cpio[1] is a good choice. Unlike `tar`, `cpio` does not know how to walk the directory tree and it must be provided the list of files to backup. +To create a backup using a specified list of files and directories, man:cpio[1] is a good choice. +Unlike `tar`, `cpio` does not know how to walk the directory tree and it must be provided the list of files to backup. -For example, a list of files can be created using `ls` or `find`. This example creates a recursive listing of the current directory which is then piped to `cpio` in order to create an output backup file named [.filename]#/tmp/mybackup.cpio#. +For example, a list of files can be created using `ls` or `find`. +This example creates a recursive listing of the current directory which is then piped to `cpio` in order to create an output backup file named [.filename]#/tmp/mybackup.cpio#. .Using `ls` and `cpio` to Make a Recursive Backup of the Current Directory [example] @@ -1191,7 +1328,9 @@ For example, a list of files can be created using `ls` or `find`. This example c .... ==== -A backup utility which tries to bridge the features provided by `tar` and `cpio` is man:pax[1]. Over the years, the various versions of `tar` and `cpio` became slightly incompatible. POSIX(R) created `pax` which attempts to read and write many of the various `cpio` and `tar` formats, plus new formats of its own. +A backup utility which tries to bridge the features provided by `tar` and `cpio` is man:pax[1]. +Over the years, the various versions of `tar` and `cpio` became slightly incompatible. +POSIX(R) created `pax` which attempts to read and write many of the various `cpio` and `tar` formats, plus new formats of its own. The `pax` equivalent to the previous examples would be: @@ -1207,11 +1346,16 @@ The `pax` equivalent to the previous examples would be: [[backups-tapebackups]] === Using Data Tapes for Backups -While tape technology has continued to evolve, modern backup systems tend to combine off-site backups with local removable media. FreeBSD supports any tape drive that uses SCSI, such as LTO or DAT. There is limited support for SATA and USB tape drives. +While tape technology has continued to evolve, modern backup systems tend to combine off-site backups with local removable media. +FreeBSD supports any tape drive that uses SCSI, such as LTO or DAT. +There is limited support for SATA and USB tape drives. -For SCSI tape devices, FreeBSD uses the man:sa[4] driver and the [.filename]#/dev/sa0#, [.filename]#/dev/nsa0#, and [.filename]#/dev/esa0# devices. The physical device name is [.filename]#/dev/sa0#. When [.filename]#/dev/nsa0# is used, the backup application will not rewind the tape after writing a file, which allows writing more than one file to a tape. Using [.filename]#/dev/esa0# ejects the tape after the device is closed. +For SCSI tape devices, FreeBSD uses the man:sa[4] driver and the [.filename]#/dev/sa0#, [.filename]#/dev/nsa0#, and [.filename]#/dev/esa0# devices. +The physical device name is [.filename]#/dev/sa0#. When [.filename]#/dev/nsa0# is used, the backup application will not rewind the tape after writing a file, which allows writing more than one file to a tape. +Using [.filename]#/dev/esa0# ejects the tape after the device is closed. -In FreeBSD, `mt` is used to control operations of the tape drive, such as seeking through files on a tape or writing tape control marks to the tape. For example, the first three files on a tape can be preserved by skipping past them before writing a new file: +In FreeBSD, `mt` is used to control operations of the tape drive, such as seeking through files on a tape or writing tape control marks to the tape. +For example, the first three files on a tape can be preserved by skipping past them before writing a new file: [source,shell] .... @@ -1234,7 +1378,8 @@ To recover files from a `tar` archive on tape into the current directory: # tar xvf /dev/sa0 .... -To backup a UFS file system, use `dump`. This examples backs up [.filename]#/usr# without rewinding the tape when finished: +To backup a UFS file system, use `dump`. +This examples backs up [.filename]#/usr# without rewinding the tape when finished: [source,shell] .... @@ -1251,7 +1396,8 @@ To interactively restore files from a `dump` file on tape into the current direc [[backups-programs-amanda]] === Third-Party Backup Utilities -The FreeBSD Ports Collection provides many third-party utilities which can be used to schedule the creation of backups, simplify tape backup, and make backups easier and more convenient. Many of these applications are client/server based and can be used to automate the backups of a single system or all of the computers in a network. +The FreeBSD Ports Collection provides many third-party utilities which can be used to schedule the creation of backups, simplify tape backup, and make backups easier and more convenient. +Many of these applications are client/server based and can be used to automate the backups of a single system or all of the computers in a network. Popular utilities include Amanda, Bacula, rsync, and duplicity. @@ -1265,23 +1411,32 @@ Create a print copy of the output of the following commands: * `more /etc/fstab` * `dmesg` -Store this printout and a copy of the installation media in a secure location. Should an emergency restore be needed, boot into the installation media and select `Live CD` to access a rescue shell. This rescue mode can be used to view the current state of the system, and if needed, to reformat disks and restore data from backups. +Store this printout and a copy of the installation media in a secure location. +Should an emergency restore be needed, boot into the installation media and select `Live CD` to access a rescue shell. +This rescue mode can be used to view the current state of the system, and if needed, to reformat disks and restore data from backups. [NOTE] ==== -The installation media for FreeBSD/i386 {rel112-current}-RELEASE does not include a rescue shell. For this version, instead download and burn a Livefs CD image from link:ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/{rel112-current}/FreeBSD-{rel112-current}-RELEASE-i386-livefs.iso[ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/{rel112-current}/FreeBSD-{rel112-current}-RELEASE-i386-livefs.iso]. +The installation media for FreeBSD/i386 {rel112-current}-RELEASE does not include a rescue shell. +For this version, instead download and burn a Livefs CD image from link:ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/{rel112-current}/FreeBSD-{rel112-current}-RELEASE-i386-livefs.iso[ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/{rel112-current}/FreeBSD-{rel112-current}-RELEASE-i386-livefs.iso]. ==== -Next, test the rescue shell and the backups. Make notes of the procedure. Store these notes with the media, the printouts, and the backups. These notes may prevent the inadvertent destruction of the backups while under the stress of performing an emergency recovery. +Next, test the rescue shell and the backups. +Make notes of the procedure. +Store these notes with the media, the printouts, and the backups. +These notes may prevent the inadvertent destruction of the backups while under the stress of performing an emergency recovery. For an added measure of security, store the latest backup at a remote location which is physically separated from the computers and disk drives by a significant distance. [[disks-virtual]] == Memory Disks -In addition to physical disks, FreeBSD also supports the creation and use of memory disks. One possible use for a memory disk is to access the contents of an ISO file system without the overhead of first burning it to a CD or DVD, then mounting the CD/DVD media. +In addition to physical disks, FreeBSD also supports the creation and use of memory disks. +One possible use for a memory disk is to access the contents of an ISO file system without the overhead of first burning it to a CD or DVD, then mounting the CD/DVD media. -In FreeBSD, the man:md[4] driver is used to provide support for memory disks. The [.filename]#GENERIC# kernel includes this driver. When using a custom kernel configuration file, ensure it includes this line: +In FreeBSD, the man:md[4] driver is used to provide support for memory disks. +The [.filename]#GENERIC# kernel includes this driver. +When using a custom kernel configuration file, ensure it includes this line: [.programlisting] .... @@ -1291,7 +1446,10 @@ device md [[disks-mdconfig]] === Attaching and Detaching Existing Images -To mount an existing file system image, use `mdconfig` to specify the name of the ISO file and a free unit number. Then, refer to that unit number to mount it on an existing mount point. Once mounted, the files in the ISO will appear in the mount point. This example attaches _diskimage.iso_ to the memory device [.filename]#/dev/md0# then mounts that memory device on [.filename]#/mnt#: +To mount an existing file system image, use `mdconfig` to specify the name of the ISO file and a free unit number. +Then, refer to that unit number to mount it on an existing mount point. +Once mounted, the files in the ISO will appear in the mount point. +This example attaches _diskimage.iso_ to the memory device [.filename]#/dev/md0# then mounts that memory device on [.filename]#/mnt#: [source,shell] .... @@ -1299,9 +1457,13 @@ To mount an existing file system image, use `mdconfig` to specify the name of th # mount -t cd9660 /dev/md0 /mnt .... -Notice that `-t cd9660` was used to mount an ISO format. If a unit number is not specified with `-u`, `mdconfig` will automatically allocate an unused memory device and output the name of the allocated unit, such as [.filename]#md4#. Refer to man:mdconfig[8] for more details about this command and its options. +Notice that `-t cd9660` was used to mount an ISO format. +If a unit number is not specified with `-u`, `mdconfig` will automatically allocate an unused memory device and output the name of the allocated unit, such as [.filename]#md4#. +Refer to man:mdconfig[8] for more details about this command and its options. -When a memory disk is no longer in use, its resources should be released back to the system. First, unmount the file system, then use `mdconfig` to detach the disk from the system and release its resources. To continue this example: +When a memory disk is no longer in use, its resources should be released back to the system. +First, unmount the file system, then use `mdconfig` to detach the disk from the system and release its resources. +To continue this example: [source,shell] .... @@ -1314,9 +1476,14 @@ To determine if any memory disks are still attached to the system, type `mdconfi [[disks-md-freebsd5]] === Creating a File- or Memory-Backed Memory Disk -FreeBSD also supports memory disks where the storage to use is allocated from either a hard disk or an area of memory. The first method is commonly referred to as a file-backed file system and the second method as a memory-backed file system. Both types can be created using `mdconfig`. +FreeBSD also supports memory disks where the storage to use is allocated from either a hard disk or an area of memory. +The first method is commonly referred to as a file-backed file system and the second method as a memory-backed file system. +Both types can be created using `mdconfig`. -To create a new memory-backed file system, specify a type of `swap` and the size of the memory disk to create. Then, format the memory disk with a file system and mount as usual. This example creates a 5M memory disk on unit `1`. That memory disk is then formatted with the UFS file system before it is mounted: +To create a new memory-backed file system, specify a type of `swap` and the size of the memory disk to create. +Then, format the memory disk with a file system and mount as usual. +This example creates a 5M memory disk on unit `1`. +That memory disk is then formatted with the UFS file system before it is mounted: [source,shell] .... @@ -1333,7 +1500,8 @@ Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/md1 4718 4 4338 0% /mnt .... -To create a new file-backed memory disk, first allocate an area of disk to use. This example creates an empty 5MB file named [.filename]#newimage#: +To create a new file-backed memory disk, first allocate an area of disk to use. +This example creates an empty 5MB file named [.filename]#newimage#: [source,shell] .... @@ -1359,7 +1527,9 @@ Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/md0a 4710 4 4330 0% /mnt .... -It takes several commands to create a file- or memory-backed file system using `mdconfig`. FreeBSD also comes with `mdmfs` which automatically configures a memory disk, formats it with the UFS file system, and mounts it. For example, after creating _newimage_ with `dd`, this one command is equivalent to running the `bsdlabel`, `newfs`, and `mount` commands shown above: +It takes several commands to create a file- or memory-backed file system using `mdconfig`. +FreeBSD also comes with `mdmfs` which automatically configures a memory disk, formats it with the UFS file system, and mounts it. +For example, after creating _newimage_ with `dd`, this one command is equivalent to running the `bsdlabel`, `newfs`, and `mount` commands shown above: [source,shell] .... @@ -1373,18 +1543,25 @@ To instead create a new memory-based memory disk with `mdmfs`, use this one comm # mdmfs -s 5m md1 /mnt .... -If the unit number is not specified, `mdmfs` will automatically select an unused memory device. For more details about `mdmfs`, refer to man:mdmfs[8]. +If the unit number is not specified, `mdmfs` will automatically select an unused memory device. +For more details about `mdmfs`, refer to man:mdmfs[8]. [[snapshots]] == File System Snapshots FreeBSD offers a feature in conjunction with crossref:config[soft-updates,Soft Updates]: file system snapshots. -UFS snapshots allow a user to create images of specified file systems, and treat them as a file. Snapshot files must be created in the file system that the action is performed on, and a user may create no more than 20 snapshots per file system. Active snapshots are recorded in the superblock so they are persistent across unmount and remount operations along with system reboots. When a snapshot is no longer required, it can be removed using man:rm[1]. While snapshots may be removed in any order, all the used space may not be acquired because another snapshot will possibly claim some of the released blocks. +UFS snapshots allow a user to create images of specified file systems, and treat them as a file. +Snapshot files must be created in the file system that the action is performed on, and a user may create no more than 20 snapshots per file system. +Active snapshots are recorded in the superblock so they are persistent across unmount and remount operations along with system reboots. +When a snapshot is no longer required, it can be removed using man:rm[1]. +While snapshots may be removed in any order, all the used space may not be acquired because another snapshot will possibly claim some of the released blocks. -The un-alterable `snapshot` file flag is set by man:mksnap_ffs[8] after initial creation of a snapshot file. man:unlink[1] makes an exception for snapshot files since it allows them to be removed. +The un-alterable `snapshot` file flag is set by man:mksnap_ffs[8] after initial creation of a snapshot file. +man:unlink[1] makes an exception for snapshot files since it allows them to be removed. -Snapshots are created using man:mount[8]. To place a snapshot of [.filename]#/var# in the file [.filename]#/var/snapshot/snap#, use the following command: +Snapshots are created using man:mount[8]. +To place a snapshot of [.filename]#/var# in the file [.filename]#/var/snapshot/snap#, use the following command: [source,shell] .... @@ -1412,14 +1589,16 @@ Once a snapshot has been created, it has several uses: * Running man:dump[8] on the snapshot will produce a dump file that is consistent with the file system and the timestamp of the snapshot. man:dump[8] can also take a snapshot, create a dump image, and then remove the snapshot in one command by using `-L`. * The snapshot can be mounted as a frozen image of the file system. To man:mount[8] the snapshot [.filename]#/var/snapshot/snap# run: + - [source,shell] .... # mdconfig -a -t vnode -o readonly -f /var/snapshot/snap -u 4 # mount -r /dev/md4 /mnt .... -The frozen [.filename]#/var# is now available through [.filename]#/mnt#. Everything will initially be in the same state it was during the snapshot creation time. The only exception is that any earlier snapshots will appear as zero length files. To unmount the snapshot, use: +The frozen [.filename]#/var# is now available through [.filename]#/mnt#. +Everything will initially be in the same state it was during the snapshot creation time. +The only exception is that any earlier snapshots will appear as zero length files. +To unmount the snapshot, use: [source,shell] .... @@ -1432,9 +1611,11 @@ For more information about `softupdates` and file system snapshots, including te [[quotas]] == Disk Quotas -Disk quotas can be used to limit the amount of disk space or the number of files a user or members of a group may allocate on a per-file system basis. This prevents one user or group of users from consuming all of the available disk space. +Disk quotas can be used to limit the amount of disk space or the number of files a user or members of a group may allocate on a per-file system basis. +This prevents one user or group of users from consuming all of the available disk space. -This section describes how to configure disk quotas for the UFS file system. To configure quotas on the ZFS file system, refer to crossref:zfs[zfs-zfs-quota,"Dataset, User, and Group Quotas"] +This section describes how to configure disk quotas for the UFS file system. +To configure quotas on the ZFS file system, refer to crossref:zfs[zfs-zfs-quota,"Dataset, User, and Group Quotas"] === Enabling Disk Quotas @@ -1446,7 +1627,8 @@ To determine if the FreeBSD kernel provides support for disk quotas: kern.features.ufs_quota: 1 .... -In this example, the `1` indicates quota support. If the value is instead `0`, add the following line to a custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]: +In this example, the `1` indicates quota support. +If the value is instead `0`, add the following line to a custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]: [.programlisting] .... @@ -1460,32 +1642,41 @@ Next, enable disk quotas in [.filename]#/etc/rc.conf#: quota_enable="YES" .... -Normally on bootup, the quota integrity of each file system is checked by man:quotacheck[8]. This program insures that the data in the quota database properly reflects the data on the file system. This is a time consuming process that will significantly affect the time the system takes to boot. To skip this step, add this variable to [.filename]#/etc/rc.conf#: +Normally on bootup, the quota integrity of each file system is checked by man:quotacheck[8]. +This program insures that the data in the quota database properly reflects the data on the file system. +This is a time consuming process that will significantly affect the time the system takes to boot. +To skip this step, add this variable to [.filename]#/etc/rc.conf#: [.programlisting] .... check_quotas="NO" .... -Finally, edit [.filename]#/etc/fstab# to enable disk quotas on a per-file system basis. To enable per-user quotas on a file system, add `userquota` to the options field in the [.filename]#/etc/fstab# entry for the file system to enable quotas on. For example: +Finally, edit [.filename]#/etc/fstab# to enable disk quotas on a per-file system basis. +To enable per-user quotas on a file system, add `userquota` to the options field in the [.filename]#/etc/fstab# entry for the file system to enable quotas on. +For example: [.programlisting] .... /dev/da1s2g /home ufs rw,userquota 1 2 .... -To enable group quotas, use `groupquota` instead. To enable both user and group quotas, separate the options with a comma: +To enable group quotas, use `groupquota` instead. +To enable both user and group quotas, separate the options with a comma: [.programlisting] .... /dev/da1s2g /home ufs rw,userquota,groupquota 1 2 .... -By default, quota files are stored in the root directory of the file system as [.filename]#quota.user# and [.filename]#quota.group#. Refer to man:fstab[5] for more information. Specifying an alternate location for the quota files is not recommended. +By default, quota files are stored in the root directory of the file system as [.filename]#quota.user# and [.filename]#quota.group#. +Refer to man:fstab[5] for more information. +Specifying an alternate location for the quota files is not recommended. Once the configuration is complete, reboot the system and [.filename]#/etc/rc# will automatically run the appropriate commands to create the initial quota files for all of the quotas enabled in [.filename]#/etc/fstab#. -In the normal course of operations, there should be no need to manually run man:quotacheck[8], man:quotaon[8], or man:quotaoff[8]. However, one should read these manual pages to be familiar with their operation. +In the normal course of operations, there should be no need to manually run man:quotacheck[8], man:quotaon[8], or man:quotaoff[8]. +However, one should read these manual pages to be familiar with their operation. === Setting Quota Limits @@ -1500,13 +1691,22 @@ There should be a one line summary of disk usage and current quota limits for ea The system is now ready to be assigned quota limits with `edquota`. -Several options are available to enforce limits on the amount of disk space a user or group may allocate, and how many files they may create. Allocations can be limited based on disk space (block quotas), number of files (inode quotas), or a combination of both. Each limit is further broken down into two categories: hard and soft limits. +Several options are available to enforce limits on the amount of disk space a user or group may allocate, and how many files they may create. +Allocations can be limited based on disk space (block quotas), number of files (inode quotas), or a combination of both. +Each limit is further broken down into two categories: hard and soft limits. -A hard limit may not be exceeded. Once a user reaches a hard limit, no further allocations can be made on that file system by that user. For example, if the user has a hard limit of 500 kbytes on a file system and is currently using 490 kbytes, the user can only allocate an additional 10 kbytes. Attempting to allocate an additional 11 kbytes will fail. +A hard limit may not be exceeded. +Once a user reaches a hard limit, no further allocations can be made on that file system by that user. +For example, if the user has a hard limit of 500 kbytes on a file system and is currently using 490 kbytes, the user can only allocate an additional 10 kbytes. +Attempting to allocate an additional 11 kbytes will fail. -Soft limits can be exceeded for a limited amount of time, known as the grace period, which is one week by default. If a user stays over their limit longer than the grace period, the soft limit turns into a hard limit and no further allocations are allowed. When the user drops back below the soft limit, the grace period is reset. +Soft limits can be exceeded for a limited amount of time, known as the grace period, which is one week by default. +If a user stays over their limit longer than the grace period, the soft limit turns into a hard limit and no further allocations are allowed. +When the user drops back below the soft limit, the grace period is reset. -In the following example, the quota for the `test` account is being edited. When `edquota` is invoked, the editor specified by `EDITOR` is opened in order to edit the quota limits. The default editor is set to vi. +In the following example, the quota for the `test` account is being edited. +When `edquota` is invoked, the editor specified by `EDITOR` is opened in order to edit the quota limits. +The default editor is set to vi. [source,shell] .... @@ -1518,7 +1718,10 @@ Quotas for user test: inodes in use: 0, limits (soft = 50, hard = 60) .... -There are normally two lines for each file system that has quotas enabled. One line represents the block limits and the other represents the inode limits. Change the value to modify the quota limit. For example, to raise the block limit on [.filename]#/usr# to a soft limit of `500` and a hard limit of `600`, change the values in that line as follows: +There are normally two lines for each file system that has quotas enabled. +One line represents the block limits and the other represents the inode limits. +Change the value to modify the quota limit. +For example, to raise the block limit on [.filename]#/usr# to a soft limit of `500` and a hard limit of `600`, change the values in that line as follows: [.programlisting] .... @@ -1527,7 +1730,10 @@ There are normally two lines for each file system that has quotas enabled. One l The new quota limits take effect upon exiting the editor. -Sometimes it is desirable to set quota limits on a range of users. This can be done by first assigning the desired quota limit to a user. Then, use `-p` to duplicate that quota to a specified range of user IDs (UIDs). The following command will duplicate those quota limits for UIDs `10,000` through `19,999`: +Sometimes it is desirable to set quota limits on a range of users. +This can be done by first assigning the desired quota limit to a user. +Then, use `-p` to duplicate that quota to a specified range of user IDs (UIDs). +The following command will duplicate those quota limits for UIDs `10,000` through `19,999`: [source,shell] .... @@ -1538,9 +1744,14 @@ For more information, refer to man:edquota[8]. === Checking Quota Limits and Disk Usage -To check individual user or group quotas and disk usage, use man:quota[1]. A user may only examine their own quota and the quota of a group they are a member of. Only the superuser may view all user and group quotas. To get a summary of all quotas and disk usage for file systems with quotas enabled, use man:repquota[8]. +To check individual user or group quotas and disk usage, use man:quota[1]. +A user may only examine their own quota and the quota of a group they are a member of. +Only the superuser may view all user and group quotas. +To get a summary of all quotas and disk usage for file systems with quotas enabled, use man:repquota[8]. -Normally, file systems that the user is not using any disk space on will not show in the output of `quota`, even if the user has a quota limit assigned for that file system. Use `-v` to display those file systems. The following is sample output from `quota -v` for a user that has quota limits on two file systems. +Normally, file systems that the user is not using any disk space on will not show in the output of `quota`, even if the user has a quota limit assigned for that file system. +Use `-v` to display those file systems. +The following is sample output from `quota -v` for a user that has quota limits on two file systems. [.programlisting] .... @@ -1550,11 +1761,13 @@ Disk quotas for user test (uid 1002): /usr/var 0 50 75 0 50 60 .... -In this example, the user is currently 15 kbytes over the soft limit of 50 kbytes on [.filename]#/usr# and has 5 days of grace period left. The asterisk `*` indicates that the user is currently over the quota limit. +In this example, the user is currently 15 kbytes over the soft limit of 50 kbytes on [.filename]#/usr# and has 5 days of grace period left. +The asterisk `*` indicates that the user is currently over the quota limit. === Quotas over NFS -Quotas are enforced by the quota subsystem on the NFS server. The man:rpc.rquotad[8] daemon makes quota information available to `quota` on NFS clients, allowing users on those machines to see their quota statistics. +Quotas are enforced by the quota subsystem on the NFS server. +The man:rpc.rquotad[8] daemon makes quota information available to `quota` on NFS clients, allowing users on those machines to see their quota statistics. On the NFS server, enable `rpc.rquotad` by removing the `#` from this line in [.filename]*/etc/inetd.conf*: @@ -1573,17 +1786,27 @@ Then, restart `inetd`: [[disks-encrypting]] == Encrypting Disk Partitions -FreeBSD offers excellent online protections against unauthorized data access. File permissions and crossref:mac[mac,Mandatory Access Control] (MAC) help prevent unauthorized users from accessing data while the operating system is active and the computer is powered up. However, the permissions enforced by the operating system are irrelevant if an attacker has physical access to a computer and can move the computer's hard drive to another system to copy and analyze the data. +FreeBSD offers excellent online protections against unauthorized data access. +File permissions and crossref:mac[mac,Mandatory Access Control] (MAC) help prevent unauthorized users from accessing data while the operating system is active and the computer is powered up. +However, the permissions enforced by the operating system are irrelevant if an attacker has physical access to a computer and can move the computer's hard drive to another system to copy and analyze the data. -Regardless of how an attacker may have come into possession of a hard drive or powered-down computer, the GEOM-based cryptographic subsystems built into FreeBSD are able to protect the data on the computer's file systems against even highly-motivated attackers with significant resources. Unlike encryption methods that encrypt individual files, the built-in `gbde` and `geli` utilities can be used to transparently encrypt entire file systems. No cleartext ever touches the hard drive's platter. +Regardless of how an attacker may have come into possession of a hard drive or powered-down computer, the GEOM-based cryptographic subsystems built into FreeBSD are able to protect the data on the computer's file systems against even highly-motivated attackers with significant resources. +Unlike encryption methods that encrypt individual files, the built-in `gbde` and `geli` utilities can be used to transparently encrypt entire file systems. +No cleartext ever touches the hard drive's platter. -This chapter demonstrates how to create an encrypted file system on FreeBSD. It first demonstrates the process using `gbde` and then demonstrates the same example using `geli`. +This chapter demonstrates how to create an encrypted file system on FreeBSD. +It first demonstrates the process using `gbde` and then demonstrates the same example using `geli`. === Disk Encryption with gbde -The objective of the man:gbde[4] facility is to provide a formidable challenge for an attacker to gain access to the contents of a _cold_ storage device. However, if the computer is compromised while up and running and the storage device is actively attached, or the attacker has access to a valid passphrase, it offers no protection to the contents of the storage device. Thus, it is important to provide physical security while the system is running and to protect the passphrase used by the encryption mechanism. +The objective of the man:gbde[4] facility is to provide a formidable challenge for an attacker to gain access to the contents of a _cold_ storage device. +However, if the computer is compromised while up and running and the storage device is actively attached, or the attacker has access to a valid passphrase, it offers no protection to the contents of the storage device. +Thus, it is important to provide physical security while the system is running and to protect the passphrase used by the encryption mechanism. -This facility provides several barriers to protect the data stored in each disk sector. It encrypts the contents of a disk sector using 128-bit AES in CBC mode. Each sector on the disk is encrypted with a different AES key. For more information on the cryptographic design, including how the sector keys are derived from the user-supplied passphrase, refer to man:gbde[4]. +This facility provides several barriers to protect the data stored in each disk sector. +It encrypts the contents of a disk sector using 128-bit AES in CBC mode. +Each sector on the disk is encrypted with a different AES key. +For more information on the cryptographic design, including how the sector keys are derived from the user-supplied passphrase, refer to man:gbde[4]. FreeBSD provides a kernel module for gbde which can be loaded with this command: @@ -1602,7 +1825,8 @@ The following example demonstrates adding a new hard drive to a system that will .Procedure: Encrypting a Partition with gbde . Add the New Hard Drive + -Install the new drive to the system as explained in <<disks-adding>>. For the purposes of this example, a new hard drive partition has been added as [.filename]#/dev/ad4s1c# and [.filename]#/dev/ad0s1*# represents the existing standard FreeBSD partitions. +Install the new drive to the system as explained in <<disks-adding>>. +For the purposes of this example, a new hard drive partition has been added as [.filename]#/dev/ad4s1c# and [.filename]#/dev/ad0s1*# represents the existing standard FreeBSD partitions. + [source,shell] .... @@ -1619,10 +1843,15 @@ Install the new drive to the system as explained in <<disks-adding>>. For the pu # mkdir /etc/gbde .... + -The gbde lock file contains information that gbde requires to access encrypted partitions. Without access to the lock file, gbde will not be able to decrypt the data contained in the encrypted partition without significant manual intervention which is not supported by the software. Each encrypted partition uses a separate lock file. +The gbde lock file contains information that gbde requires to access encrypted partitions. +Without access to the lock file, gbde will not be able to decrypt the data contained in the encrypted partition without significant manual intervention which is not supported by the software. +Each encrypted partition uses a separate lock file. . Initialize the `gbde` Partition + -A gbde partition must be initialized before it can be used. This initialization needs to be performed only once. This command will open the default editor, in order to set various configuration options in a template. For use with the UFS file system, set the sector_size to 2048: +A gbde partition must be initialized before it can be used. +This initialization needs to be performed only once. +This command will open the default editor, in order to set various configuration options in a template. +For use with the UFS file system, set the sector_size to 2048: + [source,shell] .... @@ -1638,14 +1867,19 @@ sector_size = 2048 [...] .... + -Once the edit is saved, the user will be asked twice to type the passphrase used to secure the data. The passphrase must be the same both times. The ability of gbde to protect data depends entirely on the quality of the passphrase. For tips on how to select a secure passphrase that is easy to remember, see http://world.std.com/\~reinhold/diceware.html[http://world.std.com/~reinhold/diceware.htm]. +Once the edit is saved, the user will be asked twice to type the passphrase used to secure the data. +The passphrase must be the same both times. +The ability of gbde to protect data depends entirely on the quality of the passphrase. +For tips on how to select a secure passphrase that is easy to remember, see http://world.std.com/\~reinhold/diceware.html[http://world.std.com/~reinhold/diceware.htm]. + -This initialization creates a lock file for the gbde partition. In this example, it is stored as [.filename]#/etc/gbde/ad4s1c.lock#. Lock files must end in ".lock" in order to be correctly detected by the [.filename]#/etc/rc.d/gbde# start up script. +This initialization creates a lock file for the gbde partition. +In this example, it is stored as [.filename]#/etc/gbde/ad4s1c.lock#. +Lock files must end in ".lock" in order to be correctly detected by the [.filename]#/etc/rc.d/gbde# start up script. + [CAUTION] ==== - -Lock files _must_ be backed up together with the contents of any encrypted partitions. Without the lock file, the legitimate owner will be unable to access the data on the encrypted partition. +Lock files _must_ be backed up together with the contents of any encrypted partitions. +Without the lock file, the legitimate owner will be unable to access the data on the encrypted partition. ==== . Attach the Encrypted Partition to the Kernel @@ -1655,7 +1889,8 @@ Lock files _must_ be backed up together with the contents of any encrypted parti # gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock .... + -This command will prompt to input the passphrase that was selected during the initialization of the encrypted partition. The new encrypted device will appear in [.filename]#/dev# as [.filename]#/dev/device_name.bde#: +This command will prompt to input the passphrase that was selected during the initialization of the encrypted partition. +The new encrypted device will appear in [.filename]#/dev# as [.filename]#/dev/device_name.bde#: + [source,shell] .... @@ -1667,7 +1902,9 @@ This command will prompt to input the passphrase that was selected during the in . Create a File System on the Encrypted Device + -Once the encrypted device has been attached to the kernel, a file system can be created on the device. This example creates a UFS file system with soft updates enabled. Be sure to specify the partition which has a [.filename]#*.bde# extension: +Once the encrypted device has been attached to the kernel, a file system can be created on the device. +This example creates a UFS file system with soft updates enabled. +Be sure to specify the partition which has a [.filename]#*.bde# extension: + [source,shell] .... @@ -1700,7 +1937,8 @@ Filesystem Size Used Avail Capacity Mounted on /dev/ad4s1c.bde 150G 4.1K 138G 0% /private .... -After each boot, any encrypted file systems must be manually re-attached to the kernel, checked for errors, and mounted, before the file systems can be used. To configure these steps, add the following lines to [.filename]#/etc/rc.conf#: +After each boot, any encrypted file systems must be manually re-attached to the kernel, checked for errors, and mounted, before the file systems can be used. +To configure these steps, add the following lines to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -1709,11 +1947,15 @@ gbde_devices="ad4s1c" gbde_lockdir="/etc/gbde" .... -This requires that the passphrase be entered at the console at boot time. After typing the correct passphrase, the encrypted partition will be mounted automatically. Additional gbde boot options are available and listed in man:rc.conf[5]. +This requires that the passphrase be entered at the console at boot time. +After typing the correct passphrase, the encrypted partition will be mounted automatically. +Additional gbde boot options are available and listed in man:rc.conf[5]. [NOTE] ==== -sysinstall is incompatible with gbde-encrypted devices. All [.filename]#*.bde# devices must be detached from the kernel before starting sysinstall or it will crash during its initial probing for devices. To detach the encrypted device used in the example, use the following command: +sysinstall is incompatible with gbde-encrypted devices. +All [.filename]#*.bde# devices must be detached from the kernel before starting sysinstall or it will crash during its initial probing for devices. +To detach the encrypted device used in the example, use the following command: [source,shell] .... @@ -1724,7 +1966,9 @@ sysinstall is incompatible with gbde-encrypted devices. All [.filename]#*.bde# d [[disks-encrypting-geli]] === Disk Encryption with `geli` -An alternative cryptographic GEOM class is available using `geli`. This control utility adds some features and uses a different scheme for doing cryptographic work. It provides the following features: +An alternative cryptographic GEOM class is available using `geli`. +This control utility adds some features and uses a different scheme for doing cryptographic work. +It provides the following features: * Utilizes the man:crypto[9] framework and automatically uses cryptographic hardware when it is available. * Supports multiple cryptographic algorithms such as AES, Blowfish, and 3DES. @@ -1736,7 +1980,11 @@ An alternative cryptographic GEOM class is available using `geli`. This control More features and usage examples can be found in man:geli[8]. -The following example describes how to generate a key file which will be used as part of the master key for the encrypted provider mounted under [.filename]#/private#. The key file will provide some random data used to encrypt the master key. The master key will also be protected by a passphrase. The provider's sector size will be 4kB. The example describes how to attach to the `geli` provider, create a file system on it, mount it, work with it, and finally, how to detach it. +The following example describes how to generate a key file which will be used as part of the master key for the encrypted provider mounted under [.filename]#/private#. +The key file will provide some random data used to encrypt the master key. +The master key will also be protected by a passphrase. +The provider's sector size will be 4kB. +The example describes how to attach to the `geli` provider, create a file system on it, mount it, work with it, and finally, how to detach it. [.procedure] .Procedure: Encrypting a Partition with `geli` @@ -1766,7 +2014,12 @@ device crypto . Generate the Master Key + -The following commands generate a master key that all data will be encrypted with. This key can never be changed. Rather than using it directly, it is encrypted with one or more user keys. The user keys are made up of an optional combination of random bytes from a file, [.filename]#/root/da2.key#, and/or a passphrase. In this case, the data source for the key file is [.filename]#/dev/random#. This command also configures the sector size of the provider ([.filename]#/dev/da2.eli#) as 4kB, for better performance: +The following commands generate a master key that all data will be encrypted with. +This key can never be changed. +Rather than using it directly, it is encrypted with one or more user keys. +The user keys are made up of an optional combination of random bytes from a file, [.filename]#/root/da2.key#, and/or a passphrase. +In this case, the data source for the key file is [.filename]#/dev/random#. +This command also configures the sector size of the provider ([.filename]#/dev/da2.eli#) as 4kB, for better performance: + [source,shell] .... @@ -1778,7 +2031,8 @@ Reenter new passphrase: + It is not mandatory to use both a passphrase and a key file as either method of securing the master key can be used in isolation. + -If the key file is given as "-", standard input will be used. For example, this command generates three key files: +If the key file is given as "-", standard input will be used. +For example, this command generates three key files: + [source,shell] .... @@ -1844,18 +2098,31 @@ geli_devices="da2" geli_da2_flags="-k /root/da2.key" .... -This configures [.filename]#/dev/da2# as a `geli` provider with a master key of [.filename]#/root/da2.key#. The system will automatically detach the provider from the kernel before the system shuts down. During the startup process, the script will prompt for the passphrase before attaching the provider. Other kernel messages might be shown before and after the password prompt. If the boot process seems to stall, look carefully for the password prompt among the other messages. Once the correct passphrase is entered, the provider is attached. The file system is then mounted, typically by an entry in [.filename]#/etc/fstab#. Refer to crossref:basics[mount-unmount,“Mounting and Unmounting File Systems”] for instructions on how to configure a file system to mount at boot time. +This configures [.filename]#/dev/da2# as a `geli` provider with a master key of [.filename]#/root/da2.key#. +The system will automatically detach the provider from the kernel before the system shuts down. +During the startup process, the script will prompt for the passphrase before attaching the provider. +Other kernel messages might be shown before and after the password prompt. +If the boot process seems to stall, look carefully for the password prompt among the other messages. +Once the correct passphrase is entered, the provider is attached. +The file system is then mounted, typically by an entry in [.filename]#/etc/fstab#. +Refer to crossref:basics[mount-unmount,“Mounting and Unmounting File Systems”] for instructions on how to configure a file system to mount at boot time. [[swap-encrypting]] == Encrypting Swap -Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these passwords stay in physical memory, they are not written to disk and will be cleared after a reboot. However, if FreeBSD starts swapping out memory pages to free space, the passwords may be written to the disk unencrypted. Encrypting swap space can be a solution for this scenario. +Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. +Consider an application that deals with passwords. +As long as these passwords stay in physical memory, they are not written to disk and will be cleared after a reboot. +However, if FreeBSD starts swapping out memory pages to free space, the passwords may be written to the disk unencrypted. +Encrypting swap space can be a solution for this scenario. -This section demonstrates how to configure an encrypted swap partition using man:gbde[8] or man:geli[8] encryption. It assumes that [.filename]#/dev/ada0s1b# is the swap partition. +This section demonstrates how to configure an encrypted swap partition using man:gbde[8] or man:geli[8] encryption. +It assumes that [.filename]#/dev/ada0s1b# is the swap partition. === Configuring Encrypted Swap -Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To overwrite the current swap partition with random garbage, execute the following command: +Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. +To overwrite the current swap partition with random garbage, execute the following command: [source,shell] .... @@ -1878,19 +2145,26 @@ To instead encrypt the swap partition using man:geli[8], use the `.eli` suffix: /dev/ada0s1b.eli none swap sw 0 0 .... -By default, man:geli[8] uses the AES algorithm with a key length of 128 bits. Normally the default settings will suffice. If desired, these defaults can be altered in the options field in [.filename]#/etc/fstab#. The possible flags are: +By default, man:geli[8] uses the AES algorithm with a key length of 128 bits. +Normally the default settings will suffice. +If desired, these defaults can be altered in the options field in [.filename]#/etc/fstab#. The possible flags are: aalgo:: -Data integrity verification algorithm used to ensure that the encrypted data has not been tampered with. See man:geli[8] for a list of supported algorithms. +Data integrity verification algorithm used to ensure that the encrypted data has not been tampered with. +See man:geli[8] for a list of supported algorithms. ealgo:: -Encryption algorithm used to protect the data. See man:geli[8] for a list of supported algorithms. +Encryption algorithm used to protect the data. +See man:geli[8] for a list of supported algorithms. keylen:: -The length of the key used for the encryption algorithm. See man:geli[8] for the key lengths that are supported by each encryption algorithm. +The length of the key used for the encryption algorithm. +See man:geli[8] for the key lengths that are supported by each encryption algorithm. sectorsize:: -The size of the blocks data is broken into before it is encrypted. Larger sector sizes increase performance at the cost of higher storage overhead. The recommended size is 4096 bytes. +The size of the blocks data is broken into before it is encrypted. +Larger sector sizes increase performance at the cost of higher storage overhead. +The recommended size is 4096 bytes. This example configures an encrypted swap partition using the Blowfish algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes: @@ -1925,7 +2199,10 @@ Device 1K-blocks Used Avail Capacity [[disks-hast]] == Highly Available Storage (HAST) -High availability is one of the main requirements in serious business applications and highly-available storage is a key component in such environments. In FreeBSD, the Highly Available STorage (HAST) framework allows transparent storage of the same data across several physically separated machines connected by a TCP/IP network. HAST can be understood as a network-based RAID1 (mirror), and is similar to the DRBD(R) storage system used in the GNU/Linux(R) platform. In combination with other high-availability features of FreeBSD like CARP, HAST makes it possible to build a highly-available storage cluster that is resistant to hardware failures. +High availability is one of the main requirements in serious business applications and highly-available storage is a key component in such environments. +In FreeBSD, the Highly Available STorage (HAST) framework allows transparent storage of the same data across several physically separated machines connected by a TCP/IP network. +HAST can be understood as a network-based RAID1 (mirror), and is similar to the DRBD(R) storage system used in the GNU/Linux(R) platform. +In combination with other high-availability features of FreeBSD like CARP, HAST makes it possible to build a highly-available storage cluster that is resistant to hardware failures. The following are the main features of HAST: @@ -1951,19 +2228,29 @@ The HAST project was sponsored by The FreeBSD Foundation with support from http: === HAST Operation -HAST provides synchronous block-level replication between two physical machines: the _primary_, also known as the _master_ node, and the _secondary_, or _slave_ node. These two machines together are referred to as a cluster. +HAST provides synchronous block-level replication between two physical machines: the _primary_, also known as the _master_ node, and the _secondary_, or _slave_ node. +These two machines together are referred to as a cluster. -Since HAST works in a primary-secondary configuration, it allows only one of the cluster nodes to be active at any given time. The primary node, also called _active_, is the one which will handle all the I/O requests to HAST-managed devices. The secondary node is automatically synchronized from the primary node. +Since HAST works in a primary-secondary configuration, it allows only one of the cluster nodes to be active at any given time. +The primary node, also called _active_, is the one which will handle all the I/O requests to HAST-managed devices. +The secondary node is automatically synchronized from the primary node. The physical components of the HAST system are the local disk on primary node, and the disk on the remote, secondary node. -HAST operates synchronously on a block level, making it transparent to file systems and applications. HAST provides regular GEOM providers in [.filename]#/dev/hast/# for use by other tools or applications. There is no difference between using HAST-provided devices and raw disks or partitions. +HAST operates synchronously on a block level, making it transparent to file systems and applications. +HAST provides regular GEOM providers in [.filename]#/dev/hast/# for use by other tools or applications. +There is no difference between using HAST-provided devices and raw disks or partitions. -Each write, delete, or flush operation is sent to both the local disk and to the remote disk over TCP/IP. Each read operation is served from the local disk, unless the local disk is not up-to-date or an I/O error occurs. In such cases, the read operation is sent to the secondary node. +Each write, delete, or flush operation is sent to both the local disk and to the remote disk over TCP/IP. +Each read operation is served from the local disk, unless the local disk is not up-to-date or an I/O error occurs. +In such cases, the read operation is sent to the secondary node. -HAST tries to provide fast failure recovery. For this reason, it is important to reduce synchronization time after a node's outage. To provide fast synchronization, HAST manages an on-disk bitmap of dirty extents and only synchronizes those during a regular synchronization, with an exception of the initial sync. +HAST tries to provide fast failure recovery. +For this reason, it is important to reduce synchronization time after a node's outage. +To provide fast synchronization, HAST manages an on-disk bitmap of dirty extents and only synchronizes those during a regular synchronization, with an exception of the initial sync. -There are many ways to handle synchronization. HAST implements several replication modes to handle different synchronization methods: +There are many ways to handle synchronization. +HAST implements several replication modes to handle different synchronization methods: * _memsync_: This mode reports a write operation as completed when the local write operation is finished and when the remote node acknowledges data arrival, but before actually storing the data. The data on the remote node will be stored directly after sending the acknowledgement. This mode is intended to reduce latency, but still provides good reliability. This mode is the default. * _fullsync_: This mode reports a write operation as completed when both the local write and the remote write complete. This is the safest and the slowest replication mode. @@ -1984,9 +2271,14 @@ Users who prefer to statically build `GEOM_GATE` support into the kernel should options GEOM_GATE .... -The following example describes how to configure two nodes in master-slave/primary-secondary operation using HAST to replicate the data between the two. The nodes will be called `hasta`, with an IP address of `172.16.0.1`, and `hastb`, with an IP address of `172.16.0.2`. Both nodes will have a dedicated hard drive [.filename]#/dev/ad6# of the same size for HAST operation. The HAST pool, sometimes referred to as a resource or the GEOM provider in [.filename]#/dev/hast/#, will be called `test`. +The following example describes how to configure two nodes in master-slave/primary-secondary operation using HAST to replicate the data between the two. +The nodes will be called `hasta`, with an IP address of `172.16.0.1`, and `hastb`, with an IP address of `172.16.0.2`. +Both nodes will have a dedicated hard drive [.filename]#/dev/ad6# of the same size for HAST operation. +The HAST pool, sometimes referred to as a resource or the GEOM provider in [.filename]#/dev/hast/#, will be called `test`. -Configuration of HAST is done using [.filename]#/etc/hast.conf#. This file should be identical on both nodes. The simplest configuration is: +Configuration of HAST is done using [.filename]#/etc/hast.conf#. +This file should be identical on both nodes. +The simplest configuration is: [.programlisting] .... @@ -2006,11 +2298,11 @@ For more advanced configuration, refer to man:hast.conf[5]. [TIP] ==== - It is also possible to use host names in the `remote` statements if the hosts are resolvable and defined either in [.filename]#/etc/hosts# or in the local DNS. ==== -Once the configuration exists on both nodes, the HAST pool can be created. Run these commands on both nodes to place the initial metadata onto the local disk and to start man:hastd[8]: +Once the configuration exists on both nodes, the HAST pool can be created. +Run these commands on both nodes to place the initial metadata onto the local disk and to start man:hastd[8]: [source,shell] .... @@ -2020,10 +2312,12 @@ Once the configuration exists on both nodes, the HAST pool can be created. Run t [NOTE] ==== -It is _not_ possible to use GEOM providers with an existing file system or to convert an existing storage to a HAST-managed pool. This procedure needs to store some metadata on the provider and there will not be enough required space available on an existing provider. +It is _not_ possible to use GEOM providers with an existing file system or to convert an existing storage to a HAST-managed pool. +This procedure needs to store some metadata on the provider and there will not be enough required space available on an existing provider. ==== -A HAST node's `primary` or `secondary` role is selected by an administrator, or software like Heartbeat, using man:hastctl[8]. On the primary node, `hasta`, issue this command: +A HAST node's `primary` or `secondary` role is selected by an administrator, or software like Heartbeat, using man:hastctl[8]. +On the primary node, `hasta`, issue this command: [source,shell] .... @@ -2044,9 +2338,15 @@ Verify the result by running `hastctl` on each node: # hastctl status test .... -Check the `status` line in the output. If it says `degraded`, something is wrong with the configuration file. It should say `complete` on each node, meaning that the synchronization between the nodes has started. The synchronization completes when `hastctl status` reports 0 bytes of `dirty` extents. +Check the `status` line in the output. +If it says `degraded`, something is wrong with the configuration file. +It should say `complete` on each node, meaning that the synchronization between the nodes has started. +The synchronization completes when `hastctl status` reports 0 bytes of `dirty` extents. -The next step is to create a file system on the GEOM provider and mount it. This must be done on the `primary` node. Creating the file system can take a few minutes, depending on the size of the hard drive. This example creates a UFS file system on [.filename]#/dev/hast/test#: +The next step is to create a file system on the GEOM provider and mount it. +This must be done on the `primary` node. +Creating the file system can take a few minutes, depending on the size of the hard drive. +This example creates a UFS file system on [.filename]#/dev/hast/test#: [source,shell] .... @@ -2055,7 +2355,8 @@ The next step is to create a file system on the GEOM provider and mount it. This # mount /dev/hast/test /hast/test .... -Once the HAST framework is configured properly, the final step is to make sure that HAST is started automatically during system boot. Add this line to [.filename]#/etc/rc.conf#: +Once the HAST framework is configured properly, the final step is to make sure that HAST is started automatically during system boot. +Add this line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -2064,13 +2365,22 @@ hastd_enable="YES" ==== Failover Configuration -The goal of this example is to build a robust storage system which is resistant to the failure of any given node. If the primary node fails, the secondary node is there to take over seamlessly, check and mount the file system, and continue to work without missing a single bit of data. +The goal of this example is to build a robust storage system which is resistant to the failure of any given node. +If the primary node fails, the secondary node is there to take over seamlessly, check and mount the file system, and continue to work without missing a single bit of data. -To accomplish this task, the Common Address Redundancy Protocol (CARP) is used to provide for automatic failover at the IP layer. CARP allows multiple hosts on the same network segment to share an IP address. Set up CARP on both nodes of the cluster according to the documentation available in crossref:advanced-networking[carp,“Common Address Redundancy Protocol (CARP)”]. In this example, each node will have its own management IP address and a shared IP address of _172.16.0.254_. The primary HAST node of the cluster must be the master CARP node. +To accomplish this task, the Common Address Redundancy Protocol (CARP) is used to provide for automatic failover at the IP layer. +CARP allows multiple hosts on the same network segment to share an IP address. +Set up CARP on both nodes of the cluster according to the documentation available in crossref:advanced-networking[carp,“Common Address Redundancy Protocol (CARP)”]. +In this example, each node will have its own management IP address and a shared IP address of _172.16.0.254_. +The primary HAST node of the cluster must be the master CARP node. -The HAST pool created in the previous section is now ready to be exported to the other hosts on the network. This can be accomplished by exporting it through NFS or Samba, using the shared IP address _172.16.0.254_. The only problem which remains unresolved is an automatic failover should the primary node fail. +The HAST pool created in the previous section is now ready to be exported to the other hosts on the network. +This can be accomplished by exporting it through NFS or Samba, using the shared IP address _172.16.0.254_. +The only problem which remains unresolved is an automatic failover should the primary node fail. -In the event of CARP interfaces going up or down, the FreeBSD operating system generates a man:devd[8] event, making it possible to watch for state changes on the CARP interfaces. A state change on the CARP interface is an indication that one of the nodes failed or came back online. These state change events make it possible to run a script which will automatically handle the HAST failover. +In the event of CARP interfaces going up or down, the FreeBSD operating system generates a man:devd[8] event, making it possible to watch for state changes on the CARP interfaces. +A state change on the CARP interface is an indication that one of the nodes failed or came back online. +These state change events make it possible to run a script which will automatically handle the HAST failover. To catch state changes on the CARP interfaces, add this configuration to [.filename]#/etc/devd.conf# on each node: @@ -2103,7 +2413,8 @@ Restart man:devd[8] on both nodes to put the new configuration into effect: # service devd restart .... -When the specified interface state changes by going up or down , the system generates a notification, allowing the man:devd[8] subsystem to run the specified automatic failover script, [.filename]#/usr/local/sbin/carp-hast-switch#. For further clarification about this configuration, refer to man:devd.conf[5]. +When the specified interface state changes by going up or down , the system generates a notification, allowing the man:devd[8] subsystem to run the specified automatic failover script, [.filename]#/usr/local/sbin/carp-hast-switch#. +For further clarification about this configuration, refer to man:devd.conf[5]. Here is an example of an automated failover script: @@ -2206,30 +2517,38 @@ When a node becomes secondary: [CAUTION] ==== - -This is just an example script which serves as a proof of concept. It does not handle all the possible scenarios and can be extended or altered in any way, for example, to start or stop required services. +This is just an example script which serves as a proof of concept. +It does not handle all the possible scenarios and can be extended or altered in any way, for example, to start or stop required services. ==== [TIP] ==== - -For this example, a standard UFS file system was used. To reduce the time needed for recovery, a journal-enabled UFS or ZFS file system can be used instead. +For this example, a standard UFS file system was used. +To reduce the time needed for recovery, a journal-enabled UFS or ZFS file system can be used instead. ==== More detailed information with additional examples can be found at http://wiki.FreeBSD.org/HAST[http://wiki.FreeBSD.org/HAST]. === Troubleshooting -HAST should generally work without issues. However, as with any other software product, there may be times when it does not work as supposed. The sources of the problems may be different, but the rule of thumb is to ensure that the time is synchronized between the nodes of the cluster. +HAST should generally work without issues. +However, as with any other software product, there may be times when it does not work as supposed. +The sources of the problems may be different, but the rule of thumb is to ensure that the time is synchronized between the nodes of the cluster. -When troubleshooting HAST, the debugging level of man:hastd[8] should be increased by starting `hastd` with `-d`. This argument may be specified multiple times to further increase the debugging level. Consider also using `-F`, which starts `hastd` in the foreground. +When troubleshooting HAST, the debugging level of man:hastd[8] should be increased by starting `hastd` with `-d`. +This argument may be specified multiple times to further increase the debugging level. +Consider also using `-F`, which starts `hastd` in the foreground. [[disks-hast-sb]] ==== Recovering from the Split-brain Condition -_Split-brain_ occurs when the nodes of the cluster are unable to communicate with each other, and both are configured as primary. This is a dangerous condition because it allows both nodes to make incompatible changes to the data. This problem must be corrected manually by the system administrator. +_Split-brain_ occurs when the nodes of the cluster are unable to communicate with each other, and both are configured as primary. +This is a dangerous condition because it allows both nodes to make incompatible changes to the data. +This problem must be corrected manually by the system administrator. -The administrator must either decide which node has more important changes, or perform the merge manually. Then, let HAST perform full synchronization of the node which has the broken data. To do this, issue these commands on the node which needs to be resynchronized: +The administrator must either decide which node has more important changes, or perform the merge manually. +Then, let HAST perform full synchronization of the node which has the broken data. +To do this, issue these commands on the node which needs to be resynchronized: [source,shell] .... diff --git a/documentation/content/en/books/handbook/dtrace/_index.adoc b/documentation/content/en/books/handbook/dtrace/_index.adoc index d68411983c..f73a7630d2 100644 --- a/documentation/content/en/books/handbook/dtrace/_index.adoc +++ b/documentation/content/en/books/handbook/dtrace/_index.adoc @@ -46,11 +46,16 @@ toc::[] [[dtrace-synopsis]] == Synopsis -DTrace, also known as Dynamic Tracing, was developed by Sun(TM) as a tool for locating performance bottlenecks in production and pre-production systems. In addition to diagnosing performance problems, DTrace can be used to help investigate and debug unexpected behavior in both the FreeBSD kernel and in userland programs. +DTrace, also known as Dynamic Tracing, was developed by Sun(TM) as a tool for locating performance bottlenecks in production and pre-production systems. +In addition to diagnosing performance problems, DTrace can be used to help investigate and debug unexpected behavior in both the FreeBSD kernel and in userland programs. -DTrace is a remarkable profiling tool, with an impressive array of features for diagnosing system issues. It may also be used to run pre-written scripts to take advantage of its capabilities. Users can author their own utilities using the DTrace D Language, allowing them to customize their profiling based on specific needs. +DTrace is a remarkable profiling tool, with an impressive array of features for diagnosing system issues. +It may also be used to run pre-written scripts to take advantage of its capabilities. +Users can author their own utilities using the DTrace D Language, allowing them to customize their profiling based on specific needs. -The FreeBSD implementation provides full support for kernel DTrace and experimental support for userland DTrace. Userland DTrace allows users to perform function boundary tracing for userland programs using the `pid` provider, and to insert static probes into userland programs for later tracing. Some ports, such as package:databases/postgresql12-server[] and package:lang/php74[] have a DTrace option to enable static probes. +The FreeBSD implementation provides full support for kernel DTrace and experimental support for userland DTrace. +Userland DTrace allows users to perform function boundary tracing for userland programs using the `pid` provider, and to insert static probes into userland programs for later tracing. +Some ports, such as package:databases/postgresql12-server[] and package:lang/php74[] have a DTrace option to enable static probes. The official guide to DTrace is maintained by the Illumos project at http://dtrace.org/guide[DTrace Guide]. @@ -68,7 +73,9 @@ Before reading this chapter, you should: [[dtrace-implementation]] == Implementation Differences -While the DTrace in FreeBSD is similar to that found in Solaris(TM), differences do exist. The primary difference is that in FreeBSD, DTrace is implemented as a set of kernel modules and DTrace can not be used until the modules are loaded. To load all of the necessary modules: +While the DTrace in FreeBSD is similar to that found in Solaris(TM), differences do exist. +The primary difference is that in FreeBSD, DTrace is implemented as a set of kernel modules and DTrace can not be used until the modules are loaded. +To load all of the necessary modules: [source,shell] .... @@ -77,18 +84,31 @@ While the DTrace in FreeBSD is similar to that found in Solaris(TM), differences Beginning with FreeBSD 10.0-RELEASE, the modules are automatically loaded when `dtrace` is run. -FreeBSD uses the `DDB_CTF` kernel option to enable support for loading `CTF` data from kernel modules and the kernel itself. `CTF` is the Solaris(TM) Compact C Type Format which encapsulates a reduced form of debugging information similar to `DWARF` and the venerable stabs. `CTF` data is added to binaries by the `ctfconvert` and `ctfmerge` build tools. The `ctfconvert` utility parses `DWARF``ELF` debug sections created by the compiler and `ctfmerge` merges `CTF``ELF` sections from objects into either executables or shared libraries. +FreeBSD uses the `DDB_CTF` kernel option to enable support for loading `CTF` data from kernel modules and the kernel itself. +`CTF` is the Solaris(TM) Compact C Type Format which encapsulates a reduced form of debugging information similar to `DWARF` and the venerable stabs. +`CTF` data is added to binaries by the `ctfconvert` and `ctfmerge` build tools. +The `ctfconvert` utility parses `DWARF``ELF` debug sections created by the compiler and `ctfmerge` merges `CTF``ELF` sections from objects into either executables or shared libraries. -Some different providers exist for FreeBSD than for Solaris(TM). Most notable is the `dtmalloc` provider, which allows tracing `malloc()` by type in the FreeBSD kernel. Some of the providers found in Solaris(TM), such as `cpc` and `mib`, are not present in FreeBSD. These may appear in future versions of FreeBSD. Moreover, some of the providers available in both operating systems are not compatible, in the sense that their probes have different argument types. Thus, `D` scripts written on Solaris(TM) may or may not work unmodified on FreeBSD, and vice versa. +Some different providers exist for FreeBSD than for Solaris(TM). +Most notable is the `dtmalloc` provider, which allows tracing `malloc()` by type in the FreeBSD kernel. +Some of the providers found in Solaris(TM), such as `cpc` and `mib`, are not present in FreeBSD. +These may appear in future versions of FreeBSD. +Moreover, some of the providers available in both operating systems are not compatible, in the sense that their probes have different argument types. +Thus, `D` scripts written on Solaris(TM) may or may not work unmodified on FreeBSD, and vice versa. -Due to security differences, only `root` may use DTrace on FreeBSD. Solaris(TM) has a few low level security checks which do not yet exist in FreeBSD. As such, the [.filename]#/dev/dtrace/dtrace# is strictly limited to `root`. +Due to security differences, only `root` may use DTrace on FreeBSD. +Solaris(TM) has a few low level security checks which do not yet exist in FreeBSD. +As such, the [.filename]#/dev/dtrace/dtrace# is strictly limited to `root`. -DTrace falls under the Common Development and Distribution License (`CDDL`) license. To view this license on FreeBSD, see [.filename]#/usr/src/cddl/contrib/opensolaris/OPENSOLARIS.LICENSE# or view it online at http://opensource.org/licenses/CDDL-1.0[http://opensource.org/licenses/CDDL-1.0]. While a FreeBSD kernel with DTrace support is `BSD` licensed, the `CDDL` is used when the modules are distributed in binary form or the binaries are loaded. +DTrace falls under the Common Development and Distribution License (`CDDL`) license. +To view this license on FreeBSD, see [.filename]#/usr/src/cddl/contrib/opensolaris/OPENSOLARIS.LICENSE# or view it online at http://opensource.org/licenses/CDDL-1.0[http://opensource.org/licenses/CDDL-1.0]. +While a FreeBSD kernel with DTrace support is `BSD` licensed, the `CDDL` is used when the modules are distributed in binary form or the binaries are loaded. [[dtrace-enable]] == Enabling DTrace Support -In FreeBSD 9.2 and 10.0, DTrace support is built into the [.filename]#GENERIC# kernel. Users of earlier versions of FreeBSD or who prefer to statically compile in DTrace support should add the following lines to a custom kernel configuration file and recompile the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]: +In FreeBSD 9.2 and 10.0, DTrace support is built into the [.filename]#GENERIC# kernel. +Users of earlier versions of FreeBSD or who prefer to statically compile in DTrace support should add the following lines to a custom kernel configuration file and recompile the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]: [.programlisting] .... @@ -105,23 +125,37 @@ Users of the AMD64 architecture should also add this line: options KDTRACE_FRAME .... -This option provides support for `FBT`. While DTrace will work without this option, there will be limited support for function boundary tracing. +This option provides support for `FBT`. +While DTrace will work without this option, there will be limited support for function boundary tracing. -Once the FreeBSD system has rebooted into the new kernel, or the DTrace kernel modules have been loaded using `kldload dtraceall`, the system will need support for the Korn shell as the DTrace Toolkit has several utilities written in `ksh`. Make sure that the package:shells/ksh93[] package or port is installed. It is also possible to run these tools under package:shells/pdksh[] or package:shells/mksh[]. +Once the FreeBSD system has rebooted into the new kernel, or the DTrace kernel modules have been loaded using `kldload dtraceall`, the system will need support for the Korn shell as the DTrace Toolkit has several utilities written in `ksh`. +Make sure that the package:shells/ksh93[] package or port is installed. +It is also possible to run these tools under package:shells/pdksh[] or package:shells/mksh[]. -Finally, install the current DTrace Toolkit, a collection of ready-made scripts for collecting system information. There are scripts to check open files, memory, `CPU` usage, and a lot more. FreeBSD 10 installs a few of these scripts into [.filename]#/usr/share/dtrace#. On other FreeBSD versions, or to install the full DTrace Toolkit, use the package:sysutils/dtrace-toolkit[] package or port. +Finally, install the current DTrace Toolkit, a collection of ready-made scripts for collecting system information. +There are scripts to check open files, memory, `CPU` usage, and a lot more. +FreeBSD 10 installs a few of these scripts into [.filename]#/usr/share/dtrace#. +On other FreeBSD versions, or to install the full DTrace Toolkit, use the package:sysutils/dtrace-toolkit[] package or port. [NOTE] ==== -The scripts found in [.filename]#/usr/share/dtrace# have been specifically ported to FreeBSD. Not all of the scripts found in the DTrace Toolkit will work as-is on FreeBSD and some scripts may require some effort in order for them to work on FreeBSD. +The scripts found in [.filename]#/usr/share/dtrace# have been specifically ported to FreeBSD. +Not all of the scripts found in the DTrace Toolkit will work as-is on FreeBSD and some scripts may require some effort in order for them to work on FreeBSD. ==== -The DTrace Toolkit includes many scripts in the special language of DTrace. This language is called the D language and it is very similar to C++. An in depth discussion of the language is beyond the scope of this document. It is covered extensively in the http://www.dtrace.org/guide[Illumos Dynamic Tracing Guide]. +The DTrace Toolkit includes many scripts in the special language of DTrace. +This language is called the D language and it is very similar to C++. +An in depth discussion of the language is beyond the scope of this document. +It is covered extensively in the http://www.dtrace.org/guide[Illumos Dynamic Tracing Guide]. [[dtrace-using]] == Using DTrace -DTrace scripts consist of a list of one or more _probes_, or instrumentation points, where each probe is associated with an action. Whenever the condition for a probe is met, the associated action is executed. For example, an action may occur when a file is opened, a process is started, or a line of code is executed. The action might be to log some information or to modify context variables. The reading and writing of context variables allows probes to share information and to cooperatively analyze the correlation of different events. +DTrace scripts consist of a list of one or more _probes_, or instrumentation points, where each probe is associated with an action. +Whenever the condition for a probe is met, the associated action is executed. +For example, an action may occur when a file is opened, a process is started, or a line of code is executed. +The action might be to log some information or to modify context variables. +The reading and writing of context variables allows probes to share information and to cooperatively analyze the correlation of different events. To view all probes, the administrator can execute the following command: @@ -130,11 +164,13 @@ To view all probes, the administrator can execute the following command: # dtrace -l | more .... -Each probe has an `ID`, a `PROVIDER` (dtrace or fbt), a `MODULE`, and a `FUNCTION NAME`. Refer to man:dtrace[1] for more information about this command. +Each probe has an `ID`, a `PROVIDER` (dtrace or fbt), a `MODULE`, and a `FUNCTION NAME`. +Refer to man:dtrace[1] for more information about this command. The examples in this section provide an overview of how to use two of the fully supported scripts from the DTrace Toolkit: the [.filename]#hotkernel# and [.filename]#procsystime# scripts. -The [.filename]#hotkernel# script is designed to identify which function is using the most kernel time. It will produce output similar to the following: +The [.filename]#hotkernel# script is designed to identify which function is using the most kernel time. +It will produce output similar to the following: [source,shell] .... @@ -143,7 +179,8 @@ The [.filename]#hotkernel# script is designed to identify which function is usin Sampling... Hit Ctrl-C to end. .... -As instructed, use the kbd:[Ctrl+C] key combination to stop the process. Upon termination, the script will display a list of kernel functions and timing information, sorting the output in increasing order of time: +As instructed, use the kbd:[Ctrl+C] key combination to stop the process. +Upon termination, the script will display a list of kernel functions and timing information, sorting the output in increasing order of time: [source,shell] .... @@ -175,7 +212,8 @@ kernel`sched_idletd 137 0.3% 0xc10981a5 42139 99.3% .... -This script will also work with kernel modules. To use this feature, run the script with `-m`: +This script will also work with kernel modules. +To use this feature, run the script with `-m`: [source,shell] .... @@ -197,7 +235,10 @@ kernel 874 0.4% 0xc10981a5 213781 99.6% .... -The [.filename]#procsystime# script captures and prints the system call time usage for a given process `ID` (`PID`) or process name. In the following example, a new instance of [.filename]#/bin/csh# was spawned. Then, [.filename]#procsystime# was executed and remained waiting while a few commands were typed on the other incarnation of `csh`. These are the results of this test: +The [.filename]#procsystime# script captures and prints the system call time usage for a given process `ID` (`PID`) or process name. +In the following example, a new instance of [.filename]#/bin/csh# was spawned. +Then, [.filename]#procsystime# was executed and remained waiting while a few commands were typed on the other incarnation of `csh`. +These are the results of this test: [source,shell] .... diff --git a/documentation/content/en/books/handbook/eresources/_index.adoc b/documentation/content/en/books/handbook/eresources/_index.adoc index 14e12e663f..c86986e887 100644 --- a/documentation/content/en/books/handbook/eresources/_index.adoc +++ b/documentation/content/en/books/handbook/eresources/_index.adoc @@ -29,9 +29,12 @@ include::shared/en/mailing-lists.adoc[] include::shared/en/teams.adoc[] include::shared/en/urls.adoc[] -The rapid pace of FreeBSD progress makes print media impractical as a means of following the latest developments. Electronic resources are the best, if not often the only, way to stay informed of the latest advances. Since FreeBSD is a volunteer effort, the user community itself also generally serves as a "technical support department" of sorts, with electronic mail, web forums, and USENET news being the most effective way of reaching that community. +The rapid pace of FreeBSD progress makes print media impractical as a means of following the latest developments. +Electronic resources are the best, if not often the only, way to stay informed of the latest advances. +Since FreeBSD is a volunteer effort, the user community itself also generally serves as a "technical support department" of sorts, with electronic mail, web forums, and USENET news being the most effective way of reaching that community. -The most important points of contact with the FreeBSD user community are outlined below. Please send other resources not mentioned here to the {freebsd-doc} so that they may also be included. +The most important points of contact with the FreeBSD user community are outlined below. +Please send other resources not mentioned here to the {freebsd-doc} so that they may also be included. [[eresources-www]] == Websites @@ -42,20 +45,29 @@ The most important points of contact with the FreeBSD user community are outline [[eresources-mail]] == Mailing Lists -The mailing lists are the most direct way of addressing questions or opening a technical discussion to a concentrated FreeBSD audience. There are a wide variety of lists on a number of different FreeBSD topics. Sending questions to the most appropriate mailing list will invariably assure a faster and more accurate response. +The mailing lists are the most direct way of addressing questions or opening a technical discussion to a concentrated FreeBSD audience. +There are a wide variety of lists on a number of different FreeBSD topics. +Sending questions to the most appropriate mailing list will invariably assure a faster and more accurate response. -The charters for the various lists are given at the bottom of this document. _Please read the charter before joining or sending mail to any list_. Most list subscribers receive many hundreds of FreeBSD related messages every day, and the charters and rules for use are meant to keep the signal-to-noise ratio of the lists high. To do less would see the mailing lists ultimately fail as an effective communications medium for the Project. +The charters for the various lists are given at the bottom of this document. +_Please read the charter before joining or sending mail to any list_. +Most list subscribers receive many hundreds of FreeBSD related messages every day, and the charters and rules for use are meant to keep the signal-to-noise ratio of the lists high. +To do less would see the mailing lists ultimately fail as an effective communications medium for the Project. [NOTE] ==== -_To test the ability to send email to FreeBSD lists, send a test message to {freebsd-test}._ Please do not send test messages to any other list. +_To test the ability to send email to FreeBSD lists, send a test message to {freebsd-test}._ +Please do not send test messages to any other list. ==== When in doubt about what list to post a question to, see link:{freebsd-questions-article}[How to get best results from the FreeBSD-questions mailing list]. Before posting to any list, please learn about how to best use the mailing lists, such as how to help avoid frequently-repeated discussions, by reading the link:{mailing-list-faq}[Mailing List Frequently Asked Questions] (FAQ) document. -Archives are kept for all of the mailing lists and can be searched using the https://www.FreeBSD.org/search/[FreeBSD World Wide Web server]. The keyword searchable archive offers an excellent way of finding answers to frequently asked questions and should be consulted before posting a question. Note that this also means that messages sent to FreeBSD mailing lists are archived in perpetuity. When protecting privacy is a concern, consider using a disposable secondary email address and posting only public information. +Archives are kept for all of the mailing lists and can be searched using the https://www.FreeBSD.org/search/[FreeBSD World Wide Web server]. +The keyword searchable archive offers an excellent way of finding answers to frequently asked questions and should be consulted before posting a question. +Note that this also means that messages sent to FreeBSD mailing lists are archived in perpetuity. +When protecting privacy is a concern, consider using a disposable secondary email address and posting only public information. [[eresources-summary]] === List Summary @@ -117,7 +129,8 @@ _General lists:_ The following are general lists which anyone is free (and encou |FreeBSD advocacy for women |=== -_Technical lists:_ The following lists are for technical discussion. Read the charter for each list carefully before joining or sending mail to one as there are firm guidelines for their use and content. +_Technical lists:_ The following lists are for technical discussion. +Read the charter for each list carefully before joining or sending mail to one as there are firm guidelines for their use and content. [.informaltable] [cols="20%,80%", frame="none", options="header"] @@ -390,7 +403,8 @@ _Technical lists:_ The following lists are for technical discussion. Read the ch |Zope for FreeBSD - porting and maintaining |=== -_Limited lists:_ The following lists are for more specialized (and demanding) audiences and are probably not of interest to the general public. It is also a good idea to establish a presence in the technical lists before joining one of these limited lists in order to understand the communications etiquette involved. +_Limited lists:_ The following lists are for more specialized (and demanding) audiences and are probably not of interest to the general public. +It is also a good idea to establish a presence in the technical lists before joining one of these limited lists in order to understand the communications etiquette involved. [.informaltable] [cols="20%,80%", frame="none", options="header"] @@ -411,7 +425,8 @@ _Limited lists:_ The following lists are for more specialized (and demanding) au |Discussions of 802.11 stack, tools, device driver development |=== -_Digest lists:_ All of the above lists are available in a digest format. Once subscribed to a list, the digest options can be changed in the account options section. +_Digest lists:_ All of the above lists are available in a digest format. +Once subscribed to a list, the digest options can be changed in the account options section. _Commit message lists:_ The following lists are for people interested in seeing the log messages for changes to various areas of the source tree. @@ -461,7 +476,8 @@ _SVN lists:_ The following lists are for people interested in seeing the SVN log [NOTE] ==== -Only SVN log messages are sent to SVN lists. After the SVN to Git Migration, the following lists no longer receives new commit messages. +Only SVN log messages are sent to SVN lists. +After the SVN to Git Migration, the following lists no longer receives new commit messages. ==== [.informaltable] @@ -571,18 +587,24 @@ Only SVN log messages are sent to SVN lists. After the SVN to Git Migration, the [[eresources-subscribe]] === How to Subscribe -To subscribe to a list, click the list name at {mailman-lists-url}. The page that is displayed should contain all of the necessary subscription instructions for that list. +To subscribe to a list, click the list name at {mailman-lists-url}. +The page that is displayed should contain all of the necessary subscription instructions for that list. -To actually post to a given list, send mail to mailto:listname@FreeBSD.org[listname@FreeBSD.org]. It will then be redistributed to mailing list members world-wide. +To actually post to a given list, send mail to mailto:listname@FreeBSD.org[listname@FreeBSD.org]. +It will then be redistributed to mailing list members world-wide. -To unsubscribe from a list, click on the URL found at the bottom of every email received from the list. It is also possible to send an email to mailto:listname-unsubscribe@FreeBSD.org[listname-unsubscribe@FreeBSD.org] to unsubscribe. +To unsubscribe from a list, click on the URL found at the bottom of every email received from the list. +It is also possible to send an email to mailto:listname-unsubscribe@FreeBSD.org[listname-unsubscribe@FreeBSD.org] to unsubscribe. -It is important to keep discussion in the technical mailing lists on a technical track. To only receive important announcements, instead join the {freebsd-announce}, which is intended for infrequent traffic. +It is important to keep discussion in the technical mailing lists on a technical track. +To only receive important announcements, instead join the {freebsd-announce}, which is intended for infrequent traffic. [[eresources-charters]] === List Charters -_All_ FreeBSD mailing lists have certain basic rules which must be adhered to by anyone using them. Failure to comply with these guidelines will result in two (2) written warnings from the FreeBSD Postmaster mailto:postmaster@FreeBSD.org[postmaster@FreeBSD.org], after which, on a third offense, the poster will removed from all FreeBSD mailing lists and filtered from further posting to them. We regret that such rules and measures are necessary at all, but today's Internet is a pretty harsh environment, it would seem, and many fail to appreciate just how fragile some of its mechanisms are. +_All_ FreeBSD mailing lists have certain basic rules which must be adhered to by anyone using them. +Failure to comply with these guidelines will result in two (2) written warnings from the FreeBSD Postmaster mailto:postmaster@FreeBSD.org[postmaster@FreeBSD.org], after which, on a third offense, the poster will removed from all FreeBSD mailing lists and filtered from further posting to them. +We regret that such rules and measures are necessary at all, but today's Internet is a pretty harsh environment, it would seem, and many fail to appreciate just how fragile some of its mechanisms are. Rules of the road: @@ -599,12 +621,18 @@ _ACPI and power management development_ link:{freebsd-announce-url}[freebsd-announce]:: _Important events / milestones_ + -This is the mailing list for people interested only in occasional announcements of significant FreeBSD events. This includes announcements about snapshots and other releases. It contains announcements of new FreeBSD capabilities. It may contain calls for volunteers etc. This is a low volume, strictly moderated mailing list. +This is the mailing list for people interested only in occasional announcements of significant FreeBSD events. +This includes announcements about snapshots and other releases. +It contains announcements of new FreeBSD capabilities. +It may contain calls for volunteers etc. +This is a low volume, strictly moderated mailing list. link:{freebsd-arch-url}[freebsd-arch]:: _Architecture and design discussions_ + -This list is for discussion of the FreeBSD architecture. Messages will mostly be kept strictly technical in nature. Examples of suitable topics are: +This list is for discussion of the FreeBSD architecture. +Messages will mostly be kept strictly technical in nature. +Examples of suitable topics are: ** How to re-vamp the build system to have several customized builds running at the same time. ** What needs to be fixed with VFS to make Heidemann layers work. @@ -614,22 +642,27 @@ This list is for discussion of the FreeBSD architecture. Messages will mostly be link:{freebsd-bluetooth-url}[freebsd-bluetooth]:: _Bluetooth(R) in FreeBSD_ + -This is the forum where FreeBSD's Bluetooth(R) users congregate. Design issues, implementation details, patches, bug reports, status reports, feature requests, and all matters related to Bluetooth(R) are fair game. +This is the forum where FreeBSD's Bluetooth(R) users congregate. +Design issues, implementation details, patches, bug reports, status reports, feature requests, and all matters related to Bluetooth(R) are fair game. link:{freebsd-bugbusters-url}[freebsd-bugbusters]:: _Coordination of the Problem Report handling effort_ + -The purpose of this list is to serve as a coordination and discussion forum for the Bugmeister, his Bugbusters, and any other parties who have a genuine interest in the PR database. This list is not for discussions about specific bugs, patches or PRs. +The purpose of this list is to serve as a coordination and discussion forum for the Bugmeister, his Bugbusters, and any other parties who have a genuine interest in the PR database. +This list is not for discussions about specific bugs, patches or PRs. link:{freebsd-bugs-url}[freebsd-bugs]:: _Bug reports_ + -This is the mailing list for reporting bugs in FreeBSD. Whenever possible, bugs should be submitted using the https://bugs.freebsd.org/bugzilla/enter_bug.cgi[web interface] to it. +This is the mailing list for reporting bugs in FreeBSD. +Whenever possible, bugs should be submitted using the https://bugs.freebsd.org/bugzilla/enter_bug.cgi[web interface] to it. link:{freebsd-chat-url}[freebsd-chat]:: _Non technical items related to the FreeBSD community_ + -This list contains the overflow from the other lists about non-technical, social information. It includes discussion about whether Jordan looks like a toon ferret or not, whether or not to type in capitals, who is drinking too much coffee, where the best beer is brewed, who is brewing beer in their basement, and so on. Occasional announcements of important events (such as upcoming parties, weddings, births, new jobs, etc) can be made to the technical lists, but the follow ups should be directed to this -chat list. +This list contains the overflow from the other lists about non-technical, social information. +It includes discussion about whether Jordan looks like a toon ferret or not, whether or not to type in capitals, who is drinking too much coffee, where the best beer is brewed, who is brewing beer in their basement, and so on. +Occasional announcements of important events (such as upcoming parties, weddings, births, new jobs, etc) can be made to the technical lists, but the follow ups should be directed to this -chat list. link:{freebsd-chromium-url}[freebsd-chromium]:: _FreeBSD-specific Chromium issues_ @@ -642,17 +675,22 @@ _Running FreeBSD on various cloud platforms_ This list discusses running FreeBSD on Amazon EC2, Google Compute Engine, Microsoft Azure, and other cloud computing platforms. _FreeBSD core team_:: -This is an internal mailing list for use by the core members. Messages can be sent to it when a serious FreeBSD-related matter requires arbitration or high-level scrutiny. +This is an internal mailing list for use by the core members. +Messages can be sent to it when a serious FreeBSD-related matter requires arbitration or high-level scrutiny. link:{freebsd-current-url}[freebsd-current]:: _Discussions about the use of FreeBSD-CURRENT_ + -This is the mailing list for users of FreeBSD-CURRENT. It includes warnings about new features coming out in -CURRENT that will affect the users, and instructions on steps that must be taken to remain -CURRENT. Anyone running "CURRENT" must subscribe to this list. This is a technical mailing list for which strictly technical content is expected. +This is the mailing list for users of FreeBSD-CURRENT. +It includes warnings about new features coming out in -CURRENT that will affect the users, and instructions on steps that must be taken to remain -CURRENT. +Anyone running "CURRENT" must subscribe to this list. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-desktop-url}[freebsd-desktop]:: _Using and improving FreeBSD on the desktop_ + -This is a forum for discussion of FreeBSD on the desktop. It is primarily a place for desktop porters and users to discuss issues and improve FreeBSD's desktop support. +This is a forum for discussion of FreeBSD on the desktop. +It is primarily a place for desktop porters and users to discuss issues and improve FreeBSD's desktop support. link:{dev-ci-url}[dev-ci]:: _Continuous Integration reports of build and test results_ @@ -667,17 +705,21 @@ Automated notifications of work in progress for review in FreeBSD's review tools link:{freebsd-doc-url}[freebsd-doc]:: _Documentation Project_ + -This mailing list is for the discussion of issues and projects related to the creation of documentation for FreeBSD. The members of this mailing list are collectively referred to as "The FreeBSD Documentation Project". It is an open list; feel free to join and contribute! +This mailing list is for the discussion of issues and projects related to the creation of documentation for FreeBSD. +The members of this mailing list are collectively referred to as "The FreeBSD Documentation Project". +It is an open list; feel free to join and contribute! link:{freebsd-drivers-url}[freebsd-drivers]:: _Writing device drivers for FreeBSD_ + -This is a forum for technical discussions related to device drivers on FreeBSD. It is primarily a place for device driver writers to ask questions about how to write device drivers using the APIs in the FreeBSD kernel. +This is a forum for technical discussions related to device drivers on FreeBSD. +It is primarily a place for device driver writers to ask questions about how to write device drivers using the APIs in the FreeBSD kernel. link:{freebsd-dtrace-url}[freebsd-dtrace]:: _Using and working on DTrace in FreeBSD_ + -DTrace is an integrated component of FreeBSD that provides a framework for understanding the kernel as well as user space programs at run time. The mailing list is an archived discussion for developers of the code as well as those using it. +DTrace is an integrated component of FreeBSD that provides a framework for understanding the kernel as well as user space programs at run time. +The mailing list is an archived discussion for developers of the code as well as those using it. link:{freebsd-eclipse-url}[freebsd-eclipse]:: _FreeBSD users of Eclipse IDE, tools, rich client applications and ports._ @@ -691,7 +733,10 @@ Although this list is focused primarily on the needs of Eclipse users it will al link:{freebsd-embedded-url}[freebsd-embedded]:: _Using FreeBSD in embedded applications_ + -This list discusses topics related to using FreeBSD in embedded systems. This is a technical mailing list for which strictly technical content is expected. For the purpose of this list, embedded systems are those computing devices which are not desktops and which usually serve a single purpose as opposed to being general computing environments. Examples include, but are not limited to, all kinds of phone handsets, network equipment such as routers, switches and PBXs, remote measuring equipment, PDAs, Point Of Sale systems, and so on. +This list discusses topics related to using FreeBSD in embedded systems. +This is a technical mailing list for which strictly technical content is expected. +For the purpose of this list, embedded systems are those computing devices which are not desktops and which usually serve a single purpose as opposed to being general computing environments. +Examples include, but are not limited to, all kinds of phone handsets, network equipment such as routers, switches and PBXs, remote measuring equipment, PDAs, Point Of Sale systems, and so on. link:{freebsd-emulation-url}[freebsd-emulation]:: _Emulation of other systems such as Linux/MS-DOS(R)/Windows(R)_ @@ -701,7 +746,8 @@ This is a forum for technical discussions related to running programs written fo link:{freebsd-enlightenment-url}[freebsd-enlightenment]:: _Enlightenment_ + -Discussions concerning the Enlightenment Desktop Environment for FreeBSD systems. This is a technical mailing list for which strictly technical content is expected. +Discussions concerning the Enlightenment Desktop Environment for FreeBSD systems. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-eol-url}[freebsd-eol]:: _Peer support of FreeBSD-related software that is no longer supported by the FreeBSD Project._ @@ -711,7 +757,8 @@ This list is for those interested in providing or making use of peer support of link:{freebsd-firewire-url}[freebsd-firewire]:: _FireWire(R) (iLink, IEEE 1394)_ + -This is a mailing list for discussion of the design and implementation of a FireWire(R) (aka IEEE 1394 aka iLink) subsystem for FreeBSD. Relevant topics specifically include the standards, bus devices and their protocols, adapter boards/cards/chips sets, and the architecture and implementation of code for their proper support. +This is a mailing list for discussion of the design and implementation of a FireWire(R) (aka IEEE 1394 aka iLink) subsystem for FreeBSD. +Relevant topics specifically include the standards, bus devices and their protocols, adapter boards/cards/chips sets, and the architecture and implementation of code for their proper support. link:{freebsd-fortran-url}[freebsd-fortran]:: _Fortran on FreeBSD_ @@ -721,12 +768,15 @@ This is the mailing list for discussion of Fortran related ports on FreeBSD: com link:{freebsd-fs-url}[freebsd-fs]:: _File systems_ + -Discussions concerning FreeBSD filesystems. This is a technical mailing list for which strictly technical content is expected. +Discussions concerning FreeBSD filesystems. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-games-url}[freebsd-games]:: _Games on FreeBSD_ + -This is a technical list for discussions related to bringing games to FreeBSD. It is for individuals actively working on porting games to FreeBSD, to bring up problems or discuss alternative solutions. Individuals interested in following the technical discussion are also welcome. +This is a technical list for discussions related to bringing games to FreeBSD. +It is for individuals actively working on porting games to FreeBSD, to bring up problems or discuss alternative solutions. +Individuals interested in following the technical discussion are also welcome. link:{freebsd-gecko-url}[freebsd-gecko]:: _Gecko Rendering Engine_ @@ -738,17 +788,21 @@ Discussion centers around Gecko Ports applications, their installation, their de link:{freebsd-geom-url}[freebsd-geom]:: _GEOM_ + -Discussions specific to GEOM and related implementations. This is a technical mailing list for which strictly technical content is expected. +Discussions specific to GEOM and related implementations. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-git-url}[freebsd-git]:: _Use of git in the FreeBSD project_ + -Discussions of how to use git in FreeBSD infrastructure including the github mirror and other uses of git for project collaboration. Discussion area for people using git against the FreeBSD github mirror. People wanting to get started with the mirror or git in general on FreeBSD can ask here. +Discussions of how to use git in FreeBSD infrastructure including the github mirror and other uses of git for project collaboration. +Discussion area for people using git against the FreeBSD github mirror. +People wanting to get started with the mirror or git in general on FreeBSD can ask here. link:{freebsd-gnome-url}[freebsd-gnome]:: _GNOME_ + -Discussions concerning The GNOME Desktop Environment for FreeBSD systems. This is a technical mailing list for which strictly technical content is expected. +Discussions concerning The GNOME Desktop Environment for FreeBSD systems. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-infiniband-url}[freebsd-infiniband]:: _Infiniband on FreeBSD_ @@ -758,7 +812,8 @@ Technical mailing list discussing Infiniband, OFED, and OpenSM on FreeBSD. link:{freebsd-ipfw-url}[freebsd-ipfw]:: _IP Firewall_ + -This is the forum for technical discussions concerning the redesign of the IP firewall code in FreeBSD. This is a technical mailing list for which strictly technical content is expected. +This is the forum for technical discussions concerning the redesign of the IP firewall code in FreeBSD. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-isdn-url}[freebsd-isdn]:: _ISDN Communications_ @@ -774,21 +829,29 @@ This is the mailing list for people discussing the development of significant Ja link:{freebsd-jobs-url}[freebsd-jobs]:: _Jobs offered and sought_ + -This is a forum for posting employment notices specifically related to FreeBSD and resumes from those seeking FreeBSD-related employment. This is _not_ a mailing list for general employment issues since adequate forums for that already exist elsewhere. +This is a forum for posting employment notices specifically related to FreeBSD and resumes from those seeking FreeBSD-related employment. +This is _not_ a mailing list for general employment issues since adequate forums for that already exist elsewhere. + -Note that this list, like other `FreeBSD.org` mailing lists, is distributed worldwide. Be clear about the geographic location and the extent to which telecommuting or assistance with relocation is available. +Note that this list, like other `FreeBSD.org` mailing lists, is distributed worldwide. +Be clear about the geographic location and the extent to which telecommuting or assistance with relocation is available. + -Email should use open formats only - preferably plain text, but basic Portable Document Format (PDF), HTML, and a few others are acceptable to many readers. Closed formats such as Microsoft(R) Word ([.filename]#.doc#) will be rejected by the mailing list server. +Email should use open formats only - preferably plain text, but basic Portable Document Format (PDF), HTML, and a few others are acceptable to many readers. +Closed formats such as Microsoft(R) Word ([.filename]#.doc#) will be rejected by the mailing list server. link:{freebsd-kde-url}[freebsd-kde]:: _KDE_ + -Discussions concerning KDE on FreeBSD systems. This is a technical mailing list for which strictly technical content is expected. +Discussions concerning KDE on FreeBSD systems. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-hackers-url}[freebsd-hackers]:: _Technical discussions_ + -This is a forum for technical discussions related to FreeBSD. This is the primary technical mailing list. It is for individuals actively working on FreeBSD, to bring up problems or discuss alternative solutions. Individuals interested in following the technical discussion are also welcome. This is a technical mailing list for which strictly technical content is expected. +This is a forum for technical discussions related to FreeBSD. +This is the primary technical mailing list. +It is for individuals actively working on FreeBSD, to bring up problems or discuss alternative solutions. +Individuals interested in following the technical discussion are also welcome. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-hardware-url}[freebsd-hardware]:: _General discussion of FreeBSD hardware_ @@ -803,7 +866,8 @@ Announcements and discussion for people who run FreeBSD mirror sites. link:{freebsd-isp-url}[freebsd-isp]:: _Issues for Internet Service Providers_ + -This mailing list is for discussing topics relevant to Internet Service Providers (ISPs) using FreeBSD. This is a technical mailing list for which strictly technical content is expected. +This mailing list is for discussing topics relevant to Internet Service Providers (ISPs) using FreeBSD. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-mono-url}[freebsd-mono]:: _Mono and C# applications on FreeBSD_ @@ -813,7 +877,10 @@ This is a list for discussions related to the Mono development framework on Free link:{freebsd-ocaml-url}[freebsd-ocaml]:: _FreeBSD-specific OCaml discussions_ + -This is a list for discussions related to the OCaml support on FreeBSD. This is a technical mailing list. It is for individuals working on OCaml ports, 3rd party libraries and frameworks. Individuals interested in the technical discussion are also welcome. +This is a list for discussions related to the OCaml support on FreeBSD. +This is a technical mailing list. +It is for individuals working on OCaml ports, 3rd party libraries and frameworks. +Individuals interested in the technical discussion are also welcome. link:{freebsd-office-url}[freebsd-office]:: _Office applications on FreeBSD_ @@ -830,12 +897,18 @@ This moderated list is strictly for announcements: no replies, requests, discuss link:{freebsd-performance-url}[freebsd-performance]:: _Discussions about tuning or speeding up FreeBSD_ + -This mailing list exists to provide a place for hackers, administrators, and/or concerned parties to discuss performance related topics pertaining to FreeBSD. Acceptable topics includes talking about FreeBSD installations that are either under high load, are experiencing performance problems, or are pushing the limits of FreeBSD. Concerned parties that are willing to work toward improving the performance of FreeBSD are highly encouraged to subscribe to this list. This is a highly technical list ideally suited for experienced FreeBSD users, hackers, or administrators interested in keeping FreeBSD fast, robust, and scalable. This list is not a question-and-answer list that replaces reading through documentation, but it is a place to make contributions or inquire about unanswered performance related topics. +This mailing list exists to provide a place for hackers, administrators, and/or concerned parties to discuss performance related topics pertaining to FreeBSD. +Acceptable topics includes talking about FreeBSD installations that are either under high load, are experiencing performance problems, or are pushing the limits of FreeBSD. +Concerned parties that are willing to work toward improving the performance of FreeBSD are highly encouraged to subscribe to this list. +This is a highly technical list ideally suited for experienced FreeBSD users, hackers, or administrators interested in keeping FreeBSD fast, robust, and scalable. +This list is not a question-and-answer list that replaces reading through documentation, but it is a place to make contributions or inquire about unanswered performance related topics. link:{freebsd-pf-url}[freebsd-pf]:: _Discussion and questions about the packet filter firewall system_ + -Discussion concerning the packet filter (pf) firewall system in terms of FreeBSD. Technical discussion and user questions are both welcome. This list is also a place to discuss the ALTQ QoS framework. +Discussion concerning the packet filter (pf) firewall system in terms of FreeBSD. +Technical discussion and user questions are both welcome. +This list is also a place to discuss the ALTQ QoS framework. link:{freebsd-pkg-url}[freebsd-pkg]:: _Binary package management and package tools discussion_ @@ -857,59 +930,75 @@ Discussions surrounding implementation and issues regarding packaging the FreeBS link:{freebsd-platforms-url}[freebsd-platforms]:: _Porting to Non Intel(R) platforms_ + -Cross-platform FreeBSD issues, general discussion and proposals for non Intel(R) FreeBSD ports. This is a technical mailing list for which strictly technical content is expected. +Cross-platform FreeBSD issues, general discussion and proposals for non Intel(R) FreeBSD ports. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-ports-url}[freebsd-ports]:: _Discussion of "ports"_ + -Discussions concerning FreeBSD's "ports collection" ([.filename]#/usr/ports#), ports infrastructure, and general ports coordination efforts. This is a technical mailing list for which strictly technical content is expected. +Discussions concerning FreeBSD's "ports collection" ([.filename]#/usr/ports#), ports infrastructure, and general ports coordination efforts. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-ports-announce-url}[freebsd-ports-announce]:: _Important news and instructions about the FreeBSD "Ports Collection"_ + -Important news for developers, porters, and users of the "Ports Collection" ([.filename]#/usr/ports#), including architecture/infrastructure changes, new capabilities, critical upgrade instructions, and release engineering information. This is a low-volume mailing list, intended for announcements. +Important news for developers, porters, and users of the "Ports Collection" ([.filename]#/usr/ports#), including architecture/infrastructure changes, new capabilities, critical upgrade instructions, and release engineering information. +This is a low-volume mailing list, intended for announcements. link:{freebsd-ports-bugs-url}[freebsd-ports-bugs]:: _Discussion of "ports" bugs_ + -Discussions concerning problem reports for FreeBSD's "ports collection" ([.filename]#/usr/ports#), proposed ports, or modifications to ports. This is a technical mailing list for which strictly technical content is expected. +Discussions concerning problem reports for FreeBSD's "ports collection" ([.filename]#/usr/ports#), proposed ports, or modifications to ports. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-proliant-url}[freebsd-proliant]:: _Technical discussion of FreeBSD on HP ProLiant server platforms_ + -This mailing list is to be used for the technical discussion of the usage of FreeBSD on HP ProLiant servers, including the discussion of ProLiant-specific drivers, management software, configuration tools, and BIOS updates. As such, this is the primary place to discuss the hpasmd, hpasmcli, and hpacucli modules. +This mailing list is to be used for the technical discussion of the usage of FreeBSD on HP ProLiant servers, including the discussion of ProLiant-specific drivers, management software, configuration tools, and BIOS updates. +As such, this is the primary place to discuss the hpasmd, hpasmcli, and hpacucli modules. link:{freebsd-python-url}[freebsd-python]:: _Python on FreeBSD_ + -This is a list for discussions related to improving Python-support on FreeBSD. This is a technical mailing list. It is for individuals working on porting Python, its third party modules and Zope stuff to FreeBSD. Individuals interested in following the technical discussion are also welcome. +This is a list for discussions related to improving Python-support on FreeBSD. +This is a technical mailing list. +It is for individuals working on porting Python, its third party modules and Zope stuff to FreeBSD. +Individuals interested in following the technical discussion are also welcome. link:{freebsd-questions-url}[freebsd-questions]:: _User questions_ + -This is the mailing list for questions about FreeBSD. Do not send "how to" questions to the technical lists unless the question is quite technical. +This is the mailing list for questions about FreeBSD. +Do not send "how to" questions to the technical lists unless the question is quite technical. link:{freebsd-ruby-url}[freebsd-ruby]:: _FreeBSD-specific Ruby discussions_ + -This is a list for discussions related to the Ruby support on FreeBSD. This is a technical mailing list. It is for individuals working on Ruby ports, third party libraries and frameworks. +This is a list for discussions related to the Ruby support on FreeBSD. +This is a technical mailing list. +It is for individuals working on Ruby ports, third party libraries and frameworks. + Individuals interested in the technical discussion are also welcome. link:{freebsd-scsi-url}[freebsd-scsi]:: _SCSI subsystem_ + -This is the mailing list for people working on the SCSI subsystem for FreeBSD. This is a technical mailing list for which strictly technical content is expected. +This is the mailing list for people working on the SCSI subsystem for FreeBSD. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-security-url}[freebsd-security]:: _Security issues_ + -FreeBSD computer security issues (DES, Kerberos, known security holes and fixes, etc). This is a technical mailing list for which strictly technical discussion is expected. Note that this is not a question-and-answer list, but that contributions (BOTH question AND answer) to the FAQ are welcome. +FreeBSD computer security issues (DES, Kerberos, known security holes and fixes, etc). +This is a technical mailing list for which strictly technical discussion is expected. +Note that this is not a question-and-answer list, but that contributions (BOTH question AND answer) to the FAQ are welcome. link:{freebsd-security-notifications-url}[freebsd-security-notifications]:: _Security Notifications_ + -Notifications of FreeBSD security problems and fixes. This is not a discussion list. The discussion list is FreeBSD-security. +Notifications of FreeBSD security problems and fixes. +This is not a discussion list. +The discussion list is FreeBSD-security. link:{freebsd-snapshots-url}[freebsd-snapshots]:: _FreeBSD Development Snapshot Announcements_ @@ -919,7 +1008,12 @@ This list provides notifications about the availability of new FreeBSD developme link:{freebsd-stable-url}[freebsd-stable]:: _Discussions about the use of FreeBSD-STABLE_ + -This is the mailing list for users of FreeBSD-STABLE. "STABLE" is the branch where development continues after a RELEASE, including bug fixes and new features. The ABI is kept stable for binary compatibility. It includes warnings about new features coming out in -STABLE that will affect the users, and instructions on steps that must be taken to remain -STABLE. Anyone running "STABLE" should subscribe to this list. This is a technical mailing list for which strictly technical content is expected. +This is the mailing list for users of FreeBSD-STABLE. +"STABLE" is the branch where development continues after a RELEASE, including bug fixes and new features. +The ABI is kept stable for binary compatibility. +It includes warnings about new features coming out in -STABLE that will affect the users, and instructions on steps that must be taken to remain -STABLE. +Anyone running "STABLE" should subscribe to this list. +This is a technical mailing list for which strictly technical content is expected. link:{freebsd-standards-url}[freebsd-standards]:: _C99 POSIX Conformance_ @@ -939,22 +1033,27 @@ Technical mailing list discussing testing on FreeBSD, including ATF/Kyua, test b link:{freebsd-tex-url}[freebsd-tex]:: _Porting TeX and its applications to FreeBSD_ + -This is a technical mailing list for discussions related to TeX and its applications on FreeBSD. It is for individuals actively working on porting TeX to FreeBSD, to bring up problems or discuss alternative solutions. Individuals interested in following the technical discussion are also welcome. +This is a technical mailing list for discussions related to TeX and its applications on FreeBSD. +It is for individuals actively working on porting TeX to FreeBSD, to bring up problems or discuss alternative solutions. +Individuals interested in following the technical discussion are also welcome. link:{freebsd-toolchain-url}[freebsd-toolchain]:: _Maintenance of FreeBSD's integrated toolchain_ + -This is the mailing list for discussions related to the maintenance of the toolchain shipped with FreeBSD. This could include the state of Clang and GCC, but also pieces of software such as assemblers, linkers and debuggers. +This is the mailing list for discussions related to the maintenance of the toolchain shipped with FreeBSD. +This could include the state of Clang and GCC, but also pieces of software such as assemblers, linkers and debuggers. link:{freebsd-transport-url}[freebsd-transport]:: _Discussions of transport level network protocols in FreeBSD_ + -The transport mailing list exists for the discussion of issues and designs around the transport level protocols in the FreeBSD network stack, including TCP, SCTP and UDP. Other networking topics, including driver specific and network protocol issues should be discussed on the {freebsd-net}. +The transport mailing list exists for the discussion of issues and designs around the transport level protocols in the FreeBSD network stack, including TCP, SCTP and UDP. +Other networking topics, including driver specific and network protocol issues should be discussed on the {freebsd-net}. link:{freebsd-translators-url}[freebsd-translators]:: _Translating FreeBSD documents and programs_ + -A discussion list where translators of FreeBSD documents from English into other languages can talk about translation methods and tools. New members are asked to introduce themselves and mention the languages they are interested in translating. +A discussion list where translators of FreeBSD documents from English into other languages can talk about translation methods and tools. +New members are asked to introduce themselves and mention the languages they are interested in translating. link:{freebsd-usb-url}[freebsd-usb]:: _Discussing FreeBSD support for USB_ @@ -964,48 +1063,64 @@ This is a mailing list for technical discussions related to FreeBSD support for link:{freebsd-user-groups-url}[freebsd-user-groups]:: _User Group Coordination List_ + -This is the mailing list for the coordinators from each of the local area Users Groups to discuss matters with each other and a designated individual from the Core Team. This mail list should be limited to meeting synopsis and coordination of projects that span User Groups. +This is the mailing list for the coordinators from each of the local area Users Groups to discuss matters with each other and a designated individual from the Core Team. +This mail list should be limited to meeting synopsis and coordination of projects that span User Groups. link:{freebsd-virtualization-url}[freebsd-virtualization]:: _Discussion of various virtualization techniques supported by FreeBSD_ + -A list to discuss the various virtualization techniques supported by FreeBSD. On one hand the focus will be on the implementation of the basic functionality as well as adding new features. On the other hand users will have a forum to ask for help in case of problems or to discuss their use cases. +A list to discuss the various virtualization techniques supported by FreeBSD. +On one hand the focus will be on the implementation of the basic functionality as well as adding new features. +On the other hand users will have a forum to ask for help in case of problems or to discuss their use cases. link:{freebsd-wip-status-url}[freebsd-wip-status]:: _FreeBSD Work-In-Progress Status_ + -This mailing list can be used by developers to announce the creation and progress of FreeBSD related work. Messages will be moderated. It is suggested to send the message "To:" a more topical FreeBSD list and only "BCC:" this list. This way the WIP can also be discussed on the topical list, as no discussion is allowed on this list. +This mailing list can be used by developers to announce the creation and progress of FreeBSD related work. +Messages will be moderated. It is suggested to send the message "To:" a more topical FreeBSD list and only "BCC:" this list. +This way the WIP can also be discussed on the topical list, as no discussion is allowed on this list. + Look inside the archives for examples of suitable messages. + -An editorial digest of the messages to this list might be posted to the FreeBSD website every few months as part of the Status Reports footnote:[https://www.freebsd.org/news/status/]. Past reports are archived. +An editorial digest of the messages to this list might be posted to the FreeBSD website every few months as part of the Status Reports footnote:[https://www.freebsd.org/news/status/]. +Past reports are archived. link:{freebsd-wireless-url}[freebsd-wireless]:: _Discussions of 802.11 stack, tools device driver development_ + -The FreeBSD-wireless list focuses on 802.11 stack (sys/net80211), device driver and tools development. This includes bugs, new features and maintenance. +The FreeBSD-wireless list focuses on 802.11 stack (sys/net80211), device driver and tools development. +This includes bugs, new features and maintenance. link:{freebsd-xen-url}[freebsd-xen]:: _Discussion of the FreeBSD port to Xen(TM) - implementation and usage_ + -A list that focuses on the FreeBSD Xen(TM) port. The anticipated traffic level is small enough that it is intended as a forum for both technical discussions of the implementation and design details as well as administrative deployment issues. +A list that focuses on the FreeBSD Xen(TM) port. +The anticipated traffic level is small enough that it is intended as a forum for both technical discussions of the implementation and design details as well as administrative deployment issues. link:{freebsd-xfce-url}[freebsd-xfce]:: _XFCE_ + -This is a forum for discussions related to bring the XFCE environment to FreeBSD. This is a technical mailing list. It is for individuals actively working on porting XFCE to FreeBSD, to bring up problems or discuss alternative solutions. Individuals interested in following the technical discussion are also welcome. +This is a forum for discussions related to bring the XFCE environment to FreeBSD. +This is a technical mailing list. +It is for individuals actively working on porting XFCE to FreeBSD, to bring up problems or discuss alternative solutions. +Individuals interested in following the technical discussion are also welcome. link:{freebsd-zope-url}[freebsd-zope]:: _Zope_ + -This is a forum for discussions related to bring the Zope environment to FreeBSD. This is a technical mailing list. It is for individuals actively working on porting Zope to FreeBSD, to bring up problems or discuss alternative solutions. Individuals interested in following the technical discussion are also welcome. +This is a forum for discussions related to bring the Zope environment to FreeBSD. +This is a technical mailing list. +It is for individuals actively working on porting Zope to FreeBSD, to bring up problems or discuss alternative solutions. +Individuals interested in following the technical discussion are also welcome. [[eresources-mailfiltering]] === Filtering on the Mailing Lists -The FreeBSD mailing lists are filtered in multiple ways to avoid the distribution of spam, viruses, and other unwanted emails. The filtering actions described in this section do not include all those used to protect the mailing lists. +The FreeBSD mailing lists are filtered in multiple ways to avoid the distribution of spam, viruses, and other unwanted emails. +The filtering actions described in this section do not include all those used to protect the mailing lists. -Only certain types of attachments are allowed on the mailing lists. All attachments with a MIME content type not found in the list below will be stripped before an email is distributed on the mailing lists. +Only certain types of attachments are allowed on the mailing lists. +All attachments with a MIME content type not found in the list below will be stripped before an email is distributed on the mailing lists. * application/octet-stream * application/pdf @@ -1025,7 +1140,8 @@ Only certain types of attachments are allowed on the mailing lists. All attachme Some of the mailing lists might allow attachments of other MIME content types, but the above list should be applicable for most of the mailing lists. ==== -If an email contains both an HTML and a plain text version, the HTML version will be removed. If an email contains only an HTML version, it will be converted to plain text. +If an email contains both an HTML and a plain text version, the HTML version will be removed. +If an email contains only an HTML version, it will be converted to plain text. [[eresources-news]] == Usenet Newsgroups diff --git a/documentation/content/en/books/handbook/filesystems/_index.adoc b/documentation/content/en/books/handbook/filesystems/_index.adoc index cc08decec3..56dfec03d0 100644 --- a/documentation/content/en/books/handbook/filesystems/_index.adoc +++ b/documentation/content/en/books/handbook/filesystems/_index.adoc @@ -46,11 +46,19 @@ toc::[] [[filesystems-synopsis]] == Synopsis -File systems are an integral part of any operating system. They allow users to upload and store files, provide access to data, and make hard drives useful. Different operating systems differ in their native file system. Traditionally, the native FreeBSD file system has been the Unix File System UFS which has been modernized as UFS2. Since FreeBSD 7.0, the Z File System (ZFS) is also available as a native file system. See crossref:zfs[zfs,The Z File System (ZFS)] for more information. +File systems are an integral part of any operating system. +They allow users to upload and store files, provide access to data, and make hard drives useful. +Different operating systems differ in their native file system. +Traditionally, the native FreeBSD file system has been the Unix File System UFS which has been modernized as UFS2. +Since FreeBSD 7.0, the Z File System (ZFS) is also available as a native file system. +See crossref:zfs[zfs,The Z File System (ZFS)] for more information. -In addition to its native file systems, FreeBSD supports a multitude of other file systems so that data from other operating systems can be accessed locally, such as data stored on locally attached USB storage devices, flash drives, and hard disks. This includes support for the Linux(R) Extended File System (EXT). +In addition to its native file systems, FreeBSD supports a multitude of other file systems so that data from other operating systems can be accessed locally, such as data stored on locally attached USB storage devices, flash drives, and hard disks. +This includes support for the Linux(R) Extended File System (EXT). -There are different levels of FreeBSD support for the various file systems. Some require a kernel module to be loaded and others may require a toolset to be installed. Some non-native file system support is full read-write while others are read-only. +There are different levels of FreeBSD support for the various file systems. +Some require a kernel module to be loaded and others may require a toolset to be installed. +Some non-native file system support is full read-write while others are read-only. After reading this chapter, you will know: @@ -68,17 +76,24 @@ Before reading this chapter, you should: [[filesystems-linux]] == Linux(R) File Systems -FreeBSD provides built-in support for several Linux(R) file systems. This section demonstrates how to load support for and how to mount the supported Linux(R) file systems. +FreeBSD provides built-in support for several Linux(R) file systems. +This section demonstrates how to load support for and how to mount the supported Linux(R) file systems. === ext2 -Kernel support for ext2 file systems has been available since FreeBSD 2.2. In FreeBSD 8.x and earlier, the code is licensed under the GPL. Since FreeBSD 9.0, the code has been rewritten and is now BSD licensed. +Kernel support for ext2 file systems has been available since FreeBSD 2.2. +In FreeBSD 8.x and earlier, the code is licensed under the GPL. +Since FreeBSD 9.0, the code has been rewritten and is now BSD licensed. The man:ext2fs[5] driver allows the FreeBSD kernel to both read and write to ext2 file systems. [NOTE] ==== -This driver can also be used to access ext3 and ext4 file systems. The man:ext2fs[5] filesystem has full read and write support for ext4 as of FreeBSD 12.0-RELEASE. Additionally, extended attributes and ACLs are also supported, while journalling and encryption are not. Starting with FreeBSD 12.1-RELEASE, a DTrace provider will be available as well. Prior versions of FreeBSD can access ext4 in read and write mode using package:sysutils/fusefs-ext2[]. +This driver can also be used to access ext3 and ext4 file systems. +The man:ext2fs[5] filesystem has full read and write support for ext4 as of FreeBSD 12.0-RELEASE. +Additionally, extended attributes and ACLs are also supported, while journalling and encryption are not. +Starting with FreeBSD 12.1-RELEASE, a DTrace provider will be available as well. +Prior versions of FreeBSD can access ext4 in read and write mode using package:sysutils/fusefs-ext2[]. ==== To access an ext file system, first load the kernel loadable module: @@ -88,7 +103,8 @@ To access an ext file system, first load the kernel loadable module: # kldload ext2fs .... -Then, mount the ext volume by specifying its FreeBSD partition name and an existing mount point. This example mounts [.filename]#/dev/ad1s1# on [.filename]#/mnt#: +Then, mount the ext volume by specifying its FreeBSD partition name and an existing mount point. +This example mounts [.filename]#/dev/ad1s1# on [.filename]#/mnt#: [source,shell] .... diff --git a/documentation/content/en/books/handbook/firewalls/_index.adoc b/documentation/content/en/books/handbook/firewalls/_index.adoc index 40a740f25a..0859280681 100644 --- a/documentation/content/en/books/handbook/firewalls/_index.adoc +++ b/documentation/content/en/books/handbook/firewalls/_index.adoc @@ -46,17 +46,24 @@ toc::[] [[firewalls-intro]] == Synopsis -Firewalls make it possible to filter the incoming and outgoing traffic that flows through a system. A firewall can use one or more sets of "rules" to inspect network packets as they come in or go out of network connections and either allows the traffic through or blocks it. The rules of a firewall can inspect one or more characteristics of the packets such as the protocol type, source or destination host address, and source or destination port. +Firewalls make it possible to filter the incoming and outgoing traffic that flows through a system. +A firewall can use one or more sets of "rules" to inspect network packets as they come in or go out of network connections and either allows the traffic through or blocks it. +The rules of a firewall can inspect one or more characteristics of the packets such as the protocol type, source or destination host address, and source or destination port. -Firewalls can enhance the security of a host or a network. They can be used to do one or more of the following: +Firewalls can enhance the security of a host or a network. +They can be used to do one or more of the following: * Protect and insulate the applications, services, and machines of an internal network from unwanted traffic from the public Internet. * Limit or disable access from hosts of the internal network to services of the public Internet. * Support network address translation (NAT), which allows an internal network to use private IP addresses and share a single connection to the public Internet using either a single IP address or a shared pool of automatically assigned public addresses. -FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF. FreeBSD also provides two traffic shapers for controlling bandwidth usage: man:altq[4] and man:dummynet[4]. ALTQ has traditionally been closely tied with PF and dummynet with IPFW. Each firewall uses rules to control the access of packets to and from a FreeBSD system, although they go about it in different ways and each has a different rule syntax. +FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF. +FreeBSD also provides two traffic shapers for controlling bandwidth usage: man:altq[4] and man:dummynet[4]. +ALTQ has traditionally been closely tied with PF and dummynet with IPFW. +Each firewall uses rules to control the access of packets to and from a FreeBSD system, although they go about it in different ways and each has a different rule syntax. -FreeBSD provides multiple firewalls in order to meet the different requirements and preferences for a wide variety of users. Each user should evaluate which firewall best meets their needs. +FreeBSD provides multiple firewalls in order to meet the different requirements and preferences for a wide variety of users. +Each user should evaluate which firewall best meets their needs. After reading this chapter, you will know: @@ -72,40 +79,65 @@ Before reading this chapter, you should: [NOTE] ==== -Since all firewalls are based on inspecting the values of selected packet control fields, the creator of the firewall ruleset must have an understanding of how TCP/IP works, what the different values in the packet control fields are, and how these values are used in a normal session conversation. For a good introduction, refer to http://www.ipprimer.com[Daryl's TCP/IP Primer]. +Since all firewalls are based on inspecting the values of selected packet control fields, the creator of the firewall ruleset must have an understanding of how TCP/IP works, what the different values in the packet control fields are, and how these values are used in a normal session conversation. +For a good introduction, refer to http://www.ipprimer.com[Daryl's TCP/IP Primer]. ==== [[firewalls-concepts]] == Firewall Concepts -A ruleset contains a group of rules which pass or block packets based on the values contained in the packet. The bi-directional exchange of packets between hosts comprises a session conversation. The firewall ruleset processes both the packets arriving from the public Internet, as well as the packets produced by the system as a response to them. Each TCP/IP service is predefined by its protocol and listening port. Packets destined for a specific service originate from the source address using an unprivileged port and target the specific service port on the destination address. All the above parameters can be used as selection criteria to create rules which will pass or block services. +A ruleset contains a group of rules which pass or block packets based on the values contained in the packet. +The bi-directional exchange of packets between hosts comprises a session conversation. +The firewall ruleset processes both the packets arriving from the public Internet, as well as the packets produced by the system as a response to them. +Each TCP/IP service is predefined by its protocol and listening port. +Packets destined for a specific service originate from the source address using an unprivileged port and target the specific service port on the destination address. +All the above parameters can be used as selection criteria to create rules which will pass or block services. -To lookup unknown port numbers, refer to [.filename]#/etc/services#. Alternatively, visit http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers[http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers] and do a port number lookup to find the purpose of a particular port number. +To lookup unknown port numbers, refer to [.filename]#/etc/services#. +Alternatively, visit http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers[http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers] and do a port number lookup to find the purpose of a particular port number. Check out this link for http://web.archive.org/web/20150803024617/http://www.sans.org/security-resources/idfaq/oddports.php[port numbers used by Trojans]. -FTP has two modes: active mode and passive mode. The difference is in how the data channel is acquired. Passive mode is more secure as the data channel is acquired by the ordinal ftp session requester. For a good explanation of FTP and the different modes, see http://www.slacksite.com/other/ftp.html[http://www.slacksite.com/other/ftp.html]. +FTP has two modes: active mode and passive mode. +The difference is in how the data channel is acquired. +Passive mode is more secure as the data channel is acquired by the ordinal ftp session requester. +For a good explanation of FTP and the different modes, see http://www.slacksite.com/other/ftp.html[http://www.slacksite.com/other/ftp.html]. -A firewall ruleset can be either "exclusive" or "inclusive". An exclusive firewall allows all traffic through except for the traffic matching the ruleset. An inclusive firewall does the reverse as it only allows traffic matching the rules through and blocks everything else. +A firewall ruleset can be either "exclusive" or "inclusive". +An exclusive firewall allows all traffic through except for the traffic matching the ruleset. +An inclusive firewall does the reverse as it only allows traffic matching the rules through and blocks everything else. -An inclusive firewall offers better control of the outgoing traffic, making it a better choice for systems that offer services to the public Internet. It also controls the type of traffic originating from the public Internet that can gain access to a private network. All traffic that does not match the rules is blocked and logged. Inclusive firewalls are generally safer than exclusive firewalls because they significantly reduce the risk of allowing unwanted traffic. +An inclusive firewall offers better control of the outgoing traffic, making it a better choice for systems that offer services to the public Internet. +It also controls the type of traffic originating from the public Internet that can gain access to a private network. +All traffic that does not match the rules is blocked and logged. +Inclusive firewalls are generally safer than exclusive firewalls because they significantly reduce the risk of allowing unwanted traffic. [NOTE] ==== Unless noted otherwise, all configuration and example rulesets in this chapter create inclusive firewall rulesets. ==== -Security can be tightened further using a "stateful firewall". This type of firewall keeps track of open connections and only allows traffic which either matches an existing connection or opens a new, allowed connection. +Security can be tightened further using a "stateful firewall". +This type of firewall keeps track of open connections and only allows traffic which either matches an existing connection or opens a new, allowed connection. -Stateful filtering treats traffic as a bi-directional exchange of packets comprising a session. When state is specified on a matching rule the firewall dynamically generates internal rules for each anticipated packet being exchanged during the session. It has sufficient matching capabilities to determine if a packet is valid for a session. Any packets that do not properly fit the session template are automatically rejected. +Stateful filtering treats traffic as a bi-directional exchange of packets comprising a session. +When state is specified on a matching rule the firewall dynamically generates internal rules for each anticipated packet being exchanged during the session. +It has sufficient matching capabilities to determine if a packet is valid for a session. +Any packets that do not properly fit the session template are automatically rejected. When the session completes, it is removed from the dynamic state table. -Stateful filtering allows one to focus on blocking/passing new sessions. If the new session is passed, all its subsequent packets are allowed automatically and any impostor packets are automatically rejected. If a new session is blocked, none of its subsequent packets are allowed. Stateful filtering provides advanced matching abilities capable of defending against the flood of different attack methods employed by attackers. +Stateful filtering allows one to focus on blocking/passing new sessions. +If the new session is passed, all its subsequent packets are allowed automatically and any impostor packets are automatically rejected. +If a new session is blocked, none of its subsequent packets are allowed. +Stateful filtering provides advanced matching abilities capable of defending against the flood of different attack methods employed by attackers. -NAT stands for _Network Address Translation_. NAT function enables the private LAN behind the firewall to share a single ISP-assigned IP address, even if that address is dynamically assigned. NAT allows each computer in the LAN to have Internet access, without having to pay the ISP for multiple Internet accounts or IP addresses. +NAT stands for _Network Address Translation_. +NAT function enables the private LAN behind the firewall to share a single ISP-assigned IP address, even if that address is dynamically assigned. +NAT allows each computer in the LAN to have Internet access, without having to pay the ISP for multiple Internet accounts or IP addresses. -NAT will automatically translate the private LAN IP address for each system on the LAN to the single public IP address as packets exit the firewall bound for the public Internet. It also performs the reverse translation for returning packets. +NAT will automatically translate the private LAN IP address for each system on the LAN to the single public IP address as packets exit the firewall bound for the public Internet. +It also performs the reverse translation for returning packets. According to RFC 1918, the following IP address ranges are reserved for private networks which will never be routed directly to the public Internet, and therefore are available for use with NAT: @@ -115,30 +147,37 @@ According to RFC 1918, the following IP address ranges are reserved for private [WARNING] ==== - -When working with the firewall rules, be _very careful_. Some configurations _can lock the administrator out_ of the server. To be on the safe side, consider performing the initial firewall configuration from the local console rather than doing it remotely over ssh. +When working with the firewall rules, be _very careful_. +Some configurations _can lock the administrator out_ of the server. +To be on the safe side, consider performing the initial firewall configuration from the local console rather than doing it remotely over ssh. ==== [[firewalls-pf]] == PF -Since FreeBSD 5.3, a ported version of OpenBSD's PF firewall has been included as an integrated part of the base system. PF is a complete, full-featured firewall that has optional support for ALTQ (Alternate Queuing), which provides Quality of Service (QoS). +Since FreeBSD 5.3, a ported version of OpenBSD's PF firewall has been included as an integrated part of the base system. +PF is a complete, full-featured firewall that has optional support for ALTQ (Alternate Queuing), which provides Quality of Service (QoS). -The OpenBSD Project maintains the definitive reference for PF in the http://www.openbsd.org/faq/pf/[PF FAQ]. Peter Hansteen maintains a thorough PF tutorial at http://home.nuug.no/\~peter/pf/[http://home.nuug.no/~peter/pf/]. +The OpenBSD Project maintains the definitive reference for PF in the http://www.openbsd.org/faq/pf/[PF FAQ]. +Peter Hansteen maintains a thorough PF tutorial at http://home.nuug.no/\~peter/pf/[http://home.nuug.no/~peter/pf/]. [WARNING] ==== - -When reading the http://www.openbsd.org/faq/pf/[PF FAQ], keep in mind that FreeBSD's version of PF has diverged substantially from the upstream OpenBSD version over the years. Not all features work the same way on FreeBSD as they do in OpenBSD and vice versa. +When reading the http://www.openbsd.org/faq/pf/[PF FAQ], keep in mind that FreeBSD's version of PF has diverged substantially from the upstream OpenBSD version over the years. +Not all features work the same way on FreeBSD as they do in OpenBSD and vice versa. ==== -The {freebsd-pf} is a good place to ask questions about configuring and running the PF firewall. Check the mailing list archives before asking a question as it may have already been answered. +The {freebsd-pf} is a good place to ask questions about configuring and running the PF firewall. +Check the mailing list archives before asking a question as it may have already been answered. -This section of the Handbook focuses on PF as it pertains to FreeBSD. It demonstrates how to enable PF and ALTQ. It also provides several examples for creating rulesets on a FreeBSD system. +This section of the Handbook focuses on PF as it pertains to FreeBSD. +It demonstrates how to enable PF and ALTQ. +It also provides several examples for creating rulesets on a FreeBSD system. === Enabling PF -To use PF, its kernel module must be first loaded. This section describes the entries that can be added to [.filename]#/etc/rc.conf# to enable PF. +To use PF, its kernel module must be first loaded. +This section describes the entries that can be added to [.filename]#/etc/rc.conf# to enable PF. Start by adding `pf_enable=yes` to [.filename]#/etc/rc.conf#: @@ -147,21 +186,26 @@ Start by adding `pf_enable=yes` to [.filename]#/etc/rc.conf#: # sysrc pf_enable=yes .... -Additional options, described in man:pfctl[8], can be passed to PF when it is started. Add or change this entry in [.filename]#/etc/rc.conf# and specify any required flags between the two quotes (`""`): +Additional options, described in man:pfctl[8], can be passed to PF when it is started. +Add or change this entry in [.filename]#/etc/rc.conf# and specify any required flags between the two quotes (`""`): [.programlisting] .... pf_flags="" # additional flags for pfctl startup .... -PF will not start if it cannot find its ruleset configuration file. By default, FreeBSD does not ship with a ruleset and there is no [.filename]#/etc/pf.conf#. Example rulesets can be found in [.filename]#/usr/share/examples/pf/#. If a custom ruleset has been saved somewhere else, add a line to [.filename]#/etc/rc.conf# which specifies the full path to the file: +PF will not start if it cannot find its ruleset configuration file. +By default, FreeBSD does not ship with a ruleset and there is no [.filename]#/etc/pf.conf#. +Example rulesets can be found in [.filename]#/usr/share/examples/pf/#. +If a custom ruleset has been saved somewhere else, add a line to [.filename]#/etc/rc.conf# which specifies the full path to the file: [.programlisting] .... pf_rules="/path/to/pf.conf" .... -Logging support for PF is provided by man:pflog[4]. To enable logging support, add `pflog_enable=yes` to [.filename]#/etc/rc.conf#: +Logging support for PF is provided by man:pflog[4]. +To enable logging support, add `pflog_enable=yes` to [.filename]#/etc/rc.conf#: [source,shell] .... @@ -191,9 +235,13 @@ After saving the needed edits, PF can be started with logging support by typing: # service pflog start .... -By default, PF reads its configuration rules from [.filename]#/etc/pf.conf# and modifies, drops, or passes packets according to the rules or definitions specified in this file. The FreeBSD installation includes several sample files located in [.filename]#/usr/share/examples/pf/#. Refer to the http://www.openbsd.org/faq/pf/[PF FAQ] for complete coverage of PF rulesets. +By default, PF reads its configuration rules from [.filename]#/etc/pf.conf# and modifies, drops, or passes packets according to the rules or definitions specified in this file. +The FreeBSD installation includes several sample files located in [.filename]#/usr/share/examples/pf/#. +Refer to the http://www.openbsd.org/faq/pf/[PF FAQ] for complete coverage of PF rulesets. -To control PF, use `pfctl`. <<pfctl>> summarizes some useful options to this command. Refer to man:pfctl[8] for a description of all available options: +To control PF, use `pfctl`. +<<pfctl>> summarizes some useful options to this command. +Refer to man:pfctl[8] for a description of all available options: [[pfctl]] .Useful `pfctl` Options [cols="1,1", frame="none", options="header"] @@ -219,18 +267,21 @@ To control PF, use `pfctl`. <<pfctl>> summarizes some useful options to this com [TIP] ==== - -package:security/sudo[] is useful for running commands like `pfctl` that require elevated privileges. It can be installed from the Ports Collection. +package:security/sudo[] is useful for running commands like `pfctl` that require elevated privileges. +It can be installed from the Ports Collection. ==== -To keep an eye on the traffic that passes through the PF firewall, consider installing the package:sysutils/pftop[] package or port. Once installed, pftop can be run to view a running snapshot of traffic in a format which is similar to man:top[1]. +To keep an eye on the traffic that passes through the PF firewall, consider installing the package:sysutils/pftop[] package or port. +Once installed, pftop can be run to view a running snapshot of traffic in a format which is similar to man:top[1]. [[pf-tutorial]] === PF Rulesets -This section demonstrates how to create a customized ruleset. It starts with the simplest of rulesets and builds upon its concepts using several examples to demonstrate real-world usage of PF's many features. +This section demonstrates how to create a customized ruleset. +It starts with the simplest of rulesets and builds upon its concepts using several examples to demonstrate real-world usage of PF's many features. -The simplest possible ruleset is for a single machine that does not run any services and which needs access to one network, which may be the Internet. To create this minimal ruleset, edit [.filename]#/etc/pf.conf# so it looks like this: +The simplest possible ruleset is for a single machine that does not run any services and which needs access to one network, which may be the Internet. +To create this minimal ruleset, edit [.filename]#/etc/pf.conf# so it looks like this: [.programlisting] .... @@ -238,14 +289,19 @@ block in all pass out all keep state .... -The first rule denies all incoming traffic by default. The second rule allows connections created by this system to pass out, while retaining state information on those connections. This state information allows return traffic for those connections to pass back and should only be used on machines that can be trusted. The ruleset can be loaded with: +The first rule denies all incoming traffic by default. +The second rule allows connections created by this system to pass out, while retaining state information on those connections. +This state information allows return traffic for those connections to pass back and should only be used on machines that can be trusted. +The ruleset can be loaded with: [source,shell] .... # pfctl -e ; pfctl -f /etc/pf.conf .... -In addition to keeping state, PF provides _lists_ and _macros_ which can be defined for use when creating rules. Macros can include lists and need to be defined before use. As an example, insert these lines at the very top of the ruleset: +In addition to keeping state, PF provides _lists_ and _macros_ which can be defined for use when creating rules. +Macros can include lists and need to be defined before use. +As an example, insert these lines at the very top of the ruleset: [.programlisting] .... @@ -253,7 +309,11 @@ tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }" udp_services = "{ domain }" .... -PF understands port names as well as port numbers, as long as the names are listed in [.filename]#/etc/services#. This example creates two macros. The first is a list of seven TCP port names and the second is one UDP port name. Once defined, macros can be used in rules. In this example, all traffic is blocked except for the connections initiated by this system for the seven specified TCP services and the one specified UDP service: +PF understands port names as well as port numbers, as long as the names are listed in [.filename]#/etc/services#. +This example creates two macros. +The first is a list of seven TCP port names and the second is one UDP port name. +Once defined, macros can be used in rules. +In this example, all traffic is blocked except for the connections initiated by this system for the seven specified TCP services and the one specified UDP service: [.programlisting] .... @@ -264,7 +324,8 @@ pass out proto tcp to any port $tcp_services keep state pass proto udp to any port $udp_services keep state .... -Even though UDP is considered to be a stateless protocol, PF is able to track some state information. For example, when a UDP request is passed which asks a name server about a domain name, PF will watch for the response to pass it back. +Even though UDP is considered to be a stateless protocol, PF is able to track some state information. +For example, when a UDP request is passed which asks a name server about a domain name, PF will watch for the response to pass it back. Whenever an edit is made to a ruleset, the new rules must be loaded so they can be used: @@ -273,27 +334,33 @@ Whenever an edit is made to a ruleset, the new rules must be loaded so they can # pfctl -f /etc/pf.conf .... -If there are no syntax errors, `pfctl` will not output any messages during the rule load. Rules can also be tested before attempting to load them: +If there are no syntax errors, `pfctl` will not output any messages during the rule load. +Rules can also be tested before attempting to load them: [source,shell] .... # pfctl -nf /etc/pf.conf .... -Including `-n` causes the rules to be interpreted only, but not loaded. This provides an opportunity to correct any errors. At all times, the last valid ruleset loaded will be enforced until either PF is disabled or a new ruleset is loaded. +Including `-n` causes the rules to be interpreted only, but not loaded. +This provides an opportunity to correct any errors. +At all times, the last valid ruleset loaded will be enforced until either PF is disabled or a new ruleset is loaded. [TIP] ==== - -Adding `-v` to a `pfctl` ruleset verify or load will display the fully parsed rules exactly the way they will be loaded. This is extremely useful when debugging rules. +Adding `-v` to a `pfctl` ruleset verify or load will display the fully parsed rules exactly the way they will be loaded. +This is extremely useful when debugging rules. ==== [[pftut-gateway]] ==== A Simple Gateway with NAT -This section demonstrates how to configure a FreeBSD system running PF to act as a gateway for at least one other machine. The gateway needs at least two network interfaces, each connected to a separate network. In this example, [.filename]#xl0# is connected to the Internet and [.filename]#xl1# is connected to the internal network. +This section demonstrates how to configure a FreeBSD system running PF to act as a gateway for at least one other machine. +The gateway needs at least two network interfaces, each connected to a separate network. +In this example, [.filename]#xl0# is connected to the Internet and [.filename]#xl1# is connected to the internal network. -First, enable the gateway to let the machine forward the network traffic it receives on one interface to another interface. This sysctl setting will forward IPv4 packets: +First, enable the gateway to let the machine forward the network traffic it receives on one interface to another interface. +This sysctl setting will forward IPv4 packets: [source,shell] .... @@ -317,41 +384,51 @@ To enable these settings at system boot, use man:sysrc[8] to add them to [.filen Verify with `ifconfig` that both of the interfaces are up and running. -Next, create the PF rules to allow the gateway to pass traffic. While the following rule allows stateful traffic from hosts of the internal network to pass to the gateway, the `to` keyword does not guarantee passage all the way from source to destination: +Next, create the PF rules to allow the gateway to pass traffic. +While the following rule allows stateful traffic from hosts of the internal network to pass to the gateway, the `to` keyword does not guarantee passage all the way from source to destination: [.programlisting] .... pass in on xl1 from xl1:network to xl0:network port $ports keep state .... -That rule only lets the traffic pass in to the gateway on the internal interface. To let the packets go further, a matching rule is needed: +That rule only lets the traffic pass in to the gateway on the internal interface. +To let the packets go further, a matching rule is needed: [.programlisting] .... pass out on xl0 from xl1:network to xl0:network port $ports keep state .... -While these two rules will work, rules this specific are rarely needed. For a busy network admin, a readable ruleset is a safer ruleset. The remainder of this section demonstrates how to keep the rules as simple as possible for readability. For example, those two rules could be replaced with one rule: +While these two rules will work, rules this specific are rarely needed. +For a busy network admin, a readable ruleset is a safer ruleset. +The remainder of this section demonstrates how to keep the rules as simple as possible for readability. +For example, those two rules could be replaced with one rule: [.programlisting] .... pass from xl1:network to any port $ports keep state .... -The `interface:network` notation can be replaced with a macro to make the ruleset even more readable. For example, a `$localnet` macro could be defined as the network directly attached to the internal interface (`$xl1:network`). Alternatively, the definition of `$localnet` could be changed to an _IP address/netmask_ notation to denote a network, such as `192.168.100.1/24` for a subnet of private addresses. +The `interface:network` notation can be replaced with a macro to make the ruleset even more readable. +For example, a `$localnet` macro could be defined as the network directly attached to the internal interface (`$xl1:network`). +Alternatively, the definition of `$localnet` could be changed to an _IP address/netmask_ notation to denote a network, such as `192.168.100.1/24` for a subnet of private addresses. -If required, `$localnet` could even be defined as a list of networks. Whatever the specific needs, a sensible `$localnet` definition could be used in a typical pass rule as follows: +If required, `$localnet` could even be defined as a list of networks. +Whatever the specific needs, a sensible `$localnet` definition could be used in a typical pass rule as follows: [.programlisting] .... pass from $localnet to any port $ports keep state .... -The following sample ruleset allows all traffic initiated by machines on the internal network. It first defines two macros to represent the external and internal 3COM interfaces of the gateway. +The following sample ruleset allows all traffic initiated by machines on the internal network. +It first defines two macros to represent the external and internal 3COM interfaces of the gateway. [NOTE] ==== -For dialup users, the external interface will use [.filename]#tun0#. For an ADSL connection, specifically those using PPP over Ethernet (PPPoE), the correct external interface is [.filename]#tun0#, not the physical Ethernet interface. +For dialup users, the external interface will use [.filename]#tun0#. +For an ADSL connection, specifically those using PPP over Ethernet (PPPoE), the correct external interface is [.filename]#tun0#, not the physical Ethernet interface. ==== [.programlisting] @@ -365,9 +442,12 @@ block all pass from { lo0, $localnet } to any keep state .... -This ruleset introduces the `nat` rule which is used to handle the network address translation from the non-routable addresses inside the internal network to the IP address assigned to the external interface. The parentheses surrounding the last part of the nat rule `($ext_if)` is included when the IP address of the external interface is dynamically assigned. It ensures that network traffic runs without serious interruptions even if the external IP address changes. +This ruleset introduces the `nat` rule which is used to handle the network address translation from the non-routable addresses inside the internal network to the IP address assigned to the external interface. +The parentheses surrounding the last part of the nat rule `($ext_if)` is included when the IP address of the external interface is dynamically assigned. +It ensures that network traffic runs without serious interruptions even if the external IP address changes. -Note that this ruleset probably allows more traffic to pass out of the network than is needed. One reasonable setup could create this macro: +Note that this ruleset probably allows more traffic to pass out of the network than is needed. +One reasonable setup could create this macro: [.programlisting] .... @@ -383,7 +463,8 @@ pass inet proto tcp from $localnet to any port $client_out \ flags S/SA keep state .... -A few other pass rules may be needed. This one enables SSH on the external interface: +A few other pass rules may be needed. +This one enables SSH on the external interface: [.programlisting] .... @@ -398,20 +479,29 @@ udp_services = "{ domain, ntp }" pass quick inet proto { tcp, udp } to any port $udp_services keep state .... -Note the `quick` keyword in this rule. Since the ruleset consists of several rules, it is important to understand the relationships between the rules in a ruleset. Rules are evaluated from top to bottom, in the sequence they are written. For each packet or connection evaluated by PF, _the last matching rule_ in the ruleset is the one which is applied. However, when a packet matches a rule which contains the `quick` keyword, the rule processing stops and the packet is treated according to that rule. This is very useful when an exception to the general rules is needed. +Note the `quick` keyword in this rule. +Since the ruleset consists of several rules, it is important to understand the relationships between the rules in a ruleset. +Rules are evaluated from top to bottom, in the sequence they are written. +For each packet or connection evaluated by PF, _the last matching rule_ in the ruleset is the one which is applied. +However, when a packet matches a rule which contains the `quick` keyword, the rule processing stops and the packet is treated according to that rule. +This is very useful when an exception to the general rules is needed. [[pftut-ftp]] ==== Creating an FTP Proxy -Configuring working FTP rules can be problematic due to the nature of the FTP protocol. FTP pre-dates firewalls by several decades and is insecure in its design. The most common points against using FTP include: +Configuring working FTP rules can be problematic due to the nature of the FTP protocol. +FTP pre-dates firewalls by several decades and is insecure in its design. +The most common points against using FTP include: * Passwords are transferred in the clear. * The protocol demands the use of at least two TCP connections (control and data) on separate ports. * When a session is established, data is communicated using randomly selected ports. -All of these points present security challenges, even before considering any potential security weaknesses in client or server software. More secure alternatives for file transfer exist, such as man:sftp[1] or man:scp[1], which both feature authentication and data transfer over encrypted connections.. +All of these points present security challenges, even before considering any potential security weaknesses in client or server software. +More secure alternatives for file transfer exist, such as man:sftp[1] or man:scp[1], which both feature authentication and data transfer over encrypted connections.. -For those situations when FTP is required, PF provides redirection of FTP traffic to a small proxy program called man:ftp-proxy[8], which is included in the base system of FreeBSD. The role of the proxy is to dynamically insert and delete rules in the ruleset, using a set of anchors, to correctly handle FTP traffic. +For those situations when FTP is required, PF provides redirection of FTP traffic to a small proxy program called man:ftp-proxy[8], which is included in the base system of FreeBSD. +The role of the proxy is to dynamically insert and delete rules in the ruleset, using a set of anchors, to correctly handle FTP traffic. To enable the FTP proxy, add this line to [.filename]#/etc/rc.conf#: @@ -422,7 +512,8 @@ ftpproxy_enable="YES" Then start the proxy by running `service ftp-proxy start`. -For a basic configuration, three elements need to be added to [.filename]#/etc/pf.conf#. First, the anchors which the proxy will use to insert the rules it generates for the FTP sessions: +For a basic configuration, three elements need to be added to [.filename]#/etc/pf.conf#. +First, the anchors which the proxy will use to insert the rules it generates for the FTP sessions: [.programlisting] .... @@ -432,7 +523,8 @@ rdr-anchor "ftp-proxy/*" Second, a pass rule is needed to allow FTP traffic in to the proxy. -Third, redirection and NAT rules need to be defined before the filtering rules. Insert this `rdr` rule immediately after the `nat` rule: +Third, redirection and NAT rules need to be defined before the filtering rules. +Insert this `rdr` rule immediately after the `nat` rule: [.programlisting] .... @@ -455,7 +547,10 @@ Save [.filename]#/etc/pf.conf#, load the new rules, and verify from a client tha # pfctl -f /etc/pf.conf .... -This example covers a basic setup where the clients in the local network need to contact FTP servers elsewhere. This basic configuration should work well with most combinations of FTP clients and servers. As shown in man:ftp-proxy[8], the proxy's behavior can be changed in various ways by adding options to the `ftpproxy_flags=` line. Some clients or servers may have specific quirks that must be compensated for in the configuration, or there may be a need to integrate the proxy in specific ways such as assigning FTP traffic to a specific queue. +This example covers a basic setup where the clients in the local network need to contact FTP servers elsewhere. +This basic configuration should work well with most combinations of FTP clients and servers. +As shown in man:ftp-proxy[8], the proxy's behavior can be changed in various ways by adding options to the `ftpproxy_flags=` line. +Some clients or servers may have specific quirks that must be compensated for in the configuration, or there may be a need to integrate the proxy in specific ways such as assigning FTP traffic to a specific queue. For ways to run an FTP server protected by PF and man:ftp-proxy[8], configure a separate `ftp-proxy` in reverse mode, using `-R`, on a separate port with its own redirecting pass rule. @@ -464,9 +559,12 @@ For ways to run an FTP server protected by PF and man:ftp-proxy[8], configure a Many of the tools used for debugging or troubleshooting a TCP/IP network rely on the Internet Control Message Protocol (ICMP), which was designed specifically with debugging in mind. -The ICMP protocol sends and receives _control messages_ between hosts and gateways, mainly to provide feedback to a sender about any unusual or difficult conditions enroute to the target host. Routers use ICMP to negotiate packet sizes and other transmission parameters in a process often referred to as _path MTU discovery_. +The ICMP protocol sends and receives _control messages_ between hosts and gateways, mainly to provide feedback to a sender about any unusual or difficult conditions enroute to the target host. +Routers use ICMP to negotiate packet sizes and other transmission parameters in a process often referred to as _path MTU discovery_. -From a firewall perspective, some ICMP control messages are vulnerable to known attack vectors. Also, letting all diagnostic traffic pass unconditionally makes debugging easier, but it also makes it easier for others to extract information about the network. For these reasons, the following rule may not be optimal: +From a firewall perspective, some ICMP control messages are vulnerable to known attack vectors. +Also, letting all diagnostic traffic pass unconditionally makes debugging easier, but it also makes it easier for others to extract information about the network. +For these reasons, the following rule may not be optimal: [.programlisting] .... @@ -481,7 +579,9 @@ pass inet proto icmp from $localnet to any keep state pass inet proto icmp from any to $ext_if keep state .... -Additional options are available which demonstrate some of PF's flexibility. For example, rather than allowing all ICMP messages, one can specify the messages used by man:ping[8] and man:traceroute[8]. Start by defining a macro for that type of message: +Additional options are available which demonstrate some of PF's flexibility. +For example, rather than allowing all ICMP messages, one can specify the messages used by man:ping[8] and man:traceroute[8]. +Start by defining a macro for that type of message: [.programlisting] .... @@ -495,7 +595,9 @@ and a rule which uses the macro: pass inet proto icmp all icmp-type $icmp_types keep state .... -If other types of ICMP packets are needed, expand `icmp_types` to a list of those packet types. Type `more /usr/src/sbin/pfctl/pfctl_parser.c` to see the list of ICMP message types supported by PF. Refer to http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml[http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml] for an explanation of each message type. +If other types of ICMP packets are needed, expand `icmp_types` to a list of those packet types. +Type `more /usr/src/sbin/pfctl/pfctl_parser.c` to see the list of ICMP message types supported by PF. +Refer to http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml[http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml] for an explanation of each message type. Since Unix `traceroute` uses UDP by default, another rule is needed to allow Unix `traceroute`: @@ -505,14 +607,21 @@ Since Unix `traceroute` uses UDP by default, another rule is needed to allow Uni pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state .... -Since `TRACERT.EXE` on Microsoft Windows systems uses ICMP echo request messages, only the first rule is needed to allow network traces from those systems. Unix `traceroute` can be instructed to use other protocols as well, and will use ICMP echo request messages if `-I` is used. Check the man:traceroute[8] man page for details. +Since `TRACERT.EXE` on Microsoft Windows systems uses ICMP echo request messages, only the first rule is needed to allow network traces from those systems. +Unix `traceroute` can be instructed to use other protocols as well, and will use ICMP echo request messages if `-I` is used. +Check the man:traceroute[8] man page for details. [[pftut-pathmtudisc]] ===== Path MTU Discovery -Internet protocols are designed to be device independent, and one consequence of device independence is that the optimal packet size for a given connection cannot always be predicted reliably. The main constraint on packet size is the _Maximum Transmission Unit_ (MTU) which sets the upper limit on the packet size for an interface. Type `ifconfig` to view the MTUs for a system's network interfaces. +Internet protocols are designed to be device independent, and one consequence of device independence is that the optimal packet size for a given connection cannot always be predicted reliably. +The main constraint on packet size is the _Maximum Transmission Unit_ (MTU) which sets the upper limit on the packet size for an interface. +Type `ifconfig` to view the MTUs for a system's network interfaces. -TCP/IP uses a process known as path MTU discovery to determine the right packet size for a connection. This process sends packets of varying sizes with the "Do not fragment" flag set, expecting an ICMP return packet of "type 3, code 4" when the upper limit has been reached. Type 3 means "destination unreachable", and code 4 is short for "fragmentation needed, but the do-not-fragment flag is set". To allow path MTU discovery in order to support connections to other MTUs, add the `destination unreachable` type to the `icmp_types` macro: +TCP/IP uses a process known as path MTU discovery to determine the right packet size for a connection. +This process sends packets of varying sizes with the "Do not fragment" flag set, expecting an ICMP return packet of "type 3, code 4" when the upper limit has been reached. +Type 3 means "destination unreachable", and code 4 is short for "fragmentation needed, but the do-not-fragment flag is set". +To allow path MTU discovery in order to support connections to other MTUs, add the `destination unreachable` type to the `icmp_types` macro: [.programlisting] .... @@ -526,19 +635,23 @@ Since the pass rule already uses that macro, it does not need to be modified to pass inet proto icmp all icmp-type $icmp_types keep state .... -PF allows filtering on all variations of ICMP types and codes. The list of possible types and codes are documented in man:icmp[4] and man:icmp6[4]. +PF allows filtering on all variations of ICMP types and codes. +The list of possible types and codes are documented in man:icmp[4] and man:icmp6[4]. [[pftut-tables]] ==== Using Tables -Some types of data are relevant to filtering and redirection at a given time, but their definition is too long to be included in the ruleset file. PF supports the use of tables, which are defined lists that can be manipulated without needing to reload the entire ruleset, and which can provide fast lookups. Table names are always enclosed within `< >`, like this: +Some types of data are relevant to filtering and redirection at a given time, but their definition is too long to be included in the ruleset file. +PF supports the use of tables, which are defined lists that can be manipulated without needing to reload the entire ruleset, and which can provide fast lookups. +Table names are always enclosed within `< >`, like this: [.programlisting] .... table <clients> { 192.168.2.0/24, !192.168.2.5 } .... -In this example, the `192.168.2.0/24` network is part of the table, except for the address `192.168.2.5`, which is excluded using the `!` operator. It is also possible to load tables from files where each item is on a separate line, as seen in this example [.filename]#/etc/clients#: +In this example, the `192.168.2.0/24` network is part of the table, except for the address `192.168.2.5`, which is excluded using the `!` operator. +It is also possible to load tables from files where each item is on a separate line, as seen in this example [.filename]#/etc/clients#: [.programlisting] .... @@ -560,14 +673,18 @@ Once the table is defined, it can be referenced by a rule: pass inet proto tcp from <clients> to any port $client_out flags S/SA keep state .... -A table's contents can be manipulated live, using `pfctl`. This example adds another network to the table: +A table's contents can be manipulated live, using `pfctl`. +This example adds another network to the table: [source,shell] .... # pfctl -t clients -T add 192.168.1.0/16 .... -Note that any changes made this way will take affect now, making them ideal for testing, but will not survive a power failure or reboot. To make the changes permanent, modify the definition of the table in the ruleset or edit the file that the table refers to. One can maintain the on-disk copy of the table using a man:cron[8] job which dumps the table's contents to disk at regular intervals, using a command such as `pfctl -t clients -T show >/etc/clients`. Alternatively, [.filename]#/etc/clients# can be updated with the in-memory table contents: +Note that any changes made this way will take affect now, making them ideal for testing, but will not survive a power failure or reboot. +To make the changes permanent, modify the definition of the table in the ruleset or edit the file that the table refers to. +One can maintain the on-disk copy of the table using a man:cron[8] job which dumps the table's contents to disk at regular intervals, using a command such as `pfctl -t clients -T show >/etc/clients`. +Alternatively, [.filename]#/etc/clients# can be updated with the in-memory table contents: [source,shell] .... @@ -591,7 +708,10 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from This is indicative of a brute force attack where somebody or some program is trying to discover the user name and password which will let them into the system. -If external SSH access is needed for legitimate users, changing the default port used by SSH can offer some protection. However, PF provides a more elegant solution. Pass rules can contain limits on what connecting hosts can do and violators can be banished to a table of addresses which are denied some or all access. It is even possible to drop all existing connections from machines which overreach the limits. +If external SSH access is needed for legitimate users, changing the default port used by SSH can offer some protection. +However, PF provides a more elegant solution. +Pass rules can contain limits on what connecting hosts can do and violators can be banished to a table of addresses which are denied some or all access. +It is even possible to drop all existing connections from machines which overreach the limits. To configure this, create this table in the tables section of the ruleset: @@ -611,13 +731,15 @@ pass inet proto tcp from any to $localnet port $tcp_services \ overload <bruteforce> flush global) .... -The part in parentheses defines the limits and the numbers should be changed to meet local requirements. It can be read as follows: +The part in parentheses defines the limits and the numbers should be changed to meet local requirements. +It can be read as follows: `max-src-conn` is the number of simultaneous connections allowed from one host. `max-src-conn-rate` is the rate of new connections allowed from any single host (_15_) per number of seconds (_5_). -`overload <bruteforce>` means that any host which exceeds these limits gets its address added to the `bruteforce` table. The ruleset blocks all traffic from addresses in the `bruteforce` table. +`overload <bruteforce>` means that any host which exceeds these limits gets its address added to the `bruteforce` table. +The ruleset blocks all traffic from addresses in the `bruteforce` table. Finally, `flush global` says that when a host reaches the limit, that all (`global`) of that host's connections will be terminated (`flush`). @@ -626,7 +748,8 @@ Finally, `flush global` says that when a host reaches the limit, that all (`glob These rules will _not_ block slow bruteforcers, as described in http://home.nuug.no/\~peter/hailmary2013/[http://home.nuug.no/~peter/hailmary2013/]. ==== -This example ruleset is intended mainly as an illustration. For example, if a generous number of connections in general are wanted, but the desire is to be more restrictive when it comes to ssh, supplement the rule above with something like the one below, early on in the rule set: +This example ruleset is intended mainly as an illustration. +For example, if a generous number of connections in general are wanted, but the desire is to be more restrictive when it comes to ssh, supplement the rule above with something like the one below, early on in the rule set: [.programlisting] .... @@ -645,9 +768,11 @@ It is worth noting that the overload mechanism is a general technique which does For example, an overload rule could be used to protect a mail service or a web service, and the overload table could be used in a rule to assign offenders to a queue with a minimal bandwidth allocation or to redirect to a specific web page. ==== -Over time, tables will be filled by overload rules and their size will grow incrementally, taking up more memory. Sometimes an IP address that is blocked is a dynamically assigned one, which has since been assigned to a host who has a legitimate reason to communicate with hosts in the local network. +Over time, tables will be filled by overload rules and their size will grow incrementally, taking up more memory. +Sometimes an IP address that is blocked is a dynamically assigned one, which has since been assigned to a host who has a legitimate reason to communicate with hosts in the local network. -For situations like these, pfctl provides the ability to expire table entries. For example, this command will remove `<bruteforce>` table entries which have not been referenced for `86400` seconds: +For situations like these, pfctl provides the ability to expire table entries. +For example, this command will remove `<bruteforce>` table entries which have not been referenced for `86400` seconds: [source,shell] .... @@ -656,7 +781,8 @@ For situations like these, pfctl provides the ability to expire table entries. F Similar functionality is provided by package:security/expiretable[], which removes table entries which have not been accessed for a specified period of time. -Once installed, expiretable can be run to remove `<bruteforce>` table entries older than a specified age. This example removes all entries older than 24 hours: +Once installed, expiretable can be run to remove `<bruteforce>` table entries older than a specified age. +This example removes all entries older than 24 hours: [.programlisting] .... @@ -666,13 +792,17 @@ Once installed, expiretable can be run to remove `<bruteforce>` table entries ol [[pftut-spamd]] ==== Protecting Against SPAM -Not to be confused with the spamd daemon which comes bundled with spamassassin, package:mail/spamd[] can be configured with PF to provide an outer defense against SPAM. This spamd hooks into the PF configuration using a set of redirections. +Not to be confused with the spamd daemon which comes bundled with spamassassin, package:mail/spamd[] can be configured with PF to provide an outer defense against SPAM. +This spamd hooks into the PF configuration using a set of redirections. Spammers tend to send a large number of messages, and SPAM is mainly sent from a few spammer friendly networks and a large number of hijacked machines, both of which are reported to _blacklists_ fairly quickly. -When an SMTP connection from an address in a blacklist is received, spamd presents its banner and immediately switches to a mode where it answers SMTP traffic one byte at a time. This technique, which is intended to waste as much time as possible on the spammer's end, is called _tarpitting_. The specific implementation which uses one byte SMTP replies is often referred to as _stuttering_. +When an SMTP connection from an address in a blacklist is received, spamd presents its banner and immediately switches to a mode where it answers SMTP traffic one byte at a time. +This technique, which is intended to waste as much time as possible on the spammer's end, is called _tarpitting_. +The specific implementation which uses one byte SMTP replies is often referred to as _stuttering_. -This example demonstrates the basic procedure for setting up spamd with automatically updated blacklists. Refer to the man pages which are installed with package:mail/spamd[] for more information. +This example demonstrates the basic procedure for setting up spamd with automatically updated blacklists. +Refer to the man pages which are installed with package:mail/spamd[] for more information. [.procedure] **** @@ -703,10 +833,12 @@ rdr pass on $ext_if inet proto tcp from !<spamd-white> to \ { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025 .... + -The two tables `<spamd>` and `<spamd-white>` are essential. SMTP traffic from an address listed in `<spamd>` but not in `<spamd-white>` is redirected to the spamd daemon listening at port 8025. +The two tables `<spamd>` and `<spamd-white>` are essential. +SMTP traffic from an address listed in `<spamd>` but not in `<spamd-white>` is redirected to the spamd daemon listening at port 8025. . The next step is to configure spamd in [.filename]#/usr/local/etc/spamd.conf# and to add some [.filename]#rc.conf# parameters. + -The installation of package:mail/spamd[] includes a sample configuration file ([.filename]#/usr/local/etc/spamd.conf.sample#) and a man page for [.filename]#spamd.conf#. Refer to these for additional configuration options beyond those shown in this example. +The installation of package:mail/spamd[] includes a sample configuration file ([.filename]#/usr/local/etc/spamd.conf.sample#) and a man page for [.filename]#spamd.conf#. +Refer to these for additional configuration options beyond those shown in this example. + One of the first lines in the configuration file that does not begin with a `#` comment sign contains the block which defines the `all` list, which specifies the lists to use: + @@ -716,7 +848,8 @@ all:\ :traplist:whitelist: .... + -This entry adds the desired blacklists, separated by colons (`:`). To use a whitelist to subtract addresses from a blacklist, add the name of the whitelist _immediately_ after the name of that blacklist. For example: `:blacklist:whitelist:`. +This entry adds the desired blacklists, separated by colons (`:`). +To use a whitelist to subtract addresses from a blacklist, add the name of the whitelist _immediately_ after the name of that blacklist. For example: `:blacklist:whitelist:`. + This is followed by the specified blacklist's definition: + @@ -729,7 +862,10 @@ traplist:\ :file=www.openbsd.org/spamd/traplist.gz .... + -where the first line is the name of the blacklist and the second line specifies the list type. The `msg` field contains the message to display to blacklisted senders during the SMTP dialogue. The `method` field specifies how spamd-setup fetches the list data; supported methods are `http`, `ftp`, from a `file` in a mounted file system, and via `exec` of an external program. Finally, the `file` field specifies the name of the file spamd expects to receive. +where the first line is the name of the blacklist and the second line specifies the list type. +The `msg` field contains the message to display to blacklisted senders during the SMTP dialogue. +The `method` field specifies how spamd-setup fetches the list data; supported methods are `http`, `ftp`, from a `file` in a mounted file system, and via `exec` of an external program. +Finally, the `file` field specifies the name of the file spamd expects to receive. + The definition of the specified whitelist is similar, but omits the `msg` field since a message is not needed: + @@ -745,24 +881,31 @@ whitelist:\ ==== *Choose Data Sources with Care:* + -Using all the blacklists in the sample [.filename]#spamd.conf# will blacklist large blocks of the Internet. Administrators need to edit the file to create an optimal configuration which uses applicable data sources and, when necessary, uses custom lists. +Using all the blacklists in the sample [.filename]#spamd.conf# will blacklist large blocks of the Internet. +Administrators need to edit the file to create an optimal configuration which uses applicable data sources and, when necessary, uses custom lists. ==== + -Next, add this entry to [.filename]#/etc/rc.conf#. Additional flags are described in the man page specified by the comment: +Next, add this entry to [.filename]#/etc/rc.conf#. +Additional flags are described in the man page specified by the comment: + [.programlisting] .... spamd_flags="-v" # use "" and see spamd-setup(8) for flags .... + -When finished, reload the ruleset, start spamd by typing `service obspamd start`, and complete the configuration using `spamd-setup`. Finally, create a man:cron[8] job which calls `spamd-setup` to update the tables at reasonable intervals. +When finished, reload the ruleset, start spamd by typing `service obspamd start`, and complete the configuration using `spamd-setup`. +Finally, create a man:cron[8] job which calls `spamd-setup` to update the tables at reasonable intervals. **** On a typical gateway in front of a mail server, hosts will soon start getting trapped within a few seconds to several minutes. -PF also supports _greylisting_, which temporarily rejects messages from unknown hosts with _45n_ codes. Messages from greylisted hosts which try again within a reasonable time are let through. Traffic from senders which are set up to behave within the limits set by RFC 1123 and RFC 2821 are immediately let through. +PF also supports _greylisting_, which temporarily rejects messages from unknown hosts with _45n_ codes. +Messages from greylisted hosts which try again within a reasonable time are let through. +Traffic from senders which are set up to behave within the limits set by RFC 1123 and RFC 2821 are immediately let through. -More information about greylisting as a technique can be found at the http://www.greylisting.org/[greylisting.org] web site. The most amazing thing about greylisting, apart from its simplicity, is that it still works. Spammers and malware writers have been very slow to adapt to bypass this technique. +More information about greylisting as a technique can be found at the http://www.greylisting.org/[greylisting.org] web site. +The most amazing thing about greylisting, apart from its simplicity, is that it still works. +Spammers and malware writers have been very slow to adapt to bypass this technique. The basic procedure for configuring greylisting is as follows: @@ -785,30 +928,38 @@ Refer to the spamd man page for descriptions of additional related parameters. # service obspamlogd start .... -Behind the scenes, the spamdb database tool and the spamlogd whitelist updater perform essential functions for the greylisting feature. spamdb is the administrator's main interface to managing the black, grey, and white lists via the contents of the [.filename]#/var/db/spamdb# database. +Behind the scenes, the spamdb database tool and the spamlogd whitelist updater perform essential functions for the greylisting feature. +spamdb is the administrator's main interface to managing the black, grey, and white lists via the contents of the [.filename]#/var/db/spamdb# database. [[pftut-hygiene]] ==== Network Hygiene This section describes how `block-policy`, `scrub`, and `antispoof` can be used to make the ruleset behave sanely. -The `block-policy` is an option which can be set in the `options` part of the ruleset, which precedes the redirection and filtering rules. This option determines which feedback, if any, PF sends to hosts that are blocked by a rule. The option has two possible values: `drop` drops blocked packets with no feedback, and `return` returns a status code such as `Connection refused`. +The `block-policy` is an option which can be set in the `options` part of the ruleset, which precedes the redirection and filtering rules. +This option determines which feedback, if any, PF sends to hosts that are blocked by a rule. +The option has two possible values: `drop` drops blocked packets with no feedback, and `return` returns a status code such as `Connection refused`. -If not set, the default policy is `drop`. To change the `block-policy`, specify the desired value: +If not set, the default policy is `drop`. +To change the `block-policy`, specify the desired value: [.programlisting] .... set block-policy return .... -In PF, `scrub` is a keyword which enables network packet normalization. This process reassembles fragmented packets and drops TCP packets that have invalid flag combinations. Enabling `scrub` provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments. A number of options are available, but the simplest form is suitable for most configurations: +In PF, `scrub` is a keyword which enables network packet normalization. +This process reassembles fragmented packets and drops TCP packets that have invalid flag combinations. +Enabling `scrub` provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments. +A number of options are available, but the simplest form is suitable for most configurations: [.programlisting] .... scrub in all .... -Some services, such as NFS, require specific fragment handling options. Refer to https://home.nuug.no/\~peter/pf/en/scrub.html[https://home.nuug.no/~peter/pf/en/scrub.html] for more information. +Some services, such as NFS, require specific fragment handling options. +Refer to https://home.nuug.no/\~peter/pf/en/scrub.html[https://home.nuug.no/~peter/pf/en/scrub.html] for more information. This example reassembles fragments, clears the "do not fragment" bit, and sets the maximum segment size to 1440 bytes: @@ -830,9 +981,12 @@ antispoof for $int_if [[pftut-unrouteables]] ==== Handling Non-Routable Addresses -Even with a properly configured gateway to handle network address translation, one may have to compensate for other people's misconfigurations. A common misconfiguration is to let traffic with non-routable addresses out to the Internet. Since traffic from non-routeable addresses can play a part in several DoS attack techniques, consider explicitly blocking traffic from non-routeable addresses from entering the network through the external interface. +Even with a properly configured gateway to handle network address translation, one may have to compensate for other people's misconfigurations. +A common misconfiguration is to let traffic with non-routable addresses out to the Internet. +Since traffic from non-routeable addresses can play a part in several DoS attack techniques, consider explicitly blocking traffic from non-routeable addresses from entering the network through the external interface. -In this example, a macro containing non-routable addresses is defined, then used in blocking rules. Traffic to and from these addresses is quietly dropped on the gateway's external interface. +In this example, a macro containing non-routable addresses is defined, then used in blocking rules. +Traffic to and from these addresses is quietly dropped on the gateway's external interface. [.programlisting] .... @@ -846,11 +1000,16 @@ block drop out quick on $ext_if from any to $martians === Enabling ALTQ -On FreeBSD, ALTQ can be used with PF to provide Quality of Service (QOS). Once ALTQ is enabled, queues can be defined in the ruleset which determine the processing priority of outbound packets. +On FreeBSD, ALTQ can be used with PF to provide Quality of Service (QOS). +Once ALTQ is enabled, queues can be defined in the ruleset which determine the processing priority of outbound packets. Before enabling ALTQ, refer to man:altq[4] to determine if the drivers for the network cards installed on the system support it. -ALTQ is not available as a loadable kernel module. If the system's interfaces support ALTQ, create a custom kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. The following kernel options are available. The first is needed to enable ALTQ. At least one of the other options is necessary to specify the queueing scheduler algorithm: +ALTQ is not available as a loadable kernel module. +If the system's interfaces support ALTQ, create a custom kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. +The following kernel options are available. +The first is needed to enable ALTQ. +At least one of the other options is necessary to specify the queueing scheduler algorithm: [.programlisting] .... @@ -868,7 +1027,8 @@ CBQ:: Class Based Queuing (CBQ) is used to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules. RED:: -Random Early Detection (RED) is used to avoid network congestion by measuring the length of the queue and comparing it to the minimum and maximum thresholds for the queue. When the queue is over the maximum, all new packets are randomly dropped. +Random Early Detection (RED) is used to avoid network congestion by measuring the length of the queue and comparing it to the minimum and maximum thresholds for the queue. +When the queue is over the maximum, all new packets are randomly dropped. RIO:: In Random Early Detection In and Out (RIO) mode, RED maintains multiple average queue lengths and multiple threshold values, one for each QOS level. @@ -884,9 +1044,11 @@ More information about the scheduling algorithms and example rulesets are availa [[firewalls-ipfw]] == IPFW -IPFW is a stateful firewall written for FreeBSD which supports both IPv4 and IPv6. It is comprised of several components: the kernel firewall filter rule processor and its integrated packet accounting facility, the logging facility, NAT, the man:dummynet[4] traffic shaper, a forward facility, a bridge facility, and an ipstealth facility. +IPFW is a stateful firewall written for FreeBSD which supports both IPv4 and IPv6. +It is comprised of several components: the kernel firewall filter rule processor and its integrated packet accounting facility, the logging facility, NAT, the man:dummynet[4] traffic shaper, a forward facility, a bridge facility, and an ipstealth facility. -FreeBSD provides a sample ruleset in [.filename]#/etc/rc.firewall# which defines several firewall types for common scenarios to assist novice users in generating an appropriate ruleset. IPFW provides a powerful syntax which advanced users can use to craft customized rulesets that meet the security requirements of a given environment. +FreeBSD provides a sample ruleset in [.filename]#/etc/rc.firewall# which defines several firewall types for common scenarios to assist novice users in generating an appropriate ruleset. +IPFW provides a powerful syntax which advanced users can use to craft customized rulesets that meet the security requirements of a given environment. This section describes how to enable IPFW, provides an overview of its rule syntax, and demonstrates several rulesets for common configuration scenarios. @@ -925,7 +1087,8 @@ If `firewall_type` is set to either `client` or `simple`, modify the default rul Note that the `filename` type is used to load a custom ruleset. -An alternate way to load a custom ruleset is to set the `firewall_script` variable to the absolute path of an _executable script_ that includes IPFW commands. The examples used in this section assume that the `firewall_script` is set to [.filename]#/etc/ipfw.rules#: +An alternate way to load a custom ruleset is to set the `firewall_script` variable to the absolute path of an _executable script_ that includes IPFW commands. +The examples used in this section assume that the `firewall_script` is set to [.filename]#/etc/ipfw.rules#: [source,shell] .... @@ -941,11 +1104,14 @@ To enable logging through man:syslogd[8], include this line: [WARNING] ==== - -Only firewall rules with the `log` option will be logged. The default rules do not include this option and it must be manually added. Therefore it is advisable that the default ruleset is edited for logging. In addition, log rotation may be desired if the logs are stored in a separate file. +Only firewall rules with the `log` option will be logged. +The default rules do not include this option and it must be manually added. +Therefore it is advisable that the default ruleset is edited for logging. +In addition, log rotation may be desired if the logs are stored in a separate file. ==== -There is no [.filename]#/etc/rc.conf# variable to set logging limits. To limit the number of times a rule is logged per connection attempt, specify the number using this line in [.filename]#/etc/sysctl.conf#: +There is no [.filename]#/etc/rc.conf# variable to set logging limits. +To limit the number of times a rule is logged per connection attempt, specify the number using this line in [.filename]#/etc/sysctl.conf#: [source,shell] .... @@ -972,7 +1138,8 @@ Then use tcpdump to see what is being logged: There is no overhead due to logging unless tcpdump is attached. ==== -After saving the needed edits, start the firewall. To enable logging limits now, also set the `sysctl` value specified above: +After saving the needed edits, start the firewall. +To enable logging limits now, also set the `sysctl` value specified above: [source,shell] .... @@ -983,71 +1150,109 @@ After saving the needed edits, start the firewall. To enable logging limits now, [[firewalls-ipfw-rules]] === IPFW Rule Syntax -When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule's action is executed and the search of the ruleset terminates for that packet. This is referred to as "first match wins". If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the `count`, `skipto`, or `tee` keywords, the search continues. Refer to man:ipfw[8] for details on how these keywords affect rule processing. +When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. +When the packet matches the selection parameters of a rule, the rule's action is executed and the search of the ruleset terminates for that packet. +This is referred to as "first match wins". +If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule number 65535, which denies all packets and silently discards them. +However, if the packet matches a rule that contains the `count`, `skipto`, or `tee` keywords, the search continues. +Refer to man:ipfw[8] for details on how these keywords affect rule processing. -When creating an IPFW rule, keywords must be written in the following order. Some keywords are mandatory while other keywords are optional. The words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it. The `#` symbol is used to mark the start of a comment and may appear at the end of a rule or on its own line. Blank lines are ignored. +When creating an IPFW rule, keywords must be written in the following order. +Some keywords are mandatory while other keywords are optional. +The words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it. +The `#` symbol is used to mark the start of a comment and may appear at the end of a rule or on its own line. +Blank lines are ignored. `_CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC SRC_PORT to DST DST_PORT OPTIONS_` -This section provides an overview of these keywords and their options. It is not an exhaustive list of every possible option. Refer to man:ipfw[8] for a complete description of the rule syntax that can be used when creating IPFW rules. +This section provides an overview of these keywords and their options. +It is not an exhaustive list of every possible option. +Refer to man:ipfw[8] for a complete description of the rule syntax that can be used when creating IPFW rules. CMD:: Every rule must start with `ipfw add`. RULE_NUMBER:: -Each rule is associated with a number from `1` to `65534`. The number is used to indicate the order of rule processing. Multiple rules can have the same number, in which case they are applied according to the order in which they have been added. +Each rule is associated with a number from `1` to `65534`. +The number is used to indicate the order of rule processing. +Multiple rules can have the same number, in which case they are applied according to the order in which they have been added. SET_NUMBER:: -Each rule is associated with a set number from `0` to `31`. Sets can be individually disabled or enabled, making it possible to quickly add or delete a set of rules. If a SET_NUMBER is not specified, the rule will be added to set `0`. +Each rule is associated with a set number from `0` to `31`. +Sets can be individually disabled or enabled, making it possible to quickly add or delete a set of rules. +If a SET_NUMBER is not specified, the rule will be added to set `0`. ACTION:: -A rule can be associated with one of the following actions. The specified action will be executed when the packet matches the selection criterion of the rule. +A rule can be associated with one of the following actions. +The specified action will be executed when the packet matches the selection criterion of the rule. + `allow | accept | pass | permit`: these keywords are equivalent and allow packets that match the rule. + -`check-state`: checks the packet against the dynamic state table. If a match is found, execute the action associated with the rule which generated this dynamic rule, otherwise move to the next rule. A `check-state` rule does not have selection criterion. If no `check-state` rule is present in the ruleset, the dynamic rules table is checked at the first `keep-state` or `limit` rule. +`check-state`: checks the packet against the dynamic state table. +If a match is found, execute the action associated with the rule which generated this dynamic rule, otherwise move to the next rule. +A `check-state` rule does not have selection criterion. +If no `check-state` rule is present in the ruleset, the dynamic rules table is checked at the first `keep-state` or `limit` rule. + -`count`: updates counters for all packets that match the rule. The search continues with the next rule. +`count`: updates counters for all packets that match the rule. +The search continues with the next rule. + `deny | drop`: either word silently discards packets that match this rule. + -Additional actions are available. Refer to man:ipfw[8] for details. +Additional actions are available. +Refer to man:ipfw[8] for details. LOG_AMOUNT:: -When a packet matches a rule with the `log` keyword, a message will be logged to man:syslogd[8] with a facility name of `SECURITY`. Logging only occurs if the number of packets logged for that particular rule does not exceed a specified LOG_AMOUNT. If no LOG_AMOUNT is specified, the limit is taken from the value of `net.inet.ip.fw.verbose_limit`. A value of zero removes the logging limit. Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for that rule, using `ipfw resetlog`. +When a packet matches a rule with the `log` keyword, a message will be logged to man:syslogd[8] with a facility name of `SECURITY`. +Logging only occurs if the number of packets logged for that particular rule does not exceed a specified LOG_AMOUNT. +If no LOG_AMOUNT is specified, the limit is taken from the value of `net.inet.ip.fw.verbose_limit`. +A value of zero removes the logging limit. +Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for that rule, using `ipfw resetlog`. + [NOTE] ==== -Logging is done after all other packet matching conditions have been met, and before performing the final action on the packet. The administrator decides which rules to enable logging on. +Logging is done after all other packet matching conditions have been met, and before performing the final action on the packet. +The administrator decides which rules to enable logging on. ==== PROTO:: This optional value can be used to specify any protocol name or number found in [.filename]#/etc/protocols#. SRC:: -The `from` keyword must be followed by the source address or a keyword that represents the source address. An address can be represented by `any`, `me` (any address configured on an interface on this system), `me6`, (any IPv6 address configured on an interface on this system), or `table` followed by the number of a lookup table which contains a list of addresses. When specifying an IP address, it can be optionally followed by its CIDR mask or subnet mask. For example, `1.2.3.4/25` or `1.2.3.4:255.255.255.128`. +The `from` keyword must be followed by the source address or a keyword that represents the source address. +An address can be represented by `any`, `me` (any address configured on an interface on this system), `me6`, (any IPv6 address configured on an interface on this system), or `table` followed by the number of a lookup table which contains a list of addresses. +When specifying an IP address, it can be optionally followed by its CIDR mask or subnet mask. +For example, `1.2.3.4/25` or `1.2.3.4:255.255.255.128`. SRC_PORT:: An optional source port can be specified using the port number or name from [.filename]#/etc/services#. DST:: -The `to` keyword must be followed by the destination address or a keyword that represents the destination address. The same keywords and addresses described in the SRC section can be used to describe the destination. +The `to` keyword must be followed by the destination address or a keyword that represents the destination address. +The same keywords and addresses described in the SRC section can be used to describe the destination. DST_PORT:: An optional destination port can be specified using the port number or name from [.filename]#/etc/services#. OPTIONS:: -Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include `in` or `out`, which specify the direction of packet flow, `icmptypes` followed by the type of ICMP message, and `keep-state`. +Several keywords can follow the source and destination. +As the name suggests, OPTIONS are optional. +Commonly used options include `in` or `out`, which specify the direction of packet flow, `icmptypes` followed by the type of ICMP message, and `keep-state`. + When a `keep-state` rule is matched, the firewall will create a dynamic rule which matches bidirectional traffic between the source and destination addresses and ports using the same protocol. + -The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack with IPFW, use `limit`. This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and IP address combination occurred. If this count is greater than the value specified by `limit`, the packet is discarded. +The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. +To counter this type of attack with IPFW, use `limit`. +This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and IP address combination occurred. +If this count is greater than the value specified by `limit`, the packet is discarded. + -Dozens of OPTIONS are available. Refer to man:ipfw[8] for a description of each available option. +Dozens of OPTIONS are available. +Refer to man:ipfw[8] for a description of each available option. === Example Ruleset -This section demonstrates how to create an example stateful firewall ruleset script named [.filename]#/etc/ipfw.rules#. In this example, all connection rules use `in` or `out` to clarify the direction. They also use `via` _interface-name_ to specify the interface the packet is traveling over. +This section demonstrates how to create an example stateful firewall ruleset script named [.filename]#/etc/ipfw.rules#. +In this example, all connection rules use `in` or `out` to clarify the direction. +They also use `via` _interface-name_ to specify the interface the packet is traveling over. [NOTE] ==== @@ -1061,7 +1266,9 @@ net.inet.ip.fw.default_to_accept="1" This sets the default policy of man:ipfw[8] to be more permissive than the default `deny ip from any to any`, making it slightly more difficult to get locked out of the system right after a reboot. ==== -The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the `cmd` variable so that `ipfw add` does not have to be typed at the beginning of every rule. It also defines the `pif` variable which represents the name of the interface that is attached to the Internet. +The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. +It then creates the `cmd` variable so that `ipfw add` does not have to be typed at the beginning of every rule. +It also defines the `pif` variable which represents the name of the interface that is attached to the Internet. [.programlisting] .... @@ -1129,7 +1336,9 @@ $cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state $cmd 00299 deny log all from any to any out via $pif .... -The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use `limit` to prevent flooding. +The next set of rules controls connections from Internet hosts to the internal network. +It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. +All the authorized services that originate from the Internet use `limit` to prevent flooding. [.programlisting] .... @@ -1187,11 +1396,16 @@ $cmd 00999 deny log all from any to any [[in-kernel-nat]] === In-kernel NAT -FreeBSD's IPFW firewall has two implementations of NAT: the userland implementation man:natd[8], and the more recent in-kernel NAT implementation. Both work in conjunction with IPFW to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public IP address. +FreeBSD's IPFW firewall has two implementations of NAT: the userland implementation man:natd[8], and the more recent in-kernel NAT implementation. +Both work in conjunction with IPFW to provide network address translation. +This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public IP address. -To do this, the FreeBSD machine connected to the Internet must act as a gateway. This system must have two NICs, where one is connected to the Internet and the other is connected to the internal LAN. Each machine connected to the LAN should be assigned an IP address in the private network space, as defined by https://www.ietf.org/rfc/rfc1918.txt[RFC 1918]. +To do this, the FreeBSD machine connected to the Internet must act as a gateway. +This system must have two NICs, where one is connected to the Internet and the other is connected to the internal LAN. +Each machine connected to the LAN should be assigned an IP address in the private network space, as defined by https://www.ietf.org/rfc/rfc1918.txt[RFC 1918]. -Some additional configuration is needed in order to enable the in-kernel NAT facility of IPFW. To enable in-kernel NAT support at boot time, the following must be set in [.filename]#/etc/rc.conf#: +Some additional configuration is needed in order to enable the in-kernel NAT facility of IPFW. +To enable in-kernel NAT support at boot time, the following must be set in [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -1202,10 +1416,15 @@ firewall_nat_enable="YES" [NOTE] ==== -When `firewall_nat_enable` is set but `firewall_enable` is not, it will have no effect and do nothing. This is because the in-kernel NAT implementation is only compatible with IPFW. +When `firewall_nat_enable` is set but `firewall_enable` is not, it will have no effect and do nothing. +This is because the in-kernel NAT implementation is only compatible with IPFW. ==== -When the ruleset contains stateful rules, the positioning of the NAT rule is critical and the `skipto` action is used. The `skipto` action requires a rule number so that it knows which rule to jump to. The example below builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel NAT. It starts by adding some additional variables which represent the rule number to skip to, the `keep-state` option, and a list of TCP ports which will be used to reduce the number of rules. +When the ruleset contains stateful rules, the positioning of the NAT rule is critical and the `skipto` action is used. +The `skipto` action requires a rule number so that it knows which rule to jump to. +The example below builds upon the firewall ruleset shown in the previous section. +It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel NAT. +It starts by adding some additional variables which represent the rule number to skip to, the `keep-state` option, and a list of TCP ports which will be used to reduce the number of rules. [.programlisting] .... @@ -1218,14 +1437,22 @@ ks="keep-state" good_tcpo="22,25,37,53,80,443,110" .... -With in-kernel NAT it is necessary to disable TCP segmentation offloading (TSO) due to the architecture of man:libalias[3], a library implemented as a kernel module to provide the in-kernel NAT facility of IPFW. TSO can be disabled on a per network interface basis using man:ifconfig[8] or on a system wide basis using man:sysctl[8]. To disable TSO system wide, the following must be set it [.filename]#/etc/sysctl.conf#: +With in-kernel NAT it is necessary to disable TCP segmentation offloading (TSO) due to the architecture of man:libalias[3], a library implemented as a kernel module to provide the in-kernel NAT facility of IPFW. +TSO can be disabled on a per network interface basis using man:ifconfig[8] or on a system wide basis using man:sysctl[8]. +To disable TSO system wide, the following must be set it [.filename]#/etc/sysctl.conf#: [.programlisting] .... net.inet.tcp.tso="0" .... -A NAT instance will also be configured. It is possible to have multiple NAT instances each with their own configuration. For this example only one NAT instance is needed, NAT instance number 1. The configuration can take a few options such as: `if` which indicates the public interface, `same_ports` which takes care that alliased ports and local port numbers are mapped the same, `unreg_only` will result in only unregistered (private) address spaces to be processed by the NAT instance, and `reset` which will help to keep a functioning NAT instance even when the public IP address of the IPFW machine changes. For all possible options that can be passed to a single NAT instance configuration consult man:ipfw[8]. When configuring a stateful NATing firewall, it is necessary to allow translated packets to be reinjected in the firewall for further processing. This can be achieved by disabling `one_pass` behavior at the start of the firewall script. +A NAT instance will also be configured. +It is possible to have multiple NAT instances each with their own configuration. +For this example only one NAT instance is needed, NAT instance number 1. +The configuration can take a few options such as: `if` which indicates the public interface, `same_ports` which takes care that alliased ports and local port numbers are mapped the same, `unreg_only` will result in only unregistered (private) address spaces to be processed by the NAT instance, and `reset` which will help to keep a functioning NAT instance even when the public IP address of the IPFW machine changes. +For all possible options that can be passed to a single NAT instance configuration consult man:ipfw[8]. +When configuring a stateful NATing firewall, it is necessary to allow translated packets to be reinjected in the firewall for further processing. +This can be achieved by disabling `one_pass` behavior at the start of the firewall script. [.programlisting] .... @@ -1233,13 +1460,17 @@ ipfw disable one_pass ipfw -q nat 1 config if $pif same_ports unreg_only reset .... -The inbound NAT rule is inserted _after_ the two rules which allow all traffic on the trusted and loopback interfaces and after the reassemble rule but _before_ the `check-state` rule. It is important that the rule number selected for this NAT rule, in this example `100`, is higher than the first three rules and lower than the `check-state` rule. Furthermore, because of the behavior of in-kernel NAT it is advised to place a reassemble rule just before the first NAT rule and after the rules that allow traffic on trusted interface. Normally, IP fragmentation should not happen, but when dealing with IPSEC/ESP/GRE tunneling traffic it might and the reassembling of fragments is necessary before handing the complete packet over to the in-kernel NAT facility. +The inbound NAT rule is inserted _after_ the two rules which allow all traffic on the trusted and loopback interfaces and after the reassemble rule but _before_ the `check-state` rule. +It is important that the rule number selected for this NAT rule, in this example `100`, is higher than the first three rules and lower than the `check-state` rule. +Furthermore, because of the behavior of in-kernel NAT it is advised to place a reassemble rule just before the first NAT rule and after the rules that allow traffic on trusted interface. +Normally, IP fragmentation should not happen, but when dealing with IPSEC/ESP/GRE tunneling traffic it might and the reassembling of fragments is necessary before handing the complete packet over to the in-kernel NAT facility. [NOTE] ==== The reassemble rule was not needed with userland man:natd[8] because the internal workings of the IPFW `divert` action already takes care of reassembling packets before delivery to the socket as also stated in man:ipfw[8]. -The NAT instance and rule number used in this example does not match with the default NAT instance and rule number created by [.filename]#rc.firewall#. [.filename]#rc.firewall# is a script that sets up the default firewall rules present in FreeBSD. +The NAT instance and rule number used in this example does not match with the default NAT instance and rule number created by [.filename]#rc.firewall#. +[.filename]#rc.firewall# is a script that sets up the default firewall rules present in FreeBSD. ==== [.programlisting] @@ -1252,7 +1483,8 @@ $cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets $cmd 101 check-state .... -The outbound rules are modified to replace the `allow` action with the `$skip` variable, indicating that rule processing will continue at rule `1000`. The seven `tcp` rules have been replaced by rule `125` as the `$good_tcpo` variable contains the seven allowed outbound ports. +The outbound rules are modified to replace the `allow` action with the `$skip` variable, indicating that rule processing will continue at rule `1000`. +The seven `tcp` rules have been replaced by rule `125` as the `$good_tcpo` variable contains the seven allowed outbound ports. [NOTE] ==== @@ -1268,7 +1500,10 @@ $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks $cmd 130 $skip icmp from any to any out via $pif $ks .... -The inbound rules remain the same, except for the very last rule which removes the `via $pif` in order to catch both inbound and outbound rules. The NAT rule must follow this last outbound rule, must have a higher number than that last rule, and the rule number must be referenced by the `skipto` action. In this ruleset, rule number `1000` handles passing all packets to our configured instance for NAT processing. The next rule allows any packet which has undergone NAT processing to pass. +The inbound rules remain the same, except for the very last rule which removes the `via $pif` in order to catch both inbound and outbound rules. +The NAT rule must follow this last outbound rule, must have a higher number than that last rule, and the rule number must be referenced by the `skipto` action. +In this ruleset, rule number `1000` handles passing all packets to our configured instance for NAT processing. +The next rule allows any packet which has undergone NAT processing to pass. [.programlisting] .... @@ -1279,22 +1514,45 @@ $cmd 1001 allow ip from any to any In this example, rules `100`, `101`, `125`, `1000`, and `1001` control the address translation of the outbound and inbound packets so that the entries in the dynamic state table always register the private LANIP address. -Consider an internal web browser which initializes a new outbound HTTP session over port 80. When the first outbound packet enters the firewall, it does not match rule `100` because it is headed out rather than in. It passes rule `101` because this is the first packet and it has not been posted to the dynamic state table yet. The packet finally matches rule `125` as it is outbound on an allowed port and has a source IP address from the internal LAN. On matching this rule, two actions take place. First, the `keep-state` action adds an entry to the dynamic state table and the specified action, `skipto rule 1000`, is executed. Next, the packet undergoes NAT and is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of the ruleset. It matches rule `100` and has its destination IP address mapped back to the original internal address. It then is processed by the `check-state` rule, is found in the table as an existing session, and is released to the LAN. - -On the inbound side, the ruleset has to deny bad packets and allow only authorized services. A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the LAN. The packet generated as a response is recognized by the `check-state` rule as belonging to an existing session. It is then sent to rule `1000` to undergo NAT before being released to the outbound interface. +Consider an internal web browser which initializes a new outbound HTTP session over port 80. +When the first outbound packet enters the firewall, it does not match rule `100` because it is headed out rather than in. +It passes rule `101` because this is the first packet and it has not been posted to the dynamic state table yet. +The packet finally matches rule `125` as it is outbound on an allowed port and has a source IP address from the internal LAN. +On matching this rule, two actions take place. +First, the `keep-state` action adds an entry to the dynamic state table and the specified action, `skipto rule 1000`, is executed. +Next, the packet undergoes NAT and is sent out to the Internet. +This packet makes its way to the destination web server, where a response packet is generated and sent back. +This new packet enters the top of the ruleset. +It matches rule `100` and has its destination IP address mapped back to the original internal address. +It then is processed by the `check-state` rule, is found in the table as an existing session, and is released to the LAN. + +On the inbound side, the ruleset has to deny bad packets and allow only authorized services. +A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the LAN. +The packet generated as a response is recognized by the `check-state` rule as belonging to an existing session. +It is then sent to rule `1000` to undergo NAT before being released to the outbound interface. [NOTE] ==== -Transitioning from userland man:natd[8] to in-kernel NAT might appear seamless at first but there is small catch. When using the GENERIC kernel, IPFW will load the [.filename]#libalias.ko# kernel module, when `firewall_nat_enable` is enabled in [.filename]#/etc/rc.conf#. The [.filename]#libalias.ko# kernel module only provides basic NAT functionality, whereas the userland implementation man:natd[8] has all NAT functionality available in its userland library without any extra configuration. All functionality refers to the following kernel modules that can additionally be loaded when needed besides the standard [.filename]#libalias.ko# kernel module: [.filename]#alias_ftp.ko#, [.filename]#alias_bbt.ko#, [.filename]#skinny.ko#, [.filename]#irc.ko#, [.filename]#alias_pptp.ko# and [.filename]#alias_smedia.ko# using the `kld_list` directive in [.filename]#/etc/rc.conf#. If a custom kernel is used, the full functionality of the userland library can be compiled in, in the kernel, using the `options LIBALIAS`. +Transitioning from userland man:natd[8] to in-kernel NAT might appear seamless at first but there is small catch. +When using the GENERIC kernel, IPFW will load the [.filename]#libalias.ko# kernel module, when `firewall_nat_enable` is enabled in [.filename]#/etc/rc.conf#. +The [.filename]#libalias.ko# kernel module only provides basic NAT functionality, whereas the userland implementation man:natd[8] has all NAT functionality available in its userland library without any extra configuration. +All functionality refers to the following kernel modules that can additionally be loaded when needed besides the standard [.filename]#libalias.ko# kernel module: [.filename]#alias_ftp.ko#, [.filename]#alias_bbt.ko#, [.filename]#skinny.ko#, [.filename]#irc.ko#, [.filename]#alias_pptp.ko# and [.filename]#alias_smedia.ko# using the `kld_list` directive in [.filename]#/etc/rc.conf#. +If a custom kernel is used, the full functionality of the userland library can be compiled in, in the kernel, using the `options LIBALIAS`. ==== ==== Port Redirection -The drawback with NAT in general is that the LAN clients are not accessible from the Internet. Clients on the LAN can make outgoing connections to the world but cannot receive incoming ones. This presents a problem if trying to run Internet services on one of the LAN client machines. A simple way around this is to redirect selected Internet ports on the NAT providing machine to a LAN client. +The drawback with NAT in general is that the LAN clients are not accessible from the Internet. +Clients on the LAN can make outgoing connections to the world but cannot receive incoming ones. +This presents a problem if trying to run Internet services on one of the LAN client machines. +A simple way around this is to redirect selected Internet ports on the NAT providing machine to a LAN client. -For example, an IRC server runs on client `A` and a web server runs on client `B`. For this to work properly, connections received on ports 6667 (IRC) and 80 (HTTP) must be redirected to the respective machines. +For example, an IRC server runs on client `A` and a web server runs on client `B`. +For this to work properly, connections received on ports 6667 (IRC) and 80 (HTTP) must be redirected to the respective machines. -With in-kernel NAT all configuration is done in the NAT instance configuration. For a full list of options that an in-kernel NAT instance can use, consult man:ipfw[8]. The IPFW syntax follows the syntax of natd. The syntax for `redirect_port` is as follows: +With in-kernel NAT all configuration is done in the NAT instance configuration. +For a full list of options that an in-kernel NAT instance can use, consult man:ipfw[8]. +The IPFW syntax follows the syntax of natd. The syntax for `redirect_port` is as follows: [.programlisting] .... @@ -1320,11 +1578,15 @@ ipfw -q nat 1 config if $pif same_ports unreg_only reset \ redirect_port tcp 192.168.0.3:80 80 .... -Port ranges over individual ports can be indicated with `redirect_port`. For example, _tcp 192.168.0.2:2000-3000 2000-3000_ would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client `A`. +Port ranges over individual ports can be indicated with `redirect_port`. +For example, _tcp 192.168.0.2:2000-3000 2000-3000_ would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client `A`. ==== Address Redirection -Address redirection is useful if more than one IP address is available. Each LAN client can be assigned its own external IP address by man:ipfw[8], which will then rewrite outgoing packets from the LAN clients with the proper external IP address and redirects all traffic incoming on that particular IP address back to the specific LAN client. This is also known as static NAT. For example, if IP addresses `128.1.1.1`, `128.1.1.2`, and `128.1.1.3` are available, `128.1.1.1` can be used as the man:ipfw[8] machine's external IP address, while `128.1.1.2` and `128.1.1.3` are forwarded back to LAN clients `A` and `B`. +Address redirection is useful if more than one IP address is available. +Each LAN client can be assigned its own external IP address by man:ipfw[8], which will then rewrite outgoing packets from the LAN clients with the proper external IP address and redirects all traffic incoming on that particular IP address back to the specific LAN client. +This is also known as static NAT. +For example, if IP addresses `128.1.1.1`, `128.1.1.2`, and `128.1.1.3` are available, `128.1.1.1` can be used as the man:ipfw[8] machine's external IP address, while `128.1.1.2` and `128.1.1.3` are forwarded back to LAN clients `A` and `B`. The `redirect_address` syntax is as below, where `localIP` is the internal IP address of the LAN client, and `publicIP` the external IP address corresponding to the LAN client. @@ -1341,15 +1603,20 @@ redirect_address 192.168.0.2 128.1.1.2 redirect_address 192.168.0.3 128.1.1.3 .... -Like `redirect_port`, these arguments are placed in a NAT instance configuration. With address redirection, there is no need for port redirection, as all data received on a particular IP address is redirected. +Like `redirect_port`, these arguments are placed in a NAT instance configuration. +With address redirection, there is no need for port redirection, as all data received on a particular IP address is redirected. -The external IP addresses on the man:ipfw[8] machine must be active and aliased to the external interface. Refer to man:rc.conf[5] for details. +The external IP addresses on the man:ipfw[8] machine must be active and aliased to the external interface. +Refer to man:rc.conf[5] for details. ==== Userspace NAT -Let us start with a statement: the userspace NAT implementation: man:natd[8], has more overhead than in-kernel NAT. For man:natd[8] to translate packets, the packets have to be copied from the kernel to userspace and back which brings in extra overhead that is not present with in-kernel NAT. +Let us start with a statement: the userspace NAT implementation: man:natd[8], has more overhead than in-kernel NAT. +For man:natd[8] to translate packets, the packets have to be copied from the kernel to userspace and back which brings in extra overhead that is not present with in-kernel NAT. -To enable the userpace NAT daemon man:natd[8] at boot time, the following is a minimum configuration in [.filename]#/etc/rc.conf#. Where `natd_interface` is set to the name of the NIC attached to the Internet. The man:rc[8] script of man:natd[8] will automatically check if a dynamic IP address is used and configure itself to handle that. +To enable the userpace NAT daemon man:natd[8] at boot time, the following is a minimum configuration in [.filename]#/etc/rc.conf#. +Where `natd_interface` is set to the name of the NIC attached to the Internet. +The man:rc[8] script of man:natd[8] will automatically check if a dynamic IP address is used and configure itself to handle that. [.programlisting] .... @@ -1358,7 +1625,9 @@ natd_enable="YES" natd_interface="rl0" .... -In general, the above ruleset as explained for in-kernel NAT can also be used together with man:natd[8]. The exceptions are the configuration of the in-kernel NAT instance `(ipfw -q nat 1 config ...)` which is not needed together with reassemble rule 99 because its functionality is included in the `divert` action. Rule number 100 and 1000 will have to change sligthly as shown below. +In general, the above ruleset as explained for in-kernel NAT can also be used together with man:natd[8]. +The exceptions are the configuration of the in-kernel NAT instance `(ipfw -q nat 1 config ...)` which is not needed together with reassemble rule 99 because its functionality is included in the `divert` action. +Rule number 100 and 1000 will have to change sligthly as shown below. [.programlisting] .... @@ -1366,7 +1635,9 @@ $cmd 100 divert natd ip from any to any in via $pif $cmd 1000 divert natd ip from any to any out via $pif .... -To configure port or address redirection, a similar syntax as with in-kernel NAT is used. Although, now, instead of specifying the configuration in our ruleset script like with in-kernel NAT, configuration of man:natd[8] is best done in a configuration file. To do this, an extra flag must be passed via [.filename]#/etc/rc.conf# which specifies the path of the configuration file. +To configure port or address redirection, a similar syntax as with in-kernel NAT is used. +Although, now, instead of specifying the configuration in our ruleset script like with in-kernel NAT, configuration of man:natd[8] is best done in a configuration file. +To do this, an extra flag must be passed via [.filename]#/etc/rc.conf# which specifies the path of the configuration file. [.programlisting] .... @@ -1375,7 +1646,9 @@ natd_flags="-f /etc/natd.conf" [NOTE] ==== -The specified file must contain a list of configuration options, one per line. For more information about the configuration file and possible variables, consult man:natd[8]. Below are two example entries, one per line: +The specified file must contain a list of configuration options, one per line. +For more information about the configuration file and possible variables, consult man:natd[8]. +Below are two example entries, one per line: [.programlisting] .... @@ -1388,9 +1661,13 @@ redirect_address 192.168.0.3 128.1.1.3 [[firewalls-ipfw-cmd]] === The IPFW Command -`ipfw` can be used to make manual, single rule additions or deletions to the active firewall while it is running. The problem with using this method is that all the changes are lost when the system reboots. It is recommended to instead write all the rules in a file and to use that file to load the rules at boot time and to replace the currently running firewall rules whenever that file changes. +`ipfw` can be used to make manual, single rule additions or deletions to the active firewall while it is running. +The problem with using this method is that all the changes are lost when the system reboots. +It is recommended to instead write all the rules in a file and to use that file to load the rules at boot time and to replace the currently running firewall rules whenever that file changes. -`ipfw` is a useful way to display the running firewall rules to the console screen. The IPFW accounting facility dynamically creates a counter for each rule that counts each packet that matches the rule. During the process of testing a rule, listing the rule with its counter is one way to determine if the rule is functioning as expected. +`ipfw` is a useful way to display the running firewall rules to the console screen. +The IPFW accounting facility dynamically creates a counter for each rule that counts each packet that matches the rule. +During the process of testing a rule, listing the rule with its counter is one way to determine if the rule is functioning as expected. To list all the running rules in sequence: @@ -1406,7 +1683,8 @@ To list all the running rules with a time stamp of when the last time the rule w # ipfw -t list .... -The next example lists accounting information and the packet count for matched rules along with the rules themselves. The first column is the rule number, followed by the number of matched packets and bytes, followed by the rule itself. +The next example lists accounting information and the packet count for matched rules along with the rules themselves. +The first column is the rule number, followed by the number of matched packets and bytes, followed by the rule itself. [source,shell] .... @@ -1443,11 +1721,20 @@ To zero the counters for just the rule with number _NUM_: ==== Logging Firewall Messages -Even with the logging facility enabled, IPFW will not generate any rule logging on its own. The firewall administrator decides which rules in the ruleset will be logged, and adds the `log` keyword to those rules. Normally only deny rules are logged. It is customary to duplicate the "ipfw default deny everything" rule with the `log` keyword included as the last rule in the ruleset. This way, it is possible to see all the packets that did not match any of the rules in the ruleset. +Even with the logging facility enabled, IPFW will not generate any rule logging on its own. +The firewall administrator decides which rules in the ruleset will be logged, and adds the `log` keyword to those rules. +Normally only deny rules are logged. +It is customary to duplicate the "ipfw default deny everything" rule with the `log` keyword included as the last rule in the ruleset. +This way, it is possible to see all the packets that did not match any of the rules in the ruleset. -Logging is a two edged sword. If one is not careful, an over abundance of log data or a DoS attack can fill the disk with log files. Log messages are not only written to syslogd, but also are displayed on the root console screen and soon become annoying. +Logging is a two edged sword. +If one is not careful, an over abundance of log data or a DoS attack can fill the disk with log files. +Log messages are not only written to syslogd, but also are displayed on the root console screen and soon become annoying. -The `IPFIREWALL_VERBOSE_LIMIT=5` kernel option limits the number of consecutive messages sent to man:syslogd[8], concerning the packet matching of a given rule. When this option is enabled in the kernel, the number of consecutive messages concerning a particular rule is capped at the number specified. There is nothing to be gained from 200 identical log messages. With this option set to five, five consecutive messages concerning a particular rule would be logged to syslogd and the remainder identical consecutive messages would be counted and posted to syslogd with a phrase like the following: +The `IPFIREWALL_VERBOSE_LIMIT=5` kernel option limits the number of consecutive messages sent to man:syslogd[8], concerning the packet matching of a given rule. +When this option is enabled in the kernel, the number of consecutive messages concerning a particular rule is capped at the number specified. +There is nothing to be gained from 200 identical log messages. +With this option set to five, five consecutive messages concerning a particular rule would be logged to syslogd and the remainder identical consecutive messages would be counted and posted to syslogd with a phrase like the following: [.programlisting] .... @@ -1459,9 +1746,15 @@ All logged packets messages are written by default to [.filename]#/var/log/secur [[firewalls-ipfw-rules-script]] ==== Building a Rule Script -Most experienced IPFW users create a file containing the rules and code them in a manner compatible with running them as a script. The major benefit of doing this is the firewall rules can be refreshed in mass without the need of rebooting the system to activate them. This method is convenient in testing new rules as the procedure can be executed as many times as needed. Being a script, symbolic substitution can be used for frequently used values to be substituted into multiple rules. +Most experienced IPFW users create a file containing the rules and code them in a manner compatible with running them as a script. +The major benefit of doing this is the firewall rules can be refreshed in mass without the need of rebooting the system to activate them. +This method is convenient in testing new rules as the procedure can be executed as many times as needed. +Being a script, symbolic substitution can be used for frequently used values to be substituted into multiple rules. -This example script is compatible with the syntax used by the man:sh[1], man:csh[1], and man:tcsh[1] shells. Symbolic substitution fields are prefixed with a dollar sign ($). Symbolic fields do not have the $ prefix. The value to populate the symbolic field must be enclosed in double quotes (""). +This example script is compatible with the syntax used by the man:sh[1], man:csh[1], and man:tcsh[1] shells. +Symbolic substitution fields are prefixed with a dollar sign ($). +Symbolic fields do not have the $ prefix. +The value to populate the symbolic field must be enclosed in double quotes (""). Start the rules file like this: @@ -1511,7 +1804,8 @@ The same thing could be accomplished by running these commands by hand: [[firewalls-ipfw-kernelconfig]] === IPFW Kernel Options -In order to statically compile IPFW support into a custom kernel, refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. The following options are available for the custom kernel configuration file: +In order to statically compile IPFW support into a custom kernel, refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. +The following options are available for the custom kernel configuration file: [.programlisting] .... @@ -1537,19 +1831,24 @@ IPFW can be loaded as a kernel module: options above are built by default as mod IPFILTER, also known as IPF, is a cross-platform, open source firewall which has been ported to several operating systems, including FreeBSD, NetBSD, OpenBSD, and Solaris(TM). -IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled and monitored by userland programs. Firewall rules can be set or deleted using ipf, NAT rules can be set or deleted using ipnat, run-time statistics for the kernel parts of IPFILTER can be printed using ipfstat, and ipmon can be used to log IPFILTER actions to the system log files. +IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled and monitored by userland programs. +Firewall rules can be set or deleted using ipf, NAT rules can be set or deleted using ipnat, run-time statistics for the kernel parts of IPFILTER can be printed using ipfstat, and ipmon can be used to log IPFILTER actions to the system log files. -IPF was originally written using a rule processing logic of "the last matching rule wins" and only used stateless rules. Since then, IPF has been enhanced to include the `quick` and `keep state` options. +IPF was originally written using a rule processing logic of "the last matching rule wins" and only used stateless rules. +Since then, IPF has been enhanced to include the `quick` and `keep state` options. -The IPF FAQ is at http://www.phildev.net/ipf/index.html[http://www.phildev.net/ipf/index.html]. A searchable archive of the IPFilter mailing list is available at http://marc.info/?l=ipfilter[http://marc.info/?l=ipfilter]. +The IPF FAQ is at http://www.phildev.net/ipf/index.html[http://www.phildev.net/ipf/index.html]. +A searchable archive of the IPFilter mailing list is available at http://marc.info/?l=ipfilter[http://marc.info/?l=ipfilter]. -This section of the Handbook focuses on IPF as it pertains to FreeBSD. It provides examples of rules that contain the `quick` and `keep state` options. +This section of the Handbook focuses on IPF as it pertains to FreeBSD. +It provides examples of rules that contain the `quick` and `keep state` options. === Enabling IPF IPF is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPF. -For users who prefer to statically compile IPF support into a custom kernel, refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. The following kernel options are available: +For users who prefer to statically compile IPF support into a custom kernel, refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. +The following kernel options are available: [.programlisting] .... @@ -1561,7 +1860,9 @@ options IPFILTER_DEFAULT_BLOCK where `options IPFILTER` enables support for IPFILTER, `options IPFILTER_LOG` enables IPF logging using the [.filename]#ipl# packet logging pseudo-device for every rule that has the `log` keyword, `IPFILTER_LOOKUP` enables IP pools in order to speed up IP lookups, and `options IPFILTER_DEFAULT_BLOCK` changes the default behavior so that any packet not matching a firewall `pass` rule gets blocked. -To configure the system to enable IPF at boot time, add the following entries to [.filename]#/etc/rc.conf#. These entries will also enable logging and `default pass all`. To change the default policy to `block all` without compiling a custom kernel, remember to add a `block all` rule at the end of the ruleset. +To configure the system to enable IPF at boot time, add the following entries to [.filename]#/etc/rc.conf#. +These entries will also enable logging and `default pass all`. +To change the default policy to `block all` without compiling a custom kernel, remember to add a `block all` rule at the end of the ruleset. [.programlisting] .... @@ -1591,7 +1892,8 @@ Then, to start IPF now: # service ipfilter start .... -To load the firewall rules, specify the name of the ruleset file using `ipf`. The following command can be used to replace the currently running firewall rules: +To load the firewall rules, specify the name of the ruleset file using `ipf`. +The following command can be used to replace the currently running firewall rules: [source,shell] .... @@ -1600,24 +1902,36 @@ To load the firewall rules, specify the name of the ruleset file using `ipf`. Th where `-Fa` flushes all the internal rules tables and `-f` specifies the file containing the rules to load. -This provides the ability to make changes to a custom ruleset and update the running firewall with a fresh copy of the rules without having to reboot the system. This method is convenient for testing new rules as the procedure can be executed as many times as needed. +This provides the ability to make changes to a custom ruleset and update the running firewall with a fresh copy of the rules without having to reboot the system. +This method is convenient for testing new rules as the procedure can be executed as many times as needed. Refer to man:ipf[8] for details on the other flags available with this command. === IPF Rule Syntax -This section describes the IPF rule syntax used to create stateful rules. When creating rules, keep in mind that unless the `quick` keyword appears in a rule, every rule is read in order, with the _last matching rule_ being the one that is applied. This means that even if the first rule to match a packet is a `pass`, if there is a later matching rule that is a `block`, the packet will be dropped. Sample rulesets can be found in [.filename]#/usr/share/examples/ipfilter#. +This section describes the IPF rule syntax used to create stateful rules. +When creating rules, keep in mind that unless the `quick` keyword appears in a rule, every rule is read in order, with the _last matching rule_ being the one that is applied. +This means that even if the first rule to match a packet is a `pass`, if there is a later matching rule that is a `block`, the packet will be dropped. +Sample rulesets can be found in [.filename]#/usr/share/examples/ipfilter#. -When creating rules, a `#` character is used to mark the start of a comment and may appear at the end of a rule, to explain that rule's function, or on its own line. Any blank lines are ignored. +When creating rules, a `#` character is used to mark the start of a comment and may appear at the end of a rule, to explain that rule's function, or on its own line. +Any blank lines are ignored. -The keywords which are used in rules must be written in a specific order, from left to right. Some keywords are mandatory while others are optional. Some keywords have sub-options which may be keywords themselves and also include more sub-options. The keyword order is as follows, where the words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it: +The keywords which are used in rules must be written in a specific order, from left to right. +Some keywords are mandatory while others are optional. +Some keywords have sub-options which may be keywords themselves and also include more sub-options. +The keyword order is as follows, where the words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it: `_ACTION DIRECTION OPTIONS proto PROTO_TYPE from SRC_ADDR SRC_PORT to DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE keep state STATE_` -This section describes each of these keywords and their options. It is not an exhaustive list of every possible option. Refer to man:ipf[5] for a complete description of the rule syntax that can be used when creating IPF rules and examples for using each keyword. +This section describes each of these keywords and their options. +It is not an exhaustive list of every possible option. +Refer to man:ipf[5] for a complete description of the rule syntax that can be used when creating IPF rules and examples for using each keyword. ACTION:: -The action keyword indicates what to do with the packet if it matches that rule. Every rule _must_ have an action. The following actions are recognized: +The action keyword indicates what to do with the packet if it matches that rule. +Every rule _must_ have an action. +The following actions are recognized: + `block`: drops the packet. + @@ -1645,13 +1959,15 @@ Next, each rule must explicitly state the direction of traffic using one of thes If the system has multiple interfaces, the interface can be specified along with the direction. An example would be `in on fxp0`. OPTIONS:: -Options are optional. However, if multiple options are specified, they must be used in the order shown here. +Options are optional. +However, if multiple options are specified, they must be used in the order shown here. + `log`: when performing the specified ACTION, the contents of the packet's headers will be written to the man:ipl[4] packet log pseudo-device. + `quick`: if a packet matches this rule, the ACTION specified by the rule occurs and no further processing of any following rules will occur for this packet. + -`on`: must be followed by the interface name as displayed by man:ifconfig[8]. The rule will only match if the packet is going through the specified interface in the specified direction. +`on`: must be followed by the interface name as displayed by man:ifconfig[8]. +The rule will only match if the packet is going through the specified interface in the specified direction. + When using the `log` keyword, the following qualifiers may be used in this order: + @@ -1659,46 +1975,72 @@ When using the `log` keyword, the following qualifiers may be used in this order + `first`: if the `log` keyword is being used in conjunction with a `keep state` option, this option is recommended so that only the triggering packet is logged and not every packet which matches the stateful connection. + -Additional options are available to specify error return messages. Refer to man:ipf[5] for more details. +Additional options are available to specify error return messages. +Refer to man:ipf[5] for more details. PROTO_TYPE:: -The protocol type is optional. However, it is mandatory if the rule needs to specify a SRC_PORT or a DST_PORT as it defines the type of protocol. When specifying the type of protocol, use the `proto` keyword followed by either a protocol number or name from [.filename]#/etc/protocols#. Example protocol names include `tcp`, `udp`, or `icmp`. If PROTO_TYPE is specified but no SRC_PORT or DST_PORT is specified, all port numbers for that protocol will match that rule. +The protocol type is optional. +However, it is mandatory if the rule needs to specify a SRC_PORT or a DST_PORT as it defines the type of protocol. +When specifying the type of protocol, use the `proto` keyword followed by either a protocol number or name from [.filename]#/etc/protocols#. +Example protocol names include `tcp`, `udp`, or `icmp`. +If PROTO_TYPE is specified but no SRC_PORT or DST_PORT is specified, all port numbers for that protocol will match that rule. SRC_ADDR:: -The `from` keyword is mandatory and is followed by a keyword which represents the source of the packet. The source can be a hostname, an IP address followed by the CIDR mask, an address pool, or the keyword `all`. Refer to man:ipf[5] for examples. +The `from` keyword is mandatory and is followed by a keyword which represents the source of the packet. +The source can be a hostname, an IP address followed by the CIDR mask, an address pool, or the keyword `all`. +Refer to man:ipf[5] for examples. + -There is no way to match ranges of IP addresses which do not express themselves easily using the dotted numeric form / mask-length notation. The package:net-mgmt/ipcalc[] package or port may be used to ease the calculation of the CIDR mask. Additional information is available at the utility's web page: http://jodies.de/ipcalc[http://jodies.de/ipcalc]. +There is no way to match ranges of IP addresses which do not express themselves easily using the dotted numeric form / mask-length notation. +The package:net-mgmt/ipcalc[] package or port may be used to ease the calculation of the CIDR mask. +Additional information is available at the utility's web page: http://jodies.de/ipcalc[http://jodies.de/ipcalc]. SRC_PORT:: -The port number of the source is optional. However, if it is used, it requires PROTO_TYPE to be first defined in the rule. The port number must also be preceded by the `proto` keyword. +The port number of the source is optional. +However, if it is used, it requires PROTO_TYPE to be first defined in the rule. +The port number must also be preceded by the `proto` keyword. + A number of different comparison operators are supported: `=` (equal to), `!=` (not equal to), `<` (less than), `>` (greater than), `<=` (less than or equal to), and `>=` (greater than or equal to). + To specify port ranges, place the two port numbers between `<>` (less than and greater than ), `><` (greater than and less than ), or `:` (greater than or equal to and less than or equal to). DST_ADDR:: -The `to` keyword is mandatory and is followed by a keyword which represents the destination of the packet. Similar to SRC_ADDR, it can be a hostname, an IP address followed by the CIDR mask, an address pool, or the keyword `all`. +The `to` keyword is mandatory and is followed by a keyword which represents the destination of the packet. +Similar to SRC_ADDR, it can be a hostname, an IP address followed by the CIDR mask, an address pool, or the keyword `all`. DST_PORT:: -Similar to SRC_PORT, the port number of the destination is optional. However, if it is used, it requires PROTO_TYPE to be first defined in the rule. The port number must also be preceded by the `proto` keyword. +Similar to SRC_PORT, the port number of the destination is optional. +However, if it is used, it requires PROTO_TYPE to be first defined in the rule. +The port number must also be preceded by the `proto` keyword. TCP_FLAG|ICMP_TYPE:: -If `tcp` is specified as the PROTO_TYPE, flags can be specified as letters, where each letter represents one of the possible TCP flags used to determine the state of a connection. Possible values are: `S` (SYN), `A` (ACK), `P` (PSH), `F` (FIN), `U` (URG), `R` (RST), `C` (CWN), and `E` (ECN). +If `tcp` is specified as the PROTO_TYPE, flags can be specified as letters, where each letter represents one of the possible TCP flags used to determine the state of a connection. +Possible values are: `S` (SYN), `A` (ACK), `P` (PSH), `F` (FIN), `U` (URG), `R` (RST), `C` (CWN), and `E` (ECN). + -If `icmp` is specified as the PROTO_TYPE, the ICMP type to match can be specified. Refer to man:ipf[5] for the allowable types. +If `icmp` is specified as the PROTO_TYPE, the ICMP type to match can be specified. +Refer to man:ipf[5] for the allowable types. STATE:: -If a `pass` rule contains `keep state`, IPF will add an entry to its dynamic state table and allow subsequent packets that match the connection. IPF can track state for TCP, UDP, and ICMP sessions. Any packet that IPF can be certain is part of an active session, even if it is a different protocol, will be allowed. +If a `pass` rule contains `keep state`, IPF will add an entry to its dynamic state table and allow subsequent packets that match the connection. +IPF can track state for TCP, UDP, and ICMP sessions. +Any packet that IPF can be certain is part of an active session, even if it is a different protocol, will be allowed. + -In IPF, packets destined to go out through the interface connected to the public Internet are first checked against the dynamic state table. If the packet matches the next expected packet comprising an active session conversation, it exits the firewall and the state of the session conversation flow is updated in the dynamic state table. Packets that do not belong to an already active session are checked against the outbound ruleset. Packets coming in from the interface connected to the public Internet are first checked against the dynamic state table. If the packet matches the next expected packet comprising an active session, it exits the firewall and the state of the session conversation flow is updated in the dynamic state table. Packets that do not belong to an already active session are checked against the inbound ruleset. +In IPF, packets destined to go out through the interface connected to the public Internet are first checked against the dynamic state table. +If the packet matches the next expected packet comprising an active session conversation, it exits the firewall and the state of the session conversation flow is updated in the dynamic state table. +Packets that do not belong to an already active session are checked against the outbound ruleset. +Packets coming in from the interface connected to the public Internet are first checked against the dynamic state table. +If the packet matches the next expected packet comprising an active session, it exits the firewall and the state of the session conversation flow is updated in the dynamic state table. +Packets that do not belong to an already active session are checked against the inbound ruleset. + -Several keywords can be added after `keep state`. If used, these keywords set various options that control stateful filtering, such as setting connection limits or connection age. Refer to man:ipf[5] for the list of available options and their descriptions. +Several keywords can be added after `keep state`. +If used, these keywords set various options that control stateful filtering, such as setting connection limits or connection age. +Refer to man:ipf[5] for the list of available options and their descriptions. === Example Ruleset This section demonstrates how to create an example ruleset which only allows services matching `pass` rules and blocks all others. -FreeBSD uses the loopback interface ([.filename]#lo0#) and the IP address `127.0.0.1` for internal communication. The firewall ruleset must contain rules to allow free movement of these internally used packets: +FreeBSD uses the loopback interface ([.filename]#lo0#) and the IP address `127.0.0.1` for internal communication. +The firewall ruleset must contain rules to allow free movement of these internally used packets: [.programlisting] .... @@ -1707,7 +2049,9 @@ pass in quick on lo0 all pass out quick on lo0 all .... -The public interface connected to the Internet is used to authorize and control access of all outbound and inbound connections. If one or more interfaces are cabled to private networks, those internal interfaces may require rules to allow packets originating from the LAN to flow between the internal networks or to the interface attached to the Internet. The ruleset should be organized into three major sections: any trusted internal interfaces, outbound connections through the public interface, and inbound connections through the public interface. +The public interface connected to the Internet is used to authorize and control access of all outbound and inbound connections. +If one or more interfaces are cabled to private networks, those internal interfaces may require rules to allow packets originating from the LAN to flow between the internal networks or to the interface attached to the Internet. +The ruleset should be organized into three major sections: any trusted internal interfaces, outbound connections through the public interface, and inbound connections through the public interface. These two rules allow all traffic to pass through a trusted LAN interface named [.filename]#xl0#: @@ -1720,7 +2064,9 @@ pass in quick on xl0 all The rules for the public interface's outbound and inbound sections should have the most frequently matched rules placed before less commonly matched rules, with the last rule in the section blocking and logging all packets for that interface and direction. -This set of rules defines the outbound section of the public interface named [.filename]#dc0#. These rules keep state and identify the specific services that internal systems are authorized for public Internet access. All the rules use `quick` and specify the appropriate port numbers and, where applicable, destination addresses. +This set of rules defines the outbound section of the public interface named [.filename]#dc0#. +These rules keep state and identify the specific services that internal systems are authorized for public Internet access. +All the rules use `quick` and specify the appropriate port numbers and, where applicable, destination addresses. [.programlisting] .... @@ -1765,7 +2111,8 @@ pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state block out log first quick on dc0 all .... -This example of the rules in the inbound section of the public interface blocks all undesirable packets first. This reduces the number of packets that are logged by the last rule. +This example of the rules in the inbound section of the public interface blocks all undesirable packets first. +This reduces the number of packets that are logged by the last rule. [.programlisting] .... @@ -1806,9 +2153,11 @@ block in log first quick on dc0 proto tcp/udp from any to any port = 139 block in log first quick on dc0 proto tcp/udp from any to any port = 81 .... -Any time there are logged messages on a rule with the `log first` option, run `ipfstat -hio` to evaluate how many times the rule has been matched. A large number of matches may indicate that the system is under attack. +Any time there are logged messages on a rule with the `log first` option, run `ipfstat -hio` to evaluate how many times the rule has been matched. +A large number of matches may indicate that the system is under attack. -The rest of the rules in the inbound section define which connections are allowed to be initiated from the Internet. The last rule denies all connections which were not explicitly allowed by previous rules in this section. +The rest of the rules in the inbound section define which connections are allowed to be initiated from the Internet. +The last rule denies all connections which were not explicitly allowed by previous rules in this section. [.programlisting] .... @@ -1834,7 +2183,9 @@ ipnat_enable="YES" ipnat_rules="/etc/ipnat.rules" .... -NAT rules are flexible and can accomplish many different things to fit the needs of both commercial and home users. The rule syntax presented here has been simplified to demonstrate common usage. For a complete rule syntax description, refer to man:ipnat[5]. +NAT rules are flexible and can accomplish many different things to fit the needs of both commercial and home users. +The rule syntax presented here has been simplified to demonstrate common usage. +For a complete rule syntax description, refer to man:ipnat[5]. The basic syntax for a NAT rule is as follows, where `map` starts the rule and _IF_ should be replaced with the name of the external interface: @@ -1843,13 +2194,22 @@ The basic syntax for a NAT rule is as follows, where `map` starts the rule and _ map IF LAN_IP_RANGE -> PUBLIC_ADDRESS .... -The _LAN_IP_RANGE_ is the range of IP addresses used by internal clients. Usually, it is a private address range such as `192.168.1.0/24`. The _PUBLIC_ADDRESS_ can either be the static external IP address or the keyword `0/32` which represents the IP address assigned to _IF_. +The _LAN_IP_RANGE_ is the range of IP addresses used by internal clients. +Usually, it is a private address range such as `192.168.1.0/24`. +The _PUBLIC_ADDRESS_ can either be the static external IP address or the keyword `0/32` which represents the IP address assigned to _IF_. -In IPF, when a packet arrives at the firewall from the LAN with a public destination, it first passes through the outbound rules of the firewall ruleset. Then, the packet is passed to the NAT ruleset which is read from the top down, where the first matching rule wins. IPF tests each NAT rule against the packet's interface name and source IP address. When a packet's interface name matches a NAT rule, the packet's source IP address in the private LAN is checked to see if it falls within the IP address range specified in _LAN_IP_RANGE_. On a match, the packet has its source IP address rewritten with the public IP address specified by _PUBLIC_ADDRESS_. IPF posts an entry in its internal NAT table so that when the packet returns from the Internet, it can be mapped back to its original private IP address before being passed to the firewall rules for further processing. +In IPF, when a packet arrives at the firewall from the LAN with a public destination, it first passes through the outbound rules of the firewall ruleset. +Then, the packet is passed to the NAT ruleset which is read from the top down, where the first matching rule wins. +IPF tests each NAT rule against the packet's interface name and source IP address. +When a packet's interface name matches a NAT rule, the packet's source IP address in the private LAN is checked to see if it falls within the IP address range specified in _LAN_IP_RANGE_. +On a match, the packet has its source IP address rewritten with the public IP address specified by _PUBLIC_ADDRESS_. +IPF posts an entry in its internal NAT table so that when the packet returns from the Internet, it can be mapped back to its original private IP address before being passed to the firewall rules for further processing. -For networks that have large numbers of internal systems or multiple subnets, the process of funneling every private IP address into a single public IP address becomes a resource problem. Two methods are available to relieve this issue. +For networks that have large numbers of internal systems or multiple subnets, the process of funneling every private IP address into a single public IP address becomes a resource problem. +Two methods are available to relieve this issue. -The first method is to assign a range of ports to use as source ports. By adding the `portmap` keyword, NAT can be directed to only use source ports in the specified range: +The first method is to assign a range of ports to use as source ports. +By adding the `portmap` keyword, NAT can be directed to only use source ports in the specified range: [.programlisting] .... @@ -1863,9 +2223,12 @@ Alternately, use the `auto` keyword which tells NAT to determine the ports that map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto .... -The second method is to use a pool of public addresses. This is useful when there are too many LAN addresses to fit into a single public address and a block of public IP addresses is available. These public addresses can be used as a pool from which NAT selects an IP address as a packet's address is mapped on its way out. +The second method is to use a pool of public addresses. +This is useful when there are too many LAN addresses to fit into a single public address and a block of public IP addresses is available. +These public addresses can be used as a pool from which NAT selects an IP address as a packet's address is mapped on its way out. -The range of public IP addresses can be specified using a netmask or CIDR notation. These two rules are equivalent: +The range of public IP addresses can be specified using a netmask or CIDR notation. +These two rules are equivalent: [.programlisting] .... @@ -1873,7 +2236,9 @@ map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0 map dc0 192.168.1.0/24 -> 204.134.75.0/24 .... -A common practice is to have a publically accessible web server or mail server segregated to an internal network segment. The traffic from these servers still has to undergo NAT, but port redirection is needed to direct inbound traffic to the correct server. For example, to map a web server using the internal address `10.0.10.25` to its public IP address of `20.20.20.5`, use this rule: +A common practice is to have a publically accessible web server or mail server segregated to an internal network segment. +The traffic from these servers still has to undergo NAT, but port redirection is needed to direct inbound traffic to the correct server. +For example, to map a web server using the internal address `10.0.10.25` to its public IP address of `20.20.20.5`, use this rule: [.programlisting] .... @@ -1887,9 +2252,12 @@ If it is the only web server, this rule would also work as it redirects all exte rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80 .... -IPF has a built in FTP proxy which can be used with NAT. It monitors all outbound traffic for active or passive FTP connection requests and dynamically creates temporary filter rules containing the port number used by the FTP data channel. This eliminates the need to open large ranges of high order ports for FTP connections. +IPF has a built in FTP proxy which can be used with NAT. +It monitors all outbound traffic for active or passive FTP connection requests and dynamically creates temporary filter rules containing the port number used by the FTP data channel. +This eliminates the need to open large ranges of high order ports for FTP connections. -In this example, the first rule calls the proxy for outbound FTP traffic from the internal LAN. The second rule passes the FTP traffic from the firewall to the Internet, and the third rule handles all non-FTP traffic from the internal LAN: +In this example, the first rule calls the proxy for outbound FTP traffic from the internal LAN. +The second rule passes the FTP traffic from the firewall to the Internet, and the third rule handles all non-FTP traffic from the internal LAN: [.programlisting] .... @@ -1898,9 +2266,11 @@ map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp map dc0 10.0.10.0/29 -> 0/32 .... -The FTP `map` rules go before the NAT rule so that when a packet matches an FTP rule, the FTP proxy creates temporary filter rules to let the FTP session packets pass and undergo NAT. All LAN packets that are not FTP will not match the FTP rules but will undergo NAT if they match the third rule. +The FTP `map` rules go before the NAT rule so that when a packet matches an FTP rule, the FTP proxy creates temporary filter rules to let the FTP session packets pass and undergo NAT. +All LAN packets that are not FTP will not match the FTP rules but will undergo NAT if they match the third rule. -Without the FTP proxy, the following firewall rules would instead be needed. Note that without the proxy, all ports above `1024` need to be allowed: +Without the FTP proxy, the following firewall rules would instead be needed. +Note that without the proxy, all ports above `1024` need to be allowed: [.programlisting] .... @@ -1915,7 +2285,8 @@ pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state .... -Whenever the file containing the NAT rules is edited, run `ipnat` with `-CF` to delete the current NAT rules and flush the contents of the dynamic translation table. Include `-f` and specify the name of the NAT ruleset to load: +Whenever the file containing the NAT rules is edited, run `ipnat` with `-CF` to delete the current NAT rules and flush the contents of the dynamic translation table. +Include `-f` and specify the name of the NAT ruleset to load: [source,shell] .... @@ -1945,7 +2316,8 @@ To turn verbose mode on and display information relating to rule processing and === Viewing IPF Statistics -IPF includes man:ipfstat[8] which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall. Statistics are accumulated since the firewall was last started or since the last time they were reset to zero using `ipf -Z`. +IPF includes man:ipfstat[8] which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall. +Statistics are accumulated since the firewall was last started or since the last time they were reset to zero using `ipf -Z`. The default `ipfstat` output looks like this: @@ -1970,7 +2342,10 @@ input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 Packet log flags set: (0) .... -Several options are available. When supplied with either `-i` for inbound or `-o` for outbound, the command will retrieve and display the appropriate list of filter rules currently installed and in use by the kernel. To also see the rule numbers, include `-n`. For example, `ipfstat -on` displays the outbound rules table with rule numbers: +Several options are available. +When supplied with either `-i` for inbound or `-o` for outbound, the command will retrieve and display the appropriate list of filter rules currently installed and in use by the kernel. +To also see the rule numbers, include `-n`. +For example, `ipfstat -on` displays the outbound rules table with rule numbers: [source,shell] .... @@ -1979,7 +2354,8 @@ Several options are available. When supplied with either `-i` for inbound or `-o @3 pass out quick on dc0 proto tcp/udp from any to any keep state .... -Include `-h` to prefix each rule with a count of how many times the rule was matched. For example, `ipfstat -oh` displays the outbound internal rules table, prefixing each rule with its usage count: +Include `-h` to prefix each rule with a count of how many times the rule was matched. +For example, `ipfstat -oh` displays the outbound internal rules table, prefixing each rule with its usage count: [source,shell] .... @@ -1988,13 +2364,18 @@ Include `-h` to prefix each rule with a count of how many times the rule was mat 430918 pass out quick on dc0 proto tcp/udp from any to any keep state .... -To display the state table in a format similar to man:top[1], use `ipfstat -t`. When the firewall is under attack, this option provides the ability to identify and see the attacking packets. The optional sub-flags give the ability to select the destination or source IP, port, or protocol to be monitored in real time. Refer to man:ipfstat[8] for details. +To display the state table in a format similar to man:top[1], use `ipfstat -t`. +When the firewall is under attack, this option provides the ability to identify and see the attacking packets. +The optional sub-flags give the ability to select the destination or source IP, port, or protocol to be monitored in real time. +Refer to man:ipfstat[8] for details. === IPF Logging -IPF provides `ipmon`, which can be used to write the firewall's logging information in a human readable format. It requires that `options IPFILTER_LOG` be first added to a custom kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. +IPF provides `ipmon`, which can be used to write the firewall's logging information in a human readable format. +It requires that `options IPFILTER_LOG` be first added to a custom kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. -This command is typically run in daemon mode in order to provide a continuous system log file so that logging of past events may be reviewed. Since FreeBSD has a built in man:syslogd[8] facility to automatically rotate system logs, the default [.filename]#rc.conf#`ipmon_flags` statement uses `-Ds`: +This command is typically run in daemon mode in order to provide a continuous system log file so that logging of past events may be reviewed. +Since FreeBSD has a built in man:syslogd[8] facility to automatically rotate system logs, the default [.filename]#rc.conf# `ipmon_flags` statement uses `-Ds`: [.programlisting] .... @@ -2004,11 +2385,16 @@ ipmon_flags="-Ds" # D = start as daemon # n = map IP & port to names .... -Logging provides the ability to review, after the fact, information such as which packets were dropped, what addresses they came from, and where they were going. This information is useful in tracking down attackers. +Logging provides the ability to review, after the fact, information such as which packets were dropped, what addresses they came from, and where they were going. +This information is useful in tracking down attackers. -Once the logging facility is enabled in [.filename]#rc.conf# and started with `service ipmon start`, IPF will only log the rules which contain the `log` keyword. The firewall administrator decides which rules in the ruleset should be logged and normally only deny rules are logged. It is customary to include the `log` keyword in the last rule in the ruleset. This makes it possible to see all the packets that did not match any of the rules in the ruleset. +Once the logging facility is enabled in [.filename]#rc.conf# and started with `service ipmon start`, IPF will only log the rules which contain the `log` keyword. +The firewall administrator decides which rules in the ruleset should be logged and normally only deny rules are logged. +It is customary to include the `log` keyword in the last rule in the ruleset. +This makes it possible to see all the packets that did not match any of the rules in the ruleset. -By default, `ipmon -Ds` mode uses `local0` as the logging facility. The following logging levels can be used to further segregate the logged data: +By default, `ipmon -Ds` mode uses `local0` as the logging facility. +The following logging levels can be used to further segregate the logged data: [source,shell] .... @@ -2036,7 +2422,8 @@ To activate the changes and instruct man:syslogd[8] to read the modified [.filen Do not forget to edit [.filename]#/etc/newsyslog.conf# to rotate the new log file. -Messages generated by `ipmon` consist of data fields separated by white space. Fields common to all messages are: +Messages generated by `ipmon` consist of data fields separated by white space. +Fields common to all messages are: . The date of packet receipt. . The time of packet receipt. This is in the form HH:MM:SS.F, for hours, minutes, seconds, and fractions of a second. @@ -2047,20 +2434,32 @@ Messages generated by `ipmon` consist of data fields separated by white space. F . `PR` followed by the protocol name or number: for example, `PR tcp`. . `len` followed by the header length and total length of the packet: for example, `len 20 40`. -If the packet is a TCP packet, there will be an additional field starting with a hyphen followed by letters corresponding to any flags that were set. Refer to man:ipf[5] for a list of letters and their flags. +If the packet is a TCP packet, there will be an additional field starting with a hyphen followed by letters corresponding to any flags that were set. +Refer to man:ipf[5] for a list of letters and their flags. -If the packet is an ICMP packet, there will be two fields at the end: the first always being "icmp" and the next being the ICMP message and sub-message type, separated by a slash. For example: `icmp 3/3` for a port unreachable message. +If the packet is an ICMP packet, there will be two fields at the end: the first always being "icmp" and the next being the ICMP message and sub-message type, separated by a slash. +For example: `icmp 3/3` for a port unreachable message. [[firewalls-blacklistd]] == Blacklistd -Blacklistd is a daemon listening to sockets to receive notifications from other daemons about connection attempts that failed or were successful. It is most widely used in blocking too many connection attempts on open ports. A prime example is SSH running on the internet getting a lot of requests from bots or scripts trying to guess passwords and gain access. Using blacklistd, the daemon can notify the firewall to create a filter rule to block excessive connection attempts from a single source after a number of tries. Blacklistd was first developed on NetBSD and appeared there in version 7. FreeBSD 11 imported blacklistd from NetBSD. +Blacklistd is a daemon listening to sockets to receive notifications from other daemons about connection attempts that failed or were successful. +It is most widely used in blocking too many connection attempts on open ports. +A prime example is SSH running on the internet getting a lot of requests from bots or scripts trying to guess passwords and gain access. +Using blacklistd, the daemon can notify the firewall to create a filter rule to block excessive connection attempts from a single source after a number of tries. Blacklistd was first developed on NetBSD and appeared there in version 7. +FreeBSD 11 imported blacklistd from NetBSD. -This chapter describes how to set up blacklistd, configure it, and provides examples on how to use it. Readers should be familiar with basic firewall concepts like rules. For details, refer to the firewall chapter. PF is used in the examples, but other firewalls available on FreeBSD should be able to work with blacklistd, too. +This chapter describes how to set up blacklistd, configure it, and provides examples on how to use it. +Readers should be familiar with basic firewall concepts like rules. +For details, refer to the firewall chapter. +PF is used in the examples, but other firewalls available on FreeBSD should be able to work with blacklistd, too. === Enabling Blacklistd -The main configuration for blacklistd is stored in man:blacklistd.conf[5]. Various command line options are also available to change blacklistd's run-time behavior. Persistent configuration across reboots should be stored in [.filename]#/etc/blacklistd.conf#. To enable the daemon during system boot, add a `blacklistd_enable` line to [.filename]#/etc/rc.conf# like this: +The main configuration for blacklistd is stored in man:blacklistd.conf[5]. +Various command line options are also available to change blacklistd's run-time behavior. +Persistent configuration across reboots should be stored in [.filename]#/etc/blacklistd.conf#. +To enable the daemon during system boot, add a `blacklistd_enable` line to [.filename]#/etc/rc.conf# like this: [source,shell] .... @@ -2076,7 +2475,9 @@ To start the service manually, run this command: === Creating a Blacklistd Ruleset -Rules for blacklistd are configured in man:blacklistd.conf[5] with one entry per line. Each rule contains a tuple separated by spaces or tabs. Rules either belong to a `local` or a `remote`, which applies to the machine where blacklistd is running or an outside source, respectively. +Rules for blacklistd are configured in man:blacklistd.conf[5] with one entry per line. +Each rule contains a tuple separated by spaces or tabs. +Rules either belong to a `local` or a `remote`, which applies to the machine where blacklistd is running or an outside source, respectively. ==== Local Rules @@ -2088,24 +2489,38 @@ An example blacklistd.conf entry for a local rule looks like this: ssh stream * * * 3 24h .... -All rules that follow the `[local]` section are treated as local rules (which is the default), applying to the local machine. When a `[remote]` section is encountered, all rules that follow it are handled as remote machine rules. +All rules that follow the `[local]` section are treated as local rules (which is the default), applying to the local machine. +When a `[remote]` section is encountered, all rules that follow it are handled as remote machine rules. -Seven fields define a rule separated by either tabs or spaces. The first four fields identify the traffic that should be blacklisted. The three fields that follow define backlistd's behavior. Wildcards are denoted as asterisks (`*`), matching anything in this field. The first field defines the location. In local rules, these are the network ports. The syntax for the location field is as follows: +Seven fields define a rule separated by either tabs or spaces. +The first four fields identify the traffic that should be blacklisted. +The three fields that follow define backlistd's behavior. +Wildcards are denoted as asterisks (`*`), matching anything in this field. +The first field defines the location. +In local rules, these are the network ports. +The syntax for the location field is as follows: [.programlisting] .... [address|interface][/mask][:port] .... -Adressses can be specified as IPv4 in numeric format or IPv6 in square brackets. An interface name like `_em0_` can also be used. +Adressses can be specified as IPv4 in numeric format or IPv6 in square brackets. +An interface name like `_em0_` can also be used. -The socket type is defined by the second field. TCP sockets are of type `stream`, whereas UDP is denoted as `dgram`. The example above uses TCP, since SSH is using that protocol. +The socket type is defined by the second field. +TCP sockets are of type `stream`, whereas UDP is denoted as `dgram`. +The example above uses TCP, since SSH is using that protocol. -A protocol can be used in the third field of a blacklistd rule. The following protocols can be used: `tcp`, `udp`, `tcp6`, `udp6`, or numeric. A wildcard, like in the example, is typically used to match all protocols unless there is a reason to distinguish traffic by a certain protocol. +A protocol can be used in the third field of a blacklistd rule. +The following protocols can be used: `tcp`, `udp`, `tcp6`, `udp6`, or numeric. +A wildcard, like in the example, is typically used to match all protocols unless there is a reason to distinguish traffic by a certain protocol. -In the fourth field, the effective user or owner of the daemon process that is reporting the event is defined. The username or UID can be used here, as well as a wildcard (see example rule above). +In the fourth field, the effective user or owner of the daemon process that is reporting the event is defined. +The username or UID can be used here, as well as a wildcard (see example rule above). -The packet filter rule name is declared by the fifth field, which starts the behavior part of the rule. By default, blacklistd puts all blocks under a pf anchor called `blacklistd` in [.filename]#pf.conf# like this: +The packet filter rule name is declared by the fifth field, which starts the behavior part of the rule. +By default, blacklistd puts all blocks under a pf anchor called `blacklistd` in [.filename]#pf.conf# like this: [.programlisting] .... @@ -2114,7 +2529,10 @@ block in pass out .... -For separate blacklists, an anchor name can be used in this field. In other cases, the wildcard will suffice. When a name starts with a hyphen (`-`) it means that an anchor with the default rule name prepended should be used. A modified example from the above using the hyphen would look like this: +For separate blacklists, an anchor name can be used in this field. +In other cases, the wildcard will suffice. +When a name starts with a hyphen (`-`) it means that an anchor with the default rule name prepended should be used. +A modified example from the above using the hyphen would look like this: [.programlisting] .... @@ -2123,7 +2541,9 @@ ssh stream * * -ssh 3 24h With such a rule, any new blacklist rules are added to an anchor called `blacklistd-ssh`. -To block whole subnets for a single rule violation, a `/` in the rule name can be used. This causes the remaining portion of the name to be interpreted as the mask to be applied to the address specified in the rule. For example, this rule would block every address adjoining `/24`. +To block whole subnets for a single rule violation, a `/` in the rule name can be used. +This causes the remaining portion of the name to be interpreted as the mask to be applied to the address specified in the rule. +For example, this rule would block every address adjoining `/24`. [.programlisting] .... @@ -2132,20 +2552,29 @@ To block whole subnets for a single rule violation, a `/` in the rule name can b [NOTE] ==== -It is important to specify the proper protocol here. IPv4 and IPv6 treat /24 differently, that is the reason why `*` cannot be used in the third field for this rule. +It is important to specify the proper protocol here. +IPv4 and IPv6 treat /24 differently, that is the reason why `*` cannot be used in the third field for this rule. ==== This rule defines that if any one host in that network is misbehaving, everything else on that network will be blocked, too. -The sixth field, called `nfail`, sets the number of login failures required to blacklist the remote IP in question. When a wildcard is used at this position, it means that blocks will never happen. In the example rule above, a limit of three is defined meaning that after three attempts to log into SSH on one connection, the IP is blocked. +The sixth field, called `nfail`, sets the number of login failures required to blacklist the remote IP in question. +When a wildcard is used at this position, it means that blocks will never happen. +In the example rule above, a limit of three is defined meaning that after three attempts to log into SSH on one connection, the IP is blocked. -The last field in a blacklistd rule definition specifies how long a host is blacklisted. The default unit is seconds, but suffixes like `m`, `h`, and `d` can also be specified for minutes, hours, and days, respectively. +The last field in a blacklistd rule definition specifies how long a host is blacklisted. +The default unit is seconds, but suffixes like `m`, `h`, and `d` can also be specified for minutes, hours, and days, respectively. -The example rule in its entirety means that after three times authenticating to SSH will result in a new PF block rule for that host. Rule matches are performed by first checking local rules one after another, from most specific to least specific. When a match occurs, the `remote` rules are applied and the name, `nfail`, and disable fields are changed by the `remote` rule that matched. +The example rule in its entirety means that after three times authenticating to SSH will result in a new PF block rule for that host. +Rule matches are performed by first checking local rules one after another, from most specific to least specific. +When a match occurs, the `remote` rules are applied and the name, `nfail`, and disable fields are changed by the `remote` rule that matched. ==== Remote Rules -Remote rules are used to specify how blacklistd changes its behavior depending on the remote host currently being evaluated. Each field in a remote rule is the same as in a local rule. The only difference is in the way blacklistd is using them. To explain it, this example rule is used: +Remote rules are used to specify how blacklistd changes its behavior depending on the remote host currently being evaluated. +Each field in a remote rule is the same as in a local rule. +The only difference is in the way blacklistd is using them. +To explain it, this example rule is used: [.programlisting] .... @@ -2153,17 +2582,27 @@ Remote rules are used to specify how blacklistd changes its behavior depending o 203.0.113.128/25 * * * =/25 = 48h .... -The address field can be an IP address (either v4 or v6), a port or both. This allows setting special rules for a specific remote address range like in this example. The fields for type, protocol and owner are identically interpreted as in the local rule. +The address field can be an IP address (either v4 or v6), a port or both. +This allows setting special rules for a specific remote address range like in this example. +The fields for type, protocol and owner are identically interpreted as in the local rule. -The name fields is different though: the equal sign (`=`) in a remote rule tells blacklistd to use the value from the matching local rule. It means that the firewall rule entry is taken and the `/25` prefix (a netmask of `255.255.255.128`) is added. When a connection from that address range is blacklisted, the entire subnet is affected. A PF anchor name can also be used here, in which case blacklistd will add rules for this address block to the anchor of that name. The default table is used when a wildcard is specified. +The name fields is different though: the equal sign (`=`) in a remote rule tells blacklistd to use the value from the matching local rule. +It means that the firewall rule entry is taken and the `/25` prefix (a netmask of `255.255.255.128`) is added. +When a connection from that address range is blacklisted, the entire subnet is affected. +A PF anchor name can also be used here, in which case blacklistd will add rules for this address block to the anchor of that name. +The default table is used when a wildcard is specified. -A custom number of failures in the `nfail` column can be defined for an address. This is useful for exceptions to a specific rule, to maybe allow someone a less strict application of rules or a bit more leniency in login tries. Blocking is disabled when an asterisk is used in this sixth field. +A custom number of failures in the `nfail` column can be defined for an address. +This is useful for exceptions to a specific rule, to maybe allow someone a less strict application of rules or a bit more leniency in login tries. +Blocking is disabled when an asterisk is used in this sixth field. Remote rules allow a stricter enforcement of limits on attempts to log in compared to attempts coming from a local network like an office. === Blacklistd Client Configuration -There are a few software packages in FreeBSD that can utilize blacklistd's functionality. The two most prominent ones are man:ftpd[8] and man:sshd[8] to block excessive connection attempts. To activate blacklistd in the SSH daemon, add the following line to [.filename]#/etc/ssh/sshd_config#: +There are a few software packages in FreeBSD that can utilize blacklistd's functionality. +The two most prominent ones are man:ftpd[8] and man:sshd[8] to block excessive connection attempts. +To activate blacklistd in the SSH daemon, add the following line to [.filename]#/etc/ssh/sshd_config#: [.programlisting] .... @@ -2183,7 +2622,9 @@ That is all that is needed to make these programs talk to blacklistd. === Blacklistd Management -Blacklistd provides the user with a management utility called man:blacklistctl[8]. It displays blocked addresses and networks that are blacklisted by the rules defined in man:blacklistd.conf[5]. To see the list of currently blocked hosts, use `dump` combined with `-b` like this. +Blacklistd provides the user with a management utility called man:blacklistctl[8]. +It displays blocked addresses and networks that are blacklisted by the rules defined in man:blacklistd.conf[5]. +To see the list of currently blocked hosts, use `dump` combined with `-b` like this. [source,shell] .... @@ -2192,7 +2633,10 @@ Blacklistd provides the user with a management utility called man:blacklistctl[8 213.0.123.128/25:22 OK 6/3 2019/06/08 14:30:19 .... -This example shows that there were 6 out of three permitted attempts on port 22 coming from the address range `213.0.123.128/25`. There are more attempts listed than are allowed because SSH allows a client to try multiple logins on a single TCP connection. A connection that is currently going on is not stopped by blacklistd. The last connection attempt is listed in the `last access` column of the output. +This example shows that there were 6 out of three permitted attempts on port 22 coming from the address range `213.0.123.128/25`. +There are more attempts listed than are allowed because SSH allows a client to try multiple logins on a single TCP connection. +A connection that is currently going on is not stopped by blacklistd. +The last connection attempt is listed in the `last access` column of the output. To see the remaining time that this host will be on the blacklist, add `-r` to the previous command. @@ -2207,7 +2651,15 @@ In this example, there are 36s seconds left until this host will not be blocked === Removing Hosts from the Block List -Sometimes it is necessary to remove a host from the block list before the remaining time expires. Unfortunately, there is no functionality in blacklistd to do that. However, it is possible to remove the address from the PF table using pfctl. For each blocked port, there is a child anchor inside the blacklistd anchor defined in [.filename]#/etc/pf.conf#. For example, if there is a child anchor for blocking port 22 it is called `blacklistd/22`. There is a table inside that child anchor that contains the blocked addresses. This table is called port followed by the port number. In this example, it would be called `port22`. With that information at hand, it is now possible to use man:pfctl[8] to display all addresses listed like this: +Sometimes it is necessary to remove a host from the block list before the remaining time expires. +Unfortunately, there is no functionality in blacklistd to do that. +However, it is possible to remove the address from the PF table using pfctl. +For each blocked port, there is a child anchor inside the blacklistd anchor defined in [.filename]#/etc/pf.conf#. +For example, if there is a child anchor for blocking port 22 it is called `blacklistd/22`. +There is a table inside that child anchor that contains the blocked addresses. +This table is called port followed by the port number. +In this example, it would be called `port22`. +With that information at hand, it is now possible to use man:pfctl[8] to display all addresses listed like this: [source,shell] .... @@ -2224,4 +2676,6 @@ After identifying the address to be unblocked from the list, the following comma # pfctl -a blacklistd/22 -t port22 -T delete 213.0.123.128/25 .... -The address is now removed from PF, but will still show up in the blacklistctl list, since it does not know about any changes made in PF. The entry in blacklistd's database will eventually expire and be removed from its output eventually. The entry will be added again if the host is matching one of the block rules in blacklistd again. +The address is now removed from PF, but will still show up in the blacklistctl list, since it does not know about any changes made in PF. +The entry in blacklistd's database will eventually expire and be removed from its output eventually. +The entry will be added again if the host is matching one of the block rules in blacklistd again. diff --git a/documentation/content/en/books/handbook/geom/_index.adoc b/documentation/content/en/books/handbook/geom/_index.adoc index dc508411bd..15bb1134b7 100644 --- a/documentation/content/en/books/handbook/geom/_index.adoc +++ b/documentation/content/en/books/handbook/geom/_index.adoc @@ -46,9 +46,12 @@ toc::[] [[geom-synopsis]] == Synopsis -In FreeBSD, the GEOM framework permits access and control to classes, such as Master Boot Records and BSD labels, through the use of providers, or the disk devices in [.filename]#/dev#. By supporting various software RAID configurations, GEOM transparently provides access to the operating system and operating system utilities. +In FreeBSD, the GEOM framework permits access and control to classes, such as Master Boot Records and BSD labels, through the use of providers, or the disk devices in [.filename]#/dev#. +By supporting various software RAID configurations, GEOM transparently provides access to the operating system and operating system utilities. -This chapter covers the use of disks under the GEOM framework in FreeBSD. This includes the major RAID control utilities which use the framework for configuration. This chapter is not a definitive guide to RAID configurations and only GEOM-supported RAID classifications are discussed. +This chapter covers the use of disks under the GEOM framework in FreeBSD. +This includes the major RAID control utilities which use the framework for configuration. +This chapter is not a definitive guide to RAID configurations and only GEOM-supported RAID classifications are discussed. After reading this chapter, you will know: @@ -65,9 +68,13 @@ Before reading this chapter, you should: [[geom-striping]] == RAID0 - Striping -Striping combines several disk drives into a single volume. Striping can be performed through the use of hardware RAID controllers. The GEOM disk subsystem provides software support for disk striping, also known as RAID0, without the need for a RAID disk controller. +Striping combines several disk drives into a single volume. +Striping can be performed through the use of hardware RAID controllers. +The GEOM disk subsystem provides software support for disk striping, also known as RAID0, without the need for a RAID disk controller. -In RAID0, data is split into blocks that are written across all the drives in the array. As seen in the following illustration, instead of having to wait on the system to write 256k to one disk, RAID0 can simultaneously write 64k to each of the four disks in the array, offering superior I/O performance. This performance can be enhanced further by using multiple disk controllers. +In RAID0, data is split into blocks that are written across all the drives in the array. +As seen in the following illustration, instead of having to wait on the system to write 256k to one disk, RAID0 can simultaneously write 64k to each of the four disks in the array, offering superior I/O performance. +This performance can be enhanced further by using multiple disk controllers. image::striping.png[Disk Striping Illustration] @@ -75,10 +82,13 @@ Each disk in a RAID0 stripe must be of the same size, since I/O requests are int [NOTE] ==== -RAID0 does _not_ provide any redundancy. This means that if one disk in the array fails, all of the data on the disks is lost. If the data is important, implement a backup strategy that regularly saves backups to a remote system or device. +RAID0 does _not_ provide any redundancy. +This means that if one disk in the array fails, all of the data on the disks is lost. +If the data is important, implement a backup strategy that regularly saves backups to a remote system or device. ==== -The process for creating a software, GEOM-based RAID0 on a FreeBSD system using commodity disks is as follows. Once the stripe is created, refer to man:gstripe[8] for more information on how to control an existing stripe. +The process for creating a software, GEOM-based RAID0 on a FreeBSD system using commodity disks is as follows. +Once the stripe is created, refer to man:gstripe[8] for more information on how to control an existing stripe. [.procedure] **** @@ -116,7 +126,8 @@ Done. # newfs -U /dev/stripe/st0a .... + -Many numbers will glide across the screen, and after a few seconds, the process will be complete. The volume has been created and is ready to be mounted. +Many numbers will glide across the screen, and after a few seconds, the process will be complete. +The volume has been created and is ready to be mounted. . To manually mount the created disk stripe: + [source,shell] @@ -144,37 +155,50 @@ Many numbers will glide across the screen, and after a few seconds, the process [[geom-mirror]] == RAID1 - Mirroring -RAID1, or _mirroring_, is the technique of writing the same data to more than one disk drive. Mirrors are usually used to guard against data loss due to drive failure. Each drive in a mirror contains an identical copy of the data. When an individual drive fails, the mirror continues to work, providing data from the drives that are still functioning. The computer keeps running, and the administrator has time to replace the failed drive without user interruption. +RAID1, or _mirroring_, is the technique of writing the same data to more than one disk drive. +Mirrors are usually used to guard against data loss due to drive failure. +Each drive in a mirror contains an identical copy of the data. +When an individual drive fails, the mirror continues to work, providing data from the drives that are still functioning. +The computer keeps running, and the administrator has time to replace the failed drive without user interruption. -Two common situations are illustrated in these examples. The first creates a mirror out of two new drives and uses it as a replacement for an existing single drive. The second example creates a mirror on a single new drive, copies the old drive's data to it, then inserts the old drive into the mirror. While this procedure is slightly more complicated, it only requires one new drive. +Two common situations are illustrated in these examples. +The first creates a mirror out of two new drives and uses it as a replacement for an existing single drive. +The second example creates a mirror on a single new drive, copies the old drive's data to it, then inserts the old drive into the mirror. +While this procedure is slightly more complicated, it only requires one new drive. -Traditionally, the two drives in a mirror are identical in model and capacity, but man:gmirror[8] does not require that. Mirrors created with dissimilar drives will have a capacity equal to that of the smallest drive in the mirror. Extra space on larger drives will be unused. Drives inserted into the mirror later must have at least as much capacity as the smallest drive already in the mirror. +Traditionally, the two drives in a mirror are identical in model and capacity, but man:gmirror[8] does not require that. +Mirrors created with dissimilar drives will have a capacity equal to that of the smallest drive in the mirror. +Extra space on larger drives will be unused. +Drives inserted into the mirror later must have at least as much capacity as the smallest drive already in the mirror. [WARNING] ==== - The mirroring procedures shown here are non-destructive, but as with any major disk operation, make a full backup first. ==== [WARNING] ==== - -While man:dump[8] is used in these procedures to copy file systems, it does not work on file systems with soft updates journaling. See man:tunefs[8] for information on detecting and disabling soft updates journaling. +While man:dump[8] is used in these procedures to copy file systems, it does not work on file systems with soft updates journaling. +See man:tunefs[8] for information on detecting and disabling soft updates journaling. ==== [[geom-mirror-metadata]] === Metadata Issues -Many disk systems store metadata at the end of each disk. Old metadata should be erased before reusing the disk for a mirror. Most problems are caused by two particular types of leftover metadata: GPT partition tables and old metadata from a previous mirror. +Many disk systems store metadata at the end of each disk. +Old metadata should be erased before reusing the disk for a mirror. +Most problems are caused by two particular types of leftover metadata: GPT partition tables and old metadata from a previous mirror. -GPT metadata can be erased with man:gpart[8]. This example erases both primary and backup GPT partition tables from disk [.filename]#ada8#: +GPT metadata can be erased with man:gpart[8]. +This example erases both primary and backup GPT partition tables from disk [.filename]#ada8#: [source,shell] .... # gpart destroy -F ada8 .... -A disk can be removed from an active mirror and the metadata erased in one step using man:gmirror[8]. Here, the example disk [.filename]#ada8# is removed from the active mirror [.filename]#gm4#: +A disk can be removed from an active mirror and the metadata erased in one step using man:gmirror[8]. +Here, the example disk [.filename]#ada8# is removed from the active mirror [.filename]#gm4#: [source,shell] .... @@ -188,14 +212,19 @@ If the mirror is not running, but old mirror metadata is still on the disk, use # gmirror clear ada8 .... -man:gmirror[8] stores one block of metadata at the end of the disk. As GPT partition schemes also store metadata at the end of the disk, mirroring entire GPT disks with man:gmirror[8] is not recommended. MBR partitioning is used here because it only stores a partition table at the start of the disk and does not conflict with the mirror metadata. +man:gmirror[8] stores one block of metadata at the end of the disk. +As GPT partition schemes also store metadata at the end of the disk, mirroring entire GPT disks with man:gmirror[8] is not recommended. +MBR partitioning is used here because it only stores a partition table at the start of the disk and does not conflict with the mirror metadata. [[geom-mirror-two-new-disks]] === Creating a Mirror with Two New Disks -In this example, FreeBSD has already been installed on a single disk, [.filename]#ada0#. Two new disks, [.filename]#ada1# and [.filename]#ada2#, have been connected to the system. A new mirror will be created on these two disks and used to replace the old single disk. +In this example, FreeBSD has already been installed on a single disk, [.filename]#ada0#. +Two new disks, [.filename]#ada1# and [.filename]#ada2#, have been connected to the system. +A new mirror will be created on these two disks and used to replace the old single disk. -The [.filename]#geom_mirror.ko# kernel module must either be built into the kernel or loaded at boot- or run-time. Manually load the kernel module now: +The [.filename]#geom_mirror.ko# kernel module must either be built into the kernel or loaded at boot- or run-time. +Manually load the kernel module now: [source,shell] .... @@ -209,9 +238,12 @@ Create the mirror with the two new drives: # gmirror label -v gm0 /dev/ada1 /dev/ada2 .... -[.filename]#gm0# is a user-chosen device name assigned to the new mirror. After the mirror has been started, this device name appears in [.filename]#/dev/mirror/#. +[.filename]#gm0# is a user-chosen device name assigned to the new mirror. +After the mirror has been started, this device name appears in [.filename]#/dev/mirror/#. -MBR and bsdlabel partition tables can now be created on the mirror with man:gpart[8]. This example uses a traditional file system layout, with partitions for [.filename]#/#, swap, [.filename]#/var#, [.filename]#/tmp#, and [.filename]#/usr#. A single [.filename]#/# and a swap partition will also work. +MBR and bsdlabel partition tables can now be created on the mirror with man:gpart[8]. +This example uses a traditional file system layout, with partitions for [.filename]#/#, swap, [.filename]#/var#, [.filename]#/tmp#, and [.filename]#/usr#. +A single [.filename]#/# and a swap partition will also work. Partitions on the mirror do not have to be the same size as those on the existing disk, but they must be large enough to hold all the data already present on [.filename]#ada0#. @@ -297,16 +329,22 @@ If the [.filename]#geom_mirror.ko# kernel module has not been built into the ker geom_mirror_load="YES" .... -Reboot the system to test the new mirror and verify that all data has been copied. The BIOS will see the mirror as two individual drives rather than a mirror. Since the drives are identical, it does not matter which is selected to boot. +Reboot the system to test the new mirror and verify that all data has been copied. +The BIOS will see the mirror as two individual drives rather than a mirror. +Since the drives are identical, it does not matter which is selected to boot. -See <<gmirror-troubleshooting>> if there are problems booting. Powering down and disconnecting the original [.filename]#ada0# disk will allow it to be kept as an offline backup. +See <<gmirror-troubleshooting>> if there are problems booting. +Powering down and disconnecting the original [.filename]#ada0# disk will allow it to be kept as an offline backup. In use, the mirror will behave just like the original single drive. [[geom-mirror-existing-drive]] === Creating a Mirror with an Existing Drive -In this example, FreeBSD has already been installed on a single disk, [.filename]#ada0#. A new disk, [.filename]#ada1#, has been connected to the system. A one-disk mirror will be created on the new disk, the existing system copied onto it, and then the old disk will be inserted into the mirror. This slightly complex procedure is required because `gmirror` needs to put a 512-byte block of metadata at the end of each disk, and the existing [.filename]#ada0# has usually had all of its space already allocated. +In this example, FreeBSD has already been installed on a single disk, [.filename]#ada0#. +A new disk, [.filename]#ada1#, has been connected to the system. +A one-disk mirror will be created on the new disk, the existing system copied onto it, and then the old disk will be inserted into the mirror. +This slightly complex procedure is required because `gmirror` needs to put a 512-byte block of metadata at the end of each disk, and the existing [.filename]#ada0# has usually had all of its space already allocated. Load the [.filename]#geom_mirror.ko# kernel module: @@ -325,7 +363,11 @@ Check the media size of the original disk with `diskinfo`: 1000204821504 # mediasize in bytes (931G) .... -Create a mirror on the new disk. To make certain that the mirror capacity is not any larger than the original [.filename]#ada0# drive, man:gnop[8] is used to create a fake drive of the exact same size. This drive does not store any data, but is used only to limit the size of the mirror. When man:gmirror[8] creates the mirror, it will restrict the capacity to the size of [.filename]#gzero.nop#, even if the new [.filename]#ada1# drive has more space. Note that the _1000204821504_ in the second line is equal to [.filename]#ada0#'s media size as shown by `diskinfo` above. +Create a mirror on the new disk. +To make certain that the mirror capacity is not any larger than the original [.filename]#ada0# drive, man:gnop[8] is used to create a fake drive of the exact same size. +This drive does not store any data, but is used only to limit the size of the mirror. +When man:gmirror[8] creates the mirror, it will restrict the capacity to the size of [.filename]#gzero.nop#, even if the new [.filename]#ada1# drive has more space. +Note that the _1000204821504_ in the second line is equal to [.filename]#ada0#'s media size as shown by `diskinfo` above. [source,shell] .... @@ -335,9 +377,13 @@ Create a mirror on the new disk. To make certain that the mirror capacity is not # gmirror forget gm0 .... -Since [.filename]#gzero.nop# does not store any data, the mirror does not see it as connected. The mirror is told to "forget" unconnected components, removing references to [.filename]#gzero.nop#. The result is a mirror device containing only a single disk, [.filename]#ada1#. +Since [.filename]#gzero.nop# does not store any data, the mirror does not see it as connected. +The mirror is told to "forget" unconnected components, removing references to [.filename]#gzero.nop#. +The result is a mirror device containing only a single disk, [.filename]#ada1#. -After creating [.filename]#gm0#, view the partition table on [.filename]#ada0#. This output is from a 1 TB drive. If there is some unallocated space at the end of the drive, the contents may be copied directly from [.filename]#ada0# to the new mirror. +After creating [.filename]#gm0#, view the partition table on [.filename]#ada0#. +This output is from a 1 TB drive. +If there is some unallocated space at the end of the drive, the contents may be copied directly from [.filename]#ada0# to the new mirror. However, if the output shows that all of the space on the disk is allocated, as in the following listing, there is no space available for the 512-byte mirror metadata at the end of the disk. @@ -348,7 +394,8 @@ However, if the output shows that all of the space on the disk is allocated, as 63 1953525105 1 freebsd [active] (931G) .... -In this case, the partition table must be edited to reduce the capacity by one sector on [.filename]#mirror/gm0#. The procedure will be explained later. +In this case, the partition table must be edited to reduce the capacity by one sector on [.filename]#mirror/gm0#. +The procedure will be explained later. In either case, partition tables on the primary disk should be first copied using `gpart backup` and `gpart restore`. @@ -358,7 +405,8 @@ In either case, partition tables on the primary disk should be first copied usin # gpart backup ada0s1 > table.ada0s1 .... -These commands create two files, [.filename]#table.ada0# and [.filename]#table.ada0s1#. This example is from a 1 TB drive: +These commands create two files, [.filename]#table.ada0# and [.filename]#table.ada0s1#. +This example is from a 1 TB drive: [source,shell] .... @@ -379,7 +427,9 @@ BSD 8 7 freebsd-ufs 968884224 984640881 .... -If no free space is shown at the end of the disk, the size of both the slice and the last partition must be reduced by one sector. Edit the two files, reducing the size of both the slice and last partition by one. These are the last numbers in each listing. +If no free space is shown at the end of the disk, the size of both the slice and the last partition must be reduced by one sector. +Edit the two files, reducing the size of both the slice and last partition by one. +These are the last numbers in each listing. [source,shell] .... @@ -410,7 +460,8 @@ Now restore the partition table into [.filename]#mirror/gm0#: # gpart restore mirror/gm0s1 < table.ada0s1 .... -Check the partition table with `gpart show`. This example has [.filename]#gm0s1a# for [.filename]#/#, [.filename]#gm0s1d# for [.filename]#/var#, [.filename]#gm0s1e# for [.filename]#/usr#, [.filename]#gm0s1f# for [.filename]#/data1#, and [.filename]#gm0s1g# for [.filename]#/data2#. +Check the partition table with `gpart show`. +This example has [.filename]#gm0s1a# for [.filename]#/#, [.filename]#gm0s1d# for [.filename]#/var#, [.filename]#gm0s1e# for [.filename]#/usr#, [.filename]#gm0s1f# for [.filename]#/data1#, and [.filename]#gm0s1g# for [.filename]#/data2#. [source,shell] .... @@ -432,7 +483,8 @@ Check the partition table with `gpart show`. This example has [.filename]#gm0s1a Both the slice and the last partition must have at least one free block at the end of the disk. -Create file systems on these new partitions. The number of partitions will vary to match the original disk, [.filename]#ada0#. +Create file systems on these new partitions. +The number of partitions will vary to match the original disk, [.filename]#ada0#. [source,shell] .... @@ -452,7 +504,8 @@ Make the mirror bootable by installing bootcode in the MBR and bsdlabel and sett # gpart bootcode -b /boot/boot mirror/gm0s1 .... -Adjust [.filename]#/etc/fstab# to use the new partitions on the mirror. Back up this file first by copying it to [.filename]#/etc/fstab.orig#. +Adjust [.filename]#/etc/fstab# to use the new partitions on the mirror. +Back up this file first by copying it to [.filename]#/etc/fstab.orig#. [source,shell] .... @@ -479,7 +532,8 @@ If the [.filename]#geom_mirror.ko# kernel module has not been built into the ker geom_mirror_load="YES" .... -File systems from the original disk can now be copied onto the mirror with man:dump[8] and man:restore[8]. Each file system dumped with `dump -L` will create a snapshot first, which can take some time. +File systems from the original disk can now be copied onto the mirror with man:dump[8] and man:restore[8]. +Each file system dumped with `dump -L` will create a snapshot first, which can take some time. [source,shell] .... @@ -495,7 +549,9 @@ File systems from the original disk can now be copied onto the mirror with man:d # dump -C16 -b64 -0aL -f - /data2 | (cd /mnt/data2 && restore -rf -) .... -Restart the system, booting from [.filename]#ada1#. If everything is working, the system will boot from [.filename]#mirror/gm0#, which now contains the same data as [.filename]#ada0# had previously. See <<gmirror-troubleshooting>> if there are problems booting. +Restart the system, booting from [.filename]#ada1#. +If everything is working, the system will boot from [.filename]#mirror/gm0#, which now contains the same data as [.filename]#ada0# had previously. +See <<gmirror-troubleshooting>> if there are problems booting. At this point, the mirror still consists of only the single [.filename]#ada1# disk. @@ -503,7 +559,9 @@ After booting from [.filename]#mirror/gm0# successfully, the final step is inser [IMPORTANT] ==== -When [.filename]#ada0# is inserted into the mirror, its former contents will be overwritten by data from the mirror. Make certain that [.filename]#mirror/gm0# has the same contents as [.filename]#ada0# before adding [.filename]#ada0# to the mirror. If the contents previously copied by man:dump[8] and man:restore[8] are not identical to what was on [.filename]#ada0#, revert [.filename]#/etc/fstab# to mount the file systems on [.filename]#ada0#, reboot, and start the whole procedure again. +When [.filename]#ada0# is inserted into the mirror, its former contents will be overwritten by data from the mirror. +Make certain that [.filename]#mirror/gm0# has the same contents as [.filename]#ada0# before adding [.filename]#ada0# to the mirror. +If the contents previously copied by man:dump[8] and man:restore[8] are not identical to what was on [.filename]#ada0#, revert [.filename]#/etc/fstab# to mount the file systems on [.filename]#ada0#, reboot, and start the whole procedure again. ==== [source,shell] @@ -512,7 +570,8 @@ When [.filename]#ada0# is inserted into the mirror, its former contents will be GEOM_MIRROR: Device gm0: rebuilding provider ada0 .... -Synchronization between the two disks will start immediately. Use `gmirror status` to view the progress. +Synchronization between the two disks will start immediately. +Use `gmirror status` to view the progress. [source,shell] .... @@ -533,12 +592,14 @@ mirror/gm0 COMPLETE ada1 (ACTIVE) ada0 (ACTIVE) .... -[.filename]#mirror/gm0# now consists of the two disks [.filename]#ada0# and [.filename]#ada1#, and the contents are automatically synchronized with each other. In use, [.filename]#mirror/gm0# will behave just like the original single drive. +[.filename]#mirror/gm0# now consists of the two disks [.filename]#ada0# and [.filename]#ada1#, and the contents are automatically synchronized with each other. +In use, [.filename]#mirror/gm0# will behave just like the original single drive. [[gmirror-troubleshooting]] === Troubleshooting -If the system no longer boots, BIOS settings may have to be changed to boot from one of the new mirrored drives. Either mirror drive can be used for booting, as they contain identical data. +If the system no longer boots, BIOS settings may have to be changed to boot from one of the new mirrored drives. +Either mirror drive can be used for booting, as they contain identical data. If the boot stops with this message, something is wrong with the mirror device: @@ -567,7 +628,9 @@ Manual root filesystem specification: mountroot> .... -Forgetting to load the [.filename]#geom_mirror.ko# module in [.filename]#/boot/loader.conf# can cause this problem. To fix it, boot from a FreeBSD installation media and choose `Shell` at the first prompt. Then load the mirror module and mount the mirror device: +Forgetting to load the [.filename]#geom_mirror.ko# module in [.filename]#/boot/loader.conf# can cause this problem. +To fix it, boot from a FreeBSD installation media and choose `Shell` at the first prompt. +Then load the mirror module and mount the mirror device: [source,shell] .... @@ -584,7 +647,11 @@ geom_mirror_load="YES" Save the file and reboot. -Other problems that cause `error 19` require more effort to fix. Although the system should boot from [.filename]#ada0#, another prompt to select a shell will appear if [.filename]#/etc/fstab# is incorrect. Enter `ufs:/dev/ada0s1a` at the boot loader prompt and press kbd:[Enter]. Undo the edits in [.filename]#/etc/fstab# then mount the file systems from the original disk ([.filename]#ada0#) instead of the mirror. Reboot the system and try the procedure again. +Other problems that cause `error 19` require more effort to fix. +Although the system should boot from [.filename]#ada0#, another prompt to select a shell will appear if [.filename]#/etc/fstab# is incorrect. +Enter `ufs:/dev/ada0s1a` at the boot loader prompt and press kbd:[Enter]. +Undo the edits in [.filename]#/etc/fstab# then mount the file systems from the original disk ([.filename]#ada0#) instead of the mirror. +Reboot the system and try the procedure again. [source,shell] .... @@ -595,34 +662,49 @@ Enter full pathname of shell or RETURN for /bin/sh: === Recovering from Disk Failure -The benefit of disk mirroring is that an individual disk can fail without causing the mirror to lose any data. In the above example, if [.filename]#ada0# fails, the mirror will continue to work, providing data from the remaining working drive, [.filename]#ada1#. +The benefit of disk mirroring is that an individual disk can fail without causing the mirror to lose any data. +In the above example, if [.filename]#ada0# fails, the mirror will continue to work, providing data from the remaining working drive, [.filename]#ada1#. -To replace the failed drive, shut down the system and physically replace the failed drive with a new drive of equal or greater capacity. Manufacturers use somewhat arbitrary values when rating drives in gigabytes, and the only way to really be sure is to compare the total count of sectors shown by `diskinfo -v`. A drive with larger capacity than the mirror will work, although the extra space on the new drive will not be used. +To replace the failed drive, shut down the system and physically replace the failed drive with a new drive of equal or greater capacity. +Manufacturers use somewhat arbitrary values when rating drives in gigabytes, and the only way to really be sure is to compare the total count of sectors shown by `diskinfo -v`. +A drive with larger capacity than the mirror will work, although the extra space on the new drive will not be used. -After the computer is powered back up, the mirror will be running in a "degraded" mode with only one drive. The mirror is told to forget drives that are not currently connected: +After the computer is powered back up, the mirror will be running in a "degraded" mode with only one drive. +The mirror is told to forget drives that are not currently connected: [source,shell] .... # gmirror forget gm0 .... -Any old metadata should be cleared from the replacement disk using the instructions in <<geom-mirror-metadata>>. Then the replacement disk, [.filename]#ada4# for this example, is inserted into the mirror: +Any old metadata should be cleared from the replacement disk using the instructions in <<geom-mirror-metadata>>. +Then the replacement disk, [.filename]#ada4# for this example, is inserted into the mirror: [source,shell] .... # gmirror insert gm0 /dev/ada4 .... -Resynchronization begins when the new drive is inserted into the mirror. This process of copying mirror data to a new drive can take a while. Performance of the mirror will be greatly reduced during the copy, so inserting new drives is best done when there is low demand on the computer. +Resynchronization begins when the new drive is inserted into the mirror. +This process of copying mirror data to a new drive can take a while. +Performance of the mirror will be greatly reduced during the copy, so inserting new drives is best done when there is low demand on the computer. -Progress can be monitored with `gmirror status`, which shows drives that are being synchronized and the percentage of completion. During resynchronization, the status will be `DEGRADED`, changing to `COMPLETE` when the process is finished. +Progress can be monitored with `gmirror status`, which shows drives that are being synchronized and the percentage of completion. +During resynchronization, the status will be `DEGRADED`, changing to `COMPLETE` when the process is finished. [[geom-raid3]] == RAID3 - Byte-level Striping with Dedicated Parity -RAID3 is a method used to combine several disk drives into a single volume with a dedicated parity disk. In a RAID3 system, data is split up into a number of bytes that are written across all the drives in the array except for one disk which acts as a dedicated parity disk. This means that disk reads from a RAID3 implementation access all disks in the array. Performance can be enhanced by using multiple disk controllers. The RAID3 array provides a fault tolerance of 1 drive, while providing a capacity of 1 - 1/n times the total capacity of all drives in the array, where n is the number of hard drives in the array. Such a configuration is mostly suitable for storing data of larger sizes such as multimedia files. +RAID3 is a method used to combine several disk drives into a single volume with a dedicated parity disk. +In a RAID3 system, data is split up into a number of bytes that are written across all the drives in the array except for one disk which acts as a dedicated parity disk. +This means that disk reads from a RAID3 implementation access all disks in the array. +Performance can be enhanced by using multiple disk controllers. +The RAID3 array provides a fault tolerance of 1 drive, while providing a capacity of 1 - 1/n times the total capacity of all drives in the array, where n is the number of hard drives in the array. +Such a configuration is mostly suitable for storing data of larger sizes such as multimedia files. -At least 3 physical hard drives are required to build a RAID3 array. Each disk must be of the same size, since I/O requests are interleaved to read or write to multiple disks in parallel. Also, due to the nature of RAID3, the number of drives must be equal to 3, 5, 9, 17, and so on, or 2^n + 1. +At least 3 physical hard drives are required to build a RAID3 array. +Each disk must be of the same size, since I/O requests are interleaved to read or write to multiple disks in parallel. +Also, due to the nature of RAID3, the number of drives must be equal to 3, 5, 9, 17, and so on, or 2^n + 1. This section demonstrates how to create a software RAID3 on a FreeBSD system. @@ -633,7 +715,8 @@ While it is theoretically possible to boot from a RAID3 array on FreeBSD, that c === Creating a Dedicated RAID3 Array -In FreeBSD, support for RAID3 is implemented by the man:graid3[8] GEOM class. Creating a dedicated RAID3 array on FreeBSD requires the following steps. +In FreeBSD, support for RAID3 is implemented by the man:graid3[8] GEOM class. +Creating a dedicated RAID3 array on FreeBSD requires the following steps. [.procedure] . First, load the [.filename]#geom_raid3.ko# kernel module by issuing one of the following commands: @@ -677,7 +760,8 @@ Done. # newfs -j /dev/raid3/gr0p1 .... + -Many numbers will glide across the screen, and after a bit of time, the process will be complete. The volume has been created and is ready to be mounted: +Many numbers will glide across the screen, and after a bit of time, the process will be complete. +The volume has been created and is ready to be mounted: + [source,shell] .... @@ -706,23 +790,31 @@ geom_raid3_load="YES" [[geom-graid]] == Software RAID Devices -Some motherboards and expansion cards add some simple hardware, usually just a ROM, that allows the computer to boot from a RAID array. After booting, access to the RAID array is handled by software running on the computer's main processor. This "hardware-assisted software RAID" gives RAID arrays that are not dependent on any particular operating system, and which are functional even before an operating system is loaded. +Some motherboards and expansion cards add some simple hardware, usually just a ROM, that allows the computer to boot from a RAID array. +After booting, access to the RAID array is handled by software running on the computer's main processor. +This "hardware-assisted software RAID" gives RAID arrays that are not dependent on any particular operating system, and which are functional even before an operating system is loaded. -Several levels of RAID are supported, depending on the hardware in use. See man:graid[8] for a complete list. +Several levels of RAID are supported, depending on the hardware in use. +See man:graid[8] for a complete list. -man:graid[8] requires the [.filename]#geom_raid.ko# kernel module, which is included in the [.filename]#GENERIC# kernel starting with FreeBSD 9.1. If needed, it can be loaded manually with `graid load`. +man:graid[8] requires the [.filename]#geom_raid.ko# kernel module, which is included in the [.filename]#GENERIC# kernel starting with FreeBSD 9.1. +If needed, it can be loaded manually with `graid load`. [[geom-graid-creating]] === Creating an Array -Software RAID devices often have a menu that can be entered by pressing special keys when the computer is booting. The menu can be used to create and delete RAID arrays. man:graid[8] can also create arrays directly from the command line. +Software RAID devices often have a menu that can be entered by pressing special keys when the computer is booting. +The menu can be used to create and delete RAID arrays. +man:graid[8] can also create arrays directly from the command line. -`graid label` is used to create a new array. The motherboard used for this example has an Intel software RAID chipset, so the Intel metadata format is specified. The new array is given a label of [.filename]#gm0#, it is a mirror (RAID1), and uses drives [.filename]#ada0# and [.filename]#ada1#. +`graid label` is used to create a new array. +The motherboard used for this example has an Intel software RAID chipset, so the Intel metadata format is specified. +The new array is given a label of [.filename]#gm0#, it is a mirror (RAID1), and uses drives [.filename]#ada0# and [.filename]#ada1#. [CAUTION] ==== - -Some space on the drives will be overwritten when they are made into a new array. Back up existing data first! +Some space on the drives will be overwritten when they are made into a new array. +Back up existing data first! ==== [source,shell] @@ -749,9 +841,13 @@ raid/r0 OPTIMAL ada0 (ACTIVE (ACTIVE)) ada1 (ACTIVE (ACTIVE)) .... -The array device appears in [.filename]#/dev/raid/#. The first array is called [.filename]#r0#. Additional arrays, if present, will be [.filename]#r1#, [.filename]#r2#, and so on. +The array device appears in [.filename]#/dev/raid/#. +The first array is called [.filename]#r0#. +Additional arrays, if present, will be [.filename]#r1#, [.filename]#r2#, and so on. -The BIOS menu on some of these devices can create arrays with special characters in their names. To avoid problems with those special characters, arrays are given simple numbered names like [.filename]#r0#. To show the actual labels, like [.filename]#gm0# in the example above, use man:sysctl[8]: +The BIOS menu on some of these devices can create arrays with special characters in their names. +To avoid problems with those special characters, arrays are given simple numbered names like [.filename]#r0#. +To show the actual labels, like [.filename]#gm0# in the example above, use man:sysctl[8]: [source,shell] .... @@ -761,7 +857,10 @@ The BIOS menu on some of these devices can create arrays with special characters [[geom-graid-volumes]] === Multiple Volumes -Some software RAID devices support more than one _volume_ on an array. Volumes work like partitions, allowing space on the physical drives to be split and used in different ways. For example, Intel software RAID devices support two volumes. This example creates a 40 G mirror for safely storing the operating system, followed by a 20 G RAID0 (stripe) volume for fast temporary storage: +Some software RAID devices support more than one _volume_ on an array. +Volumes work like partitions, allowing space on the physical drives to be split and used in different ways. +For example, Intel software RAID devices support two volumes. +This example creates a 40 G mirror for safely storing the operating system, followed by a 20 G RAID0 (stripe) volume for fast temporary storage: [source,shell] .... @@ -769,40 +868,48 @@ Some software RAID devices support more than one _volume_ on an array. Volumes w # graid add -S 20G gm0 RAID0 .... -Volumes appear as additional [.filename]#rX# entries in [.filename]#/dev/raid/#. An array with two volumes will show [.filename]#r0# and [.filename]#r1#. +Volumes appear as additional [.filename]#rX# entries in [.filename]#/dev/raid/#. +An array with two volumes will show [.filename]#r0# and [.filename]#r1#. See man:graid[8] for the number of volumes supported by different software RAID devices. [[geom-graid-converting]] === Converting a Single Drive to a Mirror -Under certain specific conditions, it is possible to convert an existing single drive to a man:graid[8] array without reformatting. To avoid data loss during the conversion, the existing drive must meet these minimum requirements: +Under certain specific conditions, it is possible to convert an existing single drive to a man:graid[8] array without reformatting. +To avoid data loss during the conversion, the existing drive must meet these minimum requirements: * The drive must be partitioned with the MBR partitioning scheme. GPT or other partitioning schemes with metadata at the end of the drive will be overwritten and corrupted by the man:graid[8] metadata. * There must be enough unpartitioned and unused space at the end of the drive to hold the man:graid[8] metadata. This metadata varies in size, but the largest occupies 64 M, so at least that much free space is recommended. -If the drive meets these requirements, start by making a full backup. Then create a single-drive mirror with that drive: +If the drive meets these requirements, start by making a full backup. +Then create a single-drive mirror with that drive: [source,shell] .... # graid label Intel gm0 RAID1 ada0 NONE .... -man:graid[8] metadata was written to the end of the drive in the unused space. A second drive can now be inserted into the mirror: +man:graid[8] metadata was written to the end of the drive in the unused space. +A second drive can now be inserted into the mirror: [source,shell] .... # graid insert raid/r0 ada1 .... -Data from the original drive will immediately begin to be copied to the second drive. The mirror will operate in degraded status until the copy is complete. +Data from the original drive will immediately begin to be copied to the second drive. +The mirror will operate in degraded status until the copy is complete. [[geom-graid-inserting]] === Inserting New Drives into the Array -Drives can be inserted into an array as replacements for drives that have failed or are missing. If there are no failed or missing drives, the new drive becomes a spare. For example, inserting a new drive into a working two-drive mirror results in a two-drive mirror with one spare drive, not a three-drive mirror. +Drives can be inserted into an array as replacements for drives that have failed or are missing. +If there are no failed or missing drives, the new drive becomes a spare. +For example, inserting a new drive into a working two-drive mirror results in a two-drive mirror with one spare drive, not a three-drive mirror. -In the example mirror array, data immediately begins to be copied to the newly-inserted drive. Any existing information on the new drive will be overwritten. +In the example mirror array, data immediately begins to be copied to the newly-inserted drive. +Any existing information on the new drive will be overwritten. [source,shell] .... @@ -829,7 +936,8 @@ GEOM_RAID: Intel-a29ea104: Volume gm0 state changed from OPTIMAL to DEGRADED. [[geom-graid-stopping]] === Stopping the Array -An array can be stopped without removing metadata from the drives. The array will be restarted when the system is booted. +An array can be stopped without removing metadata from the drives. +The array will be restarted when the system is booted. [source,shell] .... @@ -839,7 +947,8 @@ An array can be stopped without removing metadata from the drives. The array wil [[geom-graid-status]] === Checking Array Status -Array status can be checked at any time. After a drive was added to the mirror in the example above, data is being copied from the original drive to the new drive: +Array status can be checked at any time. +After a drive was added to the mirror in the example above, data is being copied from the original drive to the new drive: [source,shell] .... @@ -849,7 +958,8 @@ raid/r0 DEGRADED ada0 (ACTIVE (ACTIVE)) ada1 (ACTIVE (REBUILD 28%)) .... -Some types of arrays, like `RAID0` or `CONCAT`, may not be shown in the status report if disks have failed. To see these partially-failed arrays, add `-ga`: +Some types of arrays, like `RAID0` or `CONCAT`, may not be shown in the status report if disks have failed. +To see these partially-failed arrays, add `-ga`: [source,shell] .... @@ -861,7 +971,8 @@ Intel-e2d07d9a BROKEN ada6 (ACTIVE (ACTIVE)) [[geom-graid-deleting]] === Deleting Arrays -Arrays are destroyed by deleting all of the volumes from them. When the last volume present is deleted, the array is stopped and metadata is removed from the drives: +Arrays are destroyed by deleting all of the volumes from them. +When the last volume present is deleted, the array is stopped and metadata is removed from the drives: [source,shell] .... @@ -871,7 +982,9 @@ Arrays are destroyed by deleting all of the volumes from them. When the last vol [[geom-graid-unexpected]] === Deleting Unexpected Arrays -Drives may unexpectedly contain man:graid[8] metadata, either from previous use or manufacturer testing. man:graid[8] will detect these drives and create an array, interfering with access to the individual drive. To remove the unwanted metadata: +Drives may unexpectedly contain man:graid[8] metadata, either from previous use or manufacturer testing. +man:graid[8] will detect these drives and create an array, interfering with access to the individual drive. +To remove the unwanted metadata: [.procedure] . Boot the system. At the boot menu, select `2` for the loader prompt. Enter: @@ -893,7 +1006,8 @@ kern.geom.raid.enable=0 + to [.filename]#/boot/loader.conf#. + -To permanently remove the man:graid[8] metadata from the affected drive, boot a FreeBSD installation CD-ROM or memory stick, and select `Shell`. Use `status` to find the name of the array, typically `raid/r0`: +To permanently remove the man:graid[8] metadata from the affected drive, boot a FreeBSD installation CD-ROM or memory stick, and select `Shell`. +Use `status` to find the name of the array, typically `raid/r0`: + [source,shell] .... @@ -910,32 +1024,43 @@ Delete the volume by name: # graid delete raid/r0 .... + -If there is more than one volume shown, repeat the process for each volume. After the last array has been deleted, the volume will be destroyed. +If there is more than one volume shown, repeat the process for each volume. +After the last array has been deleted, the volume will be destroyed. + -Reboot and verify data, restoring from backup if necessary. After the metadata has been removed, the `kern.geom.raid.enable=0` entry in [.filename]#/boot/loader.conf# can also be removed. +Reboot and verify data, restoring from backup if necessary. +After the metadata has been removed, the `kern.geom.raid.enable=0` entry in [.filename]#/boot/loader.conf# can also be removed. [[geom-ggate]] == GEOM Gate Network -GEOM provides a simple mechanism for providing remote access to devices such as disks, CDs, and file systems through the use of the GEOM Gate network daemon, ggated. The system with the device runs the server daemon which handles requests made by clients using ggatec. The devices should not contain any sensitive data as the connection between the client and the server is not encrypted. +GEOM provides a simple mechanism for providing remote access to devices such as disks, CDs, and file systems through the use of the GEOM Gate network daemon, ggated. +The system with the device runs the server daemon which handles requests made by clients using ggatec. +The devices should not contain any sensitive data as the connection between the client and the server is not encrypted. -Similar to NFS, which is discussed in crossref:network-servers[network-nfs,"Network File System (NFS)"], ggated is configured using an exports file. This file specifies which systems are permitted to access the exported resources and what level of access they are offered. For example, to give the client `192.168.1.5` read and write access to the fourth slice on the first SCSI disk, create [.filename]#/etc/gg.exports# with this line: +Similar to NFS, which is discussed in crossref:network-servers[network-nfs,"Network File System (NFS)"], ggated is configured using an exports file. +This file specifies which systems are permitted to access the exported resources and what level of access they are offered. +For example, to give the client `192.168.1.5` read and write access to the fourth slice on the first SCSI disk, create [.filename]#/etc/gg.exports# with this line: [.programlisting] .... 192.168.1.5 RW /dev/da0s4d .... -Before exporting the device, ensure it is not currently mounted. Then, start ggated: +Before exporting the device, ensure it is not currently mounted. +Then, start ggated: [source,shell] .... # ggated .... -Several options are available for specifying an alternate listening port or changing the default location of the exports file. Refer to man:ggated[8] for details. +Several options are available for specifying an alternate listening port or changing the default location of the exports file. +Refer to man:ggated[8] for details. -To access the exported device on the client machine, first use `ggatec` to specify the IP address of the server and the device name of the exported device. If successful, this command will display a `ggate` device name to mount. Mount that specified device name on a free mount point. This example connects to the [.filename]#/dev/da0s4d# partition on `192.168.1.1`, then mounts [.filename]#/dev/ggate0# on [.filename]#/mnt#: +To access the exported device on the client machine, first use `ggatec` to specify the IP address of the server and the device name of the exported device. +If successful, this command will display a `ggate` device name to mount. +Mount that specified device name on a free mount point. +This example connects to the [.filename]#/dev/da0s4d# partition on `192.168.1.1`, then mounts [.filename]#/dev/ggate0# on [.filename]#/mnt#: [source,shell] .... @@ -944,11 +1069,13 @@ ggate0 # mount /dev/ggate0 /mnt .... -The device on the server may now be accessed through [.filename]#/mnt# on the client. For more details about `ggatec` and a few usage examples, refer to man:ggatec[8]. +The device on the server may now be accessed through [.filename]#/mnt# on the client. +For more details about `ggatec` and a few usage examples, refer to man:ggatec[8]. [NOTE] ==== -The mount will fail if the device is currently mounted on either the server or any other client on the network. If simultaneous access is needed to network resources, use NFS instead. +The mount will fail if the device is currently mounted on either the server or any other client on the network. +If simultaneous access is needed to network resources, use NFS instead. ==== When the device is no longer needed, unmount it with `umount` so that the resource is available to other clients. @@ -956,22 +1083,38 @@ When the device is no longer needed, unmount it with `umount` so that the resour [[geom-glabel]] == Labeling Disk Devices -During system initialization, the FreeBSD kernel creates device nodes as devices are found. This method of probing for devices raises some issues. For instance, what if a new disk device is added via USB? It is likely that a flash device may be handed the device name of [.filename]#da0# and the original [.filename]#da0# shifted to [.filename]#da1#. This will cause issues mounting file systems if they are listed in [.filename]#/etc/fstab# which may also prevent the system from booting. +During system initialization, the FreeBSD kernel creates device nodes as devices are found. +This method of probing for devices raises some issues. +For instance, what if a new disk device is added via USB? It is likely that a flash device may be handed the device name of [.filename]#da0# and the original [.filename]#da0# shifted to [.filename]#da1#. +This will cause issues mounting file systems if they are listed in [.filename]#/etc/fstab# which may also prevent the system from booting. -One solution is to chain SCSI devices in order so a new device added to the SCSI card will be issued unused device numbers. But what about USB devices which may replace the primary SCSI disk? This happens because USB devices are usually probed before the SCSI card. One solution is to only insert these devices after the system has been booted. Another method is to use only a single ATA drive and never list the SCSI devices in [.filename]#/etc/fstab#. +One solution is to chain SCSI devices in order so a new device added to the SCSI card will be issued unused device numbers. +But what about USB devices which may replace the primary SCSI disk? This happens because USB devices are usually probed before the SCSI card. +One solution is to only insert these devices after the system has been booted. +Another method is to use only a single ATA drive and never list the SCSI devices in [.filename]#/etc/fstab#. -A better solution is to use `glabel` to label the disk devices and use the labels in [.filename]#/etc/fstab#. Since `glabel` stores the label in the last sector of a given provider, the label will remain persistent across reboots. By using this label as a device, the file-system may always be mounted regardless of what device node it is accessed through. +A better solution is to use `glabel` to label the disk devices and use the labels in [.filename]#/etc/fstab#. +Since `glabel` stores the label in the last sector of a given provider, the label will remain persistent across reboots. +By using this label as a device, the file-system may always be mounted regardless of what device node it is accessed through. [NOTE] ==== -`glabel` can create both transient and permanent labels. Only permanent labels are consistent across reboots. Refer to man:glabel[8] for more information on the differences between labels. +`glabel` can create both transient and permanent labels. Only permanent labels are consistent across reboots. +Refer to man:glabel[8] for more information on the differences between labels. ==== === Label Types and Examples -Permanent labels can be a generic or a file system label. Permanent file system labels can be created with man:tunefs[8] or man:newfs[8]. These types of labels are created in a sub-directory of [.filename]#/dev#, and will be named according to the file system type. For example, UFS2 file system labels will be created in [.filename]#/dev/ufs#. Generic permanent labels can be created with `glabel label`. These are not file system specific and will be created in [.filename]#/dev/label#. +Permanent labels can be a generic or a file system label. +Permanent file system labels can be created with man:tunefs[8] or man:newfs[8]. +These types of labels are created in a sub-directory of [.filename]#/dev#, and will be named according to the file system type. +For example, UFS2 file system labels will be created in [.filename]#/dev/ufs#. +Generic permanent labels can be created with `glabel label`. +These are not file system specific and will be created in [.filename]#/dev/label#. -Temporary labels are destroyed at the next reboot. These labels are created in [.filename]#/dev/label# and are suited to experimentation. A temporary label can be created using `glabel create`. +Temporary labels are destroyed at the next reboot. +These labels are created in [.filename]#/dev/label# and are suited to experimentation. +A temporary label can be created using `glabel create`. To create a permanent label for a UFS2 file system without destroying any data, issue the following command: @@ -1001,7 +1144,8 @@ Now the file system may be mounted: From this point on, so long as the [.filename]#geom_label.ko# kernel module is loaded at boot with [.filename]#/boot/loader.conf# or the `GEOM_LABEL` kernel option is present, the device node may change without any ill effect on the system. -File systems may also be created with a default label by using the `-L` flag with `newfs`. Refer to man:newfs[8] for more information. +File systems may also be created with a default label by using the `-L` flag with `newfs`. +Refer to man:newfs[8] for more information. The following command can be used to destroy the label: @@ -1015,9 +1159,12 @@ The following example shows how to label the partitions of a boot disk. .Labeling Partitions on the Boot Disk [example] ==== -By permanently labeling the partitions on the boot disk, the system should be able to continue to boot normally, even if the disk is moved to another controller or transferred to a different system. For this example, it is assumed that a single ATA disk is used, which is currently recognized by the system as [.filename]#ad0#. It is also assumed that the standard FreeBSD partition scheme is used, with [.filename]#/#, [.filename]#/var#, [.filename]#/usr# and [.filename]#/tmp#, as well as a swap partition. +By permanently labeling the partitions on the boot disk, the system should be able to continue to boot normally, even if the disk is moved to another controller or transferred to a different system. +For this example, it is assumed that a single ATA disk is used, which is currently recognized by the system as [.filename]#ad0#. +It is also assumed that the standard FreeBSD partition scheme is used, with [.filename]#/#, [.filename]#/var#, [.filename]#/usr# and [.filename]#/tmp#, as well as a swap partition. -Reboot the system, and at the man:loader[8] prompt, press kbd:[4] to boot into single user mode. Then enter the following commands: +Reboot the system, and at the man:loader[8] prompt, press kbd:[4] to boot into single user mode. +Then enter the following commands: [source,shell] .... @@ -1034,7 +1181,9 @@ GEOM_LABEL: Label for provider /dev/ad0s1b is label/swap # exit .... -The system will continue with multi-user boot. After the boot completes, edit [.filename]#/etc/fstab# and replace the conventional device names, with their respective labels. The final [.filename]#/etc/fstab# will look like this: +The system will continue with multi-user boot. +After the boot completes, edit [.filename]#/etc/fstab# and replace the conventional device names, with their respective labels. +The final [.filename]#/etc/fstab# will look like this: [.programlisting] .... @@ -1046,7 +1195,8 @@ The system will continue with multi-user boot. After the boot completes, edit [. /dev/label/var /var ufs rw 2 2 .... -The system can now be rebooted. If everything went well, it will come up normally and `mount` will show: +The system can now be rebooted. +If everything went well, it will come up normally and `mount` will show: [source,shell] .... @@ -1060,7 +1210,10 @@ devfs on /dev (devfs, local) ==== -The man:glabel[8] class supports a label type for UFS file systems, based on the unique file system id, `ufsid`. These labels may be found in [.filename]#/dev/ufsid# and are created automatically during system startup. It is possible to use `ufsid` labels to mount partitions using [.filename]#/etc/fstab#. Use `glabel status` to receive a list of file systems and their corresponding `ufsid` labels: +The man:glabel[8] class supports a label type for UFS file systems, based on the unique file system id, `ufsid`. +These labels may be found in [.filename]#/dev/ufsid# and are created automatically during system startup. +It is possible to use `ufsid` labels to mount partitions using [.filename]#/etc/fstab#. +Use `glabel status` to receive a list of file systems and their corresponding `ufsid` labels: [source,shell] .... @@ -1070,7 +1223,8 @@ ufsid/486b6fc38d330916 N/A ad4s1d ufsid/486b6fc16926168e N/A ad4s1f .... -In the above example, [.filename]#ad4s1d# represents [.filename]#/var#, while [.filename]#ad4s1f# represents [.filename]#/usr#. Using the `ufsid` values shown, these partitions may now be mounted with the following entries in [.filename]#/etc/fstab#: +In the above example, [.filename]#ad4s1d# represents [.filename]#/var#, while [.filename]#ad4s1f# represents [.filename]#/usr#. +Using the `ufsid` values shown, these partitions may now be mounted with the following entries in [.filename]#/etc/fstab#: [.programlisting] .... @@ -1083,13 +1237,21 @@ Any partitions with `ufsid` labels can be mounted in this way, eliminating the n [[geom-gjournal]] == UFS Journaling Through GEOM -Support for journals on UFS file systems is available on FreeBSD. The implementation is provided through the GEOM subsystem and is configured using `gjournal`. Unlike other file system journaling implementations, the `gjournal` method is block based and not implemented as part of the file system. It is a GEOM extension. +Support for journals on UFS file systems is available on FreeBSD. +The implementation is provided through the GEOM subsystem and is configured using `gjournal`. +Unlike other file system journaling implementations, the `gjournal` method is block based and not implemented as part of the file system. +It is a GEOM extension. -Journaling stores a log of file system transactions, such as changes that make up a complete disk write operation, before meta-data and file writes are committed to the disk. This transaction log can later be replayed to redo file system transactions, preventing file system inconsistencies. +Journaling stores a log of file system transactions, such as changes that make up a complete disk write operation, before meta-data and file writes are committed to the disk. +This transaction log can later be replayed to redo file system transactions, preventing file system inconsistencies. -This method provides another mechanism to protect against data loss and inconsistencies of the file system. Unlike Soft Updates, which tracks and enforces meta-data updates, and snapshots, which create an image of the file system, a log is stored in disk space specifically for this task. For better performance, the journal may be stored on another disk. In this configuration, the journal provider or storage device should be listed after the device to enable journaling on. +This method provides another mechanism to protect against data loss and inconsistencies of the file system. +Unlike Soft Updates, which tracks and enforces meta-data updates, and snapshots, which create an image of the file system, a log is stored in disk space specifically for this task. +For better performance, the journal may be stored on another disk. +In this configuration, the journal provider or storage device should be listed after the device to enable journaling on. -The [.filename]#GENERIC# kernel provides support for `gjournal`. To automatically load the [.filename]#geom_journal.ko# kernel module at boot time, add the following line to [.filename]#/boot/loader.conf#: +The [.filename]#GENERIC# kernel provides support for `gjournal`. +To automatically load the [.filename]#geom_journal.ko# kernel module at boot time, add the following line to [.filename]#/boot/loader.conf#: [.programlisting] .... @@ -1103,7 +1265,8 @@ If a custom kernel is used, ensure the following line is in the kernel configura options GEOM_JOURNAL .... -Once the module is loaded, a journal can be created on a new file system using the following steps. In this example, [.filename]#da4# is a new SCSI disk: +Once the module is loaded, a journal can be created on a new file system using the following steps. +In this example, [.filename]#da4# is a new SCSI disk: [source,shell] .... @@ -1123,9 +1286,14 @@ A UFS file system may now be created on the journaled device, then mounted on an [NOTE] ==== -In the case of several slices, a journal will be created for each individual slice. For instance, if [.filename]#ad4s1# and [.filename]#ad4s2# are both slices, then `gjournal` will create [.filename]#ad4s1.journal# and [.filename]#ad4s2.journal#. +In the case of several slices, a journal will be created for each individual slice. +For instance, if [.filename]#ad4s1# and [.filename]#ad4s2# are both slices, then `gjournal` will create [.filename]#ad4s1.journal# and [.filename]#ad4s2.journal#. ==== -Journaling may also be enabled on current file systems by using `tunefs`. However, _always_ make a backup before attempting to alter an existing file system. In most cases, `gjournal` will fail if it is unable to create the journal, but this does not protect against data loss incurred as a result of misusing `tunefs`. Refer to man:gjournal[8] and man:tunefs[8] for more information about these commands. +Journaling may also be enabled on current file systems by using `tunefs`. +However, _always_ make a backup before attempting to alter an existing file system. +In most cases, `gjournal` will fail if it is unable to create the journal, but this does not protect against data loss incurred as a result of misusing `tunefs`. +Refer to man:gjournal[8] and man:tunefs[8] for more information about these commands. -It is possible to journal the boot disk of a FreeBSD system. Refer to the article link:{gjournal-desktop}[Implementing UFS Journaling on a Desktop PC] for detailed instructions. +It is possible to journal the boot disk of a FreeBSD system. +Refer to the article link:{gjournal-desktop}[Implementing UFS Journaling on a Desktop PC] for detailed instructions. diff --git a/documentation/content/en/books/handbook/introduction/_index.adoc b/documentation/content/en/books/handbook/introduction/_index.adoc index ea8d63aeda..158f15f1fe 100644 --- a/documentation/content/en/books/handbook/introduction/_index.adoc +++ b/documentation/content/en/books/handbook/introduction/_index.adoc @@ -59,7 +59,9 @@ After reading this chapter you will know: [[nutshell]] == Welcome to FreeBSD! -FreeBSD is an Open Source, standards-compliant Unix-like operating system for x86 (both 32 and 64 bit), ARM(R), AArch64, RISC-V(R), MIPS(R), POWER(R), PowerPC(R), and Sun UltraSPARC(R) computers. It provides all the features that are nowadays taken for granted, such as preemptive multitasking, memory protection, virtual memory, multi-user facilities, SMP support, all the Open Source development tools for different languages and frameworks, and desktop features centered around X Window System, KDE, or GNOME. Its particular strengths are: +FreeBSD is an Open Source, standards-compliant Unix-like operating system for x86 (both 32 and 64 bit), ARM(R), AArch64, RISC-V(R), MIPS(R), POWER(R), PowerPC(R), and Sun UltraSPARC(R) computers. +It provides all the features that are nowadays taken for granted, such as preemptive multitasking, memory protection, virtual memory, multi-user facilities, SMP support, all the Open Source development tools for different languages and frameworks, and desktop features centered around X Window System, KDE, or GNOME. +Its particular strengths are: * _Liberal Open Source license_, which grants you rights to freely modify and extend its source code and incorporate it in both Open Source projects and closed products without imposing restrictions typical to copyleft licenses, as well as avoiding potential license incompatibility problems. * _Strong TCP/IP networking_ - FreeBSD implements industry standard protocols with ever increasing performance and scalability. This makes it a good match in both server, and routing/firewalling roles - and indeed many companies and vendors use it precisely for that purpose. @@ -71,14 +73,18 @@ FreeBSD is an Open Source, standards-compliant Unix-like operating system for x8 * _Staying true to Unix philosophy_, preferring composability instead of monolithic "all in one" daemons with hardcoded behavior. * _Binary compatibility_ with Linux, which makes it possible to run many Linux binaries without the need for virtualisation. -FreeBSD is based on the 4.4BSD-Lite release from Computer Systems Research Group (CSRG) at the University of California at Berkeley, and carries on the distinguished tradition of BSD systems development. In addition to the fine work provided by CSRG, the FreeBSD Project has put in many thousands of man-hours into extending the functionality and fine-tuning the system for maximum performance and reliability in real-life load situations. FreeBSD offers performance and reliability on par with other Open Source and commercial offerings, combined with cutting-edge features not available anywhere else. +FreeBSD is based on the 4.4BSD-Lite release from Computer Systems Research Group (CSRG) at the University of California at Berkeley, and carries on the distinguished tradition of BSD systems development. +In addition to the fine work provided by CSRG, the FreeBSD Project has put in many thousands of man-hours into extending the functionality and fine-tuning the system for maximum performance and reliability in real-life load situations. +FreeBSD offers performance and reliability on par with other Open Source and commercial offerings, combined with cutting-edge features not available anywhere else. [[os-overview]] === What Can FreeBSD Do? -The applications to which FreeBSD can be put are truly limited only by your own imagination. From software development to factory automation, inventory control to azimuth correction of remote satellite antennae; if it can be done with a commercial UNIX(R) product then it is more than likely that you can do it with FreeBSD too! FreeBSD also benefits significantly from literally thousands of high quality applications developed by research centers and universities around the world, often available at little to no cost. +The applications to which FreeBSD can be put are truly limited only by your own imagination. +From software development to factory automation, inventory control to azimuth correction of remote satellite antennae; if it can be done with a commercial UNIX(R) product then it is more than likely that you can do it with FreeBSD too! FreeBSD also benefits significantly from literally thousands of high quality applications developed by research centers and universities around the world, often available at little to no cost. -Because the source code for FreeBSD itself is freely available, the system can also be customized to an almost unheard of degree for special applications or projects, and in ways not generally possible with operating systems from most major commercial vendors. Here is just a sampling of some of the applications in which people are currently using FreeBSD: +Because the source code for FreeBSD itself is freely available, the system can also be customized to an almost unheard of degree for special applications or projects, and in ways not generally possible with operating systems from most major commercial vendors. +Here is just a sampling of some of the applications in which people are currently using FreeBSD: * _Internet Services:_ The robust TCP/IP networking built into FreeBSD makes it an ideal platform for a variety of Internet services such as: @@ -96,14 +102,16 @@ Because the source code for FreeBSD itself is freely available, the system can a * _Desktop:_ FreeBSD makes a fine choice for an inexpensive desktop solution using the freely available X11 server. FreeBSD offers a choice from many open-source desktop environments, including the standard GNOME and KDE graphical user interfaces. FreeBSD can even boot "diskless" from a central server, making individual workstations even cheaper and easier to administer. * _Software Development:_ The basic FreeBSD system comes with a full suite of development tools including a full C/C++ compiler and debugger suite. Support for many other languages are also available through the ports and packages collection. -FreeBSD is available to download free of charge, or can be obtained on either CD-ROM or DVD. Please see crossref:mirrors[mirrors, Obtaining FreeBSD] for more information about obtaining FreeBSD. +FreeBSD is available to download free of charge, or can be obtained on either CD-ROM or DVD. +Please see crossref:mirrors[mirrors, Obtaining FreeBSD] for more information about obtaining FreeBSD. [[introduction-nutshell-users]] === Who Uses FreeBSD? FreeBSD has been known for its web serving capabilities - sites that run on FreeBSD include https://news.ycombinator.com/[Hacker News], http://www.netcraft.com/[Netcraft], http://www.163.com/[NetEase], https://signup.netflix.com/openconnect[Netflix], http://www.sina.com/[Sina], http://www.sony.co.jp/[Sony Japan], http://www.rambler.ru/[Rambler], http://www.yahoo.com/[Yahoo!], and http://www.yandex.ru/[Yandex]. -FreeBSD's advanced features, proven security, predictable release cycle, and permissive license have led to its use as a platform for building many commercial and open source appliances, devices, and products. Many of the world's largest IT companies use FreeBSD: +FreeBSD's advanced features, proven security, predictable release cycle, and permissive license have led to its use as a platform for building many commercial and open source appliances, devices, and products. +Many of the world's largest IT companies use FreeBSD: * http://www.apache.org/[Apache] - The Apache Software Foundation runs most of its public facing infrastructure, including possibly one of the largest SVN repositories in the world with over 1.4 million commits, on FreeBSD. * http://www.apple.com/[Apple] - OS X borrows heavily from FreeBSD for the network stack, virtual file system, and many userland components. Apple iOS also contains elements borrowed from FreeBSD. @@ -140,7 +148,8 @@ FreeBSD has also spawned a number of related open source projects: * http://www.pfsense.org/[pfSense] - A firewall distribution based on FreeBSD with a huge array of features and extensive IPv6 support. * http://zrouter.org/[ZRouter] - An open source alternative firmware for embedded devices based on FreeBSD. Designed to replace the proprietary firmware on off-the-shelf routers. -A list of https://www.freebsdfoundation.org/about/testimonials/[testimonials from companies basing their products and services on FreeBSD] can be found at the FreeBSD Foundation website. Wikipedia also maintains a https://en.wikipedia.org/wiki/List_of_products_based_on_FreeBSD[list of products based on FreeBSD]. +A list of https://www.freebsdfoundation.org/about/testimonials/[testimonials from companies basing their products and services on FreeBSD] can be found at the FreeBSD Foundation website. +Wikipedia also maintains a https://en.wikipedia.org/wiki/List_of_products_based_on_FreeBSD[list of products based on FreeBSD]. [[history]] == About the FreeBSD Project @@ -152,17 +161,32 @@ The following section provides some background information on the project, inclu The FreeBSD Project had its genesis in the early part of 1993, partially as the brainchild of the Unofficial 386BSDPatchkit's last 3 coordinators: Nate Williams, Rod Grimes and Jordan Hubbard. -The original goal was to produce an intermediate snapshot of 386BSD in order to fix a number of problems that the patchkit mechanism was just not capable of solving. The early working title for the project was 386BSD 0.5 or 386BSD Interim in reference of that fact. +The original goal was to produce an intermediate snapshot of 386BSD in order to fix a number of problems that the patchkit mechanism was just not capable of solving. +The early working title for the project was 386BSD 0.5 or 386BSD Interim in reference of that fact. -386BSD was Bill Jolitz's operating system, which had been up to that point suffering rather severely from almost a year's worth of neglect. As the patchkit swelled ever more uncomfortably with each passing day, they decided to assist Bill by providing this interim "cleanup" snapshot. Those plans came to a rude halt when Bill Jolitz suddenly decided to withdraw his sanction from the project without any clear indication of what would be done instead. +386BSD was Bill Jolitz's operating system, which had been up to that point suffering rather severely from almost a year's worth of neglect. +As the patchkit swelled ever more uncomfortably with each passing day, they decided to assist Bill by providing this interim "cleanup" snapshot. +Those plans came to a rude halt when Bill Jolitz suddenly decided to withdraw his sanction from the project without any clear indication of what would be done instead. -The trio thought that the goal remained worthwhile, even without Bill's support, and so they adopted the name "FreeBSD" coined by David Greenman. The initial objectives were set after consulting with the system's current users and, once it became clear that the project was on the road to perhaps even becoming a reality, Jordan contacted Walnut Creek CDROM with an eye toward improving FreeBSD's distribution channels for those many unfortunates without easy access to the Internet. Walnut Creek CDROM not only supported the idea of distributing FreeBSD on CD but also went so far as to provide the project with a machine to work on and a fast Internet connection. Without Walnut Creek CDROM's almost unprecedented degree of faith in what was, at the time, a completely unknown project, it is quite unlikely that FreeBSD would have gotten as far, as fast, as it has today. +The trio thought that the goal remained worthwhile, even without Bill's support, and so they adopted the name "FreeBSD" coined by David Greenman. +The initial objectives were set after consulting with the system's current users and, once it became clear that the project was on the road to perhaps even becoming a reality, Jordan contacted Walnut Creek CDROM with an eye toward improving FreeBSD's distribution channels for those many unfortunates without easy access to the Internet. +Walnut Creek CDROM not only supported the idea of distributing FreeBSD on CD but also went so far as to provide the project with a machine to work on and a fast Internet connection. +Without Walnut Creek CDROM's almost unprecedented degree of faith in what was, at the time, a completely unknown project, it is quite unlikely that FreeBSD would have gotten as far, as fast, as it has today. -The first CD-ROM (and general net-wide) distribution was FreeBSD 1.0, released in December of 1993. This was based on the 4.3BSD-Lite ("Net/2") tape from U.C. Berkeley, with many components also provided by 386BSD and the Free Software Foundation. It was a fairly reasonable success for a first offering, and they followed it with the highly successful FreeBSD 1.1 release in May of 1994. +The first CD-ROM (and general net-wide) distribution was FreeBSD 1.0, released in December of 1993. +This was based on the 4.3BSD-Lite ("Net/2") tape from U.C. Berkeley, with many components also provided by 386BSD and the Free Software Foundation. +It was a fairly reasonable success for a first offering, and they followed it with the highly successful FreeBSD 1.1 release in May of 1994. -Around this time, some rather unexpected storm clouds formed on the horizon as Novell and U.C. Berkeley settled their long-running lawsuit over the legal status of the Berkeley Net/2 tape. A condition of that settlement was U.C. Berkeley's concession that large parts of Net/2 were "encumbered" code and the property of Novell, who had in turn acquired it from AT&T some time previously. What Berkeley got in return was Novell's "blessing" that the 4.4BSD-Lite release, when it was finally released, would be declared unencumbered and all existing Net/2 users would be strongly encouraged to switch. This included FreeBSD, and the project was given until the end of July 1994 to stop shipping its own Net/2 based product. Under the terms of that agreement, the project was allowed one last release before the deadline, that release being FreeBSD 1.1.5.1. +Around this time, some rather unexpected storm clouds formed on the horizon as Novell and U.C. Berkeley settled their long-running lawsuit over the legal status of the Berkeley Net/2 tape. +A condition of that settlement was U.C. Berkeley's concession that large parts of Net/2 were "encumbered" code and the property of Novell, who had in turn acquired it from AT&T some time previously. +What Berkeley got in return was Novell's "blessing" that the 4.4BSD-Lite release, when it was finally released, would be declared unencumbered and all existing Net/2 users would be strongly encouraged to switch. +This included FreeBSD, and the project was given until the end of July 1994 to stop shipping its own Net/2 based product. +Under the terms of that agreement, the project was allowed one last release before the deadline, that release being FreeBSD 1.1.5.1. -FreeBSD then set about the arduous task of literally re-inventing itself from a completely new and rather incomplete set of 4.4BSD-Lite bits. The "Lite" releases were light in part because Berkeley's CSRG had removed large chunks of code required for actually constructing a bootable running system (due to various legal requirements) and the fact that the Intel port of 4.4 was highly incomplete. It took the project until November of 1994 to make this transition, and in December it released FreeBSD 2.0 to the world. Despite being still more than a little rough around the edges, the release was a significant success and was followed by the more robust and easier to install FreeBSD 2.0.5 release in June of 1995. +FreeBSD then set about the arduous task of literally re-inventing itself from a completely new and rather incomplete set of 4.4BSD-Lite bits. +The "Lite" releases were light in part because Berkeley's CSRG had removed large chunks of code required for actually constructing a bootable running system (due to various legal requirements) and the fact that the Intel port of 4.4 was highly incomplete. +It took the project until November of 1994 to make this transition, and in December it released FreeBSD 2.0 to the world. +Despite being still more than a little rough around the edges, the release was a significant success and was followed by the more robust and easier to install FreeBSD 2.0.5 release in June of 1995. Since that time, FreeBSD has made a series of releases each time improving the stability, speed, and feature set of the previous version. @@ -171,50 +195,79 @@ For now, long-term development projects continue to take place in the 10.X-CURRE [[goals]] === FreeBSD Project Goals -The goals of the FreeBSD Project are to provide software that may be used for any purpose and without strings attached. Many of us have a significant investment in the code (and project) and would certainly not mind a little financial compensation now and then, but we are definitely not prepared to insist on it. We believe that our first and foremost "mission" is to provide code to any and all comers, and for whatever purpose, so that the code gets the widest possible use and provides the widest possible benefit. This is, I believe, one of the most fundamental goals of Free Software and one that we enthusiastically support. +The goals of the FreeBSD Project are to provide software that may be used for any purpose and without strings attached. +Many of us have a significant investment in the code (and project) and would certainly not mind a little financial compensation now and then, but we are definitely not prepared to insist on it. +We believe that our first and foremost "mission" is to provide code to any and all comers, and for whatever purpose, so that the code gets the widest possible use and provides the widest possible benefit. +This is, I believe, one of the most fundamental goals of Free Software and one that we enthusiastically support. -That code in our source tree which falls under the GNU General Public License (GPL) or Library General Public License (LGPL) comes with slightly more strings attached, though at least on the side of enforced access rather than the usual opposite. Due to the additional complexities that can evolve in the commercial use of GPL software we do, however, prefer software submitted under the more relaxed BSD license when it is a reasonable option to do so. +That code in our source tree which falls under the GNU General Public License (GPL) or Library General Public License (LGPL) comes with slightly more strings attached, though at least on the side of enforced access rather than the usual opposite. +Due to the additional complexities that can evolve in the commercial use of GPL software we do, however, prefer software submitted under the more relaxed BSD license when it is a reasonable option to do so. [[development]] === The FreeBSD Development Model -The development of FreeBSD is a very open and flexible process, being literally built from the contributions of thousands of people around the world, as can be seen from our link:{contributors}[list of contributors]. FreeBSD's development infrastructure allow these thousands of contributors to collaborate over the Internet. We are constantly on the lookout for new developers and ideas, and those interested in becoming more closely involved with the project need simply contact us at the {freebsd-hackers}. The {freebsd-announce} is also available to those wishing to make other FreeBSD users aware of major areas of work. +The development of FreeBSD is a very open and flexible process, being literally built from the contributions of thousands of people around the world, as can be seen from our link:{contributors}[list of contributors]. +FreeBSD's development infrastructure allow these thousands of contributors to collaborate over the Internet. +We are constantly on the lookout for new developers and ideas, and those interested in becoming more closely involved with the project need simply contact us at the {freebsd-hackers}. +The {freebsd-announce} is also available to those wishing to make other FreeBSD users aware of major areas of work. Useful things to know about the FreeBSD Project and its development process, whether working independently or in close cooperation: The SVN repositories[[development-cvs-repository]]:: -For several years, the central source tree for FreeBSD was maintained by http://www.nongnu.org/cvs/[CVS] (Concurrent Versions System), a freely available source code control tool. In June 2008, the Project switched to using http://subversion.tigris.org[SVN] (Subversion). The switch was deemed necessary, as the technical limitations imposed by CVS were becoming obvious due to the rapid expansion of the source tree and the amount of history already stored. The Documentation Project and Ports Collection repositories also moved from CVS to SVN in May 2012 and July 2012, respectively. Please refer to the crossref:cutting-edge[synching, Obtaining the Source] section for more information on obtaining the FreeBSD `src/` repository and crossref:ports[ports-using, Using the Ports Collection] for details on obtaining the FreeBSD Ports Collection. +For several years, the central source tree for FreeBSD was maintained by http://www.nongnu.org/cvs/[CVS] (Concurrent Versions System), a freely available source code control tool. +In June 2008, the Project switched to using http://subversion.tigris.org[SVN] (Subversion). +The switch was deemed necessary, as the technical limitations imposed by CVS were becoming obvious due to the rapid expansion of the source tree and the amount of history already stored. +The Documentation Project and Ports Collection repositories also moved from CVS to SVN in May 2012 and July 2012, respectively. +Please refer to the crossref:cutting-edge[synching, Obtaining the Source] section for more information on obtaining the FreeBSD `src/` repository and crossref:ports[ports-using, Using the Ports Collection] for details on obtaining the FreeBSD Ports Collection. The committers list[[development-committers]]:: -The _committers_ are the people who have _write_ access to the Subversion tree, and are authorized to make modifications to the FreeBSD source (the term "committer" comes from `commit`, the source control command which is used to bring new changes into the repository). Anyone can submit a bug to the https://bugs.FreeBSD.org/submit/[Bug Database]. Before submitting a bug report, the FreeBSD mailing lists, IRC channels, or forums can be used to help verify that an issue is actually a bug. +The _committers_ are the people who have _write_ access to the Subversion tree, and are authorized to make modifications to the FreeBSD source (the term "committer" comes from `commit`, the source control command which is used to bring new changes into the repository). +Anyone can submit a bug to the https://bugs.FreeBSD.org/submit/[Bug Database]. +Before submitting a bug report, the FreeBSD mailing lists, IRC channels, or forums can be used to help verify that an issue is actually a bug. The FreeBSD core team[[development-core]]:: -The _FreeBSD core team_ would be equivalent to the board of directors if the FreeBSD Project were a company. The primary task of the core team is to make sure the project, as a whole, is in good shape and is heading in the right directions. Inviting dedicated and responsible developers to join our group of committers is one of the functions of the core team, as is the recruitment of new core team members as others move on. The current core team was elected from a pool of committer candidates in June 2020. Elections are held every 2 years. +The _FreeBSD core team_ would be equivalent to the board of directors if the FreeBSD Project were a company. +The primary task of the core team is to make sure the project, as a whole, is in good shape and is heading in the right directions. +Inviting dedicated and responsible developers to join our group of committers is one of the functions of the core team, as is the recruitment of new core team members as others move on. +The current core team was elected from a pool of committer candidates in June 2020. +Elections are held every 2 years. + [NOTE] ==== -Like most developers, most members of the core team are also volunteers when it comes to FreeBSD development and do not benefit from the project financially, so "commitment" should also not be misconstrued as meaning "guaranteed support." The "board of directors" analogy above is not very accurate, and it may be more suitable to say that these are the people who gave up their lives in favor of FreeBSD against their better judgement! +Like most developers, most members of the core team are also volunteers when it comes to FreeBSD development and do not benefit from the project financially, so "commitment" should also not be misconstrued as meaning "guaranteed support." +The "board of directors" analogy above is not very accurate, and it may be more suitable to say that these are the people who gave up their lives in favor of FreeBSD against their better judgement! ==== Outside contributors:: -Last, but definitely not least, the largest group of developers are the users themselves who provide feedback and bug fixes to us on an almost constant basis. The primary way of keeping in touch with FreeBSD's more non-centralized development is to subscribe to the {freebsd-hackers} where such things are discussed. See crossref:eresources[eresources, Resources on the Internet] for more information about the various FreeBSD mailing lists. +Last, but definitely not least, the largest group of developers are the users themselves who provide feedback and bug fixes to us on an almost constant basis. +The primary way of keeping in touch with FreeBSD's more non-centralized development is to subscribe to the {freebsd-hackers} where such things are discussed. +See crossref:eresources[eresources, Resources on the Internet] for more information about the various FreeBSD mailing lists. + link:{contributors}[The FreeBSD Contributors List] is a long and growing one, so why not join it by contributing something back to FreeBSD today? + Providing code is not the only way of contributing to the project; for a more complete list of things that need doing, please refer to the link:https://www.FreeBSD.org/[FreeBSD Project web site]. -In summary, our development model is organized as a loose set of concentric circles. The centralized model is designed for the convenience of the _users_ of FreeBSD, who are provided with an easy way of tracking one central code base, not to keep potential contributors out! Our desire is to present a stable operating system with a large set of coherent crossref:ports[ports,application programs] that the users can easily install and use - this model works very well in accomplishing that. +In summary, our development model is organized as a loose set of concentric circles. +The centralized model is designed for the convenience of the _users_ of FreeBSD, who are provided with an easy way of tracking one central code base, not to keep potential contributors out! Our desire is to present a stable operating system with a large set of coherent crossref:ports[ports,application programs] that the users can easily install and use - this model works very well in accomplishing that. All we ask of those who would join us as FreeBSD developers is some of the same dedication its current people have to its continued success! [[third-party-programs]] === Third Party Programs -In addition to the base distributions, FreeBSD offers a ported software collection with thousands of commonly sought-after programs. At the time of this writing, there were over {numports} ports! The list of ports ranges from http servers, to games, languages, editors, and almost everything in between. The entire Ports Collection requires approximately {ports-size}. To compile a port, you simply change to the directory of the program you wish to install, type `make install`, and let the system do the rest. The full original distribution for each port you build is retrieved dynamically so you need only enough disk space to build the ports you want. Almost every port is also provided as a pre-compiled "package", which can be installed with a simple command (`pkg install`) by those who do not wish to compile their own ports from source. More information on packages and ports can be found in crossref:ports[ports,Installing Applications: Packages and Ports]. +In addition to the base distributions, FreeBSD offers a ported software collection with thousands of commonly sought-after programs. +At the time of this writing, there were over {numports} ports! The list of ports ranges from http servers, to games, languages, editors, and almost everything in between. +The entire Ports Collection requires approximately {ports-size}. +To compile a port, you simply change to the directory of the program you wish to install, type `make install`, and let the system do the rest. +The full original distribution for each port you build is retrieved dynamically so you need only enough disk space to build the ports you want. +Almost every port is also provided as a pre-compiled "package", which can be installed with a simple command (`pkg install`) by those who do not wish to compile their own ports from source. +More information on packages and ports can be found in crossref:ports[ports,Installing Applications: Packages and Ports]. === Additional Documentation -All supported FreeBSD versions provide an option in the installer to install additional documentation under [.filename]#/usr/local/share/doc/freebsd# during the initial system setup. Documentation may also be installed at any later time using packages as described in crossref:cutting-edge[doc-ports-install-package,Updating Documentation from Ports]. You may view the locally installed manuals with any HTML capable browser using the following URLs: +All supported FreeBSD versions provide an option in the installer to install additional documentation under [.filename]#/usr/local/share/doc/freebsd# during the initial system setup. +Documentation may also be installed at any later time using packages as described in crossref:cutting-edge[doc-ports-install-package,Updating Documentation from Ports]. +You may view the locally installed manuals with any HTML capable browser using the following URLs: The FreeBSD Handbook:: [.filename]#link:file://localhost/usr/local/share/doc/freebsd/handbook/index.html[/usr/local/share/doc/freebsd/handbook/index.html]# diff --git a/documentation/content/en/books/handbook/jails/_index.adoc b/documentation/content/en/books/handbook/jails/_index.adoc index ed53c3fd42..8c8eaa83e8 100644 --- a/documentation/content/en/books/handbook/jails/_index.adoc +++ b/documentation/content/en/books/handbook/jails/_index.adoc @@ -46,11 +46,25 @@ toc::[] [[jails-synopsis]] == Synopsis -Since system administration is a difficult task, many tools have been developed to make life easier for the administrator. These tools often enhance the way systems are installed, configured, and maintained. One of the tools which can be used to enhance the security of a FreeBSD system is _jails_. Jails have been available since FreeBSD 4.X and continue to be enhanced in their usefulness, performance, reliability, and security. - -Jails build upon the man:chroot[2] concept, which is used to change the root directory of a set of processes. This creates a safe environment, separate from the rest of the system. Processes created in the chrooted environment can not access files or resources outside of it. For that reason, compromising a service running in a chrooted environment should not allow the attacker to compromise the entire system. However, a chroot has several limitations. It is suited to easy tasks which do not require much flexibility or complex, advanced features. Over time, many ways have been found to escape from a chrooted environment, making it a less than ideal solution for securing services. - -Jails improve on the concept of the traditional chroot environment in several ways. In a traditional chroot environment, processes are only limited in the part of the file system they can access. The rest of the system resources, system users, running processes, and the networking subsystem are shared by the chrooted processes and the processes of the host system. Jails expand this model by virtualizing access to the file system, the set of users, and the networking subsystem. More fine-grained controls are available for tuning the access of a jailed environment. Jails can be considered as a type of operating system-level virtualization. +Since system administration is a difficult task, many tools have been developed to make life easier for the administrator. +These tools often enhance the way systems are installed, configured, and maintained. +One of the tools which can be used to enhance the security of a FreeBSD system is _jails_. +Jails have been available since FreeBSD 4.X and continue to be enhanced in their usefulness, performance, reliability, and security. + +Jails build upon the man:chroot[2] concept, which is used to change the root directory of a set of processes. +This creates a safe environment, separate from the rest of the system. +Processes created in the chrooted environment can not access files or resources outside of it. +For that reason, compromising a service running in a chrooted environment should not allow the attacker to compromise the entire system. +However, a chroot has several limitations. +It is suited to easy tasks which do not require much flexibility or complex, advanced features. +Over time, many ways have been found to escape from a chrooted environment, making it a less than ideal solution for securing services. + +Jails improve on the concept of the traditional chroot environment in several ways. +In a traditional chroot environment, processes are only limited in the part of the file system they can access. +The rest of the system resources, system users, running processes, and the networking subsystem are shared by the chrooted processes and the processes of the host system. +Jails expand this model by virtualizing access to the file system, the set of users, and the networking subsystem. +More fine-grained controls are available for tuning the access of a jailed environment. +Jails can be considered as a type of operating system-level virtualization. A jail is characterized by four elements: @@ -59,9 +73,11 @@ A jail is characterized by four elements: * An IP address: which is assigned to the jail. The IP address of a jail is often an alias address for an existing network interface. * A command: the path name of an executable to run inside the jail. The path is relative to the root directory of the jail environment. -Jails have their own set of users and their own `root` account which are limited to the jail environment. The `root` account of a jail is not allowed to perform operations to the system outside of the associated jail environment. +Jails have their own set of users and their own `root` account which are limited to the jail environment. +The `root` account of a jail is not allowed to perform operations to the system outside of the associated jail environment. -This chapter provides an overview of the terminology and commands for managing FreeBSD jails. Jails are a powerful tool for both system administrators, and advanced users. +This chapter provides an overview of the terminology and commands for managing FreeBSD jails. +Jails are a powerful tool for both system administrators, and advanced users. After reading this chapter, you will know: @@ -71,9 +87,11 @@ After reading this chapter, you will know: [IMPORTANT] ==== -Jails are a powerful tool, but they are not a security panacea. While it is not possible for a jailed process to break out on its own, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail to obtain elevated privileges in the host environment. +Jails are a powerful tool, but they are not a security panacea. +While it is not possible for a jailed process to break out on its own, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail to obtain elevated privileges in the host environment. -Most of these attacks can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the host environment. As a general rule, untrusted users with privileged access to a jail should not be given access to the host environment. +Most of these attacks can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the host environment. +As a general rule, untrusted users with privileged access to a jail should not be given access to the host environment. ==== [[jails-terms]] @@ -85,13 +103,16 @@ man:chroot[8] (command):: Utility, which uses man:chroot[2] FreeBSD system call to change the root directory of a process and all its descendants. man:chroot[2] (environment):: -The environment of processes running in a "chroot". This includes resources such as the part of the file system which is visible, user and group IDs which are available, network interfaces and other IPC mechanisms, etc. +The environment of processes running in a "chroot". +This includes resources such as the part of the file system which is visible, user and group IDs which are available, network interfaces and other IPC mechanisms, etc. man:jail[8] (command):: The system administration utility which allows launching of processes within a jail environment. host (system, process, user, etc.):: -The controlling system of a jail environment. The host system has access to all the hardware resources available, and can control processes both outside of and inside a jail environment. One of the important differences of the host system from a jail is that the limitations which apply to superuser processes inside a jail are not enforced for processes of the host system. +The controlling system of a jail environment. +The host system has access to all the hardware resources available, and can control processes both outside of and inside a jail environment. +One of the important differences of the host system from a jail is that the limitations which apply to superuser processes inside a jail are not enforced for processes of the host system. hosted (system, process, user, etc.):: A process, user or other entity, whose access to resources is restricted by a FreeBSD jail. @@ -99,14 +120,17 @@ A process, user or other entity, whose access to resources is restricted by a Fr [[jails-build]] == Creating and Controlling Jails -Some administrators divide jails into the following two types: "complete" jails, which resemble a real FreeBSD system, and "service" jails, dedicated to one application or service, possibly running with privileges. This is only a conceptual division and the process of building a jail is not affected by it. When creating a "complete" jail there are two options for the source of the userland: use prebuilt binaries (such as those supplied on an install media) or build from source. +Some administrators divide jails into the following two types: "complete" jails, which resemble a real FreeBSD system, and "service" jails, dedicated to one application or service, possibly running with privileges. +This is only a conceptual division and the process of building a jail is not affected by it. +When creating a "complete" jail there are two options for the source of the userland: use prebuilt binaries (such as those supplied on an install media) or build from source. === Installing a Jail [[jails-install-internet]] ==== To install a Jail from the Internet -The man:bsdinstall[8] tool can be used to fetch and install the binaries needed for a jail. This will walk through the picking of a mirror, which distributions will be installed into the destination directory, and some basic configuration of the jail: +The man:bsdinstall[8] tool can be used to fetch and install the binaries needed for a jail. +This will walk through the picking of a mirror, which distributions will be installed into the destination directory, and some basic configuration of the jail: [source,shell] .... @@ -118,7 +142,8 @@ Once the command is complete, the next step is configuring the host to run the j [[jails-install-iso]] ==== To install a Jail from an ISO -To install the userland from installation media, first create the root directory for the jail. This can be done by setting the `DESTDIR` variable to the proper location. +To install the userland from installation media, first create the root directory for the jail. +This can be done by setting the `DESTDIR` variable to the proper location. Start a shell and define `DESTDIR`: @@ -136,7 +161,8 @@ Mount the install media as covered in man:mdconfig[8] when using the install ISO # cd /mnt/usr/freebsd-dist/ .... -Extract the binaries from the tarballs on the install media into the declared destination. Minimally, only the base set needs to be extracted, but a complete install can be performed when preferred. +Extract the binaries from the tarballs on the install media into the declared destination. +Minimally, only the base set needs to be extracted, but a complete install can be performed when preferred. To install just the base system: @@ -179,7 +205,11 @@ The man:jail[8] manual page explains the procedure for building a jail: === Configuring the Host -Once a jail is installed, it can be started by using the man:jail[8] utility. The man:jail[8] utility takes four mandatory arguments which are described in the <<jails-synopsis>>. Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. The `_command_` argument depends on the type of the jail; for a _virtual system_, [.filename]#/etc/rc# is a good choice, since it will replicate the startup sequence of a real FreeBSD system. For a _service_ jail, it depends on the service or application that will run within the jail. +Once a jail is installed, it can be started by using the man:jail[8] utility. +The man:jail[8] utility takes four mandatory arguments which are described in the <<jails-synopsis>>. +Other arguments may be specified too, e.g., to run the jailed process with the credentials of a specific user. +The `_command_` argument depends on the type of the jail; for a _virtual system_, [.filename]#/etc/rc# is a good choice, since it will replicate the startup sequence of a real FreeBSD system. +For a _service_ jail, it depends on the service or application that will run within the jail. Jails are often started at boot time and the FreeBSD [.filename]#rc# mechanism provides an easy way to do this. @@ -207,7 +237,8 @@ Configure jails to start at boot time in [.filename]#rc.conf#: jail_enable="YES" # Set to NO to disable starting of any jails .... + -The default startup of jails configured in man:jail.conf[5], will run the [.filename]#/etc/rc# script of the jail, which assumes the jail is a complete virtual system. For service jails, the default startup command of the jail should be changed, by setting the `exec.start` option appropriately. +The default startup of jails configured in man:jail.conf[5], will run the [.filename]#/etc/rc# script of the jail, which assumes the jail is a complete virtual system. +For service jails, the default startup command of the jail should be changed, by setting the `exec.start` option appropriately. + [NOTE] ==== @@ -222,7 +253,8 @@ man:service[8] can be used to start or stop a jail by hand, if an entry for it e # service jail stop www .... -Jails can be shut down with man:jexec[8]. Use man:jls[8] to identify the jail's `JID`, then use man:jexec[8] to run the shutdown script in that jail. +Jails can be shut down with man:jexec[8]. +Use man:jls[8] to identify the jail's `JID`, then use man:jexec[8] to run the shutdown script in that jail. [source,shell] .... @@ -237,7 +269,8 @@ More information about this can be found in the man:jail[8] manual page. [[jails-tuning]] == Fine Tuning and Administration -There are several options which can be set for any jail, and various ways of combining a host FreeBSD system with jails, to produce higher level applications. This section presents: +There are several options which can be set for any jail, and various ways of combining a host FreeBSD system with jails, to produce higher level applications. +This section presents: * Some of the options available for tuning the behavior and security restrictions implemented by a jail installation. * Some of the high-level applications for jail management, which are available through the FreeBSD Ports Collection, and can be used to implement overall jail-based solutions. @@ -245,7 +278,10 @@ There are several options which can be set for any jail, and various ways of com [[jails-tuning-utilities]] === System Tools for Jail Tuning in FreeBSD -Fine tuning of a jail's configuration is mostly done by setting man:sysctl[8] variables. A special subtree of sysctl exists as a basis for organizing all the relevant options: the `security.jail.*` hierarchy of FreeBSD kernel options. Here is a list of the main jail-related sysctls, complete with their default value. Names should be self-explanatory, but for more information about them, please refer to the man:jail[8] and man:sysctl[8] manual pages. +Fine tuning of a jail's configuration is mostly done by setting man:sysctl[8] variables. +A special subtree of sysctl exists as a basis for organizing all the relevant options: the `security.jail.*` hierarchy of FreeBSD kernel options. +Here is a list of the main jail-related sysctls, complete with their default value. +Names should be self-explanatory, but for more information about them, please refer to the man:jail[8] and man:sysctl[8] manual pages. * `security.jail.set_hostname_allowed: 1` * `security.jail.socket_unixiproute_only: 1` @@ -255,9 +291,13 @@ Fine tuning of a jail's configuration is mostly done by setting man:sysctl[8] va * `security.jail.chflags_allowed: 0` * `security.jail.jailed: 0` -These variables can be used by the system administrator of the _host system_ to add or remove some of the limitations imposed by default on the `root` user. Note that there are some limitations which cannot be removed. The `root` user is not allowed to mount or unmount file systems from within a man:jail[8]. The `root` inside a jail may not load or unload man:devfs[8] rulesets, set firewall rules, or do many other administrative tasks which require modifications of in-kernel data, such as setting the `securelevel` of the kernel. +These variables can be used by the system administrator of the _host system_ to add or remove some of the limitations imposed by default on the `root` user. +Note that there are some limitations which cannot be removed. +The `root` user is not allowed to mount or unmount file systems from within a man:jail[8]. +The `root` inside a jail may not load or unload man:devfs[8] rulesets, set firewall rules, or do many other administrative tasks which require modifications of in-kernel data, such as setting the `securelevel` of the kernel. -The base system of FreeBSD contains a basic set of tools for viewing information about the active jails, and attaching to a jail to run administrative commands. The man:jls[8] and man:jexec[8] commands are part of the base FreeBSD system, and can be used to perform the following simple tasks: +The base system of FreeBSD contains a basic set of tools for viewing information about the active jails, and attaching to a jail to run administrative commands. +The man:jls[8] and man:jexec[8] commands are part of the base FreeBSD system, and can be used to perform the following simple tasks: * Print a list of active jails and their corresponding jail identifier (JID), IP address, hostname and path. * Attach to a running jail, from its host system, and run a command inside the jail or perform administrative tasks inside the jail itself. This is especially useful when the `root` user wants to cleanly shut down a jail. The man:jexec[8] utility can also be used to start a shell in a jail to do administration in it; for example: @@ -270,12 +310,16 @@ The base system of FreeBSD contains a basic set of tools for viewing information [[jails-tuning-admintools]] === High-Level Administrative Tools in the FreeBSD Ports Collection -Among the many third-party utilities for jail administration, one of the most complete and useful is package:sysutils/ezjail[]. It is a set of scripts that contribute to man:jail[8] management. Please refer to <<jails-ezjail,the handbook section on ezjail>> for more information. +Among the many third-party utilities for jail administration, one of the most complete and useful is package:sysutils/ezjail[]. +It is a set of scripts that contribute to man:jail[8] management. +Please refer to <<jails-ezjail,the handbook section on ezjail>> for more information. [[jails-updating]] === Keeping Jails Patched and up to Date -Jails should be kept up to date from the host operating system as attempting to patch userland from within the jail may likely fail as the default behavior in FreeBSD is to disallow the use of man:chflags[1] in a jail which prevents the replacement of some files. It is possible to change this behavior but it is recommended to use man:freebsd-update[8] to maintain jails instead. Use `-b` to specify the path of the jail to be updated. +Jails should be kept up to date from the host operating system as attempting to patch userland from within the jail may likely fail as the default behavior in FreeBSD is to disallow the use of man:chflags[1] in a jail which prevents the replacement of some files. +It is possible to change this behavior but it is recommended to use man:freebsd-update[8] to maintain jails instead. +Use `-b` to specify the path of the jail to be updated. To update the jail to the latest patch release of the version of FreeBSD it is already running, then execute the following commands on the host: @@ -285,7 +329,9 @@ To update the jail to the latest patch release of the version of FreeBSD it is a # freebsd-update -b /here/is/the/jail install .... -To upgrade the jail to a new major or minor version, first upgrade the host system as described in crossref:cutting-edge[freebsdupdate-upgrade,“Performing Major and Minor Version Upgrades”]. Once the host has been upgraded and rebooted, the jail can then be upgraded. For example to upgrade from 12.0-RELEASE to 12.1-RELEASE, on the host run: +To upgrade the jail to a new major or minor version, first upgrade the host system as described in crossref:cutting-edge[freebsdupdate-upgrade,“Performing Major and Minor Version Upgrades”]. +Once the host has been upgraded and rebooted, the jail can then be upgraded. +For example to upgrade from 12.0-RELEASE to 12.1-RELEASE, on the host run: [source,shell] .... @@ -295,7 +341,9 @@ To upgrade the jail to a new major or minor version, first upgrade the host syst # freebsd-update -b /here/is/the/jail install .... -Then, if it was a major version upgrade, reinstall all installed packages and restart the jail again. This is required because the ABI version changes when upgrading between major versions of FreeBSD. From the host: +Then, if it was a major version upgrade, reinstall all installed packages and restart the jail again. +This is required because the ABI version changes when upgrading between major versions of FreeBSD. +From the host: [source,shell] .... @@ -306,13 +354,17 @@ Then, if it was a major version upgrade, reinstall all installed packages and re [[jails-application]] == Updating Multiple Jails -The management of multiple jails can become problematic because every jail has to be rebuilt from scratch whenever it is upgraded. This can be time consuming and tedious if a lot of jails are created and manually updated. +The management of multiple jails can become problematic because every jail has to be rebuilt from scratch whenever it is upgraded. +This can be time consuming and tedious if a lot of jails are created and manually updated. -This section demonstrates one method to resolve this issue by safely sharing as much as is possible between jails using read-only man:mount_nullfs[8] mounts, so that updating is simpler. This makes it more attractive to put single services, such as HTTP, DNS, and SMTP, into individual jails. Additionally, it provides a simple way to add, remove, and upgrade jails. +This section demonstrates one method to resolve this issue by safely sharing as much as is possible between jails using read-only man:mount_nullfs[8] mounts, so that updating is simpler. +This makes it more attractive to put single services, such as HTTP, DNS, and SMTP, into individual jails. +Additionally, it provides a simple way to add, remove, and upgrade jails. [NOTE] ==== -Simpler solutions exist, such as ezjail, which provides an easier method of administering FreeBSD jails but is less versatile than this setup. ezjail is covered in more detail in <<jails-ezjail>>. +Simpler solutions exist, such as ezjail, which provides an easier method of administering FreeBSD jails but is less versatile than this setup. +ezjail is covered in more detail in <<jails-ezjail>>. ==== The goals of the setup described in this section are: @@ -324,7 +376,9 @@ The goals of the setup described in this section are: * Be paranoid about security, reducing as much as possible the possibility of compromise. * Save space and inodes, as much as possible. -This design relies on a single, read-only master template which is mounted into each jail and one read-write device per jail. A device can be a separate physical disc, a partition, or a vnode backed memory device. This example uses read-write nullfs mounts. +This design relies on a single, read-only master template which is mounted into each jail and one read-write device per jail. +A device can be a separate physical disc, a partition, or a vnode backed memory device. +This example uses read-write nullfs mounts. The file system layout is as follows: @@ -341,7 +395,8 @@ The file system layout is as follows: This section describes the steps needed to create the master template. -It is recommended to first update the host FreeBSD system to the latest -RELEASE branch using the instructions in crossref:cutting-edge[makeworld,“Updating FreeBSD from Source”]. Additionally, this template uses the package:sysutils/cpdup[] package or port and portsnap will be used to download the FreeBSD Ports Collection. +It is recommended to first update the host FreeBSD system to the latest -RELEASE branch using the instructions in crossref:cutting-edge[makeworld,“Updating FreeBSD from Source”]. +Additionally, this template uses the package:sysutils/cpdup[] package or port and portsnap will be used to download the FreeBSD Ports Collection. [.procedure] . First, create a directory structure for the read-only file system which will contain the FreeBSD binaries for the jails. Then, change directory to the FreeBSD source tree and install the read-only file system to the jail template: @@ -407,12 +462,15 @@ It is recommended to first update the host FreeBSD system to the latest -RELEASE WRKDIRPREFIX?= /s/portbuild .... + -This makes it possible to compile FreeBSD ports inside each jail. Remember that the ports directory is part of the read-only system. The custom path for `WRKDIRPREFIX` allows builds to be done in the read-write portion of every jail. +This makes it possible to compile FreeBSD ports inside each jail. +Remember that the ports directory is part of the read-only system. +The custom path for `WRKDIRPREFIX` allows builds to be done in the read-write portion of every jail. [[jails-service-jails-creating]] === Creating Jails -The jail template can now be used to setup and configure the jails in [.filename]#/etc/rc.conf#. This example demonstrates the creation of 3 jails: `NS`, `MAIL` and `WWW`. +The jail template can now be used to setup and configure the jails in [.filename]#/etc/rc.conf#. +This example demonstrates the creation of 3 jails: `NS`, `MAIL` and `WWW`. [.procedure] . Add the following lines to [.filename]#/etc/fstab#, so that the read-only template for the jails and the read-write space will be available in the respective jails: @@ -449,7 +507,8 @@ jail_www_rootdir="/usr/home/j/www" jail_www_devfs_enable="YES" .... + -The `jail__name__rootdir` variable is set to [.filename]#/usr/home# instead of [.filename]#/home# because the physical path of [.filename]#/home# on a default FreeBSD installation is [.filename]#/usr/home#. The `jail__name__rootdir` variable must _not_ be set to a path which includes a symbolic link, otherwise the jails will refuse to start. +The `jail__name__rootdir` variable is set to [.filename]#/usr/home# instead of [.filename]#/home# because the physical path of [.filename]#/home# on a default FreeBSD installation is [.filename]#/usr/home#. +The `jail__name__rootdir` variable must _not_ be set to a path which includes a symbolic link, otherwise the jails will refuse to start. . Create the required mount points for the read-only file system of each jail: + [source,shell] @@ -475,7 +534,9 @@ The `jail__name__rootdir` variable is set to [.filename]#/usr/home# instead of [ # service jail start .... -The jails should be running now. To check if they have started correctly, use `jls`. Its output should be similar to the following: +The jails should be running now. +To check if they have started correctly, use `jls`. +Its output should be similar to the following: [source,shell] .... @@ -486,7 +547,9 @@ The jails should be running now. To check if they have started correctly, use `j 1 62.123.43.14 www.example.org /home/j/www .... -At this point, it should be possible to log onto each jail, add new users, or configure daemons. The `JID` column indicates the jail identification number of each running jail. Use the following command to perform administrative tasks in the jail whose JID is `3`: +At this point, it should be possible to log onto each jail, add new users, or configure daemons. +The `JID` column indicates the jail identification number of each running jail. +Use the following command to perform administrative tasks in the jail whose JID is `3`: [source,shell] .... @@ -496,7 +559,8 @@ At this point, it should be possible to log onto each jail, add new users, or co [[jails-service-jails-upgrading]] === Upgrading -The design of this setup provides an easy way to upgrade existing jails while minimizing their downtime. Also, it provides a way to roll back to the older version should a problem occur. +The design of this setup provides an easy way to upgrade existing jails while minimizing their downtime. +Also, it provides a way to roll back to the older version should a problem occur. [.procedure] . The first step is to upgrade the host system. Then, create a new temporary read-only template in [.filename]#/home/j/mroot2#. @@ -569,12 +633,18 @@ The `installworld` creates a few unnecessary directories, which should be remove # service jail start .... -Use `jls` to check if the jails started correctly. Run `mergemaster` in each jail to update the configuration files. +Use `jls` to check if the jails started correctly. +Run `mergemaster` in each jail to update the configuration files. [[jails-ezjail]] == Managing Jails with ezjail -Creating and managing multiple jails can quickly become tedious and error-prone. Dirk Engling's ezjail automates and greatly simplifies many jail tasks. A _basejail_ is created as a template. Additional jails use man:mount_nullfs[8] to share many of the basejail directories without using additional disk space. Each additional jail takes only a few megabytes of disk space before applications are installed. Upgrading the copy of the userland in the basejail automatically upgrades all of the other jails. +Creating and managing multiple jails can quickly become tedious and error-prone. +Dirk Engling's ezjail automates and greatly simplifies many jail tasks. +A _basejail_ is created as a template. +Additional jails use man:mount_nullfs[8] to share many of the basejail directories without using additional disk space. +Each additional jail takes only a few megabytes of disk space before applications are installed. +Upgrading the copy of the userland in the basejail automatically upgrades all of the other jails. Additional benefits and features are described in detail on the ezjail web site, https://erdgeist.org/arts/software/ezjail/[]. @@ -592,9 +662,9 @@ Installing ezjail consists of adding a loopback interface for use in jails, inst cloned_interfaces="lo1" .... + -The second loopback interface `lo1` will be created when the system starts. It can also be created manually without a restart: +The second loopback interface `lo1` will be created when the system starts. +It can also be created manually without a restart: + - [source,shell] .... # service netif cloneup @@ -603,7 +673,8 @@ Created clone interfaces: lo1. + Jails can be allowed to use aliases of this secondary loopback interface without interfering with the host. + -Inside a jail, access to the loopback address `127.0.0.1` is redirected to the first IP address assigned to the jail. To make the jail loopback correspond with the new `lo1` interface, that interface must be specified first in the list of interfaces and IP addresses given when creating a new jail. +Inside a jail, access to the loopback address `127.0.0.1` is redirected to the first IP address assigned to the jail. +To make the jail loopback correspond with the new `lo1` interface, that interface must be specified first in the list of interfaces and IP addresses given when creating a new jail. + Give each jail a unique loopback address in the `127.0.0.0/8` netblock. . Install package:sysutils/ezjail[]: @@ -631,16 +702,21 @@ ezjail_enable="YES" [[jails-ezjail-initialsetup]] === Initial Setup -With ezjail installed, the basejail directory structure can be created and populated. This step is only needed once on the jail host computer. +With ezjail installed, the basejail directory structure can be created and populated. +This step is only needed once on the jail host computer. -In both of these examples, `-p` causes the ports tree to be retrieved with man:portsnap[8] into the basejail. That single copy of the ports directory will be shared by all the jails. Using a separate copy of the ports directory for jails isolates them from the host. The ezjailFAQ explains in more detail: http://erdgeist.org/arts/software/ezjail/#FAQ[]. +In both of these examples, `-p` causes the ports tree to be retrieved with man:portsnap[8] into the basejail. +That single copy of the ports directory will be shared by all the jails. +Using a separate copy of the ports directory for jails isolates them from the host. +The ezjailFAQ explains in more detail: http://erdgeist.org/arts/software/ezjail/#FAQ[]. [[jails-ezjail-initialsetup-procedure]] [.procedure] . To Populate the Jail with FreeBSD-RELEASE + -For a basejail based on the FreeBSD RELEASE matching that of the host computer, use `install`. For example, on a host computer running FreeBSD 10-STABLE, the latest RELEASE version of FreeBSD -10 will be installed in the jail): +For a basejail based on the FreeBSD RELEASE matching that of the host computer, use `install`. +For example, on a host computer running FreeBSD 10-STABLE, the latest RELEASE version of FreeBSD -10 will be installed in the jail): + [source,shell] .... @@ -651,25 +727,32 @@ For a basejail based on the FreeBSD RELEASE matching that of the host computer, + The basejail can be installed from binaries created by `buildworld` on the host with `ezjail-admin update`. + -In this example, FreeBSD 10-STABLE has been built from source. The jail directories are created. Then `installworld` is executed, installing the host's [.filename]#/usr/obj# into the basejail. +In this example, FreeBSD 10-STABLE has been built from source. +The jail directories are created. +Then `installworld` is executed, installing the host's [.filename]#/usr/obj# into the basejail. + [source,shell] .... # ezjail-admin update -i -p .... + -The host's [.filename]#/usr/src# is used by default. A different source directory on the host can be specified with `-s` and a path, or set with `ezjail_sourcetree` in [.filename]#/usr/local/etc/ezjail.conf#. +The host's [.filename]#/usr/src# is used by default. +A different source directory on the host can be specified with `-s` and a path, or set with `ezjail_sourcetree` in [.filename]#/usr/local/etc/ezjail.conf#. [TIP] ==== - -The basejail's ports tree is shared by other jails. However, downloaded distfiles are stored in the jail that downloaded them. By default, these files are stored in [.filename]#/var/ports/distfiles# within each jail. [.filename]#/var/ports# inside each jail is also used as a work directory when building ports. +The basejail's ports tree is shared by other jails. +However, downloaded distfiles are stored in the jail that downloaded them. +By default, these files are stored in [.filename]#/var/ports/distfiles# within each jail. +[.filename]#/var/ports# inside each jail is also used as a work directory when building ports. ==== [TIP] ==== - -The FTP protocol is used by default to download packages for the installation of the basejail. Firewall or proxy configurations can prevent or interfere with FTP transfers. The HTTP protocol works differently and avoids these problems. It can be chosen by specifying a full URL for a particular download mirror in [.filename]#/usr/local/etc/ezjail.conf#: +The FTP protocol is used by default to download packages for the installation of the basejail. +Firewall or proxy configurations can prevent or interfere with FTP transfers. +The HTTP protocol works differently and avoids these problems. +It can be chosen by specifying a full URL for a particular download mirror in [.filename]#/usr/local/etc/ezjail.conf#: [.programlisting] .... @@ -682,7 +765,9 @@ See crossref:mirrors[mirrors-ftp,“FTP Sites”] for a list of sites. [[jails-ezjail-create]] === Creating and Starting a New Jail -New jails are created with `ezjail-admin create`. In these examples, the `lo1` loopback interface is used as described above. +New jails are created with `ezjail-admin create`. +In these examples, the `lo1` loopback interface is used as described above. + [[jails-ezjail-create-steps]] [.procedure] .Procedure: Create and Start a New Jail @@ -695,10 +780,15 @@ New jails are created with `ezjail-admin create`. In these examples, the `lo1` l + [TIP] ==== +Most network services run in jails without problems. +A few network services, most notably man:ping[8], use _raw network sockets_. +In jails, raw network sockets are disabled by default for security. +Services that require them will not work. -Most network services run in jails without problems. A few network services, most notably man:ping[8], use _raw network sockets_. In jails, raw network sockets are disabled by default for security. Services that require them will not work. - -Occasionally, a jail genuinely needs raw sockets. For example, network monitoring applications often use man:ping[8] to check the availability of other computers. When raw network sockets are actually needed in a jail, they can be enabled by editing the ezjail configuration file for the individual jail, [.filename]#/usr/local/etc/ezjail/jailname#. Modify the `parameters` entry: +Occasionally, a jail genuinely needs raw sockets. +For example, network monitoring applications often use man:ping[8] to check the availability of other computers. +When raw network sockets are actually needed in a jail, they can be enabled by editing the ezjail configuration file for the individual jail, [.filename]#/usr/local/etc/ezjail/jailname#. +Modify the `parameters` entry: [.programlisting] .... @@ -722,7 +812,8 @@ Do not enable raw network sockets unless services in the jail actually require t # ezjail-admin console dnsjail .... -The jail is operating and additional configuration can be completed. Typical settings added at this point include: +The jail is operating and additional configuration can be completed. +Typical settings added at this point include: [.procedure] . Set the `root` Password @@ -740,7 +831,9 @@ Retype New Password: . Time Zone Configuration + -The jail's time zone can be set with man:tzsetup[8]. To avoid spurious error messages, the man:adjkerntz[8] entry in [.filename]#/etc/crontab# can be commented or removed. This job attempts to update the computer's hardware clock with time zone changes, but jails are not allowed to access that hardware. +The jail's time zone can be set with man:tzsetup[8]. +To avoid spurious error messages, the man:adjkerntz[8] entry in [.filename]#/etc/crontab# can be commented or removed. +This job attempts to update the computer's hardware clock with time zone changes, but jails are not allowed to access that hardware. . DNS Servers + Enter domain name server lines in [.filename]#/etc/resolv.conf# so DNS works in the jail. @@ -749,14 +842,17 @@ Enter domain name server lines in [.filename]#/etc/resolv.conf# so DNS works in Change the address and add the jail name to the `localhost` entries in [.filename]#/etc/hosts#. . Configure [.filename]#/etc/rc.conf# + -Enter configuration settings in [.filename]#/etc/rc.conf#. This is much like configuring a full computer. The host name and IP address are not set here. Those values are already provided by the jail configuration. +Enter configuration settings in [.filename]#/etc/rc.conf#. +This is much like configuring a full computer. +The host name and IP address are not set here. +Those values are already provided by the jail configuration. With the jail configured, the applications for which the jail was created can be installed. [TIP] ==== - -Some ports must be built with special options to be used in a jail. For example, both of the network monitoring plugin packages package:net-mgmt/nagios-plugins[] and package:net-mgmt/monitoring-plugins[] have a `JAIL` option which must be enabled for them to work correctly inside a jail. +Some ports must be built with special options to be used in a jail. +For example, both of the network monitoring plugin packages package:net-mgmt/nagios-plugins[] and package:net-mgmt/monitoring-plugins[] have a `JAIL` option which must be enabled for them to work correctly inside a jail. ==== [[jails-ezjail-update]] @@ -765,7 +861,8 @@ Some ports must be built with special options to be used in a jail. For example, [[jails-ezjail-update-os]] ==== Updating the Operating System -Because the basejail's copy of the userland is shared by the other jails, updating the basejail automatically updates all of the other jails. Either source or binary updates can be used. +Because the basejail's copy of the userland is shared by the other jails, updating the basejail automatically updates all of the other jails. +Either source or binary updates can be used. To build the world from source on the host, then install it in the basejail, use: @@ -781,16 +878,22 @@ If the world has already been compiled on the host, install it in the basejail w # ezjail-admin update -i .... -Binary updates use man:freebsd-update[8]. These updates have the same limitations as if man:freebsd-update[8] were being run directly. The most important one is that only -RELEASE versions of FreeBSD are available with this method. +Binary updates use man:freebsd-update[8]. +These updates have the same limitations as if man:freebsd-update[8] were being run directly. +The most important one is that only -RELEASE versions of FreeBSD are available with this method. -Update the basejail to the latest patched release of the version of FreeBSD on the host. For example, updating from RELEASE-p1 to RELEASE-p2. +Update the basejail to the latest patched release of the version of FreeBSD on the host. +For example, updating from RELEASE-p1 to RELEASE-p2. [source,shell] .... # ezjail-admin update -u .... -To upgrade the basejail to a new version, first upgrade the host system as described in crossref:cutting-edge[freebsdupdate-upgrade,“Performing Major and Minor Version Upgrades”]. Once the host has been upgraded and rebooted, the basejail can then be upgraded. man:freebsd-update[8] has no way of determining which version is currently installed in the basejail, so the original version must be specified. Use man:file[1] to determine the original version in the basejail: +To upgrade the basejail to a new version, first upgrade the host system as described in crossref:cutting-edge[freebsdupdate-upgrade,“Performing Major and Minor Version Upgrades”]. +Once the host has been upgraded and rebooted, the basejail can then be upgraded. +man:freebsd-update[8] has no way of determining which version is currently installed in the basejail, so the original version must be specified. +Use man:file[1] to determine the original version in the basejail: [source,shell] .... @@ -807,13 +910,15 @@ Now use this information to perform the upgrade from `9.3-RELEASE` to the curren After updating the basejail, man:mergemaster[8] must be run to update each jail's configuration files. -How to use man:mergemaster[8] depends on the purpose and trustworthiness of a jail. If a jail's services or users are not trusted, then man:mergemaster[8] should only be run from within that jail: +How to use man:mergemaster[8] depends on the purpose and trustworthiness of a jail. +If a jail's services or users are not trusted, then man:mergemaster[8] should only be run from within that jail: [[jails-ezjail-update-mergemaster-untrusted]] .man:mergemaster[8] on Untrusted Jail [example] ==== -Delete the link from the jail's [.filename]#/usr/src# into the basejail and create a new [.filename]#/usr/src# in the jail as a mountpoint. Mount the host computer's [.filename]#/usr/src# read-only on the jail's new [.filename]#/usr/src# mountpoint: +Delete the link from the jail's [.filename]#/usr/src# into the basejail and create a new [.filename]#/usr/src# in the jail as a mountpoint. +Mount the host computer's [.filename]#/usr/src# read-only on the jail's new [.filename]#/usr/src# mountpoint: [source,shell] .... @@ -829,7 +934,8 @@ Get a console in the jail: # ezjail-admin console jailname .... -Inside the jail, run `mergemaster`. Then exit the jail console: +Inside the jail, run `mergemaster`. +Then exit the jail console: [source,shell] .... @@ -863,8 +969,8 @@ If the users and services in a jail are trusted, man:mergemaster[8] can be run f [TIP] ==== - -After a major version update it is recommended by package:sysutils/ezjail[] to make sure your `pkg` is of the correct version. Therefore enter: +After a major version update it is recommended by package:sysutils/ezjail[] to make sure your `pkg` is of the correct version. +Therefore enter: [source,shell] .... @@ -877,7 +983,8 @@ to upgrade or downgrade to the appropriate version. [[jails-ezjail-update-ports]] ==== Updating Ports -The ports tree in the basejail is shared by the other jails. Updating that copy of the ports tree gives the other jails the updated version also. +The ports tree in the basejail is shared by the other jails. +Updating that copy of the ports tree gives the other jails the updated version also. The basejail ports tree is updated with man:portsnap[8]: @@ -892,7 +999,8 @@ The basejail ports tree is updated with man:portsnap[8]: [[jails-ezjail-control-stop-start]] ==== Stopping and Starting Jails -ezjail automatically starts jails when the computer is started. Jails can be manually stopped and restarted with `stop` and `start`: +ezjail automatically starts jails when the computer is started. +Jails can be manually stopped and restarted with `stop` and `start`: [source,shell] .... @@ -900,14 +1008,16 @@ ezjail automatically starts jails when the computer is started. Jails can be man Stopping jails: sambajail. .... -By default, jails are started automatically when the host computer starts. Autostarting can be disabled with `config`: +By default, jails are started automatically when the host computer starts. +Autostarting can be disabled with `config`: [source,shell] .... # ezjail-admin config -r norun seldomjail .... -This takes effect the next time the host computer is started. A jail that is already running will not be stopped. +This takes effect the next time the host computer is started. +A jail that is already running will not be stopped. Enabling autostart is very similar: @@ -919,9 +1029,13 @@ Enabling autostart is very similar: [[jails-ezjail-control-backup]] ==== Archiving and Restoring Jails -Use `archive` to create a [.filename]#.tar.gz# archive of a jail. The file name is composed from the name of the jail and the current date. Archive files are written to the archive directory, [.filename]#/usr/jails/ezjail_archives#. A different archive directory can be chosen by setting `ezjail_archivedir` in the configuration file. +Use `archive` to create a [.filename]#.tar.gz# archive of a jail. +The file name is composed from the name of the jail and the current date. +Archive files are written to the archive directory, [.filename]#/usr/jails/ezjail_archives#. +A different archive directory can be chosen by setting `ezjail_archivedir` in the configuration file. -The archive file can be copied elsewhere as a backup, or an existing jail can be restored from it with `restore`. A new jail can be created from the archive, providing a convenient way to clone existing jails. +The archive file can be copied elsewhere as a backup, or an existing jail can be restored from it with `restore`. +A new jail can be created from the archive, providing a convenient way to clone existing jails. Stop and archive a jail named `wwwserver`: @@ -934,7 +1048,8 @@ Stopping jails: wwwserver. wwwserver-201407271153.13.tar.gz .... -Create a new jail named `wwwserver-clone` from the archive created in the previous step. Use the [.filename]#em1# interface and assign a new IP address to avoid conflict with the original: +Create a new jail named `wwwserver-clone` from the archive created in the previous step. +Use the [.filename]#em1# interface and assign a new IP address to avoid conflict with the original: [source,shell] .... @@ -944,7 +1059,8 @@ Create a new jail named `wwwserver-clone` from the archive created in the previo [[jails-ezjail-example-bind]] === Full Example: BIND in a Jail -Putting the BINDDNS server in a jail improves security by isolating it. This example creates a simple caching-only name server. +Putting the BINDDNS server in a jail improves security by isolating it. +This example creates a simple caching-only name server. * The jail will be called `dns1`. * The jail will use IP address `192.168.1.240` on the host's `re0` interface. @@ -1010,7 +1126,8 @@ Still using the jail console, install package:dns/bind99[]. Configure the name server by editing [.filename]#/usr/local/etc/namedb/named.conf#. -Create an Access Control List (ACL) of addresses and networks that are permitted to send DNS queries to this name server. This section is added just before the `options` section already in the file: +Create an Access Control List (ACL) of addresses and networks that are permitted to send DNS queries to this name server. +This section is added just before the `options` section already in the file: [.programlisting] .... @@ -1034,7 +1151,8 @@ Use the jail IP address in the `listen-on` setting to accept DNS queries from ot listen-on { 192.168.1.240; }; .... -A simple caching-only DNS name server is created by changing the `forwarders` section. The original file contains: +A simple caching-only DNS name server is created by changing the `forwarders` section. +The original file contains: [.programlisting] .... @@ -1045,7 +1163,9 @@ A simple caching-only DNS name server is created by changing the `forwarders` se */ .... -Uncomment the section by removing the `/\*` and `*/` lines. Enter the IP addresses of the upstream DNS servers. Immediately after the `forwarders` section, add references to the `trusted` ACL defined earlier: +Uncomment the section by removing the `/\*` and `*/` lines. +Enter the IP addresses of the upstream DNS servers. +Immediately after the `forwarders` section, add references to the `trusted` ACL defined earlier: [.programlisting] .... @@ -1083,16 +1203,19 @@ A response that includes ;; Got answer; .... -shows that the new DNS server is working. A long delay followed by a response including +shows that the new DNS server is working. +A long delay followed by a response including [source,shell] .... ;; connection timed out; no servers could be reached .... -shows a problem. Check the configuration settings and make sure any local firewalls allow the new DNS access to the upstream DNS servers. +shows a problem. +Check the configuration settings and make sure any local firewalls allow the new DNS access to the upstream DNS servers. -The new DNS server can use itself for local name resolution, just like other local computers. Set the address of the DNS server in the client computer's [.filename]#/etc/resolv.conf#: +The new DNS server can use itself for local name resolution, just like other local computers. +Set the address of the DNS server in the client computer's [.filename]#/etc/resolv.conf#: [.programlisting] .... diff --git a/documentation/content/en/books/handbook/kernelconfig/_index.adoc b/documentation/content/en/books/handbook/kernelconfig/_index.adoc index 4b7119dbcf..a9031c43b0 100644 --- a/documentation/content/en/books/handbook/kernelconfig/_index.adoc +++ b/documentation/content/en/books/handbook/kernelconfig/_index.adoc @@ -46,7 +46,9 @@ toc::[] [[kernelconfig-synopsis]] == Synopsis -The kernel is the core of the FreeBSD operating system. It is responsible for managing memory, enforcing security controls, networking, disk access, and much more. While much of FreeBSD is dynamically configurable, it is still occasionally necessary to configure and compile a custom kernel. +The kernel is the core of the FreeBSD operating system. +It is responsible for managing memory, enforcing security controls, networking, disk access, and much more. +While much of FreeBSD is dynamically configurable, it is still occasionally necessary to configure and compile a custom kernel. After reading this chapter, you will know: @@ -62,21 +64,32 @@ All of the commands listed in the examples in this chapter should be executed as [[kernelconfig-custom-kernel]] == Why Build a Custom Kernel? -Traditionally, FreeBSD used a monolithic kernel. The kernel was one large program, supported a fixed list of devices, and in order to change the kernel's behavior, one had to compile and then reboot into a new kernel. +Traditionally, FreeBSD used a monolithic kernel. +The kernel was one large program, supported a fixed list of devices, and in order to change the kernel's behavior, one had to compile and then reboot into a new kernel. -Today, most of the functionality in the FreeBSD kernel is contained in modules which can be dynamically loaded and unloaded from the kernel as necessary. This allows the running kernel to adapt immediately to new hardware and for new functionality to be brought into the kernel. This is known as a modular kernel. +Today, most of the functionality in the FreeBSD kernel is contained in modules which can be dynamically loaded and unloaded from the kernel as necessary. +This allows the running kernel to adapt immediately to new hardware and for new functionality to be brought into the kernel. +This is known as a modular kernel. -Occasionally, it is still necessary to perform static kernel configuration. Sometimes the needed functionality is so tied to the kernel that it can not be made dynamically loadable. Some security environments prevent the loading and unloading of kernel modules and require that only needed functionality is statically compiled into the kernel. +Occasionally, it is still necessary to perform static kernel configuration. +Sometimes the needed functionality is so tied to the kernel that it can not be made dynamically loadable. +Some security environments prevent the loading and unloading of kernel modules and require that only needed functionality is statically compiled into the kernel. -Building a custom kernel is often a rite of passage for advanced BSD users. This process, while time consuming, can provide benefits to the FreeBSD system. Unlike the [.filename]#GENERIC# kernel, which must support a wide range of hardware, a custom kernel can be stripped down to only provide support for that computer's hardware. This has a number of benefits, such as: +Building a custom kernel is often a rite of passage for advanced BSD users. +This process, while time consuming, can provide benefits to the FreeBSD system. +Unlike the [.filename]#GENERIC# kernel, which must support a wide range of hardware, a custom kernel can be stripped down to only provide support for that computer's hardware. +This has a number of benefits, such as: * Faster boot time. Since the kernel will only probe the hardware on the system, the time it takes the system to boot can decrease. * Lower memory usage. A custom kernel often uses less memory than the [.filename]#GENERIC# kernel by omitting unused features and device drivers. This is important because the kernel code remains resident in physical memory at all times, preventing that memory from being used by applications. For this reason, a custom kernel is useful on a system with a small amount of RAM. * Additional hardware support. A custom kernel can add support for devices which are not present in the [.filename]#GENERIC# kernel. -Before building a custom kernel, consider the reason for doing so. If there is a need for specific hardware support, it may already exist as a module. +Before building a custom kernel, consider the reason for doing so. +If there is a need for specific hardware support, it may already exist as a module. -Kernel modules exist in [.filename]#/boot/kernel# and may be dynamically loaded into the running kernel using man:kldload[8]. Most kernel drivers have a loadable module and manual page. For example, the man:ath[4] wireless Ethernet driver has the following information in its manual page: +Kernel modules exist in [.filename]#/boot/kernel# and may be dynamically loaded into the running kernel using man:kldload[8]. +Most kernel drivers have a loadable module and manual page. +For example, the man:ath[4] wireless Ethernet driver has the following information in its manual page: [source,shell,subs="macros"] .... @@ -88,19 +101,24 @@ following line in man:loader.conf[5]: Adding `if_ath_load="YES"` to [.filename]#/boot/loader.conf# will load this module dynamically at boot time. -In some cases, there is no associated module in [.filename]#/boot/kernel#. This is mostly true for certain subsystems. +In some cases, there is no associated module in [.filename]#/boot/kernel#. +This is mostly true for certain subsystems. [[kernelconfig-devices]] == Finding the System Hardware -Before editing the kernel configuration file, it is recommended to perform an inventory of the machine's hardware. On a dual-boot system, the inventory can be created from the other operating system. For example, Microsoft(R)'s Device Manager contains information about installed devices. +Before editing the kernel configuration file, it is recommended to perform an inventory of the machine's hardware. +On a dual-boot system, the inventory can be created from the other operating system. +For example, Microsoft(R)'s Device Manager contains information about installed devices. [NOTE] ==== Some versions of Microsoft(R) Windows(R) have a System icon which can be used to access Device Manager. ==== -If FreeBSD is the only installed operating system, use man:dmesg[8] to determine the hardware that was found and listed during the boot probe. Most device drivers on FreeBSD have a manual page which lists the hardware supported by that driver. For example, the following lines indicate that the man:psm[4] driver found a mouse: +If FreeBSD is the only installed operating system, use man:dmesg[8] to determine the hardware that was found and listed during the boot probe. +Most device drivers on FreeBSD have a manual page which lists the hardware supported by that driver. +For example, the following lines indicate that the man:psm[4] driver found a mouse: [source,shell] .... @@ -114,7 +132,8 @@ Since this hardware exists, this driver should not be removed from a custom kern If the output of `dmesg` does not display the results of the boot probe output, instead read the contents of [.filename]#/var/run/dmesg.boot#. -Another tool for finding hardware is man:pciconf[8], which provides more verbose output. For example: +Another tool for finding hardware is man:pciconf[8], which provides more verbose output. +For example: [source,shell] .... @@ -128,7 +147,8 @@ ath0@pci0:3:0:0: class=0x020000 card=0x058a1014 chip=0x1014168c rev=0x01 This output shows that the [.filename]#ath# driver located a wireless Ethernet device. -The `-k` flag of man:man[1] can be used to provide useful information. For example, it can be used to display a list of manual pages which contain a particular device brand or name: +The `-k` flag of man:man[1] can be used to provide useful information. +For example, it can be used to display a list of manual pages which contain a particular device brand or name: [source,shell] .... @@ -144,11 +164,19 @@ Once the hardware inventory list is created, refer to it to ensure that drivers In order to create a custom kernel configuration file and build a custom kernel, the full FreeBSD source tree must first be installed. -If [.filename]#/usr/src/# does not exist or it is empty, source has not been installed. Source can be installed using Subversion and the instructions in crossref:mirrors[svn,“Using Subversion”]. +If [.filename]#/usr/src/# does not exist or it is empty, source has not been installed. +Source can be installed using Subversion and the instructions in crossref:mirrors[svn,“Using Subversion”]. -Once source is installed, review the contents of [.filename]#/usr/src/sys#. This directory contains a number of subdirectories, including those which represent the following supported architectures: [.filename]#amd64#, [.filename]#i386#, [.filename]#powerpc#, and [.filename]#sparc64#. Everything inside a particular architecture's directory deals with that architecture only and the rest of the code is machine independent code common to all platforms. Each supported architecture has a [.filename]#conf# subdirectory which contains the [.filename]#GENERIC# kernel configuration file for that architecture. +Once source is installed, review the contents of [.filename]#/usr/src/sys#. +This directory contains a number of subdirectories, including those which represent the following supported architectures: [.filename]#amd64#, [.filename]#i386#, [.filename]#powerpc#, and [.filename]#sparc64#. +Everything inside a particular architecture's directory deals with that architecture only and the rest of the code is machine independent code common to all platforms. +Each supported architecture has a [.filename]#conf# subdirectory which contains the [.filename]#GENERIC# kernel configuration file for that architecture. -Do not make edits to [.filename]#GENERIC#. Instead, copy the file to a different name and make edits to the copy. The convention is to use a name with all capital letters. When maintaining multiple FreeBSD machines with different hardware, it is a good idea to name it after the machine's hostname. This example creates a copy, named [.filename]#MYKERNEL#, of the [.filename]#GENERIC# configuration file for the `amd64` architecture: +Do not make edits to [.filename]#GENERIC#. +Instead, copy the file to a different name and make edits to the copy. +The convention is to use a name with all capital letters. +When maintaining multiple FreeBSD machines with different hardware, it is a good idea to name it after the machine's hostname. +This example creates a copy, named [.filename]#MYKERNEL#, of the [.filename]#GENERIC# configuration file for the `amd64` architecture: [source,shell] .... @@ -156,21 +184,27 @@ Do not make edits to [.filename]#GENERIC#. Instead, copy the file to a different # cp GENERIC MYKERNEL .... -[.filename]#MYKERNEL# can now be customized with any `ASCII` text editor. The default editor is vi, though an easier editor for beginners, called ee, is also installed with FreeBSD. +[.filename]#MYKERNEL# can now be customized with any `ASCII` text editor. +The default editor is vi, though an easier editor for beginners, called ee, is also installed with FreeBSD. -The format of the kernel configuration file is simple. Each line contains a keyword that represents a device or subsystem, an argument, and a brief description. Any text after a `#` is considered a comment and ignored. To remove kernel support for a device or subsystem, put a `#` at the beginning of the line representing that device or subsystem. Do not add or remove a `#` for any line that you do not understand. +The format of the kernel configuration file is simple. +Each line contains a keyword that represents a device or subsystem, an argument, and a brief description. +Any text after a `#` is considered a comment and ignored. +To remove kernel support for a device or subsystem, put a `#` at the beginning of the line representing that device or subsystem. +Do not add or remove a `#` for any line that you do not understand. [WARNING] ==== - -It is easy to remove support for a device or option and end up with a broken kernel. For example, if the man:ata[4] driver is removed from the kernel configuration file, a system using `ATA` disk drivers may not boot. When in doubt, just leave support in the kernel. +It is easy to remove support for a device or option and end up with a broken kernel. +For example, if the man:ata[4] driver is removed from the kernel configuration file, a system using `ATA` disk drivers may not boot. +When in doubt, just leave support in the kernel. ==== -In addition to the brief descriptions provided in this file, additional descriptions are contained in [.filename]#NOTES#, which can be found in the same directory as [.filename]#GENERIC# for that architecture. For architecture independent options, refer to [.filename]#/usr/src/sys/conf/NOTES#. +In addition to the brief descriptions provided in this file, additional descriptions are contained in [.filename]#NOTES#, which can be found in the same directory as [.filename]#GENERIC# for that architecture. +For architecture independent options, refer to [.filename]#/usr/src/sys/conf/NOTES#. [TIP] ==== - When finished customizing the kernel configuration file, save a backup copy to a location outside of [.filename]#/usr/src#. Alternately, keep the kernel configuration file elsewhere and create a symbolic link to the file: @@ -185,7 +219,9 @@ Alternately, keep the kernel configuration file elsewhere and create a symbolic ==== -An `include` directive is available for use in configuration files. This allows another configuration file to be included in the current one, making it easy to maintain small changes relative to an existing file. If only a small number of additional options or drivers are required, this allows a delta to be maintained with respect to [.filename]#GENERIC#, as seen in this example: +An `include` directive is available for use in configuration files. +This allows another configuration file to be included in the current one, making it easy to maintain small changes relative to an existing file. +If only a small number of additional options or drivers are required, this allows a delta to be maintained with respect to [.filename]#GENERIC#, as seen in this example: [.programlisting] .... @@ -198,7 +234,9 @@ options IPFIREWALL_DEFAULT_TO_ACCEPT options IPDIVERT .... -Using this method, the local configuration file expresses local differences from a [.filename]#GENERIC# kernel. As upgrades are performed, new features added to [.filename]#GENERIC# will also be added to the local kernel unless they are specifically prevented using `nooptions` or `nodevice`. A comprehensive list of configuration directives and their descriptions may be found in man:config[5]. +Using this method, the local configuration file expresses local differences from a [.filename]#GENERIC# kernel. +As upgrades are performed, new features added to [.filename]#GENERIC# will also be added to the local kernel unless they are specifically prevented using `nooptions` or `nodevice`. +A comprehensive list of configuration directives and their descriptions may be found in man:config[5]. [NOTE] ==== @@ -241,7 +279,8 @@ Once the edits to the custom configuration file have been saved, the source code . Shutdown the system and reboot into the new kernel. If something goes wrong, refer to <<kernelconfig-noboot, The kernel does not boot>>. -By default, when a custom kernel is compiled, all kernel modules are rebuilt. To update a kernel faster or to build only custom modules, edit [.filename]#/etc/make.conf# before starting to build the kernel. +By default, when a custom kernel is compiled, all kernel modules are rebuilt. +To update a kernel faster or to build only custom modules, edit [.filename]#/etc/make.conf# before starting to build the kernel. For example, this variable specifies the list of modules to build instead of using the default of building all modules: @@ -257,7 +296,8 @@ Alternately, this variable lists which modules to exclude from the build process WITHOUT_MODULES = linux acpi sound .... -Additional variables are available. Refer to man:make.conf[5] for details. +Additional variables are available. +Refer to man:make.conf[5] for details. [[kernelconfig-trouble]] == If Something Goes Wrong @@ -265,7 +305,8 @@ Additional variables are available. Refer to man:make.conf[5] for details. There are four categories of trouble that can occur when building a custom kernel: `config` fails:: -If `config` fails, it will print the line number that is incorrect. As an example, for the following message, make sure that line 17 is typed correctly by comparing it to [.filename]#GENERIC# or [.filename]#NOTES#: +If `config` fails, it will print the line number that is incorrect. +As an example, for the following message, make sure that line 17 is typed correctly by comparing it to [.filename]#GENERIC# or [.filename]#NOTES#: + [source,shell] .... @@ -273,16 +314,25 @@ config: line 17: syntax error .... `make` fails:: -If `make` fails, it is usually due to an error in the kernel configuration file which is not severe enough for `config` to catch. Review the configuration, and if the problem is not apparent, send an email to the {freebsd-questions} which contains the kernel configuration file. +If `make` fails, it is usually due to an error in the kernel configuration file which is not severe enough for `config` to catch. +Review the configuration, and if the problem is not apparent, send an email to the {freebsd-questions} which contains the kernel configuration file. + [[kernelconfig-noboot]] The kernel does not boot:: -If the new kernel does not boot or fails to recognize devices, do not panic! Fortunately, FreeBSD has an excellent mechanism for recovering from incompatible kernels. Simply choose the kernel to boot from at the FreeBSD boot loader. This can be accessed when the system boot menu appears by selecting the "Escape to a loader prompt" option. At the prompt, type `boot _kernel.old_`, or the name of any other kernel that is known to boot properly. +If the new kernel does not boot or fails to recognize devices, do not panic! Fortunately, FreeBSD has an excellent mechanism for recovering from incompatible kernels. +Simply choose the kernel to boot from at the FreeBSD boot loader. +This can be accessed when the system boot menu appears by selecting the "Escape to a loader prompt" option. +At the prompt, type `boot _kernel.old_`, or the name of any other kernel that is known to boot properly. + -After booting with a good kernel, check over the configuration file and try to build it again. One helpful resource is [.filename]#/var/log/messages# which records the kernel messages from every successful boot. Also, man:dmesg[8] will print the kernel messages from the current boot. +After booting with a good kernel, check over the configuration file and try to build it again. +One helpful resource is [.filename]#/var/log/messages# which records the kernel messages from every successful boot. +Also, man:dmesg[8] will print the kernel messages from the current boot. + [NOTE] ==== -When troubleshooting a kernel, make sure to keep a copy of [.filename]#GENERIC#, or some other kernel that is known to work, as a different name that will not get erased on the next build. This is important because every time a new kernel is installed, [.filename]#kernel.old# is overwritten with the last installed kernel, which may or may not be bootable. As soon as possible, move the working kernel by renaming the directory containing the good kernel: +When troubleshooting a kernel, make sure to keep a copy of [.filename]#GENERIC#, or some other kernel that is known to work, as a different name that will not get erased on the next build. +This is important because every time a new kernel is installed, [.filename]#kernel.old# is overwritten with the last installed kernel, which may or may not be bootable. +As soon as possible, move the working kernel by renaming the directory containing the good kernel: [source,shell] .... @@ -293,4 +343,6 @@ When troubleshooting a kernel, make sure to keep a copy of [.filename]#GENERIC#, ==== The kernel works, but man:ps[1] does not:: -If the kernel version differs from the one that the system utilities have been built with, for example, a kernel built from -CURRENT sources is installed on a -RELEASE system, many system status commands like man:ps[1] and man:vmstat[8] will not work. To fix this, crossref:cutting-edge[makeworld,recompile and install a world] built with the same version of the source tree as the kernel. It is never a good idea to use a different version of the kernel than the rest of the operating system. +If the kernel version differs from the one that the system utilities have been built with, for example, a kernel built from -CURRENT sources is installed on a -RELEASE system, many system status commands like man:ps[1] and man:vmstat[8] will not work. +To fix this, crossref:cutting-edge[makeworld,recompile and install a world] built with the same version of the source tree as the kernel. +It is never a good idea to use a different version of the kernel than the rest of the operating system. diff --git a/documentation/content/en/books/handbook/l10n/_index.adoc b/documentation/content/en/books/handbook/l10n/_index.adoc index b7f0814f97..f6ae5652f6 100644 --- a/documentation/content/en/books/handbook/l10n/_index.adoc +++ b/documentation/content/en/books/handbook/l10n/_index.adoc @@ -46,11 +46,16 @@ toc::[] [[l10n-synopsis]] == Synopsis -FreeBSD is a distributed project with users and contributors located all over the world. As such, FreeBSD supports localization into many languages, allowing users to view, input, or process data in non-English languages. One can choose from most of the major languages, including, but not limited to: Chinese, German, Japanese, Korean, French, Russian, and Vietnamese. +FreeBSD is a distributed project with users and contributors located all over the world. +As such, FreeBSD supports localization into many languages, allowing users to view, input, or process data in non-English languages. +One can choose from most of the major languages, including, but not limited to: Chinese, German, Japanese, Korean, French, Russian, and Vietnamese. -The term internationalization has been shortened to i18n, which represents the number of letters between the first and the last letters of `internationalization`. L10n uses the same naming scheme, but from `localization`. The i18n/L10n methods, protocols, and applications allow users to use languages of their choice. +The term internationalization has been shortened to i18n, which represents the number of letters between the first and the last letters of `internationalization`. +L10n uses the same naming scheme, but from `localization`. +The i18n/L10n methods, protocols, and applications allow users to use languages of their choice. -This chapter discusses the internationalization and localization features of FreeBSD. After reading this chapter, you will know: +This chapter discusses the internationalization and localization features of FreeBSD. +After reading this chapter, you will know: * How locale names are constructed. * How to set the locale for a login shell. @@ -66,14 +71,16 @@ Before reading this chapter, you should: [[using-localization]] == Using Localization -Localization settings are based on three components: the language code, country code, and encoding. Locale names are constructed from these parts as follows: +Localization settings are based on three components: the language code, country code, and encoding. +Locale names are constructed from these parts as follows: [.programlisting] .... LanguageCode_CountryCode.Encoding .... -The _LanguageCode_ and _CountryCode_ are used to determine the country and the specific language variation. <<locale-lang-country>> provides some examples of __LanguageCode_CountryCode__: +The _LanguageCode_ and _CountryCode_ are used to determine the country and the specific language variation. +<<locale-lang-country>> provides some examples of __LanguageCode_CountryCode__: [[locale-lang-country]] .Common Language and Country Codes @@ -106,16 +113,21 @@ To determine the current locale setting: % locale .... -Language specific character sets, such as ISO8859-1, ISO8859-15, KOI8-R, and CP437, are described in man:multibyte[3]. The active list of character sets can be found at the http://www.iana.org/assignments/character-sets[IANA Registry]. +Language specific character sets, such as ISO8859-1, ISO8859-15, KOI8-R, and CP437, are described in man:multibyte[3]. +The active list of character sets can be found at the http://www.iana.org/assignments/character-sets[IANA Registry]. -Some languages, such as Chinese or Japanese, cannot be represented using ASCII characters and require an extended language encoding using either wide or multibyte characters. Examples of wide or multibyte encodings include EUC and Big5. Older applications may mistake these encodings for control characters while newer applications usually recognize these characters. Depending on the implementation, users may be required to compile an application with wide or multibyte character support, or to configure it correctly. +Some languages, such as Chinese or Japanese, cannot be represented using ASCII characters and require an extended language encoding using either wide or multibyte characters. +Examples of wide or multibyte encodings include EUC and Big5. +Older applications may mistake these encodings for control characters while newer applications usually recognize these characters. +Depending on the implementation, users may be required to compile an application with wide or multibyte character support, or to configure it correctly. [NOTE] ==== FreeBSD uses Xorg-compatible locale encodings. ==== -The rest of this section describes the various methods for configuring the locale on a FreeBSD system. The next section will discuss the considerations for finding and compiling applications with i18n support. +The rest of this section describes the various methods for configuring the locale on a FreeBSD system. +The next section will discuss the considerations for finding and compiling applications with i18n support. [[setting-locale]] === Setting Locale for Login Shell @@ -129,12 +141,14 @@ Two environment variables should be set: In addition to the user's shell configuration, these variables should also be set for specific application configuration and Xorg configuration. -Two methods are available for making the needed variable assignments: the <<login-class,login class>> method, which is the recommended method, and the <<startup-file,startup file>> method. The next two sections demonstrate how to use both methods. +Two methods are available for making the needed variable assignments: the <<login-class,login class>> method, which is the recommended method, and the <<startup-file,startup file>> method. +The next two sections demonstrate how to use both methods. [[login-class]] ==== Login Classes Method -This first method is the recommended method as it assigns the required environment variables for locale name and MIME character sets for every possible shell. This setup can either be performed by each user or it can be configured for all users by the superuser. +This first method is the recommended method as it assigns the required environment variables for locale name and MIME character sets for every possible shell. +This setup can either be performed by each user or it can be configured for all users by the superuser. This minimal example sets both variables for Latin-1 encoding in the [.filename]#.login_conf# of an individual user's home directory: @@ -145,7 +159,8 @@ me:\ :lang=de_DE.ISO8859-1: .... -Here is an example of a user's [.filename]#~/.login_conf# that sets the variables for Traditional Chinese in BIG-5 encoding. More variables are needed because some applications do not correctly respect locale variables for Chinese, Japanese, and Korean: +Here is an example of a user's [.filename]#~/.login_conf# that sets the variables for Traditional Chinese in BIG-5 encoding. +More variables are needed because some applications do not correctly respect locale variables for Chinese, Japanese, and Korean: [.programlisting] .... @@ -158,7 +173,8 @@ me:\ :xmodifiers="@im=gcin": #Set gcin as the XIM Input Server .... -Alternately, the superuser can configure all users of the system for localization. The following variables in [.filename]#/etc/login.conf# are used to set the locale and MIME character set: +Alternately, the superuser can configure all users of the system for localization. +The following variables in [.filename]#/etc/login.conf# are used to set the locale and MIME character set: [.programlisting] .... @@ -178,7 +194,8 @@ german|German Users Accounts:\ :tc=default: .... -See man:login.conf[5] for more details about these variables. Note that it already contains pre-defined _russian_ class. +See man:login.conf[5] for more details about these variables. +Note that it already contains pre-defined _russian_ class. Whenever [.filename]#/etc/login.conf# is edited, remember to execute the following command to update the capability database: @@ -228,7 +245,8 @@ If `pw` is used to add new users, specify the locale as follows: # pw useradd user_name -L language .... -To change the login class of an existing user, `chpass` can be used. Invoke it as superuser and provide the username to edit as the argument. +To change the login class of an existing user, `chpass` can be used. +Invoke it as superuser and provide the username to edit as the argument. [source,shell] .... @@ -239,7 +257,9 @@ To change the login class of an existing user, `chpass` can be used. Invoke it a [[startup-file]] ==== Shell Startup File Method -This second method is not recommended as each shell that is used requires manual configuration, where each shell has a different configuration file and differing syntax. As an example, to set the German language for the `sh` shell, these lines could be added to [.filename]#~/.profile# to set the shell for that user only. These lines could also be added to [.filename]#/etc/profile# or [.filename]#/usr/share/skel/dot.profile# to set that shell for all users: +This second method is not recommended as each shell that is used requires manual configuration, where each shell has a different configuration file and differing syntax. +As an example, to set the German language for the `sh` shell, these lines could be added to [.filename]#~/.profile# to set the shell for that user only. +These lines could also be added to [.filename]#/etc/profile# or [.filename]#/usr/share/skel/dot.profile# to set that shell for all users: [.programlisting] .... @@ -247,7 +267,8 @@ LANG=de_DE.ISO8859-1; export LANG MM_CHARSET=ISO-8859-1; export MM_CHARSET .... -However, the name of the configuration file and the syntax used differs for the `csh` shell. These are the equivalent settings for [.filename]#~/.login#, [.filename]#/etc/csh.login#, or [.filename]#/usr/share/skel/dot.login#: +However, the name of the configuration file and the syntax used differs for the `csh` shell. +These are the equivalent settings for [.filename]#~/.login#, [.filename]#/etc/csh.login#, or [.filename]#/usr/share/skel/dot.login#: [.programlisting] .... @@ -255,7 +276,8 @@ setenv LANG de_DE.ISO8859-1 setenv MM_CHARSET ISO-8859-1 .... -To complicate matters, the syntax needed to configure Xorg in [.filename]#~/.xinitrc# also depends upon the shell. The first example is for the `sh` shell and the second is for the `csh` shell: +To complicate matters, the syntax needed to configure Xorg in [.filename]#~/.xinitrc# also depends upon the shell. +The first example is for the `sh` shell and the second is for the `csh` shell: [.programlisting] .... @@ -272,7 +294,9 @@ setenv LANG de_DE.ISO8859-1 [[setting-console]] === Console Setup -Several localized fonts are available for the console. To see a listing of available fonts, type `ls /usr/share/syscons/fonts`. To configure the console font, specify the _font_name_, without the [.filename]#.fnt# suffix, in [.filename]#/etc/rc.conf#: +Several localized fonts are available for the console. +To see a listing of available fonts, type `ls /usr/share/syscons/fonts`. +To configure the console font, specify the _font_name_, without the [.filename]#.fnt# suffix, in [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -290,13 +314,19 @@ keymap=keymap_name keychange="fkey_number sequence" .... -To see the list of available screenmaps, type `ls /usr/share/syscons/scrnmaps`. Do not include the [.filename]#.scm# suffix when specifying _screenmap_name_. A screenmap with a corresponding mapped font is usually needed as a workaround for expanding bit 8 to bit 9 on a VGA adapter's font character matrix so that letters are moved out of the pseudographics area if the screen font uses a bit 8 column. +To see the list of available screenmaps, type `ls /usr/share/syscons/scrnmaps`. +Do not include the [.filename]#.scm# suffix when specifying _screenmap_name_. +A screenmap with a corresponding mapped font is usually needed as a workaround for expanding bit 8 to bit 9 on a VGA adapter's font character matrix so that letters are moved out of the pseudographics area if the screen font uses a bit 8 column. -To see the list of available keymaps, type `ls /usr/share/syscons/keymaps`. When specifying the _keymap_name_, do not include the [.filename]#.kbd# suffix. To test keymaps without rebooting, use man:kbdmap[1]. +To see the list of available keymaps, type `ls /usr/share/syscons/keymaps`. +When specifying the _keymap_name_, do not include the [.filename]#.kbd# suffix. +To test keymaps without rebooting, use man:kbdmap[1]. The `keychange` entry is usually needed to program function keys to match the selected terminal type because function key sequences cannot be defined in the keymap. -Next, set the correct console terminal type in [.filename]#/etc/ttys# for all virtual terminal entries. <<locale-charset>> summarizes the available terminal types.: +Next, set the correct console terminal type in [.filename]#/etc/ttys# for all virtual terminal entries. +<<locale-charset>> summarizes the available terminal types.: + [[locale-charset]] .Defined Terminal Types for Character Sets [cols="1,1", frame="none", options="header"] @@ -326,7 +356,9 @@ Next, set the correct console terminal type in [.filename]#/etc/ttys# for all vi |`cons25w` |=== -For languages with wide or multibyte characters, install a console for that language from the FreeBSD Ports Collection. The available ports are summarized in <<locale-console>>. Once installed, refer to the port's [.filename]#pkg-message# or man pages for configuration and usage instructions. +For languages with wide or multibyte characters, install a console for that language from the FreeBSD Ports Collection. +The available ports are summarized in <<locale-console>>. +Once installed, refer to the port's [.filename]#pkg-message# or man pages for configuration and usage instructions. [[locale-console]] .Available Console from Ports Collection @@ -354,7 +386,9 @@ For languages with wide or multibyte characters, install a console for that lang |package:japanese/kon2-16dot[] |=== -If moused is enabled in [.filename]#/etc/rc.conf#, additional configuration may be required. By default, the mouse cursor of the man:syscons[4] driver occupies the `0xd0`-`0xd3` range in the character set. If the language uses this range, move the cursor's range by adding the following line to [.filename]#/etc/rc.conf#: +If moused is enabled in [.filename]#/etc/rc.conf#, additional configuration may be required. +By default, the mouse cursor of the man:syscons[4] driver occupies the `0xd0`-`0xd3` range in the character set. +If the language uses this range, move the cursor's range by adding the following line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -363,9 +397,13 @@ mousechar_start=3 === Xorg Setup -crossref:x11[x11,The X Window System] describes how to install and configure Xorg. When configuring Xorg for localization, additional fonts and input methods are available from the FreeBSD Ports Collection. Application specific i18n settings such as fonts and menus can be tuned in [.filename]#~/.Xresources# and should allow users to view their selected language in graphical application menus. +crossref:x11[x11,The X Window System] describes how to install and configure Xorg. +When configuring Xorg for localization, additional fonts and input methods are available from the FreeBSD Ports Collection. +Application specific i18n settings such as fonts and menus can be tuned in [.filename]#~/.Xresources# and should allow users to view their selected language in graphical application menus. -The X Input Method (XIM) protocol is an Xorg standard for inputting non-English characters. <<locale-xim>> summarizes the input method applications which are available in the FreeBSD Ports Collection. Additional Fcitx and Uim applications are also available. +The X Input Method (XIM) protocol is an Xorg standard for inputting non-English characters. +<<locale-xim>> summarizes the input method applications which are available in the FreeBSD Ports Collection. +Additional Fcitx and Uim applications are also available. [[locale-xim]] .Available Input Methods @@ -474,21 +512,28 @@ The X Input Method (XIM) protocol is an Xorg standard for inputting non-English [[l10n-compiling]] == Finding i18n Applications -i18n applications are programmed using i18n kits under libraries. These allow developers to write a simple file and translate displayed menus and texts to each language. +i18n applications are programmed using i18n kits under libraries. +These allow developers to write a simple file and translate displayed menus and texts to each language. -The link:https://www.FreeBSD.org/ports/[FreeBSD Ports Collection] contains many applications with built-in support for wide or multibyte characters for several languages. Such applications include `i18n` in their names for easy identification. However, they do not always support the language needed. +The link:https://www.FreeBSD.org/ports/[FreeBSD Ports Collection] contains many applications with built-in support for wide or multibyte characters for several languages. +Such applications include `i18n` in their names for easy identification. +However, they do not always support the language needed. -Some applications can be compiled with the specific charset. This is usually done in the port's [.filename]#Makefile# or by passing a value to configure. Refer to the i18n documentation in the respective FreeBSD port's source for more information on how to determine the needed configure value or the port's [.filename]#Makefile# to determine which compile options to use when building the port. +Some applications can be compiled with the specific charset. +This is usually done in the port's [.filename]#Makefile# or by passing a value to configure. +Refer to the i18n documentation in the respective FreeBSD port's source for more information on how to determine the needed configure value or the port's [.filename]#Makefile# to determine which compile options to use when building the port. [[lang-setup]] == Locale Configuration for Specific Languages -This section provides configuration examples for localizing a FreeBSD system for the Russian language. It then provides some additional resources for localizing other languages. +This section provides configuration examples for localizing a FreeBSD system for the Russian language. +It then provides some additional resources for localizing other languages. [[ru-localize]] === Russian Language (KOI8-R Encoding) -This section shows the specific settings needed to localize a FreeBSD system for the Russian language. Refer to <<using-localization,Using Localization>> for a more complete description of each type of setting. +This section shows the specific settings needed to localize a FreeBSD system for the Russian language. +Refer to <<using-localization,Using Localization>> for a more complete description of each type of setting. To set this locale for the login shell, add the following lines to each user's [.filename]#~/.login_conf#: @@ -513,7 +558,9 @@ mousechar_start=3 For each `ttyv` entry in [.filename]#/etc/ttys#, use `cons25r` as the terminal type. -To configure printing, a special output filter is needed to convert from KOI8-R to CP866 since most printers with Russian characters come with hardware code page CP866. FreeBSD includes a default filter for this purpose, [.filename]#/usr/libexec/lpr/ru/koi2alt#. To use this filter, add this entry to [.filename]#/etc/printcap#: +To configure printing, a special output filter is needed to convert from KOI8-R to CP866 since most printers with Russian characters come with hardware code page CP866. +FreeBSD includes a default filter for this purpose, [.filename]#/usr/libexec/lpr/ru/koi2alt#. +To use this filter, add this entry to [.filename]#/etc/printcap#: [.programlisting] .... @@ -533,7 +580,8 @@ To configure support for Russian filenames in mounted MS-DOS(R) file systems, in Refer to man:mount_msdosfs[8] for more details. -To configure Russian fonts for Xorg, install the package:x11-fonts/xorg-fonts-cyrillic[] package. Then, check the `"Files"` section in [.filename]#/etc/X11/xorg.conf#. The following line must be added _before_ any other `FontPath` entries: +To configure Russian fonts for Xorg, install the package:x11-fonts/xorg-fonts-cyrillic[] package. +Then, check the `"Files"` section in [.filename]#/etc/X11/xorg.conf#. The following line must be added _before_ any other `FontPath` entries: [.programlisting] .... @@ -552,7 +600,8 @@ Option "XkbOptions" "grp:toggle" Make sure that `XkbDisable` is commented out in that file. -For `grp:toggle` use kbd:[Right Alt], for `grp:ctrl_shift_toggle` use kbd[Ctrl+Shift]. For `grp:caps_toggle` use kbd:[CapsLock]. The old kbd:[CapsLock] function is still available in LAT mode only using kbd[Shift+CapsLock]. `grp:caps_toggle` does not work in Xorg for some unknown reason. +For `grp:toggle` use kbd:[Right Alt], for `grp:ctrl_shift_toggle` use kbd:[Ctrl+Shift]. +For `grp:caps_toggle` use kbd:[CapsLock]. The old kbd:[CapsLock] function is still available in LAT mode only using kbd:[Shift+CapsLock]. `grp:caps_toggle` does not work in Xorg for some unknown reason. If the keyboard has "Windows(R)" keys, and some non-alphabetical keys are mapped incorrectly, add the following line to [.filename]#/etc/xorg.conf#: @@ -563,10 +612,12 @@ Option "XkbVariant" ",winkeys" [NOTE] ==== -The Russian XKB keyboard may not work with non-localized applications. Minimally localized applications should call a `XtSetLanguageProc (NULL, NULL, NULL);` function early in the program. +The Russian XKB keyboard may not work with non-localized applications. +Minimally localized applications should call a `XtSetLanguageProc (NULL, NULL, NULL);` function early in the program. ==== -See http://koi8.pp.ru/xwin.html[http://koi8.pp.ru/xwin.html] for more instructions on localizing Xorg applications. For more general information about KOI8-R encoding, refer to http://koi8.pp.ru/[http://koi8.pp.ru/]. +See http://koi8.pp.ru/xwin.html[http://koi8.pp.ru/xwin.html] for more instructions on localizing Xorg applications. +For more general information about KOI8-R encoding, refer to http://koi8.pp.ru/[http://koi8.pp.ru/]. === Additional Language-Specific Resources @@ -582,4 +633,5 @@ Japanese and Korean Language Localization:: For Japanese, refer to http://www.jp.FreeBSD.org/[http://www.jp.FreeBSD.org/], and for Korean, refer to http://www.kr.FreeBSD.org/[http://www.kr.FreeBSD.org/]. Non-English FreeBSD Documentation:: -Some FreeBSD contributors have translated parts of the FreeBSD documentation to other languages. They are available through links on the link:https://www.FreeBSD.org/[FreeBSD web site] or in [.filename]#/usr/share/doc#. +Some FreeBSD contributors have translated parts of the FreeBSD documentation to other languages. +They are available through links on the link:https://www.FreeBSD.org/[FreeBSD web site] or in [.filename]#/usr/share/doc#. diff --git a/documentation/content/en/books/handbook/linuxemu/_index.adoc b/documentation/content/en/books/handbook/linuxemu/_index.adoc index a8b51ac656..48ecda76ee 100644 --- a/documentation/content/en/books/handbook/linuxemu/_index.adoc +++ b/documentation/content/en/books/handbook/linuxemu/_index.adoc @@ -46,9 +46,11 @@ toc::[] [[linuxemu-synopsis]] == Synopsis -FreeBSD provides binary compatibility with Linux(R), allowing users to install and run most Linux(R) binaries on a FreeBSD system without having to first modify the binary. It has even been reported that, in some situations, Linux(R) binaries perform better on FreeBSD than they do on Linux(R). +FreeBSD provides binary compatibility with Linux(R), allowing users to install and run most Linux(R) binaries on a FreeBSD system without having to first modify the binary. +It has even been reported that, in some situations, Linux(R) binaries perform better on FreeBSD than they do on Linux(R). -However, some Linux(R)-specific operating system features are not supported under FreeBSD. For example, Linux(R) binaries will not work on FreeBSD if they overly use i386(TM) specific calls, such as enabling virtual 8086 mode. +However, some Linux(R)-specific operating system features are not supported under FreeBSD. +For example, Linux(R) binaries will not work on FreeBSD if they overly use i386(TM) specific calls, such as enabling virtual 8086 mode. [NOTE] ==== @@ -69,7 +71,8 @@ Before reading this chapter, you should: [[linuxemu-lbc-install]] == Configuring Linux(R) Binary Compatibility -By default, Linux(R) libraries are not installed and Linux(R) binary compatibility is not enabled. Linux(R) libraries can either be installed manually or from the FreeBSD Ports Collection. +By default, Linux(R) libraries are not installed and Linux(R) binary compatibility is not enabled. +Linux(R) libraries can either be installed manually or from the FreeBSD Ports Collection. Before attempting to build the port, load the Linux(R) kernel module, otherwise the build will fail: @@ -95,7 +98,8 @@ To verify that the module is loaded: 7 1 0xc24db000 d000 linux.ko .... -The package:emulators/linux_base-c7[] package or port is the easiest way to install a base set of Linux(R) libraries and binaries on a FreeBSD system. To install the port: +The package:emulators/linux_base-c7[] package or port is the easiest way to install a base set of Linux(R) libraries and binaries on a FreeBSD system. +To install the port: [source,shell] .... @@ -113,7 +117,8 @@ On 64-bit machines, [.filename]#/etc/rc.d/abi# will automatically load the modul Since the Linux(R) binary compatibility layer has gained support for running both 32- and 64-bit Linux(R) binaries (on 64-bit x86 hosts), it is no longer possible to link the emulation functionality statically into a custom kernel. -For some applications, [.filename]#/compat/linux/proc#, [.filename]#/compat/linux/sys#, and [.filename]#/compat/linux/dev/shm# may need to be mounted. Add this line to [.filename]#/etc/fstab#: +For some applications, [.filename]#/compat/linux/proc#, [.filename]#/compat/linux/sys#, and [.filename]#/compat/linux/dev/shm# may need to be mounted. +Add this line to [.filename]#/etc/fstab#: .... linprocfs /compat/linux/proc linprocfs rw 0 0 @@ -135,7 +140,8 @@ Then mount the filesystem accordingly: If a Linux(R) application complains about missing shared libraries after configuring Linux(R) binary compatibility, determine which shared libraries the Linux(R) binary needs and install them manually. -From a Linux(R) system, `ldd` can be used to determine which shared libraries the application needs. For example, to check which shared libraries `linuxdoom` needs, run this command from a Linux(R) system that has Doom installed: +From a Linux(R) system, `ldd` can be used to determine which shared libraries the application needs. +For example, to check which shared libraries `linuxdoom` needs, run this command from a Linux(R) system that has Doom installed: [source,shell] .... @@ -145,7 +151,9 @@ libX11.so.3 (DLL Jump 3.1) => /usr/X11/lib/libX11.so.3.1.0 libc.so.4 (DLL Jump 4.5pl26) => /lib/libc.so.4.6.29 .... -Then, copy all the files in the last column of the output from the Linux(R) system into [.filename]#/compat/linux# on the FreeBSD system. Once copied, create symbolic links to the names in the first column. This example will result in the following files on the FreeBSD system: +Then, copy all the files in the last column of the output from the Linux(R) system into [.filename]#/compat/linux# on the FreeBSD system. +Once copied, create symbolic links to the names in the first column. +This example will result in the following files on the FreeBSD system: [source,shell] .... @@ -157,7 +165,10 @@ Then, copy all the files in the last column of the output from the Linux(R) syst /compat/linux/lib/libc.so.4 -> libc.so.4.6.29 .... -If a Linux(R) shared library already exists with a matching major revision number to the first column of the `ldd` output, it does not need to be copied to the file named in the last column, as the existing library should work. It is advisable to copy the shared library if it is a newer version, though. The old one can be removed, as long as the symbolic link points to the new one. +If a Linux(R) shared library already exists with a matching major revision number to the first column of the `ldd` output, +it does not need to be copied to the file named in the last column, as the existing library should work. +It is advisable to copy the shared library if it is a newer version, though. +The old one can be removed, as long as the symbolic link points to the new one. For example, these libraries already exist on the FreeBSD system: @@ -174,7 +185,8 @@ and `ldd` indicates that a binary requires a later version: libc.so.4 (DLL Jump 4.5pl26) -> libc.so.4.6.29 .... -Since the existing library is only one or two versions out of date in the last digit, the program should still work with the slightly older version. However, it is safe to replace the existing [.filename]#libc.so# with the newer version: +Since the existing library is only one or two versions out of date in the last digit, the program should still work with the slightly older version. +However, it is safe to replace the existing [.filename]#libc.so# with the newer version: [source,shell] .... @@ -182,11 +194,13 @@ Since the existing library is only one or two versions out of date in the last d /compat/linux/lib/libc.so.4 -> libc.so.4.6.29 .... -Generally, one will need to look for the shared libraries that Linux(R) binaries depend on only the first few times that a Linux(R) program is installed on FreeBSD. After a while, there will be a sufficient set of Linux(R) shared libraries on the system to be able to run newly installed Linux(R) binaries without any extra work. +Generally, one will need to look for the shared libraries that Linux(R) binaries depend on only the first few times that a Linux(R) program is installed on FreeBSD. +After a while, there will be a sufficient set of Linux(R) shared libraries on the system to be able to run newly installed Linux(R) binaries without any extra work. === Installing Linux(R) ELF Binaries -ELF binaries sometimes require an extra step. When an unbranded ELF binary is executed, it will generate an error message: +ELF binaries sometimes require an extra step. +When an unbranded ELF binary is executed, it will generate an error message: [source,shell] .... @@ -206,7 +220,8 @@ Since the GNU toolchain places the appropriate branding information into ELF bin === Installing a Linux(R) RPM Based Application -To install a Linux(R) RPM-based application, first install the package:archivers/rpm4[] package or port. Once installed, `root` can use this command to install a [.filename]#.rpm#: +To install a Linux(R) RPM-based application, first install the package:archivers/rpm4[] package or port. +Once installed, `root` can use this command to install a [.filename]#.rpm#: [source,shell] .... @@ -214,7 +229,8 @@ To install a Linux(R) RPM-based application, first install the package:archivers # rpm2cpio < /path/to/linux.archive.rpm | cpio -id .... -If necessary, `brandelf` the installed ELF binaries. Note that this will prevent a clean uninstall. +If necessary, `brandelf` the installed ELF binaries. +Note that this will prevent a clean uninstall. === Configuring the Hostname Resolver @@ -234,24 +250,29 @@ order hosts, bind multi on .... -This specifies that [.filename]#/etc/hosts# is searched first and DNS is searched second. When [.filename]#/compat/linux/etc/host.conf# does not exist, Linux(R) applications use [.filename]#/etc/host.conf# and complain about the incompatible FreeBSD syntax. Remove `bind` if a name server is not configured using [.filename]#/etc/resolv.conf#. +This specifies that [.filename]#/etc/hosts# is searched first and DNS is searched second. +When [.filename]#/compat/linux/etc/host.conf# does not exist, Linux(R) applications use [.filename]#/etc/host.conf# and complain about the incompatible FreeBSD syntax. +Remove `bind` if a name server is not configured using [.filename]#/etc/resolv.conf#. [[linuxemu-advanced]] == Advanced Topics This section describes how Linux(R) binary compatibility works and is based on an email written to {freebsd-chat} by Terry Lambert mailto:tlambert@primenet.com[tlambert@primenet.com] (Message ID: `<199906020108.SAA07001@usr09.primenet.com>`). -FreeBSD has an abstraction called an "execution class loader". This is a wedge into the man:execve[2] system call. +FreeBSD has an abstraction called an "execution class loader". +This is a wedge into the man:execve[2] system call. Historically, the UNIX(R) loader examined the magic number (generally the first 4 or 8 bytes of the file) to see if it was a binary known to the system, and if so, invoked the binary loader. -If it was not the binary type for the system, the man:execve[2] call returned a failure, and the shell attempted to start executing it as shell commands. The assumption was a default of "whatever the current shell is". +If it was not the binary type for the system, the man:execve[2] call returned a failure, and the shell attempted to start executing it as shell commands. +The assumption was a default of "whatever the current shell is". Later, a hack was made for man:sh[1] to examine the first two characters, and if they were `:\n`, it invoked the man:csh[1] shell instead. FreeBSD has a list of loaders, instead of a single loader, with a fallback to the `#!` loader for running shell interpreters or shell scripts. -For the Linux(R) ABI support, FreeBSD sees the magic number as an ELF binary. The ELF loader looks for a specialized _brand_, which is a comment section in the ELF image, and which is not present on SVR4/Solaris(TM) ELF binaries. +For the Linux(R) ABI support, FreeBSD sees the magic number as an ELF binary. +The ELF loader looks for a specialized _brand_, which is a comment section in the ELF image, and which is not present on SVR4/Solaris(TM) ELF binaries. For Linux(R) binaries to function, they must be _branded_ as type `Linux` using man:brandelf[1]: @@ -260,14 +281,27 @@ For Linux(R) binaries to function, they must be _branded_ as type `Linux` using # brandelf -t Linux file .... -When the ELF loader sees the `Linux` brand, the loader replaces a pointer in the `proc` structure. All system calls are indexed through this pointer. In addition, the process is flagged for special handling of the trap vector for the signal trampoline code, and several other (minor) fix-ups that are handled by the Linux(R) kernel module. +When the ELF loader sees the `Linux` brand, the loader replaces a pointer in the `proc` structure. +All system calls are indexed through this pointer. +In addition, the process is flagged for special handling of the trap vector for the signal trampoline code, and several other (minor) fix-ups that are handled by the Linux(R) kernel module. The Linux(R) system call vector contains, among other things, a list of `sysent[]` entries whose addresses reside in the kernel module. When a system call is called by the Linux(R) binary, the trap code dereferences the system call function pointer off the `proc` structure, and gets the Linux(R), not the FreeBSD, system call entry points. -Linux(R) mode dynamically _reroots_ lookups. This is, in effect, equivalent to `union` to file system mounts. First, an attempt is made to lookup the file in [.filename]#/compat/linux/original-path#. If that fails, the lookup is done in [.filename]#/original-path#. This makes sure that binaries that require other binaries can run. For example, the Linux(R) toolchain can all run under Linux(R) ABI support. It also means that the Linux(R) binaries can load and execute FreeBSD binaries, if there are no corresponding Linux(R) binaries present, and that a man:uname[1] command can be placed in the [.filename]#/compat/linux# directory tree to ensure that the Linux(R) binaries cannot tell they are not running on Linux(R). - -In effect, there is a Linux(R) kernel in the FreeBSD kernel. The various underlying functions that implement all of the services provided by the kernel are identical to both the FreeBSD system call table entries, and the Linux(R) system call table entries: file system operations, virtual memory operations, signal delivery, and System V IPC. The only difference is that FreeBSD binaries get the FreeBSD _glue_ functions, and Linux(R) binaries get the Linux(R) _glue_ functions. The FreeBSD _glue_ functions are statically linked into the kernel, and the Linux(R) _glue_ functions can be statically linked, or they can be accessed via a kernel module. - -Technically, this is not really emulation, it is an ABI implementation. It is sometimes called "Linux(R) emulation" because the implementation was done at a time when there was no other word to describe what was going on. Saying that FreeBSD ran Linux(R) binaries was not true, since the code was not compiled in. +Linux(R) mode dynamically _reroots_ lookups. +This is, in effect, equivalent to `union` to file system mounts. +First, an attempt is made to lookup the file in [.filename]#/compat/linux/original-path#. +If that fails, the lookup is done in [.filename]#/original-path#. +This makes sure that binaries that require other binaries can run. +For example, the Linux(R) toolchain can all run under Linux(R) ABI support. +It also means that the Linux(R) binaries can load and execute FreeBSD binaries, if there are no corresponding Linux(R) binaries present, and that a man:uname[1] command can be placed in the [.filename]#/compat/linux# directory tree to ensure that the Linux(R) binaries cannot tell they are not running on Linux(R). + +In effect, there is a Linux(R) kernel in the FreeBSD kernel. +The various underlying functions that implement all of the services provided by the kernel are identical to both the FreeBSD system call table entries, and the Linux(R) system call table entries: file system operations, virtual memory operations, signal delivery, and System V IPC. +The only difference is that FreeBSD binaries get the FreeBSD _glue_ functions, and Linux(R) binaries get the Linux(R) _glue_ functions. +The FreeBSD _glue_ functions are statically linked into the kernel, and the Linux(R) _glue_ functions can be statically linked, or they can be accessed via a kernel module. + +Technically, this is not really emulation, it is an ABI implementation. +It is sometimes called "Linux(R) emulation" because the implementation was done at a time when there was no other word to describe what was going on. +Saying that FreeBSD ran Linux(R) binaries was not true, since the code was not compiled in. diff --git a/documentation/content/en/books/handbook/mac/_index.adoc b/documentation/content/en/books/handbook/mac/_index.adoc index 1820edd8a0..950856d6c8 100644 --- a/documentation/content/en/books/handbook/mac/_index.adoc +++ b/documentation/content/en/books/handbook/mac/_index.adoc @@ -46,7 +46,13 @@ toc::[] [[mac-synopsis]] == Synopsis -FreeBSD supports security extensions based on the POSIX(R).1e draft. These security mechanisms include file system Access Control Lists (crossref:security[fs-acl,“Access Control Lists”]) and Mandatory Access Control (MAC). MAC allows access control modules to be loaded in order to implement security policies. Some modules provide protections for a narrow subset of the system, hardening a particular service. Others provide comprehensive labeled security across all subjects and objects. The mandatory part of the definition indicates that enforcement of controls is performed by administrators and the operating system. This is in contrast to the default security mechanism of Discretionary Access Control (DAC) where enforcement is left to the discretion of users. +FreeBSD supports security extensions based on the POSIX(R).1e draft. +These security mechanisms include file system Access Control Lists (crossref:security[fs-acl,“Access Control Lists”]) and Mandatory Access Control (MAC). +MAC allows access control modules to be loaded in order to implement security policies. +Some modules provide protections for a narrow subset of the system, hardening a particular service. +Others provide comprehensive labeled security across all subjects and objects. +The mandatory part of the definition indicates that enforcement of controls is performed by administrators and the operating system. +This is in contrast to the default security mechanism of Discretionary Access Control (DAC) where enforcement is left to the discretion of users. This chapter focuses on the MAC framework and the set of pluggable security policy modules FreeBSD provides for enabling various security mechanisms. @@ -66,13 +72,18 @@ Before reading this chapter, you should: [WARNING] ==== +Improper MAC configuration may cause loss of system access, aggravation of users, or inability to access the features provided by Xorg. +More importantly, MAC should not be relied upon to completely secure a system. +The MAC framework only augments an existing security policy. +Without sound security practices and regular security checks, the system will never be completely secure. -Improper MAC configuration may cause loss of system access, aggravation of users, or inability to access the features provided by Xorg. More importantly, MAC should not be relied upon to completely secure a system. The MAC framework only augments an existing security policy. Without sound security practices and regular security checks, the system will never be completely secure. - -The examples contained within this chapter are for demonstration purposes and the example settings should _not_ be implemented on a production system. Implementing any security policy takes a good deal of understanding, proper design, and thorough testing. +The examples contained within this chapter are for demonstration purposes and the example settings should _not_ be implemented on a production system. +Implementing any security policy takes a good deal of understanding, proper design, and thorough testing. ==== -While this chapter covers a broad range of security issues relating to the MAC framework, the development of new MAC security policy modules will not be covered. A number of security policy modules included with the MAC framework have specific characteristics which are provided for both testing and new module development. Refer to man:mac_test[4], man:mac_stub[4] and man:mac_none[4] for more information on these security policy modules and the various mechanisms they provide. +While this chapter covers a broad range of security issues relating to the MAC framework, the development of new MAC security policy modules will not be covered. +A number of security policy modules included with the MAC framework have specific characteristics which are provided for both testing and new module development. +Refer to man:mac_test[4], man:mac_stub[4] and man:mac_none[4] for more information on these security policy modules and the various mechanisms they provide. [[mac-inline-glossary]] == Key Terms @@ -95,21 +106,36 @@ The following key terms are used when referring to the MAC framework: [[mac-understandlabel]] == Understanding MAC Labels -A MAC label is a security attribute which may be applied to subjects and objects throughout the system. When setting a label, the administrator must understand its implications in order to prevent unexpected or undesired behavior of the system. The attributes available on an object depend on the loaded policy module, as policy modules interpret their attributes in different ways. +A MAC label is a security attribute which may be applied to subjects and objects throughout the system. +When setting a label, the administrator must understand its implications in order to prevent unexpected or undesired behavior of the system. +The attributes available on an object depend on the loaded policy module, as policy modules interpret their attributes in different ways. -The security label on an object is used as a part of a security access control decision by a policy. With some policies, the label contains all of the information necessary to make a decision. In other policies, the labels may be processed as part of a larger rule set. +The security label on an object is used as a part of a security access control decision by a policy. +With some policies, the label contains all of the information necessary to make a decision. +In other policies, the labels may be processed as part of a larger rule set. -There are two types of label policies: single label and multi label. By default, the system will use single label. The administrator should be aware of the pros and cons of each in order to implement policies which meet the requirements of the system's security model. +There are two types of label policies: single label and multi label. +By default, the system will use single label. +The administrator should be aware of the pros and cons of each in order to implement policies which meet the requirements of the system's security model. -A single label security policy only permits one label to be used for every subject or object. Since a single label policy enforces one set of access permissions across the entire system, it provides lower administration overhead, but decreases the flexibility of policies which support labeling. However, in many environments, a single label policy may be all that is required. +A single label security policy only permits one label to be used for every subject or object. +Since a single label policy enforces one set of access permissions across the entire system, it provides lower administration overhead, but decreases the flexibility of policies which support labeling. +However, in many environments, a single label policy may be all that is required. -A single label policy is somewhat similar to DAC as `root` configures the policies so that users are placed in the appropriate categories and access levels. A notable difference is that many policy modules can also restrict `root`. Basic control over objects will then be released to the group, but `root` may revoke or modify the settings at any time. +A single label policy is somewhat similar to DAC as `root` configures the policies so that users are placed in the appropriate categories and access levels. +A notable difference is that many policy modules can also restrict `root`. +Basic control over objects will then be released to the group, but `root` may revoke or modify the settings at any time. -When appropriate, a multi label policy can be set on a UFS file system by passing `multilabel` to man:tunefs[8]. A multi label policy permits each subject or object to have its own independent MAC label. The decision to use a multi label or single label policy is only required for policies which implement the labeling feature, such as `biba`, `lomac`, and `mls`. Some policies, such as `seeotheruids`, `portacl` and `partition`, do not use labels at all. +When appropriate, a multi label policy can be set on a UFS file system by passing `multilabel` to man:tunefs[8]. +A multi label policy permits each subject or object to have its own independent MAC label. +The decision to use a multi label or single label policy is only required for policies which implement the labeling feature, such as `biba`, `lomac`, and `mls`. +Some policies, such as `seeotheruids`, `portacl` and `partition`, do not use labels at all. -Using a multi label policy on a partition and establishing a multi label security model can increase administrative overhead as everything in that file system has a label. This includes directories, files, and even device nodes. +Using a multi label policy on a partition and establishing a multi label security model can increase administrative overhead as everything in that file system has a label. +This includes directories, files, and even device nodes. -The following command will set `multilabel` on the specified UFS file system. This may only be done in single-user mode and is not a requirement for the swap file system: +The following command will set `multilabel` on the specified UFS file system. +This may only be done in single-user mode and is not a requirement for the swap file system: [source,shell] .... @@ -118,23 +144,34 @@ The following command will set `multilabel` on the specified UFS file system. Th [NOTE] ==== -Some users have experienced problems with setting the `multilabel` flag on the root partition. If this is the case, please review <<mac-troubleshoot>>. +Some users have experienced problems with setting the `multilabel` flag on the root partition. +If this is the case, please review <<mac-troubleshoot>>. ==== -Since the multi label policy is set on a per-file system basis, a multi label policy may not be needed if the file system layout is well designed. Consider an example security MAC model for a FreeBSD web server. This machine uses the single label, `biba/high`, for everything in the default file systems. If the web server needs to run at `biba/low` to prevent write up capabilities, it could be installed to a separate UFS [.filename]#/usr/local# file system set at `biba/low`. +Since the multi label policy is set on a per-file system basis, a multi label policy may not be needed if the file system layout is well designed. +Consider an example security MAC model for a FreeBSD web server. +This machine uses the single label, `biba/high`, for everything in the default file systems. +If the web server needs to run at `biba/low` to prevent write up capabilities, it could be installed to a separate UFS [.filename]#/usr/local# file system set at `biba/low`. === Label Configuration -Virtually all aspects of label policy module configuration will be performed using the base system utilities. These commands provide a simple interface for object or subject configuration or the manipulation and verification of the configuration. +Virtually all aspects of label policy module configuration will be performed using the base system utilities. +These commands provide a simple interface for object or subject configuration or the manipulation and verification of the configuration. -All configuration may be done using `setfmac`, which is used to set MAC labels on system objects, and `setpmac`, which is used to set the labels on system subjects. For example, to set the `biba` MAC label to `high` on [.filename]#test#: +All configuration may be done using `setfmac`, which is used to set MAC labels on system objects, and `setpmac`, which is used to set the labels on system subjects. +For example, to set the `biba` MAC label to `high` on [.filename]#test#: [source,shell] .... # setfmac biba/high test .... -If the configuration is successful, the prompt will be returned without error. A common error is `Permission denied` which usually occurs when the label is being set or modified on a restricted object. Other conditions may produce different failures. For instance, the file may not be owned by the user attempting to relabel the object, the object may not exist, or the object may be read-only. A mandatory policy will not allow the process to relabel the file, maybe because of a property of the file, a property of the process, or a property of the proposed new label value. For example, if a user running at low integrity tries to change the label of a high integrity file, or a user running at low integrity tries to change the label of a low integrity file to a high integrity label, these operations will fail. +If the configuration is successful, the prompt will be returned without error. +A common error is `Permission denied` which usually occurs when the label is being set or modified on a restricted object. +Other conditions may produce different failures. +For instance, the file may not be owned by the user attempting to relabel the object, the object may not exist, or the object may be read-only. +A mandatory policy will not allow the process to relabel the file, maybe because of a property of the file, a property of the process, or a property of the proposed new label value. +For example, if a user running at low integrity tries to change the label of a high integrity file, or a user running at low integrity tries to change the label of a low integrity file to a high integrity label, these operations will fail. The system administrator may use `setpmac` to override the policy module's settings by assigning a different label to the invoked process: @@ -147,7 +184,9 @@ Permission denied test: biba/high .... -For currently running processes, such as sendmail, `getpmac` is usually used instead. This command takes a process ID (PID) in place of a command name. If users attempt to manipulate a file not in their access, subject to the rules of the loaded policy modules, the `Operation not permitted` error will be displayed. +For currently running processes, such as sendmail, `getpmac` is usually used instead. +This command takes a process ID (PID) in place of a command name. +If users attempt to manipulate a file not in their access, subject to the rules of the loaded policy modules, the `Operation not permitted` error will be displayed. === Predefined Labels @@ -157,11 +196,15 @@ A few FreeBSD policy modules which support the labeling feature offer three pred * `equal` sets the subject or object to be disabled or unaffected and should only be placed on objects considered to be exempt from the policy. * `high` grants an object or subject the highest setting available in the Biba and MLS policy modules. -Such policy modules include man:mac_biba[4], man:mac_mls[4] and man:mac_lomac[4]. Each of the predefined labels establishes a different information flow directive. Refer to the manual page of the module to determine the traits of the generic label configurations. +Such policy modules include man:mac_biba[4], man:mac_mls[4] and man:mac_lomac[4]. +Each of the predefined labels establishes a different information flow directive. +Refer to the manual page of the module to determine the traits of the generic label configurations. === Numeric Labels -The Biba and MLS policy modules support a numeric label which may be set to indicate the precise level of hierarchical control. This numeric level is used to partition or sort information into different groups of classification, only permitting access to that group or a higher group level. For example: +The Biba and MLS policy modules support a numeric label which may be set to indicate the precise level of hierarchical control. +This numeric level is used to partition or sort information into different groups of classification, only permitting access to that group or a higher group level. +For example: [.programlisting] .... @@ -170,17 +213,27 @@ biba/10:2+3+6(5:2+3-20:2+3+4+5+6) may be interpreted as "Biba Policy Label/Grade 10:Compartments 2, 3 and 6: (grade 5 ...") -In this example, the first grade would be considered the effective grade with effective compartments, the second grade is the low grade, and the last one is the high grade. In most configurations, such fine-grained settings are not needed as they are considered to be advanced configurations. +In this example, the first grade would be considered the effective grade with effective compartments, the second grade is the low grade, and the last one is the high grade. +In most configurations, such fine-grained settings are not needed as they are considered to be advanced configurations. -System objects only have a current grade and compartment. System subjects reflect the range of available rights in the system, and network interfaces, where they are used for access control. +System objects only have a current grade and compartment. +System subjects reflect the range of available rights in the system, and network interfaces, where they are used for access control. -The grade and compartments in a subject and object pair are used to construct a relationship known as _dominance_, in which a subject dominates an object, the object dominates the subject, neither dominates the other, or both dominate each other. The "both dominate" case occurs when the two labels are equal. Due to the information flow nature of Biba, a user has rights to a set of compartments that might correspond to projects, but objects also have a set of compartments. Users may have to subset their rights using `su` or `setpmac` in order to access objects in a compartment from which they are not restricted. +The grade and compartments in a subject and object pair are used to construct a relationship known as _dominance_, in which a subject dominates an object, the object dominates the subject, neither dominates the other, or both dominate each other. +The "both dominate" case occurs when the two labels are equal. +Due to the information flow nature of Biba, a user has rights to a set of compartments that might correspond to projects, but objects also have a set of compartments. +Users may have to subset their rights using `su` or `setpmac` in order to access objects in a compartment from which they are not restricted. === User Labels -Users are required to have labels so that their files and processes properly interact with the security policy defined on the system. This is configured in [.filename]#/etc/login.conf# using login classes. Every policy module that uses labels will implement the user class setting. +Users are required to have labels so that their files and processes properly interact with the security policy defined on the system. +This is configured in [.filename]#/etc/login.conf# using login classes. +Every policy module that uses labels will implement the user class setting. -To set the user class default label which will be enforced by MAC, add a `label` entry. An example `label` entry containing every policy module is displayed below. Note that in a real configuration, the administrator would never enable every policy module. It is recommended that the rest of this chapter be reviewed before any configuration is implemented. +To set the user class default label which will be enforced by MAC, add a `label` entry. +An example `label` entry containing every policy module is displayed below. +Note that in a real configuration, the administrator would never enable every policy module. +It is recommended that the rest of this chapter be reviewed before any configuration is implemented. [.programlisting] .... @@ -209,15 +262,20 @@ default:\ :label=partition/13,mls/5,biba/10(5-15),lomac/10[2]: .... -While users can not modify the default value, they may change their label after they login, subject to the constraints of the policy. The example above tells the Biba policy that a process's minimum integrity is `5`, its maximum is `15`, and the default effective label is `10`. The process will run at `10` until it chooses to change label, perhaps due to the user using `setpmac`, which will be constrained by Biba to the configured range. +While users can not modify the default value, they may change their label after they login, subject to the constraints of the policy. +The example above tells the Biba policy that a process's minimum integrity is `5`, its maximum is `15`, and the default effective label is `10`. +The process will run at `10` until it chooses to change label, perhaps due to the user using `setpmac`, which will be constrained by Biba to the configured range. After any change to [.filename]#login.conf#, the login class capability database must be rebuilt using `cap_mkdb`. -Many sites have a large number of users requiring several different user classes. In depth planning is required as this can become difficult to manage. +Many sites have a large number of users requiring several different user classes. +In depth planning is required as this can become difficult to manage. === Network Interface Labels -Labels may be set on network interfaces to help control the flow of data across the network. Policies using network interface labels function in the same way that policies function with respect to objects. Users at high settings in Biba, for example, will not be permitted to access network interfaces with a label of `low`. +Labels may be set on network interfaces to help control the flow of data across the network. +Policies using network interface labels function in the same way that policies function with respect to objects. +Users at high settings in Biba, for example, will not be permitted to access network interfaces with a label of `low`. When setting the MAC label on network interfaces, `maclabel` may be passed to `ifconfig`: @@ -226,47 +284,72 @@ When setting the MAC label on network interfaces, `maclabel` may be passed to `i # ifconfig bge0 maclabel biba/equal .... -This example will set the MAC label of `biba/equal` on the `bge0` interface. When using a setting similar to `biba/high(low-high)`, the entire label should be quoted to prevent an error from being returned. +This example will set the MAC label of `biba/equal` on the `bge0` interface. +When using a setting similar to `biba/high(low-high)`, the entire label should be quoted to prevent an error from being returned. -Each policy module which supports labeling has a tunable which may be used to disable the MAC label on network interfaces. Setting the label to `equal` will have a similar effect. Review the output of `sysctl`, the policy manual pages, and the information in the rest of this chapter for more information on those tunables. +Each policy module which supports labeling has a tunable which may be used to disable the MAC label on network interfaces. +Setting the label to `equal` will have a similar effect. +Review the output of `sysctl`, the policy manual pages, and the information in the rest of this chapter for more information on those tunables. [[mac-planning]] == Planning the Security Configuration -Before implementing any MAC policies, a planning phase is recommended. During the planning stages, an administrator should consider the implementation requirements and goals, such as: +Before implementing any MAC policies, a planning phase is recommended. +During the planning stages, an administrator should consider the implementation requirements and goals, such as: * How to classify information and resources available on the target systems. * Which information or resources to restrict access to along with the type of restrictions that should be applied. * Which MAC modules will be required to achieve this goal. -A trial run of the trusted system and its configuration should occur _before_ a MAC implementation is used on production systems. Since different environments have different needs and requirements, establishing a complete security profile will decrease the need of changes once the system goes live. +A trial run of the trusted system and its configuration should occur _before_ a MAC implementation is used on production systems. +Since different environments have different needs and requirements, establishing a complete security profile will decrease the need of changes once the system goes live. -Consider how the MAC framework augments the security of the system as a whole. The various security policy modules provided by the MAC framework could be used to protect the network and file systems or to block users from accessing certain ports and sockets. Perhaps the best use of the policy modules is to load several security policy modules at a time in order to provide a MLS environment. This approach differs from a hardening policy, which typically hardens elements of a system which are used only for specific purposes. The downside to MLS is increased administrative overhead. +Consider how the MAC framework augments the security of the system as a whole. +The various security policy modules provided by the MAC framework could be used to protect the network and file systems or to block users from accessing certain ports and sockets. +Perhaps the best use of the policy modules is to load several security policy modules at a time in order to provide a MLS environment. +This approach differs from a hardening policy, which typically hardens elements of a system which are used only for specific purposes. +The downside to MLS is increased administrative overhead. -The overhead is minimal when compared to the lasting effect of a framework which provides the ability to pick and choose which policies are required for a specific configuration and which keeps performance overhead down. The reduction of support for unneeded policies can increase the overall performance of the system as well as offer flexibility of choice. A good implementation would consider the overall security requirements and effectively implement the various security policy modules offered by the framework. +The overhead is minimal when compared to the lasting effect of a framework which provides the ability to pick and choose which policies are required for a specific configuration and which keeps performance overhead down. +The reduction of support for unneeded policies can increase the overall performance of the system as well as offer flexibility of choice. +A good implementation would consider the overall security requirements and effectively implement the various security policy modules offered by the framework. -A system utilizing MAC guarantees that a user will not be permitted to change security attributes at will. All user utilities, programs, and scripts must work within the constraints of the access rules provided by the selected security policy modules and control of the MAC access rules is in the hands of the system administrator. +A system utilizing MAC guarantees that a user will not be permitted to change security attributes at will. +All user utilities, programs, and scripts must work within the constraints of the access rules provided by the selected security policy modules and control of the MAC access rules is in the hands of the system administrator. -It is the duty of the system administrator to carefully select the correct security policy modules. For an environment that needs to limit access control over the network, the man:mac_portacl[4], man:mac_ifoff[4], and man:mac_biba[4] policy modules make good starting points. For an environment where strict confidentiality of file system objects is required, consider the man:mac_bsdextended[4] and man:mac_mls[4] policy modules. +It is the duty of the system administrator to carefully select the correct security policy modules. +For an environment that needs to limit access control over the network, the man:mac_portacl[4], man:mac_ifoff[4], and man:mac_biba[4] policy modules make good starting points. +For an environment where strict confidentiality of file system objects is required, consider the man:mac_bsdextended[4] and man:mac_mls[4] policy modules. -Policy decisions could be made based on network configuration. If only certain users should be permitted access to man:ssh[1], the man:mac_portacl[4] policy module is a good choice. In the case of file systems, access to objects might be considered confidential to some users, but not to others. As an example, a large development team might be broken off into smaller projects where developers in project A might not be permitted to access objects written by developers in project B. Yet both projects might need to access objects created by developers in project C. Using the different security policy modules provided by the MAC framework, users could be divided into these groups and then given access to the appropriate objects. +Policy decisions could be made based on network configuration. +If only certain users should be permitted access to man:ssh[1], the man:mac_portacl[4] policy module is a good choice. +In the case of file systems, access to objects might be considered confidential to some users, but not to others. +As an example, a large development team might be broken off into smaller projects where developers in project A might not be permitted to access objects written by developers in project B. +Yet both projects might need to access objects created by developers in project C. +Using the different security policy modules provided by the MAC framework, users could be divided into these groups and then given access to the appropriate objects. -Each security policy module has a unique way of dealing with the overall security of a system. Module selection should be based on a well thought out security policy which may require revision and reimplementation. Understanding the different security policy modules offered by the MAC framework will help administrators choose the best policies for their situations. +Each security policy module has a unique way of dealing with the overall security of a system. +Module selection should be based on a well thought out security policy which may require revision and reimplementation. +Understanding the different security policy modules offered by the MAC framework will help administrators choose the best policies for their situations. The rest of this chapter covers the available modules, describes their use and configuration, and in some cases, provides insight on applicable situations. [CAUTION] ==== - -Implementing MAC is much like implementing a firewall since care must be taken to prevent being completely locked out of the system. The ability to revert back to a previous configuration should be considered and the implementation of MAC over a remote connection should be done with extreme caution. +Implementing MAC is much like implementing a firewall since care must be taken to prevent being completely locked out of the system. +The ability to revert back to a previous configuration should be considered and the implementation of MAC over a remote connection should be done with extreme caution. ==== [[mac-policies]] == Available MAC Policies -The default FreeBSD kernel includes `options MAC`. This means that every module included with the MAC framework can be loaded with `kldload` as a run-time kernel module. After testing the module, add the module name to [.filename]#/boot/loader.conf# so that it will load during boot. Each module also provides a kernel option for those administrators who choose to compile their own custom kernel. +The default FreeBSD kernel includes `options MAC`. +This means that every module included with the MAC framework can be loaded with `kldload` as a run-time kernel module. +After testing the module, add the module name to [.filename]#/boot/loader.conf# so that it will load during boot. +Each module also provides a kernel option for those administrators who choose to compile their own custom kernel. -FreeBSD includes a group of policies that will cover most security requirements. Each policy is summarized below. The last three policies support integer settings in place of the three default labels. +FreeBSD includes a group of policies that will cover most security requirements. Each policy is summarized below. +The last three policies support integer settings in place of the three default labels. [[mac-seeotheruids]] === The MAC See Other UIDs Policy @@ -277,7 +360,8 @@ Kernel configuration line: `options MAC_SEEOTHERUIDS` Boot option: `mac_seeotheruids_load="YES"` -The man:mac_seeotheruids[4] module extends the `security.bsd.see_other_uids` and `security.bsd.see_other_gids sysctl` tunables. This option does not require any labels to be set before configuration and can operate transparently with other modules. +The man:mac_seeotheruids[4] module extends the `security.bsd.see_other_uids` and `security.bsd.see_other_gids sysctl` tunables. +This option does not require any labels to be set before configuration and can operate transparently with other modules. After loading the module, the following `sysctl` tunables may be used to control its features: @@ -294,9 +378,14 @@ Kernel configuration line: `options MAC_BSDEXTENDED` Boot option: `mac_bsdextended_load="YES"` -The man:mac_bsdextended[4] module enforces a file system firewall. It provides an extension to the standard file system permissions model, permitting an administrator to create a firewall-like ruleset to protect files, utilities, and directories in the file system hierarchy. When access to a file system object is attempted, the list of rules is iterated until either a matching rule is located or the end is reached. This behavior may be changed using `security.mac.bsdextended.firstmatch_enabled`. Similar to other firewall modules in FreeBSD, a file containing the access control rules can be created and read by the system at boot time using an man:rc.conf[5] variable. +The man:mac_bsdextended[4] module enforces a file system firewall. +It provides an extension to the standard file system permissions model, permitting an administrator to create a firewall-like ruleset to protect files, utilities, and directories in the file system hierarchy. +When access to a file system object is attempted, the list of rules is iterated until either a matching rule is located or the end is reached. +This behavior may be changed using `security.mac.bsdextended.firstmatch_enabled`. +Similar to other firewall modules in FreeBSD, a file containing the access control rules can be created and read by the system at boot time using an man:rc.conf[5] variable. -The rule list may be entered using man:ugidfw[8] which has a syntax similar to man:ipfw[8]. More tools can be written by using the functions in the man:libugidfw[3] library. +The rule list may be entered using man:ugidfw[8] which has a syntax similar to man:ipfw[8]. +More tools can be written by using the functions in the man:libugidfw[3] library. After the man:mac_bsdextended[4] module has been loaded, the following command may be used to list the current rule configuration: @@ -306,14 +395,16 @@ After the man:mac_bsdextended[4] module has been loaded, the following command m 0 slots, 0 rules .... -By default, no rules are defined and everything is completely accessible. To create a rule which blocks all access by users but leaves `root` unaffected: +By default, no rules are defined and everything is completely accessible. +To create a rule which blocks all access by users but leaves `root` unaffected: [source,shell] .... # ugidfw add subject not uid root new object not uid root mode n .... -While this rule is simple to implement, it is a very bad idea as it blocks all users from issuing any commands. A more realistic example blocks `user1` all access, including directory listings, to ``_user2_``'s home directory: +While this rule is simple to implement, it is a very bad idea as it blocks all users from issuing any commands. +A more realistic example blocks `user1` all access, including directory listings, to ``_user2_``'s home directory: [source,shell] .... @@ -321,7 +412,8 @@ While this rule is simple to implement, it is a very bad idea as it blocks all u # ugidfw set 3 subject uid user1 object gid user2 mode n .... -Instead of `user1`, `not uid _user2_` could be used in order to enforce the same access restrictions for all users. However, the `root` user is unaffected by these rules. +Instead of `user1`, `not uid _user2_` could be used in order to enforce the same access restrictions for all users. +However, the `root` user is unaffected by these rules. [NOTE] ==== @@ -337,7 +429,8 @@ Kernel configuration line: `options MAC_IFOFF` Boot option: `mac_ifoff_load="YES"` -The man:mac_ifoff[4] module is used to disable network interfaces on the fly and to keep network interfaces from being brought up during system boot. It does not use labels and does not depend on any other MAC modules. +The man:mac_ifoff[4] module is used to disable network interfaces on the fly and to keep network interfaces from being brought up during system boot. +It does not use labels and does not depend on any other MAC modules. Most of this module's control is performed through these `sysctl` tunables: @@ -345,7 +438,8 @@ Most of this module's control is performed through these `sysctl` tunables: * `security.mac.ifoff.bpfrecv_enabled` enables or disables all traffic on the Berkeley Packet Filter interface, man:bpf[4]. * `security.mac.ifoff.other_enabled` enables or disables traffic on all other interfaces. -One of the most common uses of man:mac_ifoff[4] is network monitoring in an environment where network traffic should not be permitted during the boot sequence. Another use would be to write a script which uses an application such as package:security/aide[] to automatically block network traffic if it finds new or altered files in protected directories. +One of the most common uses of man:mac_ifoff[4] is network monitoring in an environment where network traffic should not be permitted during the boot sequence. +Another use would be to write a script which uses an application such as package:security/aide[] to automatically block network traffic if it finds new or altered files in protected directories. [[mac-portacl]] === The MAC Port Access Control List Policy @@ -358,14 +452,16 @@ Boot option: `mac_portacl_load="YES"` The man:mac_portacl[4] module is used to limit binding to local TCP and UDP ports, making it possible to allow non-`root` users to bind to specified privileged ports below 1024. -Once loaded, this module enables the MAC policy on all sockets. The following tunables are available: +Once loaded, this module enables the MAC policy on all sockets. +The following tunables are available: * `security.mac.portacl.enabled` enables or disables the policy completely. * `security.mac.portacl.port_high` sets the highest port number that man:mac_portacl[4] protects. * `security.mac.portacl.suser_exempt`, when set to a non-zero value, exempts the `root` user from this policy. * `security.mac.portacl.rules` specifies the policy as a text string of the form `rule[,rule,...]`, with as many rules as needed, and where each rule is of the form `idtype:id:protocol:port`. The `idtype` is either `uid` or `gid`. The `protocol` parameter can be `tcp` or `udp`. The `port` parameter is the port number to allow the specified user or group to bind to. Only numeric values can be used for the user ID, group ID, and port parameters. -By default, ports below 1024 can only be used by privileged processes which run as `root`. For man:mac_portacl[4] to allow non-privileged processes to bind to ports below 1024, set the following tunables as follows: +By default, ports below 1024 can only be used by privileged processes which run as `root`. +For man:mac_portacl[4] to allow non-privileged processes to bind to ports below 1024, set the following tunables as follows: [source,shell] .... @@ -404,13 +500,17 @@ Kernel configuration line: `options MAC_PARTITION` Boot option: `mac_partition_load="YES"` -The man:mac_partition[4] policy drops processes into specific "partitions" based on their MAC label. Most configuration for this policy is done using man:setpmac[8]. One `sysctl` tunable is available for this policy: +The man:mac_partition[4] policy drops processes into specific "partitions" based on their MAC label. +Most configuration for this policy is done using man:setpmac[8]. +One `sysctl` tunable is available for this policy: * `security.mac.partition.enabled` enables the enforcement of MAC process partitions. -When this policy is enabled, users will only be permitted to see their processes, and any others within their partition, but will not be permitted to work with utilities outside the scope of this partition. For instance, a user in the `insecure` class will not be permitted to access `top` as well as many other commands that must spawn a process. +When this policy is enabled, users will only be permitted to see their processes, and any others within their partition, but will not be permitted to work with utilities outside the scope of this partition. +For instance, a user in the `insecure` class will not be permitted to access `top` as well as many other commands that must spawn a process. -This example adds `top` to the label set on users in the `insecure` class. All processes spawned by users in the `insecure` class will stay in the `partition/13` label. +This example adds `top` to the label set on users in the `insecure` class. +All processes spawned by users in the `insecure` class will stay in the `partition/13` label. [source,shell] .... @@ -447,7 +547,9 @@ Boot option: `mac_mls_load="YES"` The man:mac_mls[4] policy controls access between subjects and objects in the system by enforcing a strict information flow policy. -In MLS environments, a "clearance" level is set in the label of each subject or object, along with compartments. Since these clearance levels can reach numbers greater than several thousand, it would be a daunting task to thoroughly configure every subject or object. To ease this administrative overhead, three labels are included in this policy: `mls/low`, `mls/equal`, and `mls/high`, where: +In MLS environments, a "clearance" level is set in the label of each subject or object, along with compartments. +Since these clearance levels can reach numbers greater than several thousand, it would be a daunting task to thoroughly configure every subject or object. +To ease this administrative overhead, three labels are included in this policy: `mls/low`, `mls/equal`, and `mls/high`, where: * Anything labeled with `mls/low` will have a low clearance level and not be permitted to access information of a higher level. This label also prevents objects of a higher clearance level from writing or passing information to a lower level. * `mls/equal` should be placed on objects which should be exempt from the policy. @@ -483,9 +585,14 @@ To get the MLS label for the file [.filename]#test#: Another approach is to create a master policy file in [.filename]#/etc/# which specifies the MLS policy information and to feed that file to `setfmac`. -When using the MLS policy module, an administrator plans to control the flow of sensitive information. The default `block read up block write down` sets everything to a low state. Everything is accessible and an administrator slowly augments the confidentiality of the information. +When using the MLS policy module, an administrator plans to control the flow of sensitive information. +The default `block read up block write down` sets everything to a low state. +Everything is accessible and an administrator slowly augments the confidentiality of the information. -Beyond the three basic label options, an administrator may group users and groups as required to block the information flow between them. It might be easier to look at the information in clearance levels using descriptive words, such as classifications of `Confidential`, `Secret`, and `Top Secret`. Some administrators instead create different groups based on project levels. Regardless of the classification method, a well thought out plan must exist before implementing a restrictive policy. +Beyond the three basic label options, an administrator may group users and groups as required to block the information flow between them. +It might be easier to look at the information in clearance levels using descriptive words, such as classifications of `Confidential`, `Secret`, and `Top Secret`. +Some administrators instead create different groups based on project levels. +Regardless of the classification method, a well thought out plan must exist before implementing a restrictive policy. Some example situations for the MLS policy module include an e-commerce web server, a file server holding critical company information, and financial institution environments. @@ -498,9 +605,13 @@ Kernel configuration line: `options MAC_BIBA` Boot option: `mac_biba_load="YES"` -The man:mac_biba[4] module loads the MAC Biba policy. This policy is similar to the MLS policy with the exception that the rules for information flow are slightly reversed. This is to prevent the downward flow of sensitive information whereas the MLS policy prevents the upward flow of sensitive information. +The man:mac_biba[4] module loads the MAC Biba policy. +This policy is similar to the MLS policy with the exception that the rules for information flow are slightly reversed. +This is to prevent the downward flow of sensitive information whereas the MLS policy prevents the upward flow of sensitive information. -In Biba environments, an "integrity" label is set on each subject or object. These labels are made up of hierarchical grades and non-hierarchical components. As a grade ascends, so does its integrity. +In Biba environments, an "integrity" label is set on each subject or object. +These labels are made up of hierarchical grades and non-hierarchical components. +As a grade ascends, so does its integrity. Supported labels are `biba/low`, `biba/equal`, and `biba/high`, where: @@ -530,11 +641,21 @@ To access the Biba policy setting on system objects, use `setfmac` and `getfmac` test: biba/low .... -Integrity, which is different from sensitivity, is used to guarantee that information is not manipulated by untrusted parties. This includes information passed between subjects and objects. It ensures that users will only be able to modify or access information they have been given explicit access to. The man:mac_biba[4] security policy module permits an administrator to configure which files and programs a user may see and invoke while assuring that the programs and files are trusted by the system for that user. +Integrity, which is different from sensitivity, is used to guarantee that information is not manipulated by untrusted parties. +This includes information passed between subjects and objects. +It ensures that users will only be able to modify or access information they have been given explicit access to. +The man:mac_biba[4] security policy module permits an administrator to configure which files and programs a user may see and invoke while assuring that the programs and files are trusted by the system for that user. -During the initial planning phase, an administrator must be prepared to partition users into grades, levels, and areas. The system will default to a high label once this policy module is enabled, and it is up to the administrator to configure the different grades and levels for users. Instead of using clearance levels, a good planning method could include topics. For instance, only allow developers modification access to the source code repository, source code compiler, and other development utilities. Other users would be grouped into other categories such as testers, designers, or end users and would only be permitted read access. +During the initial planning phase, an administrator must be prepared to partition users into grades, levels, and areas. +The system will default to a high label once this policy module is enabled, and it is up to the administrator to configure the different grades and levels for users. +Instead of using clearance levels, a good planning method could include topics. +For instance, only allow developers modification access to the source code repository, source code compiler, and other development utilities. +Other users would be grouped into other categories such as testers, designers, or end users and would only be permitted read access. -A lower integrity subject is unable to write to a higher integrity subject and a higher integrity subject cannot list or read a lower integrity object. Setting a label at the lowest possible grade could make it inaccessible to subjects. Some prospective environments for this security policy module would include a constrained web server, a development and test machine, and a source code repository. A less useful implementation would be a personal workstation, a machine used as a router, or a network firewall. +A lower integrity subject is unable to write to a higher integrity subject and a higher integrity subject cannot list or read a lower integrity object. +Setting a label at the lowest possible grade could make it inaccessible to subjects. +Some prospective environments for this security policy module would include a constrained web server, a development and test machine, and a source code repository. +A less useful implementation would be a personal workstation, a machine used as a router, or a network firewall. [[mac-lomac]] === The MAC Low-watermark Module @@ -547,9 +668,12 @@ Boot option: `mac_lomac_load="YES"` Unlike the MAC Biba policy, the man:mac_lomac[4] policy permits access to lower integrity objects only after decreasing the integrity level to not disrupt any integrity rules. -The Low-watermark integrity policy works almost identically to Biba, with the exception of using floating labels to support subject demotion via an auxiliary grade compartment. This secondary compartment takes the form `[auxgrade]`. When assigning a policy with an auxiliary grade, use the syntax `lomac/10[2]`, where `2` is the auxiliary grade. +The Low-watermark integrity policy works almost identically to Biba, with the exception of using floating labels to support subject demotion via an auxiliary grade compartment. +This secondary compartment takes the form `[auxgrade]`. +When assigning a policy with an auxiliary grade, use the syntax `lomac/10[2]`, where `2` is the auxiliary grade. -This policy relies on the ubiquitous labeling of all system objects with integrity labels, permitting subjects to read from low integrity objects and then downgrading the label on the subject to prevent future writes to high integrity objects using `[auxgrade]`. The policy may provide greater compatibility and require less initial configuration than Biba. +This policy relies on the ubiquitous labeling of all system objects with integrity labels, permitting subjects to read from low integrity objects and then downgrading the label on the subject to prevent future writes to high integrity objects using `[auxgrade]`. +The policy may provide greater compatibility and require less initial configuration than Biba. Like the Biba and MLS policies, `setfmac` and `setpmac` are used to place labels on system objects: @@ -564,7 +688,8 @@ The auxiliary grade `low` is a feature provided only by the MACLOMAC policy. [[mac-userlocked]] == User Lock Down -This example considers a relatively small storage system with fewer than fifty users. Users will have login capabilities and are permitted to store data and access resources. +This example considers a relatively small storage system with fewer than fifty users. +Users will have login capabilities and are permitted to store data and access resources. For this scenario, the man:mac_bsdextended[4] and man:mac_seeotheruids[4] policy modules could co-exist and block access to system objects while hiding user processes. @@ -582,23 +707,31 @@ The man:mac_bsdextended[4] security policy module may be activated by adding thi ugidfw_enable="YES" .... -Default rules stored in [.filename]#/etc/rc.bsdextended# will be loaded at system initialization. However, the default entries may need modification. Since this machine is expected only to service users, everything may be left commented out except the last two lines in order to force the loading of user owned system objects by default. +Default rules stored in [.filename]#/etc/rc.bsdextended# will be loaded at system initialization. +However, the default entries may need modification. +Since this machine is expected only to service users, everything may be left commented out except the last two lines in order to force the loading of user owned system objects by default. -Add the required users to this machine and reboot. For testing purposes, try logging in as a different user across two consoles. Run `ps aux` to see if processes of other users are visible. Verify that running man:ls[1] on another user's home directory fails. +Add the required users to this machine and reboot. +For testing purposes, try logging in as a different user across two consoles. +Run `ps aux` to see if processes of other users are visible. +Verify that running man:ls[1] on another user's home directory fails. Do not try to test with the `root` user unless the specific ``sysctl``s have been modified to block super user access. [NOTE] ==== -When a new user is added, their man:mac_bsdextended[4] rule will not be in the ruleset list. To update the ruleset quickly, unload the security policy module and reload it again using man:kldunload[8] and man:kldload[8]. +When a new user is added, their man:mac_bsdextended[4] rule will not be in the ruleset list. +To update the ruleset quickly, unload the security policy module and reload it again using man:kldunload[8] and man:kldload[8]. ==== [[mac-implementing]] == Nagios in a MAC Jail -This section demonstrates the steps that are needed to implement the Nagios network monitoring system in a MAC environment. This is meant as an example which still requires the administrator to test that the implemented policy meets the security requirements of the network before using in a production environment. +This section demonstrates the steps that are needed to implement the Nagios network monitoring system in a MAC environment. +This is meant as an example which still requires the administrator to test that the implemented policy meets the security requirements of the network before using in a production environment. -This example requires `multilabel` to be set on each file system. It also assumes that package:net-mgmt/nagios-plugins[], package:net-mgmt/nagios[], and package:www/apache22[] are all installed, configured, and working correctly before attempting the integration into the MAC framework. +This example requires `multilabel` to be set on each file system. +It also assumes that package:net-mgmt/nagios-plugins[], package:net-mgmt/nagios[], and package:www/apache22[] are all installed, configured, and working correctly before attempting the integration into the MAC framework. === Create an Insecure User Class @@ -654,7 +787,9 @@ Set the `root` user to the default class using: # pw usermod root -L default .... -All user accounts that are not `root` will now require a login class. The login class is required, otherwise users will be refused access to common commands. The following `sh` script should do the trick: +All user accounts that are not `root` will now require a login class. +The login class is required, otherwise users will be refused access to common commands. +The following `sh` script should do the trick: [source,shell] .... @@ -703,9 +838,12 @@ A contexts file should now be created as [.filename]#/etc/policy.contexts#: /usr/local/etc/apache(/.*)? biba/10 .... -This policy enforces security by setting restrictions on the flow of information. In this specific configuration, users, including `root`, should never be allowed to access Nagios. Configuration files and processes that are a part of Nagios will be completely self contained or jailed. +This policy enforces security by setting restrictions on the flow of information. +In this specific configuration, users, including `root`, should never be allowed to access Nagios. +Configuration files and processes that are a part of Nagios will be completely self contained or jailed. -This file will be read after running `setfsmac` on every file system. This example sets the policy on the root file system: +This file will be read after running `setfsmac` on every file system. +This example sets the policy on the root file system: [source,shell] .... @@ -733,7 +871,8 @@ mac_seeotheruids_load="YES" security.mac.biba.trust_all_interfaces=1 .... -And the following line to the network card configuration stored in [.filename]#/etc/rc.conf#. If the primary network configuration is done via DHCP, this may need to be configured manually after every system boot: +And the following line to the network card configuration stored in [.filename]#/etc/rc.conf#. +If the primary network configuration is done via DHCP, this may need to be configured manually after every system boot: [.programlisting] .... @@ -742,7 +881,10 @@ maclabel biba/equal === Testing the Configuration -First, ensure that the web server and Nagios will not be started on system initialization and reboot. Ensure that `root` cannot access any of the files in the Nagios configuration directory. If `root` can list the contents of [.filename]#/var/spool/nagios#, something is wrong. Instead, a "permission denied" error should be returned. +First, ensure that the web server and Nagios will not be started on system initialization and reboot. +Ensure that `root` cannot access any of the files in the Nagios configuration directory. +If `root` can list the contents of [.filename]#/var/spool/nagios#, something is wrong. +Instead, a "permission denied" error should be returned. If all seems well, Nagios, Apache, and Sendmail can now be started: @@ -753,18 +895,23 @@ setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart .... -Double check to ensure that everything is working properly. If not, check the log files for error messages. If needed, use man:sysctl[8] to disable the man:mac_biba[4] security policy module and try starting everything again as usual. +Double check to ensure that everything is working properly. +If not, check the log files for error messages. +If needed, use man:sysctl[8] to disable the man:mac_biba[4] security policy module and try starting everything again as usual. [NOTE] ==== -The `root` user can still change the security enforcement and edit its configuration files. The following command will permit the degradation of the security policy to a lower grade for a newly spawned shell: +The `root` user can still change the security enforcement and edit its configuration files. +The following command will permit the degradation of the security policy to a lower grade for a newly spawned shell: [source,shell] .... # setpmac biba/10 csh .... -To block this from happening, force the user into a range using man:login.conf[5]. If man:setpmac[8] attempts to run a command outside of the compartment's range, an error will be returned and the command will not be executed. In this case, set root to `biba/high(high-high)`. +To block this from happening, force the user into a range using man:login.conf[5]. +If man:setpmac[8] attempts to run a command outside of the compartment's range, an error will be returned and the command will not be executed. +In this case, set root to `biba/high(high-high)`. ==== [[mac-troubleshoot]] @@ -786,7 +933,8 @@ The following steps may resolve this transient error: ==== After establishing a secure environment with MAC, Xorg no longer starts::: -This could be caused by the MAC `partition` policy or by a mislabeling in one of the MAC labeling policies. To debug, try the following: +This could be caused by the MAC `partition` policy or by a mislabeling in one of the MAC labeling policies. +To debug, try the following: [.procedure] ==== @@ -796,11 +944,19 @@ This could be caused by the MAC `partition` policy or by a mislabeling in one of ==== The `_secure_path: unable to stat .login_conf` error appears::: -This error can appear when a user attempts to switch from the `root` user to another user in the system. This message usually occurs when the user has a higher label setting than that of the user they are attempting to become. For instance, if `joe` has a default label of `biba/low` and `root` has a label of `biba/high`, `root` cannot view ``joe``'s home directory. This will happen whether or not `root` has used `su` to become `joe` as the Biba integrity model will not permit `root` to view objects set at a lower integrity level. +This error can appear when a user attempts to switch from the `root` user to another user in the system. +This message usually occurs when the user has a higher label setting than that of the user they are attempting to become. +For instance, if `joe` has a default label of `biba/low` and `root` has a label of `biba/high`, `root` cannot view ``joe``'s home directory. +This will happen whether or not `root` has used `su` to become `joe` as the Biba integrity model will not permit `root` to view objects set at a lower integrity level. The system no longer recognizes `root`::: When this occurs, `whoami` returns `0` and `su` returns `who are you?`. + -This can happen if a labeling policy has been disabled by man:sysctl[8] or the policy module was unloaded. If the policy is disabled, the login capabilities database needs to be reconfigured. Double check [.filename]#/etc/login.conf# to ensure that all `label` options have been removed and rebuild the database with `cap_mkdb`. +This can happen if a labeling policy has been disabled by man:sysctl[8] or the policy module was unloaded. +If the policy is disabled, the login capabilities database needs to be reconfigured. +Double check [.filename]#/etc/login.conf# to ensure that all `label` options have been removed and rebuild the database with `cap_mkdb`. + -This may also happen if a policy restricts access to [.filename]#master.passwd#. This is usually caused by an administrator altering the file under a label which conflicts with the general policy being used by the system. In these cases, the user information would be read by the system and access would be blocked as the file has inherited the new label. Disable the policy using man:sysctl[8] and everything should return to normal. +This may also happen if a policy restricts access to [.filename]#master.passwd#. +This is usually caused by an administrator altering the file under a label which conflicts with the general policy being used by the system. +In these cases, the user information would be read by the system and access would be blocked as the file has inherited the new label. +Disable the policy using man:sysctl[8] and everything should return to normal. diff --git a/documentation/content/en/books/handbook/mail/_index.adoc b/documentation/content/en/books/handbook/mail/_index.adoc index 1282dede96..aede8782f0 100644 --- a/documentation/content/en/books/handbook/mail/_index.adoc +++ b/documentation/content/en/books/handbook/mail/_index.adoc @@ -46,7 +46,9 @@ toc::[] [[mail-synopsis]] == Synopsis -"Electronic Mail", better known as email, is one of the most widely used forms of communication today. This chapter provides a basic introduction to running a mail server on FreeBSD, as well as an introduction to sending and receiving email using FreeBSD. For more complete coverage of this subject, refer to the books listed in crossref:bibliography[bibliography,Bibliography]. +"Electronic Mail", better known as email, is one of the most widely used forms of communication today. +This chapter provides a basic introduction to running a mail server on FreeBSD, as well as an introduction to sending and receiving email using FreeBSD +For more complete coverage of this subject, refer to the books listed in crossref:bibliography[bibliography,Bibliography]. After reading this chapter, you will know: @@ -75,30 +77,49 @@ Before reading this chapter, you should: There are five major parts involved in an email exchange: the Mail User Agent (MUA), the Mail Transfer Agent (MTA), a mail host, a remote or local mailbox, and DNS. This section provides an overview of these components. Mail User Agent (MUA):: -The Mail User Agent (MUA) is an application which is used to compose, send, and receive emails. This application can be a command line program, such as the built-in `mail` utility or a third-party application from the Ports Collection, such as mutt, alpine, or elm. Dozens of graphical programs are also available in the Ports Collection, including Claws Mail, Evolution, and Thunderbird. Some organizations provide a web mail program which can be accessed through a web browser. More information about installing and using a MUA on FreeBSD can be found in <<mail-agents>>. +The Mail User Agent (MUA) is an application which is used to compose, send, and receive emails. +This application can be a command line program, such as the built-in `mail` utility or a third-party application from the Ports Collection, such as mutt, alpine, or elm. +Dozens of graphical programs are also available in the Ports Collection, including Claws Mail, Evolution, and Thunderbird. +Some organizations provide a web mail program which can be accessed through a web browser. +More information about installing and using a MUA on FreeBSD can be found in <<mail-agents>>. Mail Transfer Agent (MTA):: -The Mail Transfer Agent (MTA) is responsible for receiving incoming mail and delivering outgoing mail. FreeBSD ships with Sendmail as the default MTA, but it also supports numerous other mail server daemons, including Exim, Postfix, and qmail. Sendmail configuration is described in <<sendmail>>. If another MTA is installed using the Ports Collection, refer to its post-installation message for FreeBSD-specific configuration details and the application's website for more general configuration instructions. +The Mail Transfer Agent (MTA) is responsible for receiving incoming mail and delivering outgoing mail. +FreeBSD ships with Sendmail as the default MTA, but it also supports numerous other mail server daemons, including Exim, Postfix, and qmail. +Sendmail configuration is described in <<sendmail>>. +If another MTA is installed using the Ports Collection, refer to its post-installation message for FreeBSD-specific configuration details and the application's website for more general configuration instructions. Mail Host and Mailboxes:: -The mail host is a server that is responsible for delivering and receiving mail for a host or a network. The mail host collects all mail sent to the domain and stores it either in the default [.filename]#mbox# or the alternative Maildir format, depending on the configuration. Once mail has been stored, it may either be read locally using a MUA or remotely accessed and collected using protocols such as POP or IMAP. If mail is read locally, a POP or IMAP server does not need to be installed. +The mail host is a server that is responsible for delivering and receiving mail for a host or a network. +The mail host collects all mail sent to the domain and stores it either in the default [.filename]#mbox# or the alternative Maildir format, depending on the configuration. +Once mail has been stored, it may either be read locally using a MUA or remotely accessed and collected using protocols such as POP or IMAP. +If mail is read locally, a POP or IMAP server does not need to be installed. + -To access mailboxes remotely, a POP or IMAP server is required as these protocols allow users to connect to their mailboxes from remote locations. IMAP offers several advantages over POP. These include the ability to store a copy of messages on a remote server after they are downloaded and concurrent updates. IMAP can be useful over low-speed links as it allows users to fetch the structure of messages without downloading them. It can also perform tasks such as searching on the server in order to minimize data transfer between clients and servers. +To access mailboxes remotely, a POP or IMAP server is required as these protocols allow users to connect to their mailboxes from remote locations. +IMAP offers several advantages over POP. +These include the ability to store a copy of messages on a remote server after they are downloaded and concurrent updates. +IMAP can be useful over low-speed links as it allows users to fetch the structure of messages without downloading them. +It can also perform tasks such as searching on the server in order to minimize data transfer between clients and servers. + -Several POP and IMAP servers are available in the Ports Collection. These include package:mail/qpopper[], package:mail/imap-uw[], package:mail/courier-imap[], and package:mail/dovecot2[]. +Several POP and IMAP servers are available in the Ports Collection. +These include package:mail/qpopper[], package:mail/imap-uw[], package:mail/courier-imap[], and package:mail/dovecot2[]. + [WARNING] ==== - -It should be noted that both POP and IMAP transmit information, including username and password credentials, in clear-text. To secure the transmission of information across these protocols, consider tunneling sessions over man:ssh[1] (crossref:security[security-ssh-tunneling,"SSH Tunneling"]) or using SSL (crossref:security[openssl,"OpenSSL"]). +It should be noted that both POP and IMAP transmit information, including username and password credentials, in clear-text. +To secure the transmission of information across these protocols, consider tunneling sessions over man:ssh[1] (crossref:security[security-ssh-tunneling,"SSH Tunneling"]) or using SSL (crossref:security[openssl,"OpenSSL"]). ==== Domain Name System (DNS):: -The Domain Name System (DNS) and its daemon `named` play a large role in the delivery of email. In order to deliver mail from one site to another, the MTA will look up the remote site in DNS to determine which host will receive mail for the destination. This process also occurs when mail is sent from a remote host to the MTA. +The Domain Name System (DNS) and its daemon `named` play a large role in the delivery of email. +In order to deliver mail from one site to another, the MTA will look up the remote site in DNS to determine which host will receive mail for the destination. +This process also occurs when mail is sent from a remote host to the MTA. + -In addition to mapping hostnames to IP addresses, DNS is responsible for storing information specific to mail delivery, known as Mail eXchanger MX records. The MX record specifies which hosts will receive mail for a particular domain. +In addition to mapping hostnames to IP addresses, DNS is responsible for storing information specific to mail delivery, known as Mail eXchanger MX records. +The MX record specifies which hosts will receive mail for a particular domain. + -To view the MX records for a domain, specify the type of record. Refer to man:host[1], for more details about this command: +To view the MX records for a domain, specify the type of record. +Refer to man:host[1], for more details about this command: + [source,shell] .... @@ -111,12 +132,20 @@ Refer to crossref:network-servers[network-dns,"Domain Name System (DNS)"] for mo [[sendmail]] == Sendmail Configuration Files -Sendmail is the default MTA installed with FreeBSD. It accepts mail from MUAs and delivers it to the appropriate mail host, as defined by its configuration. Sendmail can also accept network connections and deliver mail to local mailboxes or to another program. +Sendmail is the default MTA installed with FreeBSD. It accepts mail from MUAs and delivers it to the appropriate mail host, as defined by its configuration. +Sendmail can also accept network connections and deliver mail to local mailboxes or to another program. -The configuration files for Sendmail are located in [.filename]#/etc/mail#. This section describes these files in more detail. +The configuration files for Sendmail are located in [.filename]#/etc/mail#. +This section describes these files in more detail. [.filename]#/etc/mail/access#:: -This access database file defines which hosts or IP addresses have access to the local mail server and what kind of access they have. Hosts listed as `OK`, which is the default option, are allowed to send mail to this host as long as the mail's final destination is the local machine. Hosts listed as `REJECT` are rejected for all mail connections. Hosts listed as `RELAY` are allowed to send mail for any destination using this mail server. Hosts listed as `ERROR` will have their mail returned with the specified mail error. If a host is listed as `SKIP`, Sendmail will abort the current search for this entry without accepting or rejecting the mail. Hosts listed as `QUARANTINE` will have their messages held and will receive the specified text as the reason for the hold. +This access database file defines which hosts or IP addresses have access to the local mail server and what kind of access they have. +Hosts listed as `OK`, which is the default option, are allowed to send mail to this host as long as the mail's final destination is the local machine. +Hosts listed as `REJECT` are rejected for all mail connections. +Hosts listed as `RELAY` are allowed to send mail for any destination using this mail server. +Hosts listed as `ERROR` will have their mail returned with the specified mail error. +If a host is listed as `SKIP`, Sendmail will abort the current search for this entry without accepting or rejecting the mail. +Hosts listed as `QUARANTINE` will have their messages held and will receive the specified text as the reason for the hold. + Examples of using these options for both IPv4 and IPv6 addresses can be found in the FreeBSD sample configuration, [.filename]#/etc/mail/access.sample#: + @@ -140,7 +169,9 @@ Examples of using these options for both IPv4 and IPv6 addresses can be found in #Connect:[IPv6:1:2:3:4:5:6:7:8] OK .... + -To configure the access database, use the format shown in the sample to make entries in [.filename]#/etc/mail/access#, but do not put a comment symbol (`#`) in front of the entries. Create an entry for each host or network whose access should be configured. Mail senders that match the left side of the table are affected by the action on the right side of the table. +To configure the access database, use the format shown in the sample to make entries in [.filename]#/etc/mail/access#, but do not put a comment symbol (`#`) in front of the entries. +Create an entry for each host or network whose access should be configured. +Mail senders that match the left side of the table are affected by the action on the right side of the table. + Whenever this file is updated, update its database and restart Sendmail: + @@ -151,7 +182,8 @@ Whenever this file is updated, update its database and restart Sendmail: .... [.filename]#/etc/mail/aliases#:: -This database file contains a list of virtual mailboxes that are expanded to users, files, programs, or other aliases. Here are a few entries to illustrate the file format: +This database file contains a list of virtual mailboxes that are expanded to users, files, programs, or other aliases. +Here are a few entries to illustrate the file format: + [.programlisting] .... @@ -161,21 +193,36 @@ bit.bucket: /dev/null procmail: "|/usr/local/bin/procmail" .... + -The mailbox name on the left side of the colon is expanded to the target(s) on the right. The first entry expands the `root` mailbox to the `localuser` mailbox, which is then looked up in the [.filename]#/etc/mail/aliases# database. If no match is found, the message is delivered to `localuser`. The second entry shows a mail list. Mail to `ftp-bugs` is expanded to the three local mailboxes `joe`, `eric`, and `paul`. A remote mailbox could be specified as _user@example.com_. The third entry shows how to write mail to a file, in this case [.filename]#/dev/null#. The last entry demonstrates how to send mail to a program, [.filename]#/usr/local/bin/procmail#, through a UNIX(R) pipe. Refer to man:aliases[5] for more information about the format of this file. +The mailbox name on the left side of the colon is expanded to the target(s) on the right. +The first entry expands the `root` mailbox to the `localuser` mailbox, which is then looked up in the [.filename]#/etc/mail/aliases# database. +If no match is found, the message is delivered to `localuser`. +The second entry shows a mail list. +Mail to `ftp-bugs` is expanded to the three local mailboxes `joe`, `eric`, and `paul`. +A remote mailbox could be specified as _user@example.com_. +The third entry shows how to write mail to a file, in this case [.filename]#/dev/null#. +The last entry demonstrates how to send mail to a program, [.filename]#/usr/local/bin/procmail#, through a UNIX(R) pipe. +Refer to man:aliases[5] for more information about the format of this file. + Whenever this file is updated, run `newaliases` to update and initialize the aliases database. [.filename]#/etc/mail/sendmail.cf#:: -This is the master configuration file for Sendmail. It controls the overall behavior of Sendmail, including everything from rewriting email addresses to printing rejection messages to remote mail servers. Accordingly, this configuration file is quite complex. Fortunately, this file rarely needs to be changed for standard mail servers. +This is the master configuration file for Sendmail. +It controls the overall behavior of Sendmail, including everything from rewriting email addresses to printing rejection messages to remote mail servers. +Accordingly, this configuration file is quite complex. +Fortunately, this file rarely needs to be changed for standard mail servers. + -The master Sendmail configuration file can be built from man:m4[1] macros that define the features and behavior of Sendmail. Refer to [.filename]#/usr/src/contrib/sendmail/cf/README# for some of the details. +The master Sendmail configuration file can be built from man:m4[1] macros that define the features and behavior of Sendmail. +Refer to [.filename]#/usr/src/contrib/sendmail/cf/README# for some of the details. + Whenever changes to this file are made, Sendmail needs to be restarted for the changes to take effect. [.filename]#/etc/mail/virtusertable#:: -This database file maps mail addresses for virtual domains and users to real mailboxes. These mailboxes can be local, remote, aliases defined in [.filename]#/etc/mail/aliases#, or files. This allows multiple virtual domains to be hosted on one machine. +This database file maps mail addresses for virtual domains and users to real mailboxes. +These mailboxes can be local, remote, aliases defined in [.filename]#/etc/mail/aliases#, or files. +This allows multiple virtual domains to be hosted on one machine. + -FreeBSD provides a sample configuration file in [.filename]#/etc/mail/virtusertable.sample# to further demonstrate its format. The following example demonstrates how to create custom entries using that format: +FreeBSD provides a sample configuration file in [.filename]#/etc/mail/virtusertable.sample# to further demonstrate its format. +The following example demonstrates how to create custom entries using that format: + [.programlisting] .... @@ -184,7 +231,12 @@ postmaster@example.com postmaster@noc.example.net @example.com joe .... + -This file is processed in a first match order. When an email address matches the address on the left, it is mapped to the local mailbox listed on the right. The format of the first entry in this example maps a specific email address to a local mailbox, whereas the format of the second entry maps a specific email address to a remote mailbox. Finally, any email address from `example.com` which has not matched any of the previous entries will match the last mapping and be sent to the local mailbox `joe`. When creating custom entries, use this format and add them to [.filename]#/etc/mail/virtusertable#. Whenever this file is edited, update its database and restart Sendmail: +This file is processed in a first match order. +When an email address matches the address on the left, it is mapped to the local mailbox listed on the right. +The format of the first entry in this example maps a specific email address to a local mailbox, whereas the format of the second entry maps a specific email address to a remote mailbox. +Finally, any email address from `example.com` which has not matched any of the previous entries will match the last mapping and be sent to the local mailbox `joe`. +When creating custom entries, use this format and add them to [.filename]#/etc/mail/virtusertable#. +Whenever this file is edited, update its database and restart Sendmail: + [source,shell] .... @@ -193,9 +245,12 @@ This file is processed in a first match order. When an email address matches the .... [.filename]#/etc/mail/relay-domains#:: -In a default FreeBSD installation, Sendmail is configured to only send mail from the host it is running on. For example, if a POP server is available, users will be able to check mail from remote locations but they will not be able to send outgoing emails from outside locations. Typically, a few moments after the attempt, an email will be sent from `MAILER-DAEMON` with a `5.7 Relaying Denied` message. +In a default FreeBSD installation, Sendmail is configured to only send mail from the host it is running on. +For example, if a POP server is available, users will be able to check mail from remote locations but they will not be able to send outgoing emails from outside locations. +Typically, a few moments after the attempt, an email will be sent from `MAILER-DAEMON` with a `5.7 Relaying Denied` message. + -The most straightforward solution is to add the ISP's FQDN to [.filename]#/etc/mail/relay-domains#. If multiple addresses are needed, add them one per line: +The most straightforward solution is to add the ISP's FQDN to [.filename]#/etc/mail/relay-domains#. +If multiple addresses are needed, add them one per line: + [.programlisting] .... @@ -207,14 +262,18 @@ www.example.org + After creating or editing this file, restart Sendmail with `service sendmail restart`. + -Now any mail sent through the system by any host in this list, provided the user has an account on the system, will succeed. This allows users to send mail from the system remotely without opening the system up to relaying SPAM from the Internet. +Now any mail sent through the system by any host in this list, provided the user has an account on the system, will succeed. +This allows users to send mail from the system remotely without opening the system up to relaying SPAM from the Internet. [[mail-changingmta]] == Changing the Mail Transfer Agent -FreeBSD comes with Sendmail already installed as the MTA which is in charge of outgoing and incoming mail. However, the system administrator can change the system's MTA. A wide choice of alternative MTAs is available from the `mail` category of the FreeBSD Ports Collection. +FreeBSD comes with Sendmail already installed as the MTA which is in charge of outgoing and incoming mail. +However, the system administrator can change the system's MTA. +A wide choice of alternative MTAs is available from the `mail` category of the FreeBSD Ports Collection. -Once a new MTA is installed, configure and test the new software before replacing Sendmail. Refer to the documentation of the new MTA for information on how to configure the software. +Once a new MTA is installed, configure and test the new software before replacing Sendmail. +Refer to the documentation of the new MTA for information on how to configure the software. Once the new MTA is working, use the instructions in this section to disable Sendmail and configure FreeBSD to use the replacement MTA. @@ -224,7 +283,10 @@ Once the new MTA is working, use the instructions in this section to disable Sen [WARNING] ==== -If Sendmail's outgoing mail service is disabled, it is important that it is replaced with an alternative mail delivery system. Otherwise, system functions such as man:periodic[8] will be unable to deliver their results by email. Many parts of the system expect a functional MTA. If applications continue to use Sendmail's binaries to try to send email after they are disabled, mail could go into an inactive Sendmail queue and never be delivered. +If Sendmail's outgoing mail service is disabled, it is important that it is replaced with an alternative mail delivery system. +Otherwise, system functions such as man:periodic[8] will be unable to deliver their results by email. +Many parts of the system expect a functional MTA. +If applications continue to use Sendmail's binaries to try to send email after they are disabled, mail could go into an inactive Sendmail queue and never be delivered. ==== In order to completely disable Sendmail, add or edit the following lines in [.filename]#/etc/rc.conf#: @@ -248,7 +310,9 @@ More information on Sendmail's startup options is available in man:rc.sendmail[8 === Replace the Default MTA -When a new MTA is installed using the Ports Collection, its startup script is also installed and startup instructions are mentioned in its package message. Before starting the new MTA, stop the running Sendmail processes. This example stops all of these services, then starts the Postfix service: +When a new MTA is installed using the Ports Collection, its startup script is also installed and startup instructions are mentioned in its package message. +Before starting the new MTA, stop the running Sendmail processes. +This example stops all of these services, then starts the Postfix service: [source,shell] .... @@ -256,14 +320,17 @@ When a new MTA is installed using the Ports Collection, its startup script is al # service postfix start .... -To start the replacement MTA at system boot, add its configuration line to [.filename]#/etc/rc.conf#. This entry enables the Postfix MTA: +To start the replacement MTA at system boot, add its configuration line to [.filename]#/etc/rc.conf#. +This entry enables the Postfix MTA: [.programlisting] .... postfix_enable="YES" .... -Some extra configuration is needed as Sendmail is so ubiquitous that some software assumes it is already installed and configured. Check [.filename]#/etc/periodic.conf# and make sure that these values are set to `NO`. If this file does not exist, create it with these entries: +Some extra configuration is needed as Sendmail is so ubiquitous that some software assumes it is already installed and configured. +Check [.filename]#/etc/periodic.conf# and make sure that these values are set to `NO`. +If this file does not exist, create it with these entries: [.programlisting] .... @@ -273,7 +340,10 @@ daily_status_include_submit_mailq="NO" daily_submit_queuerun="NO" .... -Some alternative MTAs provide their own compatible implementations of the Sendmail command-line interface in order to facilitate using them as drop-in replacements for Sendmail. However, some MUAs may try to execute standard Sendmail binaries instead of the new MTA's binaries. FreeBSD uses [.filename]#/etc/mail/mailer.conf# to map the expected Sendmail binaries to the location of the new binaries. More information about this mapping can be found in man:mailwrapper[8]. +Some alternative MTAs provide their own compatible implementations of the Sendmail command-line interface in order to facilitate using them as drop-in replacements for Sendmail. +However, some MUAs may try to execute standard Sendmail binaries instead of the new MTA's binaries. +FreeBSD uses [.filename]#/etc/mail/mailer.conf# to map the expected Sendmail binaries to the location of the new binaries. +More information about this mapping can be found in man:mailwrapper[8]. The default [.filename]#/etc/mail/mailer.conf# looks like this: @@ -291,9 +361,11 @@ hoststat /usr/libexec/sendmail/sendmail purgestat /usr/libexec/sendmail/sendmail .... -When any of the commands listed on the left are run, the system actually executes the associated command shown on the right. This system makes it easy to change what binaries are executed when these default binaries are invoked. +When any of the commands listed on the left are run, the system actually executes the associated command shown on the right. +This system makes it easy to change what binaries are executed when these default binaries are invoked. -Some MTAs, when installed using the Ports Collection, will prompt to update this file for the new binaries. For example, Postfix will update the file like this: +Some MTAs, when installed using the Ports Collection, will prompt to update this file for the new binaries. +For example, Postfix will update the file like this: [.programlisting] .... @@ -306,7 +378,8 @@ mailq /usr/local/sbin/sendmail newaliases /usr/local/sbin/sendmail .... -If the installation of the MTA does not automatically update [.filename]#/etc/mail/mailer.conf#, edit this file in a text editor so that it points to the new binaries. This example points to the binaries installed by package:mail/ssmtp[]: +If the installation of the MTA does not automatically update [.filename]#/etc/mail/mailer.conf#, edit this file in a text editor so that it points to the new binaries. +This example points to the binaries installed by package:mail/ssmtp[]: [.programlisting] .... @@ -318,18 +391,22 @@ hoststat /usr/bin/true purgestat /usr/bin/true .... -Once everything is configured, it is recommended to reboot the system. Rebooting provides the opportunity to ensure that the system is correctly configured to start the new MTA automatically on boot. +Once everything is configured, it is recommended to reboot the system. +Rebooting provides the opportunity to ensure that the system is correctly configured to start the new MTA automatically on boot. [[mail-trouble]] == Troubleshooting === Why do I have to use the FQDN for hosts on my site? -The host may actually be in a different domain. For example, in order for a host in `foo.bar.edu` to reach a host called `mumble` in the `bar.edu` domain, refer to it by the Fully-Qualified Domain Name FQDN, `mumble.bar.edu`, instead of just `mumble`. +The host may actually be in a different domain. +For example, in order for a host in `foo.bar.edu` to reach a host called `mumble` in the `bar.edu` domain, refer to it by the Fully-Qualified Domain Name FQDN, `mumble.bar.edu`, instead of just `mumble`. -This is because the version of BIND which ships with FreeBSD no longer provides default abbreviations for non-FQDNs other than the local domain. An unqualified host such as `mumble` must either be found as `mumble.foo.bar.edu`, or it will be searched for in the root domain. +This is because the version of BIND which ships with FreeBSD no longer provides default abbreviations for non-FQDNs other than the local domain. +An unqualified host such as `mumble` must either be found as `mumble.foo.bar.edu`, or it will be searched for in the root domain. -In older versions of BIND, the search continued across `mumble.bar.edu`, and `mumble.edu`. RFC 1535 details why this is considered bad practice or even a security hole. +In older versions of BIND, the search continued across `mumble.bar.edu`, and `mumble.edu`. +RFC 1535 details why this is considered bad practice or even a security hole. As a good workaround, place the line: @@ -345,13 +422,15 @@ instead of the previous: domain foo.bar.edu .... -into [.filename]#/etc/resolv.conf#. However, make sure that the search order does not go beyond the "boundary between local and public administration", as RFC 1535 calls it. +into [.filename]#/etc/resolv.conf#. +However, make sure that the search order does not go beyond the "boundary between local and public administration", as RFC 1535 calls it. === How can I run a mail server on a dial-up PPP host? Connect to a FreeBSD mail gateway on the LAN. The PPP connection is non-dedicated. -One way to do this is to get a full-time Internet server to provide secondary MX services for the domain. In this example, the domain is `example.com` and the ISP has configured `example.net` to provide secondary MX services to the domain: +One way to do this is to get a full-time Internet server to provide secondary MX services for the domain. +In this example, the domain is `example.com` and the ISP has configured `example.net` to provide secondary MX services to the domain: [.programlisting] .... @@ -359,9 +438,13 @@ example.com. MX 10 example.com. MX 20 example.net. .... -Only one host should be specified as the final recipient. For Sendmail, add `Cw example.com` in [.filename]#/etc/mail/sendmail.cf# on `example.com`. +Only one host should be specified as the final recipient. +For Sendmail, add `Cw example.com` in [.filename]#/etc/mail/sendmail.cf# on `example.com`. -When the sending MTA attempts to deliver mail, it will try to connect to the system, `example.com`, over the PPP link. This will time out if the destination is offline. The MTA will automatically deliver it to the secondary MX site at the Internet Service Provider (ISP), `example.net`. The secondary MX site will periodically try to connect to the primary MX host, `example.com`. +When the sending MTA attempts to deliver mail, it will try to connect to the system, `example.com`, over the PPP link. +This will time out if the destination is offline. +The MTA will automatically deliver it to the secondary MX site at the Internet Service Provider (ISP), `example.net`. +The secondary MX site will periodically try to connect to the primary MX host, `example.com`. Use something like this as a login script: @@ -373,7 +456,8 @@ Use something like this as a login script: /usr/sbin/ppp -direct pppmyisp .... -When creating a separate login script for users, instead use `sendmail -qRexample.com` in the script above. This will force all mail in the queue for `example.com` to be processed immediately. +When creating a separate login script for users, instead use `sendmail -qRexample.com` in the script above. +This will force all mail in the queue for `example.com` to be processed immediately. A further refinement of the situation can be seen from this example from the {freebsd-isp}: @@ -416,12 +500,15 @@ This section covers more involved topics such as mail configuration and setting [[mail-config]] === Basic Configuration -Out of the box, one can send email to external hosts as long as [.filename]#/etc/resolv.conf# is configured or the network has access to a configured DNS server. To have email delivered to the MTA on the FreeBSD host, do one of the following: +Out of the box, one can send email to external hosts as long as [.filename]#/etc/resolv.conf# is configured or the network has access to a configured DNS server. +To have email delivered to the MTA on the FreeBSD host, do one of the following: * Run a DNS server for the domain. * Get mail delivered directly to the FQDN for the machine. -In order to have mail delivered directly to a host, it must have a permanent static IP address, not a dynamic IP address. If the system is behind a firewall, it must be configured to allow SMTP traffic. To receive mail directly at a host, one of these two must be configured: +In order to have mail delivered directly to a host, it must have a permanent static IP address, not a dynamic IP address. +If the system is behind a firewall, it must be configured to allow SMTP traffic. +To receive mail directly at a host, one of these two must be configured: * Make sure that the lowest-numbered MX record in DNS points to the host's static IP address. * Make sure there is no MX entry in the DNS for the host. @@ -451,7 +538,9 @@ example.FreeBSD.org mail is handled (pri=10) by nevdull.FreeBSD.org All mail sent to `example.FreeBSD.org` will be collected on `hub` under the same username instead of being sent directly to your host. -The above information is handled by the DNS server. The DNS record that carries mail routing information is the MX entry. If no MX record exists, mail will be delivered directly to the host by way of its IP address. +The above information is handled by the DNS server. +The DNS record that carries mail routing information is the MX entry. +If no MX record exists, mail will be delivered directly to the host by way of its IP address. The MX entry for `freefall.FreeBSD.org` at one time looked like this: @@ -463,18 +552,23 @@ freefall MX 10 freefall.FreeBSD.org freefall MX 20 who.cdrom.com .... -`freefall` had many MX entries. The lowest MX number is the host that receives mail directly, if available. If it is not accessible for some reason, the next lower-numbered host will accept messages temporarily, and pass it along when a lower-numbered host becomes available. +`freefall` had many MX entries. +The lowest MX number is the host that receives mail directly, if available. +If it is not accessible for some reason, the next lower-numbered host will accept messages temporarily, and pass it along when a lower-numbered host becomes available. -Alternate MX sites should have separate Internet connections in order to be most useful. Your ISP can provide this service. +Alternate MX sites should have separate Internet connections in order to be most useful. +Your ISP can provide this service. [[mail-domain]] === Mail for a Domain When configuring a MTA for a network, any mail sent to hosts in its domain should be diverted to the MTA so that users can receive their mail on the master mail server. -To make life easiest, a user account with the same _username_ should exist on both the MTA and the system with the MUA. Use man:adduser[8] to create the user accounts. +To make life easiest, a user account with the same _username_ should exist on both the MTA and the system with the MUA. +Use man:adduser[8] to create the user accounts. -The MTA must be the designated mail exchanger for each workstation on the network. This is done in the DNS configuration with an MX record: +The MTA must be the designated mail exchanger for each workstation on the network. +This is done in the DNS configuration with an MX record: [.programlisting] .... @@ -482,20 +576,26 @@ example.FreeBSD.org A 204.216.27.XX ; Workstation MX 10 nevdull.FreeBSD.org ; Mailhost .... -This will redirect mail for the workstation to the MTA no matter where the A record points. The mail is sent to the MX host. +This will redirect mail for the workstation to the MTA no matter where the A record points. +The mail is sent to the MX host. -This must be configured on a DNS server. If the network does not run its own DNS server, talk to the ISP or DNS provider. +This must be configured on a DNS server. +If the network does not run its own DNS server, talk to the ISP or DNS provider. -The following is an example of virtual email hosting. Consider a customer with the domain `customer1.org`, where all the mail for `customer1.org` should be sent to `mail.myhost.com`. The DNS entry should look like this: +The following is an example of virtual email hosting. +Consider a customer with the domain `customer1.org`, where all the mail for `customer1.org` should be sent to `mail.myhost.com`. +The DNS entry should look like this: [.programlisting] .... customer1.org MX 10 mail.myhost.com .... -An `A` record is _not_ needed for `customer1.org` in order to only handle email for that domain. However, running `ping` against `customer1.org` will not work unless an `A` record exists for it. +An `A` record is _not_ needed for `customer1.org` in order to only handle email for that domain. +However, running `ping` against `customer1.org` will not work unless an `A` record exists for it. -Tell the MTA which domains and/or hostnames it should accept mail for. Either of the following will work for Sendmail: +Tell the MTA which domains and/or hostnames it should accept mail for. +Either of the following will work for Sendmail: * Add the hosts to [.filename]#/etc/mail/local-host-names# when using the `FEATURE(use_cw_file)`. * Add a `Cwyour.host.com` line to [.filename]#/etc/sendmail.cf#. @@ -503,12 +603,14 @@ Tell the MTA which domains and/or hostnames it should accept mail for. Either of [[outgoing-only]] == Setting Up to Send Only -There are many instances where one may only want to send mail through a relay. Some examples are: +There are many instances where one may only want to send mail through a relay. +Some examples are: * The computer is a desktop machine that needs to use programs such as man:mail[1], using the ISP's mail relay. * The computer is a server that does not handle mail locally, but needs to pass off all mail to a relay for processing. -While any MTA is capable of filling this particular niche, it can be difficult to properly configure a full-featured MTA just to handle offloading mail. Programs such as Sendmail and Postfix are overkill for this use. +While any MTA is capable of filling this particular niche, it can be difficult to properly configure a full-featured MTA just to handle offloading mail. +Programs such as Sendmail and Postfix are overkill for this use. Additionally, a typical Internet access service agreement may forbid one from running a "mail server". @@ -530,9 +632,12 @@ rewriteDomain=example.com hostname=_HOSTNAME_ .... -Use the real email address for `root`. Enter the ISP's outgoing mail relay in place of `mail.example.com`. Some ISPs call this the "outgoing mail server" or "SMTP server". +Use the real email address for `root`. +Enter the ISP's outgoing mail relay in place of `mail.example.com`. +Some ISPs call this the "outgoing mail server" or "SMTP server". -Make sure to disable Sendmail, including the outgoing mail service. See <<mail-disable-sendmail>> for details. +Make sure to disable Sendmail, including the outgoing mail service. +See <<mail-disable-sendmail>> for details. package:mail/ssmtp[] has some other options available. Refer to the examples in [.filename]#/usr/local/etc/ssmtp# or the manual page of ssmtp for more information. @@ -541,11 +646,15 @@ Setting up ssmtp in this manner allows any software on the computer that needs t [[SMTP-dialup]] == Using Mail with a Dialup Connection -When using a static IP address, one should not need to adjust the default configuration. Set the hostname to the assigned Internet name and Sendmail will do the rest. +When using a static IP address, one should not need to adjust the default configuration. +Set the hostname to the assigned Internet name and Sendmail will do the rest. -When using a dynamically assigned IP address and a dialup PPP connection to the Internet, one usually has a mailbox on the ISP's mail server. In this example, the ISP's domain is `example.net`, the user name is `user`, the hostname is `bsd.home`, and the ISP has allowed `relay.example.net` as a mail relay. +When using a dynamically assigned IP address and a dialup PPP connection to the Internet, one usually has a mailbox on the ISP's mail server. +In this example, the ISP's domain is `example.net`, the user name is `user`, the hostname is `bsd.home`, and the ISP has allowed `relay.example.net` as a mail relay. -In order to retrieve mail from the ISP's mailbox, install a retrieval agent from the Ports Collection. package:mail/fetchmail[] is a good choice as it supports many different protocols. Usually, the ISP will provide POP. When using user PPP, email can be automatically fetched when an Internet connection is established with the following entry in [.filename]#/etc/ppp/ppp.linkup#: +In order to retrieve mail from the ISP's mailbox, install a retrieval agent from the Ports Collection. package:mail/fetchmail[] is a good choice as it supports many different protocols. +Usually, the ISP will provide POP. +When using user PPP, email can be automatically fetched when an Internet connection is established with the following entry in [.filename]#/etc/ppp/ppp.linkup#: [.programlisting] .... @@ -553,14 +662,16 @@ MYADDR: !bg su user -c fetchmail .... -When using Sendmail to deliver mail to non-local accounts, configure Sendmail to process the mail queue as soon as the Internet connection is established. To do this, add this line after the above `fetchmail` entry in [.filename]#/etc/ppp/ppp.linkup#: +When using Sendmail to deliver mail to non-local accounts, configure Sendmail to process the mail queue as soon as the Internet connection is established. +To do this, add this line after the above `fetchmail` entry in [.filename]#/etc/ppp/ppp.linkup#: [.programlisting] .... !bg su user -c "sendmail -q" .... -In this example, there is an account for `user` on `bsd.home`. In the home directory of `user` on `bsd.home`, create a [.filename]#.fetchmailrc# which contains this line: +In this example, there is an account for `user` on `bsd.home`. +In the home directory of `user` on `bsd.home`, create a [.filename]#.fetchmailrc# which contains this line: [.programlisting] .... @@ -593,12 +704,14 @@ define(`confDOMAIN_NAME',`bsd.home')dnl define(`confDELIVERY_MODE',`deferred')dnl .... -Refer to the previous section for details of how to convert this file into the [.filename]#sendmail.cf# format. Do not forget to restart Sendmail after updating [.filename]#sendmail.cf#. +Refer to the previous section for details of how to convert this file into the [.filename]#sendmail.cf# format. +Do not forget to restart Sendmail after updating [.filename]#sendmail.cf#. [[SMTP-Auth]] == SMTP Authentication -Configuring SMTP authentication on the MTA provides a number of benefits. SMTP authentication adds a layer of security to Sendmail, and provides mobile users who switch hosts the ability to use the same MTA without the need to reconfigure their mail client's settings each time. +Configuring SMTP authentication on the MTA provides a number of benefits. +SMTP authentication adds a layer of security to Sendmail, and provides mobile users who switch hosts the ability to use the same MTA without the need to reconfigure their mail client's settings each time. [.procedure] . Install package:security/cyrus-sasl2[] from the Ports Collection. This port supports a number of compile-time options. For the SMTP authentication method demonstrated in this example, make sure that `LOGIN` is not disabled. @@ -623,7 +736,8 @@ Finally, start the saslauthd daemon: # service saslauthd start .... + -This daemon serves as a broker for Sendmail to authenticate against the FreeBSD man:passwd[5] database. This saves the trouble of creating a new set of usernames and passwords for each user that needs to use SMTP authentication, and keeps the login and mail password the same. +This daemon serves as a broker for Sendmail to authenticate against the FreeBSD man:passwd[5] database. +This saves the trouble of creating a new set of usernames and passwords for each user that needs to use SMTP authentication, and keeps the login and mail password the same. . Next, edit [.filename]#/etc/make.conf# and add the following lines: + [.programlisting] @@ -632,7 +746,8 @@ SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL SENDMAIL_LDADD=/usr/local/lib/libsasl2.so .... + -These lines provide Sendmail the proper configuration options for linking to package:cyrus-sasl2[] at compile time. Make sure that package:cyrus-sasl2[] has been installed before recompiling Sendmail. +These lines provide Sendmail the proper configuration options for linking to package:cyrus-sasl2[] at compile time. +Make sure that package:cyrus-sasl2[] has been installed before recompiling Sendmail. . Recompile Sendmail by executing the following commands: + [source,shell] @@ -655,22 +770,28 @@ TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl .... + -These options configure the different methods available to Sendmail for authenticating users. To use a method other than pwcheck, refer to the Sendmail documentation. +These options configure the different methods available to Sendmail for authenticating users. +To use a method other than pwcheck, refer to the Sendmail documentation. . Finally, run man:make[1] while in [.filename]#/etc/mail#. That will run the new [.filename]#.mc# and create a [.filename]#.cf# named either [.filename]#freebsd.cf# or the name used for the local [.filename]#.mc#. Then, run `make install restart`, which will copy the file to [.filename]#sendmail.cf#, and properly restart Sendmail. For more information about this process, refer to [.filename]#/etc/mail/Makefile#. -To test the configuration, use a MUA to send a test message. For further investigation, set the `LogLevel` of Sendmail to `13` and watch [.filename]#/var/log/maillog# for any errors. +To test the configuration, use a MUA to send a test message. +For further investigation, set the `LogLevel` of Sendmail to `13` and watch [.filename]#/var/log/maillog# for any errors. For more information, refer to http://www.sendmail.org/~ca/email/auth.html[SMTP authentication]. [[mail-agents]] == Mail User Agents -A MUA is an application that is used to send and receive email. As email "evolves" and becomes more complex, MUAs are becoming increasingly powerful and provide users increased functionality and flexibility. The `mail` category of the FreeBSD Ports Collection contains numerous MUAs. These include graphical email clients such as Evolution or Balsa and console based clients such as mutt or alpine. +A MUA is an application that is used to send and receive email. +As email "evolves" and becomes more complex, MUAs are becoming increasingly powerful and provide users increased functionality and flexibility. +The `mail` category of the FreeBSD Ports Collection contains numerous MUAs. +These include graphical email clients such as Evolution or Balsa and console based clients such as mutt or alpine. [[mail-command]] === `mail` -man:mail[1] is the default MUA installed with FreeBSD. It is a console based MUA that offers the basic functionality required to send and receive text-based email. It provides limited attachment support and can only access local mailboxes. +man:mail[1] is the default MUA installed with FreeBSD. It is a console based MUA that offers the basic functionality required to send and receive text-based email. +It provides limited attachment support and can only access local mailboxes. Although `mail` does not natively support interaction with POP or IMAP servers, these mailboxes may be downloaded to a local [.filename]#mbox# using an application such as fetchmail. @@ -681,7 +802,10 @@ In order to send and receive email, run `mail`: % mail .... -The contents of the user's mailbox in [.filename]#/var/mail# are automatically read by `mail`. Should the mailbox be empty, the utility exits with a message indicating that no mail could be found. If mail exists, the application interface starts, and a list of messages will be displayed. Messages are automatically numbered, as can be seen in the following example: +The contents of the user's mailbox in [.filename]#/var/mail# are automatically read by `mail`. +Should the mailbox be empty, the utility exits with a message indicating that no mail could be found. +If mail exists, the application interface starts, and a list of messages will be displayed. +Messages are automatically numbered, as can be seen in the following example: [source,shell] .... @@ -692,7 +816,8 @@ Mail version 8.1 6/6/93. Type ? for help. N 3 root@localhost Mon Mar 8 14:05 14/509 "sample" .... -Messages can now be read by typing kbd:[t] followed by the message number. This example reads the first email: +Messages can now be read by typing kbd:[t] followed by the message number. +This example reads the first email: [source,shell] .... @@ -709,9 +834,14 @@ From: root@localhost (Charlie Root) This is a test message, please reply if you receive it. .... -As seen in this example, the message will be displayed with full headers. To display the list of messages again, press kbd:[h]. +As seen in this example, the message will be displayed with full headers. +To display the list of messages again, press kbd:[h]. -If the email requires a reply, press either kbd:[R] or kbd:[r] `mail` keys. kbd:[R] instructs `mail` to reply only to the sender of the email, while kbd:[r] replies to all other recipients of the message. These commands can be suffixed with the mail number of the message to reply to. After typing the response, the end of the message should be marked by a single kbd:[.] on its own line. An example can be seen below: +If the email requires a reply, press either kbd:[R] or kbd:[r] `mail` keys. +kbd:[R] instructs `mail` to reply only to the sender of the email, while kbd:[r] replies to all other recipients of the message. +These commands can be suffixed with the mail number of the message to reply to. +After typing the response, the end of the message should be marked by a single kbd:[.] on its own line. +An example can be seen below: [source,shell] .... @@ -724,7 +854,10 @@ Thank you, I did get your email. EOT .... -In order to send a new email, press kbd:[m], followed by the recipient email address. Multiple recipients may be specified by separating each address with the kbd:[,] delimiter. The subject of the message may then be entered, followed by the message contents. The end of the message should be specified by putting a single kbd:[.] on its own line. +In order to send a new email, press kbd:[m], followed by the recipient email address. +Multiple recipients may be specified by separating each address with the kbd:[,] delimiter. +The subject of the message may then be entered, followed by the message contents. +The end of the message should be specified by putting a single kbd:[.] on its own line. [source,shell] .... @@ -736,11 +869,14 @@ Now I can send and receive email using mail ... :) EOT .... -While using `mail`, press kbd:[?] to display help at any time. Refer to man:mail[1] for more help on how to use `mail`. +While using `mail`, press kbd:[?] to display help at any time. +Refer to man:mail[1] for more help on how to use `mail`. [NOTE] ==== -man:mail[1] was not designed to handle attachments and thus deals with them poorly. Newer MUAs handle attachments in a more intelligent way. Users who prefer to use `mail` may find the package:converters/mpack[] port to be of considerable use. +man:mail[1] was not designed to handle attachments and thus deals with them poorly. +Newer MUAs handle attachments in a more intelligent way. +Users who prefer to use `mail` may find the package:converters/mpack[] port to be of considerable use. ==== [[mutt-command]] @@ -756,33 +892,47 @@ mutt is a powerful MUA, with many features, including: Refer to http://www.mutt.org[http://www.mutt.org] for more information on mutt. -mutt may be installed using the package:mail/mutt[] port. After the port has been installed, mutt can be started by issuing the following command: +mutt may be installed using the package:mail/mutt[] port. +After the port has been installed, mutt can be started by issuing the following command: [source,shell] .... % mutt .... -mutt will automatically read and display the contents of the user mailbox in [.filename]#/var/mail#. If no mails are found, mutt will wait for commands from the user. The example below shows mutt displaying a list of messages: +mutt will automatically read and display the contents of the user mailbox in [.filename]#/var/mail#. +If no mails are found, mutt will wait for commands from the user. +The example below shows mutt displaying a list of messages: image::mutt1.png[] -To read an email, select it using the cursor keys and press kbd:[Enter]. An example of mutt displaying email can be seen below: +To read an email, select it using the cursor keys and press kbd:[Enter]. +An example of mutt displaying email can be seen below: image::mutt2.png[] -Similar to man:mail[1], mutt can be used to reply only to the sender of the message as well as to all recipients. To reply only to the sender of the email, press kbd:[r]. To send a group reply to the original sender as well as all the message recipients, press kbd:[g]. +Similar to man:mail[1], mutt can be used to reply only to the sender of the message as well as to all recipients. +To reply only to the sender of the email, press kbd:[r]. +To send a group reply to the original sender as well as all the message recipients, press kbd:[g]. [NOTE] ==== -By default, mutt uses the man:vi[1] editor for creating and replying to emails. Each user can customize this by creating or editing the [.filename]#.muttrc# in their home directory and setting the `editor` variable or by setting the `EDITOR` environment variable. Refer to http://www.mutt.org/[http://www.mutt.org/] for more information about configuring mutt. +By default, mutt uses the man:vi[1] editor for creating and replying to emails. +Each user can customize this by creating or editing the [.filename]#.muttrc# in their home directory and setting the `editor` variable or by setting the `EDITOR` environment variable. +Refer to http://www.mutt.org/[http://www.mutt.org/] for more information about configuring mutt. ==== -To compose a new mail message, press kbd:[m]. After a valid subject has been given, mutt will start man:vi[1] so the email can be written. Once the contents of the email are complete, save and quit from `vi`. mutt will resume, displaying a summary screen of the mail that is to be delivered. In order to send the mail, press kbd:[y]. An example of the summary screen can be seen below: +To compose a new mail message, press kbd:[m]. +After a valid subject has been given, mutt will start man:vi[1] so the email can be written. +Once the contents of the email are complete, save and quit from `vi`. +mutt will resume, displaying a summary screen of the mail that is to be delivered. +In order to send the mail, press kbd:[y]. +An example of the summary screen can be seen below: image::mutt3.png[] -mutt contains extensive help which can be accessed from most of the menus by pressing kbd:[?]. The top line also displays the keyboard shortcuts where appropriate. +mutt contains extensive help which can be accessed from most of the menus by pressing kbd:[?]. +The top line also displays the keyboard shortcuts where appropriate. [[alpine-command]] === alpine @@ -791,59 +941,81 @@ alpine is aimed at a beginner user, but also includes some advanced features. [WARNING] ==== - -alpine has had several remote vulnerabilities discovered in the past, which allowed remote attackers to execute arbitrary code as users on the local system, by the action of sending a specially-prepared email. While _known_ problems have been fixed, alpine code is written in an insecure style and the FreeBSD Security Officer believes there are likely to be other undiscovered vulnerabilities. Users install alpine at their own risk. +alpine has had several remote vulnerabilities discovered in the past, which allowed remote attackers to execute arbitrary code as users on the local system, by the action of sending a specially-prepared email. +While _known_ problems have been fixed, alpine code is written in an insecure style and the FreeBSD Security Officer believes there are likely to be other undiscovered vulnerabilities. +Users install alpine at their own risk. ==== -The current version of alpine may be installed using the package:mail/alpine[] port. Once the port has installed, alpine can be started by issuing the following command: +The current version of alpine may be installed using the package:mail/alpine[] port. +Once the port has installed, alpine can be started by issuing the following command: [source,shell] .... % alpine .... -The first time alpine runs, it displays a greeting page with a brief introduction, as well as a request from the alpine development team to send an anonymous email message allowing them to judge how many users are using their client. To send this anonymous message, press kbd:[Enter]. Alternatively, press kbd:[E] to exit the greeting without sending an anonymous message. An example of the greeting page is shown below: +The first time alpine runs, it displays a greeting page with a brief introduction, as well as a request from the alpine development team to send an anonymous email message allowing them to judge how many users are using their client. +To send this anonymous message, press kbd:[Enter]. +Alternatively, press kbd:[E] to exit the greeting without sending an anonymous message. +An example of the greeting page is shown below: image::pine1.png[] -The main menu is then presented, which can be navigated using the cursor keys. This main menu provides shortcuts for the composing new mails, browsing mail directories, and administering address book entries. Below the main menu, relevant keyboard shortcuts to perform functions specific to the task at hand are shown. +The main menu is then presented, which can be navigated using the cursor keys. +This main menu provides shortcuts for the composing new mails, browsing mail directories, and administering address book entries. +Below the main menu, relevant keyboard shortcuts to perform functions specific to the task at hand are shown. -The default directory opened by alpine is [.filename]#inbox#. To view the message index, press kbd:[I], or select the [.guimenuitem]#MESSAGE INDEX# option shown below: +The default directory opened by alpine is [.filename]#inbox#. +To view the message index, press kbd:[I], or select the [.guimenuitem]#MESSAGE INDEX# option shown below: image::pine2.png[] -The message index shows messages in the current directory and can be navigated by using the cursor keys. Highlighted messages can be read by pressing kbd:[Enter]. +The message index shows messages in the current directory and can be navigated by using the cursor keys. +Highlighted messages can be read by pressing kbd:[Enter]. image::pine3.png[] -In the screenshot below, a sample message is displayed by alpine. Contextual keyboard shortcuts are displayed at the bottom of the screen. An example of one of a shortcut is kbd:[r], which tells the MUA to reply to the current message being displayed. +In the screenshot below, a sample message is displayed by alpine. +Contextual keyboard shortcuts are displayed at the bottom of the screen. +An example of one of a shortcut is kbd:[r], which tells the MUA to reply to the current message being displayed. image::pine4.png[] -Replying to an email in alpine is done using the pico editor, which is installed by default with alpine. pico makes it easy to navigate the message and is easier for novice users to use than man:vi[1] or man:mail[1]. Once the reply is complete, the message can be sent by pressing kbd:[Ctrl+X]. alpine will ask for confirmation before sending the message. +Replying to an email in alpine is done using the pico editor, which is installed by default with alpine. +pico makes it easy to navigate the message and is easier for novice users to use than man:vi[1] or man:mail[1]. +Once the reply is complete, the message can be sent by pressing kbd:[Ctrl+X]. +alpine will ask for confirmation before sending the message. image::pine5.png[] -alpine can be customized using the [.guimenuitem]#SETUP# option from the main menu. Consult http://www.washington.edu/alpine/[http://www.washington.edu/alpine/] for more information. +alpine can be customized using the [.guimenuitem]#SETUP# option from the main menu. +Consult http://www.washington.edu/alpine/[http://www.washington.edu/alpine/] for more information. [[mail-fetchmail]] == Using fetchmail -fetchmail is a full-featured IMAP and POP client. It allows users to automatically download mail from remote IMAP and POP servers and save it into local mailboxes where it can be accessed more easily. fetchmail can be installed using the package:mail/fetchmail[] port, and offers various features, including: +fetchmail is a full-featured IMAP and POP client. +It allows users to automatically download mail from remote IMAP and POP servers and save it into local mailboxes where it can be accessed more easily. +fetchmail can be installed using the package:mail/fetchmail[] port, and offers various features, including: * Support for the POP3, APOP, KPOP, IMAP, ETRN and ODMR protocols. * Ability to forward mail using SMTP, which allows filtering, forwarding, and aliasing to function normally. * May be run in daemon mode to check periodically for new messages. * Can retrieve multiple mailboxes and forward them, based on configuration, to different local users. -This section explains some of the basic features of fetchmail. This utility requires a [.filename]#.fetchmailrc# configuration in the user's home directory in order to run correctly. This file includes server information as well as login credentials. Due to the sensitive nature of the contents of this file, it is advisable to make it readable only by the user, with the following command: +This section explains some of the basic features of fetchmail. +This utility requires a [.filename]#.fetchmailrc# configuration in the user's home directory in order to run correctly. +This file includes server information as well as login credentials. +Due to the sensitive nature of the contents of this file, it is advisable to make it readable only by the user, with the following command: [source,shell] .... % chmod 600 .fetchmailrc .... -The following [.filename]#.fetchmailrc# serves as an example for downloading a single user mailbox using POP. It tells fetchmail to connect to `example.com` using a username of `joesoap` and a password of `XXX`. This example assumes that the user `joesoap` exists on the local system. +The following [.filename]#.fetchmailrc# serves as an example for downloading a single user mailbox using POP. +It tells fetchmail to connect to `example.com` using a username of `joesoap` and a password of `XXX`. +This example assumes that the user `joesoap` exists on the local system. [.programlisting] .... @@ -861,7 +1033,8 @@ poll example2.net proto imap: user "john", with password "XXXXX", is "myth" here; .... -fetchmail can be run in daemon mode by running it with `-d`, followed by the interval (in seconds) that fetchmail should poll servers listed in [.filename]#.fetchmailrc#. The following example configures fetchmail to poll every 600 seconds: +fetchmail can be run in daemon mode by running it with `-d`, followed by the interval (in seconds) that fetchmail should poll servers listed in [.filename]#.fetchmailrc#. +The following example configures fetchmail to poll every 600 seconds: [source,shell] .... @@ -873,14 +1046,20 @@ More information on fetchmail can be found at http://www.fetchmail.info/[http:// [[mail-procmail]] == Using procmail -procmail is a powerful application used to filter incoming mail. It allows users to define "rules" which can be matched to incoming mails to perform specific functions or to reroute mail to alternative mailboxes or email addresses. procmail can be installed using the package:mail/procmail[] port. Once installed, it can be directly integrated into most MTAs. Consult the MTA documentation for more information. Alternatively, procmail can be integrated by adding the following line to a [.filename]#.forward# in the home directory of the user: +procmail is a powerful application used to filter incoming mail. +It allows users to define "rules" which can be matched to incoming mails to perform specific functions or to reroute mail to alternative mailboxes or email addresses. +procmail can be installed using the package:mail/procmail[] port. +Once installed, it can be directly integrated into most MTAs. +Consult the MTA documentation for more information. +Alternatively, procmail can be integrated by adding the following line to a [.filename]#.forward# in the home directory of the user: [.programlisting] .... "|exec /usr/local/bin/procmail || exit 75" .... -The following section displays some basic procmail rules, as well as brief descriptions of what they do. Rules must be inserted into a [.filename]#.procmailrc#, which must reside in the user's home directory. +The following section displays some basic procmail rules, as well as brief descriptions of what they do. +Rules must be inserted into a [.filename]#.procmailrc#, which must reside in the user's home directory. The majority of these rules can be found in man:procmailex[5]. diff --git a/documentation/content/en/books/handbook/mirrors/_index.adoc b/documentation/content/en/books/handbook/mirrors/_index.adoc index c2ef4eb4d9..7be01c8ea6 100644 --- a/documentation/content/en/books/handbook/mirrors/_index.adoc +++ b/documentation/content/en/books/handbook/mirrors/_index.adoc @@ -63,9 +63,16 @@ WWW: http://www.hinner.de/linux/freebsd.html [[mirrors-ftp]] == FTP Sites -The official sources for FreeBSD are available via anonymous FTP from a worldwide set of mirror sites. The site link:ftp://ftp.FreeBSD.org/pub/FreeBSD/[ftp://ftp.FreeBSD.org/pub/FreeBSD/] is available via HTTP and FTP. It is made up of many machines operated by the project cluster administrators and behind GeoDNS to direct users to the closest available mirror. +The official sources for FreeBSD are available via anonymous FTP from a worldwide set of mirror sites. +The site link:ftp://ftp.FreeBSD.org/pub/FreeBSD/[ftp://ftp.FreeBSD.org/pub/FreeBSD/] is available via HTTP and FTP. +It is made up of many machines operated by the project cluster administrators and behind GeoDNS to direct users to the closest available mirror. -Additionally, FreeBSD is available via anonymous FTP from the following mirror sites. When obtaining FreeBSD via anonymous FTP, please try to use a nearby site. The mirror sites listed as "Primary Mirror Sites" typically have the entire FreeBSD archive (all the currently available versions for each of the architectures) but faster download speeds are probably available from a site that is in your country or region. The regional sites carry the most recent versions for the most popular architecture(s) but might not carry the entire FreeBSD archive. All sites provide access via anonymous FTP but some sites also provide access via other methods. The access methods available for each site are provided in parentheses after the hostname. +Additionally, FreeBSD is available via anonymous FTP from the following mirror sites. +When obtaining FreeBSD via anonymous FTP, please try to use a nearby site. +The mirror sites listed as "Primary Mirror Sites" typically have the entire FreeBSD archive (all the currently available versions for each of the architectures) but faster download speeds are probably available from a site that is in your country or region. +The regional sites carry the most recent versions for the most popular architecture(s) but might not carry the entire FreeBSD archive. +All sites provide access via anonymous FTP but some sites also provide access via other methods. +The access methods available for each site are provided in parentheses after the hostname. <<central, {central}>>, <<primary, {mirrors-primary}>>, <<armenia, {mirrors-armenia}>>, <<australia, {mirrors-australia}>>, <<austria, {mirrors-austria}>>, <<brazil, {mirrors-brazil}>>, <<czech-republic, {mirrors-czech}>>, <<denmark, {mirrors-denmark}>>, <<estonia, {mirrors-estonia}>>, <<finland, {mirrors-finland}>>, <<france, {mirrors-france}>>, <<germany, {mirrors-germany}>>, <<greece, {mirrors-greece}>>, <<hong-kong, {mirrors-hongkong}>>, <<ireland, {mirrors-ireland}>>, <<japan, {mirrors-japan}>>, <<korea, {mirrors-korea}>>, <<latvia, {mirrors-latvia}>>, <<lithuania, {mirrors-lithuania}>>, <<netherlands, {mirrors-netherlands}>>, <<new-zealand, {mirrors-new-zealand}>>, <<norway, {mirrors-norway}>>, <<poland, {mirrors-poland}>>, <<russia, {mirrors-russia}>>, <<saudi-arabia, {mirrors-saudi-arabia}>>, <<slovenia, {mirrors-slovenia}>>, <<south-africa, {mirrors-south-africa}>>, <<spain, {mirrors-spain}>>, <<sweden, {mirrors-sweden}>>, <<switzerland, {mirrors-switzerland}>>, <<taiwan, {mirrors-taiwan}>>, <<ukraine, {mirrors-ukraine}>>, <<uk, {mirrors-uk}>>, <<usa, {mirrors-us}>>. @@ -475,11 +482,9 @@ For example, the URL `https://git.FreeBSD.org/src.git` specifies the main branch [WARNING] ==== - Sometime after the switch to git is complete, `gitrepo.freebsd.org` will change to simply `repo.freebsd.org`. ==== - To get started, clone a copy of the FreeBSD repository: [source,shell] @@ -589,9 +594,8 @@ freebsd https://git.freebsd.org/${repo}.git (push) * Configure the FreeBSD committer data: + -The commit hook in repo.freebsd.org checks the "Commit" field matches the -committer's information in FreeBSD.org. The easiest way to get the suggested -config is by executing `/usr/local/bin/gen-gitconfig.sh` script on freefall: +The commit hook in repo.freebsd.org checks the "Commit" field matches the committer's information in FreeBSD.org. +The easiest way to get the suggested config is by executing `/usr/local/bin/gen-gitconfig.sh` script on freefall: + [source,shell] .... @@ -669,7 +673,6 @@ git config push.default upstream These internal details may change often. ==== - [[external-mirrors]] === External mirrors @@ -706,7 +709,8 @@ Commit messages will be sent to the following mailing lists: - https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main[dev-commits-src-main]: All changes to the "main" branch of the src repository (the FreeBSD-CURRENT branch) - https://lists.freebsd.org/mailman/listinfo/dev-commits-src-branches[dev-commits-src-branches]: All changes to all stable branches of the src repository -For more information, please refer to the "Commit message lists" section of C.2. "Mailing Lists" in handbook: https://www.freebsd.org/doc/en/books/handbook/eresources/#eresources-mail +For more information, please refer to the "Commit message lists" section of C.2. +"Mailing Lists" in handbook: https://www.freebsd.org/doc/en/books/handbook/eresources/#eresources-mail [[svn]] == Using Subversion @@ -739,7 +743,8 @@ Installation instructions are described in <<git-ssl-certificates>>. [[svn-svnlite]] === Svnlite -A lightweight version of Subversion is already installed on FreeBSD as `svnlite`. The port or package version of Subversion is only needed if the Python or Perl API is needed, or if a later version of Subversion is desired. +A lightweight version of Subversion is already installed on FreeBSD as `svnlite`. +The port or package version of Subversion is only needed if the Python or Perl API is needed, or if a later version of Subversion is desired. The only difference from normal Subversion use is that the command name is `svnlite`. @@ -766,7 +771,8 @@ Subversion can also be installed as a package: [[svn-usage]] === Running Subversion -To fetch a clean copy of the sources into a local directory, use `svn`. The files in this directory are called a _local working copy_. +To fetch a clean copy of the sources into a local directory, use `svn`. +The files in this directory are called a _local working copy_. [WARNING] ==== @@ -774,7 +780,10 @@ Move or delete an existing destination directory before using `checkout` for the Checkout over an existing non-`svn` directory can cause conflicts between the existing files and those brought in from the repository. ==== -Subversion uses URLs to designate a repository, taking the form of _protocol://hostname/path_. The first component of the path is the FreeBSD repository to access. There are three different repositories, `base` for the FreeBSD base system source code, `ports` for the Ports Collection, and `doc` for documentation. For example, the URL `https://svn.FreeBSD.org/base/head/` specifies the main branch of the src repository, using the `https` protocol. +Subversion uses URLs to designate a repository, taking the form of _protocol://hostname/path_. +The first component of the path is the FreeBSD repository to access. +There are three different repositories, `base` for the FreeBSD base system source code, `ports` for the Ports Collection, and `doc` for documentation. +For example, the URL `https://svn.FreeBSD.org/base/head/` specifies the main branch of the src repository, using the `https` protocol. A checkout from a given repository is performed with a command like this: @@ -789,14 +798,16 @@ where: * _branch_ depends on the repository used. `ports` and `doc` are mostly updated in the `head` branch, while `base` maintains the latest version of -CURRENT under `head` and the respective latest versions of the -STABLE branches under `stable/11` (11._x_) and `stable/12` (12._x_). * _lwcdir_ is the target directory where the contents of the specified branch should be placed. This is usually [.filename]#/usr/ports# for `ports`, [.filename]#/usr/src# for `base`, and [.filename]#/usr/doc# for `doc`. -This example checks out the Source Tree from the FreeBSD repository using the HTTPS protocol, placing the local working copy in [.filename]#/usr/src#. If [.filename]#/usr/src# is already present but was not created by `svn`, remember to rename or delete it before the checkout. +This example checks out the Source Tree from the FreeBSD repository using the HTTPS protocol, placing the local working copy in [.filename]#/usr/src#. +If [.filename]#/usr/src# is already present but was not created by `svn`, remember to rename or delete it before the checkout. [source,shell] .... # svn checkout https://svn.FreeBSD.org/base/head /usr/src .... -Because the initial checkout must download the full branch of the remote repository, it can take a while. Please be patient. +Because the initial checkout must download the full branch of the remote repository, it can take a while. +Please be patient. After the initial checkout, the local working copy can be updated by running: @@ -814,7 +825,9 @@ To update [.filename]#/usr/src# created in the example above, use: The update is much quicker than a checkout, only transferring files that have changed. -An alternate way of updating the local working copy after checkout is provided by the [.filename]#Makefile# in the [.filename]#/usr/ports#, [.filename]#/usr/src#, and [.filename]#/usr/doc# directories. Set `SVN_UPDATE` and use the `update` target. For example, to update [.filename]#/usr/src#: +An alternate way of updating the local working copy after checkout is provided by the [.filename]#Makefile# in the [.filename]#/usr/ports#, [.filename]#/usr/src#, and [.filename]#/usr/doc# directories. +Set `SVN_UPDATE` and use the `update` target. +For example, to update [.filename]#/usr/src#: [source,shell] .... @@ -832,7 +845,8 @@ The FreeBSD Subversion repository is: svn.FreeBSD.org .... -This is a publicly accessible mirror network that uses GeoDNS to select an appropriate back end server. To view the FreeBSD Subversion repositories through a browser, use https://svnweb.FreeBSD.org/[https://svnweb.FreeBSD.org/]. +This is a publicly accessible mirror network that uses GeoDNS to select an appropriate back end server. +To view the FreeBSD Subversion repositories through a browser, use https://svnweb.FreeBSD.org/[https://svnweb.FreeBSD.org/]. HTTPS is the preferred protocol, but the [.filename]#security/ca_root_nss# package will need to be installed in order to automatically validate certificates. @@ -843,7 +857,10 @@ For other information about using Subversion, please see the "Subversion Book", [[mirrors-rsync]] == Using rsync -These sites make FreeBSD available through the rsync protocol. The rsync utility transfers only the differences between two sets of files. This is useful for mirror sites of the FreeBSD FTP server. The rsync suite is available for many operating systems, on FreeBSD, see the package:net/rsync[] port or use the package. +These sites make FreeBSD available through the rsync protocol. +The rsync utility transfers only the differences between two sets of files. +This is useful for mirror sites of the FreeBSD FTP server. +The rsync suite is available for many operating systems, on FreeBSD, see the package:net/rsync[] port or use the package. Czech Republic:: rsync://ftp.cz.FreeBSD.org/ diff --git a/documentation/content/en/books/handbook/multimedia/_index.adoc b/documentation/content/en/books/handbook/multimedia/_index.adoc index edd2f3f665..dcd56eda90 100644 --- a/documentation/content/en/books/handbook/multimedia/_index.adoc +++ b/documentation/content/en/books/handbook/multimedia/_index.adoc @@ -46,11 +46,15 @@ toc::[] [[multimedia-synopsis]] == Synopsis -FreeBSD supports a wide variety of sound cards, allowing users to enjoy high fidelity output from a FreeBSD system. This includes the ability to record and play back audio in the MPEG Audio Layer 3 (`MP3`), Waveform Audio File (`WAV`), Ogg Vorbis, and other formats. The FreeBSD Ports Collection contains many applications for editing recorded audio, adding sound effects, and controlling attached MIDI devices. +FreeBSD supports a wide variety of sound cards, allowing users to enjoy high fidelity output from a FreeBSD system. +This includes the ability to record and play back audio in the MPEG Audio Layer 3 (`MP3`), Waveform Audio File (`WAV`), Ogg Vorbis, and other formats. +The FreeBSD Ports Collection contains many applications for editing recorded audio, adding sound effects, and controlling attached MIDI devices. -FreeBSD also supports the playback of video files and ``DVD``s. The FreeBSD Ports Collection contains applications to encode, convert, and playback various video media. +FreeBSD also supports the playback of video files and ``DVD``s. +The FreeBSD Ports Collection contains applications to encode, convert, and playback various video media. -This chapter describes how to configure sound cards, video playback, TV tuner cards, and scanners on FreeBSD. It also describes some of the applications which are available for using these devices. +This chapter describes how to configure sound cards, video playback, TV tuner cards, and scanners on FreeBSD. +It also describes some of the applications which are available for using these devices. After reading this chapter, you will know how to: @@ -72,36 +76,44 @@ Before reading this chapter, you should: [[sound-setup]] == Setting Up the Sound Card -Before beginning the configuration, determine the model of the sound card and the chip it uses. FreeBSD supports a wide variety of sound cards. Check the supported audio devices list of the link:{u-rel120-hardware}[Hardware Notes] to see if the card is supported and which FreeBSD driver it uses. +Before beginning the configuration, determine the model of the sound card and the chip it uses. +FreeBSD supports a wide variety of sound cards. +Check the supported audio devices list of the link:{u-rel120-hardware}[Hardware Notes] to see if the card is supported and which FreeBSD driver it uses. -In order to use the sound device, its device driver must be loaded. The easiest way is to load a kernel module for the sound card with man:kldload[8]. This example loads the driver for a built-in audio chipset based on the Intel specification: +In order to use the sound device, its device driver must be loaded. +The easiest way is to load a kernel module for the sound card with man:kldload[8]. +This example loads the driver for a built-in audio chipset based on the Intel specification: [source,shell] .... # kldload snd_hda .... -To automate the loading of this driver at boot time, add the driver to [.filename]#/boot/loader.conf#. The line for this driver is: +To automate the loading of this driver at boot time, add the driver to [.filename]#/boot/loader.conf#. +The line for this driver is: [.programlisting] .... snd_hda_load="YES" .... -Other available sound modules are listed in [.filename]#/boot/defaults/loader.conf#. When unsure which driver to use, load the [.filename]#snd_driver# module: +Other available sound modules are listed in [.filename]#/boot/defaults/loader.conf#. +When unsure which driver to use, load the [.filename]#snd_driver# module: [source,shell] .... # kldload snd_driver .... -This is a metadriver which loads all of the most common sound drivers and can be used to speed up the search for the correct driver. It is also possible to load all sound drivers by adding the metadriver to [.filename]#/boot/loader.conf#. +This is a metadriver which loads all of the most common sound drivers and can be used to speed up the search for the correct driver. +It is also possible to load all sound drivers by adding the metadriver to [.filename]#/boot/loader.conf#. To determine which driver was selected for the sound card after loading the [.filename]#snd_driver# metadriver, type `cat /dev/sndstat`. === Configuring a Custom Kernel with Sound Support -This section is for users who prefer to statically compile in support for the sound card in a custom kernel. For more information about recompiling a kernel, refer to crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. +This section is for users who prefer to statically compile in support for the sound card in a custom kernel. +For more information about recompiling a kernel, refer to crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. When using a custom kernel to provide sound support, make sure that the audio framework driver exists in the custom kernel configuration file: @@ -110,7 +122,8 @@ When using a custom kernel to provide sound support, make sure that the audio fr device sound .... -Next, add support for the sound card. To continue the example of the built-in audio chipset based on the Intel specification from the previous section, use the following line in the custom kernel configuration file: +Next, add support for the sound card. +To continue the example of the built-in audio chipset based on the Intel specification from the previous section, use the following line in the custom kernel configuration file: [.programlisting] .... @@ -119,7 +132,10 @@ device snd_hda Be sure to read the manual page of the driver for the device name to use for the driver. -Non-PnP ISA sound cards may require the IRQ and I/O port settings of the card to be added to [.filename]#/boot/device.hints#. During the boot process, man:loader[8] reads this file and passes the settings to the kernel. For example, an old Creative SoundBlaster(R) 16 ISA non-PnP card will use the man:snd_sbc[4] driver in conjunction with `snd_sb16`. For this card, the following lines must be added to the kernel configuration file: +Non-PnP ISA sound cards may require the IRQ and I/O port settings of the card to be added to [.filename]#/boot/device.hints#. +During the boot process, man:loader[8] reads this file and passes the settings to the kernel. +For example, an old Creative SoundBlaster(R) 16 ISA non-PnP card will use the man:snd_sbc[4] driver in conjunction with `snd_sb16`. +For this card, the following lines must be added to the kernel configuration file: [.programlisting] .... @@ -140,12 +156,16 @@ hint.sbc.0.flags="0x15" The syntax used in [.filename]#/boot/device.hints# is described in man:sound[4] and the manual page for the driver of the sound card. -The settings shown above are the defaults. In some cases, the IRQ or other settings may need to be changed to match the card. Refer to man:snd_sbc[4] for more information about this card. +The settings shown above are the defaults. +In some cases, the IRQ or other settings may need to be changed to match the card. +Refer to man:snd_sbc[4] for more information about this card. [[sound-testing]] === Testing Sound -After loading the required module or rebooting into the custom kernel, the sound card should be detected. To confirm, run `dmesg | grep pcm`. This example is from a system with a built-in Conexant CX20590 chipset: +After loading the required module or rebooting into the custom kernel, the sound card should be detected. +To confirm, run `dmesg | grep pcm`. +This example is from a system with a built-in Conexant CX20590 chipset: [source,shell] .... @@ -166,9 +186,12 @@ pcm1: <NVIDIA (0x001c) (HDMI/DP 8ch)> (play) pcm2: <Conexant CX20590 (Analog 2.0+HP/2.0)> (play/rec) default .... -The output will vary depending upon the sound card. If no [.filename]#pcm# devices are listed, double-check that the correct device driver was loaded or compiled into the kernel. The next section lists some common problems and their solutions. +The output will vary depending upon the sound card. +If no [.filename]#pcm# devices are listed, double-check that the correct device driver was loaded or compiled into the kernel. +The next section lists some common problems and their solutions. -If all goes well, the sound card should now work in FreeBSD. If the `CD` or `DVD` drive is properly connected to the sound card, one can insert an audio `CD` in the drive and play it with man:cdcontrol[1]: +If all goes well, the sound card should now work in FreeBSD. +If the `CD` or `DVD` drive is properly connected to the sound card, one can insert an audio `CD` in the drive and play it with man:cdcontrol[1]: [source,shell] .... @@ -177,11 +200,11 @@ If all goes well, the sound card should now work in FreeBSD. If the `CD` or `DVD [WARNING] ==== - Audio ``CD``s have specialized encodings which means that they should not be mounted using man:mount[8]. ==== -Various applications, such as package:audio/workman[], provide a friendlier interface. The package:audio/mpg123[] port can be installed to listen to MP3 audio files. +Various applications, such as package:audio/workman[], provide a friendlier interface. +The package:audio/mpg123[] port can be installed to listen to MP3 audio files. Another quick way to test the card is to send data to [.filename]#/dev/dsp#: @@ -190,17 +213,20 @@ Another quick way to test the card is to send data to [.filename]#/dev/dsp#: % cat filename > /dev/dsp .... -where [.filename]#filename# can be any type of file. This command should produce some noise, confirming that the sound card is working. +where [.filename]#filename# can be any type of file. +This command should produce some noise, confirming that the sound card is working. [NOTE] ==== -The [.filename]#/dev/dsp*# device nodes will be created automatically as needed. When not in use, they do not exist and will not appear in the output of man:ls[1]. +The [.filename]#/dev/dsp*# device nodes will be created automatically as needed. +When not in use, they do not exist and will not appear in the output of man:ls[1]. ==== [[bluetooth-headset]] === Setting up Bluetooth Sound Devices -Connecting to a Bluetooth device is out of scope for this chapter. Refer to crossref:advanced-networking[network-bluetooth,“Bluetooth”] for more information. +Connecting to a Bluetooth device is out of scope for this chapter. +Refer to crossref:advanced-networking[network-bluetooth,“Bluetooth”] for more information. To get Bluetooth sound sink working with FreeBSD's sound system, users have to install package:audio/virtual_oss[] first: @@ -232,7 +258,8 @@ To use headphones as a sound sink with package:audio/virtual_oss[], users need t [NOTE] ==== -_headphones_ in this example is a hostname from [.filename]#/etc/bluetooth/hosts#. `BT_ADDR` could be used instead. +_headphones_ in this example is a hostname from [.filename]#/etc/bluetooth/hosts#. +`BT_ADDR` could be used instead. ==== Refer to man:virtual_oss[8] for more information. @@ -270,7 +297,10 @@ There is not enough available memory to use the device. Type `fstat \| grep` dsp to check if another application is holding the device open. Noteworthy troublemakers are esound and KDE's sound support. |=== -Modern graphics cards often come with their own sound driver for use with `HDMI`. This sound device is sometimes enumerated before the sound card meaning that the sound card will not be used as the default playback device. To check if this is the case, run dmesg and look for `pcm`. The output looks something like this: +Modern graphics cards often come with their own sound driver for use with `HDMI`. +This sound device is sometimes enumerated before the sound card meaning that the sound card will not be used as the default playback device. +To check if this is the case, run dmesg and look for `pcm`. +The output looks something like this: [.programlisting] .... @@ -293,14 +323,17 @@ pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1 ... .... -In this example, the graphics card (`NVidia`) has been enumerated before the sound card (`Realtek ALC889`). To use the sound card as the default playback device, change `hw.snd.default_unit` to the unit that should be used for playback: +In this example, the graphics card (`NVidia`) has been enumerated before the sound card (`Realtek ALC889`). +To use the sound card as the default playback device, change `hw.snd.default_unit` to the unit that should be used for playback: [source,shell] .... # sysctl hw.snd.default_unit=n .... -where `n` is the number of the sound device to use. In this example, it should be `4`. Make this change permanent by adding the following line to [.filename]#/etc/sysctl.conf#: +where `n` is the number of the sound device to use. +In this example, it should be `4`. +Make this change permanent by adding the following line to [.filename]#/etc/sysctl.conf#: [.programlisting] .... @@ -310,7 +343,8 @@ hw.snd.default_unit=4 [[sound-multiple-sources]] === Utilizing Multiple Sound Sources -It is often desirable to have multiple sources of sound that are able to play simultaneously. FreeBSD uses "Virtual Sound Channels" to multiplex the sound card's playback by mixing sound in the kernel. +It is often desirable to have multiple sources of sound that are able to play simultaneously. +FreeBSD uses "Virtual Sound Channels" to multiplex the sound card's playback by mixing sound in the kernel. Three man:sysctl[8] knobs are available for configuring virtual channels: @@ -321,18 +355,24 @@ Three man:sysctl[8] knobs are available for configuring virtual channels: # sysctl hw.snd.maxautovchans=4 .... -This example allocates four virtual channels, which is a practical number for everyday use. Both `dev.pcm.0.play.vchans=4` and `dev.pcm.0.rec.vchans=4` are configurable after a device has been attached and represent the number of virtual channels [.filename]#pcm0# has for playback and recording. Since the [.filename]#pcm# module can be loaded independently of the hardware drivers, `hw.snd.maxautovchans` indicates how many virtual channels will be given to an audio device when it is attached. Refer to man:pcm[4] for more information. +This example allocates four virtual channels, which is a practical number for everyday use. +Both `dev.pcm.0.play.vchans=4` and `dev.pcm.0.rec.vchans=4` are configurable after a device has been attached and represent the number of virtual channels [.filename]#pcm0# has for playback and recording. +Since the [.filename]#pcm# module can be loaded independently of the hardware drivers, `hw.snd.maxautovchans` indicates how many virtual channels will be given to an audio device when it is attached. +Refer to man:pcm[4] for more information. [NOTE] ==== -The number of virtual channels for a device cannot be changed while it is in use. First, close any programs using the device, such as music players or sound daemons. +The number of virtual channels for a device cannot be changed while it is in use. +First, close any programs using the device, such as music players or sound daemons. ==== The correct [.filename]#pcm# device will automatically be allocated transparently to a program that requests [.filename]#/dev/dsp0#. === Setting Default Values for Mixer Channels -The default values for the different mixer channels are hardcoded in the source code of the man:pcm[4] driver. While sound card mixer levels can be changed using man:mixer[8] or third-party applications and daemons, this is not a permanent solution. To instead set default mixer values at the driver level, define the appropriate values in [.filename]#/boot/device.hints#, as seen in this example: +The default values for the different mixer channels are hardcoded in the source code of the man:pcm[4] driver. +While sound card mixer levels can be changed using man:mixer[8] or third-party applications and daemons, this is not a permanent solution. +To instead set default mixer values at the driver level, define the appropriate values in [.filename]#/boot/device.hints#, as seen in this example: [.programlisting] .... @@ -349,9 +389,16 @@ This section describes some `MP3` players available for FreeBSD, how to rip audi [[mp3-players]] === MP3 Players -A popular graphical `MP3` player is Audacious. It supports Winamp skins and additional plugins. The interface is intuitive, with a playlist, graphic equalizer, and more. Those familiar with Winamp will find Audacious simple to use. On FreeBSD, Audacious can be installed from the package:multimedia/audacious[] port or package. Audacious is a descendant of XMMS. +A popular graphical `MP3` player is Audacious. +It supports Winamp skins and additional plugins. +The interface is intuitive, with a playlist, graphic equalizer, and more. +Those familiar with Winamp will find Audacious simple to use. +On FreeBSD, Audacious can be installed from the package:multimedia/audacious[] port or package. +Audacious is a descendant of XMMS. -The package:audio/mpg123[] package or port provides an alternative, command-line `MP3` player. Once installed, specify the `MP3` file to play on the command line. If the system has multiple audio devices, the sound device can also be specified: +The package:audio/mpg123[] package or port provides an alternative, command-line `MP3` player. +Once installed, specify the `MP3` file to play on the command line. +If the system has multiple audio devices, the sound device can also be specified: [source,shell] .... @@ -369,7 +416,8 @@ Additional `MP3` players are available in the FreeBSD Ports Collection. [[rip-cd]] === Ripping `CD` Audio Tracks -Before encoding a `CD` or `CD` track to `MP3`, the audio data on the `CD` must be ripped to the hard drive. This is done by copying the raw `CD` Digital Audio (`CDDA`) data to `WAV` files. +Before encoding a `CD` or `CD` track to `MP3`, the audio data on the `CD` must be ripped to the hard drive. +This is done by copying the raw `CD` Digital Audio (`CDDA`) data to `WAV` files. The `cdda2wav` tool, which is installed with the package:sysutils/cdrtools[] suite, can be used to rip audio information from ``CD``s. @@ -380,7 +428,8 @@ With the audio `CD` in the drive, the following command can be issued as `root` # cdda2wav -D 0,1,0 -B .... -In this example, the `-D _0,1,0_` indicates the `SCSI` device [.filename]#0,1,0# containing the `CD` to rip. Use `cdrecord -scanbus` to determine the correct device parameters for the system. +In this example, the `-D _0,1,0_` indicates the `SCSI` device [.filename]#0,1,0# containing the `CD` to rip. +Use `cdrecord -scanbus` to determine the correct device parameters for the system. To rip individual tracks, use `-t` to specify the track: @@ -396,7 +445,8 @@ To rip a range of tracks, such as track one to seven, specify a range: # cdda2wav -D 0,1,0 -t 1+7 .... -To rip from an `ATAPI` (`IDE`) `CDROM` drive, specify the device name in place of the `SCSI` unit numbers. For example, to rip track 7 from an IDE drive: +To rip from an `ATAPI` (`IDE`) `CDROM` drive, specify the device name in place of the `SCSI` unit numbers. +For example, to rip track 7 from an IDE drive: [source,shell] .... @@ -408,7 +458,8 @@ Alternately, `dd` can be used to extract audio tracks on `ATAPI` drives, as desc [[mp3-encoding]] === Encoding and Decoding MP3s -Lame is a popular `MP3` encoder which can be installed from the package:audio/lame[] port. Due to patent issues, a package is not available. +Lame is a popular `MP3` encoder which can be installed from the package:audio/lame[] port. +Due to patent issues, a package is not available. The following command will convert the ripped `WAV` file [.filename]#audio01.wav# to [.filename]#audio01.mp3#: @@ -418,9 +469,14 @@ The following command will convert the ripped `WAV` file [.filename]#audio01.wav --ty "2014" --tc "Ripped and encoded by Foo" --tg "Genre" audio01.wav audio01.mp3 .... -The specified 128 kbits is a standard `MP3` bitrate while the 160 and 192 bitrates provide higher quality. The higher the bitrate, the larger the size of the resulting `MP3`. The `-h` turns on the "higher quality but a little slower" mode. The options beginning with `--t` indicate `ID3` tags, which usually contain song information, to be embedded within the `MP3` file. Additional encoding options can be found in the lame manual page. +The specified 128 kbits is a standard `MP3` bitrate while the 160 and 192 bitrates provide higher quality. +The higher the bitrate, the larger the size of the resulting `MP3`. +The `-h` turns on the "higher quality but a little slower" mode. +The options beginning with `--t` indicate `ID3` tags, which usually contain song information, to be embedded within the `MP3` file. +Additional encoding options can be found in the lame manual page. -In order to burn an audio `CD` from ``MP3``s, they must first be converted to a non-compressed file format. XMMS can be used to convert to the `WAV` format, while mpg123 can be used to convert to the raw Pulse-Code Modulation (`PCM`) audio data format. +In order to burn an audio `CD` from ``MP3``s, they must first be converted to a non-compressed file format. +XMMS can be used to convert to the `WAV` format, while mpg123 can be used to convert to the raw Pulse-Code Modulation (`PCM`) audio data format. To convert [.filename]#audio01.mp3# using mpg123, specify the name of the `PCM` file: @@ -443,7 +499,10 @@ To use XMMS to convert a `MP3` to `WAV` format, use these steps: . Press `Play`. The XMMS will appear as if it is playing the `MP3`, but no music will be heard. It is actually playing the `MP3` to a file. . When finished, be sure to set the default Output Plugin back to what it was before in order to listen to ``MP3``s again. -Both the `WAV` and `PCM` formats can be used with cdrecord. When using `WAV` files, there will be a small tick sound at the beginning of each track. This sound is the header of the `WAV` file. The package:audio/sox[] port or package can be used to remove the header: +Both the `WAV` and `PCM` formats can be used with cdrecord. +When using `WAV` files, there will be a small tick sound at the beginning of each track. +This sound is the header of the `WAV` file. +The package:audio/sox[] port or package can be used to remove the header: [source,shell] .... @@ -455,16 +514,20 @@ Refer to crossref:disks[creating-cds,“Creating and Using CD Media”] for more [[video-playback]] == Video Playback -Before configuring video playback, determine the model and chipset of the video card. While Xorg supports a wide variety of video cards, not all provide good playback performance. To obtain a list of extensions supported by the Xorg server using the card, run `xdpyinfo` while Xorg is running. +Before configuring video playback, determine the model and chipset of the video card. +While Xorg supports a wide variety of video cards, not all provide good playback performance. +To obtain a list of extensions supported by the Xorg server using the card, run `xdpyinfo` while Xorg is running. -It is a good idea to have a short MPEG test file for evaluating various players and options. Since some `DVD` applications look for `DVD` media in [.filename]#/dev/dvd# by default, or have this device name hardcoded in them, it might be useful to make a symbolic link to the proper device: +It is a good idea to have a short MPEG test file for evaluating various players and options. +Since some `DVD` applications look for `DVD` media in [.filename]#/dev/dvd# by default, or have this device name hardcoded in them, it might be useful to make a symbolic link to the proper device: [source,shell] .... # ln -sf /dev/cd0 /dev/dvd .... -Due to the nature of man:devfs[5], manually created links will not persist after a system reboot. In order to recreate the symbolic link automatically when the system boots, add the following line to [.filename]#/etc/devfs.conf#: +Due to the nature of man:devfs[5], manually created links will not persist after a system reboot. +In order to recreate the symbolic link automatically when the system boots, add the following line to [.filename]#/etc/devfs.conf#: [.programlisting] .... @@ -484,7 +547,8 @@ kern.ipc.shmall=32768 [[video-interface]] === Determining Video Capabilities -There are several possible ways to display video under Xorg and what works is largely hardware dependent. Each method described below will have varying quality across different hardware. +There are several possible ways to display video under Xorg and what works is largely hardware dependent. +Each method described below will have varying quality across different hardware. Common video interfaces include: @@ -589,7 +653,8 @@ screen #0 no adaptors present .... -XVideo is probably not supported for the card. This means that it will be more difficult for the display to meet the computational demands of rendering video, depending on the video card and processor. +XVideo is probably not supported for the card. +This means that it will be more difficult for the display to meet the computational demands of rendering video, depending on the video card and processor. [[video-ports]] === Ports and Packages Dealing with Video @@ -599,17 +664,27 @@ This section introduces some of the software available from the FreeBSD Ports Co [[video-mplayer]] ==== MPlayer and MEncoder -MPlayer is a command-line video player with an optional graphical interface which aims to provide speed and flexibility. Other graphical front-ends to MPlayer are available from the FreeBSD Ports Collection. +MPlayer is a command-line video player with an optional graphical interface which aims to provide speed and flexibility. +Other graphical front-ends to MPlayer are available from the FreeBSD Ports Collection. -MPlayer can be installed using the package:multimedia/mplayer[] package or port. Several compile options are available and a variety of hardware checks occur during the build process. For these reasons, some users prefer to build the port rather than install the package. +MPlayer can be installed using the package:multimedia/mplayer[] package or port. +Several compile options are available and a variety of hardware checks occur during the build process. +For these reasons, some users prefer to build the port rather than install the package. -When compiling the port, the menu options should be reviewed to determine the type of support to compile into the port. If an option is not selected, MPlayer will not be able to display that type of video format. Use the arrow keys and spacebar to select the required formats. When finished, press kbd:[Enter] to continue the port compile and installation. +When compiling the port, the menu options should be reviewed to determine the type of support to compile into the port. +If an option is not selected, MPlayer will not be able to display that type of video format. +Use the arrow keys and spacebar to select the required formats. +When finished, press kbd:[Enter] to continue the port compile and installation. -By default, the package or port will build the `mplayer` command line utility and the `gmplayer` graphical utility. To encode videos, compile the package:multimedia/mencoder[] port. Due to licensing restrictions, a package is not available for MEncoder. +By default, the package or port will build the `mplayer` command line utility and the `gmplayer` graphical utility. +To encode videos, compile the package:multimedia/mencoder[] port. +Due to licensing restrictions, a package is not available for MEncoder. -The first time MPlayer is run, it will create [.filename]#~/.mplayer# in the user's home directory. This subdirectory contains default versions of the user-specific configuration files. +The first time MPlayer is run, it will create [.filename]#~/.mplayer# in the user's home directory. +This subdirectory contains default versions of the user-specific configuration files. -This section describes only a few common uses. Refer to mplayer(1) for a complete description of its numerous options. +This section describes only a few common uses. +Refer to mplayer(1) for a complete description of its numerous options. To play the file [.filename]#testfile.avi#, specify the video interfaces with `-vo`, as seen in the following examples: @@ -640,7 +715,8 @@ To play the file [.filename]#testfile.avi#, specify the video interfaces with `- It is worth trying all of these options, as their relative performance depends on many factors and will vary significantly with hardware. -To play a `DVD`, replace [.filename]#testfile.avi# with `dvd://_N_ -dvd-device _DEVICE_`, where _N_ is the title number to play and _DEVICE_ is the device node for the `DVD`. For example, to play title 3 from [.filename]#/dev/dvd#: +To play a `DVD`, replace [.filename]#testfile.avi# with `dvd://_N_ -dvd-device _DEVICE_`, where _N_ is the title number to play and _DEVICE_ is the device node for the `DVD`. +For example, to play title 3 from [.filename]#/dev/dvd#: [source,shell] .... @@ -649,10 +725,12 @@ To play a `DVD`, replace [.filename]#testfile.avi# with `dvd://_N_ -dvd-device _ [NOTE] ==== -The default `DVD` device can be defined during the build of the MPlayer port by including the `WITH_DVD_DEVICE=/path/to/desired/device` option. By default, the device is [.filename]#/dev/cd0#. More details can be found in the port's [.filename]#Makefile.options#. +The default `DVD` device can be defined during the build of the MPlayer port by including the `WITH_DVD_DEVICE=/path/to/desired/device` option. +By default, the device is [.filename]#/dev/cd0#. More details can be found in the port's [.filename]#Makefile.options#. ==== -To stop, pause, advance, and so on, use a keybinding. To see the list of keybindings, run `mplayer -h` or read mplayer(1). +To stop, pause, advance, and so on, use a keybinding. +To see the list of keybindings, run `mplayer -h` or read mplayer(1). Additional playback options include `-fs -zoom`, which engages fullscreen mode, and `-framedrop`, which helps performance. @@ -665,7 +743,8 @@ fs=yes zoom=yes .... -`mplayer` can be used to rip a `DVD` title to a [.filename]#.vob#. To dump the second title from a `DVD`: +`mplayer` can be used to rip a `DVD` title to a [.filename]#.vob#. +To dump the second title from a `DVD`: [source,shell] .... @@ -674,9 +753,12 @@ zoom=yes The output file, [.filename]#out.vob#, will be in `MPEG` format. -Anyone wishing to obtain a high level of expertise with UNIX(R) video should consult http://www.mplayerhq.hu/DOCS/[mplayerhq.hu/DOCS] as it is technically informative. This documentation should be considered as required reading before submitting any bug reports. +Anyone wishing to obtain a high level of expertise with UNIX(R) video should consult http://www.mplayerhq.hu/DOCS/[mplayerhq.hu/DOCS] as it is technically informative. +This documentation should be considered as required reading before submitting any bug reports. -Before using `mencoder`, it is a good idea to become familiar with the options described at http://www.mplayerhq.hu/DOCS/HTML/en/mencoder.html[mplayerhq.hu/DOCS/HTML/en/mencoder.html]. There are innumerable ways to improve quality, lower bitrate, and change formats, and some of these options may make the difference between good or bad performance. Improper combinations of command line options can yield output files that are unplayable even by `mplayer`. +Before using `mencoder`, it is a good idea to become familiar with the options described at http://www.mplayerhq.hu/DOCS/HTML/en/mencoder.html[mplayerhq.hu/DOCS/HTML/en/mencoder.html]. +There are innumerable ways to improve quality, lower bitrate, and change formats, and some of these options may make the difference between good or bad performance. +Improper combinations of command line options can yield output files that are unplayable even by `mplayer`. Here is an example of a simple copy: @@ -687,7 +769,9 @@ Here is an example of a simple copy: To rip to a file, use `-dumpfile` with `mplayer`. -To convert [.filename]#input.avi# to the MPEG4 codec with MPEG3 audio encoding, first install the package:audio/lame[] port. Due to licensing restrictions, a package is not available. Once installed, type: +To convert [.filename]#input.avi# to the MPEG4 codec with MPEG3 audio encoding, first install the package:audio/lame[] port. +Due to licensing restrictions, a package is not available. +Once installed, type: [source,shell] .... @@ -697,16 +781,20 @@ To convert [.filename]#input.avi# to the MPEG4 codec with MPEG3 audio encoding, This will produce output playable by applications such as `mplayer` and `xine`. -[.filename]#input.avi# can be replaced with `dvd://1 -dvd-device /dev/dvd` and run as `root` to re-encode a `DVD` title directly. Since it may take a few tries to get the desired result, it is recommended to instead dump the title to a file and to work on the file. +[.filename]#input.avi# can be replaced with `dvd://1 -dvd-device /dev/dvd` and run as `root` to re-encode a `DVD` title directly. +Since it may take a few tries to get the desired result, it is recommended to instead dump the title to a file and to work on the file. [[video-xine]] ==== The xine Video Player -xine is a video player with a reusable base library and a modular executable which can be extended with plugins. It can be installed using the package:multimedia/xine[] package or port. +xine is a video player with a reusable base library and a modular executable which can be extended with plugins. +It can be installed using the package:multimedia/xine[] package or port. -In practice, xine requires either a fast CPU with a fast video card, or support for the XVideo extension. The xine video player performs best on XVideo interfaces. +In practice, xine requires either a fast CPU with a fast video card, or support for the XVideo extension. +The xine video player performs best on XVideo interfaces. -By default, the xine player starts a graphical user interface. The menus can then be used to open a specific file. +By default, the xine player starts a graphical user interface. +The menus can then be used to open a specific file. Alternatively, xine may be invoked from the command line by specifying the name of the file to play: @@ -720,9 +808,14 @@ Refer to http://www.xine-project.org/faq[xine-project.org/faq] for more informat [[video-ports-transcode]] ==== The Transcode Utilities -Transcode provides a suite of tools for re-encoding video and audio files. Transcode can be used to merge video files or repair broken files using command line tools with stdin/stdout stream interfaces. +Transcode provides a suite of tools for re-encoding video and audio files. +Transcode can be used to merge video files or repair broken files using command line tools with stdin/stdout stream interfaces. -In FreeBSD, Transcode can be installed using the package:multimedia/transcode[] package or port. Many users prefer to compile the port as it provides a menu of compile options for specifying the support and codecs to compile in. If an option is not selected, Transcode will not be able to encode that format. Use the arrow keys and spacebar to select the required formats. When finished, press kbd:[Enter] to continue the port compile and installation. +In FreeBSD, Transcode can be installed using the package:multimedia/transcode[] package or port. +Many users prefer to compile the port as it provides a menu of compile options for specifying the support and codecs to compile in. +If an option is not selected, Transcode will not be able to encode that format. +Use the arrow keys and spacebar to select the required formats. +When finished, press kbd:[Enter] to continue the port compile and installation. This example demonstrates how to convert a DivX file into a PAL MPEG-1 file (PAL VCD): @@ -732,27 +825,33 @@ This example demonstrates how to convert a DivX file into a PAL MPEG-1 file (PAL % mplex -f 1 -o output_vcd.mpg output_vcd.m1v output_vcd.mpa .... -The resulting `MPEG` file, [.filename]#output_vcd.mpg#, is ready to be played with MPlayer. The file can be burned on a `CD` media to create a video `CD` using a utility such as package:multimedia/vcdimager[] or package:sysutils/cdrdao[]. +The resulting `MPEG` file, [.filename]#output_vcd.mpg#, is ready to be played with MPlayer. +The file can be burned on a `CD` media to create a video `CD` using a utility such as package:multimedia/vcdimager[] or package:sysutils/cdrdao[]. In addition to the manual page for `transcode`, refer to http://www.transcoding.org/cgi-bin/transcode[transcoding.org/cgi-bin/transcode] for further information and examples. [[tvcard]] == TV Cards -TV cards can be used to watch broadcast or cable TV on a computer. Most cards accept composite video via an `RCA` or S-video input and some cards include a `FM` radio tuner. +TV cards can be used to watch broadcast or cable TV on a computer. +Most cards accept composite video via an `RCA` or S-video input and some cards include a `FM` radio tuner. -FreeBSD provides support for PCI-based TV cards using a Brooktree Bt848/849/878/879 video capture chip with the man:bktr[4] driver. This driver supports most Pinnacle PCTV video cards. Before purchasing a TV card, consult man:bktr[4] for a list of supported tuners. +FreeBSD provides support for PCI-based TV cards using a Brooktree Bt848/849/878/879 video capture chip with the man:bktr[4] driver. +This driver supports most Pinnacle PCTV video cards. +Before purchasing a TV card, consult man:bktr[4] for a list of supported tuners. === Loading the Driver -In order to use the card, the man:bktr[4] driver must be loaded. To automate this at boot time, add the following line to [.filename]#/boot/loader.conf#: +In order to use the card, the man:bktr[4] driver must be loaded. +To automate this at boot time, add the following line to [.filename]#/boot/loader.conf#: [.programlisting] .... bktr_load="YES" .... -Alternatively, one can statically compile support for the TV card into a custom kernel. In that case, add the following lines to the custom kernel configuration file: +Alternatively, one can statically compile support for the TV card into a custom kernel. +In that case, add the following lines to the custom kernel configuration file: [.programlisting] .... @@ -762,9 +861,11 @@ device iicbb device smbus .... -These additional devices are necessary as the card components are interconnected via an I2C bus. Then, build and install a new kernel. +These additional devices are necessary as the card components are interconnected via an I2C bus. +Then, build and install a new kernel. -To test that the tuner is correctly detected, reboot the system. The TV card should appear in the boot messages, as seen in this example: +To test that the tuner is correctly detected, reboot the system. +The TV card should appear in the boot messages, as seen in this example: [.programlisting] .... @@ -776,7 +877,9 @@ smbus0: <System Management Bus> on bti2c0 bktr0: Pinnacle/Miro TV, Philips SECAM tuner. .... -The messages will differ according to the hardware. If necessary, it is possible to override some of the detected parameters using man:sysctl[8] or custom kernel configuration options. For example, to force the tuner to a Philips SECAM tuner, add the following line to a custom kernel configuration file: +The messages will differ according to the hardware. +If necessary, it is possible to override some of the detected parameters using man:sysctl[8] or custom kernel configuration options. +For example, to force the tuner to a Philips SECAM tuner, add the following line to a custom kernel configuration file: [.programlisting] .... @@ -804,22 +907,35 @@ More applications are available in the FreeBSD Ports Collection. === Troubleshooting -If any problems are encountered with the TV card, check that the video capture chip and the tuner are supported by man:bktr[4] and that the right configuration options were used. For more support or to ask questions about supported TV cards, refer to the {freebsd-multimedia} mailing list. +If any problems are encountered with the TV card, check that the video capture chip and the tuner are supported by man:bktr[4] and that the right configuration options were used. +For more support or to ask questions about supported TV cards, refer to the {freebsd-multimedia} mailing list. [[mythtv]] == MythTV -MythTV is a popular, open source Personal Video Recorder (`PVR`) application. This section demonstrates how to install and setup MythTV on FreeBSD. Refer to http://www.mythtv.org/wiki/[mythtv.org/wiki] for more information on how to use MythTV. +MythTV is a popular, open source Personal Video Recorder (`PVR`) application. +This section demonstrates how to install and setup MythTV on FreeBSD. +Refer to http://www.mythtv.org/wiki/[mythtv.org/wiki] for more information on how to use MythTV. -MythTV requires a frontend and a backend. These components can either be installed on the same system or on different machines. +MythTV requires a frontend and a backend. +These components can either be installed on the same system or on different machines. -The frontend can be installed on FreeBSD using the package:multimedia/mythtv-frontend[] package or port. Xorg must also be installed and configured as described in crossref:x11[x11,The X Window System]. Ideally, this system has a video card that supports X-Video Motion Compensation (`XvMC`) and, optionally, a Linux Infrared Remote Control (`LIRC`)-compatible remote. +The frontend can be installed on FreeBSD using the package:multimedia/mythtv-frontend[] package or port. +Xorg must also be installed and configured as described in crossref:x11[x11,The X Window System]. +Ideally, this system has a video card that supports X-Video Motion Compensation (`XvMC`) and, optionally, a Linux Infrared Remote Control (`LIRC`)-compatible remote. -To install both the backend and the frontend on FreeBSD, use the package:multimedia/mythtv[] package or port. A MySQL(TM) database server is also required and should automatically be installed as a dependency. Optionally, this system should have a tuner card and sufficient storage to hold recorded data. +To install both the backend and the frontend on FreeBSD, use the package:multimedia/mythtv[] package or port. +A MySQL(TM) database server is also required and should automatically be installed as a dependency. +Optionally, this system should have a tuner card and sufficient storage to hold recorded data. === Hardware -MythTV uses Video for Linux (`V4L`) to access video input devices such as encoders and tuners. In FreeBSD, MythTV works best with `USB` DVB-S/C/T cards as they are well supported by the package:multimedia/webcamd[] package or port which provides a `V4L` userland application. Any Digital Video Broadcasting (`DVB`) card supported by webcamd should work with MythTV. A list of known working cards can be found at https://wiki.freebsd.org/WebcamCompat[wiki.freebsd.org/WebcamCompat]. Drivers are also available for Hauppauge cards in the package:multimedia/pvr250[] and package:multimedia/pvrxxx[] ports, but they provide a non-standard driver interface that does not work with versions of MythTV greater than 0.23. Due to licensing restrictions, no packages are available and these two ports must be compiled. +MythTV uses Video for Linux (`V4L`) to access video input devices such as encoders and tuners. +In FreeBSD, MythTV works best with `USB` DVB-S/C/T cards as they are well supported by the package:multimedia/webcamd[] package or port which provides a `V4L` userland application. +Any Digital Video Broadcasting (`DVB`) card supported by webcamd should work with MythTV. +A list of known working cards can be found at https://wiki.freebsd.org/WebcamCompat[wiki.freebsd.org/WebcamCompat]. +Drivers are also available for Hauppauge cards in the package:multimedia/pvr250[] and package:multimedia/pvrxxx[] ports, but they provide a non-standard driver interface that does not work with versions of MythTV greater than 0.23. +Due to licensing restrictions, no packages are available and these two ports must be compiled. The https://wiki.freebsd.org/HTPC[wiki.freebsd.org/HTPC] page contains a list of all available `DVB` drivers. @@ -865,16 +981,22 @@ Finally, start the backend: [[scanners]] == Image Scanners -In FreeBSD, access to image scanners is provided by SANE (Scanner Access Now Easy), which is available in the FreeBSD Ports Collection. SANE will also use some FreeBSD device drivers to provide access to the scanner hardware. +In FreeBSD, access to image scanners is provided by SANE (Scanner Access Now Easy), which is available in the FreeBSD Ports Collection. +SANE will also use some FreeBSD device drivers to provide access to the scanner hardware. -FreeBSD supports both `SCSI` and `USB` scanners. Depending upon the scanner interface, different device drivers are required. Be sure the scanner is supported by SANE prior to performing any configuration. Refer to http://www.sane-project.org/sane-supported-devices.html[http://www.sane-project.org/sane-supported-devices.html] for more information about supported scanners. +FreeBSD supports both `SCSI` and `USB` scanners. +Depending upon the scanner interface, different device drivers are required. +Be sure the scanner is supported by SANE prior to performing any configuration. +Refer to http://www.sane-project.org/sane-supported-devices.html[http://www.sane-project.org/sane-supported-devices.html] for more information about supported scanners. -This chapter describes how to determine if the scanner has been detected by FreeBSD. It then provides an overview of how to configure and use SANE on a FreeBSD system. +This chapter describes how to determine if the scanner has been detected by FreeBSD. +It then provides an overview of how to configure and use SANE on a FreeBSD system. [[scanners-kernel-usb]] === Checking the Scanner -The [.filename]#GENERIC# kernel includes the device drivers needed to support `USB` scanners. Users with a custom kernel should ensure that the following lines are present in the custom kernel configuration file: +The [.filename]#GENERIC# kernel includes the device drivers needed to support `USB` scanners. +Users with a custom kernel should ensure that the following lines are present in the custom kernel configuration file: [.programlisting] .... @@ -885,7 +1007,8 @@ device ehci device xhci .... -To determine if the `USB` scanner is detected, plug it in and use `dmesg` to determine whether the scanner appears in the system message buffer. If it does, it should display a message similar to this: +To determine if the `USB` scanner is detected, plug it in and use `dmesg` to determine whether the scanner appears in the system message buffer. +If it does, it should display a message similar to this: [source,shell] .... @@ -894,7 +1017,11 @@ ugen0.2: <EPSON> at usbus0 In this example, an EPSON Perfection(R) 1650 `USB` scanner was detected on [.filename]#/dev/ugen0.2#. -If the scanner uses a `SCSI` interface, it is important to know which `SCSI` controller board it will use. Depending upon the `SCSI` chipset, a custom kernel configuration file may be needed. The [.filename]#GENERIC# kernel supports the most common `SCSI` controllers. Refer to [.filename]#/usr/src/sys/conf/NOTES# to determine the correct line to add to a custom kernel configuration file. In addition to the `SCSI` adapter driver, the following lines are needed in a custom kernel configuration file: +If the scanner uses a `SCSI` interface, it is important to know which `SCSI` controller board it will use. +Depending upon the `SCSI` chipset, a custom kernel configuration file may be needed. +The [.filename]#GENERIC# kernel supports the most common `SCSI` controllers. +Refer to [.filename]#/usr/src/sys/conf/NOTES# to determine the correct line to add to a custom kernel configuration file. +In addition to the `SCSI` adapter driver, the following lines are needed in a custom kernel configuration file: [.programlisting] .... @@ -937,7 +1064,10 @@ Refer to man:scsi[4] and man:camcontrol[8] for more details about `SCSI` devices === SANE Configuration -The SANE system provides the access to the scanner via backends (package:graphics/sane-backends[]). Refer to http://www.sane-project.org/sane-supported-devices.html[http://www.sane-project.org/sane-supported-devices.html] to determine which backend supports the scanner. A graphical scanning interface is provided by third party applications like Kooka (package:graphics/kooka[]) or XSane (package:graphics/xsane[]). SANE's backends are enough to test the scanner. +The SANE system provides the access to the scanner via backends (package:graphics/sane-backends[]). +Refer to http://www.sane-project.org/sane-supported-devices.html[http://www.sane-project.org/sane-supported-devices.html] to determine which backend supports the scanner. +A graphical scanning interface is provided by third party applications like Kooka (package:graphics/kooka[]) or XSane (package:graphics/xsane[]). +SANE's backends are enough to test the scanner. To install the backends from binary package: @@ -962,14 +1092,19 @@ After installing the package:graphics/sane-backends[] port or package, use `sane found SCSI scanner "AGFA SNAPSCAN 600 1.10" at /dev/pass3 .... -The output should show the interface type of the scanner and the device node used to attach the scanner to the system. The vendor and the product model may or may not appear. +The output should show the interface type of the scanner and the device node used to attach the scanner to the system. +The vendor and the product model may or may not appear. [NOTE] ==== -Some `USB` scanners require firmware to be loaded. Refer to sane-find-scanner(1) and sane(7) for details. +Some `USB` scanners require firmware to be loaded. +Refer to sane-find-scanner(1) and sane(7) for details. ==== -Next, check if the scanner will be identified by a scanning frontend. The SANE backends include `scanimage` which can be used to list the devices and perform an image acquisition. Use `-L` to list the scanner devices. The first example is for a `SCSI` scanner and the second is for a `USB` scanner: +Next, check if the scanner will be identified by a scanning frontend. +The SANE backends include `scanimage` which can be used to list the devices and perform an image acquisition. +Use `-L` to list the scanner devices. +The first example is for a `SCSI` scanner and the second is for a `USB` scanner: [source,shell] .... @@ -993,7 +1128,10 @@ sane-find-scanner tool (if appropriate). Please read the documentation which came with this software (README, FAQ, manpages). .... -If this happens, edit the backend configuration file in [.filename]#/usr/local/etc/sane.d/# and define the scanner device used. For example, if the undetected scanner model is an EPSON Perfection(R) 1650 and it uses the `epson2` backend, edit [.filename]#/usr/local/etc/sane.d/epson2.conf#. When editing, add a line specifying the interface and the device node used. In this case, add the following line: +If this happens, edit the backend configuration file in [.filename]#/usr/local/etc/sane.d/# and define the scanner device used. +For example, if the undetected scanner model is an EPSON Perfection(R) 1650 and it uses the `epson2` backend, edit [.filename]#/usr/local/etc/sane.d/epson2.conf#. +When editing, add a line specifying the interface and the device node used. +In this case, add the following line: [.programlisting] .... @@ -1010,11 +1148,18 @@ device 'epson2:libusb:000:002' is a Epson GT-8200 flatbed scanner Once `scanimage -L` sees the scanner, the configuration is complete and the scanner is now ready to use. -While `scanimage` can be used to perform an image acquisition from the command line, it is often preferable to use a graphical interface to perform image scanning. Applications like Kooka or XSane are popular scanning frontends. They offer advanced features such as various scanning modes, color correction, and batch scans. XSane is also usable as a GIMP plugin. +While `scanimage` can be used to perform an image acquisition from the command line, it is often preferable to use a graphical interface to perform image scanning. +Applications like Kooka or XSane are popular scanning frontends. +They offer advanced features such as various scanning modes, color correction, and batch scans. +XSane is also usable as a GIMP plugin. === Scanner Permissions -In order to have access to the scanner, a user needs read and write permissions to the device node used by the scanner. In the previous example, the `USB` scanner uses the device node [.filename]#/dev/ugen0.2# which is really a symlink to the real device node [.filename]#/dev/usb/0.2.0#. The symlink and the device node are owned, respectively, by the `wheel` and `operator` groups. While adding the user to these groups will allow access to the scanner, it is considered insecure to add a user to `wheel`. A better solution is to create a group and make the scanner device accessible to members of this group. +In order to have access to the scanner, a user needs read and write permissions to the device node used by the scanner. +In the previous example, the `USB` scanner uses the device node [.filename]#/dev/ugen0.2# which is really a symlink to the real device node [.filename]#/dev/usb/0.2.0#. +The symlink and the device node are owned, respectively, by the `wheel` and `operator` groups. +While adding the user to these groups will allow access to the scanner, it is considered insecure to add a user to `wheel`. +A better solution is to create a group and make the scanner device accessible to members of this group. This example creates a group called `_usb_`: diff --git a/documentation/content/en/books/handbook/network-servers/_index.adoc b/documentation/content/en/books/handbook/network-servers/_index.adoc index f1dde63018..1bce38f5c8 100644 --- a/documentation/content/en/books/handbook/network-servers/_index.adoc +++ b/documentation/content/en/books/handbook/network-servers/_index.adoc @@ -46,7 +46,9 @@ toc::[] [[network-servers-synopsis]] == Synopsis -This chapter covers some of the more frequently used network services on UNIX(R) systems. This includes installing, configuring, testing, and maintaining many different types of network services. Example configuration files are included throughout this chapter for reference. +This chapter covers some of the more frequently used network services on UNIX(R) systems. +This includes installing, configuring, testing, and maintaining many different types of network services. +Example configuration files are included throughout this chapter for reference. By the end of this chapter, readers will know: @@ -71,7 +73,10 @@ This chapter assumes a basic knowledge of: [[network-inetd]] == The inetd Super-Server -The man:inetd[8] daemon is sometimes referred to as a Super-Server because it manages connections for many services. Instead of starting multiple applications, only the inetd service needs to be started. When a connection is received for a service that is managed by inetd, it determines which program the connection is destined for, spawns a process for that program, and delegates the program a socket. Using inetd for services that are not heavily used can reduce system load, when compared to running each daemon individually in stand-alone mode. +The man:inetd[8] daemon is sometimes referred to as a Super-Server because it manages connections for many services. +Instead of starting multiple applications, only the inetd service needs to be started. +When a connection is received for a service that is managed by inetd, it determines which program the connection is destined for, spawns a process for that program, and delegates the program a socket. +Using inetd for services that are not heavily used can reduce system load, when compared to running each daemon individually in stand-alone mode. Primarily, inetd is used to spawn other daemons, but several trivial protocols are handled internally, such as chargen, auth, time, echo, discard, and daytime. @@ -80,7 +85,10 @@ This section covers the basics of configuring inetd. [[network-inetd-conf]] === Configuration File -Configuration of inetd is done by editing [.filename]#/etc/inetd.conf#. Each line of this configuration file represents an application which can be started by inetd. By default, every line starts with a comment (`#`), meaning that inetd is not listening for any applications. To configure inetd to listen for an application's connections, remove the `#` at the beginning of the line for that application. +Configuration of inetd is done by editing [.filename]#/etc/inetd.conf#. +Each line of this configuration file represents an application which can be started by inetd. +By default, every line starts with a comment (`#`), meaning that inetd is not listening for any applications. +To configure inetd to listen for an application's connections, remove the `#` at the beginning of the line for that application. After saving your edits, configure inetd to start at system boot by editing [.filename]#/etc/rc.conf#: @@ -110,7 +118,8 @@ Once inetd is started, it needs to be notified whenever a modification is made t ==== -Typically, the default entry for an application does not need to be edited beyond removing the `#`. In some situations, it may be appropriate to edit the default entry. +Typically, the default entry for an application does not need to be edited beyond removing the `#`. +In some situations, it may be appropriate to edit the default entry. As an example, this is the default entry for man:ftpd[8] over IPv4: @@ -135,10 +144,14 @@ server-program-arguments where: service-name:: -The service name of the daemon to start. It must correspond to a service listed in [.filename]#/etc/services#. This determines which port inetd listens on for incoming connections to that service. When using a custom service, it must first be added to [.filename]#/etc/services#. +The service name of the daemon to start. +It must correspond to a service listed in [.filename]#/etc/services#. +This determines which port inetd listens on for incoming connections to that service. +When using a custom service, it must first be added to [.filename]#/etc/services#. socket-type:: -Either `stream`, `dgram`, `raw`, or `seqpacket`. Use `stream` for TCP connections and `dgram` for UDP services. +Either `stream`, `dgram`, `raw`, or `seqpacket`. +Use `stream` for TCP connections and `dgram` for UDP services. protocol:: Use one of the following protocol names: @@ -168,14 +181,24 @@ Use one of the following protocol names: |udp46 |Both UDP IPv4 and IPv6 |=== + {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]:: -In this field, `wait` or `nowait` must be specified. `max-child`, `max-connections-per-ip-per-minute` and `max-child-per-ip` are optional. +In this field, `wait` or `nowait` must be specified. +`max-child`, `max-connections-per-ip-per-minute` and `max-child-per-ip` are optional. + -`wait|nowait` indicates whether or not the service is able to handle its own socket. `dgram` socket types must use `wait` while `stream` daemons, which are usually multi-threaded, should use `nowait`. `wait` usually hands off multiple sockets to a single daemon, while `nowait` spawns a child daemon for each new socket. +`wait|nowait` indicates whether or not the service is able to handle its own socket. +`dgram` socket types must use `wait` while `stream` daemons, which are usually multi-threaded, should use `nowait`. +`wait` usually hands off multiple sockets to a single daemon, while `nowait` spawns a child daemon for each new socket. + -The maximum number of child daemons inetd may spawn is set by `max-child`. For example, to limit ten instances of the daemon, place a `/10` after `nowait`. Specifying `/0` allows an unlimited number of children. +The maximum number of child daemons inetd may spawn is set by `max-child`. +For example, to limit ten instances of the daemon, place a `/10` after `nowait`. +Specifying `/0` allows an unlimited number of children. + -`max-connections-per-ip-per-minute` limits the number of connections from any particular IP address per minute. Once the limit is reached, further connections from this IP address will be dropped until the end of the minute. For example, a value of `/10` would limit any particular IP address to ten connection attempts per minute. `max-child-per-ip` limits the number of child processes that can be started on behalf on any single IP address at any moment. These options can limit excessive resource consumption and help to prevent Denial of Service attacks. +`max-connections-per-ip-per-minute` limits the number of connections from any particular IP address per minute. +Once the limit is reached, further connections from this IP address will be dropped until the end of the minute. +For example, a value of `/10` would limit any particular IP address to ten connection attempts per minute. +`max-child-per-ip` limits the number of child processes that can be started on behalf on any single IP address at any moment. +These options can limit excessive resource consumption and help to prevent Denial of Service attacks. + An example can be seen in the default settings for man:fingerd[8]: + @@ -185,50 +208,66 @@ finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s .... user:: -The username the daemon will run as. Daemons typically run as `root`, `daemon`, or `nobody`. +The username the daemon will run as. +Daemons typically run as `root`, `daemon`, or `nobody`. server-program:: -The full path to the daemon. If the daemon is a service provided by inetd internally, use `internal`. +The full path to the daemon. +If the daemon is a service provided by inetd internally, use `internal`. server-program-arguments:: -Used to specify any command arguments to be passed to the daemon on invocation. If the daemon is an internal service, use `internal`. +Used to specify any command arguments to be passed to the daemon on invocation. +If the daemon is an internal service, use `internal`. [[network-inetd-cmdline]] === Command-Line Options -Like most server daemons, inetd has a number of options that can be used to modify its behavior. By default, inetd is started with `-wW -C 60`. These options enable TCP wrappers for all services, including internal services, and prevent any IP address from requesting any service more than 60 times per minute. +Like most server daemons, inetd has a number of options that can be used to modify its behavior. +By default, inetd is started with `-wW -C 60`. +These options enable TCP wrappers for all services, including internal services, and prevent any IP address from requesting any service more than 60 times per minute. -To change the default options which are passed to inetd, add an entry for `inetd_flags` in [.filename]#/etc/rc.conf#. If inetd is already running, restart it with `service inetd restart`. +To change the default options which are passed to inetd, add an entry for `inetd_flags` in [.filename]#/etc/rc.conf#. +If inetd is already running, restart it with `service inetd restart`. The available rate limiting options are: -c maximum:: -Specify the default maximum number of simultaneous invocations of each service, where the default is unlimited. May be overridden on a per-service basis by using `max-child` in [.filename]#/etc/inetd.conf#. +Specify the default maximum number of simultaneous invocations of each service, where the default is unlimited. +May be overridden on a per-service basis by using `max-child` in [.filename]#/etc/inetd.conf#. -C rate:: -Specify the default maximum number of times a service can be invoked from a single IP address per minute. May be overridden on a per-service basis by using `max-connections-per-ip-per-minute` in [.filename]#/etc/inetd.conf#. +Specify the default maximum number of times a service can be invoked from a single IP address per minute. +May be overridden on a per-service basis by using `max-connections-per-ip-per-minute` in [.filename]#/etc/inetd.conf#. -R rate:: -Specify the maximum number of times a service can be invoked in one minute, where the default is `256`. A rate of `0` allows an unlimited number. +Specify the maximum number of times a service can be invoked in one minute, where the default is `256`. +A rate of `0` allows an unlimited number. -s maximum:: -Specify the maximum number of times a service can be invoked from a single IP address at any one time, where the default is unlimited. May be overridden on a per-service basis by using `max-child-per-ip` in [.filename]#/etc/inetd.conf#. +Specify the maximum number of times a service can be invoked from a single IP address at any one time, where the default is unlimited. +May be overridden on a per-service basis by using `max-child-per-ip` in [.filename]#/etc/inetd.conf#. Additional options are available. Refer to man:inetd[8] for the full list of options. [[network-inetd-security]] === Security Considerations -Many of the daemons which can be managed by inetd are not security-conscious. Some daemons, such as fingerd, can provide information that may be useful to an attacker. Only enable the services which are needed and monitor the system for excessive connection attempts. `max-connections-per-ip-per-minute`, `max-child` and `max-child-per-ip` can be used to limit such attacks. +Many of the daemons which can be managed by inetd are not security-conscious. +Some daemons, such as fingerd, can provide information that may be useful to an attacker. +Only enable the services which are needed and monitor the system for excessive connection attempts. +`max-connections-per-ip-per-minute`, `max-child` and `max-child-per-ip` can be used to limit such attacks. -By default, TCP wrappers is enabled. Consult man:hosts_access[5] for more information on placing TCP restrictions on various inetd invoked daemons. +By default, TCP wrappers is enabled. +Consult man:hosts_access[5] for more information on placing TCP restrictions on various inetd invoked daemons. [[network-nfs]] == Network File System (NFS) -FreeBSD supports the Network File System (NFS), which allows a server to share directories and files with clients over a network. With NFS, users and programs can access files on remote systems as if they were stored locally. +FreeBSD supports the Network File System (NFS), which allows a server to share directories and files with clients over a network. +With NFS, users and programs can access files on remote systems as if they were stored locally. -NFS has many practical uses. Some of the more common uses include: +NFS has many practical uses. +Some of the more common uses include: * Data that would otherwise be duplicated on each client can be kept in a single location and accessed by clients on the network. * Several clients may need access to the [.filename]#/usr/ports/distfiles# directory. Sharing that directory allows for quick access to the source files without having to download them to each client. @@ -236,7 +275,9 @@ NFS has many practical uses. Some of the more common uses include: * Administration of NFS exports is simplified. For example, there is only one file system where security or backup policies must be set. * Removable media storage devices can be used by other machines on the network. This reduces the number of devices throughout the network and provides a centralized location to manage their security. It is often more convenient to install software on multiple machines from a centralized installation media. -NFS consists of a server and one or more clients. The client remotely accesses the data that is stored on the server machine. In order for this to function properly, a few processes have to be configured and running. +NFS consists of a server and one or more clients. +The client remotely accesses the data that is stored on the server machine. +In order for this to function properly, a few processes have to be configured and running. These daemons must be running on the server: @@ -262,9 +303,15 @@ Running man:nfsiod[8] on the client can improve performance, but is not required [[network-configuring-nfs]] === Configuring the Server -The file systems which the NFS server will share are specified in [.filename]#/etc/exports#. Each line in this file specifies a file system to be exported, which clients have access to that file system, and any access options. When adding entries to this file, each exported file system, its properties, and allowed hosts must occur on a single line. If no clients are listed in the entry, then any client on the network can mount that file system. +The file systems which the NFS server will share are specified in [.filename]#/etc/exports#. +Each line in this file specifies a file system to be exported, which clients have access to that file system, and any access options. +When adding entries to this file, each exported file system, its properties, and allowed hosts must occur on a single line. +If no clients are listed in the entry, then any client on the network can mount that file system. -The following [.filename]#/etc/exports# entries demonstrate how to export file systems. The examples can be modified to match the file systems and client names on the reader's network. There are many options that can be used in this file, but only a few will be mentioned here. See man:exports[5] for the full list of options. +The following [.filename]#/etc/exports# entries demonstrate how to export file systems. +The examples can be modified to match the file systems and client names on the reader's network. +There are many options that can be used in this file, but only a few will be mentioned here. +See man:exports[5] for the full list of options. This example shows how to export [.filename]#/cdrom# to three hosts named _alpha_, _bravo_, and _charlie_: @@ -273,23 +320,31 @@ This example shows how to export [.filename]#/cdrom# to three hosts named _alpha /cdrom -ro alpha bravo charlie .... -The `-ro` flag makes the file system read-only, preventing clients from making any changes to the exported file system. This example assumes that the host names are either in DNS or in [.filename]#/etc/hosts#. Refer to man:hosts[5] if the network does not have a DNS server. +The `-ro` flag makes the file system read-only, preventing clients from making any changes to the exported file system. +This example assumes that the host names are either in DNS or in [.filename]#/etc/hosts#. +Refer to man:hosts[5] if the network does not have a DNS server. -The next example exports [.filename]#/home# to three clients by IP address. This can be useful for networks without DNS or [.filename]#/etc/hosts# entries. The `-alldirs` flag allows subdirectories to be mount points. In other words, it will not automatically mount the subdirectories, but will permit the client to mount the directories that are required as needed. +The next example exports [.filename]#/home# to three clients by IP address. +This can be useful for networks without DNS or [.filename]#/etc/hosts# entries. +The `-alldirs` flag allows subdirectories to be mount points. +In other words, it will not automatically mount the subdirectories, but will permit the client to mount the directories that are required as needed. [.programlisting] .... /usr/home -alldirs 10.0.0.2 10.0.0.3 10.0.0.4 .... -This next example exports [.filename]#/a# so that two clients from different domains may access that file system. The `-maproot=root` allows `root` on the remote system to write data on the exported file system as `root`. If `-maproot=root` is not specified, the client's `root` user will be mapped to the server's `nobody` account and will be subject to the access limitations defined for `nobody`. +This next example exports [.filename]#/a# so that two clients from different domains may access that file system. +The `-maproot=root` allows `root` on the remote system to write data on the exported file system as `root`. +If `-maproot=root` is not specified, the client's `root` user will be mapped to the server's `nobody` account and will be subject to the access limitations defined for `nobody`. [.programlisting] .... /a -maproot=root host.example.com box.example.org .... -A client can only be specified once per file system. For example, if [.filename]#/usr# is a single file system, these entries would be invalid as both entries specify the same host: +A client can only be specified once per file system. +For example, if [.filename]#/usr# is a single file system, these entries would be invalid as both entries specify the same host: [.programlisting] .... @@ -335,7 +390,9 @@ The server can be started now by running this command: # service nfsd start .... -Whenever the NFS server is started, mountd also starts automatically. However, mountd only reads [.filename]#/etc/exports# when it is started. To make subsequent [.filename]#/etc/exports# edits take effect immediately, force mountd to reread it: +Whenever the NFS server is started, mountd also starts automatically. +However, mountd only reads [.filename]#/etc/exports# when it is started. +To make subsequent [.filename]#/etc/exports# edits take effect immediately, force mountd to reread it: [source,shell] .... @@ -359,7 +416,9 @@ Then, run this command on each NFS client: # service nfsclient start .... -The client now has everything it needs to mount a remote file system. In these examples, the server's name is `server` and the client's name is `client`. To mount [.filename]#/home# on `server` to the [.filename]#/mnt# mount point on `client`: +The client now has everything it needs to mount a remote file system. +In these examples, the server's name is `server` and the client's name is `client`. +To mount [.filename]#/home# on `server` to the [.filename]#/mnt# mount point on `client`: [source,shell] .... @@ -379,7 +438,8 @@ Refer to man:fstab[5] for a description of all available options. === Locking -Some applications require file locking to operate correctly. To enable locking, add these lines to [.filename]#/etc/rc.conf# on both the client and server: +Some applications require file locking to operate correctly. +To enable locking, add these lines to [.filename]#/etc/rc.conf# on both the client and server: [.programlisting] .... @@ -395,25 +455,34 @@ Then start the applications: # service statd start .... -If locking is not required on the server, the NFS client can be configured to lock locally by including `-L` when running mount. Refer to man:mount_nfs[8] for further details. +If locking is not required on the server, the NFS client can be configured to lock locally by including `-L` when running mount. +Refer to man:mount_nfs[8] for further details. [[network-autofs]] === Automating Mounts with man:autofs[5] [NOTE] ==== -The man:autofs[5] automount facility is supported starting with FreeBSD 10.1-RELEASE. To use the automounter functionality in older versions of FreeBSD, use man:amd[8] instead. This chapter only describes the man:autofs[5] automounter. +The man:autofs[5] automount facility is supported starting with FreeBSD 10.1-RELEASE. +To use the automounter functionality in older versions of FreeBSD, use man:amd[8] instead. +This chapter only describes the man:autofs[5] automounter. ==== -The man:autofs[5] facility is a common name for several components that, together, allow for automatic mounting of remote and local filesystems whenever a file or directory within that file system is accessed. It consists of the kernel component, man:autofs[5], and several userspace applications: man:automount[8], man:automountd[8] and man:autounmountd[8]. It serves as an alternative for man:amd[8] from previous FreeBSD releases. Amd is still provided for backward compatibility purposes, as the two use different map format; the one used by autofs is the same as with other SVR4 automounters, such as the ones in Solaris, MacOS X, and Linux. +The man:autofs[5] facility is a common name for several components that, together, allow for automatic mounting of remote and local filesystems whenever a file or directory within that file system is accessed. +It consists of the kernel component, man:autofs[5], and several userspace applications: man:automount[8], man:automountd[8] and man:autounmountd[8]. +It serves as an alternative for man:amd[8] from previous FreeBSD releases. +Amd is still provided for backward compatibility purposes, as the two use different map format; the one used by autofs is the same as with other SVR4 automounters, such as the ones in Solaris, MacOS X, and Linux. The man:autofs[5] virtual filesystem is mounted on specified mountpoints by man:automount[8], usually invoked during boot. Whenever a process attempts to access file within the man:autofs[5] mountpoint, the kernel will notify man:automountd[8] daemon and pause the triggering process. The man:automountd[8] daemon will handle kernel requests by finding the proper map and mounting the filesystem according to it, then signal the kernel to release blocked process. The man:autounmountd[8] daemon automatically unmounts automounted filesystems after some time, unless they are still being used. -The primary autofs configuration file is [.filename]#/etc/auto_master#. It assigns individual maps to top-level mounts. For an explanation of [.filename]#auto_master# and the map syntax, refer to man:auto_master[5]. +The primary autofs configuration file is [.filename]#/etc/auto_master#. It assigns individual maps to top-level mounts. +For an explanation of [.filename]#auto_master# and the map syntax, refer to man:auto_master[5]. -There is a special automounter map mounted on [.filename]#/net#. When a file is accessed within this directory, man:autofs[5] looks up the corresponding remote mount and automatically mounts it. For instance, an attempt to access a file within [.filename]#/net/foobar/usr# would tell man:automountd[8] to mount the [.filename]#/usr# export from the host `foobar`. +There is a special automounter map mounted on [.filename]#/net#. +When a file is accessed within this directory, man:autofs[5] looks up the corresponding remote mount and automatically mounts it. +For instance, an attempt to access a file within [.filename]#/net/foobar/usr# would tell man:automountd[8] to mount the [.filename]#/usr# export from the host `foobar`. .Mounting an Export with man:autofs[5] [example] @@ -431,7 +500,9 @@ Exports list on foobar: ==== -The output from `showmount` shows [.filename]#/usr# as an export. When changing directories to [.filename]#/host/foobar/usr#, man:automountd[8] intercepts the request and attempts to resolve the hostname `foobar`. If successful, man:automountd[8] automatically mounts the source export. +The output from `showmount` shows [.filename]#/usr# as an export. +When changing directories to [.filename]#/host/foobar/usr#, man:automountd[8] intercepts the request and attempts to resolve the hostname `foobar`. +If successful, man:automountd[8] automatically mounts the source export. To enable man:autofs[5] at boot time, add this line to [.filename]#/etc/rc.conf#: @@ -449,16 +520,20 @@ Then man:autofs[5] can be started by running: # service autounmountd start .... -The man:autofs[5] map format is the same as in other operating systems. Information about this format from other sources can be useful, like the http://web.archive.org/web/20160813071113/http://images.apple.com/business/docs/Autofs.pdf[Mac OS X document]. +The man:autofs[5] map format is the same as in other operating systems. +Information about this format from other sources can be useful, like the http://web.archive.org/web/20160813071113/http://images.apple.com/business/docs/Autofs.pdf[Mac OS X document]. Consult the man:automount[8], man:automountd[8], man:autounmountd[8], and man:auto_master[5] manual pages for more information. [[network-nis]] == Network Information System (NIS) -Network Information System (NIS) is designed to centralize administration of UNIX(R)-like systems such as Solaris(TM), HP-UX, AIX(R), Linux, NetBSD, OpenBSD, and FreeBSD. NIS was originally known as Yellow Pages but the name was changed due to trademark issues. This is the reason why NIS commands begin with `yp`. +Network Information System (NIS) is designed to centralize administration of UNIX(R)-like systems such as Solaris(TM), HP-UX, AIX(R), Linux, NetBSD, OpenBSD, and FreeBSD. +NIS was originally known as Yellow Pages but the name was changed due to trademark issues. +This is the reason why NIS commands begin with `yp`. -NIS is a Remote Procedure Call (RPC)-based client/server system that allows a group of machines within an NIS domain to share a common set of configuration files. This permits a system administrator to set up NIS client systems with only minimal configuration data and to add, remove, or modify configuration data from a single location. +NIS is a Remote Procedure Call (RPC)-based client/server system that allows a group of machines within an NIS domain to share a common set of configuration files. +This permits a system administrator to set up NIS client systems with only minimal configuration data and to add, remove, or modify configuration data from a single location. FreeBSD uses version 2 of the NIS protocol. @@ -494,19 +569,27 @@ There are three types of hosts in an NIS environment: * NIS master server + -This server acts as a central repository for host configuration information and maintains the authoritative copy of the files used by all of the NIS clients. The [.filename]#passwd#, [.filename]#group#, and other various files used by NIS clients are stored on the master server. While it is possible for one machine to be an NIS master server for more than one NIS domain, this type of configuration will not be covered in this chapter as it assumes a relatively small-scale NIS environment. +This server acts as a central repository for host configuration information and maintains the authoritative copy of the files used by all of the NIS clients. +The [.filename]#passwd#, [.filename]#group#, and other various files used by NIS clients are stored on the master server. +While it is possible for one machine to be an NIS master server for more than one NIS domain, this type of configuration will not be covered in this chapter as it assumes a relatively small-scale NIS environment. * NIS slave servers + -NIS slave servers maintain copies of the NIS master's data files in order to provide redundancy. Slave servers also help to balance the load of the master server as NIS clients always attach to the NIS server which responds first. +NIS slave servers maintain copies of the NIS master's data files in order to provide redundancy. +Slave servers also help to balance the load of the master server as NIS clients always attach to the NIS server which responds first. * NIS clients + NIS clients authenticate against the NIS server during log on. -Information in many files can be shared using NIS. The [.filename]#master.passwd#, [.filename]#group#, and [.filename]#hosts# files are commonly shared via NIS. Whenever a process on a client needs information that would normally be found in these files locally, it makes a query to the NIS server that it is bound to instead. +Information in many files can be shared using NIS. +The [.filename]#master.passwd#, [.filename]#group#, and [.filename]#hosts# files are commonly shared via NIS. +Whenever a process on a client needs information that would normally be found in these files locally, it makes a query to the NIS server that it is bound to instead. === Planning Considerations -This section describes a sample NIS environment which consists of 15 FreeBSD machines with no centralized point of administration. Each machine has its own [.filename]#/etc/passwd# and [.filename]#/etc/master.passwd#. These files are kept in sync with each other only through manual intervention. Currently, when a user is added to the lab, the process must be repeated on all 15 machines. +This section describes a sample NIS environment which consists of 15 FreeBSD machines with no centralized point of administration. +Each machine has its own [.filename]#/etc/passwd# and [.filename]#/etc/master.passwd#. +These files are kept in sync with each other only through manual intervention. +Currently, when a user is added to the lab, the process must be repeated on all 15 machines. The configuration of the lab will be as follows: @@ -539,27 +622,45 @@ The configuration of the lab will be as follows: |Other client machines |=== -If this is the first time an NIS scheme is being developed, it should be thoroughly planned ahead of time. Regardless of network size, several decisions need to be made as part of the planning process. +If this is the first time an NIS scheme is being developed, it should be thoroughly planned ahead of time. +Regardless of network size, several decisions need to be made as part of the planning process. ==== Choosing a NIS Domain Name -When a client broadcasts its requests for info, it includes the name of the NIS domain that it is part of. This is how multiple servers on one network can tell which server should answer which request. Think of the NIS domain name as the name for a group of hosts. +When a client broadcasts its requests for info, it includes the name of the NIS domain that it is part of. +This is how multiple servers on one network can tell which server should answer which request. +Think of the NIS domain name as the name for a group of hosts. -Some organizations choose to use their Internet domain name for their NIS domain name. This is not recommended as it can cause confusion when trying to debug network problems. The NIS domain name should be unique within the network and it is helpful if it describes the group of machines it represents. For example, the Art department at Acme Inc. might be in the "acme-art"NIS domain. This example will use the domain name `test-domain`. +Some organizations choose to use their Internet domain name for their NIS domain name. +This is not recommended as it can cause confusion when trying to debug network problems. +The NIS domain name should be unique within the network and it is helpful if it describes the group of machines it represents. +For example, the Art department at Acme Inc. might be in the "acme-art"NIS domain. +This example will use the domain name `test-domain`. -However, some non-FreeBSD operating systems require the NIS domain name to be the same as the Internet domain name. If one or more machines on the network have this restriction, the Internet domain name _must_ be used as the NIS domain name. +However, some non-FreeBSD operating systems require the NIS domain name to be the same as the Internet domain name. +If one or more machines on the network have this restriction, the Internet domain name _must_ be used as the NIS domain name. ==== Physical Server Requirements -There are several things to keep in mind when choosing a machine to use as a NIS server. Since NIS clients depend upon the availability of the server, choose a machine that is not rebooted frequently. The NIS server should ideally be a stand alone machine whose sole purpose is to be an NIS server. If the network is not heavily used, it is acceptable to put the NIS server on a machine running other services. However, if the NIS server becomes unavailable, it will adversely affect all NIS clients. +There are several things to keep in mind when choosing a machine to use as a NIS server. +Since NIS clients depend upon the availability of the server, choose a machine that is not rebooted frequently. +The NIS server should ideally be a stand alone machine whose sole purpose is to be an NIS server. +If the network is not heavily used, it is acceptable to put the NIS server on a machine running other services. +However, if the NIS server becomes unavailable, it will adversely affect all NIS clients. === Configuring the NIS Master Server -The canonical copies of all NIS files are stored on the master server. The databases used to store the information are called NIS maps. In FreeBSD, these maps are stored in [.filename]#/var/yp/[domainname]# where [.filename]#[domainname]# is the name of the NIS domain. Since multiple domains are supported, it is possible to have several directories, one for each domain. Each domain will have its own independent set of maps. +The canonical copies of all NIS files are stored on the master server. +The databases used to store the information are called NIS maps. +In FreeBSD, these maps are stored in [.filename]#/var/yp/[domainname]# where [.filename]#[domainname]# is the name of the NIS domain. +Since multiple domains are supported, it is possible to have several directories, one for each domain. +Each domain will have its own independent set of maps. -NIS master and slave servers handle all NIS requests through man:ypserv[8]. This daemon is responsible for receiving incoming requests from NIS clients, translating the requested domain and map name to a path to the corresponding database file, and transmitting data from the database back to the client. +NIS master and slave servers handle all NIS requests through man:ypserv[8]. +This daemon is responsible for receiving incoming requests from NIS clients, translating the requested domain and map name to a path to the corresponding database file, and transmitting data from the database back to the client. -Setting up a master NIS server can be relatively straight forward, depending on environmental needs. Since FreeBSD provides built-in NIS support, it only needs to be enabled by adding the following lines to [.filename]#/etc/rc.conf#: +Setting up a master NIS server can be relatively straight forward, depending on environmental needs. +Since FreeBSD provides built-in NIS support, it only needs to be enabled by adding the following lines to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -572,7 +673,10 @@ nis_yppasswdd_enable="YES" <.> <.> This automates the start up of the NIS server processes when the system boots. <.> This enables the man:rpc.yppasswdd[8] daemon so that users can change their NIS password from a client machine. -Care must be taken in a multi-server domain where the server machines are also NIS clients. It is generally a good idea to force the servers to bind to themselves rather than allowing them to broadcast bind requests and possibly become bound to each other. Strange failure modes can result if one server goes down and others are dependent upon it. Eventually, all the clients will time out and attempt to bind to other servers, but the delay involved can be considerable and the failure mode is still present since the servers might bind to each other all over again. +Care must be taken in a multi-server domain where the server machines are also NIS clients. +It is generally a good idea to force the servers to bind to themselves rather than allowing them to broadcast bind requests and possibly become bound to each other. +Strange failure modes can result if one server goes down and others are dependent upon it. +Eventually, all the clients will time out and attempt to bind to other servers, but the delay involved can be considerable and the failure mode is still present since the servers might bind to each other all over again. A server that is also a client can be forced to bind to a particular server by adding these additional lines to [.filename]#/etc/rc.conf#: @@ -585,7 +689,8 @@ nis_client_flags="-S test-domain,server" <.> <.> This enables running client stuff as well. <.> This line sets the NIS domain name to `test-domain` and bind to itself. -After saving the edits, type `/etc/netstart` to restart the network and apply the values defined in [.filename]#/etc/rc.conf#. Before initializing the NIS maps, start man:ypserv[8]: +After saving the edits, type `/etc/netstart` to restart the network and apply the values defined in [.filename]#/etc/rc.conf#. +Before initializing the NIS maps, start man:ypserv[8]: [source,shell] .... @@ -595,7 +700,9 @@ After saving the edits, type `/etc/netstart` to restart the network and apply th ==== Initializing the NIS Maps -NIS maps are generated from the configuration files in [.filename]#/etc# on the NIS master, with one exception: [.filename]#/etc/master.passwd#. This is to prevent the propagation of passwords to all the servers in the NIS domain. Therefore, before the NIS maps are initialized, configure the primary password files: +NIS maps are generated from the configuration files in [.filename]#/etc# on the NIS master, with one exception: [.filename]#/etc/master.passwd#. +This is to prevent the propagation of passwords to all the servers in the NIS domain. +Therefore, before the NIS maps are initialized, configure the primary password files: [source,shell] .... @@ -611,7 +718,9 @@ It is advisable to remove all entries for system accounts as well as any user ac Ensure that the [.filename]#/var/yp/master.passwd# is neither group or world readable by setting its permissions to `600`. ==== -After completing this task, initialize the NIS maps. FreeBSD includes the man:ypinit[8] script to do this. When generating maps for the master server, include `-m` and specify the NIS domain name: +After completing this task, initialize the NIS maps. +FreeBSD includes the man:ypinit[8] script to do this. +When generating maps for the master server, include `-m` and specify the NIS domain name: [source,shell] .... @@ -640,7 +749,9 @@ NIS Map update completed. ellington has been setup as an YP master server without any errors. .... -This will create [.filename]#/var/yp/Makefile# from [.filename]#/var/yp/Makefile.dist#. By default, this file assumes that the environment has a single NIS server with only FreeBSD clients. Since `test-domain` has a slave server, edit this line in [.filename]#/var/yp/Makefile# so that it begins with a comment (`#`): +This will create [.filename]#/var/yp/Makefile# from [.filename]#/var/yp/Makefile.dist#. +By default, this file assumes that the environment has a single NIS server with only FreeBSD clients. +Since `test-domain` has a slave server, edit this line in [.filename]#/var/yp/Makefile# so that it begins with a comment (`#`): [.programlisting] .... @@ -650,7 +761,9 @@ NOPUSH = "True" ==== Adding New Users -Every time a new user is created, the user account must be added to the master NIS server and the NIS maps rebuilt. Until this occurs, the new user will not be able to login anywhere except on the NIS master. For example, to add the new user `jsmith` to the `test-domain` domain, run these commands on the master server: +Every time a new user is created, the user account must be added to the master NIS server and the NIS maps rebuilt. +Until this occurs, the new user will not be able to login anywhere except on the NIS master. +For example, to add the new user `jsmith` to the `test-domain` domain, run these commands on the master server: [source,shell] .... @@ -663,7 +776,10 @@ The user could also be added using `adduser jsmith` instead of `pw useradd smith === Setting up a NIS Slave Server -To set up an NIS slave server, log on to the slave server and edit [.filename]#/etc/rc.conf# as for the master server. Do not generate any NIS maps, as these already exist on the master server. When running `ypinit` on the slave server, use `-s` (for slave) instead of `-m` (for master). This option requires the name of the NIS master in addition to the domain name, as seen in this example: +To set up an NIS slave server, log on to the slave server and edit [.filename]#/etc/rc.conf# as for the master server. +Do not generate any NIS maps, as these already exist on the master server. +When running `ypinit` on the slave server, use `-s` (for slave) instead of `-m` (for master). +This option requires the name of the NIS master in addition to the domain name, as seen in this example: [source,shell] .... @@ -725,7 +841,8 @@ coltrane has been setup as an YP slave server without any errors. Remember to update map ypservers on ellington. .... -This will generate a directory on the slave server called [.filename]#/var/yp/test-domain# which contains copies of the NIS master server's maps. Adding these [.filename]#/etc/crontab# entries on each slave server will force the slaves to sync their maps with the maps on the master server: +This will generate a directory on the slave server called [.filename]#/var/yp/test-domain# which contains copies of the NIS master server's maps. +Adding these [.filename]#/etc/crontab# entries on each slave server will force the slaves to sync their maps with the maps on the master server: [.programlisting] .... @@ -733,13 +850,21 @@ This will generate a directory on the slave server called [.filename]#/var/yp/te 21 * * * * root /usr/libexec/ypxfr passwd.byuid .... -These entries are not mandatory because the master server automatically attempts to push any map changes to its slaves. However, since clients may depend upon the slave server to provide correct password information, it is recommended to force frequent password map updates. This is especially important on busy networks where map updates might not always complete. +These entries are not mandatory because the master server automatically attempts to push any map changes to its slaves. +However, since clients may depend upon the slave server to provide correct password information, it is recommended to force frequent password map updates. +This is especially important on busy networks where map updates might not always complete. To finish the configuration, run `/etc/netstart` on the slave server in order to start the NIS services. === Setting Up an NIS Client -An NIS client binds to an NIS server using man:ypbind[8]. This daemon broadcasts RPC requests on the local network. These requests specify the domain name configured on the client. If an NIS server in the same domain receives one of the broadcasts, it will respond to ypbind, which will record the server's address. If there are several servers available, the client will use the address of the first server to respond and will direct all of its NIS requests to that server. The client will automatically ping the server on a regular basis to make sure it is still available. If it fails to receive a reply within a reasonable amount of time, ypbind will mark the domain as unbound and begin broadcasting again in the hopes of locating another server. +An NIS client binds to an NIS server using man:ypbind[8]. +This daemon broadcasts RPC requests on the local network. +These requests specify the domain name configured on the client. +If an NIS server in the same domain receives one of the broadcasts, it will respond to ypbind, which will record the server's address. +If there are several servers available, the client will use the address of the first server to respond and will direct all of its NIS requests to that server. +The client will automatically ping the server on a regular basis to make sure it is still available. +If it fails to receive a reply within a reasonable amount of time, ypbind will mark the domain as unbound and begin broadcasting again in the hopes of locating another server. To configure a FreeBSD machine to be an NIS client: @@ -760,7 +885,10 @@ nis_client_enable="YES" +::::::::: .... + -This line configures the client to provide anyone with a valid account in the NIS server's password maps an account on the client. There are many ways to configure the NIS client by modifying this line. One method is described in <<network-netgroups>>. For more detailed reading, refer to the book `Managing NFS and NIS`, published by O'Reilly Media. +This line configures the client to provide anyone with a valid account in the NIS server's password maps an account on the client. +There are many ways to configure the NIS client by modifying this line. +One method is described in <<network-netgroups>>. +For more detailed reading, refer to the book `Managing NFS and NIS`, published by O'Reilly Media. . To import all possible group entries from the NIS server, add this line to [.filename]#/etc/group#: + [.programlisting] @@ -781,7 +909,12 @@ After completing these steps, running `ypcat passwd` on the client should show t === NIS Security -Since RPC is a broadcast-based service, any system running ypbind within the same domain can retrieve the contents of the NIS maps. To prevent unauthorized transactions, man:ypserv[8] supports a feature called "securenets" which can be used to restrict access to a given set of hosts. By default, this information is stored in [.filename]#/var/yp/securenets#, unless man:ypserv[8] is started with `-p` and an alternate path. This file contains entries that consist of a network specification and a network mask separated by white space. Lines starting with `#` are considered to be comments. A sample [.filename]#securenets# might look like this: +Since RPC is a broadcast-based service, any system running ypbind within the same domain can retrieve the contents of the NIS maps. +To prevent unauthorized transactions, man:ypserv[8] supports a feature called "securenets" which can be used to restrict access to a given set of hosts. +By default, this information is stored in [.filename]#/var/yp/securenets#, unless man:ypserv[8] is started with `-p` and an alternate path. +This file contains entries that consist of a network specification and a network mask separated by white space. +Lines starting with `#` are considered to be comments. +A sample [.filename]#securenets# might look like this: [.programlisting] .... @@ -796,19 +929,31 @@ Since RPC is a broadcast-based service, any system running ypbind within the sam 10.0.0.0 255.255.240.0 .... -If man:ypserv[8] receives a request from an address that matches one of these rules, it will process the request normally. If the address fails to match a rule, the request will be ignored and a warning message will be logged. If the [.filename]#securenets# does not exist, `ypserv` will allow connections from any host. +If man:ypserv[8] receives a request from an address that matches one of these rules, it will process the request normally. +If the address fails to match a rule, the request will be ignored and a warning message will be logged. +If the [.filename]#securenets# does not exist, `ypserv` will allow connections from any host. -crossref:security[tcpwrappers,"TCP Wrapper"] is an alternate mechanism for providing access control instead of [.filename]#securenets#. While either access control mechanism adds some security, they are both vulnerable to "IP spoofing" attacks. All NIS-related traffic should be blocked at the firewall. +crossref:security[tcpwrappers,"TCP Wrapper"] is an alternate mechanism for providing access control instead of [.filename]#securenets#. +While either access control mechanism adds some security, they are both vulnerable to "IP spoofing" attacks. +All NIS-related traffic should be blocked at the firewall. -Servers using [.filename]#securenets# may fail to serve legitimate NIS clients with archaic TCP/IP implementations. Some of these implementations set all host bits to zero when doing broadcasts or fail to observe the subnet mask when calculating the broadcast address. While some of these problems can be fixed by changing the client configuration, other problems may force the retirement of these client systems or the abandonment of [.filename]#securenets#. +Servers using [.filename]#securenets# may fail to serve legitimate NIS clients with archaic TCP/IP implementations. +Some of these implementations set all host bits to zero when doing broadcasts or fail to observe the subnet mask when calculating the broadcast address. +While some of these problems can be fixed by changing the client configuration, other problems may force the retirement of these client systems or the abandonment of [.filename]#securenets#. -The use of TCP Wrapper increases the latency of the NIS server. The additional delay may be long enough to cause timeouts in client programs, especially in busy networks with slow NIS servers. If one or more clients suffer from latency, convert those clients into NIS slave servers and force them to bind to themselves. +The use of TCP Wrapper increases the latency of the NIS server. +The additional delay may be long enough to cause timeouts in client programs, especially in busy networks with slow NIS servers. +If one or more clients suffer from latency, convert those clients into NIS slave servers and force them to bind to themselves. ==== Barring Some Users -In this example, the `basie` system is a faculty workstation within the NIS domain. The [.filename]#passwd# map on the master NIS server contains accounts for both faculty and students. This section demonstrates how to allow faculty logins on this system while refusing student logins. +In this example, the `basie` system is a faculty workstation within the NIS domain. +The [.filename]#passwd# map on the master NIS server contains accounts for both faculty and students. +This section demonstrates how to allow faculty logins on this system while refusing student logins. -To prevent specified users from logging on to a system, even if they are present in the NIS database, use `vipw` to add `-_username_` with the correct number of colons towards the end of [.filename]#/etc/master.passwd# on the client, where _username_ is the username of a user to bar from logging in. The line with the blocked user must be before the `+` line that allows NIS users. In this example, `bill` is barred from logging on to `basie`: +To prevent specified users from logging on to a system, even if they are present in the NIS database, use `vipw` to add `-_username_` with the correct number of colons towards the end of [.filename]#/etc/master.passwd# on the client, where _username_ is the username of a user to bar from logging in. +The line with the blocked user must be before the `+` line that allows NIS users. +In this example, `bill` is barred from logging on to `basie`: [source,shell] .... @@ -840,7 +985,8 @@ basie# Barring specified users from logging on to individual systems becomes unscaleable on larger networks and quickly loses the main benefit of NIS: _centralized_ administration. -Netgroups were developed to handle large, complex networks with hundreds of users and machines. Their use is comparable to UNIX(R) groups, where the main difference is the lack of a numeric ID and the ability to define a netgroup by including both user accounts and other netgroups. +Netgroups were developed to handle large, complex networks with hundreds of users and machines. +Their use is comparable to UNIX(R) groups, where the main difference is the lack of a numeric ID and the ability to define a netgroup by including both user accounts and other netgroups. To expand on the example used in this chapter, the NIS domain will be extended to add the users and systems shown in Tables 28.2 and 28.3: @@ -882,9 +1028,14 @@ To expand on the example used in this chapter, the NIS domain will be extended t |A very old machine without any critical data. Even interns are allowed to use this system. |=== -When using netgroups to configure this scenario, each user is assigned to one or more netgroups and logins are then allowed or forbidden for all members of the netgroup. When adding a new machine, login restrictions must be defined for all netgroups. When a new user is added, the account must be added to one or more netgroups. If the NIS setup is planned carefully, only one central configuration file needs modification to grant or deny access to machines. +When using netgroups to configure this scenario, each user is assigned to one or more netgroups and logins are then allowed or forbidden for all members of the netgroup. +When adding a new machine, login restrictions must be defined for all netgroups. +When a new user is added, the account must be added to one or more netgroups. +If the NIS setup is planned carefully, only one central configuration file needs modification to grant or deny access to machines. -The first step is the initialization of the NIS`netgroup` map. In FreeBSD, this map is not created by default. On the NIS master server, use an editor to create a map named [.filename]#/var/yp/netgroup#. +The first step is the initialization of the NIS`netgroup` map. +In FreeBSD, this map is not created by default. +On the NIS master server, use an editor to create a map named [.filename]#/var/yp/netgroup#. This example creates four netgroups to represent IT employees, IT apprentices, employees, and interns: @@ -897,17 +1048,23 @@ USERS (,echo,test-domain) (,foxtrott,test-domain) \ INTERNS (,able,test-domain) (,baker,test-domain) .... -Each entry configures a netgroup. The first column in an entry is the name of the netgroup. Each set of brackets represents either a group of one or more users or the name of another netgroup. When specifying a user, the three comma-delimited fields inside each group represent: +Each entry configures a netgroup. The first column in an entry is the name of the netgroup. +Each set of brackets represents either a group of one or more users or the name of another netgroup. +When specifying a user, the three comma-delimited fields inside each group represent: . The name of the host(s) where the other fields representing the user are valid. If a hostname is not specified, the entry is valid on all hosts. . The name of the account that belongs to this netgroup. . The NIS domain for the account. Accounts may be imported from other NIS domains into a netgroup. -If a group contains multiple users, separate each user with whitespace. Additionally, each field may contain wildcards. See man:netgroup[5] for details. +If a group contains multiple users, separate each user with whitespace. +Additionally, each field may contain wildcards. +See man:netgroup[5] for details. -Netgroup names longer than 8 characters should not be used. The names are case sensitive and using capital letters for netgroup names is an easy way to distinguish between user, machine and netgroup names. +Netgroup names longer than 8 characters should not be used. +The names are case sensitive and using capital letters for netgroup names is an easy way to distinguish between user, machine and netgroup names. -Some non-FreeBSD NIS clients cannot handle netgroups containing more than 15 entries. This limit may be circumvented by creating several sub-netgroups with 15 users or fewer and a real netgroup consisting of the sub-netgroups, as seen in this example: +Some non-FreeBSD NIS clients cannot handle netgroups containing more than 15 entries. +This limit may be circumvented by creating several sub-netgroups with 15 users or fewer and a real netgroup consisting of the sub-netgroups, as seen in this example: [.programlisting] .... @@ -927,7 +1084,8 @@ ellington# cd /var/yp ellington# make .... -This will generate the three NIS maps [.filename]#netgroup#, [.filename]#netgroup.byhost# and [.filename]#netgroup.byuser#. Use the map key option of man:ypcat[1] to check if the new NIS maps are available: +This will generate the three NIS maps [.filename]#netgroup#, [.filename]#netgroup.byhost# and [.filename]#netgroup.byuser#. +Use the map key option of man:ypcat[1] to check if the new NIS maps are available: [source,shell] .... @@ -936,9 +1094,12 @@ ellington% ypcat -k netgroup.byhost ellington% ypcat -k netgroup.byuser .... -The output of the first command should resemble the contents of [.filename]#/var/yp/netgroup#. The second command only produces output if host-specific netgroups were created. The third command is used to get the list of netgroups for a user. +The output of the first command should resemble the contents of [.filename]#/var/yp/netgroup#. +The second command only produces output if host-specific netgroups were created. +The third command is used to get the list of netgroups for a user. -To configure a client, use man:vipw[8] to specify the name of the netgroup. For example, on the server named `war`, replace this line: +To configure a client, use man:vipw[8] to specify the name of the netgroup. +For example, on the server named `war`, replace this line: [.programlisting] .... @@ -954,7 +1115,10 @@ with This specifies that only the users defined in the netgroup `IT_EMP` will be imported into this system's password database and only those users are allowed to login to this system. -This configuration also applies to the `~` function of the shell and all routines which convert between user names and numerical user IDs. In other words, `cd ~_user_` will not work, `ls -l` will show the numerical ID instead of the username, and `find . -user joe -print` will fail with the message `No such user`. To fix this, import all user entries without allowing them to login into the servers. This can be achieved by adding an extra line: +This configuration also applies to the `~` function of the shell and all routines which convert between user names and numerical user IDs. +In other words, `cd ~_user_` will not work, `ls -l` will show the numerical ID instead of the username, and `find . -user joe -print` will fail with the message `No such user`. +To fix this, import all user entries without allowing them to login into the servers. +This can be achieved by adding an extra line: [.programlisting] .... @@ -963,7 +1127,8 @@ This configuration also applies to the `~` function of the shell and all routine This line configures the client to import all entries but to replace the shell in those entries with [.filename]#/usr/sbin/nologin#. -Make sure that extra line is placed _after_`+@IT_EMP:::::::::`. Otherwise, all user accounts imported from NIS will have [.filename]#/usr/sbin/nologin# as their login shell and no one will be able to login to the system. +Make sure that extra line is placed _after_ `+@IT_EMP:::::::::`. +Otherwise, all user accounts imported from NIS will have [.filename]#/usr/sbin/nologin# as their login shell and no one will be able to login to the system. To configure the less important servers, replace the old `+:::::::::` on the servers with these lines: @@ -983,7 +1148,11 @@ The corresponding lines for the workstations would be: +:::::::::/usr/sbin/nologin .... -NIS supports the creation of netgroups from other netgroups which can be useful if the policy regarding user access changes. One possibility is the creation of role-based netgroups. For example, one might create a netgroup called `BIGSRV` to define the login restrictions for the important servers, another netgroup called `SMALLSRV` for the less important servers, and a third netgroup called `USERBOX` for the workstations. Each of these netgroups contains the netgroups that are allowed to login onto these machines. The new entries for the NIS`netgroup` map would look like this: +NIS supports the creation of netgroups from other netgroups which can be useful if the policy regarding user access changes. +One possibility is the creation of role-based netgroups. +For example, one might create a netgroup called `BIGSRV` to define the login restrictions for the important servers, another netgroup called `SMALLSRV` for the less important servers, and a third netgroup called `USERBOX` for the workstations. +Each of these netgroups contains the netgroups that are allowed to login onto these machines. +The new entries for the NIS`netgroup` map would look like this: [.programlisting] .... @@ -992,9 +1161,14 @@ SMALLSRV IT_EMP IT_APP ITINTERN USERBOX IT_EMP ITINTERN USERS .... -This method of defining login restrictions works reasonably well when it is possible to define groups of machines with identical restrictions. Unfortunately, this is the exception and not the rule. Most of the time, the ability to define login restrictions on a per-machine basis is required. +This method of defining login restrictions works reasonably well when it is possible to define groups of machines with identical restrictions. +Unfortunately, this is the exception and not the rule. +Most of the time, the ability to define login restrictions on a per-machine basis is required. -Machine-specific netgroup definitions are another possibility to deal with the policy changes. In this scenario, the [.filename]#/etc/master.passwd# of each system contains two lines starting with "+". The first line adds a netgroup with the accounts allowed to login onto this machine and the second line adds all other accounts with [.filename]#/usr/sbin/nologin# as shell. It is recommended to use the "ALL-CAPS" version of the hostname as the name of the netgroup: +Machine-specific netgroup definitions are another possibility to deal with the policy changes. +In this scenario, the [.filename]#/etc/master.passwd# of each system contains two lines starting with "+". +The first line adds a netgroup with the accounts allowed to login onto this machine and the second line adds all other accounts with [.filename]#/usr/sbin/nologin# as shell. +It is recommended to use the "ALL-CAPS" version of the hostname as the name of the netgroup: [.programlisting] .... @@ -1002,7 +1176,9 @@ Machine-specific netgroup definitions are another possibility to deal with the p +:::::::::/usr/sbin/nologin .... -Once this task is completed on all the machines, there is no longer a need to modify the local versions of [.filename]#/etc/master.passwd# ever again. All further changes can be handled by modifying the NIS map. Here is an example of a possible `netgroup` map for this scenario: +Once this task is completed on all the machines, there is no longer a need to modify the local versions of [.filename]#/etc/master.passwd# ever again. +All further changes can be handled by modifying the NIS map. +Here is an example of a possible `netgroup` map for this scenario: [.programlisting] .... @@ -1043,11 +1219,14 @@ TWO (,hotel,test-domain) # [...more groups to follow] .... -It may not always be advisable to use machine-based netgroups. When deploying a couple of dozen or hundreds of systems, role-based netgroups instead of machine-based netgroups may be used to keep the size of the NIS map within reasonable limits. +It may not always be advisable to use machine-based netgroups. +When deploying a couple of dozen or hundreds of systems, role-based netgroups instead of machine-based netgroups may be used to keep the size of the NIS map within reasonable limits. === Password Formats -NIS requires that all hosts within an NIS domain use the same format for encrypting passwords. If users have trouble authenticating on an NIS client, it may be due to a differing password format. In a heterogeneous network, the format must be supported by all operating systems, where DES is the lowest common standard. +NIS requires that all hosts within an NIS domain use the same format for encrypting passwords. +If users have trouble authenticating on an NIS client, it may be due to a differing password format. +In a heterogeneous network, the format must be supported by all operating systems, where DES is the lowest common standard. To check which format a server or client is using, look at this section of [.filename]#/etc/login.conf#: @@ -1059,7 +1238,8 @@ default:\ [Further entries elided] .... -In this example, the system is using the DES format. Other possible values are `blf` for Blowfish and `md5` for MD5 encrypted passwords. +In this example, the system is using the DES format. +Other possible values are `blf` for Blowfish and `md5` for MD5 encrypted passwords. If the format on a host needs to be edited to match the one being used in the NIS domain, the login capability database must be rebuilt after saving the change: @@ -1076,15 +1256,23 @@ The format of passwords for existing user accounts will not be updated until eac [[network-ldap]] == Lightweight Directory Access Protocol (LDAP) -The Lightweight Directory Access Protocol (LDAP) is an application layer protocol used to access, modify, and authenticate objects using a distributed directory information service. Think of it as a phone or record book which stores several levels of hierarchical, homogeneous information. It is used in Active Directory and OpenLDAP networks and allows users to access to several levels of internal information utilizing a single account. For example, email authentication, pulling employee contact information, and internal website authentication might all make use of a single user account in the LDAP server's record base. +The Lightweight Directory Access Protocol (LDAP) is an application layer protocol used to access, modify, and authenticate objects using a distributed directory information service. +Think of it as a phone or record book which stores several levels of hierarchical, homogeneous information. +It is used in Active Directory and OpenLDAP networks and allows users to access to several levels of internal information utilizing a single account. +For example, email authentication, pulling employee contact information, and internal website authentication might all make use of a single user account in the LDAP server's record base. -This section provides a quick start guide for configuring an LDAP server on a FreeBSD system. It assumes that the administrator already has a design plan which includes the type of information to store, what that information will be used for, which users should have access to that information, and how to secure this information from unauthorized access. +This section provides a quick start guide for configuring an LDAP server on a FreeBSD system. +It assumes that the administrator already has a design plan which includes the type of information to store, what that information will be used for, which users should have access to that information, and how to secure this information from unauthorized access. === LDAP Terminology and Structure -LDAP uses several terms which should be understood before starting the configuration. All directory entries consist of a group of _attributes_. Each of these attribute sets contains a unique identifier known as a _Distinguished Name_ (DN) which is normally built from several other attributes such as the common or _Relative Distinguished Name_ (RDN). Similar to how directories have absolute and relative paths, consider a DN as an absolute path and the RDN as the relative path. +LDAP uses several terms which should be understood before starting the configuration. +All directory entries consist of a group of _attributes_. +Each of these attribute sets contains a unique identifier known as a _Distinguished Name_ (DN) which is normally built from several other attributes such as the common or _Relative Distinguished Name_ (RDN). +Similar to how directories have absolute and relative paths, consider a DN as an absolute path and the RDN as the relative path. -An example LDAP entry looks like the following. This example searches for the entry for the specified user account (`uid`), organizational unit (`ou`), and organization (`o`): +An example LDAP entry looks like the following. +This example searches for the entry for the specified user account (`uid`), organizational unit (`ou`), and organization (`o`): [source,shell] .... @@ -1112,46 +1300,59 @@ result: 0 Success # numEntries: 1 .... -This example entry shows the values for the `dn`, `mail`, `cn`, `uid`, and `telephoneNumber` attributes. The cn attribute is the RDN. +This example entry shows the values for the `dn`, `mail`, `cn`, `uid`, and `telephoneNumber` attributes. +The cn attribute is the RDN. More information about LDAP and its terminology can be found at http://www.openldap.org/doc/admin24/intro.html[http://www.openldap.org/doc/admin24/intro.html]. [[ldap-config]] === Configuring an LDAP Server -FreeBSD does not provide a built-in LDAP server. Begin the configuration by installing package:net/openldap-server[] package or port: +FreeBSD does not provide a built-in LDAP server. +Begin the configuration by installing package:net/openldap-server[] package or port: [source,shell] .... # pkg install openldap-server .... -There is a large set of default options enabled in the link:{linux-users}#software[package]. Review them by running `pkg info openldap-server`. If they are not sufficient (for example if SQL support is needed), please consider recompiling the port using the appropriate crossref:ports[ports-using,framework]. +There is a large set of default options enabled in the link:{linux-users}#software[package]. +Review them by running `pkg info openldap-server`. +If they are not sufficient (for example if SQL support is needed), please consider recompiling the port using the appropriate crossref:ports[ports-using,framework]. -The installation creates the directory [.filename]#/var/db/openldap-data# to hold the data. The directory to store the certificates must be created: +The installation creates the directory [.filename]#/var/db/openldap-data# to hold the data. +The directory to store the certificates must be created: [source,shell] .... # mkdir /usr/local/etc/openldap/private .... -The next phase is to configure the Certificate Authority. The following commands must be executed from [.filename]#/usr/local/etc/openldap/private#. This is important as the file permissions need to be restrictive and users should not have access to these files. More detailed information about certificates and their parameters can be found in crossref:security[openssl,"OpenSSL"]. To create the Certificate Authority, start with this command and follow the prompts: +The next phase is to configure the Certificate Authority. +The following commands must be executed from [.filename]#/usr/local/etc/openldap/private#. +This is important as the file permissions need to be restrictive and users should not have access to these files. +More detailed information about certificates and their parameters can be found in crossref:security[openssl,"OpenSSL"]. +To create the Certificate Authority, start with this command and follow the prompts: [source,shell] .... # openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt .... -The entries for the prompts may be generic _except_ for the `Common Name`. This entry must be _different_ than the system hostname. If this will be a self signed certificate, prefix the hostname with `CA` for Certificate Authority. +The entries for the prompts may be generic _except_ for the `Common Name`. +This entry must be _different_ than the system hostname. +If this will be a self signed certificate, prefix the hostname with `CA` for Certificate Authority. -The next task is to create a certificate signing request and a private key. Input this command and follow the prompts: +The next task is to create a certificate signing request and a private key. +Input this command and follow the prompts: [source,shell] .... # openssl req -days 365 -nodes -new -keyout server.key -out server.csr .... -During the certificate generation process, be sure to correctly set the `Common Name` attribute. The Certificate Signing Request must be signed with the Certificate Authority in order to be used as a valid certificate: +During the certificate generation process, be sure to correctly set the `Common Name` attribute. +The Certificate Signing Request must be signed with the Certificate Authority in order to be used as a valid certificate: [source,shell] .... @@ -1166,11 +1367,18 @@ The final part of the certificate generation process is to generate and sign the # openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key .... -Remember to use the same `Common Name` attribute when prompted. When finished, ensure that a total of eight (8) new files have been generated through the proceeding commands. +Remember to use the same `Common Name` attribute when prompted. +When finished, ensure that a total of eight (8) new files have been generated through the proceeding commands. -The daemon running the OpenLDAP server is [.filename]#slapd#. Its configuration is performed through [.filename]#slapd.ldif#: the old [.filename]#slapd.conf# has been deprecated by OpenLDAP. +The daemon running the OpenLDAP server is [.filename]#slapd#. +Its configuration is performed through [.filename]#slapd.ldif#: the old [.filename]#slapd.conf# has been deprecated by OpenLDAP. -http://www.openldap.org/doc/admin24/slapdconf2.html[Configuration examples] for [.filename]#slapd.ldif# are available and can also be found in [.filename]#/usr/local/etc/openldap/slapd.ldif.sample#. Options are documented in slapd-config(5). Each section of [.filename]#slapd.ldif#, like all the other LDAP attribute sets, is uniquely identified through a DN. Be sure that no blank lines are left between the `dn:` statement and the desired end of the section. In the following example, TLS will be used to implement a secure channel. The first section represents the global configuration: +http://www.openldap.org/doc/admin24/slapdconf2.html[Configuration examples] for [.filename]#slapd.ldif# are available and can also be found in [.filename]#/usr/local/etc/openldap/slapd.ldif.sample#. +Options are documented in slapd-config(5). +Each section of [.filename]#slapd.ldif#, like all the other LDAP attribute sets, is uniquely identified through a DN. +Be sure that no blank lines are left between the `dn:` statement and the desired end of the section. +In the following example, TLS will be used to implement a secure channel. +The first section represents the global configuration: [.programlisting] .... @@ -1195,7 +1403,9 @@ olcTLSProtocolMin: 3.1 olcTLSVerifyClient: never .... -The Certificate Authority, server certificate and server private key files must be specified here. It is recommended to let the clients choose the security cipher and omit option `olcTLSCipherSuite` (incompatible with TLS clients other than [.filename]#openssl#). Option `olcTLSProtocolMin` lets the server require a minimum security level: it is recommended. While verification is mandatory for the server, it is not for the client: `olcTLSVerifyClient: never`. +The Certificate Authority, server certificate and server private key files must be specified here. +It is recommended to let the clients choose the security cipher and omit option `olcTLSCipherSuite` (incompatible with TLS clients other than [.filename]#openssl#). Option `olcTLSProtocolMin` lets the server require a minimum security level: it is recommended. +While verification is mandatory for the server, it is not for the client: `olcTLSVerifyClient: never`. The second section is about the backend modules and can be configured as follows: @@ -1278,7 +1488,9 @@ olcAccess: to * by * none olcRootPW: {SSHA}iae+lrQZILpiUdf16Z9KmDmSwT77Dj4U .... -The default administrator username is `cn=config`. Type [.filename]#slappasswd# in a shell, choose a password and use its hash in `olcRootPW`. If this option is not specified now, before [.filename]#slapd.ldif# is imported, no one will be later able to modify the _global configuration_ section. +The default administrator username is `cn=config`. +Type [.filename]#slappasswd# in a shell, choose a password and use its hash in `olcRootPW`. +If this option is not specified now, before [.filename]#slapd.ldif# is imported, no one will be later able to modify the _global configuration_ section. The last section is about the database backend: @@ -1307,11 +1519,15 @@ olcDbDirectory: /var/db/openldap-data olcDbIndex: objectClass eq .... -This database hosts the _actual contents_ of the LDAP directory. Types other than `mdb` are available. Its super-user, not to be confused with the global one, is configured here: a (possibly custom) username in `olcRootDN` and the password hash in `olcRootPW`; [.filename]#slappasswd# can be used as before. +This database hosts the _actual contents_ of the LDAP directory. +Types other than `mdb` are available. +Its super-user, not to be confused with the global one, is configured here: a (possibly custom) username in `olcRootDN` and the password hash in `olcRootPW`; [.filename]#slappasswd# can be used as before. -This http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=tree;f=tests/data/regressions/its8444;h=8a5e808e63b0de3d2bdaf2cf34fecca8577ca7fd;hb=HEAD[repository] contains four examples of [.filename]#slapd.ldif#. To convert an existing [.filename]#slapd.conf# into [.filename]#slapd.ldif#, refer to http://www.openldap.org/doc/admin24/slapdconf2.html[this page] (please note that this may introduce some unuseful options). +This http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=tree;f=tests/data/regressions/its8444;h=8a5e808e63b0de3d2bdaf2cf34fecca8577ca7fd;hb=HEAD[repository] contains four examples of [.filename]#slapd.ldif#. +To convert an existing [.filename]#slapd.conf# into [.filename]#slapd.ldif#, refer to http://www.openldap.org/doc/admin24/slapdconf2.html[this page] (please note that this may introduce some unuseful options). -When the configuration is completed, [.filename]#slapd.ldif# must be placed in an empty directory. It is recommended to create it as: +When the configuration is completed, [.filename]#slapd.ldif# must be placed in an empty directory. +It is recommended to create it as: [source,shell] .... @@ -1332,7 +1548,8 @@ Start the [.filename]#slapd# daemon: # /usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d/ .... -Option `-d` can be used for debugging, as specified in slapd(8). To verify that the server is running and working: +Option `-d` can be used for debugging, as specified in slapd(8). +To verify that the server is running and working: [source,shell] .... @@ -1357,7 +1574,9 @@ result: 0 Success # numEntries: 1 .... -The server must still be trusted. If that has never been done before, follow these instructions. Install the OpenSSL package or port: +The server must still be trusted. +If that has never been done before, follow these instructions. +Install the OpenSSL package or port: [source,shell] .... @@ -1371,14 +1590,16 @@ From the directory where [.filename]#ca.crt# is stored (in this example, [.filen # c_rehash . .... -Both the CA and the server certificate are now correctly recognized in their respective roles. To verify this, run this command from the [.filename]#server.crt# directory: +Both the CA and the server certificate are now correctly recognized in their respective roles. +To verify this, run this command from the [.filename]#server.crt# directory: [source,shell] .... # openssl verify -verbose -CApath . server.crt .... -If [.filename]#slapd# was running, restart it. As stated in [.filename]#/usr/local/etc/rc.d/slapd#, to properly run [.filename]#slapd# at boot the following lines must be added to [.filename]#/etc/rc.conf#: +If [.filename]#slapd# was running, restart it. +As stated in [.filename]#/usr/local/etc/rc.d/slapd#, to properly run [.filename]#slapd# at boot the following lines must be added to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -1389,9 +1610,11 @@ slapd_sockets="/var/run/openldap/ldapi" slapd_cn_config="YES" .... -[.filename]#slapd# does not provide debugging at boot. Check [.filename]#/var/log/debug.log#, [.filename]#dmesg -a# and [.filename]#/var/log/messages# for this purpose. +[.filename]#slapd# does not provide debugging at boot. +Check [.filename]#/var/log/debug.log#, [.filename]#dmesg -a# and [.filename]#/var/log/messages# for this purpose. -The following example adds the group `team` and the user `john` to the `domain.example`LDAP database, which is still empty. First, create the file [.filename]#domain.ldif#: +The following example adds the group `team` and the user `john` to the `domain.example` LDAP database, which is still empty. +First, create the file [.filename]#domain.ldif#: [source,shell] .... @@ -1432,14 +1655,19 @@ loginShell: /usr/bin/bash userPassword: secret .... -See the OpenLDAP documentation for more details. Use [.filename]#slappasswd# to replace the plain text password `secret` with a hash in `userPassword`. The path specified as `loginShell` must exist in all the systems where `john` is allowed to login. Finally, use the `mdb` administrator to modify the database: +See the OpenLDAP documentation for more details. +Use [.filename]#slappasswd# to replace the plain text password `secret` with a hash in `userPassword`. +The path specified as `loginShell` must exist in all the systems where `john` is allowed to login. +Finally, use the `mdb` administrator to modify the database: [source,shell] .... # ldapadd -W -D "cn=mdbadmin,dc=domain,dc=example" -f domain.ldif .... -Modifications to the _global configuration_ section can only be performed by the global super-user. For example, assume that the option `olcTLSCipherSuite: HIGH:MEDIUM:SSLv3` was initially specified and must now be deleted. First, create a file that contains the following: +Modifications to the _global configuration_ section can only be performed by the global super-user. +For example, assume that the option `olcTLSCipherSuite: HIGH:MEDIUM:SSLv3` was initially specified and must now be deleted. +First, create a file that contains the following: [source,shell] .... @@ -1456,7 +1684,9 @@ Then, apply the modifications: # ldapmodify -f global_mod -x -D "cn=config" -W .... -When asked, provide the password chosen in the _configuration backend_ section. The username is not required: here, `cn=config` represents the DN of the database section to be modified. Alternatively, use `ldapmodify` to delete a single line of the database, `ldapdelete` to delete a whole entry. +When asked, provide the password chosen in the _configuration backend_ section. +The username is not required: here, `cn=config` represents the DN of the database section to be modified. +Alternatively, use `ldapmodify` to delete a single line of the database, `ldapdelete` to delete a whole entry. If something goes wrong, or if the global super-user cannot access the configuration backend, it is possible to delete and re-write the whole configuration: @@ -1465,20 +1695,29 @@ If something goes wrong, or if the global super-user cannot access the configura # rm -rf /usr/local/etc/openldap/slapd.d/ .... -[.filename]#slapd.ldif# can then be edited and imported again. Please, follow this procedure only when no other solution is available. +[.filename]#slapd.ldif# can then be edited and imported again. +Please, follow this procedure only when no other solution is available. -This is the configuration of the server only. The same machine can also host an LDAP client, with its own separate configuration. +This is the configuration of the server only. +The same machine can also host an LDAP client, with its own separate configuration. [[network-dhcp]] == Dynamic Host Configuration Protocol (DHCP) -The Dynamic Host Configuration Protocol (DHCP) allows a system to connect to a network in order to be assigned the necessary addressing information for communication on that network. FreeBSD includes the OpenBSD version of `dhclient` which is used by the client to obtain the addressing information. FreeBSD does not install a DHCP server, but several servers are available in the FreeBSD Ports Collection. The DHCP protocol is fully described in http://www.freesoft.org/CIE/RFC/2131/[RFC 2131]. Informational resources are also available at http://www.isc.org/downloads/dhcp/[isc.org/downloads/dhcp/]. +The Dynamic Host Configuration Protocol (DHCP) allows a system to connect to a network in order to be assigned the necessary addressing information for communication on that network. +FreeBSD includes the OpenBSD version of `dhclient` which is used by the client to obtain the addressing information. +FreeBSD does not install a DHCP server, but several servers are available in the FreeBSD Ports Collection. +The DHCP protocol is fully described in http://www.freesoft.org/CIE/RFC/2131/[RFC 2131]. +Informational resources are also available at http://www.isc.org/downloads/dhcp/[isc.org/downloads/dhcp/]. -This section describes how to use the built-in DHCP client. It then describes how to install and configure a DHCP server. +This section describes how to use the built-in DHCP client. +It then describes how to install and configure a DHCP server. [NOTE] ==== -In FreeBSD, the man:bpf[4] device is needed by both the DHCP server and DHCP client. This device is included in the [.filename]#GENERIC# kernel that is installed with FreeBSD. Users who prefer to create a custom kernel need to keep this device if DHCP is used. +In FreeBSD, the man:bpf[4] device is needed by both the DHCP server and DHCP client. +This device is included in the [.filename]#GENERIC# kernel that is installed with FreeBSD. +Users who prefer to create a custom kernel need to keep this device if DHCP is used. It should be noted that [.filename]#bpf# also allows privileged users to run network packet sniffers on that system. ==== @@ -1486,13 +1725,24 @@ It should be noted that [.filename]#bpf# also allows privileged users to run net === Configuring a DHCP Client -DHCP client support is included in the FreeBSD installer, making it easy to configure a newly installed system to automatically receive its networking addressing information from an existing DHCP server. Refer to crossref:bsdinstall[bsdinstall-post,"Accounts, Time Zone, Services and Hardening"] for examples of network configuration. +DHCP client support is included in the FreeBSD installer, making it easy to configure a newly installed system to automatically receive its networking addressing information from an existing DHCP server. +Refer to crossref:bsdinstall[bsdinstall-post,"Accounts, Time Zone, Services and Hardening"] for examples of network configuration. -When `dhclient` is executed on the client machine, it begins broadcasting requests for configuration information. By default, these requests use UDP port 68. The server replies on UDP port 67, giving the client an IP address and other relevant network information such as a subnet mask, default gateway, and DNS server addresses. This information is in the form of a DHCP"lease" and is valid for a configurable time. This allows stale IP addresses for clients no longer connected to the network to automatically be reused. DHCP clients can obtain a great deal of information from the server. An exhaustive list may be found in man:dhcp-options[5]. +When `dhclient` is executed on the client machine, it begins broadcasting requests for configuration information. +By default, these requests use UDP port 68. +The server replies on UDP port 67, giving the client an IP address and other relevant network information such as a subnet mask, default gateway, and DNS server addresses. +This information is in the form of a DHCP "lease" and is valid for a configurable time. +This allows stale IP addresses for clients no longer connected to the network to automatically be reused. +DHCP clients can obtain a great deal of information from the server. +An exhaustive list may be found in man:dhcp-options[5]. -By default, when a FreeBSD system boots, its DHCP client runs in the background, or _asynchronously_. Other startup scripts continue to run while the DHCP process completes, which speeds up system startup. +By default, when a FreeBSD system boots, its DHCP client runs in the background, or _asynchronously_. +Other startup scripts continue to run while the DHCP process completes, which speeds up system startup. -Background DHCP works well when the DHCP server responds quickly to the client's requests. However, DHCP may take a long time to complete on some systems. If network services attempt to run before DHCP has assigned the network addressing information, they will fail. Using DHCP in _synchronous_ mode prevents this problem as it pauses startup until the DHCP configuration has completed. +Background DHCP works well when the DHCP server responds quickly to the client's requests. +However, DHCP may take a long time to complete on some systems. +If network services attempt to run before DHCP has assigned the network addressing information, they will fail. +Using DHCP in _synchronous_ mode prevents this problem as it pauses startup until the DHCP configuration has completed. This line in [.filename]#/etc/rc.conf# is used to configure background or asynchronous mode: @@ -1501,7 +1751,8 @@ This line in [.filename]#/etc/rc.conf# is used to configure background or asynch ifconfig_fxp0="DHCP" .... -This line may already exist if the system was configured to use DHCP during installation. Replace the _fxp0_ shown in these examples with the name of the interface to be dynamically configured, as described in crossref:config[config-network-setup,“Setting Up Network Interface Cards”]. +This line may already exist if the system was configured to use DHCP during installation. +Replace the _fxp0_ shown in these examples with the name of the interface to be dynamically configured, as described in crossref:config[config-network-setup,“Setting Up Network Interface Cards”]. To instead configure the system to use synchronous mode, and to pause during startup while DHCP completes, use "`SYNCDHCP`": @@ -1510,19 +1761,23 @@ To instead configure the system to use synchronous mode, and to pause during sta ifconfig_fxp0="SYNCDHCP" .... -Additional client options are available. Search for `dhclient` in man:rc.conf[5] for details. +Additional client options are available. +Search for `dhclient` in man:rc.conf[5] for details. The DHCP client uses the following files: * [.filename]#/etc/dhclient.conf# + -The configuration file used by `dhclient`. Typically, this file contains only comments as the defaults are suitable for most clients. This configuration file is described in man:dhclient.conf[5]. +The configuration file used by `dhclient`. +Typically, this file contains only comments as the defaults are suitable for most clients. +This configuration file is described in man:dhclient.conf[5]. * [.filename]#/sbin/dhclient# + More information about the command itself can be found in man:dhclient[8]. * [.filename]#/sbin/dhclient-script# + -The FreeBSD-specific DHCP client configuration script. It is described in man:dhclient-script[8], but should not need any user modification to function properly. +The FreeBSD-specific DHCP client configuration script. +It is described in man:dhclient-script[8], but should not need any user modification to function properly. * [.filename]#/var/db/dhclient.leases.interface# + The DHCP client keeps a database of valid leases in this file, which is written as a log and is described in man:dhclient.leases[5]. @@ -1531,11 +1786,14 @@ The DHCP client keeps a database of valid leases in this file, which is written [[network-dhcp-server]] === Installing and Configuring a DHCP Server -This section demonstrates how to configure a FreeBSD system to act as a DHCP server using the Internet Systems Consortium (ISC) implementation of the DHCP server. This implementation and its documentation can be installed using the package:net/isc-dhcp43-server[] package or port. +This section demonstrates how to configure a FreeBSD system to act as a DHCP server using the Internet Systems Consortium (ISC) implementation of the DHCP server. +This implementation and its documentation can be installed using the package:net/isc-dhcp43-server[] package or port. -The installation of package:net/isc-dhcp43-server[] installs a sample configuration file. Copy [.filename]#/usr/local/etc/dhcpd.conf.example# to [.filename]#/usr/local/etc/dhcpd.conf# and make any edits to this new file. +The installation of package:net/isc-dhcp43-server[] installs a sample configuration file. +Copy [.filename]#/usr/local/etc/dhcpd.conf.example# to [.filename]#/usr/local/etc/dhcpd.conf# and make any edits to this new file. -The configuration file is comprised of declarations for subnets and hosts which define the information that is provided to DHCP clients. For example, these lines configure the following: +The configuration file is comprised of declarations for subnets and hosts which define the information that is provided to DHCP clients. +For example, these lines configure the following: [.programlisting] .... @@ -1569,7 +1827,8 @@ host fantasia { <.> Specifies the hardware MAC address of a client so that the DHCP server can recognize the client when it makes a request. <.> Specifies that this host should always be given the same IP address. Using the hostname is correct, since the DHCP server will resolve the hostname before returning the lease information. -This configuration file supports many more options. Refer to dhcpd.conf(5), installed with the server, for details and examples. +This configuration file supports many more options. +Refer to dhcpd.conf(5), installed with the server, for details and examples. Once the configuration of [.filename]#dhcpd.conf# is complete, enable the DHCP server in [.filename]#/etc/rc.conf#: @@ -1590,26 +1849,33 @@ Start the server by issuing the following command: Any future changes to the configuration of the server will require the dhcpd service to be stopped and then started using man:service[8]. -The DHCP server uses the following files. Note that the manual pages are installed with the server software. +The DHCP server uses the following files. +Note that the manual pages are installed with the server software. * [.filename]#/usr/local/sbin/dhcpd# + More information about the dhcpd server can be found in dhcpd(8). * [.filename]#/usr/local/etc/dhcpd.conf# + -The server configuration file needs to contain all the information that should be provided to clients, along with information regarding the operation of the server. This configuration file is described in dhcpd.conf(5). +The server configuration file needs to contain all the information that should be provided to clients, along with information regarding the operation of the server. +This configuration file is described in dhcpd.conf(5). * [.filename]#/var/db/dhcpd.leases# + -The DHCP server keeps a database of leases it has issued in this file, which is written as a log. Refer to dhcpd.leases(5), which gives a slightly longer description. +The DHCP server keeps a database of leases it has issued in this file, which is written as a log. +Refer to dhcpd.leases(5), which gives a slightly longer description. * [.filename]#/usr/local/sbin/dhcrelay# + -This daemon is used in advanced environments where one DHCP server forwards a request from a client to another DHCP server on a separate network. If this functionality is required, install the package:net/isc-dhcp43-relay[] package or port. The installation includes dhcrelay(8) which provides more detail. +This daemon is used in advanced environments where one DHCP server forwards a request from a client to another DHCP server on a separate network. +If this functionality is required, install the package:net/isc-dhcp43-relay[] package or port. +The installation includes dhcrelay(8) which provides more detail. [[network-dns]] == Domain Name System (DNS) -Domain Name System (DNS) is the protocol through which domain names are mapped to IP addresses, and vice versa. DNS is coordinated across the Internet through a somewhat complex system of authoritative root, Top Level Domain (TLD), and other smaller-scale name servers, which host and cache individual domain information. It is not necessary to run a name server to perform DNS lookups on a system. +Domain Name System (DNS) is the protocol through which domain names are mapped to IP addresses, and vice versa. +DNS is coordinated across the Internet through a somewhat complex system of authoritative root, Top Level Domain (TLD), and other smaller-scale name servers, which host and cache individual domain information. +It is not necessary to run a name server to perform DNS lookups on a system. The following table describes some of the terms associated with DNS: @@ -1645,7 +1911,9 @@ Examples of zones: * `example.org.` is a zone under the `org.`TLD. * `1.168.192.in-addr.arpa` is a zone referencing all IP addresses which fall under the `192.168.1.*`IP address space. -As one can see, the more specific part of a hostname appears to its left. For example, `example.org.` is more specific than `org.`, as `org.` is more specific than the root zone. The layout of each part of a hostname is much like a file system: the [.filename]#/dev# directory falls within the root, and so on. +As one can see, the more specific part of a hostname appears to its left. +For example, `example.org.` is more specific than `org.`, as `org.` is more specific than the root zone. +The layout of each part of a hostname is much like a file system: the [.filename]#/dev# directory falls within the root, and so on. === Reasons to Run a Name Server @@ -1662,11 +1930,15 @@ A caching name server is needed when: * A local DNS server may cache and respond more quickly than querying an outside name server. -When one queries for `www.FreeBSD.org`, the resolver usually queries the uplink ISP's name server, and retrieves the reply. With a local, caching DNS server, the query only has to be made once to the outside world by the caching DNS server. Additional queries will not have to go outside the local network, since the information is cached locally. +When one queries for `www.FreeBSD.org`, the resolver usually queries the uplink ISP's name server, and retrieves the reply. +With a local, caching DNS server, the query only has to be made once to the outside world by the caching DNS server. +Additional queries will not have to go outside the local network, since the information is cached locally. === DNS Server Configuration -Unbound is provided in the FreeBSD base system. By default, it will provide DNS resolution to the local machine only. While the base system package can be configured to provide resolution services beyond the local machine, it is recommended that such requirements be addressed by installing Unbound from the FreeBSD Ports Collection. +Unbound is provided in the FreeBSD base system. +By default, it will provide DNS resolution to the local machine only. +While the base system package can be configured to provide resolution services beyond the local machine, it is recommended that such requirements be addressed by installing Unbound from the FreeBSD Ports Collection. To enable Unbound, add the following to [.filename]#/etc/rc.conf#: @@ -1679,7 +1951,9 @@ Any existing nameservers in [.filename]#/etc/resolv.conf# will be configured as [NOTE] ==== -If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail. Be sure to test each nameserver and remove any that fail the test. The following command will show the trust tree or a failure for a nameserver running on `192.168.1.1`: +If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail. +Be sure to test each nameserver and remove any that fail the test. +The following command will show the trust tree or a failure for a nameserver running on `192.168.1.1`: ==== @@ -1695,7 +1969,8 @@ Once each nameserver is confirmed to support DNSSEC, start Unbound: # service local_unbound onestart .... -This will take care of updating [.filename]#/etc/resolv.conf# so that queries for DNSSEC secured domains will now work. For example, run the following to validate the FreeBSD.org DNSSEC trust tree: +This will take care of updating [.filename]#/etc/resolv.conf# so that queries for DNSSEC secured domains will now work. +For example, run the following to validate the FreeBSD.org DNSSEC trust tree: [source,shell] .... @@ -1724,27 +1999,39 @@ freebsd.org. (A) [[network-apache]] == Apache HTTP Server -The open source Apache HTTP Server is the most widely used web server. FreeBSD does not install this web server by default, but it can be installed from the package:www/apache24[] package or port. +The open source Apache HTTP Server is the most widely used web server. +FreeBSD does not install this web server by default, but it can be installed from the package:www/apache24[] package or port. -This section summarizes how to configure and start version 2._x_ of the Apache HTTP Server on FreeBSD. For more detailed information about Apache 2.X and its configuration directives, refer to http://httpd.apache.org/[httpd.apache.org]. +This section summarizes how to configure and start version 2._x_ of the Apache HTTP Server on FreeBSD. +For more detailed information about Apache 2.X and its configuration directives, refer to http://httpd.apache.org/[httpd.apache.org]. === Configuring and Starting Apache -In FreeBSD, the main Apache HTTP Server configuration file is installed as [.filename]#/usr/local/etc/apache2x/httpd.conf#, where _x_ represents the version number. This ASCII text file begins comment lines with a `#`. The most frequently modified directives are: +In FreeBSD, the main Apache HTTP Server configuration file is installed as [.filename]#/usr/local/etc/apache2x/httpd.conf#, where _x_ represents the version number. +This ASCII text file begins comment lines with a `#`. +The most frequently modified directives are: `ServerRoot "/usr/local"`:: -Specifies the default directory hierarchy for the Apache installation. Binaries are stored in the [.filename]#bin# and [.filename]#sbin# subdirectories of the server root and configuration files are stored in the [.filename]#etc/apache2x# subdirectory. +Specifies the default directory hierarchy for the Apache installation. +Binaries are stored in the [.filename]#bin# and [.filename]#sbin# subdirectories of the server root and configuration files are stored in the [.filename]#etc/apache2x# subdirectory. `ServerAdmin you@example.com`:: -Change this to the email address to receive problems with the server. This address also appears on some server-generated pages, such as error documents. +Change this to the email address to receive problems with the server. +This address also appears on some server-generated pages, such as error documents. `ServerName www.example.com:80`:: -Allows an administrator to set a hostname which is sent back to clients for the server. For example, `www` can be used instead of the actual hostname. If the system does not have a registered DNS name, enter its IP address instead. If the server will listen on an alternate report, change `80` to the alternate port number. +Allows an administrator to set a hostname which is sent back to clients for the server. +For example, `www` can be used instead of the actual hostname. +If the system does not have a registered DNS name, enter its IP address instead. +If the server will listen on an alternate report, change `80` to the alternate port number. `DocumentRoot "/usr/local/www/apache2_x_/data"`:: -The directory where documents will be served from. By default, all requests are taken from this directory, but symbolic links and aliases may be used to point to other locations. +The directory where documents will be served from. +By default, all requests are taken from this directory, but symbolic links and aliases may be used to point to other locations. -It is always a good idea to make a backup copy of the default Apache configuration file before making changes. When the configuration of Apache is complete, save the file and verify the configuration using `apachectl`. Running `apachectl configtest` should return `Syntax OK`. +It is always a good idea to make a backup copy of the default Apache configuration file before making changes. +When the configuration of Apache is complete, save the file and verify the configuration using `apachectl`. +Running `apachectl configtest` should return `Syntax OK`. To launch Apache at system startup, add the following line to [.filename]#/etc/rc.conf#: @@ -1767,7 +2054,8 @@ If apachectl does not report configuration errors, start `httpd` now: # service apache24 start .... -The `httpd` service can be tested by entering `http://_localhost_` in a web browser, replacing _localhost_ with the fully-qualified domain name of the machine running `httpd`. The default web page that is displayed is [.filename]#/usr/local/www/apache24/data/index.html#. +The `httpd` service can be tested by entering `http://_localhost_` in a web browser, replacing _localhost_ with the fully-qualified domain name of the machine running `httpd`. +The default web page that is displayed is [.filename]#/usr/local/www/apache24/data/index.html#. The Apache configuration can be tested for errors after making subsequent configuration changes while `httpd` is running using the following command: @@ -1783,9 +2071,13 @@ It is important to note that `configtest` is not an man:rc[8] standard, and shou === Virtual Hosting -Virtual hosting allows multiple websites to run on one Apache server. The virtual hosts can be _IP-based_ or _name-based_. IP-based virtual hosting uses a different IP address for each website. Name-based virtual hosting uses the clients HTTP/1.1 headers to figure out the hostname, which allows the websites to share the same IP address. +Virtual hosting allows multiple websites to run on one Apache server. +The virtual hosts can be _IP-based_ or _name-based_. +IP-based virtual hosting uses a different IP address for each website. +Name-based virtual hosting uses the clients HTTP/1.1 headers to figure out the hostname, which allows the websites to share the same IP address. -To setup Apache to use name-based virtual hosting, add a `VirtualHost` block for each website. For example, for the webserver named `www.domain.tld` with a virtual domain of `www.someotherdomain.tld`, add the following entries to [.filename]#httpd.conf#: +To setup Apache to use name-based virtual hosting, add a `VirtualHost` block for each website. +For example, for the webserver named `www.domain.tld` with a virtual domain of `www.someotherdomain.tld`, add the following entries to [.filename]#httpd.conf#: [.programlisting] .... @@ -1806,13 +2098,21 @@ For more information about setting up virtual hosts, consult the official Apache === Apache Modules -Apache uses modules to augment the functionality provided by the basic server. Refer to http://httpd.apache.org/docs/current/mod/[http://httpd.apache.org/docs/current/mod/] for a complete listing of and the configuration details for the available modules. +Apache uses modules to augment the functionality provided by the basic server. +Refer to http://httpd.apache.org/docs/current/mod/[http://httpd.apache.org/docs/current/mod/] for a complete listing of and the configuration details for the available modules. -In FreeBSD, some modules can be compiled with the package:www/apache24[] port. Type `make config` within [.filename]#/usr/ports/www/apache24# to see which modules are available and which are enabled by default. If the module is not compiled with the port, the FreeBSD Ports Collection provides an easy way to install many modules. This section describes three of the most commonly used modules. +In FreeBSD, some modules can be compiled with the package:www/apache24[] port. +Type `make config` within [.filename]#/usr/ports/www/apache24# to see which modules are available and which are enabled by default. +If the module is not compiled with the port, the FreeBSD Ports Collection provides an easy way to install many modules. +This section describes three of the most commonly used modules. ==== SSL support -At one in point in time, support for SSL inside of Apache required a secondary module called [.filename]#mod_ssl#. This is no longer the case and the default install of Apache comes with SSL built into the web server. An example of how to enable support for SSL websites is available in the installed file, [.filename]#httpd-ssl.conf# inside of the [.filename]#/usr/local/etc/apache24/extra# directory. Inside this directory is also a sample file called named [.filename]#ssl.conf-sample#. It is recommended that both files be evaluated to properly set up secure websites in the Apache web server. +At one in point in time, support for SSL inside of Apache required a secondary module called [.filename]#mod_ssl#. +This is no longer the case and the default install of Apache comes with SSL built into the web server. +An example of how to enable support for SSL websites is available in the installed file, [.filename]#httpd-ssl.conf# inside of the [.filename]#/usr/local/etc/apache24/extra# directory +Inside this directory is also a sample file called named [.filename]#ssl.conf-sample#. +It is recommended that both files be evaluated to properly set up secure websites in the Apache web server. After the configuration of SSL is complete, the following line must be uncommented in the main [.filename]#http.conf# to activate the changes on the next restart or reload of Apache: @@ -1823,7 +2123,9 @@ After the configuration of SSL is complete, the following line must be uncomment [WARNING] ==== -SSL version two and version three have known vulnerability issues. It is highly recommended TLS version 1.2 and 1.3 be enabled in place of the older SSL options. This can be accomplished by setting the following options in the [.filename]#ssl.conf#: +SSL version two and version three have known vulnerability issues. +It is highly recommended TLS version 1.2 and 1.3 be enabled in place of the older SSL options. +This can be accomplished by setting the following options in the [.filename]#ssl.conf#: ==== @@ -1850,17 +2152,21 @@ LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so LoadModule ssl_module libexec/apache24/mod_ssl.so .... -The next step is to work with a certificate authority to have the appropriate certificates installed on the system. This will set up a chain of trust for the site and prevent any warnings of self-signed certificates. +The next step is to work with a certificate authority to have the appropriate certificates installed on the system. +This will set up a chain of trust for the site and prevent any warnings of self-signed certificates. ==== [.filename]#mod_perl# -The [.filename]#mod_perl# module makes it possible to write Apache modules in Perl. In addition, the persistent interpreter embedded in the server avoids the overhead of starting an external interpreter and the penalty of Perl start-up time. +The [.filename]#mod_perl# module makes it possible to write Apache modules in Perl. +In addition, the persistent interpreter embedded in the server avoids the overhead of starting an external interpreter and the penalty of Perl start-up time. -The [.filename]#mod_perl# can be installed using the package:www/mod_perl2[] package or port. Documentation for using this module can be found at http://perl.apache.org/docs/2.0/index.html[http://perl.apache.org/docs/2.0/index.html]. +The [.filename]#mod_perl# can be installed using the package:www/mod_perl2[] package or port. +Documentation for using this module can be found at http://perl.apache.org/docs/2.0/index.html[http://perl.apache.org/docs/2.0/index.html]. ==== [.filename]#mod_php# -_PHP: Hypertext Preprocessor_ (PHP) is a general-purpose scripting language that is especially suited for web development. Capable of being embedded into HTML, its syntax draws upon C, Java(TM), and Perl with the intention of allowing web developers to write dynamically generated webpages quickly. +_PHP: Hypertext Preprocessor_ (PHP) is a general-purpose scripting language that is especially suited for web development. +Capable of being embedded into HTML, its syntax draws upon C, Java(TM), and Perl with the intention of allowing web developers to write dynamically generated webpages quickly. Support for PHP for Apache and any other feature written in the language, can be added by installing the appropriate port. @@ -1871,7 +2177,9 @@ For all supported versions, search the package database using `pkg`: # pkg search php .... -A list will be displayed including the versions and additional features they provide. The components are completely modular, meaning features are enabled by installing the appropriate port. To install PHP version 7.4 for Apache, issue the following command: +A list will be displayed including the versions and additional features they provide. +The components are completely modular, meaning features are enabled by installing the appropriate port. +To install PHP version 7.4 for Apache, issue the following command: [source,shell] .... @@ -1880,7 +2188,8 @@ A list will be displayed including the versions and additional features they pro If any dependency packages need to be installed, they will be installed as well. -By default, PHP will not be enabled. The following lines will need to be added to the Apache configuration file located in [.filename]#/usr/local/etc/apache24# to make it active: +By default, PHP will not be enabled. +The following lines will need to be added to the Apache configuration file located in [.filename]#/usr/local/etc/apache24# to make it active: [.programlisting] .... @@ -1894,7 +2203,8 @@ By default, PHP will not be enabled. The following lines will need to be added t In addition, the `DirectoryIndex` in the configuration file will also need to be updated and Apache will either need to be restarted or reloaded for the changes to take effect. -Support for many of the PHP features may also be installed by using `pkg`. For example, to install support for XML or SSL, install their respective ports: +Support for many of the PHP features may also be installed by using `pkg`. +For example, to install support for XML or SSL, install their respective ports: [source,shell] .... @@ -1910,7 +2220,8 @@ To perform a graceful restart to reload the configuration, issue the following c # apachectl graceful .... -Once the install is complete, there are two methods of obtaining the installed PHP support modules and the environmental information of the build. The first is to install the full PHP binary and running the command to gain the information: +Once the install is complete, there are two methods of obtaining the installed PHP support modules and the environmental information of the build. +The first is to install the full PHP binary and running the command to gain the information: [source,shell] .... @@ -1925,19 +2236,26 @@ Once the install is complete, there are two methods of obtaining the installed P It is necessary to pass the output to a pager, such as the `more` or `less` to easier digest the amount of output. -Finally, to make any changes to the global configuration of PHP there is a well documented file installed into [.filename]#/usr/local/etc/php.ini#. At the time of install, this file will not exist because there are two versions to choose from, one is [.filename]#php.ini-development# and the other is [.filename]#php.ini-production#. These are starting points to assist administrators in their deployment. +Finally, to make any changes to the global configuration of PHP there is a well documented file installed into [.filename]#/usr/local/etc/php.ini#. +At the time of install, this file will not exist because there are two versions to choose from, one is [.filename]#php.ini-development# and the other is [.filename]#php.ini-production#. +These are starting points to assist administrators in their deployment. ==== HTTP2 Support -Apache support for the HTTP2 protocol is included by default when installing the port with `pkg`. The new version of HTTP includes many improvements over the previous version, including utilizing a single connection to a website, reducing overall roundtrips of TCP connections. Also, packet header data is compressed and HTTP2 requires encryption by default. +Apache support for the HTTP2 protocol is included by default when installing the port with `pkg`. +The new version of HTTP includes many improvements over the previous version, including utilizing a single connection to a website, reducing overall roundtrips of TCP connections. +Also, packet header data is compressed and HTTP2 requires encryption by default. -When Apache is configured to only use HTTP2, web browsers will require secure, encrypted HTTPS connections. When Apache is configured to use both versions, HTTP1.1 will be considered a fall back option if any issues arise during the connection. +When Apache is configured to only use HTTP2, web browsers will require secure, encrypted HTTPS connections. +When Apache is configured to use both versions, HTTP1.1 will be considered a fall back option if any issues arise during the connection. -While this change does require administrators to make changes, they are positive and equate to a more secure Internet for everyone. The changes are only required for sites not currently implementing SSL and TLS. +While this change does require administrators to make changes, they are positive and equate to a more secure Internet for everyone. +The changes are only required for sites not currently implementing SSL and TLS. [NOTE] ==== -This configuration depends on the previous sections, including TLS support. It is recommended those instructions be followed before continuing with this configuration. +This configuration depends on the previous sections, including TLS support. +It is recommended those instructions be followed before continuing with this configuration. ==== Start the process by enabling the http2 module by uncommenting the line in [.filename]#/usr/local/etc/apache24/httpd.conf# and replace the mpm_prefork module with mpm_event as the former does not support HTTP2. @@ -1950,10 +2268,14 @@ LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so [NOTE] ==== -There is a separate [.filename]#mod_http2# port that is available. It exists to deliver security and bug fixes quicker than the module installed with the bundled [.filename]#apache24# port. It is not required for HTTP2 support but is available. When installed, the [.filename]#mod_h2.so# should be used in place of [.filename]#mod_http2.so# in the Apache configuration. +There is a separate [.filename]#mod_http2# port that is available. +It exists to deliver security and bug fixes quicker than the module installed with the bundled [.filename]#apache24# port. +It is not required for HTTP2 support but is available. +When installed, the [.filename]#mod_h2.so# should be used in place of [.filename]#mod_http2.so# in the Apache configuration. ==== -There are two methods to implement HTTP2 in Apache; one way is globally for all sites and each VirtualHost running on the system. To enable HTTP2 globally, add the following line under the ServerName directive: +There are two methods to implement HTTP2 in Apache; one way is globally for all sites and each VirtualHost running on the system. +To enable HTTP2 globally, add the following line under the ServerName directive: [.programlisting] .... @@ -1965,7 +2287,8 @@ Protocols h2 http/1.1 To enable HTTP2 over plaintext, use h2h2chttp/1.1 in the [.filename]#httpd.conf#. ==== -Having the h2c here will allow plaintext HTTP2 data to pass on the system but is not recommended. In addition, using the http/1.1 here will allow fallback to the HTTP1.1 version of the protocol should it be needed by the system. +Having the h2c here will allow plaintext HTTP2 data to pass on the system but is not recommended. +In addition, using the http/1.1 here will allow fallback to the HTTP1.1 version of the protocol should it be needed by the system. To enable HTTP2 for individual VirtualHosts, add the same line within the VirtualHost directive in either [.filename]#httpd.conf# or [.filename]#httpd-ssl.conf#. @@ -1988,19 +2311,27 @@ This should return something similar to the following: The other method is using the web browser's built in site debugger or `tcpdump`; however, using either method is beyond the scope of this document. -Support for HTTP2 reverse proxy connections by using the [.filename]#mod_proxy_http2.so# module. When configuring the ProxyPass or RewriteRules [P] statements, they should use h2:// for the connection. +Support for HTTP2 reverse proxy connections by using the [.filename]#mod_proxy_http2.so# module. +When configuring the ProxyPass or RewriteRules [P] statements, they should use h2:// for the connection. === Dynamic Websites -In addition to mod_perl and mod_php, other languages are available for creating dynamic web content. These include Django and Ruby on Rails. +In addition to mod_perl and mod_php, other languages are available for creating dynamic web content. +These include Django and Ruby on Rails. ==== Django -Django is a BSD-licensed framework designed to allow developers to write high performance, elegant web applications quickly. It provides an object-relational mapper so that data types are developed as Python objects. A rich dynamic database-access API is provided for those objects without the developer ever having to write SQL. It also provides an extensible template system so that the logic of the application is separated from the HTML presentation. +Django is a BSD-licensed framework designed to allow developers to write high performance, elegant web applications quickly. +It provides an object-relational mapper so that data types are developed as Python objects. +A rich dynamic database-access API is provided for those objects without the developer ever having to write SQL. +It also provides an extensible template system so that the logic of the application is separated from the HTML presentation. -Django depends on [.filename]#mod_python#, and an SQL database engine. In FreeBSD, the package:www/py-django[] port automatically installs [.filename]#mod_python# and supports the PostgreSQL, MySQL, or SQLite databases, with the default being SQLite. To change the database engine, type `make config` within [.filename]#/usr/ports/www/py-django#, then install the port. +Django depends on [.filename]#mod_python#, and an SQL database engine. +In FreeBSD, the package:www/py-django[] port automatically installs [.filename]#mod_python# and supports the PostgreSQL, MySQL, or SQLite databases, with the default being SQLite. +To change the database engine, type `make config` within [.filename]#/usr/ports/www/py-django#, then install the port. -Once Django is installed, the application will need a project directory along with the Apache configuration in order to use the embedded Python interpreter. This interpreter is used to call the application for specific URLs on the site. +Once Django is installed, the application will need a project directory along with the Apache configuration in order to use the embedded Python interpreter. +This interpreter is used to call the application for specific URLs on the site. To configure Apache to pass requests for certain URLs to the web application, add the following to [.filename]#httpd.conf#, specifying the full path to the project directory: @@ -2020,26 +2351,42 @@ Refer to https://docs.djangoproject.com[https://docs.djangoproject.com] for more ==== Ruby on Rails -Ruby on Rails is another open source web framework that provides a full development stack. It is optimized to make web developers more productive and capable of writing powerful applications quickly. On FreeBSD, it can be installed using the package:www/rubygem-rails[] package or port. +Ruby on Rails is another open source web framework that provides a full development stack. +It is optimized to make web developers more productive and capable of writing powerful applications quickly. +On FreeBSD, it can be installed using the package:www/rubygem-rails[] package or port. Refer to http://guides.rubyonrails.org[http://guides.rubyonrails.org] for more information on how to use Ruby on Rails. [[network-ftp]] == File Transfer Protocol (FTP) -The File Transfer Protocol (FTP) provides users with a simple way to transfer files to and from an FTP server. FreeBSD includes FTP server software, ftpd, in the base system. +The File Transfer Protocol (FTP) provides users with a simple way to transfer files to and from an FTP server. +FreeBSD includes FTP server software, ftpd, in the base system. -FreeBSD provides several configuration files for controlling access to the FTP server. This section summarizes these files. Refer to man:ftpd[8] for more details about the built-in FTP server. +FreeBSD provides several configuration files for controlling access to the FTP server. +This section summarizes these files. +Refer to man:ftpd[8] for more details about the built-in FTP server. === Configuration -The most important configuration step is deciding which accounts will be allowed access to the FTP server. A FreeBSD system has a number of system accounts which should not be allowed FTP access. The list of users disallowed any FTP access can be found in [.filename]#/etc/ftpusers#. By default, it includes system accounts. Additional users that should not be allowed access to FTP can be added. +The most important configuration step is deciding which accounts will be allowed access to the FTP server. +A FreeBSD system has a number of system accounts which should not be allowed FTP access. +The list of users disallowed any FTP access can be found in [.filename]#/etc/ftpusers#. By default, it includes system accounts. +Additional users that should not be allowed access to FTP can be added. -In some cases it may be desirable to restrict the access of some users without preventing them completely from using FTP. This can be accomplished be creating [.filename]#/etc/ftpchroot# as described in man:ftpchroot[5]. This file lists users and groups subject to FTP access restrictions. +In some cases it may be desirable to restrict the access of some users without preventing them completely from using FTP. +This can be accomplished be creating [.filename]#/etc/ftpchroot# as described in man:ftpchroot[5]. +This file lists users and groups subject to FTP access restrictions. -To enable anonymous FTP access to the server, create a user named `ftp` on the FreeBSD system. Users will then be able to log on to the FTP server with a username of `ftp` or `anonymous`. When prompted for the password, any input will be accepted, but by convention, an email address should be used as the password. The FTP server will call man:chroot[2] when an anonymous user logs in, to restrict access to only the home directory of the `ftp` user. +To enable anonymous FTP access to the server, create a user named `ftp` on the FreeBSD system. +Users will then be able to log on to the FTP server with a username of `ftp` or `anonymous`. +When prompted for the password, any input will be accepted, but by convention, an email address should be used as the password. +The FTP server will call man:chroot[2] when an anonymous user logs in, to restrict access to only the home directory of the `ftp` user. -There are two text files that can be created to specify welcome messages to be displayed to FTP clients. The contents of [.filename]#/etc/ftpwelcome# will be displayed to users before they reach the login prompt. After a successful login, the contents of [.filename]#/etc/ftpmotd# will be displayed. Note that the path to this file is relative to the login environment, so the contents of [.filename]#~ftp/etc/ftpmotd# would be displayed for anonymous users. +There are two text files that can be created to specify welcome messages to be displayed to FTP clients. +The contents of [.filename]#/etc/ftpwelcome# will be displayed to users before they reach the login prompt. +After a successful login, the contents of [.filename]#/etc/ftpmotd# will be displayed. +Note that the path to this file is relative to the login environment, so the contents of [.filename]#~ftp/etc/ftpmotd# would be displayed for anonymous users. Once the FTP server has been configured, set the appropriate variable in [.filename]#/etc/rc.conf# to start the service during boot: @@ -2062,7 +2409,9 @@ Test the connection to the FTP server by typing: % ftp localhost .... -The ftpd daemon uses man:syslog[3] to log messages. By default, the system log daemon will write messages related to FTP in [.filename]#/var/log/xferlog#. The location of the FTP log can be modified by changing the following line in [.filename]#/etc/syslog.conf#: +The ftpd daemon uses man:syslog[3] to log messages. +By default, the system log daemon will write messages related to FTP in [.filename]#/var/log/xferlog#. +The location of the FTP log can be modified by changing the following line in [.filename]#/etc/syslog.conf#: [.programlisting] .... @@ -2072,23 +2421,34 @@ ftp.info /var/log/xferlog [NOTE] ==== -Be aware of the potential problems involved with running an anonymous FTP server. In particular, think twice about allowing anonymous users to upload files. It may turn out that the FTP site becomes a forum for the trade of unlicensed commercial software or worse. If anonymous FTP uploads are required, then verify the permissions so that these files cannot be read by other anonymous users until they have been reviewed by an administrator. +Be aware of the potential problems involved with running an anonymous FTP server. +In particular, think twice about allowing anonymous users to upload files. +It may turn out that the FTP site becomes a forum for the trade of unlicensed commercial software or worse. +If anonymous FTP uploads are required, then verify the permissions so that these files cannot be read by other anonymous users until they have been reviewed by an administrator. ==== [[network-samba]] == File and Print Services for Microsoft(R) Windows(R) Clients (Samba) -Samba is a popular open source software package that provides file and print services using the SMB/CIFS protocol. This protocol is built into Microsoft(R) Windows(R) systems. It can be added to non-Microsoft(R) Windows(R) systems by installing the Samba client libraries. The protocol allows clients to access shared data and printers. These shares can be mapped as a local disk drive and shared printers can be used as if they were local printers. +Samba is a popular open source software package that provides file and print services using the SMB/CIFS protocol. +This protocol is built into Microsoft(R) Windows(R) systems. +It can be added to non-Microsoft(R) Windows(R) systems by installing the Samba client libraries. +The protocol allows clients to access shared data and printers. +These shares can be mapped as a local disk drive and shared printers can be used as if they were local printers. -On FreeBSD, the Samba client libraries can be installed using the package:net/samba413[] port or package. The client provides the ability for a FreeBSD system to access SMB/CIFS shares in a Microsoft(R) Windows(R) network. +On FreeBSD, the Samba client libraries can be installed using the package:net/samba413[] port or package. +The client provides the ability for a FreeBSD system to access SMB/CIFS shares in a Microsoft(R) Windows(R) network. -A FreeBSD system can also be configured to act as a Samba server by installing the same package:net/samba413[] port or package. This allows the administrator to create SMB/CIFS shares on the FreeBSD system which can be accessed by clients running Microsoft(R) Windows(R) or the Samba client libraries. +A FreeBSD system can also be configured to act as a Samba server by installing the same package:net/samba413[] port or package. +This allows the administrator to create SMB/CIFS shares on the FreeBSD system which can be accessed by clients running Microsoft(R) Windows(R) or the Samba client libraries. === Server Configuration -Samba is configured in [.filename]#/usr/local/etc/smb4.conf#. This file must be created before Samba can be used. +Samba is configured in [.filename]#/usr/local/etc/smb4.conf#. +This file must be created before Samba can be used. -A simple [.filename]#smb4.conf# to share directories and printers with Windows(R) clients in a workgroup is shown here. For more complex setups involving LDAP or Active Directory, it is easier to use man:samba-tool[8] to create the initial [.filename]#smb4.conf#. +A simple [.filename]#smb4.conf# to share directories and printers with Windows(R) clients in a workgroup is shown here. +For more complex setups involving LDAP or Active Directory, it is easier to use man:samba-tool[8] to create the initial [.filename]#smb4.conf#. [.programlisting] .... @@ -2122,38 +2482,49 @@ Settings that describe the network are added in [.filename]#/usr/local/etc/smb4. The name of the workgroup to be served. `netbios name`:: -The NetBIOS name by which a Samba server is known. By default, it is the same as the first component of the host's DNS name. +The NetBIOS name by which a Samba server is known. +By default, it is the same as the first component of the host's DNS name. `server string`:: The string that will be displayed in the output of `net view` and some other networking tools that seek to display descriptive text about the server. `wins support`:: -Whether Samba will act as a WINS server. Do not enable support for WINS on more than one server on the network. +Whether Samba will act as a WINS server. +Do not enable support for WINS on more than one server on the network. ==== Security Settings -The most important settings in [.filename]#/usr/local/etc/smb4.conf# are the security model and the backend password format. These directives control the options: +The most important settings in [.filename]#/usr/local/etc/smb4.conf# are the security model and the backend password format. +These directives control the options: `security`:: -The most common settings are `security = share` and `security = user`. If the clients use usernames that are the same as their usernames on the FreeBSD machine, user level security should be used. This is the default security policy and it requires clients to first log on before they can access shared resources. +The most common settings are `security = share` and `security = user`. +If the clients use usernames that are the same as their usernames on the FreeBSD machine, user level security should be used. +This is the default security policy and it requires clients to first log on before they can access shared resources. + -In share level security, clients do not need to log onto the server with a valid username and password before attempting to connect to a shared resource. This was the default security model for older versions of Samba. +In share level security, clients do not need to log onto the server with a valid username and password before attempting to connect to a shared resource. +This was the default security model for older versions of Samba. `passdb backend`:: -Samba has several different backend authentication models. Clients may be authenticated with LDAP, NIS+, an SQL database, or a modified password file. The recommended authentication method, `tdbsam`, is ideal for simple networks and is covered here. For larger or more complex networks, `ldapsam` is recommended. `smbpasswd` was the former default and is now obsolete. - +Samba has several different backend authentication models. +Clients may be authenticated with LDAP, NIS+, an SQL database, or a modified password file. +The recommended authentication method, `tdbsam`, is ideal for simple networks and is covered here. +For larger or more complex networks, `ldapsam` is recommended. +`smbpasswd` was the former default and is now obsolete. ==== Samba Users -FreeBSD user accounts must be mapped to the `SambaSAMAccount` database for Windows(R) clients to access the share. Map existing FreeBSD user accounts using man:pdbedit[8]: +FreeBSD user accounts must be mapped to the `SambaSAMAccount` database for Windows(R) clients to access the share. +Map existing FreeBSD user accounts using man:pdbedit[8]: [source,shell] .... # pdbedit -a username .... -This section has only mentioned the most commonly used settings. Refer to the https://wiki.samba.org[Official Samba Wiki] for additional information about the available configuration options. +This section has only mentioned the most commonly used settings. +Refer to the https://wiki.samba.org[Official Samba Wiki] for additional information about the available configuration options. === Starting Samba @@ -2174,7 +2545,9 @@ Starting nmbd. Starting smbd. .... -Samba consists of three separate daemons. Both the nmbd and smbd daemons are started by `samba_enable`. If winbind name resolution is also required, set: +Samba consists of three separate daemons. +Both the nmbd and smbd daemons are started by `samba_enable`. +If winbind name resolution is also required, set: [.programlisting] .... @@ -2188,31 +2561,46 @@ Samba can be stopped at any time by typing: # service samba_server stop .... -Samba is a complex software suite with functionality that allows broad integration with Microsoft(R) Windows(R) networks. For more information about functionality beyond the basic configuration described here, refer to https://www.samba.org[https://www.samba.org]. +Samba is a complex software suite with functionality that allows broad integration with Microsoft(R) Windows(R) networks. +For more information about functionality beyond the basic configuration described here, refer to https://www.samba.org[https://www.samba.org]. [[network-ntp]] == Clock Synchronization with NTP -Over time, a computer's clock is prone to drift. This is problematic as many network services require the computers on a network to share the same accurate time. Accurate time is also needed to ensure that file timestamps stay consistent. The Network Time Protocol (NTP) is one way to provide clock accuracy in a network. +Over time, a computer's clock is prone to drift. +This is problematic as many network services require the computers on a network to share the same accurate time. +Accurate time is also needed to ensure that file timestamps stay consistent. +The Network Time Protocol (NTP) is one way to provide clock accuracy in a network. FreeBSD includes man:ntpd[8] which can be configured to query other NTP servers to synchronize the clock on that machine or to provide time services to other computers in the network. -This section describes how to configure ntpd on FreeBSD. Further documentation can be found in [.filename]#/usr/share/doc/ntp/# in HTML format. +This section describes how to configure ntpd on FreeBSD. +Further documentation can be found in [.filename]#/usr/share/doc/ntp/# in HTML format. === NTP Configuration -On FreeBSD, the built-in ntpd can be used to synchronize a system's clock. Ntpd is configured using man:rc.conf[5] variables and [.filename]#/etc/ntp.conf#, as detailed in the following sections. +On FreeBSD, the built-in ntpd can be used to synchronize a system's clock. +Ntpd is configured using man:rc.conf[5] variables and [.filename]#/etc/ntp.conf#, as detailed in the following sections. -Ntpd communicates with its network peers using UDP packets. Any firewalls between your machine and its NTP peers must be configured to allow UDP packets in and out on port 123. +Ntpd communicates with its network peers using UDP packets. +Any firewalls between your machine and its NTP peers must be configured to allow UDP packets in and out on port 123. ==== The [.filename]#/etc/ntp.conf# file -Ntpd reads [.filename]#/etc/ntp.conf# to determine which NTP servers to query. Choosing several NTP servers is recommended in case one of the servers becomes unreachable or its clock proves unreliable. As ntpd receives responses, it favors reliable servers over the less reliable ones. The servers which are queried can be local to the network, provided by an ISP, or selected from an http://support.ntp.org/bin/view/Servers/WebHome[ online list of publicly accessible NTP servers]. When choosing a public NTP server, select one that is geographically close and review its usage policy. The `pool` configuration keyword selects one or more servers from a pool of servers. An http://support.ntp.org/bin/view/Servers/NTPPoolServers[ online list of publicly accessible NTP pools] is available, organized by geographic area. In addition, FreeBSD provides a project-sponsored pool, `0.freebsd.pool.ntp.org`. +Ntpd reads [.filename]#/etc/ntp.conf# to determine which NTP servers to query. +Choosing several NTP servers is recommended in case one of the servers becomes unreachable or its clock proves unreliable. +As ntpd receives responses, it favors reliable servers over the less reliable ones. +The servers which are queried can be local to the network, provided by an ISP, or selected from an http://support.ntp.org/bin/view/Servers/WebHome[ online list of publicly accessible NTP servers]. +When choosing a public NTP server, select one that is geographically close and review its usage policy. +The `pool` configuration keyword selects one or more servers from a pool of servers. +An http://support.ntp.org/bin/view/Servers/NTPPoolServers[ online list of publicly accessible NTP pools] is available, organized by geographic area. +In addition, FreeBSD provides a project-sponsored pool, `0.freebsd.pool.ntp.org`. .Sample [.filename]#/etc/ntp.conf# [example] ==== -This is a simple example of an [.filename]#ntp.conf# file. It can safely be used as-is; it contains the recommended `restrict` options for operation on a publicly-accessible network connection. +This is a simple example of an [.filename]#ntp.conf# file. +It can safely be used as-is; it contains the recommended `restrict` options for operation on a publicly-accessible network connection. [.programlisting] .... @@ -2239,26 +2627,41 @@ leapfile "/var/db/ntpd.leap-seconds.list" ==== -The format of this file is described in man:ntp.conf[5]. The descriptions below provide a quick overview of just the keywords used in the sample file above. +The format of this file is described in man:ntp.conf[5]. +The descriptions below provide a quick overview of just the keywords used in the sample file above. -By default, an NTP server is accessible to any network host. The `restrict` keyword controls which systems can access the server. Multiple `restrict` entries are supported, each one refining the restrictions given in previous statements. The values shown in the example grant the local system full query and control access, while allowing remote systems only the ability to query the time. For more details, refer to the `Access Control Support` subsection of man:ntp.conf[5]. +By default, an NTP server is accessible to any network host. +The `restrict` keyword controls which systems can access the server. +Multiple `restrict` entries are supported, each one refining the restrictions given in previous statements. +The values shown in the example grant the local system full query and control access, while allowing remote systems only the ability to query the time. +For more details, refer to the `Access Control Support` subsection of man:ntp.conf[5]. -The `server` keyword specifies a single server to query. The file can contain multiple server keywords, with one server listed on each line. The `pool` keyword specifies a pool of servers. Ntpd will add one or more servers from this pool as needed to reach the number of peers specified using the `tos minclock` value. The `iburst` keyword directs ntpd to perform a burst of eight quick packet exchanges with a server when contact is first established, to help quickly synchronize system time. +The `server` keyword specifies a single server to query. +The file can contain multiple server keywords, with one server listed on each line. +The `pool` keyword specifies a pool of servers. +Ntpd will add one or more servers from this pool as needed to reach the number of peers specified using the `tos minclock` value. +The `iburst` keyword directs ntpd to perform a burst of eight quick packet exchanges with a server when contact is first established, to help quickly synchronize system time. -The `leapfile` keyword specifies the location of a file containing information about leap seconds. The file is updated automatically by man:periodic[8]. The file location specified by this keyword must match the location set in the `ntp_db_leapfile` variable in [.filename]#/etc/rc.conf#. +The `leapfile` keyword specifies the location of a file containing information about leap seconds. +The file is updated automatically by man:periodic[8]. +The file location specified by this keyword must match the location set in the `ntp_db_leapfile` variable in [.filename]#/etc/rc.conf#. ==== NTP entries in [.filename]#/etc/rc.conf# -Set `ntpd_enable=YES` to start ntpd at boot time. Once `ntpd_enable=YES` has been added to [.filename]#/etc/rc.conf#, ntpd can be started immediately without rebooting the system by typing: +Set `ntpd_enable=YES` to start ntpd at boot time. +Once `ntpd_enable=YES` has been added to [.filename]#/etc/rc.conf#, ntpd can be started immediately without rebooting the system by typing: [source,shell] .... # service ntpd start .... -Only `ntpd_enable` must be set to use ntpd. The [.filename]#rc.conf# variables listed below may also be set as needed. +Only `ntpd_enable` must be set to use ntpd. +The [.filename]#rc.conf# variables listed below may also be set as needed. -Set `ntpd_sync_on_start=YES` to allow ntpd to step the clock any amount, one time at startup. Normally ntpd will log an error message and exit if the clock is off by more than 1000 seconds. This option is especially useful on systems without a battery-backed realtime clock. +Set `ntpd_sync_on_start=YES` to allow ntpd to step the clock any amount, one time at startup. +Normally ntpd will log an error message and exit if the clock is off by more than 1000 seconds. +This option is especially useful on systems without a battery-backed realtime clock. Set `ntpd_oomprotect=YES` to protect the ntpd daemon from being killed by the system attempting to recover from an Out Of Memory (OOM) condition. @@ -2272,7 +2675,11 @@ Set `ntpd_flags=` to contain any other ntpd flags as needed, but avoid using the ==== Ntpd and the unpriveleged `ntpd` user -Ntpd on FreeBSD can start and run as an unpriveleged user. Doing so requires the man:mac_ntpd[4] policy module. The [.filename]#/etc/rc.d/ntpd# startup script first examines the NTP configuration. If possible, it loads the `mac_ntpd` module, then starts ntpd as unpriveleged user `ntpd` (user id 123). To avoid problems with file and directory access, the startup script will not automatically start ntpd as `ntpd` when the configuration contains any file-related options. +Ntpd on FreeBSD can start and run as an unpriveleged user. +Doing so requires the man:mac_ntpd[4] policy module. +The [.filename]#/etc/rc.d/ntpd# startup script first examines the NTP configuration. +If possible, it loads the `mac_ntpd` module, then starts ntpd as unpriveleged user `ntpd` (user id 123). +To avoid problems with file and directory access, the startup script will not automatically start ntpd as `ntpd` when the configuration contains any file-related options. The presence of any of the following in `ntpd_flags` requires manual configuration as described below to run as the `ntpd` user: @@ -2296,10 +2703,11 @@ To manually configure ntpd to run as user `ntpd` you must: * Arrange for the `mac_ntpd` module to be loaded or compiled into the kernel. See man:mac_ntpd[4] for details. * Set `ntpd_user="ntpd"` in [.filename]#/etc/rc.conf# - === Using NTP with a PPP Connection -ntpd does not need a permanent connection to the Internet to function properly. However, if a PPP connection is configured to dial out on demand, NTP traffic should be prevented from triggering a dial out or keeping the connection alive. This can be configured with `filter` directives in [.filename]#/etc/ppp/ppp.conf#. For example: +ntpd does not need a permanent connection to the Internet to function properly. +However, if a PPP connection is configured to dial out on demand, NTP traffic should be prevented from triggering a dial out or keeping the connection alive. +This can be configured with `filter` directives in [.filename]#/etc/ppp/ppp.conf#. For example: [.programlisting] .... @@ -2317,28 +2725,33 @@ For more details, refer to the `PACKET FILTERING` section in man:ppp[8] and the [NOTE] ==== - Some Internet access providers block low-numbered ports, preventing NTP from functioning since replies never reach the machine. ==== - [[network-iscsi]] == iSCSI Initiator and Target Configuration -iSCSI is a way to share storage over a network. Unlike NFS, which works at the file system level, iSCSI works at the block device level. +iSCSI is a way to share storage over a network. +Unlike NFS, which works at the file system level, iSCSI works at the block device level. -In iSCSI terminology, the system that shares the storage is known as the _target_. The storage can be a physical disk, or an area representing multiple disks or a portion of a physical disk. For example, if the disk(s) are formatted with ZFS, a zvol can be created to use as the iSCSI storage. +In iSCSI terminology, the system that shares the storage is known as the _target_. +The storage can be a physical disk, or an area representing multiple disks or a portion of a physical disk. +For example, if the disk(s) are formatted with ZFS, a zvol can be created to use as the iSCSI storage. -The clients which access the iSCSI storage are called _initiators_. To initiators, the storage available through iSCSI appears as a raw, unformatted disk known as a LUN. Device nodes for the disk appear in [.filename]#/dev/# and the device must be separately formatted and mounted. +The clients which access the iSCSI storage are called _initiators_. +To initiators, the storage available through iSCSI appears as a raw, unformatted disk known as a LUN. +Device nodes for the disk appear in [.filename]#/dev/# and the device must be separately formatted and mounted. -FreeBSD provides a native, kernel-based iSCSI target and initiator. This section describes how to configure a FreeBSD system as a target or an initiator. +FreeBSD provides a native, kernel-based iSCSI target and initiator. +This section describes how to configure a FreeBSD system as a target or an initiator. [[network-iscsi-target]] === Configuring an iSCSI Target To configure an iSCSI target, create the [.filename]#/etc/ctl.conf# configuration file, add a line to [.filename]#/etc/rc.conf# to make sure the man:ctld[8] daemon is automatically started at boot, and then start the daemon. -The following is an example of a simple [.filename]#/etc/ctl.conf# configuration file. Refer to man:ctl.conf[5] for a more complete description of this file's available options. +The following is an example of a simple [.filename]#/etc/ctl.conf# configuration file. +Refer to man:ctl.conf[5] for a more complete description of this file's available options. [.programlisting] .... @@ -2359,15 +2772,31 @@ target iqn.2012-06.com.example:target0 { } .... -The first entry defines the `pg0` portal group. Portal groups define which network addresses the man:ctld[8] daemon will listen on. The `discovery-auth-group no-authentication` entry indicates that any initiator is allowed to perform iSCSI target discovery without authentication. Lines three and four configure man:ctld[8] to listen on all IPv4 (`listen 0.0.0.0`) and IPv6 (`listen [::]`) addresses on the default port of 3260. +The first entry defines the `pg0` portal group. +Portal groups define which network addresses the man:ctld[8] daemon will listen on. +The `discovery-auth-group no-authentication` entry indicates that any initiator is allowed to perform iSCSI target discovery without authentication. +Lines three and four configure man:ctld[8] to listen on all IPv4 (`listen 0.0.0.0`) and IPv6 (`listen [::]`) addresses on the default port of 3260. -It is not necessary to define a portal group as there is a built-in portal group called `default`. In this case, the difference between `default` and `pg0` is that with `default`, target discovery is always denied, while with `pg0`, it is always allowed. +It is not necessary to define a portal group as there is a built-in portal group called `default`. +In this case, the difference between `default` and `pg0` is that with `default`, target discovery is always denied, while with `pg0`, it is always allowed. -The second entry defines a single target. Target has two possible meanings: a machine serving iSCSI or a named group of LUNs. This example uses the latter meaning, where `iqn.2012-06.com.example:target0` is the target name. This target name is suitable for testing purposes. For actual use, change `com.example` to the real domain name, reversed. The `2012-06` represents the year and month of acquiring control of that domain name, and `target0` can be any value. Any number of targets can be defined in this configuration file. +The second entry defines a single target. +Target has two possible meanings: a machine serving iSCSI or a named group of LUNs. +This example uses the latter meaning, where `iqn.2012-06.com.example:target0` is the target name. +This target name is suitable for testing purposes. +For actual use, change `com.example` to the real domain name, reversed. +The `2012-06` represents the year and month of acquiring control of that domain name, and `target0` can be any value. +Any number of targets can be defined in this configuration file. The `auth-group no-authentication` line allows all initiators to connect to the specified target and `portal-group pg0` makes the target reachable through the `pg0` portal group. -The next section defines the LUN. To the initiator, each LUN will be visible as a separate disk device. Multiple LUNs can be defined for each target. Each LUN is identified by a number, where LUN 0 is mandatory. The `path /data/target0-0` line defines the full path to a file or zvol backing the LUN. That path must exist before starting man:ctld[8]. The second line is optional and specifies the size of the LUN. +The next section defines the LUN. +To the initiator, each LUN will be visible as a separate disk device. +Multiple LUNs can be defined for each target. +Each LUN is identified by a number, where LUN 0 is mandatory. +The `path /data/target0-0` line defines the full path to a file or zvol backing the LUN. +That path must exist before starting man:ctld[8]. +The second line is optional and specifies the size of the LUN. Next, to make sure the man:ctld[8] daemon is started at boot, add this line to [.filename]#/etc/rc.conf#: @@ -2383,7 +2812,8 @@ To start man:ctld[8] now, run this command: # service ctld start .... -As the man:ctld[8] daemon is started, it reads [.filename]#/etc/ctl.conf#. If this file is edited after the daemon starts, use this command so that the changes take effect immediately: +As the man:ctld[8] daemon is started, it reads [.filename]#/etc/ctl.conf#. +If this file is edited after the daemon starts, use this command so that the changes take effect immediately: [source,shell] .... @@ -2393,7 +2823,8 @@ As the man:ctld[8] daemon is started, it reads [.filename]#/etc/ctl.conf#. If th ==== Authentication -The previous example is inherently insecure as it uses no authentication, granting anyone full access to all targets. To require a username and password to access targets, modify the configuration as follows: +The previous example is inherently insecure as it uses no authentication, granting anyone full access to all targets. +To require a username and password to access targets, modify the configuration as follows: [.programlisting] .... @@ -2418,9 +2849,13 @@ target iqn.2012-06.com.example:target0 { } .... -The `auth-group` section defines username and password pairs. An initiator trying to connect to `iqn.2012-06.com.example:target0` must first specify a defined username and secret. However, target discovery is still permitted without authentication. To require target discovery authentication, set `discovery-auth-group` to a defined `auth-group` name instead of `no-authentication`. +The `auth-group` section defines username and password pairs. +An initiator trying to connect to `iqn.2012-06.com.example:target0` must first specify a defined username and secret. +However, target discovery is still permitted without authentication. +To require target discovery authentication, set `discovery-auth-group` to a defined `auth-group` name instead of `no-authentication`. -It is common to define a single exported target for every initiator. As a shorthand for the syntax above, the username and password can be specified directly in the target entry: +It is common to define a single exported target for every initiator. +As a shorthand for the syntax above, the username and password can be specified directly in the target entry: [.programlisting] .... @@ -2441,11 +2876,13 @@ target iqn.2012-06.com.example:target0 { [NOTE] ==== - -The iSCSI initiator described in this section is supported starting with FreeBSD 10.0-RELEASE. To use the iSCSI initiator available in older versions, refer to man:iscontrol[8]. +The iSCSI initiator described in this section is supported starting with FreeBSD 10.0-RELEASE. +To use the iSCSI initiator available in older versions, refer to man:iscontrol[8]. ==== -The iSCSI initiator requires that the man:iscsid[8] daemon is running. This daemon does not use a configuration file. To start it automatically at boot, add this line to [.filename]#/etc/rc.conf#: +The iSCSI initiator requires that the man:iscsid[8] daemon is running. +This daemon does not use a configuration file. +To start it automatically at boot, add this line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -2459,7 +2896,8 @@ To start man:iscsid[8] now, run this command: # service iscsid start .... -Connecting to a target can be done with or without an [.filename]#/etc/iscsi.conf# configuration file. This section demonstrates both types of connections. +Connecting to a target can be done with or without an [.filename]#/etc/iscsi.conf# configuration file. +This section demonstrates both types of connections. ==== Connecting to a Target Without a Configuration File @@ -2470,7 +2908,8 @@ To connect an initiator to a single target, specify the IP address of the portal # iscsictl -A -p 10.10.10.10 -t iqn.2012-06.com.example:target0 .... -To verify if the connection succeeded, run `iscsictl` without any arguments. The output should look similar to this: +To verify if the connection succeeded, run `iscsictl` without any arguments. +The output should look similar to this: [.programlisting] .... @@ -2478,14 +2917,16 @@ Target name Target portal State iqn.2012-06.com.example:target0 10.10.10.10 Connected: da0 .... -In this example, the iSCSI session was successfully established, with [.filename]#/dev/da0# representing the attached LUN. If the `iqn.2012-06.com.example:target0` target exports more than one LUN, multiple device nodes will be shown in that section of the output: +In this example, the iSCSI session was successfully established, with [.filename]#/dev/da0# representing the attached LUN. +If the `iqn.2012-06.com.example:target0` target exports more than one LUN, multiple device nodes will be shown in that section of the output: [source,shell] .... Connected: da0 da1 da2. .... -Any errors will be reported in the output, as well as the system logs. For example, this message usually means that the man:iscsid[8] daemon is not running: +Any errors will be reported in the output, as well as the system logs. +For example, this message usually means that the man:iscsid[8] daemon is not running: [.programlisting] .... @@ -2540,7 +2981,11 @@ t0 { } .... -The `t0` specifies a nickname for the configuration file section. It will be used by the initiator to specify which configuration to use. The other lines specify the parameters to use during connection. The `TargetAddress` and `TargetName` are mandatory, whereas the other options are optional. In this example, the CHAP username and secret are shown. +The `t0` specifies a nickname for the configuration file section. +It will be used by the initiator to specify which configuration to use. +The other lines specify the parameters to use during connection. +The `TargetAddress` and `TargetName` are mandatory, whereas the other options are optional. +In this example, the CHAP username and secret are shown. To connect to the defined target, specify the nickname: diff --git a/documentation/content/en/books/handbook/parti.adoc b/documentation/content/en/books/handbook/parti.adoc index ba83f3a301..82e96af93b 100644 --- a/documentation/content/en/books/handbook/parti.adoc +++ b/documentation/content/en/books/handbook/parti.adoc @@ -7,7 +7,8 @@ next: books/handbook/introduction [[getting-started]] = Getting Started -This part of the handbook is for users and administrators who are new to FreeBSD. These chapters: +This part of the handbook is for users and administrators who are new to FreeBSD. +These chapters: * Introduce FreeBSD. * Guide readers through the installation process. diff --git a/documentation/content/en/books/handbook/partii.adoc b/documentation/content/en/books/handbook/partii.adoc index 5af3c53d23..8948169299 100644 --- a/documentation/content/en/books/handbook/partii.adoc +++ b/documentation/content/en/books/handbook/partii.adoc @@ -7,7 +7,8 @@ next: books/handbook/desktop [[common-tasks]] = Common Tasks -Now that the basics have been covered, this part of the book discusses some frequently used features of FreeBSD. These chapters: +Now that the basics have been covered, this part of the book discusses some frequently used features of FreeBSD. +These chapters: * Introduce popular and useful desktop applications: browsers, productivity tools, document viewers, and more. * Introduce a number of multimedia tools available for FreeBSD. diff --git a/documentation/content/en/books/handbook/partiii.adoc b/documentation/content/en/books/handbook/partiii.adoc index 1a4864fdcb..c2227bc7b0 100644 --- a/documentation/content/en/books/handbook/partiii.adoc +++ b/documentation/content/en/books/handbook/partiii.adoc @@ -7,8 +7,11 @@ next: books/handbook/config [[system-administration]] = System Administration -The remaining chapters cover all aspects of FreeBSD system administration. Each chapter starts by describing what will be learned as a result of reading the chapter, and also details what the reader is expected to know before tackling the material. +The remaining chapters cover all aspects of FreeBSD system administration. +Each chapter starts by describing what will be learned as a result of reading the chapter, +and also details what the reader is expected to know before tackling the material. -These chapters are designed to be read as the information is needed. They do not need to be read in any particular order, nor must all of them be read before beginning to use FreeBSD. +These chapters are designed to be read as the information is needed. +They do not need to be read in any particular order, nor must all of them be read before beginning to use FreeBSD. include::content/en/books/handbook/toc-3.adoc[] diff --git a/documentation/content/en/books/handbook/partiv.adoc b/documentation/content/en/books/handbook/partiv.adoc index c005c05a82..46ca1c5725 100644 --- a/documentation/content/en/books/handbook/partiv.adoc +++ b/documentation/content/en/books/handbook/partiv.adoc @@ -7,7 +7,8 @@ next: books/handbook/serialcomms [[network-communication]] = Network Communication -FreeBSD is one of the most widely deployed operating systems for high performance network servers. The chapters in this part cover: +FreeBSD is one of the most widely deployed operating systems for high performance network servers. +The chapters in this part cover: * Serial communication * `PPP` and `PPP` over Ethernet @@ -16,6 +17,7 @@ FreeBSD is one of the most widely deployed operating systems for high performanc * Firewalls * Other Advanced Networking Topics -These chapters are designed to be read when the information is needed. They do not need to be read in any particular order, nor is it necessary to read all of them before using FreeBSD in a network environment. +These chapters are designed to be read when the information is needed. +They do not need to be read in any particular order, nor is it necessary to read all of them before using FreeBSD in a network environment. include::content/en/books/handbook/toc-4.adoc[] diff --git a/documentation/content/en/books/handbook/pgpkeys/_index.adoc b/documentation/content/en/books/handbook/pgpkeys/_index.adoc index ff7404be9a..a9833f66c1 100644 --- a/documentation/content/en/books/handbook/pgpkeys/_index.adoc +++ b/documentation/content/en/books/handbook/pgpkeys/_index.adoc @@ -30,7 +30,10 @@ include::shared/en/urls.adoc[] :pgpkeys-path: -The OpenPGP keys of the `FreeBSD.org` officers are shown here. These keys can be used to verify a signature or send encrypted email to one of the officers. A full list of FreeBSD OpenPGP keys is available in the link:{pgpkeys}[PGP Keys] article. The complete keyring can be downloaded at link:https://docs.FreeBSD.org/pgpkeys/pgpkeys.txt[pgpkeyring.txt]. +The OpenPGP keys of the `FreeBSD.org` officers are shown here. +These keys can be used to verify a signature or send encrypted email to one of the officers. +A full list of FreeBSD OpenPGP keys is available in the link:{pgpkeys}[PGP Keys] article. +The complete keyring can be downloaded at link:https://docs.FreeBSD.org/pgpkeys/pgpkeys.txt[pgpkeyring.txt]. [[pgpkeys-officers]] == Officers diff --git a/documentation/content/en/books/handbook/ports/_index.adoc b/documentation/content/en/books/handbook/ports/_index.adoc index b263d8d3e5..abb1380d72 100644 --- a/documentation/content/en/books/handbook/ports/_index.adoc +++ b/documentation/content/en/books/handbook/ports/_index.adoc @@ -46,7 +46,10 @@ toc::[] [[ports-synopsis]] == Synopsis -FreeBSD is bundled with a rich collection of system tools as part of the base system. In addition, FreeBSD provides two complementary technologies for installing third-party software: the FreeBSD Ports Collection, for installing from source, and packages, for installing from pre-built binaries. Either method may be used to install software from local media or from the network. +FreeBSD is bundled with a rich collection of system tools as part of the base system. +In addition, FreeBSD provides two complementary technologies for installing third-party software: the FreeBSD Ports Collection, +for installing from source, and packages, for installing from pre-built binaries. +Either method may be used to install software from local media or from the network. After reading this chapter, you will know: @@ -69,19 +72,24 @@ The typical steps for installing third-party software on a UNIX(R) system includ . If the software was distributed in source format, compile it. This may involve editing a [.filename]#Makefile# or running a `configure` script. . Test and install the software. -A FreeBSD _port_ is a collection of files designed to automate the process of compiling an application from source code. The files that comprise a port contain all the necessary information to automatically download, extract, patch, compile, and install the application. +A FreeBSD _port_ is a collection of files designed to automate the process of compiling an application from source code. +The files that comprise a port contain all the necessary information to automatically download, extract, patch, compile, and install the application. If the software has not already been adapted and tested on FreeBSD, the source code might need editing in order for it to install and run properly. -However, over link:https://www.FreeBSD.org/ports/[{numports}] third-party applications have already been ported to FreeBSD. When feasible, these applications are made available for download as pre-compiled _packages_. +However, over link:https://www.FreeBSD.org/ports/[{numports}] third-party applications have already been ported to FreeBSD. +When feasible, these applications are made available for download as pre-compiled _packages_. Packages can be manipulated with the FreeBSD package management commands. -Both packages and ports understand dependencies. If a package or port is used to install an application and a dependent library is not already installed, the library will automatically be installed first. +Both packages and ports understand dependencies. +If a package or port is used to install an application and a dependent library is not already installed, the library will automatically be installed first. -A FreeBSD package contains pre-compiled copies of all the commands for an application, as well as any configuration files and documentation. A package can be manipulated with the man:pkg[8] commands, such as `pkg install`. +A FreeBSD package contains pre-compiled copies of all the commands for an application, as well as any configuration files and documentation. +A package can be manipulated with the man:pkg[8] commands, such as `pkg install`. -While the two technologies are similar, packages and ports each have their own strengths. Select the technology that meets your requirements for installing a particular application. +While the two technologies are similar, packages and ports each have their own strengths. +Select the technology that meets your requirements for installing a particular application. .Package Benefits * A compressed package tarball is typically smaller than the compressed tarball containing the source code for the application. @@ -110,7 +118,8 @@ The remainder of this chapter explains how to use packages and ports to install [[ports-finding-applications]] == Finding Software -FreeBSD's list of available applications is growing all the time. There are a number of ways to find software to install: +FreeBSD's list of available applications is growing all the time. +There are a number of ways to find software to install: * The FreeBSD web site maintains an up-to-date searchable list of all the available applications, at link:https://www.FreeBSD.org/ports/[https://www.FreeBSD.org/ports/]. The ports can be searched by application name or by software category. * Dan Langille maintains http://www.FreshPorts.org/[FreshPorts.org] which provides a comprehensive search utility and also tracks changes to the applications in the Ports Collection. Registered users can create a customized watch list in order to receive an automated email when their watched ports are updated. @@ -133,7 +142,12 @@ subversion16-1.6.23_4 subversion17-1.7.16_2 .... + -Package names include the version number and, in the case of ports based on python, the version number of the version of python the package was built with. Some ports also have multiple versions available. In the case of Subversion, there are different versions available, as well as different compile options. In this case, the statically linked version of Subversion. When indicating which package to install, it is best to specify the application by the port origin, which is the path in the ports tree. Repeat the `pkg search` with `-o` to list the origin of each package: +Package names include the version number and, in the case of ports based on python, the version number of the version of python the package was built with. +Some ports also have multiple versions available. +In the case of Subversion, there are different versions available, as well as different compile options. +In this case, the statically linked version of Subversion. +When indicating which package to install, it is best to specify the application by the port origin, which is the path in the ports tree. +Repeat the `pkg search` with `-o` to list the origin of each package: + [source,shell] .... @@ -151,7 +165,8 @@ devel/subversion-book devel/subversion-static .... + -Searching by shell globs, regular expressions, exact match, by description, or any other field in the repository database is also supported by `pkg search`. After installing package:ports-mgmt/pkg[] or package:ports-mgmt/pkg-devel[], see man:pkg-search[8] for more details. +Searching by shell globs, regular expressions, exact match, by description, or any other field in the repository database is also supported by `pkg search`. +After installing package:ports-mgmt/pkg[] or package:ports-mgmt/pkg-devel[], see man:pkg-search[8] for more details. * If the Ports Collection is already installed, there are several methods to query the local version of the ports tree. To find out which category a port is in, type `whereis _file_`, where _file_ is the program to be installed: + [source,shell] @@ -186,8 +201,9 @@ R-deps: + [TIP] ==== - -The built-in search mechanism uses a file of index information. If a message indicates that the [.filename]#INDEX# is required, run `make fetchindex` to download the current index file. With the [.filename]#INDEX# present, `make search` will be able to perform the requested search. +The built-in search mechanism uses a file of index information. +If a message indicates that the [.filename]#INDEX# is required, run `make fetchindex` to download the current index file. +With the [.filename]#INDEX# present, `make search` will be able to perform the requested search. ==== + The "Path:" line indicates where to find the port. @@ -203,9 +219,11 @@ Path: /usr/ports/sysutils/lsof Info: Lists information about open files (similar to fstat(1)) .... + -For more in-depth searching, use `make search key=_string_` or `make quicksearch key=_string_`, where _string_ is some text to search for. The text can be in comments, descriptions, or dependencies in order to find ports which relate to a particular subject when the name of the program is unknown. +For more in-depth searching, use `make search key=_string_` or `make quicksearch key=_string_`, where _string_ is some text to search for. +The text can be in comments, descriptions, or dependencies in order to find ports which relate to a particular subject when the name of the program is unknown. + -When using `search` or `quicksearch`, the search string is case-insensitive. Searching for "LSOF" will yield the same results as searching for "lsof". +When using `search` or `quicksearch`, the search string is case-insensitive. +Searching for "LSOF" will yield the same results as searching for "lsof". [[pkgng-intro]] == Using pkg for Binary Package Management @@ -216,16 +234,20 @@ For sites wishing to only use prebuilt binary packages from the FreeBSD mirrors, However, for those sites building from source or using their own repositories, a separate <<ports-upgrading-tools,port management tool>> will be needed. -Since pkg only works with binary packages, it is not a replacement for such tools. Those tools can be used to install software from both binary packages and the Ports Collection, while pkg installs only binary packages. +Since pkg only works with binary packages, it is not a replacement for such tools. +Those tools can be used to install software from both binary packages and the Ports Collection, while pkg installs only binary packages. [[pkgng-initial-setup]] === Getting Started with pkg -FreeBSD includes a bootstrap utility which can be used to download and install pkg and its manual pages. This utility is designed to work with versions of FreeBSD starting with 10._X_. +FreeBSD includes a bootstrap utility which can be used to download and install pkg and its manual pages. +This utility is designed to work with versions of FreeBSD starting with 10._X_. [NOTE] ==== -Not all FreeBSD versions and architectures support this bootstrap process. The current list is at https://pkg.freebsd.org/[]. For other cases, pkg must instead be installed from the Ports Collection or as a binary package. +Not all FreeBSD versions and architectures support this bootstrap process. +The current list is at https://pkg.freebsd.org/[]. +For other cases, pkg must instead be installed from the Ports Collection or as a binary package. ==== To bootstrap the system, run: @@ -246,7 +268,9 @@ Otherwise, to install the port, run: # make install clean .... -When upgrading an existing system that originally used the older pkg_* tools, the database must be converted to the new format, so that the new tools are aware of the already installed packages. Once pkg has been installed, the package database must be converted from the traditional format to the new format by running this command: +When upgrading an existing system that originally used the older pkg_* tools, +the database must be converted to the new format, so that the new tools are aware of the already installed packages. +Once pkg has been installed, the package database must be converted from the traditional format to the new format by running this command: [source,shell] .... @@ -260,28 +284,35 @@ This step is not required for new installations that do not yet have any third-p [IMPORTANT] ==== -This step is not reversible. Once the package database has been converted to the pkg format, the traditional `pkg_*` tools should no longer be used. +This step is not reversible. +Once the package database has been converted to the pkg format, the traditional `pkg_*` tools should no longer be used. ==== [NOTE] ==== -The package database conversion may emit errors as the contents are converted to the new version. Generally, these errors can be safely ignored. However, a list of software that was not successfully converted is shown after `pkg2ng` finishes. These applications must be manually reinstalled. +The package database conversion may emit errors as the contents are converted to the new version. +Generally, these errors can be safely ignored. +However, a list of software that was not successfully converted is shown after `pkg2ng` finishes. +These applications must be manually reinstalled. ==== -To ensure that the Ports Collection registers new software with pkg instead of the traditional packages database, FreeBSD versions earlier than 10._X_ require this line in [.filename]#/etc/make.conf#: +To ensure that the Ports Collection registers new software with pkg instead of the traditional packages database, +FreeBSD versions earlier than 10._X_ require this line in [.filename]#/etc/make.conf#: [.programlisting] .... WITH_PKGNG= yes .... -By default, pkg uses the binary packages from the FreeBSD package mirrors (the _repository_). For information about building a custom package repository, see <<ports-poudriere>>. +By default, pkg uses the binary packages from the FreeBSD package mirrors (the _repository_). +For information about building a custom package repository, see <<ports-poudriere>>. Additional pkg configuration options are described in man:pkg.conf[5]. Usage information for pkg is available in the man:pkg[8] manual page or by running `pkg` without additional arguments. -Each pkg command argument is documented in a command-specific manual page. To read the manual page for `pkg install`, for example, run either of these commands: +Each pkg command argument is documented in a command-specific manual page. +To read the manual page for `pkg install`, for example, run either of these commands: [source,shell] .... @@ -293,12 +324,20 @@ Each pkg command argument is documented in a command-specific manual page. To re # man pkg-install .... -The rest of this section demonstrates common binary package management tasks which can be performed using pkg. Each demonstrated command provides many switches to customize its use. Refer to a command's help or man page for details and more examples. +The rest of this section demonstrates common binary package management tasks which can be performed using pkg. +Each demonstrated command provides many switches to customize its use. +Refer to a command's help or man page for details and more examples. [[quarterly-latest-branch]] === Quarterly and Latest Ports Branches -The `Quarterly` branch provides users with a more predictable and stable experience for port and package installation and upgrades. This is done essentially by only allowing non-feature updates. Quarterly branches aim to receive security fixes (that may be version updates, or backports of commits), bug fixes and ports compliance or framework changes. The Quarterly branch is cut from HEAD at the beginning of every (yearly) quarter in January, April, July, and October. Branches are named according to the year (YYYY) and quarter (Q1-4) they are created in. For example, the quarterly branch created in January 2016, is named 2016Q1. And the `Latest` branch provides the latest versions of the packages to the users. +The `Quarterly` branch provides users with a more predictable and stable experience for port and package installation and upgrades. +This is done essentially by only allowing non-feature updates. +Quarterly branches aim to receive security fixes (that may be version updates, or backports of commits), bug fixes and ports compliance or framework changes. +The Quarterly branch is cut from HEAD at the beginning of every (yearly) quarter in January, April, July, and October. +Branches are named according to the year (YYYY) and quarter (Q1-4) they are created in. +For example, the quarterly branch created in January 2016, is named 2016Q1. +And the `Latest` branch provides the latest versions of the packages to the users. To switch from quarterly to latest run the following commands: @@ -333,7 +372,8 @@ And finally run this command to update from the new (latest) repository metadata [[pkgng-pkg-info]] === Obtaining Information About Installed Packages -Information about the packages installed on a system can be viewed by running `pkg info` which, when run without any switches, will list the package version for either all installed packages or the specified package. +Information about the packages installed on a system can be viewed by running `pkg info` which, when run without any switches, +will list the package version for either all installed packages or the specified package. For example, to see which version of pkg is installed, run: @@ -353,7 +393,8 @@ To install a binary package use the following command, where _packagename_ is th # pkg install packagename .... -This command uses repository data to determine which version of the software to install and if it has any uninstalled dependencies. For example, to install curl: +This command uses repository data to determine which version of the software to install and if it has any uninstalled dependencies. +For example, to install curl: [source,shell] .... @@ -390,7 +431,8 @@ curl-7.31.0_1 Non-interactive tool to get files from FTP, GOPHER, HTTP(S) server pkg-1.1.4_6 New generation package manager .... -Packages that are no longer needed can be removed with `pkg delete`. For example: +Packages that are no longer needed can be removed with `pkg delete`. +For example: [source,shell] .... @@ -420,7 +462,9 @@ This command will compare the installed versions with those available in the rep [[pkgng-auditing]] === Auditing Installed Packages -Software vulnerabilities are regularly discovered in third-party applications. To address this, pkg includes a built-in auditing mechanism. To determine if there are any known vulnerabilities for the software installed on the system, run: +Software vulnerabilities are regularly discovered in third-party applications. +To address this, pkg includes a built-in auditing mechanism. +To determine if there are any known vulnerabilities for the software installed on the system, run: [source,shell] .... @@ -430,7 +474,8 @@ Software vulnerabilities are regularly discovered in third-party applications. T [[pkgng-autoremove]] === Automatically Removing Unused Packages -Removing a package may leave behind dependencies which are no longer required. Unneeded packages that were installed as dependencies (leaf packages) can be automatically detected and removed using: +Removing a package may leave behind dependencies which are no longer required. +Unneeded packages that were installed as dependencies (leaf packages) can be automatically detected and removed using: [source,shell] .... @@ -444,7 +489,8 @@ Proceed with autoremoval of packages [y/N]: y Deinstalling ca_root_nss-3.15.1_1... done .... -Packages installed as dependencies are called _automatic_ packages. Non-automatic packages, i.e the packages that were explicity installed not as a dependency to another package, can be listed using: +Packages installed as dependencies are called _automatic_ packages. +Non-automatic packages, i.e the packages that were explicity installed not as a dependency to another package, can be listed using: [source,shell] .... @@ -454,7 +500,9 @@ openvpn sudo .... -`pkg prime-list` is an alias command declared in [.filename]#/usr/local/etc/pkg.conf#. There are many others that can be used to query the package database of the system. For instance, command `pkg prime-origins` can be used to get the origin port directory of the list mentioned above: +`pkg prime-list` is an alias command declared in [.filename]#/usr/local/etc/pkg.conf#. +There are many others that can be used to query the package database of the system. +For instance, command `pkg prime-origins` can be used to get the origin port directory of the list mentioned above: [source,shell] .... @@ -485,15 +533,16 @@ Marking an installed package as _not_ automatic can be done using: [[pkgng-backup]] === Restoring the Package Database -Unlike the traditional package management system, pkg includes its own package database backup mechanism. This functionality is enabled by default. +Unlike the traditional package management system, pkg includes its own package database backup mechanism. +This functionality is enabled by default. [TIP] ==== - To disable the periodic script from backing up the package database, set `daily_backup_pkgdb_enable="NO"` in man:periodic.conf[5]. ==== -To restore the contents of a previous package database backup, run the following command replacing _/path/to/pkg.sql_ with the location of the backup: +To restore the contents of a previous package database backup, +run the following command replacing _/path/to/pkg.sql_ with the location of the backup: [source,shell] .... @@ -505,7 +554,8 @@ To restore the contents of a previous package database backup, run the following If restoring a backup taken by the periodic script, it must be decompressed prior to being restored. ==== -To run a manual backup of the pkg database, run the following command, replacing _/path/to/pkg.sql_ with a suitable file name and location: +To run a manual backup of the pkg database, run the following command, +replacing _/path/to/pkg.sql_ with a suitable file name and location: [source,shell] .... @@ -515,7 +565,9 @@ To run a manual backup of the pkg database, run the following command, replacing [[pkgng-clean]] === Removing Stale Packages -By default, pkg stores binary packages in a cache directory defined by `PKG_CACHEDIR` in man:pkg.conf[5]. Only copies of the latest installed packages are kept. Older versions of pkg kept all previous packages. To remove these outdated binary packages, run: +By default, pkg stores binary packages in a cache directory defined by `PKG_CACHEDIR` in man:pkg.conf[5]. +Only copies of the latest installed packages are kept. Older versions of pkg kept all previous packages. +To remove these outdated binary packages, run: [source,shell] .... @@ -532,7 +584,9 @@ The entire cache may be cleared by running: [[pkgng-set]] === Modifying Package Metadata -Software within the FreeBSD Ports Collection can undergo major version number changes. To address this, pkg has a built-in command to update package origins. This can be useful, for example, if package:lang/php5[] is renamed to package:lang/php53[] so that package:lang/php5[] can now represent version `5.4`. +Software within the FreeBSD Ports Collection can undergo major version number changes. +To address this, pkg has a built-in command to update package origins. +This can be useful, for example, if package:lang/php5[] is renamed to package:lang/php53[] so that package:lang/php5[] can now represent version `5.4`. To change the package origin for the above example, run: @@ -557,7 +611,8 @@ As a final example, to change the origin of the [.filename]#libglut# shared libr [NOTE] ==== -When changing package origins, it is important to reinstall packages that are dependent on the package with the modified origin. To force a reinstallation of dependent packages, run: +When changing package origins, it is important to reinstall packages that are dependent on the package with the modified origin. +To force a reinstallation of dependent packages, run: [source,shell] .... @@ -569,19 +624,23 @@ When changing package origins, it is important to reinstall packages that are de [[ports-using]] == Using the Ports Collection -The Ports Collection is a set of [.filename]##Makefile##s, patches, and description files. Each set of these files is used to compile and install an individual application on FreeBSD, and is called a _port_. +The Ports Collection is a set of [.filename]##Makefile##s, patches, and description files. +Each set of these files is used to compile and install an individual application on FreeBSD, and is called a _port_. By default, the Ports Collection itself is stored as a subdirectory of [.filename]#/usr/ports#. [WARNING] ==== - Before installing and using the Ports Collection, please be aware that it is generally ill-advised to use the Ports Collection in conjunction with the binary packages provided via pkg to install software. -pkg, by default, tracks quarterly branch-releases of the ports tree and not HEAD. Dependencies could be different for a port in HEAD compared to its counterpart in a quarterly branch release and this could result in conflicts between dependencies installed by pkg and those from the Ports Collection. +pkg, by default, tracks quarterly branch-releases of the ports tree and not HEAD. +Dependencies could be different for a port in HEAD compared to its counterpart in a quarterly branch release and this could result in conflicts between dependencies installed by pkg and those from the Ports Collection. If the Ports Collection and pkg must be used in conjunction, then be sure that your Ports Collection and pkg are on the same branch release of the ports tree. ==== -The Ports Collection contains directories for software categories. Inside each category are subdirectories for individual applications. Each application subdirectory contains a set of files that tells FreeBSD how to compile and install that program, called a _ports skeleton_. Each port skeleton includes these files and directories: +The Ports Collection contains directories for software categories. +Inside each category are subdirectories for individual applications. +Each application subdirectory contains a set of files that tells FreeBSD how to compile and install that program, called a _ports skeleton_. +Each port skeleton includes these files and directories: * [.filename]#Makefile#: contains statements that specify how the application should be compiled and where its components should be installed. * [.filename]#distinfo#: contains the names and checksums of the files that must be downloaded to build the port. @@ -589,21 +648,27 @@ The Ports Collection contains directories for software categories. Inside each c * [.filename]#pkg-descr#: provides a more detailed description of the program. * [.filename]#pkg-plist#: a list of all the files that will be installed by the port. It also tells the ports system which files to remove upon deinstallation. -Some ports include [.filename]#pkg-message# or other files to handle special situations. For more details on these files, and on ports in general, refer to the link:{porters-handbook}[FreeBSD Porter's Handbook]. +Some ports include [.filename]#pkg-message# or other files to handle special situations. +For more details on these files, and on ports in general, refer to the link:{porters-handbook}[FreeBSD Porter's Handbook]. -The port does not include the actual source code, also known as a [.filename]#distfile#. The extract portion of building a port will automatically save the downloaded source to [.filename]#/usr/ports/distfiles#. +The port does not include the actual source code, also known as a [.filename]#distfile#. +The extract portion of building a port will automatically save the downloaded source to [.filename]#/usr/ports/distfiles#. [[ports-using-installation-methods]] === Installing the Ports Collection -Before an application can be compiled using a port, the Ports Collection must first be installed. If it was not installed during the installation of FreeBSD, use one of the following methods to install it: +Before an application can be compiled using a port, the Ports Collection must first be installed. +If it was not installed during the installation of FreeBSD, use one of the following methods to install it: [[ports-using-portsnap-method]] [.procedure] **** *Procedure: Portsnap Method* -The base system of FreeBSD includes Portsnap. This is a fast and user-friendly tool for retrieving the Ports Collection and is the recommended choice for most users not running FreeBSD-CURRENT. This utility connects to a FreeBSD site, verifies the secure key, and downloads a new copy of the Ports Collection. The key is used to verify the integrity of all downloaded files. +The base system of FreeBSD includes Portsnap. +This is a fast and user-friendly tool for retrieving the Ports Collection and is the recommended choice for most users not running FreeBSD-CURRENT. +This utility connects to a FreeBSD site, verifies the secure key, and downloads a new copy of the Ports Collection. +The key is used to verify the integrity of all downloaded files. . To download a compressed snapshot of the Ports Collection into [.filename]#/var/db/portsnap#: + @@ -640,7 +705,9 @@ When using `fetch`, the `extract` or the `update` operation may be run consecuti **** *Procedure: Git Method* -If more control over the ports tree is needed or if local changes need to be maintained, or if running FreeBSD-CURRENT, Git can be used to obtain the Ports Collection. Refer to link:{committers-guide}#git-primer[the Git Primer] for a detailed description of Git. +If more control over the ports tree is needed or if local changes need to be maintained, or if running FreeBSD-CURRENT, +Git can be used to obtain the Ports Collection. +Refer to link:{committers-guide}#git-primer[the Git Primer] for a detailed description of Git. . Git must be installed before it can be used to check out the ports tree. If a copy of the ports tree is already present, install Git like this: + @@ -688,17 +755,23 @@ If the ports tree is not available, or pkg is being used to manage packages, Git === Installing Ports -This section provides basic instructions on using the Ports Collection to install or remove software. The detailed description of available `make` targets and environment variables is available in man:ports[7]. +This section provides basic instructions on using the Ports Collection to install or remove software. +The detailed description of available `make` targets and environment variables is available in man:ports[7]. [WARNING] ==== -Before compiling any port, be sure to update the Ports Collection as described in the previous section. Since the installation of any third-party software can introduce security vulnerabilities, it is recommended to first check https://vuxml.freebsd.org/[] for known security issues related to the port. Alternately, run `pkg audit -F` before installing a new port. This command can be configured to automatically perform a security audit and an update of the vulnerability database during the daily security system check. For more information, refer to man:pkg-audit[8] and man:periodic[8]. +Before compiling any port, be sure to update the Ports Collection as described in the previous section. +Since the installation of any third-party software can introduce security vulnerabilities, it is recommended to first check https://vuxml.freebsd.org/[] for known security issues related to the port. +Alternately, run `pkg audit -F` before installing a new port. +This command can be configured to automatically perform a security audit and an update of the vulnerability database during the daily security system check. For more information, refer to man:pkg-audit[8] and man:periodic[8]. ==== -Using the Ports Collection assumes a working Internet connection. It also requires superuser privilege. +Using the Ports Collection assumes a working Internet connection. +It also requires superuser privilege. -To compile and install the port, change to the directory of the port to be installed, then type `make install` at the prompt. Messages will indicate the progress: +To compile and install the port, change to the directory of the port to be installed, then type `make install` at the prompt. +Messages will indicate the progress: [source,shell] .... @@ -736,11 +809,16 @@ To compile and install the port, change to the directory of the port to be insta # .... -Since `lsof` is a program that runs with increased privileges, a security warning is displayed as it is installed. Once the installation is complete, the prompt will be returned. +Since `lsof` is a program that runs with increased privileges, a security warning is displayed as it is installed. +Once the installation is complete, the prompt will be returned. -Some shells keep a cache of the commands that are available in the directories listed in the `PATH` environment variable, to speed up lookup operations for the executable file of these commands. Users of the `tcsh` shell should type `rehash` so that a newly installed command can be used without specifying its full path. Use `hash -r` instead for the `sh` shell. Refer to the documentation for the shell for more information. +Some shells keep a cache of the commands that are available in the directories listed in the `PATH` environment variable, to speed up lookup operations for the executable file of these commands. +Users of the `tcsh` shell should type `rehash` so that a newly installed command can be used without specifying its full path. +Use `hash -r` instead for the `sh` shell. +Refer to the documentation for the shell for more information. -During installation, a working subdirectory is created which contains all the temporary files used during compilation. Removing this directory saves disk space and minimizes the chance of problems later when upgrading to the newer version of the port: +During installation, a working subdirectory is created which contains all the temporary files used during compilation. +Removing this directory saves disk space and minimizes the chance of problems later when upgrading to the newer version of the port: [source,shell] .... @@ -756,21 +834,37 @@ To save this extra step, instead use `make install clean` when compiling the por ==== Customizing Ports Installation -Some ports provide build options which can be used to enable or disable application components, provide security options, or allow for other customizations. Examples include package:www/firefox[], package:security/gpgme[], and package:mail/sylpheed-claws[]. If the port depends upon other ports which have configurable options, it may pause several times for user interaction as the default behavior is to prompt the user to select options from a menu. To avoid this and do all of the configuration in one batch, run `make config-recursive` within the port skeleton. Then, run `make install [clean]` to compile and install the port. +Some ports provide build options which can be used to enable or disable application components, provide security options, or allow for other customizations. +Examples include package:www/firefox[], package:security/gpgme[], and package:mail/sylpheed-claws[]. +If the port depends upon other ports which have configurable options, +it may pause several times for user interaction as the default behavior is to prompt the user to select options from a menu. +To avoid this and do all of the configuration in one batch, run `make config-recursive` within the port skeleton. +Then, run `make install [clean]` to compile and install the port. [TIP] ==== - -When using `config-recursive`, the list of ports to configure are gathered by the `all-depends-list` target. It is recommended to run `make config-recursive` until all dependent ports options have been defined, and ports options screens no longer appear, to be certain that all dependency options have been configured. +When using `config-recursive`, the list of ports to configure are gathered by the `all-depends-list` target. +It is recommended to run `make config-recursive` until all dependent ports options have been defined, +and ports options screens no longer appear, to be certain that all dependency options have been configured. ==== -There are several ways to revisit a port's build options menu in order to add, remove, or change these options after a port has been built. One method is to `cd` into the directory containing the port and type `make config`. Another option is to use `make showconfig`. Another option is to execute `make rmconfig` which will remove all selected options and allow you to start over. All of these options, and others, are explained in great detail in man:ports[7]. +There are several ways to revisit a port's build options menu in order to add, remove, or change these options after a port has been built. +One method is to `cd` into the directory containing the port and type `make config`. +Another option is to use `make showconfig`. +Another option is to execute `make rmconfig` which will remove all selected options and allow you to start over. +All of these options, and others, are explained in great detail in man:ports[7]. -The ports system uses man:fetch[1] to download the source files, which supports various environment variables. The `FTP_PASSIVE_MODE`, `FTP_PROXY`, and `FTP_PASSWORD` variables may need to be set if the FreeBSD system is behind a firewall or FTP/HTTP proxy. See man:fetch[3] for the complete list of supported variables. +The ports system uses man:fetch[1] to download the source files, which supports various environment variables. +The `FTP_PASSIVE_MODE`, `FTP_PROXY`, and `FTP_PASSWORD` variables may need to be set if the FreeBSD system is behind a firewall or FTP/HTTP proxy. +See man:fetch[3] for the complete list of supported variables. -For users who cannot be connected to the Internet all the time, `make fetch` can be run within [.filename]#/usr/ports#, to fetch all distfiles, or within a category, such as [.filename]#/usr/ports/net#, or within the specific port skeleton. Note that if a port has any dependencies, running this command in a category or ports skeleton will _not_ fetch the distfiles of ports from another category. Instead, use `make fetch-recursive` to also fetch the distfiles for all the dependencies of a port. +For users who cannot be connected to the Internet all the time, `make fetch` can be run within [.filename]#/usr/ports#, +to fetch all distfiles, or within a category, such as [.filename]#/usr/ports/net#, or within the specific port skeleton. +Note that if a port has any dependencies, running this command in a category or ports skeleton will _not_ fetch the distfiles of ports from another category. +Instead, use `make fetch-recursive` to also fetch the distfiles for all the dependencies of a port. -In rare cases, such as when an organization has a local distfiles repository, the `MASTER_SITES` variable can be used to override the download locations specified in the [.filename]#Makefile#. When using, specify the alternate location: +In rare cases, such as when an organization has a local distfiles repository, the `MASTER_SITES` variable can be used to override the download locations specified in the [.filename]#Makefile#. +When using, specify the alternate location: [source,shell] .... @@ -802,12 +896,14 @@ will compile the port in [.filename]#/usr/ports# and install it in [.filename]#/ will combine the two. -These can also be set as environmental variables. Refer to the manual page for your shell for instructions on how to set an environmental variable. +These can also be set as environmental variables. +Refer to the manual page for your shell for instructions on how to set an environmental variable. [[ports-removing]] === Removing Installed Ports -Installed ports can be uninstalled using `pkg delete`. Examples for using this command can be found in the man:pkg-delete[8] manual page. +Installed ports can be uninstalled using `pkg delete`. +Examples for using this command can be found in the man:pkg-delete[8] manual page. Alternately, `make deinstall` can be run in the port's directory: @@ -825,14 +921,19 @@ The deinstallation will free 229 kB [1/1] Deleting lsof-4.88.d,8... done .... -It is recommended to read the messages as the port is uninstalled. If the port has any applications that depend upon it, this information will be displayed but the uninstallation will proceed. In such cases, it may be better to reinstall the application in order to prevent broken dependencies. +It is recommended to read the messages as the port is uninstalled. +If the port has any applications that depend upon it, this information will be displayed but the uninstallation will proceed. +In such cases, it may be better to reinstall the application in order to prevent broken dependencies. [[ports-upgrading]] === Upgrading Ports -Over time, newer versions of software become available in the Ports Collection. This section describes how to determine which software can be upgraded and how to perform the upgrade. +Over time, newer versions of software become available in the Ports Collection. +This section describes how to determine which software can be upgraded and how to perform the upgrade. -To determine if newer versions of installed ports are available, ensure that the latest version of the ports tree is installed, using the updating command described in either <<ports-using-portsnap-method, “Portsnap Method”>> or <<ports-using-git-method, “Git Method”>>. On FreeBSD 10 and later, or if the system has been converted to pkg, the following command will list the installed ports which are out of date: +To determine if newer versions of installed ports are available, ensure that the latest version of the ports tree is installed, +using the updating command described in either <<ports-using-portsnap-method, “Portsnap Method”>> or <<ports-using-git-method, “Git Method”>>. +On FreeBSD 10 and later, or if the system has been converted to pkg, the following command will list the installed ports which are out of date: [source,shell] .... @@ -848,25 +949,32 @@ For FreeBSD 9._X_ and lower, the following command will list the installed ports [IMPORTANT] ==== -Before attempting an upgrade, read [.filename]#/usr/ports/UPDATING# from the top of the file to the date closest to the last time ports were upgraded or the system was installed. This file describes various issues and additional steps users may encounter and need to perform when updating a port, including such things as file format changes, changes in locations of configuration files, or any incompatibilities with previous versions. Make note of any instructions which match any of the ports that need upgrading and follow these instructions when performing the upgrade. +Before attempting an upgrade, read [.filename]#/usr/ports/UPDATING# from the top of the file to the date closest to the last time ports were upgraded or the system was installed. +This file describes various issues and additional steps users may encounter and need to perform when updating a port, including such things as file format changes, changes in locations of configuration files, or any incompatibilities with previous versions. +Make note of any instructions which match any of the ports that need upgrading and follow these instructions when performing the upgrade. ==== [[ports-upgrading-tools]] ==== Tools to Upgrade and Manage Ports -The Ports Collection contains several utilities to perform the actual upgrade. Each has its strengths and weaknesses. +The Ports Collection contains several utilities to perform the actual upgrade. +Each has its strengths and weaknesses. -Historically, most installations used either Portmaster or Portupgrade. Synth is a newer alternative. +Historically, most installations used either Portmaster or Portupgrade. +Synth is a newer alternative. [NOTE] ==== -The choice of which tool is best for a particular system is up to the system administrator. It is recommended practice to back up your data before using any of these tools. +The choice of which tool is best for a particular system is up to the system administrator. +It is recommended practice to back up your data before using any of these tools. ==== [[portmaster]] ==== Upgrading Ports Using Portmaster -package:ports-mgmt/portmaster[] is a very small utility for upgrading installed ports. It is designed to use the tools installed with the FreeBSD base system without depending on other ports or databases. To install this utility as a port: +package:ports-mgmt/portmaster[] is a very small utility for upgrading installed ports. +It is designed to use the tools installed with the FreeBSD base system without depending on other ports or databases. +To install this utility as a port: [source,shell] .... @@ -917,7 +1025,12 @@ This command is used to upgrade all outdated ports: [NOTE] ==== -By default, Portmaster makes a backup package before deleting the existing port. If the installation of the new version is successful, Portmaster deletes the backup. Using `-b` instructs Portmaster not to automatically delete the backup. Adding `-i` starts Portmaster in interactive mode, prompting for confirmation before upgrading each port. Many other options are available. Read through the manual page for man:portmaster[8] for details regarding their usage. +By default, Portmaster makes a backup package before deleting the existing port. +If the installation of the new version is successful, Portmaster deletes the backup. +Using `-b` instructs Portmaster not to automatically delete the backup. +Adding `-i` starts Portmaster in interactive mode, prompting for confirmation before upgrading each port. +Many other options are available. +Read through the manual page for man:portmaster[8] for details regarding their usage. ==== If errors are encountered during the upgrade process, add `-f` to upgrade and rebuild all ports: @@ -927,7 +1040,8 @@ If errors are encountered during the upgrade process, add `-f` to upgrade and re # portmaster -af .... -Portmaster can also be used to install new ports on the system, upgrading all dependencies before building and installing the new port. To use this function, specify the location of the port in the Ports Collection: +Portmaster can also be used to install new ports on the system, upgrading all dependencies before building and installing the new port. +To use this function, specify the location of the port in the Ports Collection: [source,shell] .... @@ -939,7 +1053,9 @@ More information about package:ports-mgmt/portmaster[] may be found in its [.fil [[portupgrade]] ==== Upgrading Ports Using Portupgrade -package:ports-mgmt/portupgrade[] is another utility that can be used to upgrade ports. It installs a suite of applications which can be used to manage ports. However, it is dependent upon Ruby. To install the port: +package:ports-mgmt/portupgrade[] is another utility that can be used to upgrade ports. +It installs a suite of applications which can be used to manage ports. +However, it is dependent upon Ruby. To install the port: [source,shell] .... @@ -949,42 +1065,53 @@ package:ports-mgmt/portupgrade[] is another utility that can be used to upgrade Before performing an upgrade using this utility, it is recommended to scan the list of installed ports using `pkgdb -F` and to fix all the inconsistencies it reports. -To upgrade all the outdated ports installed on the system, use `portupgrade -a`. Alternately, include `-i` to be asked for confirmation of every individual upgrade: +To upgrade all the outdated ports installed on the system, use `portupgrade -a`. +Alternately, include `-i` to be asked for confirmation of every individual upgrade: [source,shell] .... # portupgrade -ai .... -To upgrade only a specified application instead of all available ports, use `portupgrade _pkgname_`. It is very important to include `-R` to first upgrade all the ports required by the given application: +To upgrade only a specified application instead of all available ports, use `portupgrade _pkgname_`. +It is very important to include `-R` to first upgrade all the ports required by the given application: [source,shell] .... # portupgrade -R firefox .... -If `-P` is included, Portupgrade searches for available packages in the local directories listed in `PKG_PATH`. If none are available locally, it then fetches packages from a remote site. If packages can not be found locally or fetched remotely, Portupgrade will use ports. To avoid using ports entirely, specify `-PP`. This last set of options tells Portupgrade to abort if no packages are available: +If `-P` is included, Portupgrade searches for available packages in the local directories listed in `PKG_PATH`. +If none are available locally, it then fetches packages from a remote site. +If packages can not be found locally or fetched remotely, Portupgrade will use ports. +To avoid using ports entirely, specify `-PP`. +This last set of options tells Portupgrade to abort if no packages are available: [source,shell] .... # portupgrade -PP gnome3 .... -To just fetch the port distfiles, or packages, if `-P` is specified, without building or installing anything, use `-F`. For further information on all of the available switches, refer to the manual page for `portupgrade`. +To just fetch the port distfiles, or packages, if `-P` is specified, without building or installing anything, use `-F`. +For further information on all of the available switches, refer to the manual page for `portupgrade`. More information about package:ports-mgmt/portupgrade[] may be found in its [.filename]#pkg-descr#. [[ports-disk-space]] === Ports and Disk Space -Using the Ports Collection will use up disk space over time. After building and installing a port, running `make clean` within the ports skeleton will clean up the temporary [.filename]#work# directory. If Portmaster is used to install a port, it will automatically remove this directory unless `-K` is specified. If Portupgrade is installed, this command will remove all [.filename]#work# directories found within the local copy of the Ports Collection: +Using the Ports Collection will use up disk space over time. +After building and installing a port, running `make clean` within the ports skeleton will clean up the temporary [.filename]#work# directory. +If Portmaster is used to install a port, it will automatically remove this directory unless `-K` is specified. +If Portupgrade is installed, this command will remove all [.filename]#work# directories found within the local copy of the Ports Collection: [source,shell] .... # portsclean -C .... -In addition, outdated source distribution files accumulate in [.filename]#/usr/ports/distfiles# over time. To use Portupgrade to delete all the distfiles that are no longer referenced by any ports: +In addition, outdated source distribution files accumulate in [.filename]#/usr/ports/distfiles# over time. +To use Portupgrade to delete all the distfiles that are no longer referenced by any ports: [source,shell] .... @@ -1012,18 +1139,34 @@ In addition to these commands, package:ports-mgmt/pkg_cutleaves[] automates the [[ports-poudriere]] == Building Packages with Poudriere -Poudriere is a `BSD`-licensed utility for creating and testing FreeBSD packages. It uses FreeBSD jails to set up isolated compilation environments. These jails can be used to build packages for versions of FreeBSD that are different from the system on which it is installed, and also to build packages for i386 if the host is an amd64 system. Once the packages are built, they are in a layout identical to the official mirrors. These packages are usable by man:pkg[8] and other package management tools. +Poudriere is a `BSD`-licensed utility for creating and testing FreeBSD packages. +It uses FreeBSD jails to set up isolated compilation environments. +These jails can be used to build packages for versions of FreeBSD that are different from the system on which it is installed, and also to build packages for i386 if the host is an amd64 system. +Once the packages are built, they are in a layout identical to the official mirrors. +These packages are usable by man:pkg[8] and other package management tools. -Poudriere is installed using the package:ports-mgmt/poudriere[] package or port. The installation includes a sample configuration file [.filename]#/usr/local/etc/poudriere.conf.sample#. Copy this file to [.filename]#/usr/local/etc/poudriere.conf#. Edit the copied file to suit the local configuration. +Poudriere is installed using the package:ports-mgmt/poudriere[] package or port. +The installation includes a sample configuration file [.filename]#/usr/local/etc/poudriere.conf.sample#. +Copy this file to [.filename]#/usr/local/etc/poudriere.conf#. +Edit the copied file to suit the local configuration. -While `ZFS` is not required on the system running poudriere, it is beneficial. When `ZFS` is used, `ZPOOL` must be specified in [.filename]#/usr/local/etc/poudriere.conf# and `FREEBSD_HOST` should be set to a nearby mirror. Defining `CCACHE_DIR` enables the use of package:devel/ccache[] to cache compilation and reduce build times for frequently-compiled code. It may be convenient to put poudriere datasets in an isolated tree mounted at [.filename]#/poudriere#. Defaults for the other configuration values are adequate. +While `ZFS` is not required on the system running poudriere, it is beneficial. +When `ZFS` is used, `ZPOOL` must be specified in [.filename]#/usr/local/etc/poudriere.conf# and `FREEBSD_HOST` should be set to a nearby mirror. +Defining `CCACHE_DIR` enables the use of package:devel/ccache[] to cache compilation and reduce build times for frequently-compiled code. +It may be convenient to put poudriere datasets in an isolated tree mounted at [.filename]#/poudriere#. +Defaults for the other configuration values are adequate. -The number of processor cores detected is used to define how many builds will run in parallel. Supply enough virtual memory, either with `RAM` or swap space. If virtual memory runs out, the compilation jails will stop and be torn down, resulting in weird error messages. +The number of processor cores detected is used to define how many builds will run in parallel. +Supply enough virtual memory, either with `RAM` or swap space. +If virtual memory runs out, the compilation jails will stop and be torn down, resulting in weird error messages. [[poudriere-initialization]] === Initialize Jails and Port Trees -After configuration, initialize poudriere so that it installs a jail with the required FreeBSD tree and a ports tree. Specify a name for the jail using `-j` and the FreeBSD version with `-v`. On systems running FreeBSD/amd64, the architecture can be set with `-a` to either `i386` or `amd64`. The default is the architecture shown by `uname`. +After configuration, initialize poudriere so that it installs a jail with the required FreeBSD tree and a ports tree. +Specify a name for the jail using `-j` and the FreeBSD version with `-v`. +On systems running FreeBSD/amd64, the architecture can be set with `-a` to either `i386` or `amd64`. +The default is the architecture shown by `uname`. [source,shell] .... @@ -1080,9 +1223,13 @@ Scanning //usr/share/certs/trusted for certificates... [00:00:00] Checking out the ports tree... done .... -On a single computer, poudriere can build ports with multiple configurations, in multiple jails, and from different port trees. Custom configurations for these combinations are called _sets_. See the CUSTOMIZATION section of man:poudriere[8] for details after package:ports-mgmt/poudriere[] or package:ports-mgmt/poudriere-devel[] is installed. +On a single computer, poudriere can build ports with multiple configurations, in multiple jails, and from different port trees. +Custom configurations for these combinations are called _sets_. +See the CUSTOMIZATION section of man:poudriere[8] for details after package:ports-mgmt/poudriere[] or package:ports-mgmt/poudriere-devel[] is installed. -The basic configuration shown here puts a single jail-, port-, and set-specific [.filename]#make.conf# in [.filename]#/usr/local/etc/poudriere.d#. The filename in this example is created by combining the jail name, port name, and set name: [.filename]#11amd64-local-workstation-make.conf#. The system [.filename]#make.conf# and this new file are combined at build time to create the [.filename]#make.conf# used by the build jail. +The basic configuration shown here puts a single jail-, port-, and set-specific [.filename]#make.conf# in [.filename]#/usr/local/etc/poudriere.d#. +The filename in this example is created by combining the jail name, port name, and set name: [.filename]#11amd64-local-workstation-make.conf#. +The system [.filename]#make.conf# and this new file are combined at build time to create the [.filename]#make.conf# used by the build jail. Packages to be built are entered in [.filename]#11amd64-local-workstation-pkglist#: @@ -1108,7 +1255,8 @@ Finally, packages are built and a package repository is created: # poudriere bulk -j 11amd64 -p local -z workstation -f 11amd64-local-workstation-pkglist .... -While running, pressing kbd:[Ctrl+t] displays the current state of the build. Poudriere also builds files in [.filename]#/poudriere/logs/bulk/jailname# that can be used with a web server to display build information. +While running, pressing kbd:[Ctrl+t] displays the current state of the build. +Poudriere also builds files in [.filename]#/poudriere/logs/bulk/jailname# that can be used with a web server to display build information. After completion, the new packages are now available for installation from the poudriere repository. @@ -1116,7 +1264,9 @@ For more information on using poudriere, see man:poudriere[8] and the main web s === Configuring pkg Clients to Use a Poudriere Repository -While it is possible to use both a custom repository along side of the official repository, sometimes it is useful to disable the official repository. This is done by creating a configuration file that overrides and disables the official configuration file. Create [.filename]#/usr/local/etc/pkg/repos/FreeBSD.conf# that contains the following: +While it is possible to use both a custom repository along side of the official repository, sometimes it is useful to disable the official repository. +This is done by creating a configuration file that overrides and disables the official configuration file. +Create [.filename]#/usr/local/etc/pkg/repos/FreeBSD.conf# that contains the following: [.programlisting] .... @@ -1125,9 +1275,11 @@ FreeBSD: { } .... -Usually it is easiest to serve a poudriere repository to the client machines via HTTP. Set up a webserver to serve up the package directory, for instance: [.filename]#/usr/local/poudriere/data/packages/11amd64#, where [.filename]#11amd64# is the name of the build. +Usually it is easiest to serve a poudriere repository to the client machines via HTTP. +Set up a webserver to serve up the package directory, for instance: [.filename]#/usr/local/poudriere/data/packages/11amd64#, where [.filename]#11amd64# is the name of the build. -If the URL to the package repository is: `http://pkg.example.com/11amd64`, then the repository configuration file in [.filename]#/usr/local/etc/pkg/repos/custom.conf# would look like: +If the URL to the package repository is: `http://pkg.example.com/11amd64`, +then the repository configuration file in [.filename]#/usr/local/etc/pkg/repos/custom.conf# would look like: [.programlisting] .... @@ -1140,7 +1292,8 @@ custom: { [[ports-nextsteps]] == Post-Installation Considerations -Regardless of whether the software was installed from a binary package or port, most third-party applications require some level of configuration after installation. The following commands and locations can be used to help determine what was installed with the application. +Regardless of whether the software was installed from a binary package or port, most third-party applications require some level of configuration after installation. +The following commands and locations can be used to help determine what was installed with the application. * Most applications install at least one default configuration file in [.filename]#/usr/local/etc#. In cases where an application has a large number of configuration files, a subdirectory will be created to hold them. Often, sample configuration files are installed which end with a suffix such as [.filename]#.sample#. The configuration files should be reviewed and possibly edited to meet the system's needs. To edit a sample file, first copy it without the [.filename]#.sample# extension. * Applications which provide documentation will install it into [.filename]#/usr/local/share/doc# and many applications also install manual pages. This documentation should be consulted before continuing. @@ -1148,7 +1301,8 @@ Regardless of whether the software was installed from a binary package or port, + [NOTE] ==== -By design, applications do not run their startup script upon installation, nor do they run their stop script upon deinstallation or upgrade. This decision is left to the individual system administrator. +By design, applications do not run their startup script upon installation, nor do they run their stop script upon deinstallation or upgrade. +This decision is left to the individual system administrator. ==== * Users of man:csh[1] should run `rehash` to rebuild the known binary list in the shells `PATH`. @@ -1164,9 +1318,12 @@ When a port does not build or install, try the following: + [NOTE] ==== -Some ports are not maintained by an individual but instead by a group maintainer represented by a link:{mailing-list-faq}[mailing list]. Many, but not all, of these addresses look like mailto:freebsd-listname@FreeBSD.org[freebsd-listname@FreeBSD.org]. Please take this into account when sending an email. +Some ports are not maintained by an individual but instead by a group maintainer represented by a link:{mailing-list-faq}[mailing list]. +Many, but not all, of these addresses look like mailto:freebsd-listname@FreeBSD.org[freebsd-listname@FreeBSD.org]. +Please take this into account when sending an email. -In particular, ports maintained by mailto:ports@FreeBSD.org[ports@FreeBSD.org] are not maintained by a specific individual. Instead, any fixes and support come from the general community who subscribe to that mailing list. More volunteers are always needed! +In particular, ports maintained by mailto:ports@FreeBSD.org[ports@FreeBSD.org] are not maintained by a specific individual. +Instead, any fixes and support come from the general community who subscribe to that mailing list. More volunteers are always needed! ==== + If there is no response to the email, use Bugzilla to submit a bug report using the instructions in link:{problem-reports}[Writing FreeBSD Problem Reports]. diff --git a/documentation/content/en/books/handbook/ppp-and-slip/_index.adoc b/documentation/content/en/books/handbook/ppp-and-slip/_index.adoc index 4eb0bf8ca3..887f9088e0 100644 --- a/documentation/content/en/books/handbook/ppp-and-slip/_index.adoc +++ b/documentation/content/en/books/handbook/ppp-and-slip/_index.adoc @@ -46,7 +46,8 @@ toc::[] [[ppp-and-slip-synopsis]] == Synopsis -FreeBSD supports the Point-to-Point (PPP) protocol which can be used to establish a network or Internet connection using a dial-up modem. This chapter describes how to configure modem-based communication services in FreeBSD. +FreeBSD supports the Point-to-Point (PPP) protocol which can be used to establish a network or Internet connection using a dial-up modem. +This chapter describes how to configure modem-based communication services in FreeBSD. After reading this chapter, you will know: @@ -62,7 +63,10 @@ Before reading this chapter, you should: [[userppp]] == Configuring PPP -FreeBSD provides built-in support for managing dial-up PPP connections using man:ppp[8]. The default FreeBSD kernel provides support for [.filename]#tun# which is used to interact with a modem hardware. Configuration is performed by editing at least one configuration file, and configuration files containing examples are provided. Finally, `ppp` is used to start and manage connections. +FreeBSD provides built-in support for managing dial-up PPP connections using man:ppp[8]. +The default FreeBSD kernel provides support for [.filename]#tun# which is used to interact with a modem hardware. +Configuration is performed by editing at least one configuration file, and configuration files containing examples are provided. +Finally, `ppp` is used to start and manage connections. In order to use a PPP connection, the following items are needed: @@ -82,19 +86,23 @@ The following information may be supplied by the ISP, but is not necessary: + If the ISP has assigned a static IP address and hostname, it should be input into the configuration file. Otherwise, this information will be automatically provided during connection setup. -The rest of this section demonstrates how to configure FreeBSD for common PPP connection scenarios. The required configuration file is [.filename]#/etc/ppp/ppp.conf# and additional files and examples are available in [.filename]#/usr/share/examples/ppp/#. +The rest of this section demonstrates how to configure FreeBSD for common PPP connection scenarios. +The required configuration file is [.filename]#/etc/ppp/ppp.conf# and additional files and examples are available in [.filename]#/usr/share/examples/ppp/#. [NOTE] ==== -Throughout this section, many of the file examples display line numbers. These line numbers have been added to make it easier to follow the discussion and are not meant to be placed in the actual file. +Throughout this section, many of the file examples display line numbers. +These line numbers have been added to make it easier to follow the discussion and are not meant to be placed in the actual file. -When editing a configuration file, proper indentation is important. Lines that end in a `:` start in the first column (beginning of the line) while all other lines should be indented as shown using spaces or tabs. +When editing a configuration file, proper indentation is important. +Lines that end in a `:` start in the first column (beginning of the line) while all other lines should be indented as shown using spaces or tabs. ==== [[userppp-staticIP]] === Basic Configuration -In order to configure a PPP connection, first edit [.filename]#/etc/ppp/ppp.conf# with the dial-in information for the ISP. This file is described as follows: +In order to configure a PPP connection, first edit [.filename]#/etc/ppp/ppp.conf# with the dial-in information for the ISP. +This file is described as follows: [.programlisting] .... @@ -118,10 +126,12 @@ In order to configure a PPP connection, first edit [.filename]#/etc/ppp/ppp.conf .... Line 1::: -Identifies the `default` entry. Commands in this entry (lines 2 through 9) are executed automatically when `ppp` is run. +Identifies the `default` entry. +Commands in this entry (lines 2 through 9) are executed automatically when `ppp` is run. Line 2::: -Enables verbose logging parameters for testing the connection. Once the configuration is working satisfactorily, this line should be reduced to: +Enables verbose logging parameters for testing the connection. +Once the configuration is working satisfactorily, this line should be reduced to: + [.programlisting] .... @@ -135,40 +145,54 @@ Line 4::: Identifies the device to which the modem is connected, where [.filename]#COM1# is [.filename]#/dev/cuau0# and [.filename]#COM2# is [.filename]#/dev/cuau1#. Line 5::: -Sets the connection speed. If `115200` does not work on an older modem, try `38400` instead. +Sets the connection speed. +If `115200` does not work on an older modem, try `38400` instead. Lines 6 & 7::: -The dial string written as an expect-send syntax. Refer to man:chat[8] for more information. +The dial string written as an expect-send syntax. +Refer to man:chat[8] for more information. + -Note that this command continues onto the next line for readability. Any command in [.filename]#ppp.conf# may do this if the last character on the line is `\`. +Note that this command continues onto the next line for readability. +Any command in [.filename]#ppp.conf# may do this if the last character on the line is `\`. Line 8::: Sets the idle timeout for the link in seconds. Line 9::: -Instructs the peer to confirm the DNS settings. If the local network is running its own DNS server, this line should be commented out, by adding a `#` at the beginning of the line, or removed. +Instructs the peer to confirm the DNS settings. +If the local network is running its own DNS server, this line should be commented out, by adding a `#` at the beginning of the line, or removed. Line 10::: A blank line for readability. Blank lines are ignored by man:ppp[8]. Line 11::: -Identifies an entry called `provider`. This could be changed to the name of the ISP so that `load _ISP_` can be used to start the connection. +Identifies an entry called `provider`. +This could be changed to the name of the ISP so that `load _ISP_` can be used to start the connection. Line 12::: -Use the phone number for the ISP. Multiple phone numbers may be specified using the colon (`:`) or pipe character (`|`) as a separator. To rotate through the numbers, use a colon. To always attempt to dial the first number first and only use the other numbers if the first number fails, use the pipe character. Always enclose the entire set of phone numbers between quotation marks (`"`) to prevent dialing failures. +Use the phone number for the ISP. +Multiple phone numbers may be specified using the colon (`:`) or pipe character (`|`) as a separator. +To rotate through the numbers, use a colon. +To always attempt to dial the first number first and only use the other numbers if the first number fails, use the pipe character. +Always enclose the entire set of phone numbers between quotation marks (`"`) to prevent dialing failures. Lines 13 & 14::: Use the user name and password for the ISP. Line 15::: -Sets the default idle timeout in seconds for the connection. In this example, the connection will be closed automatically after 300 seconds of inactivity. To prevent a timeout, set this value to zero. +Sets the default idle timeout in seconds for the connection. +In this example, the connection will be closed automatically after 300 seconds of inactivity. +To prevent a timeout, set this value to zero. Line 16::: -Sets the interface addresses. The values used depend upon whether a static IP address has been obtained from the ISP or if it instead negotiates a dynamic IP address during connection. +Sets the interface addresses. +The values used depend upon whether a static IP address has been obtained from the ISP or if it instead negotiates a dynamic IP address during connection. + -If the ISP has allocated a static IP address and default gateway, replace _x.x.x.x_ with the static IP address and replace _y.y.y.y_ with the IP address of the default gateway. If the ISP has only provided a static IP address without a gateway address, replace _y.y.y.y_ with `10.0.0.2/0`. +If the ISP has allocated a static IP address and default gateway, replace _x.x.x.x_ with the static IP address and replace _y.y.y.y_ with the IP address of the default gateway. +If the ISP has only provided a static IP address without a gateway address, replace _y.y.y.y_ with `10.0.0.2/0`. + -If the IP address changes whenever a connection is made, change this line to the following value. This tells man:ppp[8] to use the IP Configuration Protocol (IPCP) to negotiate a dynamic IP address: +If the IP address changes whenever a connection is made, change this line to the following value. +This tells man:ppp[8] to use the IP Configuration Protocol (IPCP) to negotiate a dynamic IP address: + [.programlisting] .... @@ -176,9 +200,15 @@ set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255 0.0.0.0 .... Line 17::: -Keep this line as-is as it adds a default route to the gateway. The `HISADDR` will automatically be replaced with the gateway address specified on line 16. It is important that this line appears after line 16. +Keep this line as-is as it adds a default route to the gateway. +The `HISADDR` will automatically be replaced with the gateway address specified on line 16. +It is important that this line appears after line 16. -Depending upon whether man:ppp[8] is started manually or automatically, a [.filename]#/etc/ppp/ppp.linkup# may also need to be created which contains the following lines. This file is required when running `ppp` in `-auto` mode. This file is used after the connection has been established. At this point, the IP address will have been assigned and it is now possible to add the routing table entries. When creating this file, make sure that _provider_ matches the value demonstrated in line 11 of [.filename]#ppp.conf#. +Depending upon whether man:ppp[8] is started manually or automatically, a [.filename]#/etc/ppp/ppp.linkup# may also need to be created which contains the following lines. +This file is required when running `ppp` in `-auto` mode. +This file is used after the connection has been established. +At this point, the IP address will have been assigned and it is now possible to add the routing table entries. +When creating this file, make sure that _provider_ matches the value demonstrated in line 11 of [.filename]#ppp.conf#. [.programlisting] .... @@ -186,11 +216,15 @@ provider: add default HISADDR .... -This file is also needed when the default gateway address is "guessed" in a static IP address configuration. In this case, remove line 17 from [.filename]#ppp.conf# and create [.filename]#/etc/ppp/ppp.linkup# with the above two lines. More examples for this file can be found in [.filename]#/usr/share/examples/ppp/#. +This file is also needed when the default gateway address is "guessed" in a static IP address configuration. +In this case, remove line 17 from [.filename]#ppp.conf# and create [.filename]#/etc/ppp/ppp.linkup# with the above two lines. +More examples for this file can be found in [.filename]#/usr/share/examples/ppp/#. -By default, `ppp` must be run as `root`. To change this default, add the account of the user who should run `ppp` to the `network` group in [.filename]#/etc/group#. +By default, `ppp` must be run as `root`. +To change this default, add the account of the user who should run `ppp` to the `network` group in [.filename]#/etc/group#. -Then, give the user access to one or more entries in [.filename]#/etc/ppp/ppp.conf# with `allow`. For example, to give `fred` and `mary` permission to only the `provider:` entry, add this line to the `provider:` section: +Then, give the user access to one or more entries in [.filename]#/etc/ppp/ppp.conf# with `allow`. +For example, to give `fred` and `mary` permission to only the `provider:` entry, add this line to the `provider:` section: [.programlisting] .... @@ -228,9 +262,11 @@ In version 2 and above, if the `set dns` line is omitted, PPP will use the value [[userppp-PAPnCHAP]] ==== PAP and CHAP Authentication -Some ISPs set their system up so that the authentication part of the connection is done using either of the PAP or CHAP authentication mechanisms. If this is the case, the ISP will not give a `login:` prompt at connection, but will start talking PPP immediately. +Some ISPs set their system up so that the authentication part of the connection is done using either of the PAP or CHAP authentication mechanisms. +If this is the case, the ISP will not give a `login:` prompt at connection, but will start talking PPP immediately. -PAP is less secure than CHAP, but security is not normally an issue here as passwords, although being sent as plain text with PAP, are being transmitted down a serial line only. There is not much room for crackers to "eavesdrop". +PAP is less secure than CHAP, but security is not normally an issue here as passwords, although being sent as plain text with PAP, are being transmitted down a serial line only. +There is not much room for crackers to "eavesdrop". The following alterations must be made: @@ -242,10 +278,12 @@ The following alterations must be made: .... Line 13::: -This line specifies the PAP/CHAP user name. Insert the correct value for _MyUserName_. +This line specifies the PAP/CHAP user name.Insert the correct value for _MyUserName_. Line 14::: -This line specifies the PAP/CHAP password. Insert the correct value for _MyPassword_. You may want to add an additional line, such as: +This line specifies the PAP/CHAP password. +Insert the correct value for _MyPassword_. +You may want to add an additional line, such as: + [.programlisting] .... @@ -262,19 +300,22 @@ or to make it obvious that this is the intention, but PAP and CHAP are both accepted by default. Line 15::: -The ISP will not normally require a login to the server when using PAP or CHAP. Therefore, disable the "set login" string. +The ISP will not normally require a login to the server when using PAP or CHAP. +Therefore, disable the "set login" string. [[userppp-nat]] ==== Using PPP Network Address Translation Capability -PPP has ability to use internal NAT without kernel diverting capabilities. This functionality may be enabled by the following line in [.filename]#/etc/ppp/ppp.conf#: +PPP has ability to use internal NAT without kernel diverting capabilities. +This functionality may be enabled by the following line in [.filename]#/etc/ppp/ppp.conf#: [.programlisting] .... nat enable yes .... -Alternatively, NAT may be enabled by command-line option `-nat`. There is also [.filename]#/etc/rc.conf# knob named `ppp_nat`, which is enabled by default. +Alternatively, NAT may be enabled by command-line option `-nat`. +There is also [.filename]#/etc/rc.conf# knob named `ppp_nat`, which is enabled by default. When using this feature, it may be useful to include the following [.filename]#/etc/ppp/ppp.conf# options to enable incoming connections forwarding: @@ -305,7 +346,8 @@ hostname="foo.example.com" If the ISP has supplied a static IP address and name, use this name as the host name. -Look for the `network_interfaces` variable. To configure the system to dial the ISP on demand, make sure the [.filename]#tun0# device is added to the list, otherwise remove it. +Look for the `network_interfaces` variable. +To configure the system to dial the ISP on demand, make sure the [.filename]#tun0# device is added to the list, otherwise remove it. [.programlisting] .... @@ -315,14 +357,16 @@ ifconfig_tun0= [NOTE] ==== -The `ifconfig_tun0` variable should be empty, and a file called [.filename]#/etc/start_if.tun0# should be created. This file should contain the line: +The `ifconfig_tun0` variable should be empty, and a file called [.filename]#/etc/start_if.tun0# should be created. +This file should contain the line: [.programlisting] .... ppp -auto mysystem .... -This script is executed at network configuration time, starting the ppp daemon in automatic mode. If this machine acts as a gateway, consider including `-alias`. Refer to the manual page for further details. +This script is executed at network configuration time, starting the ppp daemon in automatic mode. +If this machine acts as a gateway, consider including `-alias`. Refer to the manual page for further details. ==== Make sure that the router program is set to `NO` with the following line in [.filename]#/etc/rc.conf#: @@ -334,14 +378,16 @@ router_enable="NO" It is important that the `routed` daemon is not started, as `routed` tends to delete the default routing table entries created by `ppp`. -It is probably a good idea to ensure that the `sendmail_flags` line does not include the `-q` option, otherwise `sendmail` will attempt to do a network lookup every now and then, possibly causing your machine to dial out. You may try: +It is probably a good idea to ensure that the `sendmail_flags` line does not include the `-q` option, otherwise `sendmail` will attempt to do a network lookup every now and then, possibly causing your machine to dial out. +You may try: [.programlisting] .... sendmail_flags="-bd" .... -The downside is that `sendmail` is forced to re-examine the mail queue whenever the ppp link. To automate this, include `!bg` in [.filename]#ppp.linkup#: +The downside is that `sendmail` is forced to re-examine the mail queue whenever the ppp link. +To automate this, include `!bg` in [.filename]#ppp.linkup#: [.programlisting] .... @@ -351,11 +397,13 @@ The downside is that `sendmail` is forced to re-examine the mail queue whenever 4 !bg sendmail -bd -q30m .... -An alternative is to set up a "dfilter" to block SMTP traffic. Refer to the sample files for further details. +An alternative is to set up a "dfilter" to block SMTP traffic. +Refer to the sample files for further details. === Using `ppp` -All that is left is to reboot the machine. After rebooting, either type: +All that is left is to reboot the machine. +After rebooting, either type: [source,shell] .... @@ -369,14 +417,16 @@ and then `dial provider` to start the PPP session, or, to configure `ppp` to est # ppp -auto provider .... -It is possible to talk to the `ppp` program while it is running in the background, but only if a suitable diagnostic port has been set up. To do this, add the following line to the configuration: +It is possible to talk to the `ppp` program while it is running in the background, but only if a suitable diagnostic port has been set up. +To do this, add the following line to the configuration: [.programlisting] .... set server /var/run/ppp-tun%d DiagnosticPassword 0177 .... -This will tell PPP to listen to the specified UNIX(R) domain socket, asking clients for the specified password before allowing access. The `%d` in the name is replaced with the [.filename]#tun# device number that is in use. +This will tell PPP to listen to the specified UNIX(R) domain socket, asking clients for the specified password before allowing access. +The `%d` in the name is replaced with the [.filename]#tun# device number that is in use. Once a socket has been set up, the man:pppctl[8] program may be used in scripts that wish to manipulate the running program. @@ -393,7 +443,8 @@ Later versions of `mgetty` (from 0.99beta onwards) also support the automatic de Refer to http://mgetty.greenie.net/doc/mgetty_toc.html[http://mgetty.greenie.net/doc/mgetty_toc.html] for more information on `mgetty`. -By default the package:comms/mgetty+sendfax[] port comes with the `AUTO_PPP` option enabled allowing `mgetty` to detect the LCP phase of PPP connections and automatically spawn off a ppp shell. However, since the default login/password sequence does not occur it is necessary to authenticate users using either PAP or CHAP. +By default the package:comms/mgetty+sendfax[] port comes with the `AUTO_PPP` option enabled allowing `mgetty` to detect the LCP phase of PPP connections and automatically spawn off a ppp shell. +However, since the default login/password sequence does not occur it is necessary to authenticate users using either PAP or CHAP. This section assumes the user has successfully compiled, and installed the package:comms/mgetty+sendfax[] port on his system. @@ -414,7 +465,8 @@ Create an executable file called [.filename]#/etc/ppp/ppp-pap-dialup# containing exec /usr/sbin/ppp -direct pap$IDENT .... -For each dial-up line enabled in [.filename]#/etc/ttys#, create a corresponding entry in [.filename]#/etc/ppp/ppp.conf#. This will happily co-exist with the definitions we created above. +For each dial-up line enabled in [.filename]#/etc/ttys#, create a corresponding entry in [.filename]#/etc/ppp/ppp.conf#. +This will happily co-exist with the definitions we created above. [.programlisting] .... @@ -431,12 +483,16 @@ Each user logging in with this method will need to have a username/password in [ enable passwdauth .... -To assign some users a static IP number, specify the number as the third argument in [.filename]#/etc/ppp/ppp.secret#. See [.filename]#/usr/share/examples/ppp/ppp.secret.sample# for examples. +To assign some users a static IP number, specify the number as the third argument in [.filename]#/etc/ppp/ppp.secret#. +See [.filename]#/usr/share/examples/ppp/ppp.secret.sample# for examples. [[ppp-troubleshoot]] == Troubleshooting PPP Connections -This section covers a few issues which may arise when using PPP over a modem connection. Some ISPs present the `ssword` prompt while others present `password`. If the `ppp` script is not written accordingly, the login attempt will fail. The most common way to debug `ppp` connections is by connecting manually as described in this section. +This section covers a few issues which may arise when using PPP over a modem connection. +Some ISPs present the `ssword` prompt while others present `password`. +If the `ppp` script is not written accordingly, the login attempt will fail. +The most common way to debug `ppp` connections is by connecting manually as described in this section. === Check the Device Nodes @@ -447,18 +503,26 @@ When using a custom kernel, make sure to include the following line in the kerne device uart .... -The [.filename]#uart# device is already included in the `GENERIC` kernel, so no additional steps are necessary in this case. Just check the `dmesg` output for the modem device with: +The [.filename]#uart# device is already included in the `GENERIC` kernel, so no additional steps are necessary in this case. +Just check the `dmesg` output for the modem device with: [source,shell] .... # dmesg | grep uart .... -This should display some pertinent output about the [.filename]#uart# devices. These are the COM ports we need. If the modem acts like a standard serial port, it should be listed on [.filename]#uart1#, or [.filename]#COM2#. If so, a kernel rebuild is not required. When matching up, if the modem is on [.filename]#uart1#, the modem device would be [.filename]#/dev/cuau1#. +This should display some pertinent output about the [.filename]#uart# devices. +These are the COM ports we need. +If the modem acts like a standard serial port, it should be listed on [.filename]#uart1#, or [.filename]#COM2#. +If so, a kernel rebuild is not required. +When matching up, if the modem is on [.filename]#uart1#, the modem device would be [.filename]#/dev/cuau1#. === Connecting Manually -Connecting to the Internet by manually controlling `ppp` is quick, easy, and a great way to debug a connection or just get information on how the ISP treats `ppp` client connections. Lets start PPP from the command line. Note that in all of our examples we will use _example_ as the hostname of the machine running PPP. To start `ppp`: +Connecting to the Internet by manually controlling `ppp` is quick, easy, and a great way to debug a connection or just get information on how the ISP treats `ppp` client connections. +Lets start PPP from the command line. +Note that in all of our examples we will use _example_ as the hostname of the machine running PPP. +To start `ppp`: [source,shell] .... @@ -484,7 +548,8 @@ This sets the connection speed to 115,200 kbps. ppp ON example> enable dns .... -This tells `ppp` to configure the resolver and add the nameserver lines to [.filename]#/etc/resolv.conf#. If `ppp` cannot determine the hostname, it can manually be set later. +This tells `ppp` to configure the resolver and add the nameserver lines to [.filename]#/etc/resolv.conf#. +If `ppp` cannot determine the hostname, it can manually be set later. [source,shell] .... @@ -527,21 +592,25 @@ At this prompt, return the prompt with the username that was provided by the ISP ISP Pass:mypassword .... -At this prompt, reply with the password that was provided by the ISP. Just like logging into FreeBSD, the password will not echo. +At this prompt, reply with the password that was provided by the ISP. +Just like logging into FreeBSD, the password will not echo. [source,shell] .... Shell or PPP:ppp .... -Depending on the ISP, this prompt might not appear. If it does, it is asking whether to use a shell on the provider or to start `ppp`. In this example, `ppp` was selected in order to establish an Internet connection. +Depending on the ISP, this prompt might not appear. +If it does, it is asking whether to use a shell on the provider or to start `ppp`. +In this example, `ppp` was selected in order to establish an Internet connection. [source,shell] .... Ppp ON example> .... -Notice that in this example the first `p` has been capitalized. This shows that we have successfully connected to the ISP. +Notice that in this example the first `p` has been capitalized. +This shows that we have successfully connected to the ISP. [source,shell] .... @@ -562,19 +631,30 @@ We have made an agreement on an IP address and successfully completed our connec PPP ON example>add default HISADDR .... -Here we add our default route, we need to do this before we can talk to the outside world as currently the only established connection is with the peer. If this fails due to existing routes, put a bang character `!` in front of the `add`. Alternatively, set this before making the actual connection and it will negotiate a new route accordingly. +Here we add our default route, we need to do this before we can talk to the outside world as currently the only established connection is with the peer. +If this fails due to existing routes, put a bang character `!` in front of the `add`. +Alternatively, set this before making the actual connection and it will negotiate a new route accordingly. -If everything went good we should now have an active connection to the Internet, which could be thrown into the background using kbd:[CTRL+z]. If `PPP` returns to `ppp` the connection has been lost. This is good to know because it shows the connection status. Capital P's represent a connection to the ISP and lowercase p's show that the connection has been lost. +If everything went good we should now have an active connection to the Internet, which could be thrown into the background using kbd:[CTRL+z]. +If `PPP` returns to `ppp` the connection has been lost. +This is good to know because it shows the connection status. +Capital P's represent a connection to the ISP and lowercase p's show that the connection has been lost. === Debugging -If a connection cannot be established, turn hardware flow CTS/RTS to off using `set ctsrts off`. This is mainly the case when connected to some PPP-capable terminal servers, where PPP hangs when it tries to write data to the communication link, and waits for a Clear To Send (CTS) signal which may never come. When using this option, include `set accmap` as it may be required to defeat hardware dependent on passing certain characters from end to end, most of the time XON/XOFF. Refer to man:ppp[8] for more information on this option and how it is used. +If a connection cannot be established, turn hardware flow CTS/RTS to off using `set ctsrts off`. +This is mainly the case when connected to some PPP-capable terminal servers, where PPP hangs when it tries to write data to the communication link, and waits for a Clear To Send (CTS) signal which may never come. +When using this option, include `set accmap` as it may be required to defeat hardware dependent on passing certain characters from end to end, most of the time XON/XOFF. +Refer to man:ppp[8] for more information on this option and how it is used. -An older modem may need `set parity even`. Parity is set at none be default, but is used for error checking with a large increase in traffic, on older modems. +An older modem may need `set parity even`. +Parity is set at none be default, but is used for error checking with a large increase in traffic, on older modems. -PPP may not return to the command mode, which is usually a negotiation error where the ISP is waiting for negotiating to begin. At this point, using `~p` will force ppp to start sending the configuration information. +PPP may not return to the command mode, which is usually a negotiation error where the ISP is waiting for negotiating to begin. +At this point, using `~p` will force ppp to start sending the configuration information. -If a login prompt never appears, PAP or CHAP authentication is most likely required. To use PAP or CHAP, add the following options to PPP before going into terminal mode: +If a login prompt never appears, PAP or CHAP authentication is most likely required. +To use PAP or CHAP, add the following options to PPP before going into terminal mode: [source,shell] .... @@ -590,7 +670,11 @@ ppp ON example> set authkey mypassword Where _mypassword_ should be replaced with the password that was assigned by the ISP. -If a connection is established, but cannot seem to find any domain name, try to man:ping[8] an IP address. If there is 100 percent (100%) packet loss, it is likely that a default route was not assigned. Double check that `add default HISADDR` was set during the connection. If a connection can be made to a remote IP address, it is possible that a resolver address has not been added to [.filename]#/etc/resolv.conf#. This file should look like: +If a connection is established, but cannot seem to find any domain name, try to man:ping[8] an IP address. +If there is 100 percent (100%) packet loss, it is likely that a default route was not assigned. +Double check that `add default HISADDR` was set during the connection. +If a connection can be made to a remote IP address, it is possible that a resolver address has not been added to [.filename]#/etc/resolv.conf#. +This file should look like: [.programlisting] .... @@ -650,13 +734,20 @@ ppp_profile="name_of_service_provider" === Using a PPPoE Service Tag -Sometimes it will be necessary to use a service tag to establish the connection. Service tags are used to distinguish between different PPPoE servers attached to a given network. +Sometimes it will be necessary to use a service tag to establish the connection. +Service tags are used to distinguish between different PPPoE servers attached to a given network. Any required service tag information should be in the documentation provided by the ISP. -As a last resort, one could try installing the package:net/rr-pppoe[] package or port. Bear in mind however, this may de-program your modem and render it useless, so think twice before doing it. Simply install the program shipped with the modem. Then, access the menu:System[] menu from the program. The name of the profile should be listed there. It is usually _ISP_. +As a last resort, one could try installing the package:net/rr-pppoe[] package or port. +Bear in mind however, this may de-program your modem and render it useless, so think twice before doing it. +Simply install the program shipped with the modem. +Then, access the menu:System[] menu from the program. +The name of the profile should be listed there. +It is usually _ISP_. -The profile name (service tag) will be used in the PPPoE configuration entry in [.filename]#ppp.conf# as the provider part for `set device`. Refer to man:ppp[8] for full details. It should look like this: +The profile name (service tag) will be used in the PPPoE configuration entry in [.filename]#ppp.conf# as the provider part for `set device`. +Refer to man:ppp[8] for full details. It should look like this: [.programlisting] .... @@ -674,7 +765,8 @@ For additional information, refer to http://renaud.waldura.com/doc/freebsd/pppoe This modem does not follow the PPPoE specification defined in http://www.faqs.org/rfcs/rfc2516.html[RFC 2516]. -In order to make FreeBSD capable of communicating with this device, a sysctl must be set. This can be done automatically at boot time by updating [.filename]#/etc/sysctl.conf#: +In order to make FreeBSD capable of communicating with this device, a sysctl must be set. +This can be done automatically at boot time by updating [.filename]#/etc/sysctl.conf#: [.programlisting] .... @@ -693,13 +785,20 @@ Unfortunately, because this is a system-wide setting, it is not possible to talk [[pppoa]] == Using PPP over ATM (PPPoA) -The following describes how to set up PPP over ATM (PPPoA). PPPoA is a popular choice among European DSL providers. +The following describes how to set up PPP over ATM (PPPoA). +PPPoA is a popular choice among European DSL providers. === Using mpd -The mpd application can be used to connect to a variety of services, in particular PPTP services. It can be installed using the package:net/mpd5[] package or port. Many ADSL modems require that a PPTP tunnel is created between the modem and computer. +The mpd application can be used to connect to a variety of services, in particular PPTP services. +It can be installed using the package:net/mpd5[] package or port. +Many ADSL modems require that a PPTP tunnel is created between the modem and computer. -Once installed, configure mpd to suit the provider's settings. The port places a set of sample configuration files which are well documented in [.filename]#/usr/local/etc/mpd/#. A complete guide to configure mpd is available in HTML format in [.filename]#/usr/ports/shared/doc/mpd/#. Here is a sample configuration for connecting to an ADSL service with mpd. The configuration is spread over two files, first the [.filename]#mpd.conf#: +Once installed, configure mpd to suit the provider's settings. +The port places a set of sample configuration files which are well documented in [.filename]#/usr/local/etc/mpd/#. +A complete guide to configure mpd is available in HTML format in [.filename]#/usr/ports/shared/doc/mpd/#. +Here is a sample configuration for connecting to an ADSL service with mpd. +The configuration is spread over two files, first the [.filename]#mpd.conf#: [NOTE] ==== @@ -736,7 +835,8 @@ adsl: <.> The username used to authenticate with your ISP. <.> The password used to authenticate with your ISP. -Information about the link, or links, to establish is found in [.filename]#mpd.links#. An example [.filename]#mpd.links# to accompany the above example is given beneath: +Information about the link, or links, to establish is found in [.filename]#mpd.links#. +An example [.filename]#mpd.links# to accompany the above example is given beneath: [.programlisting] .... @@ -773,7 +873,9 @@ Using mpd is the recommended way to connect to an ADSL service with FreeBSD. It is also possible to use FreeBSD to connect to other PPPoA services using package:net/pptpclient[]. -To use package:net/pptpclient[] to connect to a DSL service, install the port or package, then edit [.filename]#/etc/ppp/ppp.conf#. An example section of [.filename]#ppp.conf# is given below. For further information on [.filename]#ppp.conf# options consult man:ppp[8]. +To use package:net/pptpclient[] to connect to a DSL service, install the port or package, then edit [.filename]#/etc/ppp/ppp.conf#. +An example section of [.filename]#ppp.conf# is given below. +For further information on [.filename]#ppp.conf# options consult man:ppp[8]. [.programlisting] .... @@ -803,7 +905,11 @@ Since the account's password is added to [.filename]#ppp.conf# in plain text for ==== -This will open a tunnel for a PPP session to the DSL router. Ethernet DSL modems have a preconfigured LAN IP address to connect to. In the case of the Alcatel SpeedTouch(TM) Home, this address is `10.0.0.138`. The router's documentation should list the address the device uses. To open the tunnel and start a PPP session: +This will open a tunnel for a PPP session to the DSL router. +Ethernet DSL modems have a preconfigured LAN IP address to connect to. +In the case of the Alcatel SpeedTouch(TM) Home, this address is `10.0.0.138`. +The router's documentation should list the address the device uses. +To open the tunnel and start a PPP session: [source,shell] .... @@ -816,7 +922,8 @@ This will open a tunnel for a PPP session to the DSL router. Ethernet DSL modems If an ampersand ("&") is added to the end of this command, pptp will return the prompt. ==== -A [.filename]#tun# virtual tunnel device will be created for interaction between the pptp and ppp processes. Once the prompt is returned, or the pptp process has confirmed a connection, examine the tunnel: +A [.filename]#tun# virtual tunnel device will be created for interaction between the pptp and ppp processes. +Once the prompt is returned, or the pptp process has confirmed a connection, examine the tunnel: [source,shell] .... @@ -826,4 +933,5 @@ tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 Opened by PID 918 .... -If the connection fails, check the configuration of the router, which is usually accessible using a web browser. Also, examine the output of `pptp` and the contents of the log file, [.filename]#/var/log/ppp.log# for clues. +If the connection fails, check the configuration of the router, which is usually accessible using a web browser. +Also, examine the output of `pptp` and the contents of the log file, [.filename]#/var/log/ppp.log# for clues. diff --git a/documentation/content/en/books/handbook/preface/_index.adoc b/documentation/content/en/books/handbook/preface/_index.adoc index 26bfdbdca7..0285b89f5f 100644 --- a/documentation/content/en/books/handbook/preface/_index.adoc +++ b/documentation/content/en/books/handbook/preface/_index.adoc @@ -23,16 +23,19 @@ tags: ["preface", "audience", "organization", "conventions", "acknowledgments"] [[preface-audience]] == Intended Audience -The FreeBSD newcomer will find that the first section of this book guides the user through the FreeBSD installation process and gently introduces the concepts and conventions that underpin UNIX(R). Working through this section requires little more than the desire to explore, and the ability to take on board new concepts as they are introduced. +The FreeBSD newcomer will find that the first section of this book guides the user through the FreeBSD installation process and gently introduces the concepts and conventions that underpin UNIX(R). +Working through this section requires little more than the desire to explore, and the ability to take on board new concepts as they are introduced. -Once you have traveled this far, the second, far larger, section of the Handbook is a comprehensive reference to all manner of topics of interest to FreeBSD system administrators. Some of these chapters may recommend that you do some prior reading, and this is noted in the synopsis at the beginning of each chapter. +Once you have traveled this far, the second, far larger, section of the Handbook is a comprehensive reference to all manner of topics of interest to FreeBSD system administrators. +Some of these chapters may recommend that you do some prior reading, and this is noted in the synopsis at the beginning of each chapter. For a list of additional sources of information, please see crossref:bibliography[bibliography,Bibliography]. [[preface-changes-from3]] == Changes from the Third Edition -The current online version of the Handbook represents the cumulative effort of many hundreds of contributors over the past 10 years. The following are some of the significant changes since the two volume third edition was published in 2004: +The current online version of the Handbook represents the cumulative effort of many hundreds of contributors over the past 10 years. +The following are some of the significant changes since the two volume third edition was published in 2004: * crossref:wine[wine,WINE] has been added with information about how to run Windows(R) applications on FreeBSD.</para> * crossref:dtrace[dtrace,DTrace] has been added with information about the powerful DTrace performance analysis tool. @@ -44,7 +47,9 @@ The current online version of the Handbook represents the cumulative effort of m [[preface-changes-from2]] == Changes from the Second Edition (2004) -The third edition was the culmination of over two years of work by the dedicated members of the FreeBSD Documentation Project. The printed edition grew to such a size that it was necessary to publish as two separate volumes. The following are the major changes in this new edition: +The third edition was the culmination of over two years of work by the dedicated members of the FreeBSD Documentation Project. +The printed edition grew to such a size that it was necessary to publish as two separate volumes. +The following are the major changes in this new edition: * crossref:config[config-tuning,Configuration and Tuning] has been expanded with new information about the ACPI power and resource management, the `cron` system utility, and more kernel tuning options. * crossref:security[security,Security] has been expanded with new information about virtual private networks (VPNs), file system access control lists (ACLs), and security advisories. @@ -60,7 +65,8 @@ The third edition was the culmination of over two years of work by the dedicated [[preface-changes]] == Changes from the First Edition (2001) -The second edition was the culmination of over two years of work by the dedicated members of the FreeBSD Documentation Project. The following were the major changes in this edition: +The second edition was the culmination of over two years of work by the dedicated members of the FreeBSD Documentation Project. +The following were the major changes in this edition: * A complete Index has been added. * All ASCII figures have been replaced by graphical diagrams. @@ -84,7 +90,16 @@ The second edition was the culmination of over two years of work by the dedicate [[preface-overview]] == Organization of This Book -This book is split into five logically distinct sections. The first section, _Getting Started_, covers the installation and basic usage of FreeBSD. It is expected that the reader will follow these chapters in sequence, possibly skipping chapters covering familiar topics. The second section, _Common Tasks_, covers some frequently used features of FreeBSD. This section, and all subsequent sections, can be read out of order. Each chapter begins with a succinct synopsis that describes what the chapter covers and what the reader is expected to already know. This is meant to allow the casual reader to skip around to find chapters of interest. The third section, _System Administration_, covers administration topics. The fourth section, _Network Communication_, covers networking and server topics. The fifth section contains appendices of reference information. +This book is split into five logically distinct sections. +The first section, _Getting Started_, covers the installation and basic usage of FreeBSD. +It is expected that the reader will follow these chapters in sequence, possibly skipping chapters covering familiar topics. +The second section, _Common Tasks_, covers some frequently used features of FreeBSD. +This section, and all subsequent sections, can be read out of order. +Each chapter begins with a succinct synopsis that describes what the chapter covers and what the reader is expected to already know. +This is meant to allow the casual reader to skip around to find chapters of interest. +The third section, _System Administration_, covers administration topics. +The fourth section, _Network Communication_, covers networking and server topics. +The fifth section contains appendices of reference information. _crossref:introduction[introduction,Introduction]_:: Introduces FreeBSD to a new user. It describes the history of the FreeBSD Project, its goals and development model. @@ -205,7 +220,8 @@ A *bold* font is used for applications, commands, and keys. [[preface-conv-commands]] === User Input -Keys are shown in *bold* to stand out from other text. Key combinations that are meant to be typed simultaneously are shown with `+` between the keys, such as: +Keys are shown in *bold* to stand out from other text. +Key combinations that are meant to be typed simultaneously are shown with `+` between the keys, such as: kbd:[Ctrl+Alt+Del] @@ -220,21 +236,24 @@ Would mean that the user is expected to type the kbd:[Ctrl] and kbd:[X] keys sim [[preface-conv-examples]] === Examples -Examples starting with [.filename]#C:\># indicate a MS-DOS(R) command. Unless otherwise noted, these commands may be executed from a "Command Prompt" window in a modern Microsoft(R) Windows(R) environment. +Examples starting with [.filename]#C:\># indicate a MS-DOS(R) command. +Unless otherwise noted, these commands may be executed from a "Command Prompt" window in a modern Microsoft(R) Windows(R) environment. [source,shell] .... C:\> tools\fdimage floppies\kern.flp A: .... -Examples starting with # indicate a command that must be invoked as the superuser in FreeBSD. You can login as `root` to type the command, or login as your normal account and use man:su[1] to gain superuser privileges. +Examples starting with # indicate a command that must be invoked as the superuser in FreeBSD. +You can login as `root` to type the command, or login as your normal account and use man:su[1] to gain superuser privileges. [source,shell] .... # dd if=kern.flp of=/dev/fd0 .... -Examples starting with % indicate a command that should be invoked from a normal user account. Unless otherwise noted, C-shell syntax is used for setting environment variables and other shell commands. +Examples starting with % indicate a command that should be invoked from a normal user account. +Unless otherwise noted, C-shell syntax is used for setting environment variables and other shell commands. [source,shell] .... @@ -244,6 +263,11 @@ Examples starting with % indicate a command that should be invoked from a normal [[preface-acknowledgements]] == Acknowledgments -The book you are holding represents the efforts of many hundreds of people around the world. Whether they sent in fixes for typos, or submitted complete chapters, all the contributions have been useful. +The book you are holding represents the efforts of many hundreds of people around the world. +Whether they sent in fixes for typos, or submitted complete chapters, all the contributions have been useful. -Several companies have supported the development of this document by paying authors to work on it full-time, paying for publication, etc. In particular, BSDi (subsequently acquired by http://www.windriver.com[Wind River Systems]) paid members of the FreeBSD Documentation Project to work on improving this book full time leading up to the publication of the first printed edition in March 2000 (ISBN 1-57176-241-8). Wind River Systems then paid several additional authors to make a number of improvements to the print-output infrastructure and to add additional chapters to the text. This work culminated in the publication of the second printed edition in November 2001 (ISBN 1-57176-303-1). In 2003-2004, http://www.freebsdmall.com[FreeBSD Mall, Inc], paid several contributors to improve the Handbook in preparation for the third printed edition. +Several companies have supported the development of this document by paying authors to work on it full-time, paying for publication, etc. +In particular, BSDi (subsequently acquired by http://www.windriver.com[Wind River Systems]) paid members of the FreeBSD Documentation Project to work on improving this book full time leading up to the publication of the first printed edition in March 2000 (ISBN 1-57176-241-8). +Wind River Systems then paid several additional authors to make a number of improvements to the print-output infrastructure and to add additional chapters to the text. +This work culminated in the publication of the second printed edition in November 2001 (ISBN 1-57176-303-1). +In 2003-2004, http://www.freebsdmall.com[FreeBSD Mall, Inc], paid several contributors to improve the Handbook in preparation for the third printed edition. diff --git a/documentation/content/en/books/handbook/printing/_index.adoc b/documentation/content/en/books/handbook/printing/_index.adoc index 87f618fb40..a4465b38c0 100644 --- a/documentation/content/en/books/handbook/printing/_index.adoc +++ b/documentation/content/en/books/handbook/printing/_index.adoc @@ -43,12 +43,16 @@ include::shared/en/urls.adoc[] toc::[] -Putting information on paper is a vital function, despite many attempts to eliminate it. Printing has two basic components. The data must be delivered to the printer, and must be in a form that the printer can understand. +Putting information on paper is a vital function, despite many attempts to eliminate it. +Printing has two basic components. +The data must be delivered to the printer, and must be in a form that the printer can understand. [[printing-quick-start]] == Quick Start -Basic printing can be set up quickly. The printer must be capable of printing plain `ASCII` text. For printing to other types of files, see <<printing-lpd-filters>>. +Basic printing can be set up quickly. +The printer must be capable of printing plain `ASCII` text. +For printing to other types of files, see <<printing-lpd-filters>>. [.procedure] **** @@ -115,11 +119,11 @@ Starting lpd. + [TIP] ==== - If both lines do not start at the left border, but "stairstep" instead, see <<printing-lpd-filters-stairstep>>. ==== + -Text files can now be printed with `lpr`. Give the filename on the command line, or pipe output directly into `lpr`. +Text files can now be printed with `lpr`. +Give the filename on the command line, or pipe output directly into `lpr`. + [source,shell] .... @@ -131,7 +135,11 @@ Text files can now be printed with `lpr`. Give the filename on the command line, [[printing-connections]] == Printer Connections -Printers are connected to computer systems in a variety of ways. Small desktop printers are usually connected directly to a computer's `USB` port. Older printers are connected to a parallel or "printer" port. Some printers are directly connected to a network, making it easy for multiple computers to share them. A few printers use a rare serial port connection. +Printers are connected to computer systems in a variety of ways. +Small desktop printers are usually connected directly to a computer's `USB` port. +Older printers are connected to a parallel or "printer" port. +Some printers are directly connected to a network, making it easy for multiple computers to share them. +A few printers use a rare serial port connection. FreeBSD can communicate with all of these types of printers. @@ -139,62 +147,109 @@ FreeBSD can communicate with all of these types of printers. `USB`:: `USB` printers can be connected to any available `USB` port on the computer. + -When FreeBSD detects a `USB` printer, two device entries are created: [.filename]#/dev/ulpt0# and [.filename]#/dev/unlpt0#. Data sent to either device will be relayed to the printer. After each print job, [.filename]#ulpt0# resets the `USB` port. Resetting the port can cause problems with some printers, so the [.filename]#unlpt0# device is usually used instead. [.filename]#unlpt0# does not reset the USB port at all. +When FreeBSD detects a `USB` printer, two device entries are created: [.filename]#/dev/ulpt0# and [.filename]#/dev/unlpt0#. +Data sent to either device will be relayed to the printer. +After each print job, [.filename]#ulpt0# resets the `USB` port. +Resetting the port can cause problems with some printers, so the [.filename]#unlpt0# device is usually used instead. +[.filename]#unlpt0# does not reset the USB port at all. + [[printing-connections-parallel]] Parallel (`IEEE`-1284):: -The parallel port device is [.filename]#/dev/lpt0#. This device appears whether a printer is attached or not, it is not autodetected. +The parallel port device is [.filename]#/dev/lpt0#. +This device appears whether a printer is attached or not, it is not autodetected. + -Vendors have largely moved away from these "legacy" ports, and many computers no longer have them. Adapters can be used to connect a parallel printer to a `USB` port. With such an adapter, the printer can be treated as if it were actually a `USB` printer. Devices called _print servers_ can also be used to connect parallel printers directly to a network. +Vendors have largely moved away from these "legacy" ports, and many computers no longer have them. +Adapters can be used to connect a parallel printer to a `USB` port. +With such an adapter, the printer can be treated as if it were actually a `USB` printer. +Devices called _print servers_ can also be used to connect parallel printers directly to a network. + [[printing-connections-serial]] Serial (RS-232):: -Serial ports are another legacy port, rarely used for printers except in certain niche applications. Cables, connectors, and required wiring vary widely. +Serial ports are another legacy port, rarely used for printers except in certain niche applications. +Cables, connectors, and required wiring vary widely. + -For serial ports built into a motherboard, the serial device name is [.filename]#/dev/cuau0# or [.filename]#/dev/cuau1#. Serial `USB` adapters can also be used, and these will appear as [.filename]#/dev/cuaU0#. +For serial ports built into a motherboard, the serial device name is [.filename]#/dev/cuau0# or [.filename]#/dev/cuau1#. +Serial `USB` adapters can also be used, and these will appear as [.filename]#/dev/cuaU0#. + -Several communication parameters must be known to communicate with a serial printer. The most important are _baud rate_ or `BPS` (Bits Per Second) and _parity_. Values vary, but typical serial printers use a baud rate of 9600 and no parity. +Several communication parameters must be known to communicate with a serial printer. +The most important are _baud rate_ or `BPS` (Bits Per Second) and _parity_. +Values vary, but typical serial printers use a baud rate of 9600 and no parity. + [[printing-connections-network]] Network:: Network printers are connected directly to the local computer network. + -The `DNS` hostname of the printer must be known. If the printer is assigned a dynamic address by `DHCP`, `DNS` should be dynamically updated so that the host name always has the correct `IP` address. Network printers are often given static `IP` addresses to avoid this problem. +The `DNS` hostname of the printer must be known. +If the printer is assigned a dynamic address by `DHCP`, `DNS` should be dynamically updated so that the host name always has the correct `IP` address. +Network printers are often given static `IP` addresses to avoid this problem. + -Most network printers understand print jobs sent with the LPD protocol. A print queue name can also be specified. Some printers process data differently depending on which queue is used. For example, a `raw` queue prints the data unchanged, while the `text` queue adds carriage returns to plain text. +Most network printers understand print jobs sent with the LPD protocol. +A print queue name can also be specified. +Some printers process data differently depending on which queue is used. +For example, a `raw` queue prints the data unchanged, while the `text` queue adds carriage returns to plain text. + Many network printers can also print data sent directly to port 9100. [[printing-connections-summary]] === Summary -Wired network connections are usually the easiest to set up and give the fastest printing. For direct connection to the computer, `USB` is preferred for speed and simplicity. Parallel connections work but have limitations on cable length and speed. Serial connections are more difficult to configure. Cable wiring differs between models, and communication parameters like baud rate and parity bits must add to the complexity. Fortunately, serial printers are rare. +Wired network connections are usually the easiest to set up and give the fastest printing. +For direct connection to the computer, `USB` is preferred for speed and simplicity. +Parallel connections work but have limitations on cable length and speed. +Serial connections are more difficult to configure. +Cable wiring differs between models, and communication parameters like baud rate and parity bits must add to the complexity. +Fortunately, serial printers are rare. [[printing-pdls]] == Common Page Description Languages -Data sent to a printer must be in a language that the printer can understand. These languages are called Page Description Languages, or PDLs. +Data sent to a printer must be in a language that the printer can understand. +These languages are called Page Description Languages, or PDLs. + [[print-pdls-ascii]] `ASCII`:: -Plain `ASCII` text is the simplest way to send data to a printer. Characters correspond one to one with what will be printed: an `A` in the data prints an `A` on the page. Very little formatting is available. There is no way to select a font or proportional spacing. The forced simplicity of plain `ASCII` means that text can be printed straight from the computer with little or no encoding or translation. The printed output corresponds directly with what was sent. +Plain `ASCII` text is the simplest way to send data to a printer. +Characters correspond one to one with what will be printed: an `A` in the data prints an `A` on the page. +Very little formatting is available. +There is no way to select a font or proportional spacing. +The forced simplicity of plain `ASCII` means that text can be printed straight from the computer with little or no encoding or translation. +The printed output corresponds directly with what was sent. + -Some inexpensive printers cannot print plain `ASCII` text. This makes them more difficult to set up, but it is usually still possible. +Some inexpensive printers cannot print plain `ASCII` text. +This makes them more difficult to set up, but it is usually still possible. + [[print-pdls-postscript]] PostScript(R):: -PostScript(R) is almost the opposite of `ASCII`. Rather than simple text, a PostScript(R) program is a set of instructions that draw the final document. Different fonts and graphics can be used. However, this power comes at a price. The program that draws the page must be written. Usually this program is generated by application software, so the process is invisible to the user. +PostScript(R) is almost the opposite of `ASCII`. +Rather than simple text, a PostScript(R) program is a set of instructions that draw the final document. +Different fonts and graphics can be used. +However, this power comes at a price. +The program that draws the page must be written. +Usually this program is generated by application software, so the process is invisible to the user. + Inexpensive printers sometimes leave out PostScript(R) compatibility as a cost-saving measure. [[print-pdls-pcl]] `PCL` (Printer Command Language):: -`PCL` is an extension of `ASCII`, adding escape sequences for formatting, font selection, and printing graphics. Many printers provide `PCL5` support. Some support the newer `PCL6` or `PCLXL`. These later versions are supersets of `PCL5` and can provide faster printing. +`PCL` is an extension of `ASCII`, adding escape sequences for formatting, font selection, and printing graphics. +Many printers provide `PCL5` support. +Some support the newer `PCL6` or `PCLXL`. +These later versions are supersets of `PCL5` and can provide faster printing. + [[print-pdls-host-based]] Host-Based:: -Manufacturers can reduce the cost of a printer by giving it a simple processor and very little memory. These printers are not capable of printing plain text. Instead, bitmaps of text and graphics are drawn by a driver on the host computer and then sent to the printer. These are called _host-based_ printers. +Manufacturers can reduce the cost of a printer by giving it a simple processor and very little memory. +These printers are not capable of printing plain text. +Instead, bitmaps of text and graphics are drawn by a driver on the host computer and then sent to the printer. +These are called _host-based_ printers. + Communication between the driver and a host-based printer is often through proprietary or undocumented protocols, making them functional only on the most common operating systems. [[print-pdls-table]] === Converting PostScript(R) to Other PDLs -Many applications from the Ports Collection and FreeBSD utilities produce PostScript(R) output. This table shows the utilities available to convert that into other common PDLs: +Many applications from the Ports Collection and FreeBSD utilities produce PostScript(R) output. +This table shows the utilities available to convert that into other common PDLs: [[print-pdls-ps-to-other-tbl]] .Output PDLs @@ -224,18 +279,28 @@ Many applications from the Ports Collection and FreeBSD utilities produce PostSc [[print-pdls-summary]] === Summary -For the easiest printing, choose a printer that supports PostScript(R). Printers that support `PCL` are the next preferred. With package:print/ghostscript9-base[], these printers can be used as if they understood PostScript(R) natively. Printers that support PostScript(R) or `PCL` directly almost always support direct printing of plain `ASCII` text files also. +For the easiest printing, choose a printer that supports PostScript(R). +Printers that support `PCL` are the next preferred. +With package:print/ghostscript9-base[], these printers can be used as if they understood PostScript(R) natively. +Printers that support PostScript(R) or `PCL` directly almost always support direct printing of plain `ASCII` text files also. -Line-based printers like typical inkjets usually do not support PostScript(R) or `PCL`. They often can print plain `ASCII` text files. package:print/ghostscript9-base[] supports the PDLs used by some of these printers. However, printing an entire graphic-based page on these printers is often very slow due to the large amount of data to be transferred and printed. +Line-based printers like typical inkjets usually do not support PostScript(R) or `PCL`. +They often can print plain `ASCII` text files. +package:print/ghostscript9-base[] supports the PDLs used by some of these printers. +However, printing an entire graphic-based page on these printers is often very slow due to the large amount of data to be transferred and printed. -Host-based printers are often more difficult to set up. Some cannot be used at all because of proprietary PDLs. Avoid these printers when possible. +Host-based printers are often more difficult to set up. +Some cannot be used at all because of proprietary PDLs. +Avoid these printers when possible. -Descriptions of many PDLs can be found at http://www.undocprint.org/formats/page_description_languages[]. The particular `PDL` used by various models of printers can be found at http://www.openprinting.org/printers[]. +Descriptions of many PDLs can be found at http://www.undocprint.org/formats/page_description_languages[]. +The particular `PDL` used by various models of printers can be found at http://www.openprinting.org/printers[]. [[printing-direct]] == Direct Printing -For occasional printing, files can be sent directly to a printer device without any setup. For example, a file called [.filename]#sample.txt# can be sent to a `USB` printer: +For occasional printing, files can be sent directly to a printer device without any setup. +For example, a file called [.filename]#sample.txt# can be sent to a `USB` printer: [source,shell] .... @@ -252,9 +317,11 @@ Direct printing to network printers depends on the abilities of the printer, but [[printing-lpd]] == LPD (Line Printer Daemon) -Printing a file in the background is called _spooling_. A spooler allows the user to continue with other programs on the computer without waiting for the printer to slowly complete the print job. +Printing a file in the background is called _spooling_. +A spooler allows the user to continue with other programs on the computer without waiting for the printer to slowly complete the print job. -FreeBSD includes a spooler called man:lpd[8]. Print jobs are submitted with man:lpr[1]. +FreeBSD includes a spooler called man:lpd[8]. +Print jobs are submitted with man:lpr[1]. [[printing-lpd-setup]] === Initial Setup @@ -268,7 +335,9 @@ A directory for storing print jobs is created, ownership is set, and the permiss # chmod 770 /var/spool/lpd/lp .... -Printers are defined in [.filename]#/etc/printcap#. An entry for each printer includes details like a name, the port where it is attached, and various other settings. Create [.filename]#/etc/printcap# with these contents: +Printers are defined in [.filename]#/etc/printcap#. +An entry for each printer includes details like a name, the port where it is attached, and various other settings. +Create [.filename]#/etc/printcap# with these contents: [.programlisting] .... @@ -318,7 +387,9 @@ Start the service: [[printing-lpd-lpr]] === Printing with man:lpr[1] -Documents are sent to the printer with `lpr`. A file to be printed can be named on the command line or piped into `lpr`. These two commands are equivalent, sending the contents of [.filename]#doc.txt# to the default printer: +Documents are sent to the printer with `lpr`. +A file to be printed can be named on the command line or piped into `lpr`. +These two commands are equivalent, sending the contents of [.filename]#doc.txt# to the default printer: [source,shell] .... @@ -326,7 +397,8 @@ Documents are sent to the printer with `lpr`. A file to be printed can be named % cat doc.txt | lpr .... -Printers can be selected with `-P`. To print to a printer called _laser_: +Printers can be selected with `-P`. +To print to a printer called _laser_: [source,shell] .... @@ -336,15 +408,21 @@ Printers can be selected with `-P`. To print to a printer called _laser_: [[printing-lpd-filters]] === Filters -The examples shown so far have sent the contents of a text file directly to the printer. As long as the printer understands the content of those files, output will be printed correctly. +The examples shown so far have sent the contents of a text file directly to the printer. +As long as the printer understands the content of those files, output will be printed correctly. Some printers are not capable of printing plain text, and the input file might not even be plain text. -_Filters_ allow files to be translated or processed. The typical use is to translate one type of input, like plain text, into a form that the printer can understand, like PostScript(R) or `PCL`. Filters can also be used to provide additional features, like adding page numbers or highlighting source code to make it easier to read. +_Filters_ allow files to be translated or processed. +The typical use is to translate one type of input, like plain text, into a form that the printer can understand, like PostScript(R) or `PCL`. +Filters can also be used to provide additional features, like adding page numbers or highlighting source code to make it easier to read. -The filters discussed here are _input filters_ or _text filters_. These filters convert the incoming file into different forms. Use man:su[1] to become `root` before creating the files. +The filters discussed here are _input filters_ or _text filters_. +These filters convert the incoming file into different forms. +Use man:su[1] to become `root` before creating the files. -Filters are specified in [.filename]#/etc/printcap# with the `if=` identifier. To use [.filename]#/usr/local/libexec/lf2crlf# as a filter, modify [.filename]#/etc/printcap# like this: +Filters are specified in [.filename]#/etc/printcap# with the `if=` identifier. +To use [.filename]#/usr/local/libexec/lf2crlf# as a filter, modify [.filename]#/etc/printcap# like this: [.programlisting] .... @@ -361,8 +439,8 @@ lp:\ [TIP] ==== - -The backslash _line continuation_ characters at the end of the lines in [.filename]#printcap# entries reveal that an entry for a printer is really just one long line with entries delimited by colon characters. An earlier example can be rewritten as a single less-readable line: +The backslash _line continuation_ characters at the end of the lines in [.filename]#printcap# entries reveal that an entry for a printer is really just one long line with entries delimited by colon characters. +An earlier example can be rewritten as a single less-readable line: [.programlisting] .... @@ -374,7 +452,8 @@ lp:lp=/dev/unlpt0:sh:mx#0:sd=/var/spool/lpd/lp:if=/usr/local/libexec/lf2crlf:lf= [[printing-lpd-filters-stairstep]] ==== Preventing Stairstepping on Plain Text Printers -Typical FreeBSD text files contain only a single line feed character at the end of each line. These lines will "stairstep" on a standard printer: +Typical FreeBSD text files contain only a single line feed character at the end of each line. +These lines will "stairstep" on a standard printer: [.programlisting] .... @@ -383,7 +462,9 @@ A printed file looks scattered by the wind .... -A filter can convert the newline characters into carriage returns and newlines. The carriage returns make the printer return to the left after each line. Create [.filename]#/usr/local/libexec/lf2crlf# with these contents: +A filter can convert the newline characters into carriage returns and newlines. +The carriage returns make the printer return to the left after each line. +Create [.filename]#/usr/local/libexec/lf2crlf# with these contents: [.programlisting] .... @@ -406,12 +487,15 @@ Modify [.filename]#/etc/printcap# to use the new filter: :if=/usr/local/libexec/lf2crlf:\ .... -Test the filter by printing the same plain text file. The carriage returns will cause each line to start at the left side of the page. +Test the filter by printing the same plain text file. +The carriage returns will cause each line to start at the left side of the page. [[printing-lpd-filters-enscript]] ==== Fancy Plain Text on PostScript(R) Printers with package:print/enscript[] -GNUEnscript converts plain text files into nicely-formatted PostScript(R) for printing on PostScript(R) printers. It adds page numbers, wraps long lines, and provides numerous other features to make printed text files easier to read. Depending on the local paper size, install either package:print/enscript-letter[] or package:print/enscript-a4[] from the Ports Collection. +GNUEnscript converts plain text files into nicely-formatted PostScript(R) for printing on PostScript(R) printers. +It adds page numbers, wraps long lines, and provides numerous other features to make printed text files easier to read. +Depending on the local paper size, install either package:print/enscript-letter[] or package:print/enscript-a4[] from the Ports Collection. Create [.filename]#/usr/local/libexec/enscript# with these contents: @@ -440,7 +524,9 @@ Test the filter by printing a plain text file. [[printing-lpd-filters-ps2pcl]] ==== Printing PostScript(R) to `PCL` Printers -Many programs produce PostScript(R) documents. However, inexpensive printers often only understand plain text or `PCL`. This filter converts PostScript(R) files to `PCL` before sending them to the printer. +Many programs produce PostScript(R) documents. +However, inexpensive printers often only understand plain text or `PCL`. +This filter converts PostScript(R) files to `PCL` before sending them to the printer. Install the Ghostscript PostScript(R) interpreter, package:print/ghostscript9-base[], from the Ports Collection. @@ -479,7 +565,12 @@ Test the filter by sending a small PostScript(R) program to it: [[printing-lpd-filters-smart]] ==== Smart Filters -A filter that detects the type of input and automatically converts it to the correct format for the printer can be very convenient. The first two characters of a PostScript(R) file are usually `%!`. A filter can detect those two characters. PostScript(R) files can be sent on to a PostScript(R) printer unchanged. Text files can be converted to PostScript(R) with Enscript as shown earlier. Create [.filename]#/usr/local/libexec/psif# with these contents: +A filter that detects the type of input and automatically converts it to the correct format for the printer can be very convenient. +The first two characters of a PostScript(R) file are usually `%!`. +A filter can detect those two characters. +PostScript(R) files can be sent on to a PostScript(R) printer unchanged. +Text files can be converted to PostScript(R) with Enscript as shown earlier. +Create [.filename]#/usr/local/libexec/psif# with these contents: [.programlisting] .... @@ -523,14 +614,20 @@ Test the filter by printing PostScript(R) and plain text files. [[printing-lpd-filters-othersmart]] ==== Other Smart Filters -Writing a filter that detects many different types of input and formats them correctly is challenging. package:print/apsfilter[] from the Ports Collection is a smart "magic" filter that detects dozens of file types and automatically converts them to the `PDL` understood by the printer. See http://www.apsfilter.org[] for more details. +Writing a filter that detects many different types of input and formats them correctly is challenging. +package:print/apsfilter[] from the Ports Collection is a smart "magic" filter that detects dozens of file types and automatically converts them to the `PDL` understood by the printer. +See http://www.apsfilter.org[] for more details. [[printing-lpd-queues]] === Multiple Queues -The entries in [.filename]#/etc/printcap# are really definitions of _queues_. There can be more than one queue for a single printer. When combined with filters, multiple queues provide users more control over how their jobs are printed. +The entries in [.filename]#/etc/printcap# are really definitions of _queues_. +There can be more than one queue for a single printer. +When combined with filters, multiple queues provide users more control over how their jobs are printed. -As an example, consider a networked PostScript(R) laser printer in an office. Most users want to print plain text, but a few advanced users want to be able to print PostScript(R) files directly. Two entries can be created for the same printer in [.filename]#/etc/printcap#: +As an example, consider a networked PostScript(R) laser printer in an office. +Most users want to print plain text, but a few advanced users want to be able to print PostScript(R) files directly. +Two entries can be created for the same printer in [.filename]#/etc/printcap#: [.programlisting] .... @@ -550,9 +647,11 @@ psprinter:\ :lf=/var/log/lpd-errs: .... -Documents sent to `textprinter` will be formatted by the [.filename]#/usr/local/libexec/enscript# filter shown in an earlier example. Advanced users can print PostScript(R) files on `psprinter`, where no filtering is done. +Documents sent to `textprinter` will be formatted by the [.filename]#/usr/local/libexec/enscript# filter shown in an earlier example. +Advanced users can print PostScript(R) files on `psprinter`, where no filtering is done. -This multiple queue technique can be used to provide direct access to all kinds of printer features. A printer with a duplexer could use two queues, one for ordinary single-sided printing, and one with a filter that sends the command sequence to enable double-sided printing and then sends the incoming file. +This multiple queue technique can be used to provide direct access to all kinds of printer features. +A printer with a duplexer could use two queues, one for ordinary single-sided printing, and one with a filter that sends the command sequence to enable double-sided printing and then sends the incoming file. [[printing-lpd-monitor]] === Monitoring and Controlling Printing @@ -562,7 +661,8 @@ Several utilities are available to monitor print jobs and check and control prin [[printing-lpd-monitor-lpq]] ==== man:lpq[1] -man:lpq[1] shows the status of a user's print jobs. Print jobs from other users are not shown. +man:lpq[1] shows the status of a user's print jobs. +Print jobs from other users are not shown. Show the current user's pending jobs on a single printer: @@ -590,7 +690,9 @@ Rank Owner Job Files Total Size [[printing-lpd-monitor-lprm]] ==== man:lprm[1] -man:lprm[1] is used to remove print jobs. Normal users are only allowed to remove their own jobs. `root` can remove any or all jobs. +man:lprm[1] is used to remove print jobs. +Normal users are only allowed to remove their own jobs. +`root` can remove any or all jobs. Remove all pending jobs from a printer: @@ -605,7 +707,8 @@ dfA004smithy dequeued cfA004smithy dequeued .... -Remove a single job from a printer. man:lpq[1] is used to find the job number. +Remove a single job from a printer. +man:lpq[1] is used to find the job number. [source,shell] .... @@ -621,7 +724,11 @@ cfA005smithy dequeued [[printing-lpd-monitor-lpc]] ==== man:lpc[8] -man:lpc[8] is used to check and modify printer status. `lpc` is followed by a command and an optional printer name. `all` can be used instead of a specific printer name, and the command will be applied to all printers. Normal users can view status with man:lpc[8]. Only `root` can use commands which modify printer status. +man:lpc[8] is used to check and modify printer status. +`lpc` is followed by a command and an optional printer name. +`all` can be used instead of a specific printer name, and the command will be applied to all printers. +Normal users can view status with man:lpc[8]. +Only `root` can use commands which modify printer status. Show the status of all printers: @@ -652,7 +759,8 @@ lp: queuing enabled .... -Stop printing, but continue to accept new jobs. Then begin printing again: +Stop printing, but continue to accept new jobs. +Then begin printing again: [source,shell] .... @@ -701,19 +809,23 @@ See man:lpc[8] for more commands and options. [[printing-lpd-shared]] === Shared Printers -Printers are often shared by multiple users in businesses and schools. Additional features are provided to make sharing printers more convenient. +Printers are often shared by multiple users in businesses and schools. +Additional features are provided to make sharing printers more convenient. [[printing-shared-aliases]] ==== Aliases -The printer name is set in the first line of the entry in [.filename]#/etc/printcap#. Additional names, or _aliases_, can be added after that name. Aliases are separated from the name and each other by vertical bars: +The printer name is set in the first line of the entry in [.filename]#/etc/printcap#. +Additional names, or _aliases_, can be added after that name. +Aliases are separated from the name and each other by vertical bars: [.programlisting] .... lp|repairsprinter|salesprinter:\ .... -Aliases can be used in place of the printer name. For example, users in the Sales department print to their printer with +Aliases can be used in place of the printer name. +For example, users in the Sales department print to their printer with [source,shell] .... @@ -727,18 +839,28 @@ Users in the Repairs department print to _their_ printer with % lpr -Prepairsprinter repairs-report.txt .... -All of the documents print on that single printer. When the Sales department grows enough to need their own printer, the alias can be removed from the shared printer entry and used as the name of a new printer. Users in both departments continue to use the same commands, but the Sales documents are sent to the new printer. +All of the documents print on that single printer. +When the Sales department grows enough to need their own printer, the alias can be removed from the shared printer entry and used as the name of a new printer. +Users in both departments continue to use the same commands, but the Sales documents are sent to the new printer. [[printing-shared-headers]] ==== Header Pages -It can be difficult for users to locate their documents in the stack of pages produced by a busy shared printer. _Header pages_ were created to solve this problem. A header page with the user name and document name is printed before each print job. These pages are also sometimes called _banner_ or _separator_ pages. +It can be difficult for users to locate their documents in the stack of pages produced by a busy shared printer. +_Header pages_ were created to solve this problem. +A header page with the user name and document name is printed before each print job. +These pages are also sometimes called _banner_ or _separator_ pages. Enabling header pages differs depending on whether the printer is connected directly to the computer with a `USB`, parallel, or serial cable, or is connected remotely over a network. -Header pages on directly-connected printers are enabled by removing the `:sh:\` (Suppress Header) line from the entry in [.filename]#/etc/printcap#. These header pages only use line feed characters for new lines. Some printers will need the [.filename]#/usr/share/examples/printing/hpif# filter to prevent stairstepped text. The filter configures `PCL` printers to print both carriage returns and line feeds when a line feed is received. +Header pages on directly-connected printers are enabled by removing the `:sh:\` (Suppress Header) line from the entry in [.filename]#/etc/printcap#. +These header pages only use line feed characters for new lines. +Some printers will need the [.filename]#/usr/share/examples/printing/hpif# filter to prevent stairstepped text. +The filter configures `PCL` printers to print both carriage returns and line feeds when a line feed is received. -Header pages for network printers must be configured on the printer itself. Header page entries in [.filename]#/etc/printcap# are ignored. Settings are usually available from the printer front panel or a configuration web page accessible with a web browser. +Header pages for network printers must be configured on the printer itself. +Header page entries in [.filename]#/etc/printcap# are ignored. +Settings are usually available from the printer front panel or a configuration web page accessible with a web browser. [[printing-lpd-references]] === References @@ -752,12 +874,14 @@ Manual pages: man:printcap[5], man:lpd[8], man:lpr[1], man:lpc[8], man:lprm[1], [[printing-other]] == Other Printing Systems -Several other printing systems are available in addition to the built-in man:lpd[8]. These systems offer support for other protocols or additional features. +Several other printing systems are available in addition to the built-in man:lpd[8]. +These systems offer support for other protocols or additional features. [[printing-other-cups]] === CUPS (Common UNIX(R) Printing System) -CUPS is a popular printing system available on many operating systems. Using CUPS on FreeBSD is documented in a separate article: link:{cups}[CUPS] +CUPS is a popular printing system available on many operating systems. +Using CUPS on FreeBSD is documented in a separate article: link:{cups}[CUPS] [[printing-other-hplip]] === HPLIP @@ -771,4 +895,6 @@ Configuration information is shown at https://developers.hp.com/hp-linux-imaging [[printing-other-lprng]] === LPRng -LPRng was developed as an enhanced alternative to man:lpd[8]. The port is package:sysutils/LPRng[]. For details and documentation, see http://www.lprng.com/[]. +LPRng was developed as an enhanced alternative to man:lpd[8]. +The port is package:sysutils/LPRng[]. +For details and documentation, see http://www.lprng.com/[]. diff --git a/documentation/content/en/books/handbook/security/_index.adoc b/documentation/content/en/books/handbook/security/_index.adoc index 6c576267c8..1d9d764b47 100644 --- a/documentation/content/en/books/handbook/security/_index.adoc +++ b/documentation/content/en/books/handbook/security/_index.adoc @@ -46,9 +46,11 @@ toc::[] [[security-synopsis]] == Synopsis -Security, whether physical or virtual, is a topic so broad that an entire industry has evolved around it. Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must. +Security, whether physical or virtual, is a topic so broad that an entire industry has evolved around it. +Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must. -In this chapter, several fundamentals and techniques will be discussed. The FreeBSD system comes with multiple layers of security, and many more third party utilities may be added to enhance security. +In this chapter, several fundamentals and techniques will be discussed. +The FreeBSD system comes with multiple layers of security, and many more third party utilities may be added to enhance security. After reading this chapter, you will know: @@ -69,38 +71,59 @@ Before reading this chapter, you should: * Understand basic FreeBSD and Internet concepts. -Additional security topics are covered elsewhere in this Handbook. For example, Mandatory Access Control is discussed in crossref:mac[mac,Mandatory Access Control] and Internet firewalls are discussed in crossref:firewalls[firewalls,Firewalls]. +Additional security topics are covered elsewhere in this Handbook. +For example, Mandatory Access Control is discussed in crossref:mac[mac,Mandatory Access Control] and Internet firewalls are discussed in crossref:firewalls[firewalls,Firewalls]. [[security-intro]] == Introduction -Security is everyone's responsibility. A weak entry point in any system could allow intruders to gain access to critical information and cause havoc on an entire network. One of the core principles of information security is the CIA triad, which stands for the Confidentiality, Integrity, and Availability of information systems. +Security is everyone's responsibility. +A weak entry point in any system could allow intruders to gain access to critical information and cause havoc on an entire network. +One of the core principles of information security is the CIA triad, which stands for the Confidentiality, Integrity, and Availability of information systems. -The CIA triad is a bedrock concept of computer security as customers and users expect their data to be protected. For example, a customer expects that their credit card information is securely stored (confidentiality), that their orders are not changed behind the scenes (integrity), and that they have access to their order information at all times (availablility). +The CIA triad is a bedrock concept of computer security as customers and users expect their data to be protected. +For example, a customer expects that their credit card information is securely stored (confidentiality), that their orders are not changed behind the scenes (integrity), and that they have access to their order information at all times (availablility). -To provide CIA, security professionals apply a defense in depth strategy. The idea of defense in depth is to add several layers of security to prevent one single layer failing and the entire security system collapsing. For example, a system administrator cannot simply turn on a firewall and consider the network or system secure. One must also audit accounts, check the integrity of binaries, and ensure malicious tools are not installed. To implement an effective security strategy, one must understand threats and how to defend against them. +To provide CIA, security professionals apply a defense in depth strategy. +The idea of defense in depth is to add several layers of security to prevent one single layer failing and the entire security system collapsing. +For example, a system administrator cannot simply turn on a firewall and consider the network or system secure. +One must also audit accounts, check the integrity of binaries, and ensure malicious tools are not installed. +To implement an effective security strategy, one must understand threats and how to defend against them. -What is a threat as it pertains to computer security? Threats are not limited to remote attackers who attempt to access a system without permission from a remote location. Threats also include employees, malicious software, unauthorized network devices, natural disasters, security vulnerabilities, and even competing corporations. +What is a threat as it pertains to computer security? Threats are not limited to remote attackers who attempt to access a system without permission from a remote location. +Threats also include employees, malicious software, unauthorized network devices, natural disasters, security vulnerabilities, and even competing corporations. -Systems and networks can be accessed without permission, sometimes by accident, or by remote attackers, and in some cases, via corporate espionage or former employees. As a user, it is important to prepare for and admit when a mistake has led to a security breach and report possible issues to the security team. As an administrator, it is important to know of the threats and be prepared to mitigate them. +Systems and networks can be accessed without permission, sometimes by accident, or by remote attackers, and in some cases, via corporate espionage or former employees. +As a user, it is important to prepare for and admit when a mistake has led to a security breach and report possible issues to the security team. +As an administrator, it is important to know of the threats and be prepared to mitigate them. -When applying security to systems, it is recommended to start by securing the basic accounts and system configuration, and then to secure the network layer so that it adheres to the system policy and the organization's security procedures. Many organizations already have a security policy that covers the configuration of technology devices. The policy should include the security configuration of workstations, desktops, mobile devices, phones, production servers, and development servers. In many cases, standard operating procedures (SOPs) already exist. When in doubt, ask the security team. +When applying security to systems, it is recommended to start by securing the basic accounts and system configuration, and then to secure the network layer so that it adheres to the system policy and the organization's security procedures. +Many organizations already have a security policy that covers the configuration of technology devices. +The policy should include the security configuration of workstations, desktops, mobile devices, phones, production servers, and development servers. +In many cases, standard operating procedures (SOPs) already exist. +When in doubt, ask the security team. -The rest of this introduction describes how some of these basic security configurations are performed on a FreeBSD system. The rest of this chapter describes some specific tools which can be used when implementing a security policy on a FreeBSD system. +The rest of this introduction describes how some of these basic security configurations are performed on a FreeBSD system. +The rest of this chapter describes some specific tools which can be used when implementing a security policy on a FreeBSD system. [[security-accounts]] === Preventing Logins -In securing a system, a good starting point is an audit of accounts. Ensure that `root` has a strong password and that this password is not shared. Disable any accounts that do not need login access. +In securing a system, a good starting point is an audit of accounts. +Ensure that `root` has a strong password and that this password is not shared. +Disable any accounts that do not need login access. -To deny login access to accounts, two methods exist. The first is to lock the account. This example locks the `toor` account: +To deny login access to accounts, two methods exist. +The first is to lock the account. +This example locks the `toor` account: [source,shell] .... # pw lock toor .... -The second method is to prevent login access by changing the shell to [.filename]#/usr/sbin/nologin#. Only the superuser can change the shell for other users: +The second method is to prevent login access by changing the shell to [.filename]#/usr/sbin/nologin#. +Only the superuser can change the shell for other users: [source,shell] .... @@ -112,11 +135,19 @@ The [.filename]#/usr/sbin/nologin# shell prevents the system from assigning a sh [[security-accountmgmt]] === Permitted Account Escalation -In some cases, system administration needs to be shared with other users. FreeBSD has two methods to handle this. The first one, which is not recommended, is a shared root password used by members of the `wheel` group. With this method, a user types `su` and enters the password for `wheel` whenever superuser access is needed. The user should then type `exit` to leave privileged access after finishing the commands that required administrative access. To add a user to this group, edit [.filename]#/etc/group# and add the user to the end of the `wheel` entry. The user must be separated by a comma character with no space. +In some cases, system administration needs to be shared with other users. +FreeBSD has two methods to handle this. +The first one, which is not recommended, is a shared root password used by members of the `wheel` group. +With this method, a user types `su` and enters the password for `wheel` whenever superuser access is needed. +The user should then type `exit` to leave privileged access after finishing the commands that required administrative access. +To add a user to this group, edit [.filename]#/etc/group# and add the user to the end of the `wheel` entry. +The user must be separated by a comma character with no space. -The second, and recommended, method to permit privilege escalation is to install the package:security/sudo[] package or port. This software provides additional auditing, more fine-grained user control, and can be configured to lock users into running only the specified privileged commands. +The second, and recommended, method to permit privilege escalation is to install the package:security/sudo[] package or port. +This software provides additional auditing, more fine-grained user control, and can be configured to lock users into running only the specified privileged commands. -After installation, use `visudo` to edit [.filename]#/usr/local/etc/sudoers#. This example creates a new `webadmin` group, adds the `trhodes` account to that group, and configures that group access to restart package:apache24[]: +After installation, use `visudo` to edit [.filename]#/usr/local/etc/sudoers#. +This example creates a new `webadmin` group, adds the `trhodes` account to that group, and configures that group access to restart package:apache24[]: [source,shell] .... @@ -128,14 +159,25 @@ After installation, use `visudo` to edit [.filename]#/usr/local/etc/sudoers#. Th [[security-passwords]] === Password Hashes -Passwords are a necessary evil of technology. When they must be used, they should be complex and a powerful hash mechanism should be used to encrypt the version that is stored in the password database. FreeBSD supports the DES, MD5, SHA256, SHA512, and Blowfish hash algorithms in its `crypt()` library. The default of SHA512 should not be changed to a less secure hashing algorithm, but can be changed to the more secure Blowfish algorithm. +Passwords are a necessary evil of technology. +When they must be used, they should be complex and a powerful hash mechanism should be used to encrypt the version that is stored in the password database. +FreeBSD supports the DES, MD5, SHA256, SHA512, and Blowfish hash algorithms in its `crypt()` library. +The default of SHA512 should not be changed to a less secure hashing algorithm, but can be changed to the more secure Blowfish algorithm. [NOTE] ==== -Blowfish is not part of AES and is not considered compliant with any Federal Information Processing Standards (FIPS). Its use may not be permitted in some environments. +Blowfish is not part of AES and is not considered compliant with any Federal Information Processing Standards (FIPS). +Its use may not be permitted in some environments. ==== -To determine which hash algorithm is used to encrypt a user's password, the superuser can view the hash for the user in the FreeBSD password database. Each hash starts with a symbol which indicates the type of hash mechanism used to encrypt the password. If DES is used, there is no beginning symbol. For MD5, the symbol is `$`. For SHA256 and SHA512, the symbol is `$6$`. For Blowfish, the symbol is `$2a$`. In this example, the password for `dru` is hashed using the default SHA512 algorithm as the hash starts with `$6$`. Note that the encrypted hash, not the password itself, is stored in the password database: +To determine which hash algorithm is used to encrypt a user's password, the superuser can view the hash for the user in the FreeBSD password database. +Each hash starts with a symbol which indicates the type of hash mechanism used to encrypt the password. +If DES is used, there is no beginning symbol. +For MD5, the symbol is `$`. +For SHA256 and SHA512, the symbol is `$6$`. +For Blowfish, the symbol is `$2a$`. +In this example, the password for `dru` is hashed using the default SHA512 algorithm as the hash starts with `$6$`. +Note that the encrypted hash, not the password itself, is stored in the password database: [source,shell] .... @@ -143,7 +185,8 @@ To determine which hash algorithm is used to encrypt a user's password, the supe dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh .... -The hash mechanism is set in the user's login class. For this example, the user is in the `default` login class and the hash algorithm is set with this line in [.filename]#/etc/login.conf#: +The hash mechanism is set in the user's login class. +For this example, the user is in the `default` login class and the hash algorithm is set with this line in [.filename]#/etc/login.conf#: [.programlisting] .... @@ -157,27 +200,45 @@ To change the algorithm to Blowfish, modify that line to look like this: :passwd_format=blf:\ .... -Then run `cap_mkdb /etc/login.conf` as described in <<users-limiting>>. Note that this change will not affect any existing password hashes. This means that all passwords should be re-hashed by asking users to run `passwd` in order to change their password. +Then run `cap_mkdb /etc/login.conf` as described in <<users-limiting>>. +Note that this change will not affect any existing password hashes. +This means that all passwords should be re-hashed by asking users to run `passwd` in order to change their password. -For remote logins, two-factor authentication should be used. An example of two-factor authentication is "something you have", such as a key, and "something you know", such as the passphrase for that key. Since OpenSSH is part of the FreeBSD base system, all network logins should be over an encrypted connection and use key-based authentication instead of passwords. For more information, refer to <<openssh>>. Kerberos users may need to make additional changes to implement OpenSSH in their network. These changes are described in <<kerberos5>>. +For remote logins, two-factor authentication should be used. +An example of two-factor authentication is "something you have", such as a key, and "something you know", such as the passphrase for that key. +Since OpenSSH is part of the FreeBSD base system, all network logins should be over an encrypted connection and use key-based authentication instead of passwords. +For more information, refer to <<openssh>>. +Kerberos users may need to make additional changes to implement OpenSSH in their network. +These changes are described in <<kerberos5>>. [[security-pwpolicy]] === Password Policy Enforcement -Enforcing a strong password policy for local accounts is a fundamental aspect of system security. In FreeBSD, password length, password strength, and password complexity can be implemented using built-in Pluggable Authentication Modules (PAM). +Enforcing a strong password policy for local accounts is a fundamental aspect of system security. +In FreeBSD, password length, password strength, and password complexity can be implemented using built-in Pluggable Authentication Modules (PAM). -This section demonstrates how to configure the minimum and maximum password length and the enforcement of mixed characters using the [.filename]#pam_passwdqc.so# module. This module is enforced when a user changes their password. +This section demonstrates how to configure the minimum and maximum password length and the enforcement of mixed characters using the [.filename]#pam_passwdqc.so# module. +This module is enforced when a user changes their password. -To configure this module, become the superuser and uncomment the line containing `pam_passwdqc.so` in [.filename]#/etc/pam.d/passwd#. Then, edit that line to match the password policy: +To configure this module, become the superuser and uncomment the line containing `pam_passwdqc.so` in [.filename]#/etc/pam.d/passwd#. +Then, edit that line to match the password policy: [.programlisting] .... password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users .... -This example sets several requirements for new passwords. The `min` setting controls the minimum password length. It has five values because this module defines five different types of passwords based on their complexity. Complexity is defined by the type of characters that must exist in a password, such as letters, numbers, symbols, and case. The types of passwords are described in man:pam_passwdqc[8]. In this example, the first three types of passwords are disabled, meaning that passwords that meet those complexity requirements will not be accepted, regardless of their length. The `12` sets a minimum password policy of at least twelve characters, if the password also contains characters with three types of complexity. The `10` sets the password policy to also allow passwords of at least ten characters, if the password contains characters with four types of complexity. +This example sets several requirements for new passwords. +The `min` setting controls the minimum password length. +It has five values because this module defines five different types of passwords based on their complexity. +Complexity is defined by the type of characters that must exist in a password, such as letters, numbers, symbols, and case. +The types of passwords are described in man:pam_passwdqc[8]. +In this example, the first three types of passwords are disabled, meaning that passwords that meet those complexity requirements will not be accepted, regardless of their length. +The `12` sets a minimum password policy of at least twelve characters, if the password also contains characters with three types of complexity. +The `10` sets the password policy to also allow passwords of at least ten characters, if the password contains characters with four types of complexity. -The `similar` setting denies passwords that are similar to the user's previous password. The `retry` setting provides a user with three opportunities to enter a new password. +The `similar` setting denies passwords that are similar to the user's previous password. +The `retry` setting provides a user with three opportunities to enter a new password. Once this file is saved, a user changing their password will see a message similar to the following: @@ -201,7 +262,9 @@ Enter new password: If a password that does not match the policy is entered, it will be rejected with a warning and the user will have an opportunity to try again, up to the configured number of retries. -Most password policies require passwords to expire after so many days. To set a password age time in FreeBSD, set `passwordtime` for the user's login class in [.filename]#/etc/login.conf#. The `default` login class contains an example: +Most password policies require passwords to expire after so many days. +To set a password age time in FreeBSD, set `passwordtime` for the user's login class in [.filename]#/etc/login.conf#. +The `default` login class contains an example: [.programlisting] .... @@ -217,34 +280,54 @@ To set the expiration on individual users, pass an expiration date or the number # pw usermod -p 30-apr-2015 -n trhodes .... -As seen here, an expiration date is set in the form of day, month, and year. For more information, see man:pw[8]. +As seen here, an expiration date is set in the form of day, month, and year. +For more information, see man:pw[8]. [[security-rkhunter]] === Detecting Rootkits -A _rootkit_ is any unauthorized software that attempts to gain `root` access to a system. Once installed, this malicious software will normally open up another avenue of entry for an attacker. Realistically, once a system has been compromised by a rootkit and an investigation has been performed, the system should be reinstalled from scratch. There is tremendous risk that even the most prudent security or systems engineer will miss something an attacker left behind. +A _rootkit_ is any unauthorized software that attempts to gain `root` access to a system. +Once installed, this malicious software will normally open up another avenue of entry for an attacker. +Realistically, once a system has been compromised by a rootkit and an investigation has been performed, the system should be reinstalled from scratch. +There is tremendous risk that even the most prudent security or systems engineer will miss something an attacker left behind. -A rootkit does do one thing useful for administrators: once detected, it is a sign that a compromise happened at some point. But, these types of applications tend to be very well hidden. This section demonstrates a tool that can be used to detect rootkits, package:security/rkhunter[]. +A rootkit does do one thing useful for administrators: once detected, it is a sign that a compromise happened at some point. +But, these types of applications tend to be very well hidden. +This section demonstrates a tool that can be used to detect rootkits, package:security/rkhunter[]. -After installation of this package or port, the system may be checked using the following command. It will produce a lot of information and will require some manual pressing of kbd:[ENTER]: +After installation of this package or port, the system may be checked using the following command. +It will produce a lot of information and will require some manual pressing of kbd:[ENTER]: [source,shell] .... # rkhunter -c .... -After the process completes, a status message will be printed to the screen. This message will include the amount of files checked, suspect files, possible rootkits, and more. During the check, some generic security warnings may be produced about hidden files, the OpenSSH protocol selection, and known vulnerable versions of installed software. These can be handled now or after a more detailed analysis has been performed. +After the process completes, a status message will be printed to the screen. +This message will include the amount of files checked, suspect files, possible rootkits, and more. +During the check, some generic security warnings may be produced about hidden files, the OpenSSH protocol selection, and known vulnerable versions of installed software. +These can be handled now or after a more detailed analysis has been performed. -Every administrator should know what is running on the systems they are responsible for. Third-party tools like rkhunter and package:sysutils/lsof[], and native commands such as `netstat` and `ps`, can show a great deal of information on the system. Take notes on what is normal, ask questions when something seems out of place, and be paranoid. While preventing a compromise is ideal, detecting a compromise is a must. +Every administrator should know what is running on the systems they are responsible for. +Third-party tools like rkhunter and package:sysutils/lsof[], and native commands such as `netstat` and `ps`, can show a great deal of information on the system. +Take notes on what is normal, ask questions when something seems out of place, and be paranoid. +While preventing a compromise is ideal, detecting a compromise is a must. [[security-ids]] === Binary Verification -Verification of system files and binaries is important because it provides the system administration and security teams information about system changes. A software application that monitors the system for changes is called an Intrusion Detection System (IDS). +Verification of system files and binaries is important because it provides the system administration and security teams information about system changes. +A software application that monitors the system for changes is called an Intrusion Detection System (IDS). -FreeBSD provides native support for a basic IDS system. While the nightly security emails will notify an administrator of changes, the information is stored locally and there is a chance that a malicious user could modify this information in order to hide their changes to the system. As such, it is recommended to create a separate set of binary signatures and store them on a read-only, root-owned directory or, preferably, on a removable USB disk or remote rsync server. +FreeBSD provides native support for a basic IDS system. +While the nightly security emails will notify an administrator of changes, the information is stored locally and there is a chance that a malicious user could modify this information in order to hide their changes to the system. +As such, it is recommended to create a separate set of binary signatures and store them on a read-only, root-owned directory or, preferably, on a removable USB disk or remote rsync server. -The built-in `mtree` utility can be used to generate a specification of the contents of a directory. A seed, or a numeric constant, is used to generate the specification and is required to check that the specification has not changed. This makes it possible to determine if a file or binary has been modified. Since the seed value is unknown by an attacker, faking or checking the checksum values of files will be difficult to impossible. The following example generates a set of SHA256 hashes, one for each system binary in [.filename]#/bin#, and saves those values to a hidden file in ``root``'s home directory, [.filename]#/root/.bin_chksum_mtree#: +The built-in `mtree` utility can be used to generate a specification of the contents of a directory. +A seed, or a numeric constant, is used to generate the specification and is required to check that the specification has not changed. +This makes it possible to determine if a file or binary has been modified. +Since the seed value is unknown by an attacker, faking or checking the checksum values of files will be difficult to impossible. +The following example generates a set of SHA256 hashes, one for each system binary in [.filename]#/bin#, and saves those values to a hidden file in ``root``'s home directory, [.filename]#/root/.bin_chksum_mtree#: [source,shell] .... @@ -252,7 +335,8 @@ The built-in `mtree` utility can be used to generate a specification of the cont # mtree: /bin checksum: 3427012225 .... -The _3483151339707503_ represents the seed. This value should be remembered, but not shared. +The _3483151339707503_ represents the seed. +This value should be remembered, but not shared. Viewing [.filename]#/root/.bin_cksum_mtree# should yield output similar to the following: @@ -280,9 +364,11 @@ Viewing [.filename]#/root/.bin_cksum_mtree# should yield output similar to the f sha256digest=a435972263bf814ad8df082c0752aa2a7bdd8b74ff01431ccbd52ed1e490bbe7 .... -The machine's hostname, the date and time the specification was created, and the name of the user who created the specification are included in this report. There is a checksum, size, time, and SHA256 digest for each binary in the directory. +The machine's hostname, the date and time the specification was created, and the name of the user who created the specification are included in this report. +There is a checksum, size, time, and SHA256 digest for each binary in the directory. -To verify that the binary signatures have not changed, compare the current contents of the directory to the previously generated specification, and save the results to a file. This command requires the seed that was used to generate the original specification: +To verify that the binary signatures have not changed, compare the current contents of the directory to the previously generated specification, and save the results to a file. +This command requires the seed that was used to generate the original specification: [source,shell] .... @@ -290,7 +376,9 @@ To verify that the binary signatures have not changed, compare the current conte # mtree: /bin checksum: 3427012225 .... -This should produce the same checksum for [.filename]#/bin# that was produced when the specification was created. If no changes have occurred to the binaries in this directory, the [.filename]#/root/.bin_chksum_output# output file will be empty. To simulate a change, change the date on [.filename]#/bin/cat# using `touch` and run the verification command again: +This should produce the same checksum for [.filename]#/bin# that was produced when the specification was created. +If no changes have occurred to the binaries in this directory, the [.filename]#/root/.bin_chksum_output# output file will be empty. +To simulate a change, change the date on [.filename]#/bin/cat# using `touch` and run the verification command again: [source,shell] .... @@ -301,50 +389,93 @@ cat changed modification time expected Fri Sep 27 06:32:55 2013 found Mon Feb 3 10:28:43 2014 .... -It is recommended to create specifications for the directories which contain binaries and configuration files, as well as any directories containing sensitive data. Typically, specifications are created for [.filename]#/bin#, [.filename]#/sbin#, [.filename]#/usr/bin#, [.filename]#/usr/sbin#, [.filename]#/usr/local/bin#, [.filename]#/etc#, and [.filename]#/usr/local/etc#. +It is recommended to create specifications for the directories which contain binaries and configuration files, as well as any directories containing sensitive data. +Typically, specifications are created for [.filename]#/bin#, [.filename]#/sbin#, [.filename]#/usr/bin#, [.filename]#/usr/sbin#, [.filename]#/usr/local/bin#, [.filename]#/etc#, and [.filename]#/usr/local/etc#. -More advanced IDS systems exist, such as package:security/aide[]. In most cases, `mtree` provides the functionality administrators need. It is important to keep the seed value and the checksum output hidden from malicious users. More information about `mtree` can be found in man:mtree[8]. +More advanced IDS systems exist, such as package:security/aide[]. +In most cases, `mtree` provides the functionality administrators need. +It is important to keep the seed value and the checksum output hidden from malicious users. +More information about `mtree` can be found in man:mtree[8]. [[security-tuning]] === System Tuning for Security -In FreeBSD, many system features can be tuned using `sysctl`. A few of the security features which can be tuned to prevent Denial of Service (DoS) attacks will be covered in this section. More information about using `sysctl`, including how to temporarily change values and how to make the changes permanent after testing, can be found in crossref:config[configtuning-sysctl,“Tuning with sysctl(8)”]. +In FreeBSD, many system features can be tuned using `sysctl`. +A few of the security features which can be tuned to prevent Denial of Service (DoS) attacks will be covered in this section. +More information about using `sysctl`, including how to temporarily change values and how to make the changes permanent after testing, can be found in crossref:config[configtuning-sysctl,“Tuning with sysctl(8)”]. [NOTE] ==== -Any time a setting is changed with `sysctl`, the chance to cause undesired harm is increased, affecting the availability of the system. All changes should be monitored and, if possible, tried on a testing system before being used on a production system. +Any time a setting is changed with `sysctl`, the chance to cause undesired harm is increased, affecting the availability of the system. +All changes should be monitored and, if possible, tried on a testing system before being used on a production system. ==== -By default, the FreeBSD kernel boots with a security level of `-1`. This is called "insecure mode" because immutable file flags may be turned off and all devices may be read from or written to. The security level will remain at `-1` unless it is altered through `sysctl` or by a setting in the startup scripts. The security level may be increased during system startup by setting `kern_securelevel_enable` to `YES` in [.filename]#/etc/rc.conf#, and the value of `kern_securelevel` to the desired security level. See man:security[7] and man:init[8] for more information on these settings and the available security levels. +By default, the FreeBSD kernel boots with a security level of `-1`. +This is called "insecure mode" because immutable file flags may be turned off and all devices may be read from or written to. +The security level will remain at `-1` unless it is altered through `sysctl` or by a setting in the startup scripts. +The security level may be increased during system startup by setting `kern_securelevel_enable` to `YES` in [.filename]#/etc/rc.conf#, and the value of `kern_securelevel` to the desired security level. +See man:security[7] and man:init[8] for more information on these settings and the available security levels. [WARNING] ==== - -Increasing the `securelevel` can break Xorg and cause other issues. Be prepared to do some debugging. +Increasing the `securelevel` can break Xorg and cause other issues. +Be prepared to do some debugging. ==== -The `net.inet.tcp.blackhole` and `net.inet.udp.blackhole` settings can be used to drop incoming SYN packets on closed ports without sending a return RST response. The default behavior is to return an RST to show a port is closed. Changing the default provides some level of protection against ports scans, which are used to determine which applications are running on a system. Set `net.inet.tcp.blackhole` to `2` and `net.inet.udp.blackhole` to `1`. Refer to man:blackhole[4] for more information about these settings. +The `net.inet.tcp.blackhole` and `net.inet.udp.blackhole` settings can be used to drop incoming SYN packets on closed ports without sending a return RST response. +The default behavior is to return an RST to show a port is closed. +Changing the default provides some level of protection against ports scans, which are used to determine which applications are running on a system. +Set `net.inet.tcp.blackhole` to `2` and `net.inet.udp.blackhole` to `1`. +Refer to man:blackhole[4] for more information about these settings. -The `net.inet.icmp.drop_redirect` and `net.inet.ip.redirect` settings help prevent against _redirect attacks_. A redirect attack is a type of DoS which sends mass numbers of ICMP type 5 packets. Since these packets are not required, set `net.inet.icmp.drop_redirect` to `1` and set `net.inet.ip.redirect` to `0`. +The `net.inet.icmp.drop_redirect` and `net.inet.ip.redirect` settings help prevent against _redirect attacks_. +A redirect attack is a type of DoS which sends mass numbers of ICMP type 5 packets. +Since these packets are not required, set `net.inet.icmp.drop_redirect` to `1` and set `net.inet.ip.redirect` to `0`. -Source routing is a method for detecting and accessing non-routable addresses on the internal network. This should be disabled as non-routable addresses are normally not routable on purpose. To disable this feature, set `net.inet.ip.sourceroute` and `net.inet.ip.accept_sourceroute` to `0`. +Source routing is a method for detecting and accessing non-routable addresses on the internal network. +This should be disabled as non-routable addresses are normally not routable on purpose. +To disable this feature, set `net.inet.ip.sourceroute` and `net.inet.ip.accept_sourceroute` to `0`. -When a machine on the network needs to send messages to all hosts on a subnet, an ICMP echo request message is sent to the broadcast address. However, there is no reason for an external host to perform such an action. To reject all external broadcast requests, set `net.inet.icmp.bmcastecho` to `0`. +When a machine on the network needs to send messages to all hosts on a subnet, an ICMP echo request message is sent to the broadcast address. +However, there is no reason for an external host to perform such an action. +To reject all external broadcast requests, set `net.inet.icmp.bmcastecho` to `0`. Some additional settings are documented in man:security[7]. [[one-time-passwords]] == One-time Passwords -By default, FreeBSD includes support for One-time Passwords In Everything (OPIE). OPIE is designed to prevent replay attacks, in which an attacker discovers a user's password and uses it to access a system. Since a password is only used once in OPIE, a discovered password is of little use to an attacker. OPIE uses a secure hash and a challenge/response system to manage passwords. The FreeBSD implementation uses the MD5 hash by default. - -OPIE uses three different types of passwords. The first is the usual UNIX(R) or Kerberos password. The second is the one-time password which is generated by `opiekey`. The third type of password is the "secret password" which is used to generate one-time passwords. The secret password has nothing to do with, and should be different from, the UNIX(R) password. - -There are two other pieces of data that are important to OPIE. One is the "seed" or "key", consisting of two letters and five digits. The other is the "iteration count", a number between 1 and 100. OPIE creates the one-time password by concatenating the seed and the secret password, applying the MD5 hash as many times as specified by the iteration count, and turning the result into six short English words which represent the one-time password. The authentication system keeps track of the last one-time password used, and the user is authenticated if the hash of the user-provided password is equal to the previous password. Since a one-way hash is used, it is impossible to generate future one-time passwords if a successfully used password is captured. The iteration count is decremented after each successful login to keep the user and the login program in sync. When the iteration count gets down to `1`, OPIE must be reinitialized. - -There are a few programs involved in this process. A one-time password, or a consecutive list of one-time passwords, is generated by passing an iteration count, a seed, and a secret password to man:opiekey[1]. In addition to initializing OPIE, man:opiepasswd[1] is used to change passwords, iteration counts, or seeds. The relevant credential files in [.filename]#/etc/opiekeys# are examined by man:opieinfo[1] which prints out the invoking user's current iteration count and seed. - -This section describes four different sorts of operations. The first is how to set up one-time-passwords for the first time over a secure connection. The second is how to use `opiepasswd` over an insecure connection. The third is how to log in over an insecure connection. The fourth is how to generate a number of keys which can be written down or printed out to use at insecure locations. +By default, FreeBSD includes support for One-time Passwords In Everything (OPIE). +OPIE is designed to prevent replay attacks, in which an attacker discovers a user's password and uses it to access a system. +Since a password is only used once in OPIE, a discovered password is of little use to an attacker. +OPIE uses a secure hash and a challenge/response system to manage passwords. +The FreeBSD implementation uses the MD5 hash by default. + +OPIE uses three different types of passwords. +The first is the usual UNIX(R) or Kerberos password. +The second is the one-time password which is generated by `opiekey`. +The third type of password is the "secret password" which is used to generate one-time passwords. +The secret password has nothing to do with, and should be different from, the UNIX(R) password. + +There are two other pieces of data that are important to OPIE. +One is the "seed" or "key", consisting of two letters and five digits. +The other is the "iteration count", a number between 1 and 100. +OPIE creates the one-time password by concatenating the seed and the secret password, applying the MD5 hash as many times as specified by the iteration count, and turning the result into six short English words which represent the one-time password. +The authentication system keeps track of the last one-time password used, and the user is authenticated if the hash of the user-provided password is equal to the previous password. +Since a one-way hash is used, it is impossible to generate future one-time passwords if a successfully used password is captured. +The iteration count is decremented after each successful login to keep the user and the login program in sync. +When the iteration count gets down to `1`, OPIE must be reinitialized. + +There are a few programs involved in this process. +A one-time password, or a consecutive list of one-time passwords, is generated by passing an iteration count, a seed, and a secret password to man:opiekey[1]. +In addition to initializing OPIE, man:opiepasswd[1] is used to change passwords, iteration counts, or seeds. +The relevant credential files in [.filename]#/etc/opiekeys# are examined by man:opieinfo[1] which prints out the invoking user's current iteration count and seed. + +This section describes four different sorts of operations. +The first is how to set up one-time-passwords for the first time over a secure connection. +The second is how to use `opiepasswd` over an insecure connection. +The third is how to log in over an insecure connection. +The fourth is how to generate a number of keys which can be written down or printed out to use at insecure locations. === Initializing OPIE @@ -367,13 +498,21 @@ MOS MALL GOAT ARM AVID COED The `-c` sets console mode which assumes that the command is being run from a secure location, such as a computer under the user's control or an SSH session to a computer under the user's control. -When prompted, enter the secret password which will be used to generate the one-time login keys. This password should be difficult to guess and should be different than the password which is associated with the user's login account. It must be between 10 and 127 characters long. Remember this password. +When prompted, enter the secret password which will be used to generate the one-time login keys. +This password should be difficult to guess and should be different than the password which is associated with the user's login account. +It must be between 10 and 127 characters long. Remember this password. -The `ID` line lists the login name (`unfurl`), default iteration count (`499`), and default seed (`to4268`). When logging in, the system will remember these parameters and display them, meaning that they do not have to be memorized. The last line lists the generated one-time password which corresponds to those parameters and the secret password. At the next login, use this one-time password. +The `ID` line lists the login name (`unfurl`), default iteration count (`499`), and default seed (`to4268`). +When logging in, the system will remember these parameters and display them, meaning that they do not have to be memorized. +The last line lists the generated one-time password which corresponds to those parameters and the secret password. +At the next login, use this one-time password. === Insecure Connection Initialization -To initialize or change the secret password on an insecure system, a secure connection is needed to some place where `opiekey` can be run. This might be a shell prompt on a trusted machine. An iteration count is needed, where 100 is probably a good value, and the seed can either be specified or the randomly-generated one used. On the insecure connection, the machine being initialized, use man:opiepasswd[1]: +To initialize or change the secret password on an insecure system, a secure connection is needed to some place where `opiekey` can be run. +This might be a shell prompt on a trusted machine. +An iteration count is needed, where 100 is probably a good value, and the seed can either be specified or the randomly-generated one used. +On the insecure connection, the machine being initialized, use man:opiepasswd[1]: [source,shell] .... @@ -392,7 +531,8 @@ ID mark OTP key is 499 gr4269 LINE PAP MILK NELL BUOY TROY .... -To accept the default seed, press kbd:[Return]. Before entering an access password, move over to the secure connection and give it the same parameters: +To accept the default seed, press kbd:[Return]. +Before entering an access password, move over to the secure connection and give it the same parameters: [source,shell] .... @@ -423,9 +563,15 @@ otp-md5 498 gr4269 ext Password: .... -The OPIE prompts provides a useful feature. If kbd:[Return] is pressed at the password prompt, the prompt will turn echo on and display what is typed. This can be useful when attempting to type in a password by hand from a printout. +The OPIE prompts provides a useful feature. +If kbd:[Return] is pressed at the password prompt, the prompt will turn echo on and display what is typed. +This can be useful when attempting to type in a password by hand from a printout. -At this point, generate the one-time password to answer this login prompt. This must be done on a trusted system where it is safe to run man:opiekey[1]. There are versions of this command for Windows(R), Mac OS(R) and FreeBSD. This command needs the iteration count and the seed as command line options. Use cut-and-paste from the login prompt on the machine being logged in to. +At this point, generate the one-time password to answer this login prompt. +This must be done on a trusted system where it is safe to run man:opiekey[1]. +There are versions of this command for Windows(R), Mac OS(R) and FreeBSD. +This command needs the iteration count and the seed as command line options. +Use cut-and-paste from the login prompt on the machine being logged in to. On the trusted system: @@ -442,7 +588,8 @@ Once the one-time password is generated, continue to log in. === Generating Multiple One-time Passwords -Sometimes there is no access to a trusted machine or secure connection. In this case, it is possible to use man:opiekey[1] to generate a number of one-time passwords beforehand. For example: +Sometimes there is no access to a trusted machine or secure connection. +In this case, it is possible to use man:opiekey[1] to generate a number of one-time passwords beforehand. For example: [source,shell] .... @@ -457,11 +604,17 @@ Enter secret pass phrase: <secret password> 30: GREW JIVE SAN GIRD BOIL PHI .... -The `-n 5` requests five keys in sequence, and `30` specifies what the last iteration number should be. Note that these are printed out in _reverse_ order of use. The really paranoid might want to write the results down by hand; otherwise, print the list. Each line shows both the iteration count and the one-time password. Scratch off the passwords as they are used. +The `-n 5` requests five keys in sequence, and `30` specifies what the last iteration number should be. +Note that these are printed out in _reverse_ order of use. +The really paranoid might want to write the results down by hand; otherwise, print the list. +Each line shows both the iteration count and the one-time password. +Scratch off the passwords as they are used. === Restricting Use of UNIX(R) Passwords -OPIE can restrict the use of UNIX(R) passwords based on the IP address of a login session. The relevant file is [.filename]#/etc/opieaccess#, which is present by default. Refer to man:opieaccess[5] for more information on this file and which security considerations to be aware of when using it. +OPIE can restrict the use of UNIX(R) passwords based on the IP address of a login session. +The relevant file is [.filename]#/etc/opieaccess#, which is present by default. +Refer to man:opieaccess[5] for more information on this file and which security considerations to be aware of when using it. Here is a sample [.filename]#opieaccess#: @@ -477,9 +630,12 @@ If no rules in [.filename]#opieaccess# are matched, the default is to deny non-O [[tcpwrappers]] == TCP Wrapper -TCP Wrapper is a host-based access control system which extends the abilities of crossref:network-servers[network-inetd,“The inetd Super-Server”]. It can be configured to provide logging support, return messages, and connection restrictions for the server daemons under the control of inetd. Refer to man:tcpd[8] for more information about TCP Wrapper and its features. +TCP Wrapper is a host-based access control system which extends the abilities of crossref:network-servers[network-inetd,“The inetd Super-Server”]. +It can be configured to provide logging support, return messages, and connection restrictions for the server daemons under the control of inetd. +Refer to man:tcpd[8] for more information about TCP Wrapper and its features. -TCP Wrapper should not be considered a replacement for a properly configured firewall. Instead, TCP Wrapper should be used in conjunction with a firewall and other security enhancements in order to provide another layer of protection in the implementation of a security policy. +TCP Wrapper should not be considered a replacement for a properly configured firewall. +Instead, TCP Wrapper should be used in conjunction with a firewall and other security enhancements in order to provide another layer of protection in the implementation of a security policy. === Initial Configuration @@ -495,12 +651,16 @@ Then, properly configure [.filename]#/etc/hosts.allow#. [NOTE] ==== -Unlike other implementations of TCP Wrapper, the use of [.filename]#hosts.deny# is deprecated in FreeBSD. All configuration options should be placed in [.filename]#/etc/hosts.allow#. +Unlike other implementations of TCP Wrapper, the use of [.filename]#hosts.deny# is deprecated in FreeBSD. +All configuration options should be placed in [.filename]#/etc/hosts.allow#. ==== -In the simplest configuration, daemon connection policies are set to either permit or block, depending on the options in [.filename]#/etc/hosts.allow#. The default configuration in FreeBSD is to allow all connections to the daemons started with inetd. +In the simplest configuration, daemon connection policies are set to either permit or block, depending on the options in [.filename]#/etc/hosts.allow#. +The default configuration in FreeBSD is to allow all connections to the daemons started with inetd. -Basic configuration usually takes the form of `daemon : address : action`, where `daemon` is the daemon which inetd started, `address` is a valid hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and `action` is either `allow` or `deny`. TCP Wrapper uses a first rule match semantic, meaning that the configuration file is scanned from the beginning for a matching rule. When a match is found, the rule is applied and the search process stops. +Basic configuration usually takes the form of `daemon : address : action`, where `daemon` is the daemon which inetd started, `address` is a valid hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and `action` is either `allow` or `deny`. +TCP Wrapper uses a first rule match semantic, meaning that the configuration file is scanned from the beginning for a matching rule. +When a match is found, the rule is applied and the search process stops. For example, to allow POP3 connections via the package:mail/qpopper[] daemon, the following lines should be appended to [.filename]#hosts.allow#: @@ -519,9 +679,16 @@ Whenever this file is edited, restart inetd: === Advanced Configuration -TCP Wrapper provides advanced options to allow more control over the way connections are handled. In some cases, it may be appropriate to return a comment to certain hosts or daemon connections. In other cases, a log entry should be recorded or an email sent to the administrator. Other situations may require the use of a service for local connections only. This is all possible through the use of configuration options known as wildcards, expansion characters, and external command execution. +TCP Wrapper provides advanced options to allow more control over the way connections are handled. +In some cases, it may be appropriate to return a comment to certain hosts or daemon connections. +In other cases, a log entry should be recorded or an email sent to the administrator. +Other situations may require the use of a service for local connections only. +This is all possible through the use of configuration options known as wildcards, expansion characters, and external command execution. -Suppose that a situation occurs where a connection should be denied yet a reason should be sent to the host who attempted to establish that connection. That action is possible with `twist`. When a connection attempt is made, `twist` executes a shell command or script. An example exists in [.filename]#hosts.allow#: +Suppose that a situation occurs where a connection should be denied yet a reason should be sent to the host who attempted to establish that connection. +That action is possible with `twist`. +When a connection attempt is made, `twist` executes a shell command or script. +An example exists in [.filename]#hosts.allow#: [.programlisting] .... @@ -531,15 +698,20 @@ ALL : ALL \ : twist /bin/echo "You are not welcome to use %d from %h." .... -In this example, the message "You are not allowed to use _daemon name_ from _hostname_." will be returned for any daemon not configured in [.filename]#hosts.allow#. This is useful for sending a reply back to the connection initiator right after the established connection is dropped. Any message returned _must_ be wrapped in quote (`"`) characters. +In this example, the message "You are not allowed to use _daemon name_ from _hostname_." +will be returned for any daemon not configured in [.filename]#hosts.allow#. +This is useful for sending a reply back to the connection initiator right after the established connection is dropped. +Any message returned _must_ be wrapped in quote (`"`) characters. [WARNING] ==== - It may be possible to launch a denial of service attack on the server if an attacker floods these daemons with connection requests. ==== -Another possibility is to use `spawn`. Like `twist`, `spawn` implicitly denies the connection and may be used to run external shell commands or scripts. Unlike `twist`, `spawn` will not send a reply back to the host who established the connection. For example, consider the following configuration: +Another possibility is to use `spawn`. +Like `twist`, `spawn` implicitly denies the connection and may be used to run external shell commands or scripts. +Unlike `twist`, `spawn` will not send a reply back to the host who established the connection. +For example, consider the following configuration: [.programlisting] .... @@ -550,9 +722,13 @@ ALL : .example.com \ : deny .... -This will deny all connection attempts from `*.example.com` and log the hostname, IP address, and the daemon to which access was attempted to [.filename]#/var/log/connections.log#. This example uses the substitution characters `%a` and `%h`. Refer to man:hosts_access[5] for the complete list. +This will deny all connection attempts from `*.example.com` and log the hostname, IP address, and the daemon to which access was attempted to [.filename]#/var/log/connections.log#. +This example uses the substitution characters `%a` and `%h`. +Refer to man:hosts_access[5] for the complete list. -To match every instance of a daemon, domain, or IP address, use `ALL`. Another wildcard is `PARANOID` which may be used to match any host which provides an IP address that may be forged because the IP address differs from its resolved hostname. In this example, all connection requests to Sendmail which have an IP address that varies from its hostname will be denied: +To match every instance of a daemon, domain, or IP address, use `ALL`. +Another wildcard is `PARANOID` which may be used to match any host which provides an IP address that may be forged because the IP address differs from its resolved hostname. +In this example, all connection requests to Sendmail which have an IP address that varies from its hostname will be denied: [.programlisting] .... @@ -562,7 +738,6 @@ sendmail : PARANOID : deny [CAUTION] ==== - Using the `PARANOID` wildcard will result in denied connections if the client or server has a broken DNS setup. ==== @@ -576,13 +751,25 @@ When adding new configuration lines, make sure that any unneeded entries for tha [[kerberos5]] == Kerberos -Kerberos is a network authentication protocol which was originally created by the Massachusetts Institute of Technology (MIT) as a way to securely provide authentication across a potentially hostile network. The Kerberos protocol uses strong cryptography so that both a client and server can prove their identity without sending any unencrypted secrets over the network. Kerberos can be described as an identity-verifying proxy system and as a trusted third-party authentication system. After a user authenticates with Kerberos, their communications can be encrypted to assure privacy and data integrity. +Kerberos is a network authentication protocol which was originally created by the Massachusetts Institute of Technology (MIT) as a way to securely provide authentication across a potentially hostile network. +The Kerberos protocol uses strong cryptography so that both a client and server can prove their identity without sending any unencrypted secrets over the network. +Kerberos can be described as an identity-verifying proxy system and as a trusted third-party authentication system. +After a user authenticates with Kerberos, their communications can be encrypted to assure privacy and data integrity. -The only function of Kerberos is to provide the secure authentication of users and servers on the network. It does not provide authorization or auditing functions. It is recommended that Kerberos be used with other security methods which provide authorization and audit services. +The only function of Kerberos is to provide the secure authentication of users and servers on the network. +It does not provide authorization or auditing functions. +It is recommended that Kerberos be used with other security methods which provide authorization and audit services. -The current version of the protocol is version 5, described in RFC 4120. Several free implementations of this protocol are available, covering a wide range of operating systems. MIT continues to develop their Kerberos package. It is commonly used in the US as a cryptography product, and has historically been subject to US export regulations. In FreeBSD, MITKerberos is available as the package:security/krb5[] package or port. The Heimdal Kerberos implementation was explicitly developed outside of the US to avoid export regulations. The Heimdal Kerberos distribution is included in the base FreeBSD installation, and another distribution with more configurable options is available as package:security/heimdal[] in the Ports Collection. +The current version of the protocol is version 5, described in RFC 4120. +Several free implementations of this protocol are available, covering a wide range of operating systems. +MIT continues to develop their Kerberos package. +It is commonly used in the US as a cryptography product, and has historically been subject to US export regulations. +In FreeBSD, MITKerberos is available as the package:security/krb5[] package or port. +The Heimdal Kerberos implementation was explicitly developed outside of the US to avoid export regulations. +The Heimdal Kerberos distribution is included in the base FreeBSD installation, and another distribution with more configurable options is available as package:security/heimdal[] in the Ports Collection. -In Kerberos users and services are identified as "principals" which are contained within an administrative grouping, called a "realm". A typical user principal would be of the form `_user_@_REALM_` (realms are traditionally uppercase). +In Kerberos users and services are identified as "principals" which are contained within an administrative grouping, called a "realm". +A typical user principal would be of the form `_user_@_REALM_` (realms are traditionally uppercase). This section provides a guide on how to set up Kerberos using the Heimdal distribution included in FreeBSD. @@ -593,12 +780,16 @@ For purposes of demonstrating a Kerberos installation, the name spaces will be a [NOTE] ==== -Use real domain names when setting up Kerberos, even if it will run internally. This avoids DNS problems and assures inter-operation with other Kerberos realms. +Use real domain names when setting up Kerberos, even if it will run internally. +This avoids DNS problems and assures inter-operation with other Kerberos realms. ==== === Setting up a Heimdal KDC -The Key Distribution Center (KDC) is the centralized authentication service that Kerberos provides, the "trusted third party" of the system. It is the computer that issues Kerberos tickets, which are used for clients to authenticate to servers. As the KDC is considered trusted by all other computers in the Kerberos realm, it has heightened security concerns. Direct access to the KDC should be limited. +The Key Distribution Center (KDC) is the centralized authentication service that Kerberos provides, the "trusted third party" of the system. +It is the computer that issues Kerberos tickets, which are used for clients to authenticate to servers. +As the KDC is considered trusted by all other computers in the Kerberos realm, it has heightened security concerns. +Direct access to the KDC should be limited. While running a KDC requires few computing resources, a dedicated machine acting only as a KDC is recommended for security reasons. @@ -632,9 +823,11 @@ Next, edit [.filename]#/etc/krb5.conf# as follows: .example.org = EXAMPLE.ORG .... -In this example, the KDC will use the fully-qualified hostname `kerberos.example.org`. The hostname of the KDC must be resolvable in the DNS. +In this example, the KDC will use the fully-qualified hostname `kerberos.example.org`. +The hostname of the KDC must be resolvable in the DNS. -Kerberos can also use the DNS to locate KDCs, instead of a `[realms]` section in [.filename]#/etc/krb5.conf#. For large organizations that have their own DNS servers, the above example could be trimmed to: +Kerberos can also use the DNS to locate KDCs, instead of a `[realms]` section in [.filename]#/etc/krb5.conf#. +For large organizations that have their own DNS servers, the above example could be trimmed to: [.programlisting] .... @@ -657,10 +850,13 @@ _kerberos IN TXT EXAMPLE.ORG [NOTE] ==== -In order for clients to be able to find the Kerberos services, they _must_ have either a fully configured [.filename]#/etc/krb5.conf# or a minimally configured [.filename]#/etc/krb5.conf#_and_ a properly configured DNS server. +In order for clients to be able to find the Kerberos services, they _must_ have either a fully configured [.filename]#/etc/krb5.conf# or a minimally configured [.filename]#/etc/krb5.conf# _and_ a properly configured DNS server. ==== -Next, create the Kerberos database which contains the keys of all principals (users and hosts) encrypted with a master password. It is not required to remember this password as it will be stored in [.filename]#/var/heimdal/m-key#; it would be reasonable to use a 45-character random password for this purpose. To create the master key, run `kstash` and enter a password: +Next, create the Kerberos database which contains the keys of all principals (users and hosts) encrypted with a master password. +It is not required to remember this password as it will be stored in [.filename]#/var/heimdal/m-key#; +it would be reasonable to use a 45-character random password for this purpose. +To create the master key, run `kstash` and enter a password: [source,shell] .... @@ -669,7 +865,10 @@ Master key: xxxxxxxxxxxxxxxxxxxxxxx Verifying password - Master key: xxxxxxxxxxxxxxxxxxxxxxx .... -Once the master key has been created, the database should be initialized. The Kerberos administrative tool man:kadmin[8] can be used on the KDC in a mode that operates directly on the database, without using the man:kadmind[8] network service, as `kadmin -l`. This resolves the chicken-and-egg problem of trying to connect to the database before it is created. At the `kadmin` prompt, use `init` to create the realm's initial database: +Once the master key has been created, the database should be initialized. +The Kerberos administrative tool man:kadmin[8] can be used on the KDC in a mode that operates directly on the database, without using the man:kadmind[8] network service, as `kadmin -l`. +This resolves the chicken-and-egg problem of trying to connect to the database before it is created. +At the `kadmin` prompt, use `init` to create the realm's initial database: [source,shell] .... @@ -678,7 +877,9 @@ kadmin> init EXAMPLE.ORG Realm max ticket life [unlimited]: .... -Lastly, while still in `kadmin`, create the first principal using `add`. Stick to the default options for the principal for now, as these can be changed later with `modify`. Type `?` at the prompt to see the available options. +Lastly, while still in `kadmin`, create the first principal using `add`. +Stick to the default options for the principal for now, as these can be changed later with `modify`. +Type `?` at the prompt to see the available options. [source,shell] .... @@ -729,13 +930,25 @@ The temporary ticket can be destroyed when the test is finished: === Configuring a Server to Use Kerberos -The first step in configuring a server to use Kerberos authentication is to ensure that it has the correct configuration in [.filename]#/etc/krb5.conf#. The version from the KDC can be used as-is, or it can be regenerated on the new system. +The first step in configuring a server to use Kerberos authentication is to ensure that it has the correct configuration in [.filename]#/etc/krb5.conf#. +The version from the KDC can be used as-is, or it can be regenerated on the new system. -Next, create [.filename]#/etc/krb5.keytab# on the server. This is the main part of "Kerberizing" a service - it corresponds to generating a secret shared between the service and the KDC. The secret is a cryptographic key, stored in a "keytab". The keytab contains the server's host key, which allows it and the KDC to verify each others' identity. It must be transmitted to the server in a secure fashion, as the security of the server can be broken if the key is made public. Typically, the [.filename]#keytab# is generated on an administrator's trusted machine using `kadmin`, then securely transferred to the server, e.g., with man:scp[1]; it can also be created directly on the server if that is consistent with the desired security policy. It is very important that the keytab is transmitted to the server in a secure fashion: if the key is known by some other party, that party can impersonate any user to the server! Using `kadmin` on the server directly is convenient, because the entry for the host principal in the KDC database is also created using `kadmin`. +Next, create [.filename]#/etc/krb5.keytab# on the server. +This is the main part of "Kerberizing" a service - it corresponds to generating a secret shared between the service and the KDC. +The secret is a cryptographic key, stored in a "keytab". +The keytab contains the server's host key, which allows it and the KDC to verify each others' identity. +It must be transmitted to the server in a secure fashion, as the security of the server can be broken if the key is made public. +Typically, the [.filename]#keytab# is generated on an administrator's trusted machine using `kadmin`, then securely transferred to the server, e.g., +with man:scp[1]; it can also be created directly on the server if that is consistent with the desired security policy. +It is very important that the keytab is transmitted to the server in a secure fashion: if the key is known by some other party, that party can impersonate any user to the server! Using `kadmin` on the server directly is convenient, because the entry for the host principal in the KDC database is also created using `kadmin`. -Of course, `kadmin` is a kerberized service; a Kerberos ticket is needed to authenticate to the network service, but to ensure that the user running `kadmin` is actually present (and their session has not been hijacked), `kadmin` will prompt for the password to get a fresh ticket. The principal authenticating to the kadmin service must be permitted to use the `kadmin` interface, as specified in [.filename]#/var/heimdal/kadmind.acl#. See the section titled "Remote administration" in `info heimdal` for details on designing access control lists. Instead of enabling remote `kadmin` access, the administrator could securely connect to the KDC via the local console or man:ssh[1], and perform administration locally using `kadmin -l`. +Of course, `kadmin` is a kerberized service; a Kerberos ticket is needed to authenticate to the network service, but to ensure that the user running `kadmin` is actually present (and their session has not been hijacked), `kadmin` will prompt for the password to get a fresh ticket. +The principal authenticating to the kadmin service must be permitted to use the `kadmin` interface, as specified in [.filename]#/var/heimdal/kadmind.acl#. See the section titled "Remote administration" in `info heimdal` for details on designing access control lists. +Instead of enabling remote `kadmin` access, the administrator could securely connect to the KDC via the local console or man:ssh[1], and perform administration locally using `kadmin -l`. -After installing [.filename]#/etc/krb5.conf#, use `add --random-key` in `kadmin`. This adds the server's host principal to the database, but does not extract a copy of the host principal key to a keytab. To generate the keytab, use `ext` to extract the server's host principal key to its own keytab: +After installing [.filename]#/etc/krb5.conf#, use `add --random-key` in `kadmin`. +This adds the server's host principal to the database, but does not extract a copy of the host principal key to a keytab. +To generate the keytab, use `ext` to extract the server's host principal key to its own keytab: [source,shell] .... @@ -750,7 +963,8 @@ kadmin> ext_keytab host/myserver.example.org kadmin> exit .... -Note that `ext_keytab` stores the extracted key in [.filename]#/etc/krb5.keytab# by default. This is good when being run on the server being kerberized, but the `--keytab _path/to/file_` argument should be used when the keytab is being extracted elsewhere: +Note that `ext_keytab` stores the extracted key in [.filename]#/etc/krb5.keytab# by default. +This is good when being run on the server being kerberized, but the `--keytab _path/to/file_` argument should be used when the keytab is being extracted elsewhere: [source,shell] .... @@ -759,9 +973,13 @@ kadmin> ext_keytab --keytab=/tmp/example.keytab host/myserver.example.org kadmin> exit .... -The keytab can then be securely copied to the server using man:scp[1] or a removable media. Be sure to specify a non-default keytab name to avoid inserting unneeded keys into the system's keytab. +The keytab can then be securely copied to the server using man:scp[1] or a removable media. +Be sure to specify a non-default keytab name to avoid inserting unneeded keys into the system's keytab. -At this point, the server can read encrypted messages from the KDC using its shared key, stored in [.filename]#krb5.keytab#. It is now ready for the Kerberos-using services to be enabled. One of the most common such services is man:sshd[8], which supports Kerberos via the GSS-API. In [.filename]#/etc/ssh/sshd_config#, add the line: +At this point, the server can read encrypted messages from the KDC using its shared key, stored in [.filename]#krb5.keytab#. +It is now ready for the Kerberos-using services to be enabled. +One of the most common such services is man:sshd[8], which supports Kerberos via the GSS-API. +In [.filename]#/etc/ssh/sshd_config#, add the line: [.programlisting] .... @@ -772,17 +990,26 @@ After making this change, man:sshd[8] must be restarted for the new configuratio === Configuring a Client to Use Kerberos -As it was for the server, the client requires configuration in [.filename]#/etc/krb5.conf#. Copy the file in place (securely) or re-enter it as needed. +As it was for the server, the client requires configuration in [.filename]#/etc/krb5.conf#. +Copy the file in place (securely) or re-enter it as needed. -Test the client by using `kinit`, `klist`, and `kdestroy` from the client to obtain, show, and then delete a ticket for an existing principal. Kerberos applications should also be able to connect to Kerberos enabled servers. If that does not work but obtaining a ticket does, the problem is likely with the server and not with the client or the KDC. In the case of kerberized man:ssh[1], GSS-API is disabled by default, so test using `ssh -o GSSAPIAuthentication=yes _hostname_`. +Test the client by using `kinit`, `klist`, and `kdestroy` from the client to obtain, show, and then delete a ticket for an existing principal. +Kerberos applications should also be able to connect to Kerberos enabled servers. +If that does not work but obtaining a ticket does, the problem is likely with the server and not with the client or the KDC. +In the case of kerberized man:ssh[1], GSS-API is disabled by default, so test using `ssh -o GSSAPIAuthentication=yes _hostname_`. When testing a Kerberized application, try using a packet sniffer such as `tcpdump` to confirm that no sensitive information is sent in the clear. -Various Kerberos client applications are available. With the advent of a bridge so that applications using SASL for authentication can use GSS-API mechanisms as well, large classes of client applications can use Kerberos for authentication, from Jabber clients to IMAP clients. +Various Kerberos client applications are available. +With the advent of a bridge so that applications using SASL for authentication can use GSS-API mechanisms as well, large classes of client applications can use Kerberos for authentication, from Jabber clients to IMAP clients. -Users within a realm typically have their Kerberos principal mapped to a local user account. Occasionally, one needs to grant access to a local user account to someone who does not have a matching Kerberos principal. For example, `tillman@EXAMPLE.ORG` may need access to the local user account `webdevelopers`. Other principals may also need access to that local account. +Users within a realm typically have their Kerberos principal mapped to a local user account. +Occasionally, one needs to grant access to a local user account to someone who does not have a matching Kerberos principal. +For example, `tillman@EXAMPLE.ORG` may need access to the local user account `webdevelopers`. +Other principals may also need access to that local account. -The [.filename]#.k5login# and [.filename]#.k5users# files, placed in a user's home directory, can be used to solve this problem. For example, if the following [.filename]#.k5login# is placed in the home directory of `webdevelopers`, both principals listed will have access to that account without requiring a shared password: +The [.filename]#.k5login# and [.filename]#.k5users# files, placed in a user's home directory, can be used to solve this problem. +For example, if the following [.filename]#.k5login# is placed in the home directory of `webdevelopers`, both principals listed will have access to that account without requiring a shared password: [.programlisting] .... @@ -794,9 +1021,12 @@ Refer to man:ksu[1] for more information about [.filename]#.k5users#. === MIT Differences -The major difference between the MIT and Heimdal implementations is that `kadmin` has a different, but equivalent, set of commands and uses a different protocol. If the KDC is MIT, the Heimdal version of `kadmin` cannot be used to administer the KDC remotely, and vice versa. +The major difference between the MIT and Heimdal implementations is that `kadmin` has a different, but equivalent, set of commands and uses a different protocol. +If the KDC is MIT, the Heimdal version of `kadmin` cannot be used to administer the KDC remotely, and vice versa. -Client applications may also use slightly different command line options to accomplish the same tasks. Following the instructions at http://web.mit.edu/Kerberos/www/[http://web.mit.edu/Kerberos/www/] is recommended. Be careful of path issues: the MIT port installs into [.filename]#/usr/local/# by default, and the FreeBSD system applications run instead of the MIT versions if `PATH` lists the system directories first. +Client applications may also use slightly different command line options to accomplish the same tasks. +Following the instructions at http://web.mit.edu/Kerberos/www/[http://web.mit.edu/Kerberos/www/] is recommended. +Be careful of path issues: the MIT port installs into [.filename]#/usr/local/# by default, and the FreeBSD system applications run instead of the MIT versions if `PATH` lists the system directories first. When using MIT Kerberos as a KDC on FreeBSD, the following edits should also be made to [.filename]#rc.conf#: @@ -825,15 +1055,26 @@ When configuring and troubleshooting Kerberos, keep the following points in mind === Mitigating Kerberos Limitations -Since Kerberos is an all or nothing approach, every service enabled on the network must either be modified to work with Kerberos or be otherwise secured against network attacks. This is to prevent user credentials from being stolen and re-used. An example is when Kerberos is enabled on all remote shells but the non-Kerberized POP3 mail server sends passwords in plain text. +Since Kerberos is an all or nothing approach, every service enabled on the network must either be modified to work with Kerberos or be otherwise secured against network attacks. +This is to prevent user credentials from being stolen and re-used. +An example is when Kerberos is enabled on all remote shells but the non-Kerberized POP3 mail server sends passwords in plain text. -The KDC is a single point of failure. By design, the KDC must be as secure as its master password database. The KDC should have absolutely no other services running on it and should be physically secure. The danger is high because Kerberos stores all passwords encrypted with the same master key which is stored as a file on the KDC. +The KDC is a single point of failure. +By design, the KDC must be as secure as its master password database. +The KDC should have absolutely no other services running on it and should be physically secure. +The danger is high because Kerberos stores all passwords encrypted with the same master key which is stored as a file on the KDC. -A compromised master key is not quite as bad as one might fear. The master key is only used to encrypt the Kerberos database and as a seed for the random number generator. As long as access to the KDC is secure, an attacker cannot do much with the master key. +A compromised master key is not quite as bad as one might fear. +The master key is only used to encrypt the Kerberos database and as a seed for the random number generator. +As long as access to the KDC is secure, an attacker cannot do much with the master key. -If the KDC is unavailable, network services are unusable as authentication cannot be performed. This can be alleviated with a single master KDC and one or more slaves, and with careful implementation of secondary or fall-back authentication using PAM. +If the KDC is unavailable, network services are unusable as authentication cannot be performed. +This can be alleviated with a single master KDC and one or more slaves, and with careful implementation of secondary or fall-back authentication using PAM. -Kerberos allows users, hosts and services to authenticate between themselves. It does not have a mechanism to authenticate the KDC to the users, hosts, or services. This means that a trojaned `kinit` could record all user names and passwords. File system integrity checking tools like package:security/tripwire[] can alleviate this. +Kerberos allows users, hosts and services to authenticate between themselves. +It does not have a mechanism to authenticate the KDC to the users, hosts, or services. +This means that a trojaned `kinit` could record all user names and passwords. +File system integrity checking tools like package:security/tripwire[] can alleviate this. === Resources and Further Information @@ -846,26 +1087,40 @@ Kerberos allows users, hosts and services to authenticate between themselves. It [[openssl]] == OpenSSL -OpenSSL is an open source implementation of the SSL and TLS protocols. It provides an encryption transport layer on top of the normal communications layer, allowing it to be intertwined with many network applications and services. +OpenSSL is an open source implementation of the SSL and TLS protocols. +It provides an encryption transport layer on top of the normal communications layer, allowing it to be intertwined with many network applications and services. -The version of OpenSSL included in FreeBSD supports the Secure Sockets Layer 3.0 (SSLv3) and Transport Layer Security 1.0/1.1/1.2 (TLSv1/TLSv1.1/TLSv1.2) network security protocols and can be used as a general cryptographic library. In FreeBSD 12.0-RELEASE and above, OpenSSL also supports Transport Layer Security 1.3 (TLSv1.3). +The version of OpenSSL included in FreeBSD supports the Secure Sockets Layer 3.0 (SSLv3) and Transport Layer Security 1.0/1.1/1.2 (TLSv1/TLSv1.1/TLSv1.2) network security protocols and can be used as a general cryptographic library. +In FreeBSD 12.0-RELEASE and above, OpenSSL also supports Transport Layer Security 1.3 (TLSv1.3). -OpenSSL is often used to encrypt authentication of mail clients and to secure web based transactions such as credit card payments. Some ports, such as package:www/apache24[] and package:databases/postgresql11-server[], include a compile option for building with OpenSSL. If selected, the port will add support using OpenSSL from the base system. To instead have the port compile against OpenSSL from the package:security/openssl[] port, add the following to [.filename]#/etc/make.conf#: +OpenSSL is often used to encrypt authentication of mail clients and to secure web based transactions such as credit card payments. +Some ports, such as package:www/apache24[] and package:databases/postgresql11-server[], include a compile option for building with OpenSSL. +If selected, the port will add support using OpenSSL from the base system. +To instead have the port compile against OpenSSL from the package:security/openssl[] port, add the following to [.filename]#/etc/make.conf#: [.programlisting] .... DEFAULT_VERSIONS+= ssl=openssl .... -Another common use of OpenSSL is to provide certificates for use with software applications. Certificates can be used to verify the credentials of a company or individual. If a certificate has not been signed by an external _Certificate Authority_ (CA), such as http://www.verisign.com[http://www.verisign.com], the application that uses the certificate will produce a warning. There is a cost associated with obtaining a signed certificate and using a signed certificate is not mandatory as certificates can be self-signed. However, using an external authority will prevent warnings and can put users at ease. +Another common use of OpenSSL is to provide certificates for use with software applications. +Certificates can be used to verify the credentials of a company or individual. +If a certificate has not been signed by an external _Certificate Authority_ (CA), such as http://www.verisign.com[http://www.verisign.com], +the application that uses the certificate will produce a warning. +There is a cost associated with obtaining a signed certificate and using a signed certificate is not mandatory as certificates can be self-signed. +However, using an external authority will prevent warnings and can put users at ease. -This section demonstrates how to create and use certificates on a FreeBSD system. Refer to crossref:network-servers[ldap-config,“Configuring an LDAP Server”] for an example of how to create a CA for signing one's own certificates. +This section demonstrates how to create and use certificates on a FreeBSD system. +Refer to crossref:network-servers[ldap-config,“Configuring an LDAP Server”] for an example of how to create a CA for signing one's own certificates. For more information about SSL, read the free https://www.feistyduck.com/books/openssl-cookbook/[OpenSSL Cookbook]. === Generating Certificates -To generate a certificate that will be signed by an external CA, issue the following command and input the information requested at the prompts. This input information will be written to the certificate. At the `Common Name` prompt, input the fully qualified name for the system that will use the certificate. If this name does not match the server, the application verifying the certificate will issue a warning to the user, rendering the verification provided by the certificate as useless. +To generate a certificate that will be signed by an external CA, issue the following command and input the information requested at the prompts. +This input information will be written to the certificate. +At the `Common Name` prompt, input the fully qualified name for the system that will use the certificate. +If this name does not match the server, the application verifying the certificate will issue a warning to the user, rendering the verification provided by the certificate as useless. [source,shell] .... @@ -896,11 +1151,16 @@ A challenge password []: An optional company name []:Another Name .... -Other options, such as the expire time and alternate encryption algorithms, are available when creating a certificate. A complete list of options is described in man:openssl[1]. +Other options, such as the expire time and alternate encryption algorithms, are available when creating a certificate. +A complete list of options is described in man:openssl[1]. -This command will create two files in the current directory. The certificate request, [.filename]#req.pem#, can be sent to a CA who will validate the entered credentials, sign the request, and return the signed certificate. The second file, [.filename]#cert.key#, is the private key for the certificate and should be stored in a secure location. If this falls in the hands of others, it can be used to impersonate the user or the server. +This command will create two files in the current directory. +The certificate request, [.filename]#req.pem#, can be sent to a CA who will validate the entered credentials, sign the request, and return the signed certificate. +The second file, [.filename]#cert.key#, is the private key for the certificate and should be stored in a secure location. +If this falls in the hands of others, it can be used to impersonate the user or the server. -Alternately, if a signature from a CA is not required, a self-signed certificate can be created. First, generate the RSA key: +Alternately, if a signature from a CA is not required, a self-signed certificate can be created. +First, generate the RSA key: [source,shell] .... @@ -933,7 +1193,9 @@ Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org Email Address []:trhodes@FreeBSD.org .... -This will create two new files in the current directory: a private key file [.filename]#cert.key#, and the certificate itself, [.filename]#cert.crt#. These should be placed in a directory, preferably under [.filename]#/etc/ssl/#, which is readable only by `root`. Permissions of `0700` are appropriate for these files and can be set using `chmod`. +This will create two new files in the current directory: a private key file [.filename]#cert.key#, and the certificate itself, [.filename]#cert.crt#. +These should be placed in a directory, preferably under [.filename]#/etc/ssl/#, which is readable only by `root`. +Permissions of `0700` are appropriate for these files and can be set using `chmod`. === Using Certificates @@ -941,10 +1203,12 @@ One use for a certificate is to encrypt connections to the Sendmail mail server [NOTE] ==== -Some mail clients will display an error if the user has not installed a local copy of the certificate. Refer to the documentation included with the software for more information on certificate installation. +Some mail clients will display an error if the user has not installed a local copy of the certificate. +Refer to the documentation included with the software for more information on certificate installation. ==== -In FreeBSD 10.0-RELEASE and above, it is possible to create a self-signed certificate for Sendmail automatically. To enable this, add the following lines to [.filename]#/etc/rc.conf#: +In FreeBSD 10.0-RELEASE and above, it is possible to create a self-signed certificate for Sendmail automatically. +To enable this, add the following lines to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -953,14 +1217,17 @@ sendmail_cert_create="YES" sendmail_cert_cn="localhost.example.org" .... -This will automatically create a self-signed certificate, [.filename]#/etc/mail/certs/host.cert#, a signing key, [.filename]#/etc/mail/certs/host.key#, and a CA certificate, [.filename]#/etc/mail/certs/cacert.pem#. The certificate will use the `Common Name` specified in `sendmail_cert_cn`. After saving the edits, restart Sendmail: +This will automatically create a self-signed certificate, [.filename]#/etc/mail/certs/host.cert#, a signing key, [.filename]#/etc/mail/certs/host.key#, and a CA certificate, [.filename]#/etc/mail/certs/cacert.pem#. +The certificate will use the `Common Name` specified in `sendmail_cert_cn`. +After saving the edits, restart Sendmail: [source,shell] .... # service sendmail restart .... -If all went well, there will be no error messages in [.filename]#/var/log/maillog#. For a simple test, connect to the mail server's listening port using `telnet`: +If all went well, there will be no error messages in [.filename]#/var/log/maillog#. +For a simple test, connect to the mail server's listening port using `telnet`: [source,shell] .... @@ -991,7 +1258,9 @@ If the `STARTTLS` line appears in the output, everything is working correctly. [[ipsec]] == VPN over IPsec -Internet Protocol Security (IPsec) is a set of protocols which sit on top of the Internet Protocol (IP) layer. It allows two or more hosts to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. The FreeBSD IPsec network stack is based on the http://www.kame.net/[http://www.kame.net/] implementation and supports both IPv4 and IPv6 sessions. +Internet Protocol Security (IPsec) is a set of protocols which sit on top of the Internet Protocol (IP) layer. +It allows two or more hosts to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. +The FreeBSD IPsec network stack is based on the http://www.kame.net/[http://www.kame.net/] implementation and supports both IPv4 and IPv6 sessions. IPsec is comprised of the following sub-protocols: @@ -1001,9 +1270,13 @@ IPsec is comprised of the following sub-protocols: These protocols can either be used together or separately, depending on the environment. -IPsec supports two modes of operation. The first mode, _Transport Mode_, protects communications between two hosts. The second mode, _Tunnel Mode_, is used to build virtual tunnels, commonly known as Virtual Private Networks (VPNs). Consult man:ipsec[4] for detailed information on the IPsec subsystem in FreeBSD. +IPsec supports two modes of operation. +The first mode, _Transport Mode_, protects communications between two hosts. +The second mode, _Tunnel Mode_, is used to build virtual tunnels, commonly known as Virtual Private Networks (VPNs). +Consult man:ipsec[4] for detailed information on the IPsec subsystem in FreeBSD. -IPsec support is enabled by default on FreeBSD 11 and later. For previous versions of FreeBSD, add these options to a custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]: +IPsec support is enabled by default on FreeBSD 11 and later. +For previous versions of FreeBSD, add these options to a custom kernel configuration file and rebuild the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]: [source,shell] .... @@ -1018,7 +1291,8 @@ If IPsec debugging support is desired, the following kernel option should also b options IPSEC_DEBUG debug for IP security .... -This rest of this chapter demonstrates the process of setting up an IPsecVPN between a home network and a corporate network. In the example scenario: +This rest of this chapter demonstrates the process of setting up an IPsecVPN between a home network and a corporate network. +In the example scenario: * Both sites are connected to the Internet through a gateway that is running FreeBSD. * The gateway on each network has at least one external IP address. In this example, the corporate LAN's external IP address is `172.16.5.4` and the home LAN's external IP address is `192.168.1.12`. @@ -1026,9 +1300,11 @@ This rest of this chapter demonstrates the process of setting up an IPsecVPN bet === Configuring a VPN on FreeBSD -To begin, package:security/ipsec-tools[] must be installed from the Ports Collection. This software provides a number of applications which support the configuration. +To begin, package:security/ipsec-tools[] must be installed from the Ports Collection. +This software provides a number of applications which support the configuration. -The next requirement is to create two man:gif[4] pseudo-devices which will be used to tunnel packets and allow both networks to communicate properly. As `root`, run the following commands, replacing _internal_ and _external_ with the real IP addresses of the internal and external interfaces of the two gateways: +The next requirement is to create two man:gif[4] pseudo-devices which will be used to tunnel packets and allow both networks to communicate properly. +As `root`, run the following commands, replacing _internal_ and _external_ with the real IP addresses of the internal and external interfaces of the two gateways: [source,shell] .... @@ -1037,7 +1313,8 @@ The next requirement is to create two man:gif[4] pseudo-devices which will be us # ifconfig gif0 tunnel external1 external2 .... -Verify the setup on each gateway, using `ifconfig`. Here is the output from Gateway 1: +Verify the setup on each gateway, using `ifconfig`. +Here is the output from Gateway 1: [.programlisting] .... @@ -1083,7 +1360,9 @@ PING 10.246.38.1 (10.246.38.1): 56 data bytes round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms .... -As expected, both sides have the ability to send and receive ICMP packets from the privately configured addresses. Next, both gateways must be told how to route packets in order to correctly send traffic from either network. The following commands will achieve this goal: +As expected, both sides have the ability to send and receive ICMP packets from the privately configured addresses. +Next, both gateways must be told how to route packets in order to correctly send traffic from either network. +The following commands will achieve this goal: [source,shell] .... @@ -1093,7 +1372,8 @@ priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 priv-net# route add host 10.246.38.0: gateway 10.246.38.1 .... -At this point, internal machines should be reachable from each gateway as well as from machines behind the gateways. Again, use man:ping[8] to confirm: +At this point, internal machines should be reachable from each gateway as well as from machines behind the gateways. +Again, use man:ping[8] to confirm: [source,shell] .... @@ -1120,7 +1400,9 @@ PING 10.246.38.1 (10.246.38.107): 56 data bytes round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms .... -Setting up the tunnels is the easy part. Configuring a secure link is a more in depth process. The following configuration uses pre-shared (PSK) RSA keys. Other than the IP addresses, the [.filename]#/usr/local/etc/racoon/racoon.conf# on both gateways will be identical and look similar to: +Setting up the tunnels is the easy part. Configuring a secure link is a more in depth process. +The following configuration uses pre-shared (PSK) RSA keys. +Other than the IP addresses, the [.filename]#/usr/local/etc/racoon/racoon.conf# on both gateways will be identical and look similar to: [.programlisting] .... @@ -1187,7 +1469,8 @@ For descriptions of each available option, refer to the manual page for [.filena The Security Policy Database (SPD) needs to be configured so that FreeBSD and racoon are able to encrypt and decrypt network traffic between the hosts. -This can be achieved with a shell script, similar to the following, on the corporate gateway. This file will be used during system initialization and should be saved as [.filename]#/usr/local/etc/racoon/setkey.conf#. +This can be achieved with a shell script, similar to the following, on the corporate gateway. +This file will be used during system initialization and should be saved as [.filename]#/usr/local/etc/racoon/setkey.conf#. [.programlisting] .... @@ -1223,14 +1506,16 @@ Foreground mode. 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66) .... -To ensure the tunnel is working properly, switch to another console and use man:tcpdump[1] to view network traffic using the following command. Replace `em0` with the network interface card as required: +To ensure the tunnel is working properly, switch to another console and use man:tcpdump[1] to view network traffic using the following command. +Replace `em0` with the network interface card as required: [source,shell] .... # tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12 .... -Data similar to the following should appear on the console. If not, there is an issue and debugging the returned data will be required. +Data similar to the following should appear on the console. +If not, there is an issue and debugging the returned data will be required. [.programlisting] .... @@ -1239,7 +1524,10 @@ Data similar to the following should appear on the console. If not, there is an 01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc) .... -At this point, both networks should be available and seem to be part of the same network. Most likely both networks are protected by a firewall. To allow traffic to flow between them, rules need to be added to pass packets. For the man:ipfw[8] firewall, add the following lines to the firewall configuration file: +At this point, both networks should be available and seem to be part of the same network. +Most likely both networks are protected by a firewall. +To allow traffic to flow between them, rules need to be added to pass packets. +For the man:ipfw[8] firewall, add the following lines to the firewall configuration file: [.programlisting] .... @@ -1283,17 +1571,25 @@ racoon_enable="yes" [[openssh]] == OpenSSH -OpenSSH is a set of network connectivity tools used to provide secure access to remote machines. Additionally, TCP/IP connections can be tunneled or forwarded securely through SSH connections. OpenSSH encrypts all traffic to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. +OpenSSH is a set of network connectivity tools used to provide secure access to remote machines. +Additionally, TCP/IP connections can be tunneled or forwarded securely through SSH connections. +OpenSSH encrypts all traffic to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. -OpenSSH is maintained by the OpenBSD project and is installed by default in FreeBSD. It is compatible with both SSH version 1 and 2 protocols. +OpenSSH is maintained by the OpenBSD project and is installed by default in FreeBSD. +It is compatible with both SSH version 1 and 2 protocols. -When data is sent over the network in an unencrypted form, network sniffers anywhere in between the client and server can steal user/password information or data transferred during the session. OpenSSH offers a variety of authentication and encryption methods to prevent this from happening. More information about OpenSSH is available from http://www.openssh.com/[http://www.openssh.com/]. +When data is sent over the network in an unencrypted form, network sniffers anywhere in between the client and server can steal user/password information or data transferred during the session. +OpenSSH offers a variety of authentication and encryption methods to prevent this from happening. +More information about OpenSSH is available from http://www.openssh.com/[http://www.openssh.com/]. -This section provides an overview of the built-in client utilities to securely access other systems and securely transfer files from a FreeBSD system. It then describes how to configure a SSH server on a FreeBSD system. More information is available in the man pages mentioned in this chapter. +This section provides an overview of the built-in client utilities to securely access other systems and securely transfer files from a FreeBSD system. +It then describes how to configure a SSH server on a FreeBSD system. +More information is available in the man pages mentioned in this chapter. === Using the SSH Client Utilities -To log into a SSH server, use `ssh` and specify a username that exists on that server and the IP address or hostname of the server. If this is the first time a connection has been made to the specified server, the user will be prompted to first verify the server's fingerprint: +To log into a SSH server, use `ssh` and specify a username that exists on that server and the IP address or hostname of the server. +If this is the first time a connection has been made to the specified server, the user will be prompted to first verify the server's fingerprint: [source,shell] .... @@ -1305,11 +1601,18 @@ Permanently added 'example.com' (ECDSA) to the list of known hosts. Password for user@example.com: user_password .... -SSH utilizes a key fingerprint system to verify the authenticity of the server when the client connects. When the user accepts the key's fingerprint by typing `yes` when connecting for the first time, a copy of the key is saved to [.filename]#.ssh/known_hosts# in the user's home directory. Future attempts to login are verified against the saved key and `ssh` will display an alert if the server's key does not match the saved key. If this occurs, the user should first verify why the key has changed before continuing with the connection. +SSH utilizes a key fingerprint system to verify the authenticity of the server when the client connects. +When the user accepts the key's fingerprint by typing `yes` when connecting for the first time, a copy of the key is saved to [.filename]#.ssh/known_hosts# in the user's home directory. +Future attempts to login are verified against the saved key and `ssh` will display an alert if the server's key does not match the saved key. +If this occurs, the user should first verify why the key has changed before continuing with the connection. -By default, recent versions of OpenSSH only accept SSHv2 connections. By default, the client will use version 2 if possible and will fall back to version 1 if the server does not support version 2. To force `ssh` to only use the specified protocol, include `-1` or `-2`. Additional options are described in man:ssh[1]. +By default, recent versions of OpenSSH only accept SSHv2 connections. +By default, the client will use version 2 if possible and will fall back to version 1 if the server does not support version 2. +To force `ssh` to only use the specified protocol, include `-1` or `-2`. +Additional options are described in man:ssh[1]. -Use man:scp[1] to securely copy a file to or from a remote machine. This example copies [.filename]#COPYRIGHT# on the remote system to a file of the same name in the current directory of the local system: +Use man:scp[1] to securely copy a file to or from a remote machine. +This example copies [.filename]#COPYRIGHT# on the remote system to a file of the same name in the current directory of the local system: [source,shell] .... @@ -1322,14 +1625,21 @@ COPYRIGHT 100% |*****************************| 4735 Since the fingerprint was already verified for this host, the server's key is automatically checked before prompting for the user's password. -The arguments passed to `scp` are similar to `cp`. The file or files to copy is the first argument and the destination to copy to is the second. Since the file is fetched over the network, one or more of the file arguments takes the form `user@host:<path_to_remote_file>`. Be aware when copying directories recursively that `scp` uses `-r`, whereas `cp` uses `-R`. +The arguments passed to `scp` are similar to `cp`. +The file or files to copy is the first argument and the destination to copy to is the second. +Since the file is fetched over the network, one or more of the file arguments takes the form `user@host:<path_to_remote_file>`. +Be aware when copying directories recursively that `scp` uses `-r`, whereas `cp` uses `-R`. -To open an interactive session for copying files, use `sftp`. Refer to man:sftp[1] for a list of available commands while in an `sftp` session. +To open an interactive session for copying files, use `sftp`. +Refer to man:sftp[1] for a list of available commands while in an `sftp` session. [[security-ssh-keygen]] ==== Key-based Authentication -Instead of using passwords, a client can be configured to connect to the remote machine using keys. To generate RSA authentication keys, use `ssh-keygen`. To generate a public and private key pair, specify the type of key and follow the prompts. It is recommended to protect the keys with a memorable, but hard to guess passphrase. +Instead of using passwords, a client can be configured to connect to the remote machine using keys. +To generate RSA authentication keys, use `ssh-keygen`. +To generate a public and private key pair, specify the type of key and follow the prompts. +It is recommended to protect the keys with a memorable, but hard to guess passphrase. [source,shell] .... @@ -1359,21 +1669,32 @@ The key's randomart image is: <.> Type a passphrase here. It can contain spaces and symbols. <.> Retype the passphrase to verify it. -The private key is stored in [.filename]#~/.ssh/id_rsa# and the public key is stored in [.filename]#~/.ssh/id_rsa.pub#. The _public_ key must be copied to [.filename]#~/.ssh/authorized_keys# on the remote machine for key-based authentication to work. +The private key is stored in [.filename]#~/.ssh/id_rsa# and the public key is stored in [.filename]#~/.ssh/id_rsa.pub#. +The _public_ key must be copied to [.filename]#~/.ssh/authorized_keys# on the remote machine for key-based authentication to work. [WARNING] ==== - -Many users believe that keys are secure by design and will use a key without a passphrase. This is _dangerous_ behavior. An administrator can verify that a key pair is protected by a passphrase by viewing the private key manually. If the private key file contains the word `ENCRYPTED`, the key owner is using a passphrase. In addition, to better secure end users, `from` may be placed in the public key file. For example, adding `from="192.168.10.5"` in front of the `ssh-rsa` prefix will only allow that specific user to log in from that IP address. +Many users believe that keys are secure by design and will use a key without a passphrase. +This is _dangerous_ behavior. +An administrator can verify that a key pair is protected by a passphrase by viewing the private key manually. +If the private key file contains the word `ENCRYPTED`, the key owner is using a passphrase. +In addition, to better secure end users, `from` may be placed in the public key file. +For example, adding `from="192.168.10.5"` in front of the `ssh-rsa` prefix will only allow that specific user to log in from that IP address. ==== -The options and files vary with different versions of OpenSSH. To avoid problems, consult man:ssh-keygen[1]. +The options and files vary with different versions of OpenSSH. +To avoid problems, consult man:ssh-keygen[1]. -If a passphrase is used, the user is prompted for the passphrase each time a connection is made to the server. To load SSH keys into memory and remove the need to type the passphrase each time, use man:ssh-agent[1] and man:ssh-add[1]. +If a passphrase is used, the user is prompted for the passphrase each time a connection is made to the server. +To load SSH keys into memory and remove the need to type the passphrase each time, use man:ssh-agent[1] and man:ssh-add[1]. -Authentication is handled by `ssh-agent`, using the private keys that are loaded into it. `ssh-agent` can be used to launch another application like a shell or a window manager. +Authentication is handled by `ssh-agent`, using the private keys that are loaded into it. +`ssh-agent` can be used to launch another application like a shell or a window manager. -To use `ssh-agent` in a shell, start it with a shell as an argument. Add the identity by running `ssh-add` and entering the passphrase for the private key. The user will then be able to `ssh` to any host that has the corresponding public key installed. For example: +To use `ssh-agent` in a shell, start it with a shell as an argument. +Add the identity by running `ssh-add` and entering the passphrase for the private key. +The user will then be able to `ssh` to any host that has the corresponding public key installed. +For example: [source,shell] .... @@ -1386,14 +1707,17 @@ Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/user/.ssh/id_rsa) <.> Enter the passphrase for the key. -To use `ssh-agent` in Xorg, add an entry for it in [.filename]#~/.xinitrc#. This provides the `ssh-agent` services to all programs launched in Xorg. An example [.filename]#~/.xinitrc# might look like this: +To use `ssh-agent` in Xorg, add an entry for it in [.filename]#~/.xinitrc#. +This provides the `ssh-agent` services to all programs launched in Xorg. +An example [.filename]#~/.xinitrc# might look like this: [.programlisting] .... exec ssh-agent startxfce4 .... -This launches `ssh-agent`, which in turn launches XFCE, every time Xorg starts. Once Xorg has been restarted so that the changes can take effect, run `ssh-add` to load all of the SSH keys. +This launches `ssh-agent`, which in turn launches XFCE, every time Xorg starts. +Once Xorg has been restarted so that the changes can take effect, run `ssh-add` to load all of the SSH keys. [[security-ssh-tunneling]] ==== SSH Tunneling @@ -1414,7 +1738,8 @@ This example uses the following options: Forces `ssh` to use version 2 to connect to the server. `-N`:: -Indicates no command, or tunnel only. If omitted, `ssh` initiates a normal session. +Indicates no command, or tunnel only. +If omitted, `ssh` initiates a normal session. `-f`:: Forces `ssh` to run in the background. @@ -1425,7 +1750,10 @@ Indicates a local tunnel in _localport:remotehost:remoteport_ format. `user@foo.example.com`:: The login name to use on the specified remote SSH server. -An SSH tunnel works by creating a listen socket on `localhost` on the specified `localport`. It then forwards any connections received on `localport` via the SSH connection to the specified `remotehost:remoteport`. In the example, port `5023` on the client is forwarded to port `23` on the remote machine. Since port 23 is used by telnet, this creates an encrypted telnet session through an SSH tunnel. +An SSH tunnel works by creating a listen socket on `localhost` on the specified `localport`. +It then forwards any connections received on `localport` via the SSH connection to the specified `remotehost:remoteport`. +In the example, port `5023` on the client is forwarded to port `23` on the remote machine. +Since port 23 is used by telnet, this creates an encrypted telnet session through an SSH tunnel. This method can be used to wrap any number of insecure TCP protocols such as SMTP, POP3, and FTP, as seen in the following examples. @@ -1443,13 +1771,16 @@ Connected to localhost. Escape character is '^]'. 220 mailserver.example.com ESMTP .... -This can be used in conjunction with `ssh-keygen` and additional user accounts to create a more seamless SSH tunneling environment. Keys can be used in place of typing a password, and the tunnels can be run as a separate user. +This can be used in conjunction with `ssh-keygen` and additional user accounts to create a more seamless SSH tunneling environment. +Keys can be used in place of typing a password, and the tunnels can be run as a separate user. ==== .Secure Access of a POP3 Server [example] ==== -In this example, there is an SSH server that accepts connections from the outside. On the same network resides a mail server running a POP3 server. To check email in a secure manner, create an SSH connection to the SSH server and tunnel through to the mail server: +In this example, there is an SSH server that accepts connections from the outside. +On the same network resides a mail server running a POP3 server. +To check email in a secure manner, create an SSH connection to the SSH server and tunnel through to the mail server: [source,shell] .... @@ -1457,13 +1788,16 @@ In this example, there is an SSH server that accepts connections from the outsid user@ssh-server.example.com's password: ****** .... -Once the tunnel is up and running, point the email client to send POP3 requests to `localhost` on port 2110. This connection will be forwarded securely across the tunnel to `mail.example.com`. +Once the tunnel is up and running, point the email client to send POP3 requests to `localhost` on port 2110. +This connection will be forwarded securely across the tunnel to `mail.example.com`. ==== .Bypassing a Firewall [example] ==== -Some firewalls filter both incoming and outgoing connections. For example, a firewall might limit access from remote machines to ports 22 and 80 to only allow SSH and web surfing. This prevents access to any other service which uses a port other than 22 or 80. +Some firewalls filter both incoming and outgoing connections. +For example, a firewall might limit access from remote machines to ports 22 and 80 to only allow SSH and web surfing. +This prevents access to any other service which uses a port other than 22 or 80. The solution is to create an SSH connection to a machine outside of the network's firewall and use it to tunnel to the desired service: @@ -1501,7 +1835,8 @@ This will start sshd, the daemon program for OpenSSH, the next time the system b # service sshd start .... -The first time sshd starts on a FreeBSD system, the system's host keys will be automatically created and the fingerprint will be displayed on the console. Provide users with the fingerprint so that they can verify it the first time they connect to the server. +The first time sshd starts on a FreeBSD system, the system's host keys will be automatically created and the fingerprint will be displayed on the console. +Provide users with the fingerprint so that they can verify it the first time they connect to the server. Refer to man:sshd[8] for the list of available options when starting sshd and a more complete discussion about authentication, the login process, and the various configuration files. @@ -1509,9 +1844,11 @@ At this point, the sshd should be available to all users with a username and pas === SSH Server Security -While sshd is the most widely used remote administration facility for FreeBSD, brute force and drive by attacks are common to any system exposed to public networks. Several additional parameters are available to prevent the success of these attacks and will be described in this section. +While sshd is the most widely used remote administration facility for FreeBSD, brute force and drive by attacks are common to any system exposed to public networks. +Several additional parameters are available to prevent the success of these attacks and will be described in this section. -It is a good idea to limit which users can log into the SSH server and from where using the `AllowUsers` keyword in the OpenSSH server configuration file. For example, to only allow `root` to log in from `192.168.1.32`, add this line to [.filename]#/etc/ssh/sshd_config#: +It is a good idea to limit which users can log into the SSH server and from where using the `AllowUsers` keyword in the OpenSSH server configuration file. +For example, to only allow `root` to log in from `192.168.1.32`, add this line to [.filename]#/etc/ssh/sshd_config#: [.programlisting] .... @@ -1541,10 +1878,18 @@ After making changes to [.filename]#/etc/ssh/sshd_config#, tell sshd to reload i [NOTE] ==== -When this keyword is used, it is important to list each user that needs to log into this machine. Any user that is not specified in that line will be locked out. Also, the keywords used in the OpenSSH server configuration file are case-sensitive. If the keyword is not spelled correctly, including its case, it will be ignored. Always test changes to this file to make sure that the edits are working as expected. Refer to man:sshd_config[5] to verify the spelling and use of the available keywords. +When this keyword is used, it is important to list each user that needs to log into this machine. +Any user that is not specified in that line will be locked out. +Also, the keywords used in the OpenSSH server configuration file are case-sensitive. +If the keyword is not spelled correctly, including its case, it will be ignored. +Always test changes to this file to make sure that the edits are working as expected. +Refer to man:sshd_config[5] to verify the spelling and use of the available keywords. ==== -In addition, users may be forced to use two factor authentication via the use of a public and private key. When required, the user may generate a key pair through the use of man:ssh-keygen[1] and send the administrator the public key. This key file will be placed in the [.filename]#authorized_keys# as described above in the client section. To force the users to use keys only, the following option may be configured: +In addition, users may be forced to use two factor authentication via the use of a public and private key. +When required, the user may generate a key pair through the use of man:ssh-keygen[1] and send the administrator the public key. +This key file will be placed in the [.filename]#authorized_keys# as described above in the client section. +To force the users to use keys only, the following option may be configured: [.programlisting] .... @@ -1554,35 +1899,43 @@ AuthenticationMethods publickey [TIP] ==== -Do not confuse [.filename]#/etc/ssh/sshd_config# with [.filename]#/etc/ssh/ssh_config# (note the extra `d` in the first filename). The first file configures the server and the second file configures the client. Refer to man:ssh_config[5] for a listing of the available client settings. +Do not confuse [.filename]#/etc/ssh/sshd_config# with [.filename]#/etc/ssh/ssh_config# (note the extra `d` in the first filename). +The first file configures the server and the second file configures the client. +Refer to man:ssh_config[5] for a listing of the available client settings. ==== [[fs-acl]] == Access Control Lists -Access Control Lists (ACLs) extend the standard UNIX(R) permission model in a POSIX(R).1e compatible way. This permits an administrator to take advantage of a more fine-grained permissions model. +Access Control Lists (ACLs) extend the standard UNIX(R) permission model in a POSIX(R).1e compatible way. +This permits an administrator to take advantage of a more fine-grained permissions model. -The FreeBSD [.filename]#GENERIC# kernel provides ACL support for UFS file systems. Users who prefer to compile a custom kernel must include the following option in their custom kernel configuration file: +The FreeBSD [.filename]#GENERIC# kernel provides ACL support for UFS file systems. +Users who prefer to compile a custom kernel must include the following option in their custom kernel configuration file: [.programlisting] .... options UFS_ACL .... -If this option is not compiled in, a warning message will be displayed when attempting to mount a file system with ACL support. ACLs rely on extended attributes which are natively supported in UFS2. +If this option is not compiled in, a warning message will be displayed when attempting to mount a file system with ACL support. +ACLs rely on extended attributes which are natively supported in UFS2. This chapter describes how to enable ACL support and provides some usage examples. === Enabling ACL Support -ACLs are enabled by the mount-time administrative flag, `acls`, which may be added to [.filename]#/etc/fstab#. The mount-time flag can also be automatically set in a persistent manner using man:tunefs[8] to modify a superblock ACLs flag in the file system header. In general, it is preferred to use the superblock flag for several reasons: +ACLs are enabled by the mount-time administrative flag, `acls`, which may be added to [.filename]#/etc/fstab#. +The mount-time flag can also be automatically set in a persistent manner using man:tunefs[8] to modify a superblock ACLs flag in the file system header. +In general, it is preferred to use the superblock flag for several reasons: * The superblock flag cannot be changed by a remount using `mount -u` as it requires a complete `umount` and fresh `mount`. This means that ACLs cannot be enabled on the root file system after boot. It also means that ACL support on a file system cannot be changed while the system is in use. * Setting the superblock flag causes the file system to always be mounted with ACLs enabled, even if there is not an [.filename]#fstab# entry or if the devices re-order. This prevents accidental mounting of the file system without ACL support. [NOTE] ==== -It is desirable to discourage accidental mounting without ACLs enabled because nasty things can happen if ACLs are enabled, then disabled, then re-enabled without flushing the extended attributes. In general, once ACLs are enabled on a file system, they should not be disabled, as the resulting file protections may not be compatible with those intended by the users of the system, and re-enabling ACLs may re-attach the previous ACLs to files that have since had their permissions changed, resulting in unpredictable behavior. +It is desirable to discourage accidental mounting without ACLs enabled because nasty things can happen if ACLs are enabled, then disabled, then re-enabled without flushing the extended attributes. +In general, once ACLs are enabled on a file system, they should not be disabled, as the resulting file protections may not be compatible with those intended by the users of the system, and re-enabling ACLs may re-attach the previous ACLs to files that have since had their permissions changed, resulting in unpredictable behavior. ==== File systems with ACLs enabled will show a plus (`+`) sign in their permission settings: @@ -1600,7 +1953,8 @@ In this example, [.filename]#directory1#, [.filename]#directory2#, and [.filenam === Using ACLs -File system ACLs can be viewed using `getfacl`. For instance, to view the ACL settings on [.filename]#test#: +File system ACLs can be viewed using `getfacl`. +For instance, to view the ACL settings on [.filename]#test#: [source,shell] .... @@ -1613,7 +1967,9 @@ File system ACLs can be viewed using `getfacl`. For instance, to view the ACL se other::r-- .... -To change the ACL settings on this file, use `setfacl`. To remove all of the currently defined ACLs from a file or file system, include `-k`. However, the preferred method is to use `-b` as it leaves the basic fields required for ACLs to work. +To change the ACL settings on this file, use `setfacl`. +To remove all of the currently defined ACLs from a file or file system, include `-k`. +However, the preferred method is to use `-b` as it leaves the basic fields required for ACLs to work. [source,shell] .... @@ -1627,22 +1983,31 @@ To modify the default ACL entries, use `-m`: % setfacl -m u:trhodes:rwx,group:web:r--,o::--- test .... -In this example, there were no pre-defined entries, as they were removed by the previous command. This command restores the default options and assigns the options listed. If a user or group is added which does not exist on the system, an `Invalid argument` error will be displayed. +In this example, there were no pre-defined entries, as they were removed by the previous command. +This command restores the default options and assigns the options listed. +If a user or group is added which does not exist on the system, an `Invalid argument` error will be displayed. Refer to man:getfacl[1] and man:setfacl[1] for more information about the options available for these commands. [[security-pkg]] == Monitoring Third Party Security Issues -In recent years, the security world has made many improvements to how vulnerability assessment is handled. The threat of system intrusion increases as third party utilities are installed and configured for virtually any operating system available today. +In recent years, the security world has made many improvements to how vulnerability assessment is handled. +The threat of system intrusion increases as third party utilities are installed and configured for virtually any operating system available today. -Vulnerability assessment is a key factor in security. While FreeBSD releases advisories for the base system, doing so for every third party utility is beyond the FreeBSD Project's capability. There is a way to mitigate third party vulnerabilities and warn administrators of known security issues. A FreeBSD add on utility known as pkg includes options explicitly for this purpose. +Vulnerability assessment is a key factor in security. +While FreeBSD releases advisories for the base system, doing so for every third party utility is beyond the FreeBSD Project's capability. +There is a way to mitigate third party vulnerabilities and warn administrators of known security issues. +A FreeBSD add on utility known as pkg includes options explicitly for this purpose. -pkg polls a database for security issues. The database is updated and maintained by the FreeBSD Security Team and ports developers. +pkg polls a database for security issues. +The database is updated and maintained by the FreeBSD Security Team and ports developers. Please refer to crossref:ports[pkgng-intro,instructions] for installing pkg. -Installation provides man:periodic[8] configuration files for maintaining the pkg audit database, and provides a programmatic method of keeping it updated. This functionality is enabled if `daily_status_security_pkgaudit_enable` is set to `YES` in man:periodic.conf[5]. Ensure that daily security run emails, which are sent to ``root``'s email account, are being read. +Installation provides man:periodic[8] configuration files for maintaining the pkg audit database, and provides a programmatic method of keeping it updated. +This functionality is enabled if `daily_status_security_pkgaudit_enable` is set to `YES` in man:periodic.conf[5]. +Ensure that daily security run emails, which are sent to ``root``'s email account, are being read. After installation, and to audit third party utilities as part of the Ports Collection at any time, an administrator may choose to update the database and view known vulnerabilities of installed packages by invoking: @@ -1664,16 +2029,21 @@ Reference: <https://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001 You are advised to update or deinstall the affected package(s) immediately. .... -By pointing a web browser to the displayed URL, an administrator may obtain more information about the vulnerability. This will include the versions affected, by FreeBSD port version, along with other web sites which may contain security advisories. +By pointing a web browser to the displayed URL, an administrator may obtain more information about the vulnerability. +This will include the versions affected, by FreeBSD port version, along with other web sites which may contain security advisories. pkg is a powerful utility and is extremely useful when coupled with package:ports-mgmt/portmaster[]. [[security-advisories]] == FreeBSD Security Advisories -Like many producers of quality operating systems, the FreeBSD Project has a security team which is responsible for determining the End-of-Life (EoL) date for each FreeBSD release and to provide security updates for supported releases which have not yet reached their EoL. More information about the FreeBSD security team and the supported releases is available on the link:https://www.FreeBSD.org/security[FreeBSD security page]. +Like many producers of quality operating systems, the FreeBSD Project has a security team which is responsible for determining the End-of-Life (EoL) date for each FreeBSD release and to provide security updates for supported releases which have not yet reached their EoL. +More information about the FreeBSD security team and the supported releases is available on the link:https://www.FreeBSD.org/security[FreeBSD security page]. -One task of the security team is to respond to reported security vulnerabilities in the FreeBSD operating system. Once a vulnerability is confirmed, the security team verifies the steps necessary to fix the vulnerability and updates the source code with the fix. It then publishes the details as a "Security Advisory". Security advisories are published on the link:https://www.FreeBSD.org/security/advisories/[FreeBSD website] and mailed to the {freebsd-security-notifications}, {freebsd-security}, and {freebsd-announce} mailing lists. +One task of the security team is to respond to reported security vulnerabilities in the FreeBSD operating system. +Once a vulnerability is confirmed, the security team verifies the steps necessary to fix the vulnerability and updates the source code with the fix. +It then publishes the details as a "Security Advisory". +Security advisories are published on the link:https://www.FreeBSD.org/security/advisories/[FreeBSD website] and mailed to the {freebsd-security-notifications}, {freebsd-security}, and {freebsd-announce} mailing lists. This section describes the format of a FreeBSD security advisory. @@ -1851,7 +2221,10 @@ Every security advisory uses the following format: Process accounting is a security method in which an administrator may keep track of system resources used and their allocation among users, provide for system monitoring, and minimally track a user's commands. -Process accounting has both positive and negative points. One of the positives is that an intrusion may be narrowed down to the point of entry. A negative is the amount of logs generated by process accounting, and the disk space they may require. This section walks an administrator through the basics of process accounting. +Process accounting has both positive and negative points. +One of the positives is that an intrusion may be narrowed down to the point of entry. +A negative is the amount of logs generated by process accounting, and the disk space they may require. +This section walks an administrator through the basics of process accounting. [NOTE] ==== @@ -1868,11 +2241,18 @@ Before using process accounting, it must be enabled using the following commands # service accounting start .... -The accounting information is stored in files located in [.filename]#/var/account#, which is automatically created, if necessary, the first time the accounting service starts. These files contain sensitive information, including all the commands issued by all users. Write access to the files is limited to `root`, and read access is limited to `root` and members of the `wheel` group. To also prevent members of `wheel` from reading the files, change the mode of the [.filename]#/var/account# directory to allow access only by `root`. +The accounting information is stored in files located in [.filename]#/var/account#, which is automatically created, if necessary, the first time the accounting service starts. +These files contain sensitive information, including all the commands issued by all users. +Write access to the files is limited to `root`, and read access is limited to `root` and members of the `wheel` group. +To also prevent members of `wheel` from reading the files, change the mode of the [.filename]#/var/account# directory to allow access only by `root`. -Once enabled, accounting will begin to track information such as CPU statistics and executed commands. All accounting logs are in a non-human readable format which can be viewed using `sa`. If issued without any options, `sa` prints information relating to the number of per-user calls, the total elapsed time in minutes, total CPU and user time in minutes, and the average number of I/O operations. Refer to man:sa[8] for the list of available options which control the output. +Once enabled, accounting will begin to track information such as CPU statistics and executed commands. +All accounting logs are in a non-human readable format which can be viewed using `sa`. +If issued without any options, `sa` prints information relating to the number of per-user calls, the total elapsed time in minutes, total CPU and user time in minutes, and the average number of I/O operations. +Refer to man:sa[8] for the list of available options which control the output. -To display the commands issued by users, use `lastcomm`. For example, this command prints out all usage of `ls` by `trhodes` on the `ttyp1` terminal: +To display the commands issued by users, use `lastcomm`. +For example, this command prints out all usage of `ls` by `trhodes` on the `ttyp1` terminal: [source,shell] .... @@ -1884,18 +2264,27 @@ Many other useful options exist and are explained in man:lastcomm[1], man:acct[5 [[security-resourcelimits]] == Resource Limits -FreeBSD provides several methods for an administrator to limit the amount of system resources an individual may use. Disk quotas limit the amount of disk space available to users. Quotas are discussed in crossref:disks[quotas,"Disk Quotas"]. +FreeBSD provides several methods for an administrator to limit the amount of system resources an individual may use. +Disk quotas limit the amount of disk space available to users. +Quotas are discussed in crossref:disks[quotas,"Disk Quotas"]. -Limits to other resources, such as CPU and memory, can be set using either a flat file or a command to configure a resource limits database. The traditional method defines login classes by editing [.filename]#/etc/login.conf#. While this method is still supported, any changes require a multi-step process of editing this file, rebuilding the resource database, making necessary changes to [.filename]#/etc/master.passwd#, and rebuilding the password database. This can become time consuming, depending upon the number of users to configure. +Limits to other resources, such as CPU and memory, can be set using either a flat file or a command to configure a resource limits database. +The traditional method defines login classes by editing [.filename]#/etc/login.conf#. +While this method is still supported, any changes require a multi-step process of editing this file, rebuilding the resource database, making necessary changes to [.filename]#/etc/master.passwd#, and rebuilding the password database. +This can become time consuming, depending upon the number of users to configure. -`rctl` can be used to provide a more fine-grained method for controlling resource limits. This command supports more than user limits as it can also be used to set resource constraints on processes and jails. +`rctl` can be used to provide a more fine-grained method for controlling resource limits. +This command supports more than user limits as it can also be used to set resource constraints on processes and jails. This section demonstrates both methods for controlling resources, beginning with the traditional method. [[users-limiting]] === Configuring Login Classes -In the traditional method, login classes and the resource limits to apply to a login class are defined in [.filename]#/etc/login.conf#. Each user account can be assigned to a login class, where `default` is the default login class. Each login class has a set of login capabilities associated with it. A login capability is a `_name_=_value_` pair, where _name_ is a well-known identifier and _value_ is an arbitrary string which is processed accordingly depending on the _name_. +In the traditional method, login classes and the resource limits to apply to a login class are defined in [.filename]#/etc/login.conf#. +Each user account can be assigned to a login class, where `default` is the default login class. +Each login class has a set of login capabilities associated with it. +A login capability is a `_name_=_value_` pair, where _name_ is a well-known identifier and _value_ is an arbitrary string which is processed accordingly depending on the _name_. [NOTE] ==== @@ -1908,9 +2297,15 @@ Whenever [.filename]#/etc/login.conf# is edited, the [.filename]#/etc/login.conf ==== -Resource limits differ from the default login capabilities in two ways. First, for every limit, there is a _soft_ and _hard_ limit. A soft limit may be adjusted by the user or application, but may not be set higher than the hard limit. The hard limit may be lowered by the user, but can only be raised by the superuser. Second, most resource limits apply per process to a specific user. +Resource limits differ from the default login capabilities in two ways. +First, for every limit, there is a _soft_ and _hard_ limit. +A soft limit may be adjusted by the user or application, but may not be set higher than the hard limit. +The hard limit may be lowered by the user, but can only be raised by the superuser. +Second, most resource limits apply per process to a specific user. + +<<resource-limits>> lists the most commonly used resource limits. +All of the available resource limits and capabilities are described in detail in man:login.conf[5]. -<<resource-limits>> lists the most commonly used resource limits. All of the available resource limits and capabilities are described in detail in man:login.conf[5]. [[resource-limits]] .Login Class Resource Limits [cols="20%,80%", frame="none", options="header"] @@ -1957,7 +2352,8 @@ For further information on resource limits and login classes and capabilities in === Enabling and Configuring Resource Limits -The `kern.racct.enable` tunable must be set to a non-zero value. Custom kernels require specific configuration: +The `kern.racct.enable` tunable must be set to a non-zero value. +Custom kernels require specific configuration: [.programlisting] .... @@ -1974,9 +2370,13 @@ Rule syntax is controlled through the use of a subject, subject-id, resource, an user:trhodes:maxproc:deny=10/user .... -In this rule, the subject is `user`, the subject-id is `trhodes`, the resource, `maxproc`, is the maximum number of processes, and the action is `deny`, which blocks any new processes from being created. This means that the user, `trhodes`, will be constrained to no greater than `10` processes. Other possible actions include logging to the console, passing a notification to man:devd[8], or sending a sigterm to the process. +In this rule, the subject is `user`, the subject-id is `trhodes`, the resource, `maxproc`, is the maximum number of processes, and the action is `deny`, which blocks any new processes from being created. +This means that the user, `trhodes`, will be constrained to no greater than `10` processes. +Other possible actions include logging to the console, passing a notification to man:devd[8], or sending a sigterm to the process. -Some care must be taken when adding rules. Since this user is constrained to `10` processes, this example will prevent the user from performing other tasks after logging in and executing a `screen` session. Once a resource limit has been hit, an error will be printed, as in this example: +Some care must be taken when adding rules. +Since this user is constrained to `10` processes, this example will prevent the user from performing other tasks after logging in and executing a `screen` session. +Once a resource limit has been hit, an error will be printed, as in this example: [source,shell] .... @@ -1985,14 +2385,16 @@ Some care must be taken when adding rules. Since this user is constrained to `10 eval: Cannot fork: Resource temporarily unavailable .... -As another example, a jail can be prevented from exceeding a memory limit. This rule could be written as: +As another example, a jail can be prevented from exceeding a memory limit. +This rule could be written as: [source,shell] .... # rctl -a jail:httpd:memoryuse:deny=2G/jail .... -Rules will persist across reboots if they have been added to [.filename]#/etc/rctl.conf#. The format is a rule, without the preceding command. For example, the previous rule could be added as: +Rules will persist across reboots if they have been added to [.filename]#/etc/rctl.conf#. +The format is a rule, without the preceding command. For example, the previous rule could be added as: [.programlisting] .... @@ -2007,32 +2409,47 @@ To remove a rule, use `rctl` to remove it from the list: # rctl -r user:trhodes:maxproc:deny=10/user .... -A method for removing all rules is documented in man:rctl[8]. However, if removing all rules for a single user is required, this command may be issued: +A method for removing all rules is documented in man:rctl[8]. +However, if removing all rules for a single user is required, this command may be issued: [source,shell] .... # rctl -r user:trhodes .... -Many other resources exist which can be used to exert additional control over various `subjects`. See man:rctl[8] to learn about them. +Many other resources exist which can be used to exert additional control over various `subjects`. +See man:rctl[8] to learn about them. [[security-sudo]] == Shared Administration with Sudo -System administrators often need the ability to grant enhanced permissions to users so they may perform privileged tasks. The idea that team members are provided access to a FreeBSD system to perform their specific tasks opens up unique challenges to every administrator. These team members only need a subset of access beyond normal end user levels; however, they almost always tell management they are unable to perform their tasks without superuser access. Thankfully, there is no reason to provide such access to end users because tools exist to manage this exact requirement. +System administrators often need the ability to grant enhanced permissions to users so they may perform privileged tasks. +The idea that team members are provided access to a FreeBSD system to perform their specific tasks opens up unique challenges to every administrator. +These team members only need a subset of access beyond normal end user levels; however, they almost always tell management they are unable to perform their tasks without superuser access. +Thankfully, there is no reason to provide such access to end users because tools exist to manage this exact requirement. -Up to this point, the security chapter has covered permitting access to authorized users and attempting to prevent unauthorized access. Another problem arises once authorized users have access to the system resources. In many cases, some users may need access to application startup scripts, or a team of administrators need to maintain the system. Traditionally, the standard users and groups, file permissions, and even the man:su[1] command would manage this access. And as applications required more access, as more users needed to use system resources, a better solution was required. The most used application is currently Sudo. +Up to this point, the security chapter has covered permitting access to authorized users and attempting to prevent unauthorized access. +Another problem arises once authorized users have access to the system resources. +In many cases, some users may need access to application startup scripts, or a team of administrators need to maintain the system. +Traditionally, the standard users and groups, file permissions, and even the man:su[1] command would manage this access. +And as applications required more access, as more users needed to use system resources, a better solution was required. +The most used application is currently Sudo. -Sudo allows administrators to configure more rigid access to system commands and provide for some advanced logging features. As a tool, it is available from the Ports Collection as package:security/sudo[] or by use of the man:pkg[8] utility. To use the man:pkg[8] tool: +Sudo allows administrators to configure more rigid access to system commands and provide for some advanced logging features. +As a tool, it is available from the Ports Collection as package:security/sudo[] or by use of the man:pkg[8] utility. +To use the man:pkg[8] tool: [source,shell] .... # pkg install sudo .... -After the installation is complete, the installed `visudo` will open the configuration file with a text editor. Using `visudo` is highly recommended as it comes with a built in syntax checker to verify there are no errors before the file is saved. +After the installation is complete, the installed `visudo` will open the configuration file with a text editor. +Using `visudo` is highly recommended as it comes with a built in syntax checker to verify there are no errors before the file is saved. -The configuration file is made up of several small sections which allow for extensive configuration. In the following example, web application maintainer, user1, needs to start, stop, and restart the web application known as _webservice_. To grant this user permission to perform these tasks, add this line to the end of [.filename]#/usr/local/etc/sudoers#: +The configuration file is made up of several small sections which allow for extensive configuration. +In the following example, web application maintainer, user1, needs to start, stop, and restart the web application known as _webservice_. +To grant this user permission to perform these tasks, add this line to the end of [.filename]#/usr/local/etc/sudoers#: [.programlisting] .... @@ -2046,7 +2463,10 @@ The user may now start _webservice_ using this command: % sudo /usr/sbin/service webservice start .... -While this configuration allows a single user access to the webservice service; however, in most organizations, there is an entire web team in charge of managing the service. A single line can also give access to an entire group. These steps will create a web group, add a user to this group, and allow all members of the group to manage the service: +While this configuration allows a single user access to the webservice service; +however, in most organizations, there is an entire web team in charge of managing the service. +A single line can also give access to an entire group. +These steps will create a web group, add a user to this group, and allow all members of the group to manage the service: [source,shell] .... @@ -2067,14 +2487,21 @@ Finally, this line in [.filename]#/usr/local/etc/sudoers# allows any member of t %webteam ALL=(ALL) /usr/sbin/service webservice * .... -Unlike man:su[1], Sudo only requires the end user password. This adds an advantage where users will not need shared passwords, a finding in most security audits and just bad all the way around. +Unlike man:su[1], Sudo only requires the end user password. +This adds an advantage where users will not need shared passwords, +a finding in most security audits and just bad all the way around. -Users permitted to run applications with Sudo only enter their own passwords. This is more secure and gives better control than man:su[1], where the `root` password is entered and the user acquires all `root` permissions. +Users permitted to run applications with Sudo only enter their own passwords. +This is more secure and gives better control than man:su[1], +where the `root` password is entered and the user acquires all `root` permissions. [TIP] ==== -Most organizations are moving or have moved toward a two factor authentication model. In these cases, the user may not have a password to enter. Sudo provides for these cases with the `NOPASSWD` variable. Adding it to the configuration above will allow all members of the _webteam_ group to manage the service without the password requirement: +Most organizations are moving or have moved toward a two factor authentication model. +In these cases, the user may not have a password to enter. +Sudo provides for these cases with the `NOPASSWD` variable. +Adding it to the configuration above will allow all members of the _webteam_ group to manage the service without the password requirement: [.programlisting] .... @@ -2086,7 +2513,11 @@ Most organizations are moving or have moved toward a two factor authentication m [[security-sudo-loggin]] === Logging Output -An advantage to implementing Sudo is the ability to enable session logging. Using the built in log mechanisms and the included sudoreplay command, all commands initiated through Sudo are logged for later verification. To enable this feature, add a default log directory entry, this example uses a user variable. Several other log filename conventions exist, consult the manual page for sudoreplay for additional information. +An advantage to implementing Sudo is the ability to enable session logging. +Using the built in log mechanisms and the included sudoreplay command, +all commands initiated through Sudo are logged for later verification. +To enable this feature, add a default log directory entry, this example uses a user variable. +Several other log filename conventions exist, consult the manual page for sudoreplay for additional information. [.programlisting] .... @@ -2096,24 +2527,30 @@ Defaults iolog_dir=/var/log/sudo-io/%{user} [TIP] ==== -This directory will be created automatically after the logging is configured. It is best to let the system create directory with default permissions just to be safe. In addition, this entry will also log administrators who use the sudoreplay command. To change this behavior, read and uncomment the logging options inside [.filename]#sudoers#. +This directory will be created automatically after the logging is configured. +It is best to let the system create directory with default permissions just to be safe. +In addition, this entry will also log administrators who use the sudoreplay command. +To change this behavior, read and uncomment the logging options inside [.filename]#sudoers#. ==== -Once this directive has been added to the [.filename]#sudoers# file, any user configuration can be updated with the request to log access. In the example shown, the updated _webteam_ entry would have the following additional changes: +Once this directive has been added to the [.filename]#sudoers# file, any user configuration can be updated with the request to log access. +In the example shown, the updated _webteam_ entry would have the following additional changes: [.programlisting] .... %webteam ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: /usr/sbin/service webservice * .... -From this point on, all _webteam_ members altering the status of the _webservice_ application will be logged. The list of previous and current sessions can be displayed with: +From this point on, all _webteam_ members altering the status of the _webservice_ application will be logged. +The list of previous and current sessions can be displayed with: [source,shell] .... # sudoreplay -l .... -In the output, to replay a specific session, search for the `TSID=` entry, and pass that to sudoreplay with no other options to replay the session at normal speed. For example: +In the output, to replay a specific session, search for the `TSID=` entry, and pass that to sudoreplay with no other options to replay the session at normal speed. +For example: [source,shell] .... @@ -2123,10 +2560,12 @@ In the output, to replay a specific session, search for the `TSID=` entry, and p [WARNING] ==== -While sessions are logged, any administrator is able to remove sessions and leave only a question of why they had done so. It is worthwhile to add a daily check through an intrusion detection system (IDS) or similar software so that other administrators are alerted to manual alterations. +While sessions are logged, any administrator is able to remove sessions and leave only a question of why they had done so. +It is worthwhile to add a daily check through an intrusion detection system (IDS) or similar software so that other administrators are alerted to manual alterations. ==== -The `sudoreplay` is extremely extendable. Consult the documentation for more information. +The `sudoreplay` is extremely extendable. +Consult the documentation for more information. [[security-doas]] == Using doas as an alternative to sudo diff --git a/documentation/content/en/books/handbook/serialcomms/_index.adoc b/documentation/content/en/books/handbook/serialcomms/_index.adoc index bfd4bb1aee..631beb9749 100644 --- a/documentation/content/en/books/handbook/serialcomms/_index.adoc +++ b/documentation/content/en/books/handbook/serialcomms/_index.adoc @@ -46,7 +46,9 @@ toc::[] [[serial-synopsis]] == Synopsis -UNIX(R) has always had support for serial communications as the very first UNIX(R) machines relied on serial lines for user input and output. Things have changed a lot from the days when the average terminal consisted of a 10-character-per-second serial printer and a keyboard. This chapter covers some of the ways serial communications can be used on FreeBSD. +UNIX(R) has always had support for serial communications as the very first UNIX(R) machines relied on serial lines for user input and output. +Things have changed a lot from the days when the average terminal consisted of a 10-character-per-second serial printer and a keyboard. +This chapter covers some of the ways serial communications can be used on FreeBSD. After reading this chapter, you will know: @@ -70,28 +72,43 @@ bps:: Bits per Second (bps) is the rate at which data is transmitted. DTE:: -Data Terminal Equipment (DTE) is one of two endpoints in a serial communication. An example would be a computer. +Data Terminal Equipment (DTE) is one of two endpoints in a serial communication. +An example would be a computer. DCE:: -Data Communications Equipment (DTE) is the other endpoint in a serial communication. Typically, it is a modem or serial terminal. +Data Communications Equipment (DTE) is the other endpoint in a serial communication. +Typically, it is a modem or serial terminal. RS-232:: -The original standard which defined hardware serial communications. It has since been renamed to TIA-232. +The original standard which defined hardware serial communications. +It has since been renamed to TIA-232. -When referring to communication data rates, this section does not use the term _baud_. Baud refers to the number of electrical state transitions made in a period of time, while bps is the correct term to use. +When referring to communication data rates, this section does not use the term _baud_. +Baud refers to the number of electrical state transitions made in a period of time, while bps is the correct term to use. -To connect a serial terminal to a FreeBSD system, a serial port on the computer and the proper cable to connect to the serial device are needed. Users who are already familiar with serial hardware and cabling can safely skip this section. +To connect a serial terminal to a FreeBSD system, a serial port on the computer and the proper cable to connect to the serial device are needed. +Users who are already familiar with serial hardware and cabling can safely skip this section. [[term-cables-null]] === Serial Cables and Ports -There are several different kinds of serial cables. The two most common types are null-modem cables and standard RS-232 cables. The documentation for the hardware should describe the type of cable required. +There are several different kinds of serial cables. +The two most common types are null-modem cables and standard RS-232 cables. +The documentation for the hardware should describe the type of cable required. -These two types of cables differ in how the wires are connected to the connector. Each wire represents a signal, with the defined signals summarized in <<serialcomms-signal-names>>. A standard serial cable passes all of the RS-232C signals straight through. For example, the "Transmitted Data" pin on one end of the cable goes to the "Transmitted Data" pin on the other end. This is the type of cable used to connect a modem to the FreeBSD system, and is also appropriate for some terminals. +These two types of cables differ in how the wires are connected to the connector. +Each wire represents a signal, with the defined signals summarized in <<serialcomms-signal-names>>. +A standard serial cable passes all of the RS-232C signals straight through. +For example, the "Transmitted Data" pin on one end of the cable goes to the "Transmitted Data" pin on the other end. +This is the type of cable used to connect a modem to the FreeBSD system, and is also appropriate for some terminals. -A null-modem cable switches the "Transmitted Data" pin of the connector on one end with the "Received Data" pin on the other end. The connector can be either a DB-25 or a DB-9. +A null-modem cable switches the "Transmitted Data" pin of the connector on one end with the "Received Data" pin on the other end. +The connector can be either a DB-25 or a DB-9. -A null-modem cable can be constructed using the pin connections summarized in <<nullmodem-db25>>, <<nullmodem-db9>>, and <<nullmodem-db9-25>>. While the standard calls for a straight-through pin 1 to pin 1 "Protective Ground" line, it is often omitted. Some terminals work using only pins 2, 3, and 7, while others require different configurations. When in doubt, refer to the documentation for the hardware. +A null-modem cable can be constructed using the pin connections summarized in <<nullmodem-db25>>, <<nullmodem-db9>>, and <<nullmodem-db9-25>>. +While the standard calls for a straight-through pin 1 to pin 1 "Protective Ground" line, it is often omitted. +Some terminals work using only pins 2, 3, and 7, while others require different configurations. +When in doubt, refer to the documentation for the hardware. [[serialcomms-signal-names]] .RS-232C Signal Names @@ -325,21 +342,32 @@ A null-modem cable can be constructed using the pin connections summarized in << When one pin at one end connects to a pair of pins at the other end, it is usually implemented with one short wire between the pair of pins in their connector and a long wire to the other single pin. ==== -Serial ports are the devices through which data is transferred between the FreeBSD host computer and the terminal. Several kinds of serial ports exist. Before purchasing or constructing a cable, make sure it will fit the ports on the terminal and on the FreeBSD system. +Serial ports are the devices through which data is transferred between the FreeBSD host computer and the terminal. +Several kinds of serial ports exist. +Before purchasing or constructing a cable, make sure it will fit the ports on the terminal and on the FreeBSD system. -Most terminals have DB-25 ports. Personal computers may have DB-25 or DB-9 ports. A multiport serial card may have RJ-12 or RJ-45/ ports. See the documentation that accompanied the hardware for specifications on the kind of port or visually verify the type of port. +Most terminals have DB-25 ports. +Personal computers may have DB-25 or DB-9 ports. +A multiport serial card may have RJ-12 or RJ-45/ ports. +See the documentation that accompanied the hardware for specifications on the kind of port or visually verify the type of port. -In FreeBSD, each serial port is accessed through an entry in [.filename]#/dev#. There are two different kinds of entries: +In FreeBSD, each serial port is accessed through an entry in [.filename]#/dev#. +There are two different kinds of entries: * Call-in ports are named [.filename]#/dev/ttyuN# where _N_ is the port number, starting from zero. If a terminal is connected to the first serial port ([.filename]#COM1#), use [.filename]#/dev/ttyu0# to refer to the terminal. If the terminal is on the second serial port ([.filename]#COM2#), use [.filename]#/dev/ttyu1#, and so forth. Generally, the call-in port is used for terminals. Call-in ports require that the serial line assert the "Data Carrier Detect" signal to work correctly. * Call-out ports are named [.filename]#/dev/cuauN# on FreeBSD versions 8.X and higher and [.filename]#/dev/cuadN# on FreeBSD versions 7.X and lower. Call-out ports are usually not used for terminals, but are used for modems. The call-out port can be used if the serial cable or the terminal does not support the "Data Carrier Detect" signal. -FreeBSD also provides initialization devices ([.filename]#/dev/ttyuN.init# and [.filename]#/dev/cuauN.init# or [.filename]#/dev/cuadN.init#) and locking devices ([.filename]#/dev/ttyuN.lock# and [.filename]#/dev/cuauN.lock# or [.filename]#/dev/cuadN.lock#). The initialization devices are used to initialize communications port parameters each time a port is opened, such as `crtscts` for modems which use `RTS/CTS` signaling for flow control. The locking devices are used to lock flags on ports to prevent users or programs changing certain parameters. Refer to man:termios[4], man:sio[4], and man:stty[1] for information on terminal settings, locking and initializing devices, and setting terminal options, respectively. +FreeBSD also provides initialization devices ([.filename]#/dev/ttyuN.init# and [.filename]#/dev/cuauN.init# or [.filename]#/dev/cuadN.init#) and locking devices ([.filename]#/dev/ttyuN.lock# and [.filename]#/dev/cuauN.lock# or [.filename]#/dev/cuadN.lock#). +The initialization devices are used to initialize communications port parameters each time a port is opened, such as `crtscts` for modems which use `RTS/CTS` signaling for flow control. +The locking devices are used to lock flags on ports to prevent users or programs changing certain parameters. +Refer to man:termios[4], man:sio[4], and man:stty[1] for information on terminal settings, locking and initializing devices, and setting terminal options, respectively. [[serial-hw-config]] === Serial Port Configuration -By default, FreeBSD supports four serial ports which are commonly known as [.filename]#COM1#, [.filename]#COM2#, [.filename]#COM3#, and [.filename]#COM4#. FreeBSD also supports dumb multi-port serial interface cards, such as the BocaBoard 1008 and 2016, as well as more intelligent multi-port cards such as those made by Digiboard. However, the default kernel only looks for the standard [.filename]#COM# ports. +By default, FreeBSD supports four serial ports which are commonly known as [.filename]#COM1#, [.filename]#COM2#, [.filename]#COM3#, and [.filename]#COM4#. +FreeBSD also supports dumb multi-port serial interface cards, such as the BocaBoard 1008 and 2016, as well as more intelligent multi-port cards such as those made by Digiboard. +However, the default kernel only looks for the standard [.filename]#COM# ports. To see if the system recognizes the serial ports, look for system boot messages that start with `uart`: @@ -348,23 +376,33 @@ To see if the system recognizes the serial ports, look for system boot messages # grep uart /var/run/dmesg.boot .... -If the system does not recognize all of the needed serial ports, additional entries can be added to [.filename]#/boot/device.hints#. This file already contains `hint.uart.0.\*` entries for [.filename]#COM1# and `hint.uart.1.*` entries for [.filename]#COM2#. When adding a port entry for [.filename]#COM3# use `0x3E8`, and for [.filename]#COM4# use `0x2E8`. Common IRQ addresses are `5` for [.filename]#COM3# and `9` for [.filename]#COM4#. +If the system does not recognize all of the needed serial ports, additional entries can be added to [.filename]#/boot/device.hints#. +This file already contains `hint.uart.0.\*` entries for [.filename]#COM1# and `hint.uart.1.*` entries for [.filename]#COM2#. +When adding a port entry for [.filename]#COM3# use `0x3E8`, and for [.filename]#COM4# use `0x2E8`. +Common IRQ addresses are `5` for [.filename]#COM3# and `9` for [.filename]#COM4#. -To determine the default set of terminal I/O settings used by the port, specify its device name. This example determines the settings for the call-in port on [.filename]#COM2#: +To determine the default set of terminal I/O settings used by the port, specify its device name. +This example determines the settings for the call-in port on [.filename]#COM2#: [source,shell] .... # stty -a -f /dev/ttyu1 .... -System-wide initialization of serial devices is controlled by [.filename]#/etc/rc.d/serial#. This file affects the default settings of serial devices. To change the settings for a device, use `stty`. By default, the changed settings are in effect until the device is closed and when the device is reopened, it goes back to the default set. To permanently change the default set, open and adjust the settings of the initialization device. For example, to turn on `CLOCAL` mode, 8 bit communication, and `XON/XOFF` flow control for [.filename]#ttyu5#, type: +System-wide initialization of serial devices is controlled by [.filename]#/etc/rc.d/serial#. +This file affects the default settings of serial devices. +To change the settings for a device, use `stty`. +By default, the changed settings are in effect until the device is closed and when the device is reopened, it goes back to the default set. +To permanently change the default set, open and adjust the settings of the initialization device. +For example, to turn on `CLOCAL` mode, 8 bit communication, and `XON/XOFF` flow control for [.filename]#ttyu5#, type: [source,shell] .... # stty -f /dev/ttyu5.init clocal cs8 ixon ixoff .... -To prevent certain settings from being changed by an application, make adjustments to the locking device. For example, to lock the speed of [.filename]#ttyu5# to 57600 bps, type: +To prevent certain settings from being changed by an application, make adjustments to the locking device. +For example, to lock the speed of [.filename]#ttyu5# to 57600 bps, type: [source,shell] .... @@ -376,27 +414,37 @@ Now, any application that opens [.filename]#ttyu5# and tries to change the speed [[term]] == Terminals -Terminals provide a convenient and low-cost way to access a FreeBSD system when not at the computer's console or on a connected network. This section describes how to use terminals with FreeBSD. +Terminals provide a convenient and low-cost way to access a FreeBSD system when not at the computer's console or on a connected network. +This section describes how to use terminals with FreeBSD. -The original UNIX(R) systems did not have consoles. Instead, users logged in and ran programs through terminals that were connected to the computer's serial ports. +The original UNIX(R) systems did not have consoles. +Instead, users logged in and ran programs through terminals that were connected to the computer's serial ports. -The ability to establish a login session on a serial port still exists in nearly every UNIX(R)-like operating system today, including FreeBSD. By using a terminal attached to an unused serial port, a user can log in and run any text program that can normally be run on the console or in an `xterm` window. +The ability to establish a login session on a serial port still exists in nearly every UNIX(R)-like operating system today, including FreeBSD. +By using a terminal attached to an unused serial port, a user can log in and run any text program that can normally be run on the console or in an `xterm` window. -Many terminals can be attached to a FreeBSD system. An older spare computer can be used as a terminal wired into a more powerful computer running FreeBSD. This can turn what might otherwise be a single-user computer into a powerful multiple-user system. +Many terminals can be attached to a FreeBSD system. +An older spare computer can be used as a terminal wired into a more powerful computer running FreeBSD. +This can turn what might otherwise be a single-user computer into a powerful multiple-user system. FreeBSD supports three types of terminals: Dumb terminals:: -Dumb terminals are specialized hardware that connect to computers over serial lines. They are called "dumb" because they have only enough computational power to display, send, and receive text. No programs can be run on these devices. Instead, dumb terminals connect to a computer that runs the needed programs. +Dumb terminals are specialized hardware that connect to computers over serial lines. +They are called "dumb" because they have only enough computational power to display, send, and receive text. +No programs can be run on these devices. Instead, dumb terminals connect to a computer that runs the needed programs. + -There are hundreds of kinds of dumb terminals made by many manufacturers, and just about any kind will work with FreeBSD. Some high-end terminals can even display graphics, but only certain software packages can take advantage of these advanced features. +There are hundreds of kinds of dumb terminals made by many manufacturers, and just about any kind will work with FreeBSD. +Some high-end terminals can even display graphics, but only certain software packages can take advantage of these advanced features. + Dumb terminals are popular in work environments where workers do not need access to graphical applications. Computers Acting as Terminals:: -Since a dumb terminal has just enough ability to display, send, and receive text, any spare computer can be a dumb terminal. All that is needed is the proper cable and some _terminal emulation_ software to run on the computer. +Since a dumb terminal has just enough ability to display, send, and receive text, any spare computer can be a dumb terminal. +All that is needed is the proper cable and some _terminal emulation_ software to run on the computer. + -This configuration can be useful. For example, if one user is busy working at the FreeBSD system's console, another user can do some text-only work at the same time from a less powerful personal computer hooked up as a terminal to the FreeBSD system. +This configuration can be useful. +For example, if one user is busy working at the FreeBSD system's console, another user can do some text-only work at the same time from a less powerful personal computer hooked up as a terminal to the FreeBSD system. + There are at least two utilities in the base-system of FreeBSD that can be used to work through a serial connection: man:cu[1] and man:tip[1]. + @@ -407,21 +455,31 @@ For example, to connect from a client system that runs FreeBSD to the serial con # cu -l /dev/cuauN .... + -Ports are numbered starting from zero. This means that [.filename]#COM1# is [.filename]#/dev/cuau0#. +Ports are numbered starting from zero. +This means that [.filename]#COM1# is [.filename]#/dev/cuau0#. + Additional programs are available through the Ports Collection, such as package:comms/minicom[]. X Terminals:: -X terminals are the most sophisticated kind of terminal available. Instead of connecting to a serial port, they usually connect to a network like Ethernet. Instead of being relegated to text-only applications, they can display any Xorg application. +X terminals are the most sophisticated kind of terminal available. +Instead of connecting to a serial port, they usually connect to a network like Ethernet. +Instead of being relegated to text-only applications, they can display any Xorg application. + This chapter does not cover the setup, configuration, or use of X terminals. [[term-config]] === Terminal Configuration -This section describes how to configure a FreeBSD system to enable a login session on a serial terminal. It assumes that the system recognizes the serial port to which the terminal is connected and that the terminal is connected with the correct cable. +This section describes how to configure a FreeBSD system to enable a login session on a serial terminal. +It assumes that the system recognizes the serial port to which the terminal is connected and that the terminal is connected with the correct cable. -In FreeBSD, `init` reads [.filename]#/etc/ttys# and starts a `getty` process on the available terminals. The `getty` process is responsible for reading a login name and starting the `login` program. The ports on the FreeBSD system which allow logins are listed in [.filename]#/etc/ttys#. For example, the first virtual console, [.filename]#ttyv0#, has an entry in this file, allowing logins on the console. This file also contains entries for the other virtual consoles, serial ports, and pseudo-ttys. For a hardwired terminal, the serial port's [.filename]#/dev# entry is listed without the `/dev` part. For example, [.filename]#/dev/ttyv0# is listed as `ttyv0`. +In FreeBSD, `init` reads [.filename]#/etc/ttys# and starts a `getty` process on the available terminals. +The `getty` process is responsible for reading a login name and starting the `login` program. +The ports on the FreeBSD system which allow logins are listed in [.filename]#/etc/ttys#. +For example, the first virtual console, [.filename]#ttyv0#, has an entry in this file, allowing logins on the console. +This file also contains entries for the other virtual consoles, serial ports, and pseudo-ttys. +For a hardwired terminal, the serial port's [.filename]#/dev# entry is listed without the `/dev` part. +For example, [.filename]#/dev/ttyv0# is listed as `ttyv0`. The default [.filename]#/etc/ttys# configures support for the first four serial ports, [.filename]#ttyu0# through [.filename]#ttyu3#: @@ -433,9 +491,13 @@ ttyu2 "/usr/libexec/getty std.9600" dialup off secure ttyu3 "/usr/libexec/getty std.9600" dialup off secure .... -When attaching a terminal to one of those ports, modify the default entry to set the required speed and terminal type, to turn the device `on` and, if needed, to change the port's `secure` setting. If the terminal is connected to another port, add an entry for the port. +When attaching a terminal to one of those ports, modify the default entry to set the required speed and terminal type, to turn the device `on` and, if needed, to change the port's `secure` setting. +If the terminal is connected to another port, add an entry for the port. -<<ex-etc-ttys>> configures two terminals in [.filename]#/etc/ttys#. The first entry configures a Wyse-50 connected to [.filename]#COM2#. The second entry configures an old computer running Procomm terminal software emulating a VT-100 terminal. The computer is connected to the sixth serial port on a multi-port serial card. +<<ex-etc-ttys>> configures two terminals in [.filename]#/etc/ttys#. +The first entry configures a Wyse-50 connected to [.filename]#COM2#. +The second entry configures an old computer running Procomm terminal software emulating a VT-100 terminal. +The computer is connected to the sixth serial port on a multi-port serial card. [example] [[ex-etc-ttys]] @@ -450,13 +512,29 @@ ttyu5 "/usr/libexec/getty std.19200" vt100 on insecure The first field specifies the device name of the serial terminal. -The second field tells `getty` to initialize and open the line, set the line speed, prompt for a user name, and then execute the `login` program. The optional _getty type_ configures characteristics on the terminal line, like bps rate and parity. The available getty types are listed in [.filename]#/etc/gettytab#. In almost all cases, the getty types that start with `std` will work for hardwired terminals as these entries ignore parity. There is a `std` entry for each bps rate from 110 to 115200. Refer to man:gettytab[5] for more information.When setting the getty type, make sure to match the communications settings used by the terminal. For this example, the Wyse-50 uses no parity and connects at 38400 bps. The computer uses no parity and connects at 19200 bps. - -The third field is the type of terminal. For dial-up ports, `unknown` or `dialup` is typically used since users may dial up with practically any type of terminal or software. Since the terminal type does not change for hardwired terminals, a real terminal type from [.filename]#/etc/termcap# can be specified. For this example, the Wyse-50 uses the real terminal type while the computer running Procomm is set to emulate a VT-100. - -The fourth field specifies if the port should be enabled. To enable logins on this port, this field must be set to `on`. - -The final field is used to specify whether the port is secure. Marking a port as `secure` means that it is trusted enough to allow `root` to login from that port. Insecure ports do not allow `root` logins. On an insecure port, users must login from unprivileged accounts and then use `su` or a similar mechanism to gain superuser privileges, as described in crossref:basics[users-superuser,“The Superuser Account”]. For security reasons, it is recommended to change this setting to `insecure`. +The second field tells `getty` to initialize and open the line, set the line speed, prompt for a user name, and then execute the `login` program. +The optional _getty type_ configures characteristics on the terminal line, like bps rate and parity. +The available getty types are listed in [.filename]#/etc/gettytab#. +In almost all cases, the getty types that start with `std` will work for hardwired terminals as these entries ignore parity. +There is a `std` entry for each bps rate from 110 to 115200. +Refer to man:gettytab[5] for more information. +When setting the getty type, make sure to match the communications settings used by the terminal. +For this example, the Wyse-50 uses no parity and connects at 38400 bps. +The computer uses no parity and connects at 19200 bps. + +The third field is the type of terminal. +For dial-up ports, `unknown` or `dialup` is typically used since users may dial up with practically any type of terminal or software. +Since the terminal type does not change for hardwired terminals, a real terminal type from [.filename]#/etc/termcap# can be specified. +For this example, the Wyse-50 uses the real terminal type while the computer running Procomm is set to emulate a VT-100. + +The fourth field specifies if the port should be enabled. +To enable logins on this port, this field must be set to `on`. + +The final field is used to specify whether the port is secure. +Marking a port as `secure` means that it is trusted enough to allow `root` to login from that port. +Insecure ports do not allow `root` logins. +On an insecure port, users must login from unprivileged accounts and then use `su` or a similar mechanism to gain superuser privileges, as described in crossref:basics[users-superuser,“The Superuser Account”]. +For security reasons, it is recommended to change this setting to `insecure`. ==== After making any changes to [.filename]#/etc/ttys#, send a SIGHUP (hangup) signal to the `init` process to force it to re-read its configuration file: @@ -473,15 +551,21 @@ If everything is set up correctly, all cables are in place, and the terminals ar [[term-debug]] === Troubleshooting the Connection -Even with the most meticulous attention to detail, something could still go wrong while setting up a terminal. Here is a list of common symptoms and some suggested fixes. +Even with the most meticulous attention to detail, something could still go wrong while setting up a terminal. +Here is a list of common symptoms and some suggested fixes. -If no login prompt appears, make sure the terminal is plugged in and powered up. If it is a personal computer acting as a terminal, make sure it is running terminal emulation software on the correct serial port. +If no login prompt appears, make sure the terminal is plugged in and powered up. +If it is a personal computer acting as a terminal, make sure it is running terminal emulation software on the correct serial port. -Make sure the cable is connected firmly to both the terminal and the FreeBSD computer. Make sure it is the right kind of cable. +Make sure the cable is connected firmly to both the terminal and the FreeBSD computer. +Make sure it is the right kind of cable. -Make sure the terminal and FreeBSD agree on the bps rate and parity settings. For a video display terminal, make sure the contrast and brightness controls are turned up. If it is a printing terminal, make sure paper and ink are in good supply. +Make sure the terminal and FreeBSD agree on the bps rate and parity settings. +For a video display terminal, make sure the contrast and brightness controls are turned up. +If it is a printing terminal, make sure paper and ink are in good supply. -Use `ps` to make sure that a `getty` process is running and serving the terminal. For example, the following listing shows that a `getty` is running on the second serial port, [.filename]#ttyu1#, and is using the `std.38400` entry in [.filename]#/etc/gettytab#: +Use `ps` to make sure that a `getty` process is running and serving the terminal. +For example, the following listing shows that a `getty` is running on the second serial port, [.filename]#ttyu1#, and is using the `std.38400` entry in [.filename]#/etc/gettytab#: [source,shell] .... @@ -489,43 +573,77 @@ Use `ps` to make sure that a `getty` process is running and serving the terminal 22189 d1 Is+ 0:00.03 /usr/libexec/getty std.38400 ttyu1 .... -If no `getty` process is running, make sure the port is enabled in [.filename]#/etc/ttys#. Remember to run `kill -HUP 1` after modifying [.filename]#/etc/ttys#. +If no `getty` process is running, make sure the port is enabled in [.filename]#/etc/ttys#. +Remember to run `kill -HUP 1` after modifying [.filename]#/etc/ttys#. -If the `getty` process is running but the terminal still does not display a login prompt, or if it displays a prompt but will not accept typed input, the terminal or cable may not support hardware handshaking. Try changing the entry in [.filename]#/etc/ttys# from `std.38400` to `3wire.38400`, then run `kill -HUP 1` after modifying [.filename]#/etc/ttys#. The `3wire` entry is similar to `std`, but ignores hardware handshaking. The bps may also need to be reduced or software flow control enabled when using `3wire` to prevent buffer overflows. +If the `getty` process is running but the terminal still does not display a login prompt, or if it displays a prompt but will not accept typed input, the terminal or cable may not support hardware handshaking. +Try changing the entry in [.filename]#/etc/ttys# from `std.38400` to `3wire.38400`, then run `kill -HUP 1` after modifying [.filename]#/etc/ttys#. +The `3wire` entry is similar to `std`, but ignores hardware handshaking. +The bps may also need to be reduced or software flow control enabled when using `3wire` to prevent buffer overflows. -If garbage appears instead of a login prompt, make sure the terminal and FreeBSD agree on the bps rate and parity settings. Check the `getty` processes to make sure the correct _getty_ type is in use. If not, edit [.filename]#/etc/ttys# and run `kill -HUP 1`. +If garbage appears instead of a login prompt, make sure the terminal and FreeBSD agree on the bps rate and parity settings. +Check the `getty` processes to make sure the correct _getty_ type is in use. +If not, edit [.filename]#/etc/ttys# and run `kill -HUP 1`. If characters appear doubled and the password appears when typed, switch the terminal, or the terminal emulation software, from "half duplex" or "local echo" to "full duplex." [[dialup]] == Dial-in Service -Configuring a FreeBSD system for dial-in service is similar to configuring terminals, except that modems are used instead of terminal devices. FreeBSD supports both external and internal modems. +Configuring a FreeBSD system for dial-in service is similar to configuring terminals, except that modems are used instead of terminal devices. +FreeBSD supports both external and internal modems. External modems are more convenient because they often can be configured via parameters stored in non-volatile RAM and they usually provide lighted indicators that display the state of important RS-232 signals, indicating whether the modem is operating properly. -Internal modems usually lack non-volatile RAM, so their configuration may be limited to setting DIP switches. If the internal modem has any signal indicator lights, they are difficult to view when the system's cover is in place. +Internal modems usually lack non-volatile RAM, so their configuration may be limited to setting DIP switches. +If the internal modem has any signal indicator lights, they are difficult to view when the system's cover is in place. -When using an external modem, a proper cable is needed. A standard RS-232C serial cable should suffice. +When using an external modem, a proper cable is needed. +A standard RS-232C serial cable should suffice. -FreeBSD needs the RTS and CTS signals for flow control at speeds above 2400 bps, the CD signal to detect when a call has been answered or the line has been hung up, and the DTR signal to reset the modem after a session is complete. Some cables are wired without all of the needed signals, so if a login session does not go away when the line hangs up, there may be a problem with the cable. Refer to <<term-cables-null>> for more information about these signals. +FreeBSD needs the RTS and CTS signals for flow control at speeds above 2400 bps, the CD signal to detect when a call has been answered or the line has been hung up, and the DTR signal to reset the modem after a session is complete. +Some cables are wired without all of the needed signals, so if a login session does not go away when the line hangs up, there may be a problem with the cable. +Refer to <<term-cables-null>> for more information about these signals. -Like other UNIX(R)-like operating systems, FreeBSD uses the hardware signals to find out when a call has been answered or a line has been hung up and to hangup and reset the modem after a call. FreeBSD avoids sending commands to the modem or watching for status reports from the modem. +Like other UNIX(R)-like operating systems, FreeBSD uses the hardware signals to find out when a call has been answered or a line has been hung up and to hangup and reset the modem after a call. +FreeBSD avoids sending commands to the modem or watching for status reports from the modem. -FreeBSD supports the NS8250, NS16450, NS16550, and NS16550A-based RS-232C (CCITT V.24) communications interfaces. The 8250 and 16450 devices have single-character buffers. The 16550 device provides a 16-character buffer, which allows for better system performance. Bugs in plain 16550 devices prevent the use of the 16-character buffer, so use 16550A devices if possible. As single-character-buffer devices require more work by the operating system than the 16-character-buffer devices, 16550A-based serial interface cards are preferred. If the system has many active serial ports or will have a heavy load, 16550A-based cards are better for low-error-rate communications. +FreeBSD supports the NS8250, NS16450, NS16550, and NS16550A-based RS-232C (CCITT V.24) communications interfaces. +The 8250 and 16450 devices have single-character buffers. +The 16550 device provides a 16-character buffer, which allows for better system performance. +Bugs in plain 16550 devices prevent the use of the 16-character buffer, so use 16550A devices if possible. +As single-character-buffer devices require more work by the operating system than the 16-character-buffer devices, 16550A-based serial interface cards are preferred. +If the system has many active serial ports or will have a heavy load, 16550A-based cards are better for low-error-rate communications. The rest of this section demonstrates how to configure a modem to receive incoming connections, how to communicate with the modem, and offers some troubleshooting tips. [[dialup-ttys]] === Modem Configuration -As with terminals, `init` spawns a `getty` process for each configured serial port used for dial-in connections. When a user dials the modem's line and the modems connect, the "Carrier Detect" signal is reported by the modem. The kernel notices that the carrier has been detected and instructs `getty` to open the port and display a `login:` prompt at the specified initial line speed. In a typical configuration, if garbage characters are received, usually due to the modem's connection speed being different than the configured speed, `getty` tries adjusting the line speeds until it receives reasonable characters. After the user enters their login name, `getty` executes `login`, which completes the login process by asking for the user's password and then starting the user's shell. - -There are two schools of thought regarding dial-up modems. One configuration method is to set the modems and systems so that no matter at what speed a remote user dials in, the dial-in RS-232 interface runs at a locked speed. The benefit of this configuration is that the remote user always sees a system login prompt immediately. The downside is that the system does not know what a user's true data rate is, so full-screen programs like Emacs will not adjust their screen-painting methods to make their response better for slower connections. - -The second method is to configure the RS-232 interface to vary its speed based on the remote user's connection speed. As `getty` does not understand any particular modem's connection speed reporting, it gives a `login:` message at an initial speed and watches the characters that come back in response. If the user sees junk, they should press kbd:[Enter] until they see a recognizable prompt. If the data rates do not match, `getty` sees anything the user types as junk, tries the next speed, and gives the `login:` prompt again. This procedure normally only takes a keystroke or two before the user sees a good prompt. This login sequence does not look as clean as the locked-speed method, but a user on a low-speed connection should receive better interactive response from full-screen programs. - -When locking a modem's data communications rate at a particular speed, no changes to [.filename]#/etc/gettytab# should be needed. However, for a matching-speed configuration, additional entries may be required in order to define the speeds to use for the modem. This example configures a 14.4 Kbps modem with a top interface speed of 19.2 Kbps using 8-bit, no parity connections. It configures `getty` to start the communications rate for a V.32bis connection at 19.2 Kbps, then cycles through 9600 bps, 2400 bps, 1200 bps, 300 bps, and back to 19.2 Kbps. Communications rate cycling is implemented with the `nx=` (next table) capability. Each line uses a `tc=` (table continuation) entry to pick up the rest of the settings for a particular data rate. +As with terminals, `init` spawns a `getty` process for each configured serial port used for dial-in connections. +When a user dials the modem's line and the modems connect, the "Carrier Detect" signal is reported by the modem. +The kernel notices that the carrier has been detected and instructs `getty` to open the port and display a `login:` prompt at the specified initial line speed. +In a typical configuration, if garbage characters are received, usually due to the modem's connection speed being different than the configured speed, `getty` tries adjusting the line speeds until it receives reasonable characters. +After the user enters their login name, `getty` executes `login`, which completes the login process by asking for the user's password and then starting the user's shell. + +There are two schools of thought regarding dial-up modems. +One configuration method is to set the modems and systems so that no matter at what speed a remote user dials in, the dial-in RS-232 interface runs at a locked speed. +The benefit of this configuration is that the remote user always sees a system login prompt immediately. +The downside is that the system does not know what a user's true data rate is, so full-screen programs like Emacs will not adjust their screen-painting methods to make their response better for slower connections. + +The second method is to configure the RS-232 interface to vary its speed based on the remote user's connection speed. +As `getty` does not understand any particular modem's connection speed reporting, it gives a `login:` message at an initial speed and watches the characters that come back in response. +If the user sees junk, they should press kbd:[Enter] until they see a recognizable prompt. +If the data rates do not match, `getty` sees anything the user types as junk, tries the next speed, and gives the `login:` prompt again. +This procedure normally only takes a keystroke or two before the user sees a good prompt. +This login sequence does not look as clean as the locked-speed method, but a user on a low-speed connection should receive better interactive response from full-screen programs. + +When locking a modem's data communications rate at a particular speed, no changes to [.filename]#/etc/gettytab# should be needed. +However, for a matching-speed configuration, additional entries may be required in order to define the speeds to use for the modem. +This example configures a 14.4 Kbps modem with a top interface speed of 19.2 Kbps using 8-bit, no parity connections. +It configures `getty` to start the communications rate for a V.32bis connection at 19.2 Kbps, then cycles through 9600 bps, 2400 bps, 1200 bps, 300 bps, and back to 19.2 Kbps. +Communications rate cycling is implemented with the `nx=` (next table) capability. +Each line uses a `tc=` (table continuation) entry to pick up the rest of the settings for a particular data rate. [.programlisting] .... @@ -566,23 +684,27 @@ vq|VH57600|Very High Speed Modem at 57600,8-bit:\ For a slow CPU or a heavily loaded system without 16550A-based serial ports, this configuration may produce `sio` "silo" errors at 57.6 Kbps. -The configuration of [.filename]#/etc/ttys# is similar to <<ex-etc-ttys>>, but a different argument is passed to `getty` and `dialup` is used for the terminal type. Replace _xxx_ with the process `init` will run on the device: +The configuration of [.filename]#/etc/ttys# is similar to <<ex-etc-ttys>>, but a different argument is passed to `getty` and `dialup` is used for the terminal type. +Replace _xxx_ with the process `init` will run on the device: [.programlisting] .... ttyu0 "/usr/libexec/getty xxx" dialup on .... -The `dialup` terminal type can be changed. For example, setting `vt102` as the default terminal type allows users to use VT102 emulation on their remote systems. +The `dialup` terminal type can be changed. +For example, setting `vt102` as the default terminal type allows users to use VT102 emulation on their remote systems. -For a locked-speed configuration, specify the speed with a valid type listed in [.filename]#/etc/gettytab#. This example is for a modem whose port speed is locked at 19.2 Kbps: +For a locked-speed configuration, specify the speed with a valid type listed in [.filename]#/etc/gettytab#. +This example is for a modem whose port speed is locked at 19.2 Kbps: [.programlisting] .... ttyu0 "/usr/libexec/getty std.19200" dialup on .... -In a matching-speed configuration, the entry needs to reference the appropriate beginning "auto-baud" entry in [.filename]#/etc/gettytab#. To continue the example for a matching-speed modem that starts at 19.2 Kbps, use this entry: +In a matching-speed configuration, the entry needs to reference the appropriate beginning "auto-baud" entry in [.filename]#/etc/gettytab#. +To continue the example for a matching-speed modem that starts at 19.2 Kbps, use this entry: [.programlisting] .... @@ -596,7 +718,9 @@ After editing [.filename]#/etc/ttys#, wait until the modem is properly configure # kill -HUP 1 .... -High-speed modems, like V.32, V.32bis, and V.34 modems, use hardware (`RTS/CTS`) flow control. Use `stty` to set the hardware flow control flag for the modem port. This example sets the `crtscts` flag on [.filename]#COM2#'s dial-in and dial-out initialization devices: +High-speed modems, like V.32, V.32bis, and V.34 modems, use hardware (`RTS/CTS`) flow control. +Use `stty` to set the hardware flow control flag for the modem port. +This example sets the `crtscts` flag on [.filename]#COM2#'s dial-in and dial-out initialization devices: [source,shell] .... @@ -608,7 +732,9 @@ High-speed modems, like V.32, V.32bis, and V.34 modems, use hardware (`RTS/CTS`) This section provides a few tips for troubleshooting a dial-up modem that will not connect to a FreeBSD system. -Hook up the modem to the FreeBSD system and boot the system. If the modem has status indication lights, watch to see whether the modem's DTR indicator lights when the `login:` prompt appears on the system's console. If it lights up, that should mean that FreeBSD has started a `getty` process on the appropriate communications port and is waiting for the modem to accept a call. +Hook up the modem to the FreeBSD system and boot the system. +If the modem has status indication lights, watch to see whether the modem's DTR indicator lights when the `login:` prompt appears on the system's console. +If it lights up, that should mean that FreeBSD has started a `getty` process on the appropriate communications port and is waiting for the modem to accept a call. If the DTR indicator does not light, login to the FreeBSD system through the console and type `ps ax` to see if FreeBSD is running a `getty` process on the correct port: @@ -617,11 +743,17 @@ If the DTR indicator does not light, login to the FreeBSD system through the con 114 ?? I 0:00.10 /usr/libexec/getty V19200 ttyu0 .... -If the second column contains a `d0` instead of a `??` and the modem has not accepted a call yet, this means that `getty` has completed its open on the communications port. This could indicate a problem with the cabling or a misconfigured modem because `getty` should not be able to open the communications port until the carrier detect signal has been asserted by the modem. +If the second column contains a `d0` instead of a `??` and the modem has not accepted a call yet, this means that `getty` has completed its open on the communications port. +This could indicate a problem with the cabling or a misconfigured modem because `getty` should not be able to open the communications port until the carrier detect signal has been asserted by the modem. -If no `getty` processes are waiting to open the port, double-check that the entry for the port is correct in [.filename]#/etc/ttys#. Also, check [.filename]#/var/log/messages# to see if there are any log messages from `init` or `getty`. +If no `getty` processes are waiting to open the port, double-check that the entry for the port is correct in [.filename]#/etc/ttys#. +Also, check [.filename]#/var/log/messages# to see if there are any log messages from `init` or `getty`. -Next, try dialing into the system. Be sure to use 8 bits, no parity, and 1 stop bit on the remote system. If a prompt does not appear right away, or the prompt shows garbage, try pressing kbd:[Enter] about once per second. If there is still no `login:` prompt, try sending a `BREAK`. When using a high-speed modem, try dialing again after locking the dialing modem's interface speed. +Next, try dialing into the system. +Be sure to use 8 bits, no parity, and 1 stop bit on the remote system. +If a prompt does not appear right away, or the prompt shows garbage, try pressing kbd:[Enter] about once per second. +If there is still no `login:` prompt, try sending a `BREAK`. +When using a high-speed modem, try dialing again after locking the dialing modem's interface speed. If there is still no `login:` prompt, check [.filename]#/etc/gettytab# again and double-check that: @@ -629,37 +761,47 @@ If there is still no `login:` prompt, check [.filename]#/etc/gettytab# again and * Each `nx=` entry matches another [.filename]#gettytab# capability name. * Each `tc=` entry matches another [.filename]#gettytab# capability name. -If the modem on the FreeBSD system will not answer, make sure that the modem is configured to answer the phone when DTR is asserted. If the modem seems to be configured correctly, verify that the DTR line is asserted by checking the modem's indicator lights. +If the modem on the FreeBSD system will not answer, make sure that the modem is configured to answer the phone when DTR is asserted. +If the modem seems to be configured correctly, verify that the DTR line is asserted by checking the modem's indicator lights. If it still does not work, try sending an email to the {freebsd-questions} describing the modem and the problem. [[dialout]] == Dial-out Service -The following are tips for getting the host to connect over the modem to another computer. This is appropriate for establishing a terminal session with a remote host. +The following are tips for getting the host to connect over the modem to another computer. +This is appropriate for establishing a terminal session with a remote host. -This kind of connection can be helpful to get a file on the Internet if there are problems using PPP. If PPP is not working, use the terminal session to FTP the needed file. Then use zmodem to transfer it to the machine. +This kind of connection can be helpful to get a file on the Internet if there are problems using PPP. +If PPP is not working, use the terminal session to FTP the needed file. +Then use zmodem to transfer it to the machine. [[hayes-unsupported]] === Using a Stock Hayes Modem -A generic Hayes dialer is built into `tip`. Use `at=hayes` in [.filename]#/etc/remote#. +A generic Hayes dialer is built into `tip`. +Use `at=hayes` in [.filename]#/etc/remote#. -The Hayes driver is not smart enough to recognize some of the advanced features of newer modems messages like `BUSY`, `NO DIALTONE`, or `CONNECT 115200`. Turn those messages off when using `tip` with `ATX0&W`. +The Hayes driver is not smart enough to recognize some of the advanced features of newer modems messages like `BUSY`, `NO DIALTONE`, or `CONNECT 115200`. +Turn those messages off when using `tip` with `ATX0&W`. -The dial timeout for `tip` is 60 seconds. The modem should use something less, or else `tip` will think there is a communication problem. Try `ATS7=45&W`. +The dial timeout for `tip` is 60 seconds. +The modem should use something less, or else `tip` will think there is a communication problem. +Try `ATS7=45&W`. [[direct-at]] === Using `AT` Commands -Create a "direct" entry in [.filename]#/etc/remote#. For example, if the modem is hooked up to the first serial port, [.filename]#/dev/cuau0#, use the following line: +Create a "direct" entry in [.filename]#/etc/remote#. +For example, if the modem is hooked up to the first serial port, [.filename]#/dev/cuau0#, use the following line: [.programlisting] .... cuau0:dv=/dev/cuau0:br#19200:pa=none .... -Use the highest bps rate the modem supports in the `br` capability. Then, type `tip cuau0` to connect to the modem. +Use the highest bps rate the modem supports in the `br` capability. +Then, type `tip cuau0` to connect to the modem. Or, use `cu` as `root` with the following command: @@ -668,12 +810,14 @@ Or, use `cu` as `root` with the following command: # cu -lline -sspeed .... -_line_ is the serial port, such as [.filename]#/dev/cuau0#, and _speed_ is the speed, such as `57600`. When finished entering the AT commands, type `~.` to exit. +_line_ is the serial port, such as [.filename]#/dev/cuau0#, and _speed_ is the speed, such as `57600`. +When finished entering the AT commands, type `~.` to exit. [[gt-failure]] === The `@` Sign Does Not Work -The `@` sign in the phone number capability tells `tip` to look in [.filename]#/etc/phones# for a phone number. But, the `@` sign is also a special character in capability files like [.filename]#/etc/remote#, so it needs to be escaped with a backslash: +The `@` sign in the phone number capability tells `tip` to look in [.filename]#/etc/phones# for a phone number. +But, the `@` sign is also a special character in capability files like [.filename]#/etc/remote#, so it needs to be escaped with a backslash: [.programlisting] .... @@ -718,12 +862,15 @@ and type: [[set-bps]] === Setting the bps Rate -Put in an entry for `tip1200` or `cu1200`, but go ahead and use whatever bps rate is appropriate with the `br` capability. `tip` thinks a good default is 1200 bps which is why it looks for a `tip1200` entry. 1200 bps does not have to be used, though. +Put in an entry for `tip1200` or `cu1200`, but go ahead and use whatever bps rate is appropriate with the `br` capability. +`tip` thinks a good default is 1200 bps which is why it looks for a `tip1200` entry. +1200 bps does not have to be used, though. [[terminal-server]] === Accessing a Number of Hosts Through a Terminal Server -Rather than waiting until connected and typing `CONNECT _host_` each time, use ``tip``'s `cm` capability. For example, these entries in [.filename]#/etc/remote# will let you type `tip pain` or `tip muffin` to connect to the hosts `pain` or `muffin`, and `tip deep13` to connect to the terminal server. +Rather than waiting until connected and typing `CONNECT _host_` each time, use ``tip``'s `cm` capability. +For example, these entries in [.filename]#/etc/remote# will let you type `tip pain` or `tip muffin` to connect to the hosts `pain` or `muffin`, and `tip deep13` to connect to the terminal server. [.programlisting] .... @@ -760,14 +907,19 @@ big-university 5551113 big-university 5551114 .... -`tip` will try each number in the listed order, then give up. To keep retrying, run `tip` in a `while` loop. +`tip` will try each number in the listed order, then give up. +To keep retrying, run `tip` in a `while` loop. [[multi-controlp]] === Using the Force Character -kbd:[Ctrl+P] is the default "force" character, used to tell `tip` that the next character is literal data. The force character can be set to any other character with the `~s` escape, which means "set a variable." +kbd:[Ctrl+P] is the default "force" character, used to tell `tip` that the next character is literal data. +The force character can be set to any other character with the `~s` escape, which means "set a variable." -Type `~sforce=_single-char_` followed by a newline. _single-char_ is any single character. If _single-char_ is left out, then the force character is the null character, which is accessed by typing kbd:[Ctrl+2] or kbd:[Ctrl+Space]. A pretty good value for _single-char_ is kbd:[Shift+Ctrl+6], which is only used on some terminal servers. +Type `~sforce=_single-char_` followed by a newline. +_single-char_ is any single character. +If _single-char_ is left out, then the force character is the null character, which is accessed by typing kbd:[Ctrl+2] or kbd:[Ctrl+Space]. +A pretty good value for _single-char_ is kbd:[Shift+Ctrl+6], which is only used on some terminal servers. To change the force character, specify the following in [.filename]#~/.tiprc#: @@ -779,7 +931,9 @@ force=single-char [[uppercase]] === Upper Case Characters -This happens when kbd:[Ctrl+A] is pressed, which is ``tip``'s "raise character", specially designed for people with broken caps-lock keys. Use `~s` to set `raisechar` to something reasonable. It can be set to be the same as the force character, if neither feature is used. +This happens when kbd:[Ctrl+A] is pressed, which is ``tip``'s "raise character", specially designed for people with broken caps-lock keys. +Use `~s` to set `raisechar` to something reasonable. +It can be set to be the same as the force character, if neither feature is used. Here is a sample [.filename]#~/.tiprc# for Emacs users who need to type kbd:[Ctrl+2] and kbd:[Ctrl+A]: @@ -794,7 +948,8 @@ The `^^` is kbd:[Shift+Ctrl+6]. [[tip-filetransfer]] === File Transfers with `tip` -When talking to another UNIX(R)-like operating system, files can be sent and received using `~p` (put) and `~t` (take). These commands run `cat` and `echo` on the remote system to accept and send files. The syntax is: +When talking to another UNIX(R)-like operating system, files can be sent and received using `~p` (put) and `~t` (take). +These commands run `cat` and `echo` on the remote system to accept and send files. The syntax is: `~p` local-file [ remote-file ] `~t` remote-file [ local-file ] @@ -803,23 +958,29 @@ There is no error checking, so another protocol, like zmodem, should probably be [[zmodem-tip]] === Using zmodem with `tip`? -To receive files, start the sending program on the remote end. Then, type `~C rz` to begin receiving them locally. +To receive files, start the sending program on the remote end. +Then, type `~C rz` to begin receiving them locally. -To send files, start the receiving program on the remote end. Then, type `~C sz _files_` to send them to the remote system. +To send files, start the receiving program on the remote end. +Then, type `~C sz _files_` to send them to the remote system. [[serialconsole-setup]] == Setting Up the Serial Console -FreeBSD has the ability to boot a system with a dumb terminal on a serial port as a console. This configuration is useful for system administrators who wish to install FreeBSD on machines that have no keyboard or monitor attached, and developers who want to debug the kernel or device drivers. +FreeBSD has the ability to boot a system with a dumb terminal on a serial port as a console. +This configuration is useful for system administrators who wish to install FreeBSD on machines that have no keyboard or monitor attached, and developers who want to debug the kernel or device drivers. -As described in crossref:boot[boot,The FreeBSD Booting Process], FreeBSD employs a three stage bootstrap. The first two stages are in the boot block code which is stored at the beginning of the FreeBSD slice on the boot disk. The boot block then loads and runs the boot loader as the third stage code. +As described in crossref:boot[boot,The FreeBSD Booting Process], FreeBSD employs a three stage bootstrap. +The first two stages are in the boot block code which is stored at the beginning of the FreeBSD slice on the boot disk. +The boot block then loads and runs the boot loader as the third stage code. In order to set up booting from a serial console, the boot block code, the boot loader code, and the kernel need to be configured. [[serialconsole-howto-fast]] === Quick Serial Console Configuration -This section provides a fast overview of setting up the serial console. This procedure can be used when the dumb terminal is connected to [.filename]#COM1#. +This section provides a fast overview of setting up the serial console. +This procedure can be used when the dumb terminal is connected to [.filename]#COM1#. [.procedure] .Procedure: Configuring a Serial Console on [.filename]#COM1# @@ -845,51 +1006,76 @@ This section provides a more detailed explanation of the steps needed to setup a .Procedure: Configuring a Serial Console . Prepare a serial cable. + -Use either a null-modem cable or a standard serial cable and a null-modem adapter. See <<term-cables-null>> for a discussion on serial cables. +Use either a null-modem cable or a standard serial cable and a null-modem adapter. +See <<term-cables-null>> for a discussion on serial cables. . Unplug the keyboard. + -Many systems probe for the keyboard during the Power-On Self-Test (POST) and will generate an error if the keyboard is not detected. Some machines will refuse to boot until the keyboard is plugged in. +Many systems probe for the keyboard during the Power-On Self-Test (POST) and will generate an error if the keyboard is not detected. +Some machines will refuse to boot until the keyboard is plugged in. + If the computer complains about the error, but boots anyway, no further configuration is needed. + -If the computer refuses to boot without a keyboard attached, configure the BIOS so that it ignores this error. Consult the motherboard's manual for details on how to do this. +If the computer refuses to boot without a keyboard attached, configure the BIOS so that it ignores this error. +Consult the motherboard's manual for details on how to do this. + [TIP] ==== - -Try setting the keyboard to "Not installed" in the BIOS. This setting tells the BIOS not to probe for a keyboard at power-on so it should not complain if the keyboard is absent. If that option is not present in the BIOS, look for an "Halt on Error" option instead. Setting this to "All but Keyboard" or to "No Errors" will have the same effect. +Try setting the keyboard to "Not installed" in the BIOS. +This setting tells the BIOS not to probe for a keyboard at power-on so it should not complain if the keyboard is absent. +If that option is not present in the BIOS, look for an "Halt on Error" option instead. +Setting this to "All but Keyboard" or to "No Errors" will have the same effect. ==== + -If the system has a PS/2(R) mouse, unplug it as well. PS/2(R) mice share some hardware with the keyboard and leaving the mouse plugged in can fool the keyboard probe into thinking the keyboard is still there. +If the system has a PS/2(R) mouse, unplug it as well. +PS/2(R) mice share some hardware with the keyboard and leaving the mouse plugged in can fool the keyboard probe into thinking the keyboard is still there. + [NOTE] ==== -While most systems will boot without a keyboard, quite a few will not boot without a graphics adapter. Some systems can be configured to boot with no graphics adapter by changing the "graphics adapter" setting in the BIOS configuration to "Not installed". Other systems do not support this option and will refuse to boot if there is no display hardware in the system. With these machines, leave some kind of graphics card plugged in, even if it is just a junky mono board. A monitor does not need to be attached. +While most systems will boot without a keyboard, quite a few will not boot without a graphics adapter. +Some systems can be configured to boot with no graphics adapter by changing the "graphics adapter" setting in the BIOS configuration to "Not installed". +Other systems do not support this option and will refuse to boot if there is no display hardware in the system. +With these machines, leave some kind of graphics card plugged in, even if it is just a junky mono board. +A monitor does not need to be attached. ==== . Plug a dumb terminal, an old computer with a modem program, or the serial port on another UNIX(R) box into the serial port. . Add the appropriate `hint.sio.*` entries to [.filename]#/boot/device.hints# for the serial port. Some multi-port cards also require kernel configuration options. Refer to man:sio[4] for the required options and device hints for each supported serial port. . Create [.filename]#boot.config# in the root directory of the `a` partition on the boot drive. + -This file instructs the boot block code how to boot the system. In order to activate the serial console, one or more of the following options are needed. When using multiple options, include them all on the same line: +This file instructs the boot block code how to boot the system. +In order to activate the serial console, one or more of the following options are needed. +When using multiple options, include them all on the same line: + `-h`::: -Toggles between the internal and serial consoles. Use this to switch console devices. For instance, to boot from the internal (video) console, use `-h` to direct the boot loader and the kernel to use the serial port as its console device. Alternatively, to boot from the serial port, use `-h` to tell the boot loader and the kernel to use the video display as the console instead. +Toggles between the internal and serial consoles. +Use this to switch console devices. +For instance, to boot from the internal (video) console, use `-h` to direct the boot loader and the kernel to use the serial port as its console device. +Alternatively, to boot from the serial port, use `-h` to tell the boot loader and the kernel to use the video display as the console instead. `-D`::: -Toggles between the single and dual console configurations. In the single configuration, the console will be either the internal console (video display) or the serial port, depending on the state of `-h`. In the dual console configuration, both the video display and the serial port will become the console at the same time, regardless of the state of `-h`. However, the dual console configuration takes effect only while the boot block is running. Once the boot loader gets control, the console specified by `-h` becomes the only console. +Toggles between the single and dual console configurations. +In the single configuration, the console will be either the internal console (video display) or the serial port, depending on the state of `-h`. +In the dual console configuration, both the video display and the serial port will become the console at the same time, regardless of the state of `-h`. +However, the dual console configuration takes effect only while the boot block is running. +Once the boot loader gets control, the console specified by `-h` becomes the only console. `-P`::: Makes the boot block probe the keyboard. If no keyboard is found, the `-D` and `-h` options are automatically set. + [NOTE] ==== -Due to space constraints in the current version of the boot blocks, `-P` is capable of detecting extended keyboards only. Keyboards with less than 101 keys and without F11 and F12 keys may not be detected. Keyboards on some laptops may not be properly found because of this limitation. If this is the case, do not use `-P`. +Due to space constraints in the current version of the boot blocks, `-P` is capable of detecting extended keyboards only. +Keyboards with less than 101 keys and without F11 and F12 keys may not be detected. +Keyboards on some laptops may not be properly found because of this limitation. +If this is the case, do not use `-P`. ==== + -Use either `-P` to select the console automatically or `-h` to activate the serial console. Refer to man:boot[8] and man:boot.config[5] for more details. +Use either `-P` to select the console automatically or `-h` to activate the serial console. +Refer to man:boot[8] and man:boot.config[5] for more details. + -The options, except for `-P`, are passed to the boot loader. The boot loader will determine whether the internal video or the serial port should become the console by examining the state of `-h`. This means that if `-D` is specified but `-h` is not specified in [.filename]#/boot.config#, the serial port can be used as the console only during the boot block as the boot loader will use the internal video display as the console. +The options, except for `-P`, are passed to the boot loader. +The boot loader will determine whether the internal video or the serial port should become the console by examining the state of `-h`. +This means that if `-D` is specified but `-h` is not specified in [.filename]#/boot.config#, the serial port can be used as the console only during the boot block as the boot loader will use the internal video display as the console. . Boot the machine. + When FreeBSD starts, the boot blocks echo the contents of [.filename]#/boot.config# to the console. For example: @@ -900,7 +1086,8 @@ When FreeBSD starts, the boot blocks echo the contents of [.filename]#/boot.conf Keyboard: no .... + -The second line appears only if `-P` is in [.filename]#/boot.config# and indicates the presence or absence of the keyboard. These messages go to either the serial or internal console, or both, depending on the option in [.filename]#/boot.config#: +The second line appears only if `-P` is in [.filename]#/boot.config# and indicates the presence or absence of the keyboard. +These messages go to either the serial or internal console, or both, depending on the option in [.filename]#/boot.config#: + [.informaltable] [cols="1,1", frame="none", options="header"] @@ -927,9 +1114,11 @@ The second line appears only if `-P` is in [.filename]#/boot.config# and indicat |serial console |=== + -After the message, there will be a small pause before the boot blocks continue loading the boot loader and before any further messages are printed to the console. Under normal circumstances, there is no need to interrupt the boot blocks, but one can do so in order to make sure things are set up correctly. +After the message, there will be a small pause before the boot blocks continue loading the boot loader and before any further messages are printed to the console. +Under normal circumstances, there is no need to interrupt the boot blocks, but one can do so in order to make sure things are set up correctly. + -Press any key, other than kbd:[Enter], at the console to interrupt the boot process. The boot blocks will then prompt for further action: +Press any key, other than kbd:[Enter], at the console to interrupt the boot process. +The boot blocks will then prompt for further action: + [source,shell] .... @@ -938,11 +1127,15 @@ Default: 0:ad(0,a)/boot/loader boot: .... + -Verify that the above message appears on either the serial or internal console, or both, according to the options in [.filename]#/boot.config#. If the message appears in the correct console, press kbd:[Enter] to continue the boot process. +Verify that the above message appears on either the serial or internal console, or both, according to the options in [.filename]#/boot.config#. +If the message appears in the correct console, press kbd:[Enter] to continue the boot process. + -If there is no prompt on the serial terminal, something is wrong with the settings. Enter `-h` then kbd:[Enter] or kbd:[Return] to tell the boot block (and then the boot loader and the kernel) to choose the serial port for the console. Once the system is up, go back and check what went wrong. +If there is no prompt on the serial terminal, something is wrong with the settings. +Enter `-h` then kbd:[Enter] or kbd:[Return] to tell the boot block (and then the boot loader and the kernel) to choose the serial port for the console. +Once the system is up, go back and check what went wrong. -During the third stage of the boot process, one can still switch between the internal console and the serial console by setting appropriate environment variables in the boot loader. See man:loader[8] for more information. +During the third stage of the boot process, one can still switch between the internal console and the serial console by setting appropriate environment variables in the boot loader. +See man:loader[8] for more information. [NOTE] ==== @@ -955,22 +1148,26 @@ console="comconsole" That line should be the first line of [.filename]#/boot/loader.conf# so that boot messages are displayed on the serial console as early as possible. -If that line does not exist, or if it is set to `console="vidconsole"`, the boot loader and the kernel will use whichever console is indicated by `-h` in the boot block. See man:loader.conf[5] for more information. +If that line does not exist, or if it is set to `console="vidconsole"`, the boot loader and the kernel will use whichever console is indicated by `-h` in the boot block. +See man:loader.conf[5] for more information. At the moment, the boot loader has no option equivalent to `-P` in the boot block, and there is no provision to automatically select the internal console and the serial console based on the presence of the keyboard. ==== [TIP] ==== - -While it is not required, it is possible to provide a `login` prompt over the serial line. To configure this, edit the entry for the serial port in [.filename]#/etc/ttys# using the instructions in <<term-config>>. If the speed of the serial port has been changed, change `std.9600` to match the new setting. +While it is not required, it is possible to provide a `login` prompt over the serial line. +To configure this, edit the entry for the serial port in [.filename]#/etc/ttys# using the instructions in <<term-config>>. +If the speed of the serial port has been changed, change `std.9600` to match the new setting. ==== === Setting a Faster Serial Port Speed -By default, the serial port settings are 9600 baud, 8 bits, no parity, and 1 stop bit. To change the default console speed, use one of the following options: +By default, the serial port settings are 9600 baud, 8 bits, no parity, and 1 stop bit. +To change the default console speed, use one of the following options: -* Edit [.filename]#/etc/make.conf# and set `BOOT_COMCONSOLE_SPEED` to the new console speed. Then, recompile and install the boot blocks and the boot loader: +* Edit [.filename]#/etc/make.conf# and set `BOOT_COMCONSOLE_SPEED` to the new console speed. +Then, recompile and install the boot blocks and the boot loader: + [source,shell] .... @@ -1001,7 +1198,9 @@ console="comconsole,vidconsole" [[serialconsole-ddb]] === Entering the DDB Debugger from the Serial Line -To configure the ability to drop into the kernel debugger from the serial console, add the following options to a custom kernel configuration file and compile the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. Note that while this is useful for remote diagnostics, it is also dangerous if a spurious BREAK is generated on the serial port. Refer to man:ddb[4] and man:ddb[8] for more information about the kernel debugger. +To configure the ability to drop into the kernel debugger from the serial console, add the following options to a custom kernel configuration file and compile the kernel using the instructions in crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. +Note that while this is useful for remote diagnostics, it is also dangerous if a spurious BREAK is generated on the serial port. +Refer to man:ddb[4] and man:ddb[8] for more information about the kernel debugger. [.programlisting] .... diff --git a/documentation/content/en/books/handbook/usb-device-mode/_index.adoc b/documentation/content/en/books/handbook/usb-device-mode/_index.adoc index db33445835..e3e454056a 100644 --- a/documentation/content/en/books/handbook/usb-device-mode/_index.adoc +++ b/documentation/content/en/books/handbook/usb-device-mode/_index.adoc @@ -46,15 +46,28 @@ toc::[] [[usb-device-mode-synopsis]] == Synopsis -This chapter covers the use of USB Device Mode and USB On The Go (USB OTG) in FreeBSD. This includes virtual serial consoles, virtual network interfaces, and virtual USB drives. +This chapter covers the use of USB Device Mode and USB On The Go (USB OTG) in FreeBSD. +This includes virtual serial consoles, virtual network interfaces, and virtual USB drives. -When running on hardware that supports USB device mode or USB OTG, like that built into many embedded boards, the FreeBSD USB stack can run in _device mode_. Device mode makes it possible for the computer to present itself as different kinds of USB device classes, including serial ports, network adapters, and mass storage, or a combination thereof. A USB host like a laptop or desktop computer is able to access them just like physical USB devices. Device mode is sometimes called the "USB gadget mode". +When running on hardware that supports USB device mode or USB OTG, like that built into many embedded boards, the FreeBSD USB stack can run in _device mode_. +Device mode makes it possible for the computer to present itself as different kinds of USB device classes, including serial ports, network adapters, and mass storage, or a combination thereof. +A USB host like a laptop or desktop computer is able to access them just like physical USB devices. +Device mode is sometimes called the "USB gadget mode". -There are two basic ways the hardware can provide the device mode functionality: with a separate "client port", which only supports the device mode, and with a USB OTG port, which can provide both device and host mode. For USB OTG ports, the USB stack switches between host-side and device-side automatically, depending on what is connected to the port. Connecting a USB device like a memory stick to the port causes FreeBSD to switch to host mode. Connecting a USB host like a computer causes FreeBSD to switch to device mode. Single purpose "client ports" always work in device mode. +There are two basic ways the hardware can provide the device mode functionality: with a separate "client port", which only supports the device mode, and with a USB OTG port, which can provide both device and host mode. +For USB OTG ports, the USB stack switches between host-side and device-side automatically, depending on what is connected to the port. +Connecting a USB device like a memory stick to the port causes FreeBSD to switch to host mode. +Connecting a USB host like a computer causes FreeBSD to switch to device mode. +Single purpose "client ports" always work in device mode. -What FreeBSD presents to the USB host depends on the `hw.usb.template` sysctl. Some templates provide a single device, such as a serial terminal; others provide multiple ones, which can all be used at the same time. An example is the template 10, which provides a mass storage device, a serial console, and a network interface. See man:usb_template[4] for the list of available values. +What FreeBSD presents to the USB host depends on the `hw.usb.template` sysctl. +Some templates provide a single device, such as a serial terminal; others provide multiple ones, which can all be used at the same time. +An example is the template 10, which provides a mass storage device, a serial console, and a network interface. +See man:usb_template[4] for the list of available values. -Note that in some cases, depending on the hardware and the hosts operating system, for the host to notice the configuration change, it must be either physically disconnected and reconnected, or forced to rescan the USB bus in a system-specific way. When FreeBSD is running on the host, man:usbconfig[8] `reset` can be used. This also must be done after loading [.filename]#usb_template.ko# if the USB host was already connected to the USBOTG socket. +Note that in some cases, depending on the hardware and the hosts operating system, for the host to notice the configuration change, it must be either physically disconnected and reconnected, or forced to rescan the USB bus in a system-specific way. +When FreeBSD is running on the host, man:usbconfig[8] `reset` can be used. +This also must be done after loading [.filename]#usb_template.ko# if the USB host was already connected to the USBOTG socket. After reading this chapter, you will know: @@ -69,7 +82,10 @@ After reading this chapter, you will know: === Configuring USB Device Mode Serial Ports -Virtual serial port support is provided by templates number 3, 8, and 10. Note that template 3 works with Microsoft Windows 10 without the need for special drivers and INF files. Other host operating systems work with all three templates. Both man:usb_template[4] and man:umodem[4] kernel modules must be loaded. +Virtual serial port support is provided by templates number 3, 8, and 10. +Note that template 3 works with Microsoft Windows 10 without the need for special drivers and INF files. +Other host operating systems work with all three templates. +Both man:usb_template[4] and man:umodem[4] kernel modules must be loaded. To enable USB device mode serial ports, add those lines to [.filename]#/etc/ttys#: @@ -117,7 +133,10 @@ To load the module and set the template without rebooting use: === Connecting to USB Device Mode Serial Ports from FreeBSD -To connect to a board configured to provide USB device mode serial ports, connect the USB host, such as a laptop, to the boards USB OTG or USB client port. Use `pstat -t` on the host to list the terminal lines. Near the end of the list you should see a USB serial port, eg "ttyU0". To open the connection, use: +To connect to a board configured to provide USB device mode serial ports, connect the USB host, such as a laptop, to the boards USB OTG or USB client port. +Use `pstat -t` on the host to list the terminal lines. +Near the end of the list you should see a USB serial port, eg "ttyU0". +To open the connection, use: [source,shell] .... @@ -128,7 +147,8 @@ After pressing the kbd:[Enter] key a few times you will see a login prompt. === Connecting to USB Device Mode Serial Ports from macOS -To connect to a board configured to provide USB device mode serial ports, connect the USB host, such as a laptop, to the boards USB OTG or USB client port. To open the connection, use: +To connect to a board configured to provide USB device mode serial ports, connect the USB host, such as a laptop, to the boards USB OTG or USB client port. +To open the connection, use: [source,shell] .... @@ -137,7 +157,8 @@ To connect to a board configured to provide USB device mode serial ports, connec === Connecting to USB Device Mode Serial Ports from Linux -To connect to a board configured to provide USB device mode serial ports, connect the USB host, such as a laptop, to the boards USB OTG or USB client port. To open the connection, use: +To connect to a board configured to provide USB device mode serial ports, connect the USB host, such as a laptop, to the boards USB OTG or USB client port. +To open the connection, use: [source,shell] .... @@ -146,12 +167,20 @@ To connect to a board configured to provide USB device mode serial ports, connec === Connecting to USB Device Mode Serial Ports from Microsoft Windows 10 -To connect to a board configured to provide USB device mode serial ports, connect the USB host, such as a laptop, to the boards USB OTG or USB client port. To open a connection you will need a serial terminal program, such as PuTTY. To check the COM port name used by Windows, run Device Manager, expand "Ports (COM & LPT)". You will see a name similar to "USB Serial Device (COM4)". Run serial terminal program of your choice, for example PuTTY. In the PuTTY dialog set "Connection type" to "Serial", type the COMx obtained from Device Manager in the "Serial line" dialog box and click Open. +To connect to a board configured to provide USB device mode serial ports, connect the USB host, such as a laptop, to the boards USB OTG or USB client port. +To open a connection you will need a serial terminal program, such as PuTTY. +To check the COM port name used by Windows, run Device Manager, expand "Ports (COM & LPT)". +You will see a name similar to "USB Serial Device (COM4)". +Run serial terminal program of your choice, for example PuTTY. +In the PuTTY dialog set "Connection type" to "Serial", type the COMx obtained from Device Manager in the "Serial line" dialog box and click Open. [[usb-device-mode-network]] == USB Device Mode Network Interfaces -Virtual network interfaces support is provided by templates number 1, 8, and 10. Note that none of them works with Microsoft Windows. Other host operating systems work with all three templates. Both man:usb_template[4] and man:if_cdce[4] kernel modules must be loaded. +Virtual network interfaces support is provided by templates number 1, 8, and 10. +Note that none of them works with Microsoft Windows. +Other host operating systems work with all three templates. +Both man:usb_template[4] and man:if_cdce[4] kernel modules must be loaded. Make sure the necessary modules are loaded and the correct template is set at boot by adding those lines to [.filename]#/boot/loader.conf#, creating it if it does not already exist: @@ -177,11 +206,15 @@ To load the module and set the template without rebooting use: The man:cfumass[4] driver is a USB device mode driver first available in FreeBSD 12.0. ==== -Mass Storage target is provided by templates 0 and 10. Both man:usb_template[4] and man:cfumass[4] kernel modules must be loaded. man:cfumass[4] interfaces to the CTL subsystem, the same one that is used for iSCSI or Fibre Channel targets. On the host side, USB Mass Storage initiators can only access a single LUN, LUN 0. +Mass Storage target is provided by templates 0 and 10. +Both man:usb_template[4] and man:cfumass[4] kernel modules must be loaded. +man:cfumass[4] interfaces to the CTL subsystem, the same one that is used for iSCSI or Fibre Channel targets. +On the host side, USB Mass Storage initiators can only access a single LUN, LUN 0. === Configuring USB Mass Storage Target Using the cfumass Startup Script -The simplest way to set up a read-only USB storage target is to use the [.filename]#cfumass# rc script. To configure it this way, copy the files to be presented to the USB host machine into the `/var/cfumass` directory, and add this line to [.filename]#/etc/rc.conf#: +The simplest way to set up a read-only USB storage target is to use the [.filename]#cfumass# rc script. +To configure it this way, copy the files to be presented to the USB host machine into the `/var/cfumass` directory, and add this line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -195,13 +228,20 @@ To configure the target without restarting, run this command: # service cfumass start .... -Differently from serial and network functionality, the template should not be set to 0 or 10 in [.filename]#/boot/loader.conf#. This is because the LUN must be set up before setting the template. The cfumass startup script sets the correct template number automatically when started. +Differently from serial and network functionality, the template should not be set to 0 or 10 in [.filename]#/boot/loader.conf#. +This is because the LUN must be set up before setting the template. +The cfumass startup script sets the correct template number automatically when started. === Configuring USB Mass Storage Using Other Means -The rest of this chapter provides detailed description of setting the target without using the cfumass rc file. This is necessary if eg one wants to provide a writeable LUN. +The rest of this chapter provides detailed description of setting the target without using the cfumass rc file. +This is necessary if eg one wants to provide a writeable LUN. -USB Mass Storage does not require the man:ctld[8] daemon to be running, although it can be used if desired. This is different from iSCSI. Thus, there are two ways to configure the target: man:ctladm[8], or man:ctld[8]. Both require the [.filename]#cfumass.ko# kernel module to be loaded. The module can be loaded manually: +USB Mass Storage does not require the man:ctld[8] daemon to be running, although it can be used if desired. +This is different from iSCSI. +Thus, there are two ways to configure the target: man:ctladm[8], or man:ctld[8]. +Both require the [.filename]#cfumass.ko# kernel module to be loaded. +The module can be loaded manually: [source,shell] .... @@ -222,11 +262,15 @@ A LUN can be created without the man:ctld[8] daemon: # ctladm create -b block -o file=/data/target0 .... -This presents the contents of the image file [.filename]#/data/target0# as a LUN to the USB host. The file must exist before executing the command. To configure the LUN at system startup, add the command to [.filename]#/etc/rc.local#. +This presents the contents of the image file [.filename]#/data/target0# as a LUN to the USB host. +The file must exist before executing the command. +To configure the LUN at system startup, add the command to [.filename]#/etc/rc.local#. -man:ctld[8] can also be used to manage LUNs. Create [.filename]#/etc/ctl.conf#, add a line to [.filename]#/etc/rc.conf# to make sure man:ctld[8] is automatically started at boot, and then start the daemon. +man:ctld[8] can also be used to manage LUNs. +Create [.filename]#/etc/ctl.conf#, add a line to [.filename]#/etc/rc.conf# to make sure man:ctld[8] is automatically started at boot, and then start the daemon. -This is an example of a simple [.filename]#/etc/ctl.conf# configuration file. Refer to man:ctl.conf[5] for a more complete description of the options. +This is an example of a simple [.filename]#/etc/ctl.conf# configuration file. +Refer to man:ctl.conf[5] for a more complete description of the options. [.programlisting] .... @@ -238,7 +282,11 @@ target naa.50015178f369f092 { } .... -The example creates a single target with a single LUN. The `naa.50015178f369f092` is a device identifier composed of 32 random hexadecimal digits. The `path` line defines the full path to a file or zvol backing the LUN. That file must exist before starting man:ctld[8]. The second line is optional and specifies the size of the LUN. +The example creates a single target with a single LUN. +The `naa.50015178f369f092` is a device identifier composed of 32 random hexadecimal digits. +The `path` line defines the full path to a file or zvol backing the LUN. +That file must exist before starting man:ctld[8]. +The second line is optional and specifies the size of the LUN. To make sure the man:ctld[8] daemon is started at boot, add this line to [.filename]#/etc/rc.conf#: @@ -254,7 +302,8 @@ To start man:ctld[8] now, run this command: # service ctld start .... -As the man:ctld[8] daemon is started, it reads [.filename]#/etc/ctl.conf#. If this file is edited after the daemon starts, reload the changes so they take effect immediately: +As the man:ctld[8] daemon is started, it reads [.filename]#/etc/ctl.conf#. +If this file is edited after the daemon starts, reload the changes so they take effect immediately: [source,shell] .... diff --git a/documentation/content/en/books/handbook/virtualization/_index.adoc b/documentation/content/en/books/handbook/virtualization/_index.adoc index 8d0aa08c7b..6966b6d53c 100644 --- a/documentation/content/en/books/handbook/virtualization/_index.adoc +++ b/documentation/content/en/books/handbook/virtualization/_index.adoc @@ -46,7 +46,8 @@ toc::[] [[virtualization-synopsis]] == Synopsis -Virtualization software allows multiple operating systems to run simultaneously on the same computer. Such software systems for PCs often involve a host operating system which runs the virtualization software and supports any number of guest operating systems. +Virtualization software allows multiple operating systems to run simultaneously on the same computer. +Such software systems for PCs often involve a host operating system which runs the virtualization software and supports any number of guest operating systems. After reading this chapter, you will know: @@ -66,16 +67,20 @@ Before reading this chapter, you should: [[virtualization-guest-parallels]] == FreeBSD as a Guest on Parallels for Mac OS(R) X -Parallels Desktop for Mac(R) is a commercial software product available for Intel(R) based Apple(R) Mac(R) computers running Mac OS(R) 10.4.6 or higher. FreeBSD is a fully supported guest operating system. Once Parallels has been installed on Mac OS(R) X, the user must configure a virtual machine and then install the desired guest operating system. +Parallels Desktop for Mac(R) is a commercial software product available for Intel(R) based Apple(R) Mac(R) computers running Mac OS(R) 10.4.6 or higher. +FreeBSD is a fully supported guest operating system. +Once Parallels has been installed on Mac OS(R) X, the user must configure a virtual machine and then install the desired guest operating system. [[virtualization-guest-parallels-install]] === Installing FreeBSD on Parallels/Mac OS(R) X -The first step in installing FreeBSD on Parallels is to create a new virtual machine for installing FreeBSD. Select [.guimenuitem]#FreeBSD# as the menu:Guest OS Type[] when prompted: +The first step in installing FreeBSD on Parallels is to create a new virtual machine for installing FreeBSD. +Select [.guimenuitem]#FreeBSD# as the menu:Guest OS Type[] when prompted: image::parallels-freebsd1.png[] -Choose a reasonable amount of disk and memory depending on the plans for this virtual FreeBSD instance. 4GB of disk space and 512MB of RAM work well for most uses of FreeBSD under Parallels: +Choose a reasonable amount of disk and memory depending on the plans for this virtual FreeBSD instance. +4GB of disk space and 512MB of RAM work well for most uses of FreeBSD under Parallels: image::parallels-freebsd2.png[] @@ -97,15 +102,21 @@ image::parallels-freebsd8.png[] image::parallels-freebsd9.png[] -After the FreeBSD virtual machine has been created, FreeBSD can be installed on it. This is best done with an official FreeBSD CD/DVD or with an ISO image downloaded from an official FTP site. Copy the appropriate ISO image to the local Mac(R) filesystem or insert a CD/DVD in the Mac(R)'s CD-ROM drive. Click on the disc icon in the bottom right corner of the FreeBSD Parallels window. This will bring up a window that can be used to associate the CD-ROM drive in the virtual machine with the ISO file on disk or with the real CD-ROM drive. +After the FreeBSD virtual machine has been created, FreeBSD can be installed on it. +This is best done with an official FreeBSD CD/DVD or with an ISO image downloaded from an official FTP site. +Copy the appropriate ISO image to the local Mac(R) filesystem or insert a CD/DVD in the Mac(R)'s CD-ROM drive. +Click on the disc icon in the bottom right corner of the FreeBSD Parallels window. +This will bring up a window that can be used to associate the CD-ROM drive in the virtual machine with the ISO file on disk or with the real CD-ROM drive. image::parallels-freebsd11.png[] -Once this association with the CD-ROM source has been made, reboot the FreeBSD virtual machine by clicking the reboot icon. Parallels will reboot with a special BIOS that first checks if there is a CD-ROM. +Once this association with the CD-ROM source has been made, reboot the FreeBSD virtual machine by clicking the reboot icon. +Parallels will reboot with a special BIOS that first checks if there is a CD-ROM. image::parallels-freebsd10.png[] -In this case it will find the FreeBSD installation media and begin a normal FreeBSD installation. Perform the installation, but do not attempt to configure Xorg at this time. +In this case it will find the FreeBSD installation media and begin a normal FreeBSD installation. +Perform the installation, but do not attempt to configure Xorg at this time. image::parallels-freebsd12.png[] @@ -121,30 +132,38 @@ After FreeBSD has been successfully installed on Mac OS(R) X with Parallels, the [.procedure] . Set Boot Loader Variables + -The most important step is to reduce the `kern.hz` tunable to reduce the CPU utilization of FreeBSD under the Parallels environment. This is accomplished by adding the following line to [.filename]#/boot/loader.conf#: +The most important step is to reduce the `kern.hz` tunable to reduce the CPU utilization of FreeBSD under the Parallels environment. +This is accomplished by adding the following line to [.filename]#/boot/loader.conf#: + [.programlisting] .... kern.hz=100 .... + -Without this setting, an idle FreeBSD Parallels guest will use roughly 15% of the CPU of a single processor iMac(R). After this change the usage will be closer to 5%. +Without this setting, an idle FreeBSD Parallels guest will use roughly 15% of the CPU of a single processor iMac(R). +After this change the usage will be closer to 5%. . Create a New Kernel Configuration File + -All of the SCSI, FireWire, and USB device drivers can be removed from a custom kernel configuration file. Parallels provides a virtual network adapter used by the man:ed[4] driver, so all network devices except for man:ed[4] and man:miibus[4] can be removed from the kernel. +All of the SCSI, FireWire, and USB device drivers can be removed from a custom kernel configuration file. +Parallels provides a virtual network adapter used by the man:ed[4] driver, so all network devices except for man:ed[4] and man:miibus[4] can be removed from the kernel. . Configure Networking + -The most basic networking setup uses DHCP to connect the virtual machine to the same local area network as the host Mac(R). This can be accomplished by adding `ifconfig_ed0="DHCP"` to [.filename]#/etc/rc.conf#. More advanced networking setups are described in crossref:advanced-networking[advanced-networking,Advanced Networking]. +The most basic networking setup uses DHCP to connect the virtual machine to the same local area network as the host Mac(R). +This can be accomplished by adding `ifconfig_ed0="DHCP"` to [.filename]#/etc/rc.conf#. +More advanced networking setups are described in crossref:advanced-networking[advanced-networking,Advanced Networking]. [[virtualization-guest-virtualpc]] == FreeBSD as a Guest on Virtual PC for Windows(R) -Virtual PC for Windows(R) is a Microsoft(R) software product available for free download. See this website for the http://www.microsoft.com/windows/downloads/virtualpc/sysreq.mspx[system requirements]. Once Virtual PC has been installed on Microsoft(R) Windows(R), the user can configure a virtual machine and then install the desired guest operating system. +Virtual PC for Windows(R) is a Microsoft(R) software product available for free download. +See this website for the http://www.microsoft.com/windows/downloads/virtualpc/sysreq.mspx[system requirements]. +Once Virtual PC has been installed on Microsoft(R) Windows(R), the user can configure a virtual machine and then install the desired guest operating system. [[virtualization-guest-virtualpc-install]] === Installing FreeBSD on Virtual PC -The first step in installing FreeBSD on Virtual PC is to create a new virtual machine for installing FreeBSD. Select [.guimenuitem]#Create a virtual machine# when prompted: +The first step in installing FreeBSD on Virtual PC is to create a new virtual machine for installing FreeBSD. +Select [.guimenuitem]#Create a virtual machine# when prompted: image::virtualpc-freebsd1.png[] @@ -154,7 +173,8 @@ Select [.guimenuitem]#Other# as the [.guimenuitem]#Operating system# when prompt image::virtualpc-freebsd3.png[] -Then, choose a reasonable amount of disk and memory depending on the plans for this virtual FreeBSD instance. 4GB of disk space and 512MB of RAM work well for most uses of FreeBSD under Virtual PC: +Then, choose a reasonable amount of disk and memory depending on the plans for this virtual FreeBSD instance. +4GB of disk space and 512MB of RAM work well for most uses of FreeBSD under Virtual PC: image::virtualpc-freebsd4.png[] @@ -170,21 +190,28 @@ image::virtualpc-freebsd7.png[] image::virtualpc-freebsd8.png[] -After the FreeBSD virtual machine has been created, FreeBSD can be installed on it. This is best done with an official FreeBSD CD/DVD or with an ISO image downloaded from an official FTP site. Copy the appropriate ISO image to the local Windows(R) filesystem or insert a CD/DVD in the CD drive, then double click on the FreeBSD virtual machine to boot. Then, click menu:CD[] and choose menu:Capture ISO Image...[] on the Virtual PC window. This will bring up a window where the CD-ROM drive in the virtual machine can be associated with an ISO file on disk or with the real CD-ROM drive. +After the FreeBSD virtual machine has been created, FreeBSD can be installed on it. +This is best done with an official FreeBSD CD/DVD or with an ISO image downloaded from an official FTP site. +Copy the appropriate ISO image to the local Windows(R) filesystem or insert a CD/DVD in the CD drive, then double click on the FreeBSD virtual machine to boot. +Then, click menu:CD[] and choose menu:Capture ISO Image...[] on the Virtual PC window. +This will bring up a window where the CD-ROM drive in the virtual machine can be associated with an ISO file on disk or with the real CD-ROM drive. image::virtualpc-freebsd9.png[] image::virtualpc-freebsd10.png[] -Once this association with the CD-ROM source has been made, reboot the FreeBSD virtual machine by clicking menu:Action[] and menu:Reset[]. Virtual PC will reboot with a special BIOS that first checks for a CD-ROM. +Once this association with the CD-ROM source has been made, reboot the FreeBSD virtual machine by clicking menu:Action[] and menu:Reset[]. +Virtual PC will reboot with a special BIOS that first checks for a CD-ROM. image::virtualpc-freebsd11.png[] -In this case it will find the FreeBSD installation media and begin a normal FreeBSD installation. Continue with the installation, but do not attempt to configure Xorg at this time. +In this case it will find the FreeBSD installation media and begin a normal FreeBSD installation. +Continue with the installation, but do not attempt to configure Xorg at this time. image::virtualpc-freebsd12.png[] -When the installation is finished, remember to eject the CD/DVD or release the ISO image. Finally, reboot into the newly installed FreeBSD virtual machine. +When the installation is finished, remember to eject the CD/DVD or release the ISO image. +Finally, reboot into the newly installed FreeBSD virtual machine. image::virtualpc-freebsd13.png[] @@ -196,34 +223,43 @@ After FreeBSD has been successfully installed on Microsoft(R) Windows(R) with Vi [.procedure] . Set Boot Loader Variables + -The most important step is to reduce the `kern.hz` tunable to reduce the CPU utilization of FreeBSD under the Virtual PC environment. This is accomplished by adding the following line to [.filename]#/boot/loader.conf#: +The most important step is to reduce the `kern.hz` tunable to reduce the CPU utilization of FreeBSD under the Virtual PC environment. +This is accomplished by adding the following line to [.filename]#/boot/loader.conf#: + [.programlisting] .... kern.hz=100 .... + -Without this setting, an idle FreeBSD Virtual PC guest OS will use roughly 40% of the CPU of a single processor computer. After this change, the usage will be closer to 3%. +Without this setting, an idle FreeBSD Virtual PC guest OS will use roughly 40% of the CPU of a single processor computer. +After this change, the usage will be closer to 3%. . Create a New Kernel Configuration File + -All of the SCSI, FireWire, and USB device drivers can be removed from a custom kernel configuration file. Virtual PC provides a virtual network adapter used by the man:de[4] driver, so all network devices except for man:de[4] and man:miibus[4] can be removed from the kernel. +All of the SCSI, FireWire, and USB device drivers can be removed from a custom kernel configuration file. +Virtual PC provides a virtual network adapter used by the man:de[4] driver, so all network devices except for man:de[4] and man:miibus[4] can be removed from the kernel. . Configure Networking + -The most basic networking setup uses DHCP to connect the virtual machine to the same local area network as the Microsoft(R) Windows(R) host. This can be accomplished by adding `ifconfig_de0="DHCP"` to [.filename]#/etc/rc.conf#. More advanced networking setups are described in crossref:advanced-networking[advanced-networking,Advanced Networking]. +The most basic networking setup uses DHCP to connect the virtual machine to the same local area network as the Microsoft(R) Windows(R) host. +This can be accomplished by adding `ifconfig_de0="DHCP"` to [.filename]#/etc/rc.conf#. +More advanced networking setups are described in crossref:advanced-networking[advanced-networking,Advanced Networking]. [[virtualization-guest-vmware]] == FreeBSD as a Guest on VMware Fusion for Mac OS(R) -VMware Fusion for Mac(R) is a commercial software product available for Intel(R) based Apple(R) Mac(R) computers running Mac OS(R) 10.4.9 or higher. FreeBSD is a fully supported guest operating system. Once VMware Fusion has been installed on Mac OS(R) X, the user can configure a virtual machine and then install the desired guest operating system. +VMware Fusion for Mac(R) is a commercial software product available for Intel(R) based Apple(R) Mac(R) computers running Mac OS(R) 10.4.9 or higher. +FreeBSD is a fully supported guest operating system. +Once VMware Fusion has been installed on Mac OS(R) X, the user can configure a virtual machine and then install the desired guest operating system. [[virtualization-guest-vmware-install]] === Installing FreeBSD on VMware Fusion -The first step is to start VMware Fusion which will load the Virtual Machine Library. Click [.guimenuitem]#New# to create the virtual machine: +The first step is to start VMware Fusion which will load the Virtual Machine Library. +Click [.guimenuitem]#New# to create the virtual machine: image::vmware-freebsd01.png[] -This will load the New Virtual Machine Assistant. Click [.guimenuitem]#Continue# to proceed: +This will load the New Virtual Machine Assistant. +Click [.guimenuitem]#Continue# to proceed: image::vmware-freebsd02.png[] @@ -264,11 +300,14 @@ The number of CPUs the virtual machine will have access to: image::vmware-freebsd10.png[] -The status of the CD-ROM device. Normally the CD/DVD/ISO is disconnected from the virtual machine when it is no longer needed. +The status of the CD-ROM device. +Normally the CD/DVD/ISO is disconnected from the virtual machine when it is no longer needed. image::vmware-freebsd11.png[] -The last thing to change is how the virtual machine will connect to the network. To allow connections to the virtual machine from other machines besides the host, choose [.guimenuitem]#Connect directly to the physical network (Bridged)#. Otherwise, [.guimenuitem]#Share the host's internet connection (NAT)# is preferred so that the virtual machine can have access to the Internet, but the network cannot access the virtual machine. +The last thing to change is how the virtual machine will connect to the network. +To allow connections to the virtual machine from other machines besides the host, choose [.guimenuitem]#Connect directly to the physical network (Bridged)#. +Otherwise, [.guimenuitem]#Share the host's internet connection (NAT)# is preferred so that the virtual machine can have access to the Internet, but the network cannot access the virtual machine. image::vmware-freebsd12.png[] @@ -282,25 +321,31 @@ After FreeBSD has been successfully installed on Mac OS(R) X with VMware Fusion, [.procedure] . Set Boot Loader Variables + -The most important step is to reduce the `kern.hz` tunable to reduce the CPU utilization of FreeBSD under the VMware Fusion environment. This is accomplished by adding the following line to [.filename]#/boot/loader.conf#: +The most important step is to reduce the `kern.hz` tunable to reduce the CPU utilization of FreeBSD under the VMware Fusion environment. +This is accomplished by adding the following line to [.filename]#/boot/loader.conf#: + [.programlisting] .... kern.hz=100 .... + -Without this setting, an idle FreeBSD VMware Fusion guest will use roughly 15% of the CPU of a single processor iMac(R). After this change, the usage will be closer to 5%. +Without this setting, an idle FreeBSD VMware Fusion guest will use roughly 15% of the CPU of a single processor iMac(R). +After this change, the usage will be closer to 5%. . Create a New Kernel Configuration File + -All of the FireWire, and USB device drivers can be removed from a custom kernel configuration file. VMware Fusion provides a virtual network adapter used by the man:em[4] driver, so all network devices except for man:em[4] can be removed from the kernel. +All of the FireWire, and USB device drivers can be removed from a custom kernel configuration file. +VMware Fusion provides a virtual network adapter used by the man:em[4] driver, so all network devices except for man:em[4] can be removed from the kernel. . Configure Networking + -The most basic networking setup uses DHCP to connect the virtual machine to the same local area network as the host Mac(R). This can be accomplished by adding `ifconfig_em0="DHCP"` to [.filename]#/etc/rc.conf#. More advanced networking setups are described in crossref:advanced-networking[advanced-networking,Advanced Networking]. +The most basic networking setup uses DHCP to connect the virtual machine to the same local area network as the host Mac(R). +This can be accomplished by adding `ifconfig_em0="DHCP"` to [.filename]#/etc/rc.conf#. +More advanced networking setups are described in crossref:advanced-networking[advanced-networking,Advanced Networking]. [[virtualization-guest-virtualbox]] == FreeBSD as a Guest on VirtualBox(TM) -FreeBSD works well as a guest in VirtualBox(TM). The virtualization software is available for most common operating systems, including FreeBSD itself. +FreeBSD works well as a guest in VirtualBox(TM). +The virtualization software is available for most common operating systems, including FreeBSD itself. The VirtualBox(TM) guest additions provide support for: @@ -315,7 +360,8 @@ The VirtualBox(TM) guest additions provide support for: These commands are run in the FreeBSD guest. ==== -First, install the package:emulators/virtualbox-ose-additions[] package or port in the FreeBSD guest. This will install the port: +First, install the package:emulators/virtualbox-ose-additions[] package or port in the FreeBSD guest. +This will install the port: [source,shell] .... @@ -337,7 +383,8 @@ If man:ntpd[8] or man:ntpdate[8] is used, disable host time synchronization: vboxservice_flags="--disable-timesync" .... -Xorg will automatically recognize the `vboxvideo` driver. It can also be manually entered in [.filename]#/etc/X11/xorg.conf#: +Xorg will automatically recognize the `vboxvideo` driver. +It can also be manually entered in [.filename]#/etc/X11/xorg.conf#: [.programlisting] .... @@ -397,14 +444,17 @@ HAL users should create the following [.filename]#/usr/local/etc/hal/fdi/policy/ </deviceinfo> .... -Shared folders for file transfers between host and VM are accessible by mounting them using `mount_vboxvfs`. A shared folder can be created on the host using the VirtualBox GUI or via `vboxmanage`. For example, to create a shared folder called _myshare_ under [.filename]#/mnt/bsdboxshare# for the VM named _BSDBox_, run: +Shared folders for file transfers between host and VM are accessible by mounting them using `mount_vboxvfs`. +A shared folder can be created on the host using the VirtualBox GUI or via `vboxmanage`. +For example, to create a shared folder called _myshare_ under [.filename]#/mnt/bsdboxshare# for the VM named _BSDBox_, run: [source,shell] .... # vboxmanage sharedfolder add 'BSDBox' --name myshare --hostpath /mnt/bsdboxshare .... -Note that the shared folder name must not contain spaces. Mount the shared folder from within the guest system like this: +Note that the shared folder name must not contain spaces. +Mount the shared folder from within the guest system like this: [source,shell] .... @@ -414,12 +464,18 @@ Note that the shared folder name must not contain spaces. Mount the shared folde [[virtualization-host-virtualbox]] == FreeBSD as a Host with VirtualBox(TM) -VirtualBox(TM) is an actively developed, complete virtualization package, that is available for most operating systems including Windows(R), Mac OS(R), Linux(R) and FreeBSD. It is equally capable of running Windows(R) or UNIX(R)-like guests. It is released as open source software, but with closed-source components available in a separate extension pack. These components include support for USB 2.0 devices. More information may be found on the http://www.virtualbox.org/wiki/Downloads[Downloads page of the VirtualBox(TM) wiki]. Currently, these extensions are not available for FreeBSD. +VirtualBox(TM) is an actively developed, complete virtualization package, that is available for most operating systems including Windows(R), Mac OS(R), Linux(R) and FreeBSD. +It is equally capable of running Windows(R) or UNIX(R)-like guests. +It is released as open source software, but with closed-source components available in a separate extension pack. +These components include support for USB 2.0 devices. +More information may be found on the http://www.virtualbox.org/wiki/Downloads[Downloads page of the VirtualBox(TM) wiki]. +Currently, these extensions are not available for FreeBSD. [[virtualization-virtualbox-install]] === Installing VirtualBox(TM) -VirtualBox(TM) is available as a FreeBSD package or port in package:emulators/virtualbox-ose[]. The port can be installed using these commands: +VirtualBox(TM) is available as a FreeBSD package or port in package:emulators/virtualbox-ose[]. +The port can be installed using these commands: [source,shell] .... @@ -427,9 +483,12 @@ VirtualBox(TM) is available as a FreeBSD package or port in package:emulators/vi # make install clean .... -One useful option in the port's configuration menu is the `GuestAdditions` suite of programs. These provide a number of useful features in guest operating systems, like mouse pointer integration (allowing the mouse to be shared between host and guest without the need to press a special keyboard shortcut to switch) and faster video rendering, especially in Windows(R) guests. The guest additions are available in the menu:Devices[] menu, after the installation of the guest is finished. +One useful option in the port's configuration menu is the `GuestAdditions` suite of programs. +These provide a number of useful features in guest operating systems, like mouse pointer integration (allowing the mouse to be shared between host and guest without the need to press a special keyboard shortcut to switch) and faster video rendering, especially in Windows(R) guests. +The guest additions are available in the menu:Devices[] menu, after the installation of the guest is finished. -A few configuration changes are needed before VirtualBox(TM) is started for the first time. The port installs a kernel module in [.filename]#/boot/modules# which must be loaded into the running kernel: +A few configuration changes are needed before VirtualBox(TM) is started for the first time. +The port installs a kernel module in [.filename]#/boot/modules# which must be loaded into the running kernel: [source,shell] .... @@ -450,7 +509,9 @@ To use the kernel modules that allow bridged or host-only networking, add this l vboxnet_enable="YES" .... -The `vboxusers` group is created during installation of VirtualBox(TM). All users that need access to VirtualBox(TM) will have to be added as members of this group. `pw` can be used to add new members: +The `vboxusers` group is created during installation of VirtualBox(TM). +All users that need access to VirtualBox(TM) will have to be added as members of this group. +`pw` can be used to add new members: [source,shell] .... @@ -480,12 +541,14 @@ To launch VirtualBox(TM), type from an Xorg session: % VirtualBox .... -For more information on configuring and using VirtualBox(TM), refer to the http://www.virtualbox.org[official website]. For FreeBSD-specific information and troubleshooting instructions, refer to the http://wiki.FreeBSD.org/VirtualBox[relevant page in the FreeBSD wiki]. +For more information on configuring and using VirtualBox(TM), refer to the http://www.virtualbox.org[official website]. +For FreeBSD-specific information and troubleshooting instructions, refer to the http://wiki.FreeBSD.org/VirtualBox[relevant page in the FreeBSD wiki]. [[virtualization-virtualbox-usb-support]] === VirtualBox(TM) USB Support -VirtualBox(TM) can be configured to pass USB devices through to the guest operating system. The host controller of the OSE version is limited to emulating USB 1.1 devices until the extension pack supporting USB 2.0 and 3.0 devices becomes available on FreeBSD. +VirtualBox(TM) can be configured to pass USB devices through to the guest operating system. +The host controller of the OSE version is limited to emulating USB 1.1 devices until the extension pack supporting USB 2.0 and 3.0 devices becomes available on FreeBSD. For VirtualBox(TM) to be aware of USB devices attached to the machine, the user needs to be a member of the `operator` group. @@ -521,7 +584,12 @@ Restart the login session and VirtualBox(TM) for these changes to take effect, a [[virtualization-virtualbox-host-dvd-cd-access]] === VirtualBox(TM) Host DVD/CD Access -Access to the host DVD/CD drives from guests is achieved through the sharing of the physical drives. Within VirtualBox(TM), this is set up from the Storage window in the Settings of the virtual machine. If needed, create an empty IDECD/DVD device first. Then choose the Host Drive from the popup menu for the virtual CD/DVD drive selection. A checkbox labeled `Passthrough` will appear. This allows the virtual machine to use the hardware directly. For example, audio CDs or the burner will only function if this option is selected. +Access to the host DVD/CD drives from guests is achieved through the sharing of the physical drives. +Within VirtualBox(TM), this is set up from the Storage window in the Settings of the virtual machine. +If needed, create an empty IDECD/DVD device first. +Then choose the Host Drive from the popup menu for the virtual CD/DVD drive selection. +A checkbox labeled `Passthrough` will appear. This allows the virtual machine to use the hardware directly. +For example, audio CDs or the burner will only function if this option is selected. HAL needs to run for VirtualBox(TM)DVD/CD functions to work, so enable it in [.filename]#/etc/rc.conf# and start it if it is not already running: @@ -535,7 +603,9 @@ hald_enable="YES" # service hald start .... -In order for users to be able to use VirtualBox(TM)DVD/CD functions, they need access to [.filename]#/dev/xpt0#, [.filename]#/dev/cdN#, and [.filename]#/dev/passN#. This is usually achieved by making the user a member of `operator`. Permissions to these devices have to be corrected by adding these lines to [.filename]#/etc/devfs.conf#: +In order for users to be able to use VirtualBox(TM)DVD/CD functions, they need access to [.filename]#/dev/xpt0#, [.filename]#/dev/cdN#, and [.filename]#/dev/passN#. +This is usually achieved by making the user a member of `operator`. +Permissions to these devices have to be corrected by adding these lines to [.filename]#/etc/devfs.conf#: [.programlisting] .... @@ -552,21 +622,33 @@ perm pass* 0660 [[virtualization-host-bhyve]] == FreeBSD as a Host with bhyve -The bhyveBSD-licensed hypervisor became part of the base system with FreeBSD 10.0-RELEASE. This hypervisor supports a number of guests, including FreeBSD, OpenBSD, and many Linux(R) distributions. By default, bhyve provides access to serial console and does not emulate a graphical console. Virtualization offload features of newer CPUs are used to avoid the legacy methods of translating instructions and manually managing memory mappings. +The bhyveBSD-licensed hypervisor became part of the base system with FreeBSD 10.0-RELEASE. +This hypervisor supports a number of guests, including FreeBSD, OpenBSD, and many Linux(R) distributions. +By default, bhyve provides access to serial console and does not emulate a graphical console. +Virtualization offload features of newer CPUs are used to avoid the legacy methods of translating instructions and manually managing memory mappings. -The bhyve design requires a processor that supports Intel(R) Extended Page Tables (EPT) or AMD(R) Rapid Virtualization Indexing (RVI) or Nested Page Tables (NPT). Hosting Linux(R) guests or FreeBSD guests with more than one vCPU requires VMX unrestricted mode support (UG). Most newer processors, specifically the Intel(R) Core(TM) i3/i5/i7 and Intel(R) Xeon(TM) E3/E5/E7, support these features. UG support was introduced with Intel's Westmere micro-architecture. For a complete list of Intel(R) processors that support EPT, refer to https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&0_ExtendedPageTables=True[]. RVI is found on the third generation and later of the AMD Opteron(TM) (Barcelona) processors. The easiest way to tell if a processor supports bhyve is to run `dmesg` or look in [.filename]#/var/run/dmesg.boot# for the `POPCNT` processor feature flag on the `Features2` line for AMD(R) processors or `EPT` and `UG` on the `VT-x` line for Intel(R) processors. +The bhyve design requires a processor that supports Intel(R) Extended Page Tables (EPT) or AMD(R) Rapid Virtualization Indexing (RVI) or Nested Page Tables (NPT). +Hosting Linux(R) guests or FreeBSD guests with more than one vCPU requires VMX unrestricted mode support (UG). +Most newer processors, specifically the Intel(R) Core(TM) i3/i5/i7 and Intel(R) Xeon(TM) E3/E5/E7, support these features. +UG support was introduced with Intel's Westmere micro-architecture. +For a complete list of Intel(R) processors that support EPT, refer to https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&0_ExtendedPageTables=True[]. +RVI is found on the third generation and later of the AMD Opteron(TM) (Barcelona) processors. +The easiest way to tell if a processor supports bhyve is to run `dmesg` or look in [.filename]#/var/run/dmesg.boot# for the `POPCNT` processor feature flag on the `Features2` line for AMD(R) processors or `EPT` and `UG` on the `VT-x` line for Intel(R) processors. [[virtualization-bhyve-prep]] === Preparing the Host -The first step to creating a virtual machine in bhyve is configuring the host system. First, load the bhyve kernel module: +The first step to creating a virtual machine in bhyve is configuring the host system. +First, load the bhyve kernel module: [source,shell] .... # kldload vmm .... -Then, create a [.filename]#tap# interface for the network device in the virtual machine to attach to. In order for the network device to participate in the network, also create a bridge interface containing the [.filename]#tap# interface and the physical interface as members. In this example, the physical interface is _igb0_: +Then, create a [.filename]#tap# interface for the network device in the virtual machine to attach to. +In order for the network device to participate in the network, also create a bridge interface containing the [.filename]#tap# interface and the physical interface as members. +In this example, the physical interface is _igb0_: [source,shell] .... @@ -581,7 +663,8 @@ net.link.tap.up_on_open: 0 -> 1 [[virtualization-bhyve-freebsd]] === Creating a FreeBSD Guest -Create a file to use as the virtual disk for the guest machine. Specify the size and name of the virtual disk: +Create a file to use as the virtual disk for the guest machine. +Specify the size and name of the virtual disk: [source,shell] .... @@ -596,16 +679,24 @@ Download an installation image of FreeBSD to install: FreeBSD-12.2-RELEASE-amd64-bootonly.iso 100% of 230 MB 570 kBps 06m17s .... -FreeBSD comes with an example script for running a virtual machine in bhyve. The script will start the virtual machine and run it in a loop, so it will automatically restart if it crashes. The script takes a number of options to control the configuration of the machine: `-c` controls the number of virtual CPUs, `-m` limits the amount of memory available to the guest, `-t` defines which [.filename]#tap# device to use, `-d` indicates which disk image to use, `-i` tells bhyve to boot from the CD image instead of the disk, and `-I` defines which CD image to use. The last parameter is the name of the virtual machine, used to track the running machines. This example starts the virtual machine in installation mode: +FreeBSD comes with an example script for running a virtual machine in bhyve. +The script will start the virtual machine and run it in a loop, so it will automatically restart if it crashes. +The script takes a number of options to control the configuration of the machine: `-c` controls the number of virtual CPUs, `-m` limits the amount of memory available to the guest, `-t` defines which [.filename]#tap# device to use, `-d` indicates which disk image to use, `-i` tells bhyve to boot from the CD image instead of the disk, and `-I` defines which CD image to use. +The last parameter is the name of the virtual machine, used to track the running machines. +This example starts the virtual machine in installation mode: [source,shell] .... # sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 1024M -t tap0 -d guest.img -i -I FreeBSD-12.2-RELEASE-amd64-bootonly.iso guestname .... -The virtual machine will boot and start the installer. After installing a system in the virtual machine, when the system asks about dropping in to a shell at the end of the installation, choose btn:[Yes]. +The virtual machine will boot and start the installer. +After installing a system in the virtual machine, when the system asks about dropping in to a shell at the end of the installation, choose btn:[Yes]. -Reboot the virtual machine. While rebooting the virtual machine causes bhyve to exit, the [.filename]#vmrun.sh# script runs `bhyve` in a loop and will automatically restart it. When this happens, choose the reboot option from the boot loader menu in order to escape the loop. Now the guest can be started from the virtual disk: +Reboot the virtual machine. +While rebooting the virtual machine causes bhyve to exit, the [.filename]#vmrun.sh# script runs `bhyve` in a loop and will automatically restart it. +When this happens, choose the reboot option from the boot loader menu in order to escape the loop. +Now the guest can be started from the virtual disk: [source,shell] .... @@ -624,7 +715,10 @@ Next, create a file to use as the virtual disk for the guest machine: # truncate -s 16G linux.img .... -Starting a virtual machine with bhyve is a two step process. First a kernel must be loaded, then the guest can be started. The Linux(R) kernel is loaded with package:sysutils/grub2-bhyve[]. Create a [.filename]#device.map# that grub will use to map the virtual devices to the files on the host system: +Starting a virtual machine with bhyve is a two step process. +First a kernel must be loaded, then the guest can be started. +The Linux(R) kernel is loaded with package:sysutils/grub2-bhyve[]. +Create a [.filename]#device.map# that grub will use to map the virtual devices to the files on the host system: [.programlisting] .... @@ -639,7 +733,9 @@ Use package:sysutils/grub2-bhyve[] to load the Linux(R) kernel from the ISO imag # grub-bhyve -m device.map -r cd0 -M 1024M linuxguest .... -This will start grub. If the installation CD contains a [.filename]#grub.cfg#, a menu will be displayed. If not, the `vmlinuz` and `initrd` files must be located and loaded manually: +This will start grub. +If the installation CD contains a [.filename]#grub.cfg#, a menu will be displayed. +If not, the `vmlinuz` and `initrd` files must be located and loaded manually: [source,shell] .... @@ -661,14 +757,18 @@ Now that the Linux(R) kernel is loaded, the guest can be started: -s 4:0,ahci-cd,./somelinux.iso -l com1,stdio -c 4 -m 1024M linuxguest .... -The system will boot and start the installer. After installing a system in the virtual machine, reboot the virtual machine. This will cause bhyve to exit. The instance of the virtual machine needs to be destroyed before it can be started again: +The system will boot and start the installer. +After installing a system in the virtual machine, reboot the virtual machine. +This will cause bhyve to exit. +The instance of the virtual machine needs to be destroyed before it can be started again: [source,shell] .... # bhyvectl --destroy --vm=linuxguest .... -Now the guest can be started directly from the virtual disk. Load the kernel: +Now the guest can be started directly from the virtual disk. +Load the kernel: [source,shell] .... @@ -693,7 +793,10 @@ Boot the virtual machine: -s 3:0,virtio-blk,./linux.img -l com1,stdio -c 4 -m 1024M linuxguest .... -Linux(R) will now boot in the virtual machine and eventually present you with the login prompt. Login and use the virtual machine. When you are finished, reboot the virtual machine to exit bhyve. Destroy the virtual machine instance: +Linux(R) will now boot in the virtual machine and eventually present you with the login prompt. +Login and use the virtual machine. +When you are finished, reboot the virtual machine to exit bhyve. +Destroy the virtual machine instance: [source,shell] .... @@ -703,11 +806,14 @@ Linux(R) will now boot in the virtual machine and eventually present you with th [[virtualization-bhyve-uefi]] === Booting bhyve Virtual Machines with UEFI Firmware -In addition to bhyveload and grub-bhyve, the bhyve hypervisor can also boot virtual machines using the UEFI userspace firmware. This option may support guest operating systems that are not supported by the other loaders. +In addition to bhyveload and grub-bhyve, the bhyve hypervisor can also boot virtual machines using the UEFI userspace firmware. +This option may support guest operating systems that are not supported by the other loaders. -In order to make use of the UEFI support in bhyve, first obtain the UEFI firmware images. This can be done by installing package:sysutils/bhyve-firmware[] port or package. +In order to make use of the UEFI support in bhyve, first obtain the UEFI firmware images. +This can be done by installing package:sysutils/bhyve-firmware[] port or package. -With the firmware in place, add the flags `-l bootrom,_/path/to/firmware_` to your bhyve command line. The actual bhyve command may look like this: +With the firmware in place, add the flags `-l bootrom,_/path/to/firmware_` to your bhyve command line. +The actual bhyve command may look like this: [source,shell] .... @@ -734,7 +840,10 @@ guest The UEFI firmware support is particularly useful with predominantly graphical guest operating systems such as Microsoft Windows(R). -Support for the UEFI-GOP framebuffer may also be enabled with the `-s 29,fbuf,tcp=_0.0.0.0:5900_` flags. The framebuffer resolution may be configured with `w=_800_` and `h=_600_`, and bhyve can be instructed to wait for a VNC connection before booting the guest by adding `wait`. The framebuffer may be accessed from the host or over the network via the VNC protocol. Additionally, `-s 30,xhci,tablet` can be added to achieve precise mouse cursor synchronization with the host. +Support for the UEFI-GOP framebuffer may also be enabled with the `-s 29,fbuf,tcp=_0.0.0.0:5900_` flags. +The framebuffer resolution may be configured with `w=_800_` and `h=_600_`, and bhyve can be instructed to wait for a VNC connection before booting the guest by adding `wait`. +The framebuffer may be accessed from the host or over the network via the VNC protocol. +Additionally, `-s 30,xhci,tablet` can be added to achieve precise mouse cursor synchronization with the host. The resulting bhyve command would look like this: @@ -754,7 +863,8 @@ Note, in BIOS emulation mode, the framebuffer will cease receiving updates once [[virtualization-bhyve-zfs]] === Using ZFS with bhyve Guests -If ZFS is available on the host machine, using ZFS volumes instead of disk image files can provide significant performance benefits for the guest VMs. A ZFS volume can be created by: +If ZFS is available on the host machine, using ZFS volumes instead of disk image files can provide significant performance benefits for the guest VMs. +A ZFS volume can be created by: [source,shell] .... @@ -772,7 +882,11 @@ When starting the VM, specify the ZFS volume as the disk drive: [[virtualization-bhyve-nmdm]] === Virtual Machine Consoles -It is advantageous to wrap the bhyve console in a session management tool such as package:sysutils/tmux[] or package:sysutils/screen[] in order to detach and reattach to the console. It is also possible to have the console of bhyve be a null modem device that can be accessed with `cu`. To do this, load the [.filename]#nmdm# kernel module and replace `-l com1,stdio` with `-l com1,/dev/nmdm0A`. The [.filename]#/dev/nmdm# devices are created automatically as needed, where each is a pair, corresponding to the two ends of the null modem cable ([.filename]#/dev/nmdm0A# and [.filename]#/dev/nmdm0B#). See man:nmdm[4] for more information. +It is advantageous to wrap the bhyve console in a session management tool such as package:sysutils/tmux[] or package:sysutils/screen[] in order to detach and reattach to the console. +It is also possible to have the console of bhyve be a null modem device that can be accessed with `cu`. +To do this, load the [.filename]#nmdm# kernel module and replace `-l com1,stdio` with `-l com1,/dev/nmdm0A`. +The [.filename]#/dev/nmdm# devices are created automatically as needed, where each is a pair, corresponding to the two ends of the null modem cable ([.filename]#/dev/nmdm0A# and [.filename]#/dev/nmdm0B#). +See man:nmdm[4] for more information. [source,shell] .... @@ -790,7 +904,8 @@ handbook login: [[virtualization-bhyve-managing]] === Managing Virtual Machines -A device node is created in [.filename]#/dev/vmm# for each virtual machine. This allows the administrator to easily see a list of the running virtual machines: +A device node is created in [.filename]#/dev/vmm# for each virtual machine. +This allows the administrator to easily see a list of the running virtual machines: [source,shell] .... @@ -835,16 +950,30 @@ kld_list="nmdm vmm" [[virtualization-host-xen]] == FreeBSD as a Xen(TM)-Host -Xen is a GPLv2-licensed https://en.wikipedia.org/wiki/Hypervisor#Classification[type 1 hypervisor] for Intel(R) and ARM(R) architectures. FreeBSD has included i386(TM) and AMD(R) 64-Bit https://wiki.xenproject.org/wiki/DomU[DomU] and https://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud[Amazon EC2] unprivileged domain (virtual machine) support since FreeBSD 8.0 and includes Dom0 control domain (host) support in FreeBSD 11.0. Support for para-virtualized (PV) domains has been removed from FreeBSD 11 in favor of hardware virtualized (HVM) domains, which provides better performance. - -Xen(TM) is a bare-metal hypervisor, which means that it is the first program loaded after the BIOS. A special privileged guest called the Domain-0 (`Dom0` for short) is then started. The Dom0 uses its special privileges to directly access the underlying physical hardware, making it a high-performance solution. It is able to access the disk controllers and network adapters directly. The Xen(TM) management tools to manage and control the Xen(TM) hypervisor are also used by the Dom0 to create, list, and destroy VMs. Dom0 provides virtual disks and networking for unprivileged domains, often called `DomU`. Xen(TM) Dom0 can be compared to the service console of other hypervisor solutions, while the DomU is where individual guest VMs are run. - -Xen(TM) can migrate VMs between different Xen(TM) servers. When the two xen hosts share the same underlying storage, the migration can be done without having to shut the VM down first. Instead, the migration is performed live while the DomU is running and there is no need to restart it or plan a downtime. This is useful in maintenance scenarios or upgrade windows to ensure that the services provided by the DomU are still provided. Many more features of Xen(TM) are listed on the https://wiki.xenproject.org/wiki/Category:Overview[Xen Wiki Overview page]. Note that not all features are supported on FreeBSD yet. +Xen is a GPLv2-licensed https://en.wikipedia.org/wiki/Hypervisor#Classification[type 1 hypervisor] for Intel(R) and ARM(R) architectures. +FreeBSD has included i386(TM) and AMD(R) 64-Bit https://wiki.xenproject.org/wiki/DomU[DomU] and https://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud[Amazon EC2] unprivileged domain (virtual machine) support since FreeBSD 8.0 and includes Dom0 control domain (host) support in FreeBSD 11.0. +Support for para-virtualized (PV) domains has been removed from FreeBSD 11 in favor of hardware virtualized (HVM) domains, which provides better performance. + +Xen(TM) is a bare-metal hypervisor, which means that it is the first program loaded after the BIOS. +A special privileged guest called the Domain-0 (`Dom0` for short) is then started. +The Dom0 uses its special privileges to directly access the underlying physical hardware, making it a high-performance solution. +It is able to access the disk controllers and network adapters directly. +The Xen(TM) management tools to manage and control the Xen(TM) hypervisor are also used by the Dom0 to create, list, and destroy VMs. +Dom0 provides virtual disks and networking for unprivileged domains, often called `DomU`. +Xen(TM) Dom0 can be compared to the service console of other hypervisor solutions, while the DomU is where individual guest VMs are run. + +Xen(TM) can migrate VMs between different Xen(TM) servers. +When the two xen hosts share the same underlying storage, the migration can be done without having to shut the VM down first. +Instead, the migration is performed live while the DomU is running and there is no need to restart it or plan a downtime. +This is useful in maintenance scenarios or upgrade windows to ensure that the services provided by the DomU are still provided. +Many more features of Xen(TM) are listed on the https://wiki.xenproject.org/wiki/Category:Overview[Xen Wiki Overview page]. +Note that not all features are supported on FreeBSD yet. [[virtualization-host-xen-requirements]] === Hardware Requirements for Xen(TM) Dom0 -To run the Xen(TM) hypervisor on a host, certain hardware functionality is required. Hardware virtualized domains require Extended Page Table (http://en.wikipedia.org/wiki/Extended_Page_Table[EPT]) and Input/Output Memory Management Unit (http://en.wikipedia.org/wiki/List_of_IOMMU-supporting_hardware[IOMMU]) support in the host processor. +To run the Xen(TM) hypervisor on a host, certain hardware functionality is required. +Hardware virtualized domains require Extended Page Table (http://en.wikipedia.org/wiki/Extended_Page_Table[EPT]) and Input/Output Memory Management Unit (http://en.wikipedia.org/wiki/List_of_IOMMU-supporting_hardware[IOMMU]) support in the host processor. [NOTE] ==== @@ -856,14 +985,19 @@ In order to run a FreeBSD Xen(TM) Dom0 the box must be booted using legacy boot Users of FreeBSD 11 should install the package:emulators/xen-kernel47[] and package:sysutils/xen-tools47[] packages that are based on Xen version 4.7. Systems running on FreeBSD-12.0 or newer can use Xen 4.11 provided by package:emulators/xen-kernel411[] and package:sysutils/xen-tools411[], respectively. -Configuration files must be edited to prepare the host for the Dom0 integration after the Xen packages are installed. An entry to [.filename]#/etc/sysctl.conf# disables the limit on how many pages of memory are allowed to be wired. Otherwise, DomU VMs with higher memory requirements will not run. +Configuration files must be edited to prepare the host for the Dom0 integration after the Xen packages are installed. +An entry to [.filename]#/etc/sysctl.conf# disables the limit on how many pages of memory are allowed to be wired. +Otherwise, DomU VMs with higher memory requirements will not run. [source,shell] .... # echo 'vm.max_wired=-1' >> /etc/sysctl.conf .... -Another memory-related setting involves changing [.filename]#/etc/login.conf#, setting the `memorylocked` option to `unlimited`. Otherwise, creating DomU domains may fail with `Cannot allocate memory` errors. After making the change to [.filename]#/etc/login.conf#, run `cap_mkdb` to update the capability database. See crossref:security[security-resourcelimits,"Resource Limits"] for details. +Another memory-related setting involves changing [.filename]#/etc/login.conf#, setting the `memorylocked` option to `unlimited`. +Otherwise, creating DomU domains may fail with `Cannot allocate memory` errors. +After making the change to [.filename]#/etc/login.conf#, run `cap_mkdb` to update the capability database. +See crossref:security[security-resourcelimits,"Resource Limits"] for details. [source,shell] .... @@ -878,7 +1012,11 @@ Add an entry for the Xen(TM) console to [.filename]#/etc/ttys#: # echo 'xc0 "/usr/libexec/getty Pc" xterm onifconsole secure' >> /etc/ttys .... -Selecting a Xen(TM) kernel in [.filename]#/boot/loader.conf# activates the Dom0. Xen(TM) also requires resources like CPU and memory from the host machine for itself and other DomU domains. How much CPU and memory depends on the individual requirements and hardware capabilities. In this example, 8 GB of memory and 4 virtual CPUs are made available for the Dom0. The serial console is also activated and logging options are defined. +Selecting a Xen(TM) kernel in [.filename]#/boot/loader.conf# activates the Dom0. +Xen(TM) also requires resources like CPU and memory from the host machine for itself and other DomU domains. +How much CPU and memory depends on the individual requirements and hardware capabilities. +In this example, 8 GB of memory and 4 virtual CPUs are made available for the Dom0. +The serial console is also activated and logging options are defined. The following command is used for Xen 4.7 packages: @@ -902,7 +1040,8 @@ For Xen versions 4.11 and higher, the following command should be used instead: [TIP] ==== -Log files that Xen(TM) creates for the DomU VMs are stored in [.filename]#/var/log/xen#. Please be sure to check the contents of that directory if experiencing issues. +Log files that Xen(TM) creates for the DomU VMs are stored in [.filename]#/var/log/xen#. +Please be sure to check the contents of that directory if experiencing issues. ==== Activate the xencommons service during system startup: @@ -912,7 +1051,10 @@ Activate the xencommons service during system startup: # sysrc xencommons_enable=yes .... -These settings are enough to start a Dom0-enabled system. However, it lacks network functionality for the DomU machines. To fix that, define a bridged interface with the main NIC of the system which the DomU VMs can use to connect to the network. Replace _em0_ with the host network interface name. +These settings are enough to start a Dom0-enabled system. +However, it lacks network functionality for the DomU machines. +To fix that, define a bridged interface with the main NIC of the system which the DomU VMs can use to connect to the network. +Replace _em0_ with the host network interface name. [source,shell] .... @@ -937,12 +1079,19 @@ Name ID Mem VCPUs State Time(s) Domain-0 0 8192 4 r----- 962.0 .... -The output confirms that the Dom0 (called `Domain-0`) has the ID `0` and is running. It also has the memory and virtual CPUs that were defined in [.filename]#/boot/loader.conf# earlier. More information can be found in the https://www.xenproject.org/help/documentation.html[Xen(TM) Documentation]. DomU guest VMs can now be created. +The output confirms that the Dom0 (called `Domain-0`) has the ID `0` and is running. +It also has the memory and virtual CPUs that were defined in [.filename]#/boot/loader.conf# earlier. +More information can be found in the https://www.xenproject.org/help/documentation.html[Xen(TM) Documentation]. +DomU guest VMs can now be created. [[virtualization-host-xen-domu-setup]] === Xen(TM) DomU Guest VM Configuration -Unprivileged domains consist of a configuration file and virtual or physical hard disks. Virtual disk storage for the DomU can be files created by man:truncate[1] or ZFS volumes as described in crossref:zfs[zfs-zfs-volume,“Creating and Destroying Volumes”]. In this example, a 20 GB volume is used. A VM is created with the ZFS volume, a FreeBSD ISO image, 1 GB of RAM and two virtual CPUs. The ISO installation file is retrieved with man:fetch[1] and saved locally in a file called [.filename]#freebsd.iso#. +Unprivileged domains consist of a configuration file and virtual or physical hard disks. +Virtual disk storage for the DomU can be files created by man:truncate[1] or ZFS volumes as described in crossref:zfs[zfs-zfs-volume,“Creating and Destroying Volumes”]. +In this example, a 20 GB volume is used. +A VM is created with the ZFS volume, a FreeBSD ISO image, 1 GB of RAM and two virtual CPUs. +The ISO installation file is retrieved with man:fetch[1] and saved locally in a file called [.filename]#freebsd.iso#. [source,shell] .... @@ -956,7 +1105,9 @@ A ZFS volume of 20 GB called [.filename]#xendisk0# is created to serve as the di # zfs create -V20G -o volmode=dev zroot/xendisk0 .... -The new DomU guest VM is defined in a file. Some specific definitions like name, keymap, and VNC connection details are also defined. The following [.filename]#freebsd.cfg# contains a minimum DomU configuration for this example: +The new DomU guest VM is defined in a file. +Some specific definitions like name, keymap, and VNC connection details are also defined. +The following [.filename]#freebsd.cfg# contains a minimum DomU configuration for this example: [source,shell] .... @@ -996,7 +1147,11 @@ After the file has been created with all the necessary options, the DomU is crea [NOTE] ==== -Each time the Dom0 is restarted, the configuration file must be passed to `xl create` again to re-create the DomU. By default, only the Dom0 is created after a reboot, not the individual VMs. The VMs can continue where they left off as they stored the operating system on the virtual disk. The virtual machine configuration can change over time (for example, when adding more memory). The virtual machine configuration files must be properly backed up and kept available to be able to re-create the guest VM when needed. +Each time the Dom0 is restarted, the configuration file must be passed to `xl create` again to re-create the DomU. +By default, only the Dom0 is created after a reboot, not the individual VMs. +The VMs can continue where they left off as they stored the operating system on the virtual disk. +The virtual machine configuration can change over time (for example, when adding more memory). +The virtual machine configuration files must be properly backed up and kept available to be able to re-create the guest VM when needed. ==== The output of `xl list` confirms that the DomU has been created. @@ -1009,7 +1164,11 @@ Domain-0 0 8192 4 r----- 1653.4 freebsd 1 1024 1 -b---- 663.9 .... -To begin the installation of the base operating system, start the VNC client, directing it to the main network address of the host or to the IP address defined on the `vnclisten` line of [.filename]#freebsd.cfg#. After the operating system has been installed, shut down the DomU and disconnect the VNC viewer. Edit [.filename]#freebsd.cfg#, removing the line with the `cdrom` definition or commenting it out by inserting a `#` character at the beginning of the line. To load this new configuration, it is necessary to remove the old DomU with `xl destroy`, passing either the name or the id as the parameter. Afterwards, recreate it using the modified [.filename]*freebsd.cfg*. +To begin the installation of the base operating system, start the VNC client, directing it to the main network address of the host or to the IP address defined on the `vnclisten` line of [.filename]#freebsd.cfg#. +After the operating system has been installed, shut down the DomU and disconnect the VNC viewer. +Edit [.filename]#freebsd.cfg#, removing the line with the `cdrom` definition or commenting it out by inserting a `#` character at the beginning of the line. +To load this new configuration, it is necessary to remove the old DomU with `xl destroy`, passing either the name or the id as the parameter. +Afterwards, recreate it using the modified [.filename]*freebsd.cfg*. [source,shell] .... @@ -1017,7 +1176,8 @@ To begin the installation of the base operating system, start the VNC client, di # xl create freebsd.cfg .... -The machine can then be accessed again using the VNC viewer. This time, it will boot from the virtual disk where the operating system has been installed and can be used as a virtual machine. +The machine can then be accessed again using the VNC viewer. +This time, it will boot from the virtual disk where the operating system has been installed and can be used as a virtual machine. [[virtualization-host-xen-troubleshooting]] === Troubleshooting @@ -1027,15 +1187,19 @@ This section contains basic information in order to help troubleshoot issues fou [[virtualization-host-xen-troubleshooting-host]] ==== Host Boot Troubleshooting -Please note that the following troubleshooting tips are intended for Xen(TM) 4.11 or newer. If you are still using Xen(TM) 4.7 and having issues consider migrating to a newer version of Xen(TM). +Please note that the following troubleshooting tips are intended for Xen(TM) 4.11 or newer. +If you are still using Xen(TM) 4.7 and having issues consider migrating to a newer version of Xen(TM). -In order to troubleshoot host boot issues you will likely need a serial cable, or a debug USB cable. Verbose Xen(TM) boot output can be obtained by adding options to the `xen_cmdline` option found in [.filename]#loader.conf#. A couple of relevant debug options are: +In order to troubleshoot host boot issues you will likely need a serial cable, or a debug USB cable. +Verbose Xen(TM) boot output can be obtained by adding options to the `xen_cmdline` option found in [.filename]#loader.conf#. +A couple of relevant debug options are: * `iommu=debug`: can be used to print additional diagnostic information about the iommu. * `dom0=verbose`: can be used to print additional diagnostic information about the dom0 build process. * `sync_console`: flag to force synchronous console output. Useful for debugging to avoid losing messages due to rate limiting. Never use this option in production environments since it can allow malicious guests to perform DoS attacks against Xen(TM) using the console. -FreeBSD should also be booted in verbose mode in order to identify any issues. To activate verbose booting, run this command: +FreeBSD should also be booted in verbose mode in order to identify any issues. +To activate verbose booting, run this command: [source,shell] .... @@ -1049,7 +1213,8 @@ If none of these options help solving the problem, please send the serial boot l Issues can also arise when creating guests, the following attempts to provide some help for those trying to diagnose guest creation issues. -The most common cause of guest creation failures is the `xl` command spitting some error and exiting with a return code different than 0. If the error provided is not enough to help identify the issue, more verbose output can also be obtained from `xl` by using the `v` option repeatedly. +The most common cause of guest creation failures is the `xl` command spitting some error and exiting with a return code different than 0. +If the error provided is not enough to help identify the issue, more verbose output can also be obtained from `xl` by using the `v` option repeatedly. [source,shell] .... @@ -1068,4 +1233,7 @@ libxl: debug: libxl_dom.c:988:libxl__load_hvm_firmware_module: Loading BIOS: /us ... .... -If the verbose output does not help diagnose the issue there are also QEMU and Xen(TM) toolstack logs in [.filename]#/var/log/xen#. Note that the name of the domain is appended to the log name, so if the domain is named `freebsd` you should find a [.filename]#/var/log/xen/xl-freebsd.log# and likely a [.filename]#/var/log/xen/qemu-dm-freebsd.log#. Both log files can contain useful information for debugging. If none of this helps solve the issue, please send the description of the issue you are facing and as much information as possible to mailto:freebsd-xen@FreeBSD.org[freebsd-xen@FreeBSD.org] and mailto:xen-devel@lists.xenproject.org[xen-devel@lists.xenproject.org] in order to get help. +If the verbose output does not help diagnose the issue there are also QEMU and Xen(TM) toolstack logs in [.filename]#/var/log/xen#. +Note that the name of the domain is appended to the log name, so if the domain is named `freebsd` you should find a [.filename]#/var/log/xen/xl-freebsd.log# and likely a [.filename]#/var/log/xen/qemu-dm-freebsd.log#. +Both log files can contain useful information for debugging. +If none of this helps solve the issue, please send the description of the issue you are facing and as much information as possible to mailto:freebsd-xen@FreeBSD.org[freebsd-xen@FreeBSD.org] and mailto:xen-devel@lists.xenproject.org[xen-devel@lists.xenproject.org] in order to get help. diff --git a/documentation/content/en/books/handbook/wine/_index.adoc b/documentation/content/en/books/handbook/wine/_index.adoc index 1951e1dd50..a29ca3407b 100644 --- a/documentation/content/en/books/handbook/wine/_index.adoc +++ b/documentation/content/en/books/handbook/wine/_index.adoc @@ -46,15 +46,27 @@ toc::[] [[wine-synopsis]] == Synopsis -https://www.winehq.org/[WINE], which stands for Wine Is Not an Emulator, is technically a software translation layer. It enables to install and run some software written for Windows(R) on FreeBSD (and other) systems. +https://www.winehq.org/[WINE], which stands for Wine Is Not an Emulator, is technically a software translation layer. +It enables to install and run some software written for Windows(R) on FreeBSD (and other) systems. -It operates by intercepting system calls, or requests from the software to the operating system, and translating them from Windows(R) calls to calls that FreeBSD understands. It will also translate any responses as needed into what the Windows(R) software is expecting. So in some ways, it _emulates_ a Windows(R) environment, in that it provides many of the resources Windows(R) applications are expecting. +It operates by intercepting system calls, or requests from the software to the operating system, and translating them from Windows(R) calls to calls that FreeBSD understands. +It will also translate any responses as needed into what the Windows(R) software is expecting. +So in some ways, it _emulates_ a Windows(R) environment, in that it provides many of the resources Windows(R) applications are expecting. -However, it is not an emulator in the traditional sense. Many of these solutions operate by constructing an entire other computer using software processes in place of hardware Virtualization (such as that provided by the package:emulators/qemu[] port) operates in this way. One of the benefits of this approach is the ability to install a full version of the OS in question to the emulator. It means that the environment will not look any different to applications than a real machine, and chances are good that everything will work on it. The downside to this approach is the fact that software acting as hardware is inherently slower than actual hardware. The computer built in software (called the _guest_) requires resources from the real machine (the _host_), and holds on to those resources for as long as it is running. +However, it is not an emulator in the traditional sense. +Many of these solutions operate by constructing an entire other computer using software processes in place of hardware Virtualization (such as that provided by the package:emulators/qemu[] port) operates in this way. +One of the benefits of this approach is the ability to install a full version of the OS in question to the emulator. +It means that the environment will not look any different to applications than a real machine, and chances are good that everything will work on it. +The downside to this approach is the fact that software acting as hardware is inherently slower than actual hardware. +The computer built in software (called the _guest_) requires resources from the real machine (the _host_), and holds on to those resources for as long as it is running. -The WINE Project, on the other hand, is much lighter on system's resources. It will translate system calls on the fly, so while it is difficult to be as fast as a real Windows(R) computer, it can come very close. On the other hand, WINE is trying to keep up with a moving target in terms of all the different system calls and other functionality it needs to support. As a result there may be applications that do not work as expected on WINE, will not work at all, or will not even install to begin with. +The WINE Project, on the other hand, is much lighter on system's resources. +It will translate system calls on the fly, so while it is difficult to be as fast as a real Windows(R) computer, it can come very close. +On the other hand, WINE is trying to keep up with a moving target in terms of all the different system calls and other functionality it needs to support. +As a result there may be applications that do not work as expected on WINE, will not work at all, or will not even install to begin with. -At the end of the day, WINE provides another option to try to get a particular Windows(R) software program running on FreeBSD. It can always serve as the first option which, if successful, offers a good experience without unnecessarily depleting the host FreeBSD system's resources. +At the end of the day, WINE provides another option to try to get a particular Windows(R) software program running on FreeBSD. +It can always serve as the first option which, if successful, offers a good experience without unnecessarily depleting the host FreeBSD system's resources. This chapter will describe: @@ -80,14 +92,14 @@ WINE is a complex system, so before running it on a FreeBSD system it is worth g [[what-is-wine]] === What is WINE? -As mentioned in the <<wine-synopsis,Synopsis>> for this chapter, WINE is a compatibility layer that allows Windows(R) applications to run on other operating systems. In theory, it means these programs should run on systems like FreeBSD, macOS, and Android. +As mentioned in the <<wine-synopsis,Synopsis>> for this chapter, WINE is a compatibility layer that allows Windows(R) applications to run on other operating systems. +In theory, it means these programs should run on systems like FreeBSD, macOS, and Android. When WINE runs a Windows(R) executable, two things occur: * Firstly, WINE implements an environment that mimics that of various versions of Windows(R). For example, if an application requests access to a resource such as RAM, WINE has a memory interface that looks and acts (as far as the application is concerned) like Windows(R). * Then, once that application makes use of that interface, WINE takes the incoming request for space in memory and translates it to something compatible with the host system. In the same way when the application retrieves that data, WINE facilitates fetching it from the host system and passing it back to the Windows(R) application. - [[wine-and-the-os-system]] === WINE and the FreeBSD System @@ -98,11 +110,12 @@ Installing WINE on a FreeBSD system will entail a few different components: * A number of Windows(R) executables, which are (or mimic) common utilities (such as [.filename]#/lib/wine/notepad.exe.so#, which provides the standard Windows(R) text editor). * Additional Windows(R) assets, in particular fonts (like the Tahoma font, which is stored in [.filename]#share/wine/fonts/tahoma.ttf# in the install root). - [[graphical-versus-text-modeterminal-programs-in-wine]] === Graphical Versus Text Mode/Terminal Programs in WINE -As an operating system where terminal utilities are "first-class citizens," it is natural to assume that WINE will contain extensive support for text-mode program. However, the majority of applications for Windows(R), especially the most popular ones, are designed with a graphical user interface (GUI) in mind. Therefore, WINE's utilities are designed by default to launch graphical programs. +As an operating system where terminal utilities are "first-class citizens," it is natural to assume that WINE will contain extensive support for text-mode program. +However, the majority of applications for Windows(R), especially the most popular ones, are designed with a graphical user interface (GUI) in mind. +Therefore, WINE's utilities are designed by default to launch graphical programs. However, there are three methods available to run these so-called Console User Interface (CUI) programs: @@ -119,24 +132,29 @@ WINE itself is a mature open source project, so it is little surprise it is used [[commercial-wine-implementations]] ==== Commercial WINE Implementations -A number of companies have taken WINE and made it a core of their own, proprietary products (WINE's LGPL license permits this). Two of the most famous of these are as follows: +A number of companies have taken WINE and made it a core of their own, proprietary products (WINE's LGPL license permits this). +Two of the most famous of these are as follows: * Codeweavers CrossOver -This solution provides a simplified "one-click" installation of WINE, which contains additional enhancements and optimizations (although the company contributes many of these back upstream to the WINE project). One area of focus for Codeweavers is to make the most popular applications install and run smoothly. +This solution provides a simplified "one-click" installation of WINE, which contains additional enhancements and optimizations (although the company contributes many of these back upstream to the WINE project). +One area of focus for Codeweavers is to make the most popular applications install and run smoothly. -While the company once produced a native FreeBSD version of their CrossOver solution, it appears to have long been abandoned. While some resources (such as a https://www.codeweavers.com/compatibility/crossover/forum/freebsd[dedicated forum]) are still present, they also have seen no activity for some time. +While the company once produced a native FreeBSD version of their CrossOver solution, it appears to have long been abandoned. +While some resources (such as a https://www.codeweavers.com/compatibility/crossover/forum/freebsd[dedicated forum]) are still present, they also have seen no activity for some time. * Steam Proton -Gaming company Steam also uses WINE to enable Windows(R) games to install and run on other systems. it is primary target is Linux-based systems, though some support exists for macOS as well. +Gaming company Steam also uses WINE to enable Windows(R) games to install and run on other systems. +it is primary target is Linux-based systems, though some support exists for macOS as well. While Steam does not offer a native FreeBSD client,there are several options for using the Linux(R) client using FreeBSD's Linux Compatibility Layer. [[wine-companion-programs]] ==== WINE Companion Programs -In addition to proprietary offerings, other projects have released applications designed to work in tandem with the standard, open source version of WINE. The goals for these can range from making installation easier to offering easy ways to get popular software installed. +In addition to proprietary offerings, other projects have released applications designed to work in tandem with the standard, open source version of WINE. +The goals for these can range from making installation easier to offering easy ways to get popular software installed. These solutions are covered in greater detail in the later section on <<wine-management-guis,GUI frontends>>, and include the following: @@ -164,11 +182,17 @@ Before installing WINE itself, it is useful to have the following pre-requisites * A GUI -Most Windows(R) programs are expecting to have a graphical user interface available. If WINE is installed without one present, its dependencies will include the Wayland compositor, and so a GUI will be installed along with WINE. But it is useful to have the GUI of choice installed, configured, and working correctly before installing WINE. +Most Windows(R) programs are expecting to have a graphical user interface available. +If WINE is installed without one present, its dependencies will include the Wayland compositor, and so a GUI will be installed along with WINE. +But it is useful to have the GUI of choice installed, configured, and working correctly before installing WINE. * wine-gecko -The Windows(R) operating system has for some time had a default web browser pre-installed: Internet Explorer. As a result, some applications work under the assumption that there will always be something capable of displaying web pages. In order to provide this functionality, the WINE layer includes a web browser component using the Mozilla project's Gecko engine. When WINE is first launched it will offer to download and install this, and there are reasons users might want it do so (these will be covered in a later chapter). But they can also install it prior to installing WINE, or alongside the install of WINE proper. +The Windows(R) operating system has for some time had a default web browser pre-installed: Internet Explorer. +As a result, some applications work under the assumption that there will always be something capable of displaying web pages. +In order to provide this functionality, the WINE layer includes a web browser component using the Mozilla project's Gecko engine. +When WINE is first launched it will offer to download and install this, and there are reasons users might want it do so (these will be covered in a later chapter). +But they can also install it prior to installing WINE, or alongside the install of WINE proper. Install this package with the following: @@ -187,7 +211,8 @@ Alternately, compile the port with the following: * wine-mono -This port installs the MONO framework, an open source implementation of Microsoft's .NET. Including this with the WINE installation will make it that much more likely that any applications written in .NET will install and run on the system. +This port installs the MONO framework, an open source implementation of Microsoft's .NET. +Including this with the WINE installation will make it that much more likely that any applications written in .NET will install and run on the system. To install the package: @@ -225,14 +250,18 @@ Alternately compile the WINE sub-system from source with the following: [[thirtytwo-vs-sixtyfour-bit-wine]] === Concerns of 32- Versus 64-Bit in WINE Installations -Like most software, Windows(R) applications made the upgrade from the older 32-bit architecture to 64 bits. And most recent software is written for 64-bit operating systems, although modern OSes can sometimes continue to run older 32-bit programs as well. FreeBSD is no different, having had support for 64-bit since the 5.x series. +Like most software, Windows(R) applications made the upgrade from the older 32-bit architecture to 64 bits. +And most recent software is written for 64-bit operating systems, although modern OSes can sometimes continue to run older 32-bit programs as well. +FreeBSD is no different, having had support for 64-bit since the 5.x series. -However, using old software no longer supported by default is a common use for emulators, and users commonly turn to WINE to play games and use other programs that do not run properly on modern hardware. Fortunately, FreeBSD can support all three scenarios: +However, using old software no longer supported by default is a common use for emulators, and users commonly turn to WINE to play games and use other programs that do not run properly on modern hardware. +Fortunately, FreeBSD can support all three scenarios: * On modern, 64-bit machine and want to run 64-bit Windows(R) software, simply install the ports mentioned in the above sections. The ports system will automatically install the 64-bit version. * Alternately, users might have an older 32-bit machine that they do not want to run with its original, now non-supported software. They can install the 32-bit (i386) version of FreeBSD, then install the ports in the above sections. Again, on a 32-bit machine the ports system will install the corresponding 32-bit version of WINE by default. -However, given a 64-bit version of FreeBSD and need to run *32-bit* Windows(R) applications, installing a different port is required to enable 32-bit compatibility. To install the pre-compiled package, use the following: +However, given a 64-bit version of FreeBSD and need to run *32-bit* Windows(R) applications, installing a different port is required to enable 32-bit compatibility. +To install the pre-compiled package, use the following: [source,shell] .... @@ -250,14 +279,16 @@ Or compile the port with the following: [[running-first-wine-program]] == Running a First WINE Program on FreeBSD -Now that WINE is installed, the next step is to try it out by running a simple program. An easy way to do this is to download a self-contained application, i.e., one can simply unpack and run without any complex installation process. +Now that WINE is installed, the next step is to try it out by running a simple program. +An easy way to do this is to download a self-contained application, i.e., one can simply unpack and run without any complex installation process. So-called "portable" versions of applications are good choices for this test, as are programs that run with only a single executable file. [[running-a-program-from-the-command-line]] === Running a Program from the Command Line -There are two different methods to launch a Windows program from the terminal. The first, and most straightforward is to navigate to the directory containing the program's executable ([.filename]#.EXE#) and issue the following: +There are two different methods to launch a Windows program from the terminal. +The first, and most straightforward is to navigate to the directory containing the program's executable ([.filename]#.EXE#) and issue the following: [source,shell] .... @@ -281,9 +312,11 @@ Alternately, supply the full path to the executable to use it in a script, for e [[running-a-program-from-a-gui]] === Running a Program from a GUI -After installation graphical shells should be updated with new associations for Windows executable ([.filename]#.EXE#) files. It will now be possible to browse the system using a file manager, and launch the Windows application in the same way as other files and programs (either a single- or double-click, depending on the desktop's settings). +After installation graphical shells should be updated with new associations for Windows executable ([.filename]#.EXE#) files. +It will now be possible to browse the system using a file manager, and launch the Windows application in the same way as other files and programs (either a single- or double-click, depending on the desktop's settings). -On most desktops, check to make sure this association is correct by right-clicking on the file, and looking for an entry in the context menu to open the file. One of the options (hopefully the default one) will be with the *Wine Windows Program Loader*, as shown in the below screenshot: +On most desktops, check to make sure this association is correct by right-clicking on the file, and looking for an entry in the context menu to open the file. +One of the options (hopefully the default one) will be with the *Wine Windows Program Loader*, as shown in the below screenshot: image::wine-run-np++-1.png[] @@ -294,12 +327,15 @@ In the event WINE is not the default application for [.filename]#.EXE# files aft [[configuring-wine-installation]] == Configuring WINE Installation -With an understanding of what WINE is and how it works at a high level, the next step to effectively using it on FreeBSD is becoming familiar with its configuration. The following sections will describe the key concept of the _WINE prefix_, and illustrate how it is used to control the behavior of applications run through WINE. +With an understanding of what WINE is and how it works at a high level, the next step to effectively using it on FreeBSD is becoming familiar with its configuration. +The following sections will describe the key concept of the _WINE prefix_, and illustrate how it is used to control the behavior of applications run through WINE. [[wine-prefixes]] === WINE Prefixes -A WINE _prefix_ is a directory, usually located beneath the default location of [.filename]#$HOME/.wine# though it can be located elsewhere. The prefix is a set of configurations and support files used by the wine to configure and run the Windows(R) environment a given application needs. By default, a brand new WINE installation will create the following structure when first launched by a user: +A WINE _prefix_ is a directory, usually located beneath the default location of [.filename]#$HOME/.wine# though it can be located elsewhere. +The prefix is a set of configurations and support files used by the wine to configure and run the Windows(R) environment a given application needs. +By default, a brand new WINE installation will create the following structure when first launched by a user: * [.filename]#.update-timestamp#: contains the last modified date of [.filename]#file /usr/share/wine/wine.inf#. It is used by WINE to determine if a prefix is out of date, and automatically update it if needed. * [.filename]#dosdevices/#: contains information on mappings of Windows(R) resources to resources on the host FreeBSD system. For example, after a new WINE installation, this should contain at least two entries which enable access to the FreeBSD filesystem using Windows(R)-style drive letters: @@ -315,7 +351,8 @@ A WINE _prefix_ is a directory, usually located beneath the default location of [[creating-and-using-wine-prefixes]] === Creating and Using WINE Prefixes -While WINE will create a default prefix in the user's [.filename]#$HOME/.wine/#, it is possible to set up multiple prefixes. There are a few reasons to do this: +While WINE will create a default prefix in the user's [.filename]#$HOME/.wine/#, it is possible to set up multiple prefixes. +There are a few reasons to do this: * The most common reason is to emulate different versions of Windows(R), according to the compatibility needs of the software in question. * In addition, it is common to encounter software that does not work correctly in the default environment, and requires special configuration. it is useful to isolate these in their own, custom prefixes, so the changes do not impact other applications. @@ -328,7 +365,8 @@ Creating a prefix from the terminal requires the following command: % WINEPREFIX="/home/username/.wine-new" winecfg .... -This will run the winecfg program, which can be used to configure wine prefixes (more on this in a later section). But by providing a directory path value for the `WINEPREFIX` environment variable, a new prefix is created at that location if one does not already exist. +This will run the winecfg program, which can be used to configure wine prefixes (more on this in a later section). +But by providing a directory path value for the `WINEPREFIX` environment variable, a new prefix is created at that location if one does not already exist. Supplying the same variable to the wine program will similarly cause the selected program to be run with the specified prefix: @@ -340,16 +378,21 @@ Supplying the same variable to the wine program will similarly cause the selecte [[configuring-wine-prefixes-with-winecfg]] === Configuring WINE Prefixes with winecfg -As described above WINE includes a tool called winecfg to configure prefixes from within a GUI. It contains a variety of functions, which are detailed in the sections below. When winecfg is run from within a prefix, or provided the location of a prefix within the `WINEPREFIX` variable, it enables the configuration of the selected prefix as described in the below sections. +As described above WINE includes a tool called winecfg to configure prefixes from within a GUI. +It contains a variety of functions, which are detailed in the sections below. +When winecfg is run from within a prefix, or provided the location of a prefix within the `WINEPREFIX` variable, it enables the configuration of the selected prefix as described in the below sections. -Selections made on the _Applications_ tab will affect the scope of changes made in the _Libraries_ and _Graphics_ tabs, which will be limited to the application selected. See the section on https://wiki.winehq.org/Wine_User%27s_Guide#Using_Winecfg[Using Winecfg] in the WINE Wiki for more details. +Selections made on the _Applications_ tab will affect the scope of changes made in the _Libraries_ and _Graphics_ tabs, which will be limited to the application selected. +See the section on https://wiki.winehq.org/Wine_User%27s_Guide#Using_Winecfg[Using Winecfg] in the WINE Wiki for more details. [[applications]] ==== Applications image::wine-config-1.png[] -The _Applications_ contains controls enabling the association of programs with a particular version of Windows(R). On first start-up the _Application settings_ section will contain a single entry: _Default Settings_. This corresponds to all the default configurations of the prefix, which (as the disabled _Remove application_ button implies) cannot be deleted. +The _Applications_ contains controls enabling the association of programs with a particular version of Windows(R). +On first start-up the _Application settings_ section will contain a single entry: _Default Settings_. +This corresponds to all the default configurations of the prefix, which (as the disabled _Remove application_ button implies) cannot be deleted. But additional applications can be added with the following process: @@ -357,13 +400,14 @@ But additional applications can be added with the following process: . Use the provided dialog to select the desired program's executable. . Select the version of Windows(R) to be used with the selected program. - [[libraries]] ==== Libraries image::wine-config-2.png[] -WINE provides a set of open source library files as part of its distribution that provide the same functions as their Windows(R) counterparts. However, as noted earlier in this chapter, the WINE project is always trying to keep pace with new updates to these libraries. As a result, the versions that ship with WINE may be missing functionality that the latest Windows(R) programs are expecting. +WINE provides a set of open source library files as part of its distribution that provide the same functions as their Windows(R) counterparts. +However, as noted earlier in this chapter, the WINE project is always trying to keep pace with new updates to these libraries. +As a result, the versions that ship with WINE may be missing functionality that the latest Windows(R) programs are expecting. However, winecfg makes it possible specify overrides for the built-in libraries, particularly there is a version of Windows(R) available on the same machine as the host FreeBSD installation. For each library to be overridden, do the following: @@ -405,7 +449,9 @@ This tab allows configuration of the following items: image::wine-config-5.png[] -The _Drives_ tab allows linking of directories in the host FreeBSD system to drive letters in the Windows(R) environment. The default values in this tab should look familiar, as they're displaying the contents of [.filename]#dosdevices/# in the current WINE prefix. Changes made via this dialog will reflect in [.filename]#dosdevices#, and properly-formatted links created in that directory will display in this tab. +The _Drives_ tab allows linking of directories in the host FreeBSD system to drive letters in the Windows(R) environment. +The default values in this tab should look familiar, as they're displaying the contents of [.filename]#dosdevices/# in the current WINE prefix. +Changes made via this dialog will reflect in [.filename]#dosdevices#, and properly-formatted links created in that directory will display in this tab. To create a new entry, such as for a CD-ROM (mounted at [.filename]#/mnt/cdrom#), take the following steps: @@ -414,7 +460,8 @@ To create a new entry, such as for a CD-ROM (mounted at [.filename]#/mnt/cdrom#) . Click _OK_. . Fill in the _Path_ input box by either typing the path to the resource, or click _Browse _ and use the provided dialog to select it. -By default WINE will autodetect the type of resource linked, but this can be manually overridden. See https://wiki.winehq.org/Wine_User%27s_Guide#Drive_Settings[the section in the WINE Wiki] for more detail on advanced options. +By default WINE will autodetect the type of resource linked, but this can be manually overridden. +See https://wiki.winehq.org/Wine_User%27s_Guide#Drive_Settings[the section in the WINE Wiki] for more detail on advanced options. [[audio]] ==== Audio @@ -432,17 +479,22 @@ This tab contains some configurable options for routing sound from Windows(R) pr image::wine-config-7.png[] -The final tab contains information on the WINE project, including a link to the website. It also allows entry of (entirely optional) user information, although this is not sent anywhere as it is in other operating systems. +The final tab contains information on the WINE project, including a link to the website. +It also allows entry of (entirely optional) user information, although this is not sent anywhere as it is in other operating systems. [[wine-management-guis]] == WINE Management GUIs -While the base install of WINE comes with a GUI configuration tool in winecfg, it is main purpose is just that: strictly configuring an existing WINE prefix. There are, however, more advanced applications that will assist in the initial installation of applications as well as optimizing their WINE environments. The below sections include a selection of the most popular. +While the base install of WINE comes with a GUI configuration tool in winecfg, it is main purpose is just that: strictly configuring an existing WINE prefix. +There are, however, more advanced applications that will assist in the initial installation of applications as well as optimizing their WINE environments. +The below sections include a selection of the most popular. [[winetricks]] === Winetricks -winetricks is a cross-platform, general purpose helper program for WINE. It is not developed by the WINE project proper, but rather maintained on https://github.com/Winetricks/winetricks[Github] by a group of contributors. It contains some automated "recipes" for getting common applications to work on WINE, both by optimizing the settings as well as acquiring some DLL libraries automatically. +winetricks is a cross-platform, general purpose helper program for WINE. +It is not developed by the WINE project proper, but rather maintained on https://github.com/Winetricks/winetricks[Github] by a group of contributors. +It contains some automated "recipes" for getting common applications to work on WINE, both by optimizing the settings as well as acquiring some DLL libraries automatically. [[installing-winetricks]] ==== Installing winetricks @@ -476,7 +528,8 @@ Run winetricks with the following command: % winetricks .... -Note: this should be in a 32-bit prefix to run winetricks. Launching winetricks displays a window with a number of choices, as follows: +Note: this should be in a 32-bit prefix to run winetricks. +Launching winetricks displays a window with a number of choices, as follows: image::winetricks-run-1.png[] @@ -484,7 +537,8 @@ Selecting either _Install an application_, _Install a benchmark_, or _Install a image::winetricks-run-2.png[] -Selecting one or more items and clicking _OK_ will start their installation process(es). Initially, some messages that appear to be errors may show up, but they're actually informational alerts as winetricks configures the WINE environment to get around known issues for the application: +Selecting one or more items and clicking _OK_ will start their installation process(es). +Initially, some messages that appear to be errors may show up, but they're actually informational alerts as winetricks configures the WINE environment to get around known issues for the application: image::winetricks-app-install-1.png[] @@ -500,7 +554,8 @@ In order to remove the application, run winetricks again, and select _Run an uni image::winetricks-uninstall-1.png[] -A Windows(R)-style dialog will appear with a list of installed programs and components. Select the application to be removed, then click the _Modify/Remove_ button. +A Windows(R)-style dialog will appear with a list of installed programs and components. +Select the application to be removed, then click the _Modify/Remove_ button. image::winetricks-uninstall-2.png[] @@ -511,7 +566,8 @@ image::winetricks-uninstall-3.png[] [[homura]] === Homura -Homura is an application similar to winetricks, although it was inspired by the https://lutris.net/[Lutris] gaming system for Linux. But while it is focused on games, there are also non-gaming applications available for install through Homura. +Homura is an application similar to winetricks, although it was inspired by the https://lutris.net/[Lutris] gaming system for Linux. +But while it is focused on games, there are also non-gaming applications available for install through Homura. [[installing-homura]] ==== Installing Homura @@ -523,7 +579,8 @@ To install Homura's binary package, issue the following command: # pkg install homura .... -Homura is available in the FreeBSD Ports system. However, than the _emulators_ section of Ports or binary packages, look for it in the _games_ section. +Homura is available in the FreeBSD Ports system. +However, than the _emulators_ section of Ports or binary packages, look for it in the _games_ section. [source,shell] .... @@ -534,14 +591,16 @@ Homura is available in the FreeBSD Ports system. However, than the _emulators_ s [[using-homura]] ==== Using Homura -Homura's usage is quite similar to that of winetricks. When using it for the first time, launch it from the command line (or a desktop environment runner applet) with: +Homura's usage is quite similar to that of winetricks. +When using it for the first time, launch it from the command line (or a desktop environment runner applet) with: [source,shell] .... % Homura .... -This should result in a friendly welcome message. Click _OK_ to continue. +This should result in a friendly welcome message. +Click _OK_ to continue. image::homura-launch-1.png[] @@ -553,23 +612,29 @@ Depending on the setup of the FreeBSD machine, Homura may display a message urgi image::homura-run-3.png[] -The application's window should then appear, which amounts to a "main menu" with all its options. Many of the items are the same as winetricks, although Homura offers some additional, helpful options such as opening its data folder (_Open Homura Folder_) or running a specified program (_Run a executable in prefix_). +The application's window should then appear, which amounts to a "main menu" with all its options. +Many of the items are the same as winetricks, although Homura offers some additional, helpful options such as opening its data folder (_Open Homura Folder_) or running a specified program (_Run a executable in prefix_). image::homura-install-1.png[] -To select one of Homura's supported applications to install, select _Installation_, and click _OK_. This will display a list of applications Homura can install automatically. Select one, and click _OK_ to start the process. +To select one of Homura's supported applications to install, select _Installation_, and click _OK_. +This will display a list of applications Homura can install automatically. +Select one, and click _OK_ to start the process. image::homura-install-2.png[] -As a first step Homura will download the selected program. A notification may appear in supported desktop environments. +As a first step Homura will download the selected program. +A notification may appear in supported desktop environments. image::homura-install-3.png[] -The program will also create a new prefix for the application. A standard WINE dialog with this message will display. +The program will also create a new prefix for the application. +A standard WINE dialog with this message will display. image::homura-install-4.png[] -Next, Homura will install any prerequisites for the selected program. This may involve downloading and extracting a fair number of files, the details of which will show in dialogs. +Next, Homura will install any prerequisites for the selected program. +This may involve downloading and extracting a fair number of files, the details of which will show in dialogs. image::homura-install-5.png[] @@ -577,7 +642,9 @@ Downloaded packages are automatically opened and run as required. image::homura-install-6.png[] -The installation may end with a simple desktop notification or message in the terminal, depending on how Homura was launched. But in either case Homura should return to the main screen. To confirm the installation was successful, select _Launcher_, and click _OK_. +The installation may end with a simple desktop notification or message in the terminal, depending on how Homura was launched. +But in either case Homura should return to the main screen. +To confirm the installation was successful, select _Launcher_, and click _OK_. image::homura-install-7.png[] @@ -585,16 +652,21 @@ This will display a list of installed applications. image::homura-install-8.png[] -To run the new program, select it from the list, and click _OK_. To uninstall the application, select _Uninstallation_ from the main screen, which will display a similar list. Select the program to be removed, and click _OK_. +To run the new program, select it from the list, and click _OK_. +To uninstall the application, select _Uninstallation_ from the main screen, which will display a similar list. +Select the program to be removed, and click _OK_. image::homura-uninstall-1.png[] [[running-multiple-management-guis]] === Running Multiple Management GUIs -it is worth noting that the above solutions are not mutually exclusive. it is perfectly acceptable, even advantageous, to have both installed at the same time, as they support a different set of programs. +it is worth noting that the above solutions are not mutually exclusive. +it is perfectly acceptable, even advantageous, to have both installed at the same time, as they support a different set of programs. -However, it is wise to ensure that they do not access any of the same WINE prefixes. Each of these solutions applies workarounds and makes changes to the registries based on known workarounds to existing WINE issues in order to make a given application run smoothly. Allowing both winetricks and Homura to access the same prefix could lead to some of these being overwritten, with the result being some or all applications do not work as expected. +However, it is wise to ensure that they do not access any of the same WINE prefixes. +Each of these solutions applies workarounds and makes changes to the registries based on known workarounds to existing WINE issues in order to make a given application run smoothly. +Allowing both winetricks and Homura to access the same prefix could lead to some of these being overwritten, with the result being some or all applications do not work as expected. [[wine-in-multi-user-os-installations]] == WINE in Multi-User FreeBSD Installations @@ -602,18 +674,26 @@ However, it is wise to ensure that they do not access any of the same WINE prefi [[issues-with-using-a-common-wine-prefix]] === Issues with Using a Common WINE Prefix -Like most UNIX(R)-like operating systems, FreeBSD is designed for multiple users to be logged in and working at the same time. On the other hand, Windows(R) is multi-user in the sense that there can be multiple user accounts set up on one system. But the expectation is that only one will be using the physical machine (a desktop or laptop PC) at any given moment. +Like most UNIX(R)-like operating systems, FreeBSD is designed for multiple users to be logged in and working at the same time. +On the other hand, Windows(R) is multi-user in the sense that there can be multiple user accounts set up on one system. +But the expectation is that only one will be using the physical machine (a desktop or laptop PC) at any given moment. -More recent consumer versions of Windows(R) have taken some steps to improve the OS in multi-user scenarios. But it is still largely structured around a single-user experience. Furthermore, the measures the WINE project has taken to create acompatible environment means, unlike FreeBSD applications (including WINE itself), it will resemble this single-user environment. +More recent consumer versions of Windows(R) have taken some steps to improve the OS in multi-user scenarios. +But it is still largely structured around a single-user experience. +Furthermore, the measures the WINE project has taken to create acompatible environment means, unlike FreeBSD applications (including WINE itself), it will resemble this single-user environment. -So it follows that each user will have to maintain their own set of configurations, which is potentially good. Yet it is advantageous to install applications, particularly large ones like office suites or games, only once. Two examples of reasons to do this are maintenance (software updates need only be applied once) and efficiency in storage (no duplicated files). +So it follows that each user will have to maintain their own set of configurations, which is potentially good. +Yet it is advantageous to install applications, particularly large ones like office suites or games, only once. +Two examples of reasons to do this are maintenance (software updates need only be applied once) and efficiency in storage (no duplicated files). There are two strategies to minimze the impact of multiple WINE users in the system. [[installing-applications-to-a-common-drivesettings]] === Installing Applications to a Common Drive -As shown in the section on WINE Configuration, WINE provides the ability to attach additional drives to a given prefix. In this way, applications can be installed to a common location, while each user will still have an prefix where individual settings may be kept (depending on the program). This is a good setup if there are relatively few applications to be shared between users, and they are programs that require few custom tweaks changes to the prefix in order to function. +As shown in the section on WINE Configuration, WINE provides the ability to attach additional drives to a given prefix. +In this way, applications can be installed to a common location, while each user will still have an prefix where individual settings may be kept (depending on the program). +This is a good setup if there are relatively few applications to be shared between users, and they are programs that require few custom tweaks changes to the prefix in order to function. The steps to make install applications in this way are as follows: @@ -621,12 +701,18 @@ The steps to make install applications in this way are as follows: . Next, set permissions for this new directory to allow only desired users to access it. One approach to this is to create a new group such as "windows," add the desired users to that group (see the sub-section on groups in the Handbook's Users and Basic Account Management section), and set to the permissions on the directory to `770` (the section on Permissions in the FreeBSD Basics chapter of the Handbook illustrates this process). . Finally, add the location as a drive to the user's prefix using the winecfg as described in the above section on WINE Configuration in this chapter. -Once complete, applications can be installed to this location, and subsequently run using the assigned drive letter (or the standard UNIX(R)-style directory path). However, as noted above, only one user should be running these applications (which may be accessing files within their installation directory) at the same time. Some applications may also exhibit unexpected behavior when run by a user who is not the owner, despite being a member of the group that should have full "read/write/execute" permissions for the entire directory. +Once complete, applications can be installed to this location, and subsequently run using the assigned drive letter (or the standard UNIX(R)-style directory path). +However, as noted above, only one user should be running these applications (which may be accessing files within their installation directory) at the same time. +Some applications may also exhibit unexpected behavior when run by a user who is not the owner, despite being a member of the group that should have full "read/write/execute" permissions for the entire directory. [[using-a-common-installation-of-wine]] === Using a Common Installation of WINE -If, on the other hand, there are many applications to be shared, or they require specific tuning in order to work correctly, a different approach may be required. In this method, a completely separate user is created specifically for the purposes of storing the WINE prefix and all its installed applications. Individual users are then granted permission to run programs as this user using the su command. The result is that these users can launch a WINE application as they normally would, only it will act as though launched by the newly-created user, and therefore use the centrally-maintained prefix containing both settings and programs. To accomplish this, take the following steps. +If, on the other hand, there are many applications to be shared, or they require specific tuning in order to work correctly, a different approach may be required. +In this method, a completely separate user is created specifically for the purposes of storing the WINE prefix and all its installed applications. +Individual users are then granted permission to run programs as this user using the su command. +The result is that these users can launch a WINE application as they normally would, only it will act as though launched by the newly-created user, and therefore use the centrally-maintained prefix containing both settings and programs. +To accomplish this, take the following steps. Create a new user with the following command (as root), which will step through the required details: @@ -635,7 +721,8 @@ Create a new user with the following command (as root), which will step through # adduser .... -Enter the username (e.g., _windows_) and Full name ("Microsoft Windows"). Then accept the defaults for the remainder of the questions. Next, install the sudo utlity using binary packages with the following: +Enter the username (e.g., _windows_) and Full name ("Microsoft Windows"). +Then accept the defaults for the remainder of the questions. Next, install the sudo utlity using binary packages with the following: [source,shell] .... @@ -675,7 +762,9 @@ ADMIN ALL=(ALL) ALL WINDOWS_USERS ALL = (windows) NOPASSWD: WINDOWS .... -The result of these changes is the users named in the _User_Alias_ section are permitted to run the programs listed in the _Cmnd Alias_ section using the resources listed in the _Defaults_ section (the current display) as if they were the user listed in the final line of the file. In other words, users designates as _WINDOWS_USERS_ can run the wine and winecfg applications as user _windows_. As a bonus, the configuration here means they will not be required to enter the password for the _windows_ user. +The result of these changes is the users named in the _User_Alias_ section are permitted to run the programs listed in the _Cmnd Alias_ section using the resources listed in the _Defaults_ section (the current display) as if they were the user listed in the final line of the file. +In other words, users designates as _WINDOWS_USERS_ can run the wine and winecfg applications as user _windows_. +As a bonus, the configuration here means they will not be required to enter the password for the _windows_ user. Next provide access to the display back to the _windows_ user, as whom the WINE programs will be running: @@ -684,9 +773,13 @@ Next provide access to the display back to the _windows_ user, as whom the WINE % xhost +local:windows .... -This should be added to the list of commands run either at login or when the default graphical environment starts. Once all the above are complete, a user configured as one of the `WINDOW_USERS` in [.filename]#sudoers# can run programs using the shared prefix with the following command: +This should be added to the list of commands run either at login or when the default graphical environment starts. +Once all the above are complete, a user configured as one of the `WINDOW_USERS` in [.filename]#sudoers# can run programs using the shared prefix with the following command: -it is worth noting that multiple users accessing this shared environment at the same time is still risky. However, consider also that the shared environment can itself contain multiple prefixes. In this way an administrator can create a tested and verified set of programs, each with its own prefix. At the same time, one user can play a game while another works with office programs without the need for redundant software installations. +it is worth noting that multiple users accessing this shared environment at the same time is still risky. +However, consider also that the shared environment can itself contain multiple prefixes. +In this way an administrator can create a tested and verified set of programs, each with its own prefix. +At the same time, one user can play a game while another works with office programs without the need for redundant software installations. [[wine-on-os-faq]] == WINE on FreeBSD FAQ @@ -699,19 +792,26 @@ The following section describes some frequently asked questions, tips/tricks, or [[how-to-install-32-bit-and-64-bit-wine-on-the-same-system]] ==== How to Install 32-bit and 64-bit WINE on the Same System? -As described earlier in this section, the wine and i386-wine packages conflict with one another, and therefore cannot be installed on the same system in the normal way. However, multiple installs can be achieved using mechanisms like chroots/jails, or by building WINE from source (note this does _not_ mean building the port). +As described earlier in this section, the wine and i386-wine packages conflict with one another, and therefore cannot be installed on the same system in the normal way. +However, multiple installs can be achieved using mechanisms like chroots/jails, or by building WINE from source (note this does _not_ mean building the port). [[can-dos-programs-be-run-on-wine]] ==== Can DOS Programs Be Run on WINE? -They can, as "Console User Interface" applications as mentioned eariler in this section. However, there is an arguably better method for running DOS software: DOSBox. On the other hand, there's little reason not to at least try it. Simply create a new prefix, install the software, and if it does not work delete the prefix. +They can, as "Console User Interface" applications as mentioned eariler in this section. +However, there is an arguably better method for running DOS software: DOSBox. +On the other hand, there's little reason not to at least try it. +Simply create a new prefix, install the software, and if it does not work delete the prefix. [[should-the-wine-devel-packageport-be-installed-to-use-the-development-version-of-wine-instead-of-stable]] ==== Should the "wine-devel" Package/Port be Installed to Use the Development Version of WINE Instead of Stable? -Yes, installing this version will install the "development" version of WINE. As with the 32- and 64-bit versions, they cannot be installed together with the stable versions unless additional measures are taken. +Yes, installing this version will install the "development" version of WINE. +As with the 32- and 64-bit versions, they cannot be installed together with the stable versions unless additional measures are taken. -Note that WINE also has a "Staging" version, which contains the most recent updates. This was at one time available as a FreeBSD port; however, it has since been removed. It can be compiled directly from source however. +Note that WINE also has a "Staging" version, which contains the most recent updates. +This was at one time available as a FreeBSD port; however, it has since been removed. +It can be compiled directly from source however. [[install-optimization]] === Install Optimization @@ -719,7 +819,10 @@ Note that WINE also has a "Staging" version, which contains the most recent upda [[how-should-windows-hardware-graphics-drivers-be-handled]] ==== How Should Windows(R) Hardware (e.g., Graphics) Drivers be Handled? -Operating system drivers transfer commands between applications and hardware. WINE emulates a Windows(R) environment, including the drivers, which in turn use FreeBSD's native drivers for this transfer. it is not advisable to install Windows(R) drivers, as the WINE system is designed to use the host systems drivers. If, for example, a graphics card that benefits from dedicated drivers, install them using the standard FreeBSD methods, not Windows(R) installers. +Operating system drivers transfer commands between applications and hardware. +WINE emulates a Windows(R) environment, including the drivers, which in turn use FreeBSD's native drivers for this transfer. +it is not advisable to install Windows(R) drivers, as the WINE system is designed to use the host systems drivers. +If, for example, a graphics card that benefits from dedicated drivers, install them using the standard FreeBSD methods, not Windows(R) installers. [[is-there-a-way-to-make-windows-fonts-look-better]] ==== Is There a way to Make Windows(R) Fonts Look Better? @@ -749,7 +852,9 @@ According to https://forums.freebsd.org/threads/make-wine-ui-fonts-look-good.682 [[does-having-windows-installed-elsewhere-on-a-system-help-wine-operate]] ==== Does Having Windows(R) Installed Elsewhere on a System Help WINE Operate? -It may, depending on the application being run. As mentioned in the section describing winecfg, some built-in WINE DLLs and other libraries can be overridden by providing a path to an alternate version. Provided the Windows(R) partition or drive is mounted to the FreeBSD system and accessible to the user, configuring some of these overrides will use native Windows(R) libraries and may decrease the chance of unexpected behavior. +It may, depending on the application being run. +As mentioned in the section describing winecfg, some built-in WINE DLLs and other libraries can be overridden by providing a path to an alternate version. +Provided the Windows(R) partition or drive is mounted to the FreeBSD system and accessible to the user, configuring some of these overrides will use native Windows(R) libraries and may decrease the chance of unexpected behavior. [[application-specific]] === Application-Specific @@ -757,16 +862,22 @@ It may, depending on the application being run. As mentioned in the section desc [[where-is-the-best-place-to-see-if-application-x-works-on-wine]] ==== Where is the Best Place to see if Application X Works on WINE? -The first stop in determining compatibiliy should be the https://appdb.winehq.org/[WINE AppDB]. This is a compilation of reports of programs working (or not) on all supported platforms, although (as previously mentioned), solutions for one platform are often applicable to others. +The first stop in determining compatibiliy should be the https://appdb.winehq.org/[WINE AppDB]. +This is a compilation of reports of programs working (or not) on all supported platforms, although (as previously mentioned), solutions for one platform are often applicable to others. [[is-there-anything-that-will-help-games-run-better]] ==== Is There Anything That Will Help Games Run Better? -Perhaps. Many Windows(R) games rely on DirectX, a proprietary Microsoft graphics layer. However there are projects in the open source community attempting to implement support for this technology. +Perhaps. +Many Windows(R) games rely on DirectX, a proprietary Microsoft graphics layer. +However there are projects in the open source community attempting to implement support for this technology. -The _dxvk_ project, which is an attempt to implement DirectX using the FreeBSD-compatible Vulkan graphics sub-system, is one such. Although its primary target is WINE on Linux, https://forums.freebsd.org/threads/what-about-gaming-on-freebsd.723/page-9[some FreeBSD users report] compiling and using dxvk. +The _dxvk_ project, which is an attempt to implement DirectX using the FreeBSD-compatible Vulkan graphics sub-system, is one such. +Although its primary target is WINE on Linux, https://forums.freebsd.org/threads/what-about-gaming-on-freebsd.723/page-9[some FreeBSD users report] compiling and using dxvk. -In addition, work is under way on a https://www.freshports.org/emulators/wine-proton/[wine-proton port]. This will bring the work of Valve, developer of the Steam gaming platform, to FreeBSD. Proton is a distribution of WINE designed to allow many Windows(R) games to run on other operating systems with minimal setup. +In addition, work is under way on a https://www.freshports.org/emulators/wine-proton/[wine-proton port]. +This will bring the work of Valve, developer of the Steam gaming platform, to FreeBSD. +Proton is a distribution of WINE designed to allow many Windows(R) games to run on other operating systems with minimal setup. [[is-there-anywhere-freebsd-wine-users-gather-to-exchange-tips-and-tricks]] ==== Is There Anywhere FreeBSD WINE Users Gather to Exchange Tips and Tricks? diff --git a/documentation/content/en/books/handbook/x11/_index.adoc b/documentation/content/en/books/handbook/x11/_index.adoc index 5ffede7d23..da621299d7 100644 --- a/documentation/content/en/books/handbook/x11/_index.adoc +++ b/documentation/content/en/books/handbook/x11/_index.adoc @@ -46,7 +46,9 @@ toc::[] [[x11-synopsis]] == Synopsis -An installation of FreeBSD using bsdinstall does not automatically install a graphical user interface. This chapter describes how to install and configure Xorg, which provides the open source X Window System used to provide a graphical environment. It then describes how to find and install a desktop environment or window manager. +An installation of FreeBSD using bsdinstall does not automatically install a graphical user interface. +This chapter describes how to install and configure Xorg, which provides the open source X Window System used to provide a graphical environment. +It then describes how to find and install a desktop environment or window manager. [NOTE] ==== @@ -73,30 +75,58 @@ Before reading this chapter, you should: While it is not necessary to understand all of the details of the various components in the X Window System and how they interact, some basic knowledge of these components can be useful. X server:: -X was designed from the beginning to be network-centric, and adopts a "client-server" model. In this model, the "X server" runs on the computer that has the keyboard, monitor, and mouse attached. The server's responsibility includes tasks such as managing the display, handling input from the keyboard and mouse, and handling input or output from other devices such as a tablet or a video projector. This confuses some people, because the X terminology is exactly backward to what they expect. They expect the "X server" to be the big powerful machine down the hall, and the "X client" to be the machine on their desk. +X was designed from the beginning to be network-centric, and adopts a "client-server" model. +In this model, the "X server" runs on the computer that has the keyboard, monitor, and mouse attached. +The server's responsibility includes tasks such as managing the display, handling input from the keyboard and mouse, and handling input or output from other devices such as a tablet or a video projector. +This confuses some people, because the X terminology is exactly backward to what they expect. +They expect the "X server" to be the big powerful machine down the hall, and the "X client" to be the machine on their desk. X client:: -Each X application, such as XTerm or Firefox, is a "client". A client sends messages to the server such as "Please draw a window at these coordinates", and the server sends back messages such as "The user just clicked on the OK button". +Each X application, such as XTerm or Firefox, is a "client". +A client sends messages to the server such as "Please draw a window at these coordinates", and the server sends back messages such as "The user just clicked on the OK button". + -In a home or small office environment, the X server and the X clients commonly run on the same computer. It is also possible to run the X server on a less powerful computer and to run the X applications on a more powerful system. In this scenario, the communication between the X client and server takes place over the network. +In a home or small office environment, the X server and the X clients commonly run on the same computer. +It is also possible to run the X server on a less powerful computer and to run the X applications on a more powerful system. +In this scenario, the communication between the X client and server takes place over the network. window manager:: -X does not dictate what windows should look like on-screen, how to move them around with the mouse, which keystrokes should be used to move between windows, what the title bars on each window should look like, whether or not they have close buttons on them, and so on. Instead, X delegates this responsibility to a separate window manager application. There are http://www.xwinman.org/[dozens of window managers] available. Each window manager provides a different look and feel: some support virtual desktops, some allow customized keystrokes to manage the desktop, some have a "Start" button, and some are themeable, allowing a complete change of the desktop's look-and-feel. Window managers are available in the [.filename]#x11-wm# category of the Ports Collection. +X does not dictate what windows should look like on-screen, how to move them around with the mouse, which keystrokes should be used to move between windows, what the title bars on each window should look like, whether or not they have close buttons on them, and so on. +Instead, X delegates this responsibility to a separate window manager application. +There are http://www.xwinman.org/[dozens of window managers] available. +Each window manager provides a different look and feel: some support virtual desktops, some allow customized keystrokes to manage the desktop, some have a "Start" button, and some are themeable, allowing a complete change of the desktop's look-and-feel. +Window managers are available in the [.filename]#x11-wm# category of the Ports Collection. + -Each window manager uses a different configuration mechanism. Some expect configuration file written by hand while others provide graphical tools for most configuration tasks. +Each window manager uses a different configuration mechanism. +Some expect configuration file written by hand while others provide graphical tools for most configuration tasks. desktop environment:: -KDE and GNOME are considered to be desktop environments as they include an entire suite of applications for performing common desktop tasks. These may include office suites, web browsers, and games. +KDE and GNOME are considered to be desktop environments as they include an entire suite of applications for performing common desktop tasks. +These may include office suites, web browsers, and games. focus policy:: -The window manager is responsible for the mouse focus policy. This policy provides some means for choosing which window is actively receiving keystrokes and it should also visibly indicate which window is currently active. +The window manager is responsible for the mouse focus policy. +This policy provides some means for choosing which window is actively receiving keystrokes and it should also visibly indicate which window is currently active. + -One focus policy is called "click-to-focus". In this model, a window becomes active upon receiving a mouse click. In the "focus-follows-mouse" policy, the window that is under the mouse pointer has focus and the focus is changed by pointing at another window. If the mouse is over the root window, then this window is focused. In the "sloppy-focus" model, if the mouse is moved over the root window, the most recently used window still has the focus. With sloppy-focus, focus is only changed when the cursor enters a new window, and not when exiting the current window. In the "click-to-focus" policy, the active window is selected by mouse click. The window may then be raised and appear in front of all other windows. All keystrokes will now be directed to this window, even if the cursor is moved to another window. +One focus policy is called "click-to-focus". +In this model, a window becomes active upon receiving a mouse click. +In the "focus-follows-mouse" policy, the window that is under the mouse pointer has focus and the focus is changed by pointing at another window. +If the mouse is over the root window, then this window is focused. +In the "sloppy-focus" model, if the mouse is moved over the root window, the most recently used window still has the focus. +With sloppy-focus, focus is only changed when the cursor enters a new window, and not when exiting the current window. +In the "click-to-focus" policy, the active window is selected by mouse click. +The window may then be raised and appear in front of all other windows. +All keystrokes will now be directed to this window, even if the cursor is moved to another window. + -Different window managers support different focus models. All of them support click-to-focus, and the majority of them also support other policies. Consult the documentation for the window manager to determine which focus models are available. +Different window managers support different focus models. +All of them support click-to-focus, and the majority of them also support other policies. +Consult the documentation for the window manager to determine which focus models are available. widgets:: -Widget is a term for all of the items in the user interface that can be clicked or manipulated in some way. This includes buttons, check boxes, radio buttons, icons, and lists. A widget toolkit is a set of widgets used to create graphical applications. There are several popular widget toolkits, including Qt, used by KDE, and GTK+, used by GNOME. As a result, applications will have a different look and feel, depending upon which widget toolkit was used to create the application. +Widget is a term for all of the items in the user interface that can be clicked or manipulated in some way. +This includes buttons, check boxes, radio buttons, icons, and lists. +A widget toolkit is a set of widgets used to create graphical applications. +There are several popular widget toolkits, including Qt, used by KDE, and GTK+, used by GNOME. +As a result, applications will have a different look and feel, depending upon which widget toolkit was used to create the application. [[x-install]] == Installing Xorg @@ -118,9 +148,12 @@ To build and install from the Ports Collection: # make install clean .... -Either of these installations results in the complete Xorg system being installed. Binary packages are the best option for most users. +Either of these installations results in the complete Xorg system being installed. +Binary packages are the best option for most users. -A smaller version of the X system suitable for experienced users is available in package:x11/xorg-minimal[]. Most of the documents, libraries, and applications will not be installed. Some applications require these additional components to function. +A smaller version of the X system suitable for experienced users is available in package:x11/xorg-minimal[]. +Most of the documents, libraries, and applications will not be installed. +Some applications require these additional components to function. [[x-config]] == Xorg Configuration @@ -132,8 +165,8 @@ Xorg supports most common video cards, keyboards, and pointing devices. [TIP] ==== - -Video cards, monitors, and input devices are automatically detected and do not require any manual configuration. Do not create [.filename]#xorg.conf# or run a `-configure` step unless automatic configuration fails. +Video cards, monitors, and input devices are automatically detected and do not require any manual configuration. +Do not create [.filename]#xorg.conf# or run a `-configure` step unless automatic configuration fails. ==== [.procedure] @@ -164,7 +197,9 @@ Video cards, monitors, and input devices are automatically detected and do not r [[x-config-user-group]] === User Group for Accelerated Video -Access to [.filename]#/dev/dri# is needed to allow 3D acceleration on video cards. It is usually simplest to add the user who will be running X to either the `video` or `wheel` group. Here, man:pw[8] is used to add user _slurms_ to the `video` group, or to the `wheel` group if there is no `video` group: +Access to [.filename]#/dev/dri# is needed to allow 3D acceleration on video cards. +It is usually simplest to add the user who will be running X to either the `video` or `wheel` group. +Here, man:pw[8] is used to add user _slurms_ to the `video` group, or to the `wheel` group if there is no `video` group: [source,shell] .... @@ -174,7 +209,11 @@ Access to [.filename]#/dev/dri# is needed to allow 3D acceleration on video card [[x-config-kms]] === Kernel Mode Setting (`KMS`) -When the computer switches from displaying the console to a higher screen resolution for X, it must set the video output _mode_. Recent versions of `Xorg` use a system inside the kernel to do these mode changes more efficiently. Older versions of FreeBSD use man:sc[4], which is not aware of the `KMS` system. The end result is that after closing X, the system console is blank, even though it is still working. The newer man:vt[4] console avoids this problem. +When the computer switches from displaying the console to a higher screen resolution for X, it must set the video output _mode_. +Recent versions of `Xorg` use a system inside the kernel to do these mode changes more efficiently. +Older versions of FreeBSD use man:sc[4], which is not aware of the `KMS` system. +The end result is that after closing X, the system console is blank, even though it is still working. +The newer man:vt[4] console avoids this problem. Add this line to [.filename]#/boot/loader.conf# to enable man:vt[4]: @@ -186,19 +225,25 @@ kern.vty=vt [[x-config-files]] === Configuration Files -Manual configuration is usually not necessary. Please do not manually create configuration files unless autoconfiguration does not work. +Manual configuration is usually not necessary. +Please do not manually create configuration files unless autoconfiguration does not work. [[x-config-files-directory]] ==== Directory -Xorg looks in several directories for configuration files. [.filename]#/usr/local/etc/X11/# is the recommended directory for these files on FreeBSD. Using this directory helps keep application files separate from operating system files. +Xorg looks in several directories for configuration files. +[.filename]#/usr/local/etc/X11/# is the recommended directory for these files on FreeBSD. +Using this directory helps keep application files separate from operating system files. -Storing configuration files in the legacy [.filename]#/etc/X11/# still works. However, this mixes application files with the base FreeBSD files and is not recommended. +Storing configuration files in the legacy [.filename]#/etc/X11/# still works. +However, this mixes application files with the base FreeBSD files and is not recommended. [[x-config-files-single-or-multi]] ==== Single or Multiple Files -It is easier to use multiple files that each configure a specific setting than the traditional single [.filename]#xorg.conf#. These files are stored in the [.filename]#xorg.conf.d/# subdirectory of the main configuration file directory. The full path is typically [.filename]#/usr/local/etc/X11/xorg.conf.d/#. +It is easier to use multiple files that each configure a specific setting than the traditional single [.filename]#xorg.conf#. +These files are stored in the [.filename]#xorg.conf.d/# subdirectory of the main configuration file directory. +The full path is typically [.filename]#/usr/local/etc/X11/xorg.conf.d/#. Examples of these files are shown later in this section. @@ -264,7 +309,8 @@ For reference, see https://en.wikipedia.org/wiki/List_of_AMD_graphics_processing [[x-config-video-cards-nvidia]] NVIDIA:: -Several NVIDIA drivers are available in the [.filename]#x11# category of the Ports Collection. Install the driver that matches the video card. +Several NVIDIA drivers are available in the [.filename]#x11# category of the Ports Collection. +Install the driver that matches the video card. + For reference, see https://en.wikipedia.org/wiki/List_of_Nvidia_graphics_processing_units[]. + @@ -280,18 +326,27 @@ While we recommend this driver be rebuilt with each kernel rebuild for maximum s [[x-config-video-cards-hybrid]] Hybrid Combination Graphics:: -Some notebook computers add additional graphics processing units to those built into the chipset or processor. _Optimus_ combines Intel(R) and NVIDIA hardware. _Switchable Graphics_ or _Hybrid Graphics_ are a combination of an Intel(R) or AMD(R) processor and an AMD(R) Radeon `GPU`. +Some notebook computers add additional graphics processing units to those built into the chipset or processor. +_Optimus_ combines Intel(R) and NVIDIA hardware. +_Switchable Graphics_ or _Hybrid Graphics_ are a combination of an Intel(R) or AMD(R) processor and an AMD(R) Radeon `GPU`. + Implementations of these hybrid graphics systems vary, and Xorg on FreeBSD is not able to drive all versions of them. + -Some computers provide a `BIOS` option to disable one of the graphics adapters or select a _discrete_ mode which can be used with one of the standard video card drivers. For example, it is sometimes possible to disable the NVIDIA `GPU` in an Optimus system. The Intel(R) video can then be used with an Intel(R) driver. +Some computers provide a `BIOS` option to disable one of the graphics adapters or select a _discrete_ mode which can be used with one of the standard video card drivers. +For example, it is sometimes possible to disable the NVIDIA `GPU` in an Optimus system. +The Intel(R) video can then be used with an Intel(R) driver. + -`BIOS` settings depend on the model of computer. In some situations, both ``GPU``s can be left enabled, but creating a configuration file that only uses the main `GPU` in the `Device` section is enough to make such a system functional. +`BIOS` settings depend on the model of computer. +In some situations, both ``GPU``s can be left enabled, but creating a configuration file that only uses the main `GPU` in the `Device` section is enough to make such a system functional. + [[x-config-video-cards-other]] Other Video Cards:: Drivers for some less-common video cards can be found in the [.filename]#x11-drivers# directory of the Ports Collection. + -Cards that are not supported by a specific driver might still be usable with the package:x11-drivers/xf86-video-vesa[] driver. This driver is installed by package:x11/xorg[]. It can also be installed manually as package:x11-drivers/xf86-video-vesa[]. Xorg attempts to use this driver when a specific driver is not found for the video card. +Cards that are not supported by a specific driver might still be usable with the package:x11-drivers/xf86-video-vesa[] driver. +This driver is installed by package:x11/xorg[]. +It can also be installed manually as package:x11-drivers/xf86-video-vesa[]. +Xorg attempts to use this driver when a specific driver is not found for the video card. + package:x11-drivers/xf86-video-scfb[] is a similar nonspecialized video driver that works on many `UEFI` and ARM(R) computers. @@ -314,7 +369,8 @@ Section "Device" EndSection .... -If more than one video card is present, the `BusID` identifier can be uncommented and set to select the desired card. A list of video card bus ``ID``s can be displayed with `pciconf -lv | grep -B3 display`. +If more than one video card is present, the `BusID` identifier can be uncommented and set to select the desired card. +A list of video card bus ``ID``s can be displayed with `pciconf -lv | grep -B3 display`. ==== + To set the Radeon driver in a configuration file: @@ -373,7 +429,9 @@ EndSection [[x-config-monitors]] === Monitors -Almost all monitors support the Extended Display Identification Data standard (`EDID`). Xorg uses `EDID` to communicate with the monitor and detect the supported resolutions and refresh rates. Then it selects the most appropriate combination of settings to use with that monitor. +Almost all monitors support the Extended Display Identification Data standard (`EDID`). +Xorg uses `EDID` to communicate with the monitor and detect the supported resolutions and refresh rates. +Then it selects the most appropriate combination of settings to use with that monitor. Other resolutions supported by the monitor can be chosen by setting the desired resolution in configuration files, or after the X server has been started with man:xrandr[1]. @@ -400,9 +458,11 @@ DisplayPort-0 disconnected (normal left inverted right x axis y axis) HDMI-0 disconnected (normal left inverted right x axis y axis) .... + -This shows that the `DVI-0` output is being used to display a screen resolution of 1920x1200 pixels at a refresh rate of about 60 Hz. Monitors are not attached to the `DisplayPort-0` and `HDMI-0` connectors. +This shows that the `DVI-0` output is being used to display a screen resolution of 1920x1200 pixels at a refresh rate of about 60 Hz. +Monitors are not attached to the `DisplayPort-0` and `HDMI-0` connectors. + -Any of the other display modes can be selected with man:xrandr[1]. For example, to switch to 1280x1024 at 60 Hz: +Any of the other display modes can be selected with man:xrandr[1]. +For example, to switch to 1280x1024 at 60 Hz: + [source,shell] .... @@ -411,7 +471,9 @@ Any of the other display modes can be selected with man:xrandr[1]. For example, + A common task is using the external video output on a notebook computer for a video projector. + -The type and quantity of output connectors varies between devices, and the name given to each output varies from driver to driver. What one driver calls `HDMI-1`, another might call `HDMI1`. So the first step is to run man:xrandr[1] to list all the available outputs: +The type and quantity of output connectors varies between devices, and the name given to each output varies from driver to driver. +What one driver calls `HDMI-1`, another might call `HDMI1`. +So the first step is to run man:xrandr[1] to list all the available outputs: + [source,shell] .... @@ -437,14 +499,17 @@ DP1 disconnected (normal left inverted right x axis y axis) + Four outputs were found: the built-in panel `LVDS1`, and external `VGA1`, `HDMI1`, and `DP1` connectors. + -The projector has been connected to the `VGA1` output. man:xrandr[1] is now used to set that output to the native resolution of the projector and add the additional space to the right side of the desktop: +The projector has been connected to the `VGA1` output. +man:xrandr[1] is now used to set that output to the native resolution of the projector and add the additional space to the right side of the desktop: + [source,shell] .... % xrandr --output VGA1 --auto --right-of LVDS1 .... + -`--auto` chooses the resolution and refresh rate detected by `EDID`. If the resolution is not correctly detected, a fixed value can be given with `--mode` instead of the `--auto` statement. For example, most projectors can be used with a 1024x768 resolution, which is set with `--mode 1024x768`. +`--auto` chooses the resolution and refresh rate detected by `EDID`. +If the resolution is not correctly detected, a fixed value can be given with `--mode` instead of the `--auto` statement. +For example, most projectors can be used with a 1024x768 resolution, which is set with `--mode 1024x768`. + man:xrandr[1] is often run from [.filename]#.xinitrc# to set the appropriate mode when X starts. @@ -496,9 +561,12 @@ EndSection [[x-config-input-keyboard-layout]] Keyboard Layout:: -The standardized location of keys on a keyboard is called a _layout_. Layouts and other adjustable parameters are listed in man:xkeyboard-config[7]. +The standardized location of keys on a keyboard is called a _layout_. +Layouts and other adjustable parameters are listed in man:xkeyboard-config[7]. + -A United States layout is the default. To select an alternate layout, set the `XkbLayout` and `XkbVariant` options in an `InputClass`. This will be applied to all input devices that match the class. +A United States layout is the default. +To select an alternate layout, set the `XkbLayout` and `XkbVariant` options in an `InputClass`. +This will be applied to all input devices that match the class. + This example selects a French keyboard layout. + @@ -521,7 +589,9 @@ EndSection .Setting Multiple Keyboard Layouts [example] ==== -Set United States, Spanish, and Ukrainian keyboard layouts. Cycle through these layouts by pressing kbd:[Alt+Shift]. package:x11/xxkb[] or package:x11/sbxkb[] can be used for improved layout switching control and current layout indicators. +Set United States, Spanish, and Ukrainian keyboard layouts. +Cycle through these layouts by pressing kbd:[Alt+Shift]. +package:x11/xxkb[] or package:x11/sbxkb[] can be used for improved layout switching control and current layout indicators. [.filename]#/usr/local/etc/X11/xorg.conf.d/kbd-layout-multi.conf# @@ -538,7 +608,9 @@ EndSection [[x-config-input-keyboard-zap]] Closing Xorg From the Keyboard:: -X can be closed with a combination of keys. By default, that key combination is not set because it conflicts with keyboard commands for some applications. Enabling this option requires changes to the keyboard `InputDevice` section: +X can be closed with a combination of keys. +By default, that key combination is not set because it conflicts with keyboard commands for some applications. +Enabling this option requires changes to the keyboard `InputDevice` section: + .Enabling Keyboard Exit from X [example] @@ -564,10 +636,12 @@ EndSection If using package:xorg-server[] 1.20.8 or later under FreeBSD {rel121-current} and not using man:moused[8], add `kern.evdev.rcpt_mask=12` to [.filename]#/etc/sysctl.conf#. ==== -Many mouse parameters can be adjusted with configuration options. See man:mousedrv[4] for a full list. +Many mouse parameters can be adjusted with configuration options. +See man:mousedrv[4] for a full list. [[x11-input-mice-buttons]] Mouse Buttons:: -The number of buttons on a mouse can be set in the mouse `InputDevice` section of [.filename]#xorg.conf#. To set the number of buttons to 7: +The number of buttons on a mouse can be set in the mouse `InputDevice` section of [.filename]#xorg.conf#. +To set the number of buttons to 7: + .Setting the Number of Mouse Buttons [example] @@ -587,15 +661,17 @@ EndSection [[x-config-manual-configuration]] === Manual Configuration -In some cases, Xorg autoconfiguration does not work with particular hardware, or a different configuration is desired. For these cases, a custom configuration file can be created. +In some cases, Xorg autoconfiguration does not work with particular hardware, or a different configuration is desired. +For these cases, a custom configuration file can be created. [WARNING] ==== - -Do not create manual configuration files unless required. Unnecessary manual configuration can prevent proper operation. +Do not create manual configuration files unless required. +Unnecessary manual configuration can prevent proper operation. ==== -A configuration file can be generated by Xorg based on the detected hardware. This file is often a useful starting point for custom configurations. +A configuration file can be generated by Xorg based on the detected hardware. +This file is often a useful starting point for custom configurations. Generating an [.filename]#xorg.conf#: @@ -604,7 +680,8 @@ Generating an [.filename]#xorg.conf#: # Xorg -configure .... -The configuration file is saved to [.filename]#/root/xorg.conf.new#. Make any changes desired, then test that file (using `-retro` so there is a visible background) with: +The configuration file is saved to [.filename]#/root/xorg.conf.new#. +Make any changes desired, then test that file (using `-retro` so there is a visible background) with: [source,shell] .... @@ -619,7 +696,13 @@ After the new configuration has been adjusted and tested, it can be split into s [[type1]] === Type1 Fonts -The default fonts that ship with Xorg are less than ideal for typical desktop publishing applications. Large presentation fonts show up jagged and unprofessional looking, and small fonts are almost completely unintelligible. However, there are several free, high quality Type1 (PostScript(R)) fonts available which can be readily used with Xorg. For instance, the URW font collection (package:x11-fonts/urwfonts[]) includes high quality versions of standard type1 fonts (Times Roman(TM), Helvetica(TM), Palatino(TM) and others). The Freefonts collection (package:x11-fonts/freefonts[]) includes many more fonts, but most of them are intended for use in graphics software such as the Gimp, and are not complete enough to serve as screen fonts. In addition, Xorg can be configured to use TrueType(R) fonts with a minimum of effort. For more details on this, see the man:X[7] manual page or <<truetype>>. +The default fonts that ship with Xorg are less than ideal for typical desktop publishing applications. +Large presentation fonts show up jagged and unprofessional looking, and small fonts are almost completely unintelligible. +However, there are several free, high quality Type1 (PostScript(R)) fonts available which can be readily used with Xorg. +For instance, the URW font collection (package:x11-fonts/urwfonts[]) includes high quality versions of standard type1 fonts (Times Roman(TM), Helvetica(TM), Palatino(TM) and others). +The Freefonts collection (package:x11-fonts/freefonts[]) includes many more fonts, but most of them are intended for use in graphics software such as the Gimp, and are not complete enough to serve as screen fonts. +In addition, Xorg can be configured to use TrueType(R) fonts with a minimum of effort. +For more details on this, see the man:X[7] manual page or <<truetype>>. To install the above Type1 font collections from binary packages, run the following commands: @@ -636,7 +719,8 @@ Alternatively, to build from the Ports Collection, run the following commands: # make install clean .... -And likewise with the freefont or other collections. To have the X server detect these fonts, add an appropriate line to the X server configuration file ([.filename]#/etc/X11/xorg.conf#), which reads: +And likewise with the freefont or other collections. +To have the X server detect these fonts, add an appropriate line to the X server configuration file ([.filename]#/etc/X11/xorg.conf#), which reads: [.programlisting] .... @@ -651,19 +735,26 @@ Alternatively, at the command line in the X session run: % xset fp rehash .... -This will work but will be lost when the X session is closed, unless it is added to the startup file ([.filename]#~/.xinitrc# for a normal `startx` session, or [.filename]#~/.xsession# when logging in through a graphical login manager like XDM). A third way is to use the new [.filename]#/usr/local/etc/fonts/local.conf# as demonstrated in <<antialias>>. +This will work but will be lost when the X session is closed, unless it is added to the startup file ([.filename]#~/.xinitrc# for a normal `startx` session, or [.filename]#~/.xsession# when logging in through a graphical login manager like XDM). +A third way is to use the new [.filename]#/usr/local/etc/fonts/local.conf# as demonstrated in <<antialias>>. [[truetype]] === TrueType(R) Fonts -Xorg has built in support for rendering TrueType(R) fonts. There are two different modules that can enable this functionality. The freetype module is used in this example because it is more consistent with the other font rendering back-ends. To enable the freetype module just add the following line to the `"Module"` section of [.filename]#/etc/X11/xorg.conf#. +Xorg has built in support for rendering TrueType(R) fonts. +There are two different modules that can enable this functionality. +The freetype module is used in this example because it is more consistent with the other font rendering back-ends. +To enable the freetype module just add the following line to the `"Module"` section of [.filename]#/etc/X11/xorg.conf#. [.programlisting] .... Load "freetype" .... -Now make a directory for the TrueType(R) fonts (for example, [.filename]#/usr/local/share/fonts/TrueType#) and copy all of the TrueType(R) fonts into this directory. Keep in mind that TrueType(R) fonts cannot be directly taken from an Apple(R) Mac(R); they must be in UNIX(R)/MS-DOS(R)/Windows(R) format for use by Xorg. Once the files have been copied into this directory, use mkfontscale to create a [.filename]#fonts.dir#, so that the X font renderer knows that these new files have been installed. `mkfontscale` can be installed as a package: +Now make a directory for the TrueType(R) fonts (for example, [.filename]#/usr/local/share/fonts/TrueType#) and copy all of the TrueType(R) fonts into this directory. +Keep in mind that TrueType(R) fonts cannot be directly taken from an Apple(R) Mac(R); they must be in UNIX(R)/MS-DOS(R)/Windows(R) format for use by Xorg. +Once the files have been copied into this directory, use mkfontscale to create a [.filename]#fonts.dir#, so that the X font renderer knows that these new files have been installed. +`mkfontscale` can be installed as a package: [source,shell] .... @@ -678,7 +769,8 @@ Then create an index of X font files in a directory: # mkfontscale .... -Now add the TrueType(R) directory to the font path. This is just the same as described in <<type1>>: +Now add the TrueType(R) directory to the font path. +This is just the same as described in <<type1>>: [source,shell] .... @@ -688,16 +780,21 @@ Now add the TrueType(R) directory to the font path. This is just the same as des or add a `FontPath` line to [.filename]#xorg.conf#. -Now Gimp, LibreOffice, and all of the other X applications should now recognize the installed TrueType(R) fonts. Extremely small fonts (as with text in a high resolution display on a web page) and extremely large fonts (within LibreOffice) will look much better now. +Now Gimp, LibreOffice, and all of the other X applications should now recognize the installed TrueType(R) fonts. +Extremely small fonts (as with text in a high resolution display on a web page) and extremely large fonts (within LibreOffice) will look much better now. [[antialias]] === Anti-Aliased Fonts All fonts in Xorg that are found in [.filename]#/usr/local/share/fonts/# and [.filename]#~/.fonts/# are automatically made available for anti-aliasing to Xft-aware applications. Most recent applications are Xft-aware, including KDE, GNOME, and Firefox. -To control which fonts are anti-aliased, or to configure anti-aliasing properties, create (or edit, if it already exists) the file [.filename]#/usr/local/etc/fonts/local.conf#. Several advanced features of the Xft font system can be tuned using this file; this section describes only some simple possibilities. For more details, please see man:fonts-conf[5]. +To control which fonts are anti-aliased, or to configure anti-aliasing properties, create (or edit, if it already exists) the file [.filename]#/usr/local/etc/fonts/local.conf#. +Several advanced features of the Xft font system can be tuned using this file; this section describes only some simple possibilities. +For more details, please see man:fonts-conf[5]. -This file must be in XML format. Pay careful attention to case, and make sure all tags are properly closed. The file begins with the usual XML header followed by a DOCTYPE definition, and then the `<fontconfig>` tag: +This file must be in XML format. +Pay careful attention to case, and make sure all tags are properly closed. +The file begins with the usual XML header followed by a DOCTYPE definition, and then the `<fontconfig>` tag: [.programlisting] .... @@ -706,7 +803,8 @@ This file must be in XML format. Pay careful attention to case, and make sure al <fontconfig> .... -As previously stated, all fonts in [.filename]#/usr/local/share/fonts/# as well as [.filename]#~/.fonts/# are already made available to Xft-aware applications. To add another directory outside of these two directory trees, add a line like this to [.filename]#/usr/local/etc/fonts/local.conf#: +As previously stated, all fonts in [.filename]#/usr/local/share/fonts/# as well as [.filename]#~/.fonts/# are already made available to Xft-aware applications. +To add another directory outside of these two directory trees, add a line like this to [.filename]#/usr/local/etc/fonts/local.conf#: [.programlisting] .... @@ -720,7 +818,8 @@ After adding new fonts, and especially new font directories, rebuild the font ca # fc-cache -f .... -Anti-aliasing makes borders slightly fuzzy, which makes very small text more readable and removes "staircases" from large text, but can cause eyestrain if applied to normal text. To exclude font sizes smaller than 14 point from anti-aliasing, include these lines: +Anti-aliasing makes borders slightly fuzzy, which makes very small text more readable and removes "staircases" from large text, but can cause eyestrain if applied to normal text. +To exclude font sizes smaller than 14 point from anti-aliasing, include these lines: [.programlisting] .... @@ -742,7 +841,10 @@ Anti-aliasing makes borders slightly fuzzy, which makes very small text more rea </match> .... -Spacing for some monospaced fonts might also be inappropriate with anti-aliasing. This seems to be an issue with KDE, in particular. One possible fix is to force the spacing for such fonts to be 100. Add these lines: +Spacing for some monospaced fonts might also be inappropriate with anti-aliasing. +This seems to be an issue with KDE, in particular. +One possible fix is to force the spacing for such fonts to be 100. +Add these lines: [.programlisting] .... @@ -778,7 +880,10 @@ Spacing for some monospaced fonts might also be inappropriate with anti-aliasing </match> .... -Certain fonts, such as Helvetica, may have a problem when anti-aliased. Usually this manifests itself as a font that seems cut in half vertically. At worst, it may cause applications to crash. To avoid this, consider adding the following to [.filename]#local.conf#: +Certain fonts, such as Helvetica, may have a problem when anti-aliased. +Usually this manifests itself as a font that seems cut in half vertically. +At worst, it may cause applications to crash. +To avoid this, consider adding the following to [.filename]#local.conf#: [.programlisting] .... @@ -792,11 +897,15 @@ Certain fonts, such as Helvetica, may have a problem when anti-aliased. Usually </match> .... -After editing [.filename]#local.conf#, make certain to end the file with the `</fontconfig>` tag. Not doing this will cause changes to be ignored. +After editing [.filename]#local.conf#, make certain to end the file with the `</fontconfig>` tag. +Not doing this will cause changes to be ignored. -Users can add personalized settings by creating their own [.filename]#~/.config/fontconfig/fonts.conf#. This file uses the same `XML` format described above. +Users can add personalized settings by creating their own [.filename]#~/.config/fontconfig/fonts.conf#. +This file uses the same `XML` format described above. -One last point: with an LCD screen, sub-pixel sampling may be desired. This basically treats the (horizontally separated) red, green and blue components separately to improve the horizontal resolution; the results can be dramatic. To enable this, add the line somewhere in [.filename]#local.conf#: +One last point: with an LCD screen, sub-pixel sampling may be desired. +This basically treats the (horizontally separated) red, green and blue components separately to improve the horizontal resolution; the results can be dramatic. +To enable this, add the line somewhere in [.filename]#local.conf#: [.programlisting] .... @@ -818,13 +927,17 @@ Depending on the sort of display, `rgb` may need to be changed to `bgr`, `vrgb` [[x-xdm]] == The X Display Manager -Xorg provides an X Display Manager, XDM, which can be used for login session management. XDM provides a graphical interface for choosing which display server to connect to and for entering authorization information such as a login and password combination. +Xorg provides an X Display Manager, XDM, which can be used for login session management. +XDM provides a graphical interface for choosing which display server to connect to and for entering authorization information such as a login and password combination. -This section demonstrates how to configure the X Display Manager on FreeBSD. Some desktop environments provide their own graphical login manager. Refer to <<x11-wm-gnome>> for instructions on how to configure the GNOME Display Manager and <<x11-wm-kde>> for instructions on how to configure the KDE Display Manager. +This section demonstrates how to configure the X Display Manager on FreeBSD. +Some desktop environments provide their own graphical login manager. +Refer to <<x11-wm-gnome>> for instructions on how to configure the GNOME Display Manager and <<x11-wm-kde>> for instructions on how to configure the KDE Display Manager. === Configuring XDM -To install XDM, use the package:x11/xdm[] package or port. Once installed, XDM can be configured to run when the machine boots up by adding the following line to [.filename]#/etc/rc.conf#: +To install XDM, use the package:x11/xdm[] package or port. +Once installed, XDM can be configured to run when the machine boots up by adding the following line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -833,7 +946,10 @@ xdm_enable="YES" XDM will run on the ninth virtual terminal by default. -The XDM configuration directory is located in [.filename]#/usr/local/etc/X11/xdm#. This directory contains several files used to change the behavior and appearance of XDM, as well as a few scripts and programs used to set up the desktop when XDM is running. <<xdm-config-files>> summarizes the function of each of these files. The exact syntax and usage of these files is described in man:xdm[1]. +The XDM configuration directory is located in [.filename]#/usr/local/etc/X11/xdm#. +This directory contains several files used to change the behavior and appearance of XDM, as well as a few scripts and programs used to set up the desktop when XDM is running. +<<xdm-config-files>> summarizes the function of each of these files. +The exact syntax and usage of these files is described in man:xdm[1]. [[xdm-config-files]] .XDM Configuration Files @@ -869,7 +985,8 @@ The XDM configuration directory is located in [.filename]#/usr/local/etc/X11/xdm === Configuring Remote Access -By default, only users on the same system can login using XDM. To enable users on other systems to connect to the display server, edit the access control rules and enable the connection listener. +By default, only users on the same system can login using XDM. +To enable users on other systems to connect to the display server, edit the access control rules and enable the connection listener. To configure XDM to listen for any remote connection, comment out the `DisplayManager.requestPort` line in [.filename]#/usr/local/etc/X11/xdm/xdm-config# by putting a `!` in front of it: @@ -880,17 +997,23 @@ To configure XDM to listen for any remote connection, comment out the `DisplayMa DisplayManager.requestPort: 0 .... -Save the edits and restart XDM. To restrict remote access, look at the example entries in [.filename]#/usr/local/etc/X11/xdm/Xaccess# and refer to man:xdm[1] for further information. +Save the edits and restart XDM. +To restrict remote access, look at the example entries in [.filename]#/usr/local/etc/X11/xdm/Xaccess# and refer to man:xdm[1] for further information. [[x11-wm]] == Desktop Environments -This section describes how to install three popular desktop environments on a FreeBSD system. A desktop environment can range from a simple window manager to a complete suite of desktop applications. Over a hundred desktop environments are available in the [.filename]#x11-wm# category of the Ports Collection. +This section describes how to install three popular desktop environments on a FreeBSD system. +A desktop environment can range from a simple window manager to a complete suite of desktop applications. +Over a hundred desktop environments are available in the [.filename]#x11-wm# category of the Ports Collection. [[x11-wm-gnome]] === GNOME -GNOME is a user-friendly desktop environment. It includes a panel for starting applications and displaying status, a desktop, a set of tools and applications, and a set of conventions that make it easy for applications to cooperate and be consistent with each other. More information regarding GNOME on FreeBSD can be found at https://www.FreeBSD.org/gnome[https://www.FreeBSD.org/gnome]. That web site contains additional documentation about installing, configuring, and managing GNOME on FreeBSD. +GNOME is a user-friendly desktop environment. +It includes a panel for starting applications and displaying status, a desktop, a set of tools and applications, and a set of conventions that make it easy for applications to cooperate and be consistent with each other. +More information regarding GNOME on FreeBSD can be found at https://www.FreeBSD.org/gnome[https://www.FreeBSD.org/gnome]. +That web site contains additional documentation about installing, configuring, and managing GNOME on FreeBSD. This desktop environment can be installed from a package: @@ -899,7 +1022,8 @@ This desktop environment can be installed from a package: # pkg install gnome3 .... -To instead build GNOME from ports, use the following command. GNOME is a large application and will take some time to compile, even on a fast computer. +To instead build GNOME from ports, use the following command. +GNOME is a large application and will take some time to compile, even on a fast computer. [source,shell] .... @@ -907,28 +1031,34 @@ To instead build GNOME from ports, use the following command. GNOME is a large a # make install clean .... -GNOME requires [.filename]#/proc# to be mounted. Add this line to [.filename]#/etc/fstab# to mount this file system automatically during system startup: +GNOME requires [.filename]#/proc# to be mounted. +Add this line to [.filename]#/etc/fstab# to mount this file system automatically during system startup: [.programlisting] .... proc /proc procfs rw 0 0 .... -GNOME uses D-Bus for a message bus and hardware abstraction. These applications are automatically installed as dependencies of GNOME. Enable them in [.filename]#/etc/rc.conf# so they will be started when the system boots: +GNOME uses D-Bus for a message bus and hardware abstraction. +These applications are automatically installed as dependencies of GNOME. +Enable them in [.filename]#/etc/rc.conf# so they will be started when the system boots: [.programlisting] .... dbus_enable="YES" .... -After installation, configure Xorg to start GNOME. The easiest way to do this is to enable the GNOME Display Manager, GDM, which is installed as part of the GNOME package or port. It can be enabled by adding this line to [.filename]#/etc/rc.conf#: +After installation, configure Xorg to start GNOME. +The easiest way to do this is to enable the GNOME Display Manager, GDM, which is installed as part of the GNOME package or port. +It can be enabled by adding this line to [.filename]#/etc/rc.conf#: [.programlisting] .... gdm_enable="YES" .... -It is often desirable to also start all GNOME services. To achieve this, add a second line to [.filename]#/etc/rc.conf#: +It is often desirable to also start all GNOME services. +To achieve this, add a second line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -937,14 +1067,17 @@ gnome_enable="YES" GDM will start automatically when the system boots. -A second method for starting GNOME is to type `startx` from the command-line after configuring [.filename]#~/.xinitrc#. If this file already exists, replace the line that starts the current window manager with one that starts [.filename]#/usr/local/bin/gnome-session#. If this file does not exist, create it with this command: +A second method for starting GNOME is to type `startx` from the command-line after configuring [.filename]#~/.xinitrc#. +If this file already exists, replace the line that starts the current window manager with one that starts [.filename]#/usr/local/bin/gnome-session#. +If this file does not exist, create it with this command: [source,shell] .... % echo "exec /usr/local/bin/gnome-session" > ~/.xinitrc .... -A third method is to use XDM as the display manager. In this case, create an executable [.filename]#~/.xsession#: +A third method is to use XDM as the display manager. +In this case, create an executable [.filename]#~/.xsession#: [source,shell] .... @@ -954,7 +1087,10 @@ A third method is to use XDM as the display manager. In this case, create an exe [[x11-wm-kde]] === KDE -KDE is another easy-to-use desktop environment. This desktop provides a suite of applications with a consistent look and feel, a standardized menu and toolbars, keybindings, color-schemes, internationalization, and a centralized, dialog-driven desktop configuration. More information on KDE can be found at http://www.kde.org/[http://www.kde.org/]. For FreeBSD-specific information, consult http://freebsd.kde.org/[http://freebsd.kde.org]. +KDE is another easy-to-use desktop environment. +This desktop provides a suite of applications with a consistent look and feel, a standardized menu and toolbars, keybindings, color-schemes, internationalization, and a centralized, dialog-driven desktop configuration. +More information on KDE can be found at http://www.kde.org/[http://www.kde.org/]. +For FreeBSD-specific information, consult http://freebsd.kde.org/[http://freebsd.kde.org]. To install the KDE package, type: @@ -963,7 +1099,9 @@ To install the KDE package, type: # pkg install x11/kde5 .... -To instead build the KDE port, use the following command. Installing the port will provide a menu for selecting which components to install. KDE is a large application and will take some time to compile, even on a fast computer. +To instead build the KDE port, use the following command. +Installing the port will provide a menu for selecting which components to install. +KDE is a large application and will take some time to compile, even on a fast computer. [source,shell] .... @@ -971,21 +1109,26 @@ To instead build the KDE port, use the following command. Installing the port wi # make install clean .... -KDE requires [.filename]#/proc# to be mounted. Add this line to [.filename]#/etc/fstab# to mount this file system automatically during system startup: +KDE requires [.filename]#/proc# to be mounted. +Add this line to [.filename]#/etc/fstab# to mount this file system automatically during system startup: [.programlisting] .... proc /proc procfs rw 0 0 .... -KDE uses D-Bus for a message bus and hardware abstraction. These applications are automatically installed as dependencies of KDE. Enable them in [.filename]#/etc/rc.conf# so they will be started when the system boots: +KDE uses D-Bus for a message bus and hardware abstraction. +These applications are automatically installed as dependencies of KDE. +Enable them in [.filename]#/etc/rc.conf# so they will be started when the system boots: [.programlisting] .... dbus_enable="YES" .... -Since KDE Plasma 5, the KDE Display Manager, KDM is no longer developed. A possible replacement is SDDM. To install it, type: +Since KDE Plasma 5, the KDE Display Manager, KDM is no longer developed. +A possible replacement is SDDM. +To install it, type: [source,shell] .... @@ -999,14 +1142,16 @@ Add this line to [.filename]#/etc/rc.conf#: sddm_enable="YES" .... -A second method for launching KDE Plasma is to type `startx` from the command line. For this to work, the following line is needed in [.filename]#~/.xinitrc#: +A second method for launching KDE Plasma is to type `startx` from the command line. +For this to work, the following line is needed in [.filename]#~/.xinitrc#: [.programlisting] .... exec ck-launch-session startplasma-x11 .... -A third method for starting KDE Plasma is through XDM. To do so, create an executable [.filename]#~/.xsession# as follows: +A third method for starting KDE Plasma is through XDM. +To do so, create an executable [.filename]#~/.xsession# as follows: [source,shell] .... @@ -1018,7 +1163,11 @@ Once KDE Plasma is started, refer to its built-in help system for more informati [[x11-wm-xfce]] === Xfce -Xfce is a desktop environment based on the GTK+ toolkit used by GNOME. However, it is more lightweight and provides a simple, efficient, easy-to-use desktop. It is fully configurable, has a main panel with menus, applets, and application launchers, provides a file manager and sound manager, and is themeable. Since it is fast, light, and efficient, it is ideal for older or slower machines with memory limitations. More information on Xfce can be found at http://www.xfce.org/[http://www.xfce.org]. +Xfce is a desktop environment based on the GTK+ toolkit used by GNOME. +However, it is more lightweight and provides a simple, efficient, easy-to-use desktop. +It is fully configurable, has a main panel with menus, applets, and application launchers, provides a file manager and sound manager, and is themeable. +Since it is fast, light, and efficient, it is ideal for older or slower machines with memory limitations. +More information on Xfce can be found at http://www.xfce.org/[http://www.xfce.org]. To install the Xfce package: @@ -1035,21 +1184,25 @@ Alternatively, to build the port: # make install clean .... -Xfce uses D-Bus for a message bus. This application is automatically installed as dependency of Xfce. Enable it in [.filename]#/etc/rc.conf# so it will be started when the system boots: +Xfce uses D-Bus for a message bus. +This application is automatically installed as dependency of Xfce. +Enable it in [.filename]#/etc/rc.conf# so it will be started when the system boots: [.programlisting] .... dbus_enable="YES" .... -Unlike GNOME or KDE, Xfce does not provide its own login manager. In order to start Xfce from the command line by typing `startx`, first create [.filename]#~/.xinitrc# with this command: +Unlike GNOME or KDE, Xfce does not provide its own login manager. +In order to start Xfce from the command line by typing `startx`, first create [.filename]#~/.xinitrc# with this command: [source,shell] .... % echo ". /usr/local/etc/xdg/xfce4/xinitrc" > ~/.xinitrc .... -An alternate method is to use XDM. To configure this method, create an executable [.filename]#~/.xsession#: +An alternate method is to use XDM. +To configure this method, create an executable [.filename]#~/.xsession#: [source,shell] .... @@ -1066,7 +1219,9 @@ Installing the Compiz Fusion package is easy, but configuring it requires a few [[x-compiz-video-card]] === Setting up the FreeBSD nVidia Driver -Desktop effects can cause quite a load on the graphics card. For an nVidia-based graphics card, the proprietary driver is required for good performance. Users of other graphics cards can skip this section and continue with the [.filename]#xorg.conf# configuration. +Desktop effects can cause quite a load on the graphics card. +For an nVidia-based graphics card, the proprietary driver is required for good performance. +Users of other graphics cards can skip this section and continue with the [.filename]#xorg.conf# configuration. To determine which nVidia driver is needed see the link:{faq}#idp59950544[FAQ question on the subject]. @@ -1079,7 +1234,8 @@ For example, to install the latest driver: # pkg install x11/nvidia-driver .... -The driver will create a kernel module, which needs to be loaded at system startup. Add the following line to [.filename]#/boot/loader.conf#: +The driver will create a kernel module, which needs to be loaded at system startup. +Add the following line to [.filename]#/boot/loader.conf#: [.programlisting] .... @@ -1088,7 +1244,9 @@ nvidia_load="YES" [NOTE] ==== -To immediately load the kernel module into the running kernel issue a command like `kldload nvidia`. However, it has been noted that some versions of Xorg will not function properly if the driver is not loaded at boot time. After editing [.filename]#/boot/loader.conf#, a reboot is recommended. +To immediately load the kernel module into the running kernel issue a command like `kldload nvidia`. +However, it has been noted that some versions of Xorg will not function properly if the driver is not loaded at boot time. +After editing [.filename]#/boot/loader.conf#, a reboot is recommended. ==== With the kernel module loaded, you normally only need to change a single line in [.filename]#xorg.conf# to enable the proprietary driver: @@ -1107,7 +1265,8 @@ and change it to: Driver "nvidia" .... -Start the GUI as usual, and you should be greeted by the nVidia splash. Everything should work as usual. +Start the GUI as usual, and you should be greeted by the nVidia splash. +Everything should work as usual. [[xorg-configuration]] === Configuring `xorg.conf` for Desktop Effects @@ -1142,7 +1301,9 @@ DefaultDepth 24 Option "AddARGBGLXVisuals" "True" .... -Locate the "Subsection" that refers to the screen resolution that you wish to use. For example, if you wish to use 1280x1024, locate the section that follows. If the desired resolution does not appear in any subsection, you may add the relevant entry by hand: +Locate the "Subsection" that refers to the screen resolution that you wish to use. +For example, if you wish to use 1280x1024, locate the section that follows. +If the desired resolution does not appear in any subsection, you may add the relevant entry by hand: [.programlisting] .... @@ -1200,7 +1361,8 @@ When the installation is finished, start your graphic desktop and at a terminal, % emerald --replace & .... -Your screen will flicker for a few seconds, as your window manager (e.g., Metacity if you are using GNOME) is replaced by Compiz Fusion. Emerald takes care of the window decorations (i.e., close, minimize, maximize buttons, title bars and so on). +Your screen will flicker for a few seconds, as your window manager (e.g., Metacity if you are using GNOME) is replaced by Compiz Fusion. +Emerald takes care of the window decorations (i.e., close, minimize, maximize buttons, title bars and so on). You may convert this to a trivial script and have it run at startup automatically (e.g., by adding to "Sessions" in a GNOME desktop): @@ -1237,7 +1399,9 @@ If you have selected "gconf support" during the build, you will also be able to [[x11-troubleshooting]] == Troubleshooting -If the mouse does not work, you will need to first configure it before proceeding. In recent Xorg versions, the `InputDevice` sections in [.filename]#xorg.conf# are ignored in favor of the autodetected devices. To restore the old behavior, add the following line to the `ServerLayout` or `ServerFlags` section of this file: +If the mouse does not work, you will need to first configure it before proceeding. +In recent Xorg versions, the `InputDevice` sections in [.filename]#xorg.conf# are ignored in favor of the autodetected devices. +To restore the old behavior, add the following line to the `ServerLayout` or `ServerFlags` section of this file: [.programlisting] .... @@ -1248,9 +1412,12 @@ Input devices may then be configured as in previous versions, along with any oth [NOTE] ==== -As previously explained the hald daemon will, by default, automatically detect your keyboard. There are chances that your keyboard layout or model will not be correct, desktop environments like GNOME, KDE or Xfce provide tools to configure the keyboard. However, it is possible to set the keyboard properties directly either with the help of the man:setxkbmap[1] utility or with a hald's configuration rule. +As previously explained the hald daemon will, by default, automatically detect your keyboard. +There are chances that your keyboard layout or model will not be correct, desktop environments like GNOME, KDE or Xfce provide tools to configure the keyboard. +However, it is possible to set the keyboard properties directly either with the help of the man:setxkbmap[1] utility or with a hald's configuration rule. -For example if, one wants to use a PC 102 keys keyboard coming with a french layout, we have to create a keyboard configuration file for hald called [.filename]#x11-input.fdi# and saved in the [.filename]#/usr/local/etc/hal/fdi/policy# directory. This file should contain the following lines: +For example if, one wants to use a PC 102 keys keyboard coming with a french layout, we have to create a keyboard configuration file for hald called [.filename]#x11-input.fdi# and saved in the [.filename]#/usr/local/etc/hal/fdi/policy# directory. +This file should contain the following lines: [.programlisting] .... @@ -1279,7 +1446,9 @@ It is possible to do the same configuration from an X terminal or a script with [.filename]#/usr/local/share/X11/xkb/rules/base.lst# lists the various keyboard, layouts and options available. ==== -The [.filename]#xorg.conf.new# configuration file may now be tuned to taste. Open the file in a text editor such as man:emacs[1] or man:ee[1]. If the monitor is an older or unusual model that does not support autodetection of sync frequencies, those settings can be added to [.filename]#xorg.conf.new# under the `"Monitor"` section: +The [.filename]#xorg.conf.new# configuration file may now be tuned to taste. +Open the file in a text editor such as man:emacs[1] or man:ee[1]. +If the monitor is an older or unusual model that does not support autodetection of sync frequencies, those settings can be added to [.filename]#xorg.conf.new# under the `"Monitor"` section: [.programlisting] .... @@ -1292,16 +1461,20 @@ Section "Monitor" EndSection .... -Most monitors support sync frequency autodetection, making manual entry of these values unnecessary. For the few monitors that do not support autodetection, avoid potential damage by only entering values provided by the manufacturer. +Most monitors support sync frequency autodetection, making manual entry of these values unnecessary. +For the few monitors that do not support autodetection, avoid potential damage by only entering values provided by the manufacturer. -X allows DPMS (Energy Star) features to be used with capable monitors. The man:xset[1] program controls the time-outs and can force standby, suspend, or off modes. If you wish to enable DPMS features for your monitor, you must add the following line to the monitor section: +X allows DPMS (Energy Star) features to be used with capable monitors. +The man:xset[1] program controls the time-outs and can force standby, suspend, or off modes. +If you wish to enable DPMS features for your monitor, you must add the following line to the monitor section: [.programlisting] .... Option "DPMS" .... -While the [.filename]#xorg.conf.new# configuration file is still open in an editor, select the default resolution and color depth desired. This is defined in the `"Screen"` section: +While the [.filename]#xorg.conf.new# configuration file is still open in an editor, select the default resolution and color depth desired. +This is defined in the `"Screen"` section: [.programlisting] .... @@ -1318,35 +1491,51 @@ Section "Screen" EndSection .... -The `DefaultDepth` keyword describes the color depth to run at by default. This can be overridden with the `-depth` command line switch to man:Xorg[1]. The `Modes` keyword describes the resolution to run at for the given color depth. Note that only VESA standard modes are supported as defined by the target system's graphics hardware. In the example above, the default color depth is twenty-four bits per pixel. At this color depth, the accepted resolution is 1024 by 768 pixels. +The `DefaultDepth` keyword describes the color depth to run at by default. +This can be overridden with the `-depth` command line switch to man:Xorg[1]. +The `Modes` keyword describes the resolution to run at for the given color depth. +Note that only VESA standard modes are supported as defined by the target system's graphics hardware. +In the example above, the default color depth is twenty-four bits per pixel. +At this color depth, the accepted resolution is 1024 by 768 pixels. Finally, write the configuration file and test it using the test mode given above. [NOTE] ==== -One of the tools available to assist you during troubleshooting process are the Xorg log files, which contain information on each device that the Xorg server attaches to. Xorg log file names are in the format of [.filename]#/var/log/Xorg.0.log#. The exact name of the log can vary from [.filename]#Xorg.0.log# to [.filename]#Xorg.8.log# and so forth. +One of the tools available to assist you during troubleshooting process are the Xorg log files, which contain information on each device that the Xorg server attaches to. +Xorg log file names are in the format of [.filename]#/var/log/Xorg.0.log#. +The exact name of the log can vary from [.filename]#Xorg.0.log# to [.filename]#Xorg.8.log# and so forth. ==== -If all is well, the configuration file needs to be installed in a common location where man:Xorg[1] can find it. This is typically [.filename]#/etc/X11/xorg.conf# or [.filename]#/usr/local/etc/X11/xorg.conf#. +If all is well, the configuration file needs to be installed in a common location where man:Xorg[1] can find it. +This is typically [.filename]#/etc/X11/xorg.conf# or [.filename]#/usr/local/etc/X11/xorg.conf#. [source,shell] .... # cp xorg.conf.new /etc/X11/xorg.conf .... -The Xorg configuration process is now complete. Xorg may be now started with the man:startx[1] utility. The Xorg server may also be started with the use of man:xdm[1]. +The Xorg configuration process is now complete. +Xorg may be now started with the man:startx[1] utility. +The Xorg server may also be started with the use of man:xdm[1]. === Configuration with Intel(R) `i810` Graphics Chipsets -Configuration with Intel(R) i810 integrated chipsets requires the [.filename]#agpgart# AGP programming interface for Xorg to drive the card. See the man:agp[4] driver manual page for more information. +Configuration with Intel(R) i810 integrated chipsets requires the [.filename]#agpgart# AGP programming interface for Xorg to drive the card. +See the man:agp[4] driver manual page for more information. -This will allow configuration of the hardware as any other graphics board. Note on systems without the man:agp[4] driver compiled in the kernel, trying to load the module with man:kldload[8] will not work. This driver has to be in the kernel at boot time through being compiled in or using [.filename]#/boot/loader.conf#. +This will allow configuration of the hardware as any other graphics board. +Note on systems without the man:agp[4] driver compiled in the kernel, trying to load the module with man:kldload[8] will not work. +This driver has to be in the kernel at boot time through being compiled in or using [.filename]#/boot/loader.conf#. === Adding a Widescreen Flatpanel to the Mix -This section assumes a bit of advanced configuration knowledge. If attempts to use the standard configuration tools above have not resulted in a working configuration, there is information enough in the log files to be of use in getting the setup working. Use of a text editor will be necessary. +This section assumes a bit of advanced configuration knowledge. +If attempts to use the standard configuration tools above have not resulted in a working configuration, there is information enough in the log files to be of use in getting the setup working. +Use of a text editor will be necessary. -Current widescreen (WSXGA, WSXGA+, WUXGA, WXGA, WXGA+, et.al.) formats support 16:10 and 10:9 formats or aspect ratios that can be problematic. Examples of some common screen resolutions for 16:10 aspect ratios are: +Current widescreen (WSXGA, WSXGA+, WUXGA, WXGA, WXGA+, et.al.) formats support 16:10 and 10:9 formats or aspect ratios that can be problematic. +Examples of some common screen resolutions for 16:10 aspect ratios are: * 2560x1600 * 1920x1200 @@ -1373,7 +1562,9 @@ EndSection Xorg is smart enough to pull the resolution information from the widescreen via I2C/DDC information so it knows what the monitor can handle as far as frequencies and resolutions. -If those `ModeLines` do not exist in the drivers, one might need to give Xorg a little hint. Using [.filename]#/var/log/Xorg.0.log# one can extract enough information to manually create a `ModeLine` that will work. Simply look for information resembling this: +If those `ModeLines` do not exist in the drivers, one might need to give Xorg a little hint. +Using [.filename]#/var/log/Xorg.0.log# one can extract enough information to manually create a `ModeLine` that will work. +Simply look for information resembling this: [.programlisting] .... @@ -1384,7 +1575,8 @@ If those `ModeLines` do not exist in the drivers, one might need to give Xorg a (II) MGA(0): Ranges: V min: 48 V max: 85 Hz, H min: 30 H max: 94 kHz, PixClock max 170 MHz .... -This information is called EDID information. Creating a `ModeLine` from this is just a matter of putting the numbers in the correct order: +This information is called EDID information. +Creating a `ModeLine` from this is just a matter of putting the numbers in the correct order: [.programlisting] .... @@ -1411,11 +1603,13 @@ Now having completed these simple editing steps, X should start on your new wide ==== I have installed Compiz Fusion, and after running the commands you mention, my windows are left without title bars and buttons. What is wrong? -You are probably missing a setting in [.filename]#/etc/X11/xorg.conf#. Review this file carefully and check especially the `DefaultDepth` and `AddARGBGLXVisuals` directives. +You are probably missing a setting in [.filename]#/etc/X11/xorg.conf#. +Review this file carefully and check especially the `DefaultDepth` and `AddARGBGLXVisuals` directives. ==== When I run the command to start Compiz Fusion, the X server crashes and I am back at the console. What is wrong? -If you check [.filename]#/var/log/Xorg.0.log#, you will probably find error messages during the X startup. The most common would be: +If you check [.filename]#/var/log/Xorg.0.log#, you will probably find error messages during the X startup. +The most common would be: [source,shell] .... @@ -1426,4 +1620,5 @@ If you check [.filename]#/var/log/Xorg.0.log#, you will probably find error mess (EE) NVIDIA(0): reinstalling the NVIDIA driver. .... -This is usually the case when you upgrade Xorg. You will need to reinstall the package:x11/nvidia-driver[] package so glx is built again. +This is usually the case when you upgrade Xorg. +You will need to reinstall the package:x11/nvidia-driver[] package so glx is built again. diff --git a/documentation/content/en/books/handbook/zfs/_index.adoc b/documentation/content/en/books/handbook/zfs/_index.adoc index 2f463aa61c..c854c9b09c 100644 --- a/documentation/content/en/books/handbook/zfs/_index.adoc +++ b/documentation/content/en/books/handbook/zfs/_index.adoc @@ -58,12 +58,24 @@ A complete list of features and terminology is shown in <<zfs-term>>. [[zfs-differences]] == What Makes ZFS Different -ZFS is significantly different from any previous file system because it is more than just a file system. Combining the traditionally separate roles of volume manager and file system provides ZFS with unique advantages. The file system is now aware of the underlying structure of the disks. Traditional file systems could only be created on a single disk at a time. If there were two disks then two separate file systems would have to be created. In a traditional hardware RAID configuration, this problem was avoided by presenting the operating system with a single logical disk made up of the space provided by a number of physical disks, on top of which the operating system placed a file system. Even in the case of software RAID solutions like those provided by GEOM, the UFS file system living on top of the RAID transform believed that it was dealing with a single device. ZFS's combination of the volume manager and the file system solves this and allows the creation of many file systems all sharing a pool of available storage. One of the biggest advantages to ZFS's awareness of the physical layout of the disks is that existing file systems can be grown automatically when additional disks are added to the pool. This new space is then made available to all of the file systems. ZFS also has a number of different properties that can be applied to each file system, giving many advantages to creating a number of different file systems and datasets rather than a single monolithic file system. +ZFS is significantly different from any previous file system because it is more than just a file system. +Combining the traditionally separate roles of volume manager and file system provides ZFS with unique advantages. +The file system is now aware of the underlying structure of the disks. +Traditional file systems could only be created on a single disk at a time. +If there were two disks then two separate file systems would have to be created. +In a traditional hardware RAID configuration, this problem was avoided by presenting the operating system with a single logical disk made up of the space provided by a number of physical disks, on top of which the operating system placed a file system. +Even in the case of software RAID solutions like those provided by GEOM, the UFS file system living on top of the RAID transform believed that it was dealing with a single device. +ZFS's combination of the volume manager and the file system solves this and allows the creation of many file systems all sharing a pool of available storage. +One of the biggest advantages to ZFS's awareness of the physical layout of the disks is that existing file systems can be grown automatically when additional disks are added to the pool. +This new space is then made available to all of the file systems. +ZFS also has a number of different properties that can be applied to each file system, +giving many advantages to creating a number of different file systems and datasets rather than a single monolithic file system. [[zfs-quickstart]] == Quick Start Guide -There is a startup mechanism that allows FreeBSD to mount ZFS pools during system initialization. To enable it, add this line to [.filename]#/etc/rc.conf#: +There is a startup mechanism that allows FreeBSD to mount ZFS pools during system initialization. +To enable it, add this line to [.filename]#/etc/rc.conf#: [.programlisting] .... @@ -77,7 +89,8 @@ Then start the service: # service zfs start .... -The examples in this section assume three SCSI disks with the device names [.filename]#da0#, [.filename]#da1#, and [.filename]#da2#. Users of SATA hardware should instead use [.filename]#ada# device names. +The examples in this section assume three SCSI disks with the device names [.filename]#da0#, [.filename]#da1#, and [.filename]#da2#. +Users of SATA hardware should instead use [.filename]#ada# device names. [[zfs-quickstart-single-disk-pool]] === Single Disk Pool @@ -101,7 +114,9 @@ devfs 1 1 0 100% /dev example 17547136 0 17547136 0% /example .... -This output shows that the `example` pool has been created and mounted. It is now accessible as a file system. Files can be created on it and users can browse it: +This output shows that the `example` pool has been created and mounted. +It is now accessible as a file system. +Files can be created on it and users can browse it: [source,shell] .... @@ -115,7 +130,8 @@ drwxr-xr-x 21 root wheel 512 Aug 29 23:12 .. -rw-r--r-- 1 root wheel 0 Aug 29 23:15 testfile .... -However, this pool is not taking advantage of any ZFS features. To create a dataset on this pool with compression enabled: +However, this pool is not taking advantage of any ZFS features. +To create a dataset on this pool with compression enabled: [source,shell] .... @@ -123,7 +139,8 @@ However, this pool is not taking advantage of any ZFS features. To create a data # zfs set compression=gzip example/compressed .... -The `example/compressed` dataset is now a ZFS compressed file system. Try copying some large files to [.filename]#/example/compressed#. +The `example/compressed` dataset is now a ZFS compressed file system. +Try copying some large files to [.filename]#/example/compressed#. Compression can be disabled with: @@ -171,7 +188,10 @@ example on /example (zfs, local) example/compressed on /example/compressed (zfs, local) .... -After creation, ZFS datasets can be used like any file systems. However, many other features are available which can be set on a per-dataset basis. In the example below, a new file system called `data` is created. Important files will be stored here, so it is configured to keep two copies of each data block: +After creation, ZFS datasets can be used like any file systems. +However, many other features are available which can be set on a per-dataset basis. +In the example below, a new file system called `data` is created. +Important files will be stored here, so it is configured to keep two copies of each data block: [source,shell] .... @@ -193,7 +213,9 @@ example/compressed 17547008 0 17547008 0% /example/compressed example/data 17547008 0 17547008 0% /example/data .... -Notice that each file system on the pool has the same amount of available space. This is the reason for using `df` in these examples, to show that the file systems use only the amount of space they need and all draw from the same pool. ZFS eliminates concepts such as volumes and partitions, and allows multiple file systems to occupy the same pool. +Notice that each file system on the pool has the same amount of available space. +This is the reason for using `df` in these examples, to show that the file systems use only the amount of space they need and all draw from the same pool. +ZFS eliminates concepts such as volumes and partitions, and allows multiple file systems to occupy the same pool. To destroy the file systems and then destroy the pool as it is no longer needed: @@ -207,7 +229,9 @@ To destroy the file systems and then destroy the pool as it is no longer needed: [[zfs-quickstart-raid-z]] === RAID-Z -Disks fail. One method of avoiding data loss from disk failure is to implement RAID. ZFS supports this feature in its pool design. RAID-Z pools require three or more disks but provide more usable space than mirrored pools. +Disks fail. One method of avoiding data loss from disk failure is to implement RAID. +ZFS supports this feature in its pool design. +RAID-Z pools require three or more disks but provide more usable space than mirrored pools. This example creates a RAID-Z pool, specifying the disks to add to the pool: @@ -218,10 +242,14 @@ This example creates a RAID-Z pool, specifying the disks to add to the pool: [NOTE] ==== -Sun(TM) recommends that the number of devices used in a RAID-Z configuration be between three and nine. For environments requiring a single pool consisting of 10 disks or more, consider breaking it up into smaller RAID-Z groups. If only two disks are available and redundancy is a requirement, consider using a ZFS mirror. Refer to man:zpool[8] for more details. +Sun(TM) recommends that the number of devices used in a RAID-Z configuration be between three and nine. +For environments requiring a single pool consisting of 10 disks or more, consider breaking it up into smaller RAID-Z groups. +If only two disks are available and redundancy is a requirement, consider using a ZFS mirror. +Refer to man:zpool[8] for more details. ==== -The previous example created the `storage` zpool. This example makes a new file system called `home` in that pool: +The previous example created the `storage` zpool. +This example makes a new file system called `home` in that pool: [source,shell] .... @@ -246,7 +274,8 @@ To make this the new home directory for users, copy the user data to this direct # ln -s /storage/home /usr/home .... -Users data is now stored on the freshly-created [.filename]#/storage/home#. Test by adding a new user and logging in as that user. +Users data is now stored on the freshly-created [.filename]#/storage/home#. +Test by adding a new user and logging in as that user. Try creating a file system snapshot which can be rolled back later: @@ -257,21 +286,26 @@ Try creating a file system snapshot which can be rolled back later: Snapshots can only be made of a full file system, not a single directory or file. -The `@` character is a delimiter between the file system name or the volume name. If an important directory has been accidentally deleted, the file system can be backed up, then rolled back to an earlier snapshot when the directory still existed: +The `@` character is a delimiter between the file system name or the volume name. +If an important directory has been accidentally deleted, the file system can be backed up, +then rolled back to an earlier snapshot when the directory still existed: [source,shell] .... # zfs rollback storage/home@08-30-08 .... -To list all available snapshots, run `ls` in the file system's [.filename]#.zfs/snapshot# directory. For example, to see the previously taken snapshot: +To list all available snapshots, run `ls` in the file system's [.filename]#.zfs/snapshot# directory. +For example, to see the previously taken snapshot: [source,shell] .... # ls /storage/home/.zfs/snapshot .... -It is possible to write a script to perform regular snapshots on user data. However, over time, snapshots can consume a great deal of disk space. The previous snapshot can be removed using the command: +It is possible to write a script to perform regular snapshots on user data. +However, over time, snapshots can consume a great deal of disk space. +The previous snapshot can be removed using the command: [source,shell] .... @@ -304,7 +338,9 @@ storage 26320512 0 26320512 0% /storage storage/home 26320512 0 26320512 0% /home .... -This completes the RAID-Z configuration. Daily status updates about the file systems created can be generated as part of the nightly man:periodic[8] runs. Add this line to [.filename]#/etc/periodic.conf#: +This completes the RAID-Z configuration. +Daily status updates about the file systems created can be generated as part of the nightly man:periodic[8] runs. +Add this line to [.filename]#/etc/periodic.conf#: [.programlisting] .... @@ -314,7 +350,8 @@ daily_status_zfs_enable="YES" [[zfs-quickstart-recovering-raid-z]] === Recovering RAID-Z -Every software RAID has a method of monitoring its `state`. The status of RAID-Z devices may be viewed with this command: +Every software RAID has a method of monitoring its `state`. +The status of RAID-Z devices may be viewed with this command: [source,shell] .... @@ -359,7 +396,8 @@ This indicates that the device was previously taken offline by the administrator # zpool offline storage da1 .... -Now the system can be powered down to replace [.filename]#da1#. When the system is back online, the failed disk can replaced in the pool: +Now the system can be powered down to replace [.filename]#da1#. +When the system is back online, the failed disk can replaced in the pool: [source,shell] .... @@ -391,22 +429,28 @@ In this example, everything is normal. [[zfs-quickstart-data-verification]] === Data Verification -ZFS uses checksums to verify the integrity of stored data. These are enabled automatically upon creation of file systems. +ZFS uses checksums to verify the integrity of stored data. +These are enabled automatically upon creation of file systems. [WARNING] ==== - -Checksums can be disabled, but it is _not_ recommended! Checksums take very little storage space and provide data integrity. Many ZFS features will not work properly with checksums disabled. There is no noticeable performance gain from disabling these checksums. +Checksums can be disabled, but it is _not_ recommended! Checksums take very little storage space and provide data integrity. +Many ZFS features will not work properly with checksums disabled. +There is no noticeable performance gain from disabling these checksums. ==== -Checksum verification is known as _scrubbing_. Verify the data integrity of the `storage` pool with this command: +Checksum verification is known as _scrubbing_. +Verify the data integrity of the `storage` pool with this command: [source,shell] .... # zpool scrub storage .... -The duration of a scrub depends on the amount of data stored. Larger amounts of data will take proportionally longer to verify. Scrubs are very I/O intensive, and only one scrub is allowed to run at a time. After the scrub completes, the status can be viewed with `status`: +The duration of a scrub depends on the amount of data stored. +Larger amounts of data will take proportionally longer to verify. +Scrubs are very I/O intensive, and only one scrub is allowed to run at a time. +After the scrub completes, the status can be viewed with `status`: [source,shell] .... @@ -426,19 +470,28 @@ config: errors: No known data errors .... -The completion date of the last scrub operation is displayed to help track when another scrub is required. Routine scrubs help protect data from silent corruption and ensure the integrity of the pool. +The completion date of the last scrub operation is displayed to help track when another scrub is required. +Routine scrubs help protect data from silent corruption and ensure the integrity of the pool. Refer to man:zfs[8] and man:zpool[8] for other ZFS options. [[zfs-zpool]] == `zpool` Administration -ZFS administration is divided between two main utilities. The `zpool` utility controls the operation of the pool and deals with adding, removing, replacing, and managing disks. The <<zfs-zfs,`zfs`>> utility deals with creating, destroying, and managing datasets, both <<zfs-term-filesystem,file systems>> and <<zfs-term-volume,volumes>>. +ZFS administration is divided between two main utilities. +The `zpool` utility controls the operation of the pool and deals with adding, removing, replacing, and managing disks. +The <<zfs-zfs,`zfs`>> utility deals with creating, destroying, and managing datasets, both <<zfs-term-filesystem,file systems>> and <<zfs-term-volume,volumes>>. [[zfs-zpool-create]] === Creating and Destroying Storage Pools -Creating a ZFS storage pool (_zpool_) involves making a number of decisions that are relatively permanent because the structure of the pool cannot be changed after the pool has been created. The most important decision is what types of vdevs into which to group the physical disks. See the list of <<zfs-term-vdev,vdev types>> for details about the possible options. After the pool has been created, most vdev types do not allow additional disks to be added to the vdev. The exceptions are mirrors, which allow additional disks to be added to the vdev, and stripes, which can be upgraded to mirrors by attaching an additional disk to the vdev. Although additional vdevs can be added to expand a pool, the layout of the pool cannot be changed after pool creation. Instead, the data must be backed up and the pool destroyed and recreated. +Creating a ZFS storage pool (_zpool_) involves making a number of decisions that are relatively permanent because the structure of the pool cannot be changed after the pool has been created. +The most important decision is what types of vdevs into which to group the physical disks. +See the list of <<zfs-term-vdev,vdev types>> for details about the possible options. +After the pool has been created, most vdev types do not allow additional disks to be added to the vdev. +The exceptions are mirrors, which allow additional disks to be added to the vdev, and stripes, which can be upgraded to mirrors by attaching an additional disk to the vdev. +Although additional vdevs can be added to expand a pool, the layout of the pool cannot be changed after pool creation. +Instead, the data must be backed up and the pool destroyed and recreated. Create a simple mirror pool: @@ -460,7 +513,8 @@ config: errors: No known data errors .... -Multiple vdevs can be created at once. Specify multiple groups of disks separated by the vdev type keyword, `mirror` in this example: +Multiple vdevs can be created at once. +Specify multiple groups of disks separated by the vdev type keyword, `mirror` in this example: [source,shell] .... @@ -483,7 +537,13 @@ config: errors: No known data errors .... -Pools can also be constructed using partitions rather than whole disks. Putting ZFS in a separate partition allows the same disk to have other partitions for other purposes. In particular, partitions with bootcode and file systems needed for booting can be added. This allows booting from disks that are also members of a pool. There is no performance penalty on FreeBSD when using a partition rather than a whole disk. Using partitions also allows the administrator to _under-provision_ the disks, using less than the full capacity. If a future replacement disk of the same nominal size as the original actually has a slightly smaller capacity, the smaller partition will still fit, and the replacement disk can still be used. +Pools can also be constructed using partitions rather than whole disks. +Putting ZFS in a separate partition allows the same disk to have other partitions for other purposes. +In particular, partitions with bootcode and file systems needed for booting can be added. +This allows booting from disks that are also members of a pool. +There is no performance penalty on FreeBSD when using a partition rather than a whole disk. +Using partitions also allows the administrator to _under-provision_ the disks, using less than the full capacity. +If a future replacement disk of the same nominal size as the original actually has a slightly smaller capacity, the smaller partition will still fit, and the replacement disk can still be used. Create a <<zfs-term-vdev-raidz,RAID-Z2>> pool using partitions: @@ -509,14 +569,25 @@ config: errors: No known data errors .... -A pool that is no longer needed can be destroyed so that the disks can be reused. Destroying a pool involves first unmounting all of the datasets in that pool. If the datasets are in use, the unmount operation will fail and the pool will not be destroyed. The destruction of the pool can be forced with `-f`, but this can cause undefined behavior in applications which had open files on those datasets. +A pool that is no longer needed can be destroyed so that the disks can be reused. +Destroying a pool involves first unmounting all of the datasets in that pool. +If the datasets are in use, the unmount operation will fail and the pool will not be destroyed. +The destruction of the pool can be forced with `-f`, but this can cause undefined behavior in applications which had open files on those datasets. [[zfs-zpool-attach]] === Adding and Removing Devices -There are two cases for adding disks to a zpool: attaching a disk to an existing vdev with `zpool attach`, or adding vdevs to the pool with `zpool add`. Only some <<zfs-term-vdev,vdev types>> allow disks to be added to the vdev after creation. +There are two cases for adding disks to a zpool: attaching a disk to an existing vdev with `zpool attach`, or adding vdevs to the pool with `zpool add`. +Only some <<zfs-term-vdev,vdev types>> allow disks to be added to the vdev after creation. -A pool created with a single disk lacks redundancy. Corruption can be detected but not repaired, because there is no other copy of the data. The <<zfs-term-copies,copies>> property may be able to recover from a small failure such as a bad sector, but does not provide the same level of protection as mirroring or RAID-Z. Starting with a pool consisting of a single disk vdev, `zpool attach` can be used to add an additional disk to the vdev, creating a mirror. `zpool attach` can also be used to add additional disks to a mirror group, increasing redundancy and read performance. If the disks being used for the pool are partitioned, replicate the layout of the first disk on to the second. `gpart backup` and `gpart restore` can be used to make this process easier. +A pool created with a single disk lacks redundancy. +Corruption can be detected but not repaired, because there is no other copy of the data. +The <<zfs-term-copies,copies>> property may be able to recover from a small failure such as a bad sector, +but does not provide the same level of protection as mirroring or RAID-Z. +Starting with a pool consisting of a single disk vdev, `zpool attach` can be used to add an additional disk to the vdev, creating a mirror. +`zpool attach` can also be used to add additional disks to a mirror group, increasing redundancy and read performance. +If the disks being used for the pool are partitioned, replicate the layout of the first disk on to the second. +`gpart backup` and `gpart restore` can be used to make this process easier. Upgrade the single disk (stripe) vdev _ada0p3_ to a mirror by attaching _ada1p3_: @@ -578,9 +649,16 @@ config: errors: No known data errors .... -When adding disks to the existing vdev is not an option, as for RAID-Z, an alternative method is to add another vdev to the pool. Additional vdevs provide higher performance, distributing writes across the vdevs. Each vdev is responsible for providing its own redundancy. It is possible, but discouraged, to mix vdev types, like `mirror` and `RAID-Z`. Adding a non-redundant vdev to a pool containing mirror or RAID-Z vdevs risks the data on the entire pool. Writes are distributed, so the failure of the non-redundant disk will result in the loss of a fraction of every block that has been written to the pool. +When adding disks to the existing vdev is not an option, as for RAID-Z, an alternative method is to add another vdev to the pool. +Additional vdevs provide higher performance, distributing writes across the vdevs. Each vdev is responsible for providing its own redundancy. +It is possible, but discouraged, to mix vdev types, like `mirror` and `RAID-Z`. +Adding a non-redundant vdev to a pool containing mirror or RAID-Z vdevs risks the data on the entire pool. +Writes are distributed, so the failure of the non-redundant disk will result in the loss of a fraction of every block that has been written to the pool. -Data is striped across each of the vdevs. For example, with two mirror vdevs, this is effectively a RAID 10 that stripes writes across two sets of mirrors. Space is allocated so that each vdev reaches 100% full at the same time. There is a performance penalty if the vdevs have different amounts of free space, as a disproportionate amount of the data is written to the less full vdev. +Data is striped across each of the vdevs. +For example, with two mirror vdevs, this is effectively a RAID 10 that stripes writes across two sets of mirrors. +Space is allocated so that each vdev reaches 100% full at the same time. +There is a performance penalty if the vdevs have different amounts of free space, as a disproportionate amount of the data is written to the less full vdev. When attaching additional devices to a boot pool, remember to update the bootcode. @@ -624,7 +702,8 @@ config: errors: No known data errors .... -Currently, vdevs cannot be removed from a pool, and disks can only be removed from a mirror if there is enough remaining redundancy. If only one disk in a mirror group remains, it ceases to be a mirror and reverts to being a stripe, risking the entire pool if that remaining disk fails. +Currently, vdevs cannot be removed from a pool, and disks can only be removed from a mirror if there is enough remaining redundancy. +If only one disk in a mirror group remains, it ceases to be a mirror and reverts to being a stripe, risking the entire pool if that remaining disk fails. Remove a disk from a three-way mirror group: @@ -663,7 +742,10 @@ errors: No known data errors [[zfs-zpool-status]] === Checking the Status of a Pool -Pool status is important. If a drive goes offline or a read, write, or checksum error is detected, the corresponding error count increases. The `status` output shows the configuration and status of each device in the pool and the status of the entire pool. Actions that need to be taken and details about the last <<zfs-zpool-scrub,`scrub`>> are also shown. +Pool status is important. +If a drive goes offline or a read, write, or checksum error is detected, the corresponding error count increases. +The `status` output shows the configuration and status of each device in the pool and the status of the entire pool. +Actions that need to be taken and details about the last <<zfs-zpool-scrub,`scrub`>> are also shown. [source,shell] .... @@ -689,12 +771,21 @@ errors: No known data errors [[zfs-zpool-clear]] === Clearing Errors -When an error is detected, the read, write, or checksum counts are incremented. The error message can be cleared and the counts reset with `zpool clear _mypool_`. Clearing the error state can be important for automated scripts that alert the administrator when the pool encounters an error. Further errors may not be reported if the old errors are not cleared. +When an error is detected, the read, write, or checksum counts are incremented. +The error message can be cleared and the counts reset with `zpool clear _mypool_`. +Clearing the error state can be important for automated scripts that alert the administrator when the pool encounters an error. +Further errors may not be reported if the old errors are not cleared. [[zfs-zpool-replace]] === Replacing a Functioning Device -There are a number of situations where it may be desirable to replace one disk with a different disk. When replacing a working disk, the process keeps the old disk online during the replacement. The pool never enters a <<zfs-term-degraded,degraded>> state, reducing the risk of data loss. `zpool replace` copies all of the data from the old disk to the new one. After the operation completes, the old disk is disconnected from the vdev. If the new disk is larger than the old disk, it may be possible to grow the zpool, using the new space. See <<zfs-zpool-online,Growing a Pool>>. +There are a number of situations where it may be desirable to replace one disk with a different disk. +When replacing a working disk, the process keeps the old disk online during the replacement. +The pool never enters a <<zfs-term-degraded,degraded>> state, reducing the risk of data loss. +`zpool replace` copies all of the data from the old disk to the new one. +After the operation completes, the old disk is disconnected from the vdev. +If the new disk is larger than the old disk, it may be possible to grow the zpool, using the new space. +See <<zfs-zpool-online,Growing a Pool>>. Replace a functioning device in the pool: @@ -762,11 +853,18 @@ errors: No known data errors [[zfs-zpool-resilver]] === Dealing with Failed Devices -When a disk in a pool fails, the vdev to which the disk belongs enters the <<zfs-term-degraded,degraded>> state. All of the data is still available, but performance may be reduced because missing data must be calculated from the available redundancy. To restore the vdev to a fully functional state, the failed physical device must be replaced. ZFS is then instructed to begin the <<zfs-term-resilver,resilver>> operation. Data that was on the failed device is recalculated from available redundancy and written to the replacement device. After completion, the vdev returns to <<zfs-term-online,online>> status. +When a disk in a pool fails, the vdev to which the disk belongs enters the <<zfs-term-degraded,degraded>> state. +All of the data is still available, but performance may be reduced because missing data must be calculated from the available redundancy. +To restore the vdev to a fully functional state, the failed physical device must be replaced. +ZFS is then instructed to begin the <<zfs-term-resilver,resilver>> operation. +Data that was on the failed device is recalculated from available redundancy and written to the replacement device. +After completion, the vdev returns to <<zfs-term-online,online>> status. -If the vdev does not have any redundancy, or if multiple devices have failed and there is not enough redundancy to compensate, the pool enters the <<zfs-term-faulted,faulted>> state. If a sufficient number of devices cannot be reconnected to the pool, the pool becomes inoperative and data must be restored from backups. +If the vdev does not have any redundancy, or if multiple devices have failed and there is not enough redundancy to compensate, the pool enters the <<zfs-term-faulted,faulted>> state. +If a sufficient number of devices cannot be reconnected to the pool, the pool becomes inoperative and data must be restored from backups. -When replacing a failed disk, the name of the failed disk is replaced with the GUID of the device. A new device name parameter for `zpool replace` is not required if the replacement device has the same device name. +When replacing a failed disk, the name of the failed disk is replaced with the GUID of the device. +A new device name parameter for `zpool replace` is not required if the replacement device has the same device name. Replace a failed disk using `zpool replace`: @@ -828,7 +926,9 @@ errors: No known data errors [[zfs-zpool-scrub]] === Scrubbing a Pool -It is recommended that pools be <<zfs-term-scrub,scrubbed>> regularly, ideally at least once every month. The `scrub` operation is very disk-intensive and will reduce performance while running. Avoid high-demand periods when scheduling `scrub` or use <<zfs-advanced-tuning-scrub_delay,`vfs.zfs.scrub_delay`>> to adjust the relative priority of the `scrub` to prevent it interfering with other workloads. +It is recommended that pools be <<zfs-term-scrub,scrubbed>> regularly, ideally at least once every month. +The `scrub` operation is very disk-intensive and will reduce performance while running. +Avoid high-demand periods when scheduling `scrub` or use <<zfs-advanced-tuning-scrub_delay,`vfs.zfs.scrub_delay`>> to adjust the relative priority of the `scrub` to prevent it interfering with other workloads. [source,shell] .... @@ -859,9 +959,19 @@ In the event that a scrub operation needs to be cancelled, issue `zpool scrub -s [[zfs-zpool-selfheal]] === Self-Healing -The checksums stored with data blocks enable the file system to _self-heal_. This feature will automatically repair data whose checksum does not match the one recorded on another device that is part of the storage pool. For example, a mirror with two disks where one drive is starting to malfunction and cannot properly store the data any more. This is even worse when the data has not been accessed for a long time, as with long term archive storage. Traditional file systems need to run algorithms that check and repair the data like man:fsck[8]. These commands take time, and in severe cases, an administrator has to manually decide which repair operation must be performed. When ZFS detects a data block with a checksum that does not match, it tries to read the data from the mirror disk. If that disk can provide the correct data, it will not only give that data to the application requesting it, but also correct the wrong data on the disk that had the bad checksum. This happens without any interaction from a system administrator during normal pool operation. +The checksums stored with data blocks enable the file system to _self-heal_. +This feature will automatically repair data whose checksum does not match the one recorded on another device that is part of the storage pool. +For example, a mirror with two disks where one drive is starting to malfunction and cannot properly store the data any more. +This is even worse when the data has not been accessed for a long time, as with long term archive storage. +Traditional file systems need to run algorithms that check and repair the data like man:fsck[8]. +These commands take time, and in severe cases, an administrator has to manually decide which repair operation must be performed. +When ZFS detects a data block with a checksum that does not match, it tries to read the data from the mirror disk. +If that disk can provide the correct data, it will not only give that data to the application requesting it, +but also correct the wrong data on the disk that had the bad checksum. +This happens without any interaction from a system administrator during normal pool operation. -The next example demonstrates this self-healing behavior. A mirrored pool of disks [.filename]#/dev/ada0# and [.filename]#/dev/ada1# is created. +The next example demonstrates this self-healing behavior. +A mirrored pool of disks [.filename]#/dev/ada0# and [.filename]#/dev/ada1# is created. [source,shell] .... @@ -884,7 +994,8 @@ NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALT healer 960M 92.5K 960M - - 0% 0% 1.00x ONLINE - .... -Some important data that have to be protected from data errors using the self-healing feature are copied to the pool. A checksum of the pool is created for later comparison. +Some important data that have to be protected from data errors using the self-healing feature are copied to the pool. +A checksum of the pool is created for later comparison. [source,shell] .... @@ -897,12 +1008,16 @@ healer 960M 67.7M 892M 7% 1.00x ONLINE - SHA1 (/healer) = 2753eff56d77d9a536ece6694bf0a82740344d1f .... -Data corruption is simulated by writing random data to the beginning of one of the disks in the mirror. To prevent ZFS from healing the data as soon as it is detected, the pool is exported before the corruption and imported again afterwards. +Data corruption is simulated by writing random data to the beginning of one of the disks in the mirror. +To prevent ZFS from healing the data as soon as it is detected, the pool is exported before the corruption and imported again afterwards. [WARNING] ==== - -This is a dangerous operation that can destroy vital data. It is shown here for demonstrational purposes only and should not be attempted during normal operation of a storage pool. Nor should this intentional corruption example be run on any disk with a different file system on it. Do not use any other disk device names other than the ones that are part of the pool. Make certain that proper backups of the pool are created before running the command! +This is a dangerous operation that can destroy vital data. +It is shown here for demonstrational purposes only and should not be attempted during normal operation of a storage pool. +Nor should this intentional corruption example be run on any disk with a different file system on it. +Do not use any other disk device names other than the ones that are part of the pool. +Make certain that proper backups of the pool are created before running the command! ==== [source,shell] @@ -915,7 +1030,10 @@ This is a dangerous operation that can destroy vital data. It is shown here for # zpool import healer .... -The pool status shows that one device has experienced an error. Note that applications reading data from the pool did not receive any incorrect data. ZFS provided data from the [.filename]#ada0# device with the correct checksums. The device with the wrong checksum can be found easily as the `CKSUM` column contains a nonzero value. +The pool status shows that one device has experienced an error. +Note that applications reading data from the pool did not receive any incorrect data. +ZFS provided data from the [.filename]#ada0# device with the correct checksums. +The device with the wrong checksum can be found easily as the `CKSUM` column contains a nonzero value. [source,shell] .... @@ -939,7 +1057,8 @@ The pool status shows that one device has experienced an error. Note that applic errors: No known data errors .... -The error was detected and handled by using the redundancy present in the unaffected [.filename]#ada0# mirror disk. A checksum comparison with the original one will reveal whether the pool is consistent again. +The error was detected and handled by using the redundancy present in the unaffected [.filename]#ada0# mirror disk. +A checksum comparison with the original one will reveal whether the pool is consistent again. [source,shell] .... @@ -949,7 +1068,13 @@ SHA1 (/healer) = 2753eff56d77d9a536ece6694bf0a82740344d1f SHA1 (/healer) = 2753eff56d77d9a536ece6694bf0a82740344d1f .... -The two checksums that were generated before and after the intentional tampering with the pool data still match. This shows how ZFS is capable of detecting and correcting any errors automatically when the checksums differ. Note that this is only possible when there is enough redundancy present in the pool. A pool consisting of a single device has no self-healing capabilities. That is also the reason why checksums are so important in ZFS and should not be disabled for any reason. No man:fsck[8] or similar file system consistency check program is required to detect and correct this and the pool was still available during the time there was a problem. A scrub operation is now required to overwrite the corrupted data on [.filename]#ada1#. +The two checksums that were generated before and after the intentional tampering with the pool data still match. +This shows how ZFS is capable of detecting and correcting any errors automatically when the checksums differ. +Note that this is only possible when there is enough redundancy present in the pool. +A pool consisting of a single device has no self-healing capabilities. +That is also the reason why checksums are so important in ZFS and should not be disabled for any reason. +No man:fsck[8] or similar file system consistency check program is required to detect and correct this and the pool was still available during the time there was a problem. +A scrub operation is now required to overwrite the corrupted data on [.filename]#ada1#. [source,shell] .... @@ -976,7 +1101,9 @@ config: errors: No known data errors .... -The scrub operation reads data from [.filename]#ada0# and rewrites any data with an incorrect checksum on [.filename]#ada1#. This is indicated by the `(repairing)` output from `zpool status`. After the operation is complete, the pool status changes to: +The scrub operation reads data from [.filename]#ada0# and rewrites any data with an incorrect checksum on [.filename]#ada1#. +This is indicated by the `(repairing)` output from `zpool status`. +After the operation is complete, the pool status changes to: [source,shell] .... @@ -1000,7 +1127,8 @@ config: errors: No known data errors .... -After the scrub operation completes and all the data has been synchronized from [.filename]#ada0# to [.filename]#ada1#, the error messages can be <<zfs-zpool-clear,cleared>> from the pool status by running `zpool clear`. +After the scrub operation completes and all the data has been synchronized from [.filename]#ada0# to [.filename]#ada1#, +the error messages can be <<zfs-zpool-clear,cleared>> from the pool status by running `zpool clear`. [source,shell] .... @@ -1025,14 +1153,27 @@ The pool is now back to a fully working state and all the errors have been clear [[zfs-zpool-online]] === Growing a Pool -The usable size of a redundant pool is limited by the capacity of the smallest device in each vdev. The smallest device can be replaced with a larger device. After completing a <<zfs-zpool-replace,replace>> or <<zfs-term-resilver,resilver>> operation, the pool can grow to use the capacity of the new device. For example, consider a mirror of a 1 TB drive and a 2 TB drive. The usable space is 1 TB. When the 1 TB drive is replaced with another 2 TB drive, the resilvering process copies the existing data onto the new drive. As both of the devices now have 2 TB capacity, the mirror's available space can be grown to 2 TB. +The usable size of a redundant pool is limited by the capacity of the smallest device in each vdev. +The smallest device can be replaced with a larger device. +After completing a <<zfs-zpool-replace,replace>> or <<zfs-term-resilver,resilver>> operation, the pool can grow to use the capacity of the new device. +For example, consider a mirror of a 1 TB drive and a 2 TB drive. +The usable space is 1 TB. +When the 1 TB drive is replaced with another 2 TB drive, the resilvering process copies the existing data onto the new drive. +As both of the devices now have 2 TB capacity, the mirror's available space can be grown to 2 TB. -Expansion is triggered by using `zpool online -e` on each device. After expansion of all devices, the additional space becomes available to the pool. +Expansion is triggered by using `zpool online -e` on each device. +After expansion of all devices, the additional space becomes available to the pool. [[zfs-zpool-import]] === Importing and Exporting Pools -Pools are _exported_ before moving them to another system. All datasets are unmounted, and each device is marked as exported but still locked so it cannot be used by other disk subsystems. This allows pools to be _imported_ on other machines, other operating systems that support ZFS, and even different hardware architectures (with some caveats, see man:zpool[8]). When a dataset has open files, `zpool export -f` can be used to force the export of a pool. Use this with caution. The datasets are forcibly unmounted, potentially resulting in unexpected behavior by the applications which had open files on those datasets. +Pools are _exported_ before moving them to another system. +All datasets are unmounted, and each device is marked as exported but still locked so it cannot be used by other disk subsystems. +This allows pools to be _imported_ on other machines, other operating systems that support ZFS, +and even different hardware architectures (with some caveats, see man:zpool[8]). +When a dataset has open files, `zpool export -f` can be used to force the export of a pool. +Use this with caution. +The datasets are forcibly unmounted, potentially resulting in unexpected behavior by the applications which had open files on those datasets. Export a pool that is not in use: @@ -1041,7 +1182,12 @@ Export a pool that is not in use: # zpool export mypool .... -Importing a pool automatically mounts the datasets. This may not be the desired behavior, and can be prevented with `zpool import -N`. `zpool import -o` sets temporary properties for this import only. `zpool import altroot=` allows importing a pool with a base mount point instead of the root of the file system. If the pool was last used on a different system and was not properly exported, an import might have to be forced with `zpool import -f`. `zpool import -a` imports all pools that do not appear to be in use by another system. +Importing a pool automatically mounts the datasets. +This may not be the desired behavior, and can be prevented with `zpool import -N`. +`zpool import -o` sets temporary properties for this import only. +`zpool import altroot=` allows importing a pool with a base mount point instead of the root of the file system. +If the pool was last used on a different system and was not properly exported, an import might have to be forced with `zpool import -f`. +`zpool import -a` imports all pools that do not appear to be in use by another system. List all available pools for import: @@ -1072,7 +1218,11 @@ mypool 110K 47.0G 31K /mnt/mypool [[zfs-zpool-upgrade]] === Upgrading a Storage Pool -After upgrading FreeBSD, or if a pool has been imported from a system using an older version of ZFS, the pool can be manually upgraded to the latest version of ZFS to support newer features. Consider whether the pool may ever need to be imported on an older system before upgrading. Upgrading is a one-way process. Older pools can be upgraded, but pools with newer features cannot be downgraded. +After upgrading FreeBSD, or if a pool has been imported from a system using an older version of ZFS, +the pool can be manually upgraded to the latest version of ZFS to support newer features. +Consider whether the pool may ever need to be imported on an older system before upgrading. +Upgrading is a one-way process. +Older pools can be upgraded, but pools with newer features cannot be downgraded. Upgrade a v28 pool to support `Feature Flags`: @@ -1121,7 +1271,9 @@ Enabled the following features on 'mypool': multi_vdev_crash_dump .... -The newer features of ZFS will not be available until `zpool upgrade` has completed. `zpool upgrade -v` can be used to see what new features will be provided by upgrading, as well as which features are already supported. +The newer features of ZFS will not be available until `zpool upgrade` has completed. +`zpool upgrade -v` can be used to see what new features will be provided by upgrading, +as well as which features are already supported. Upgrade a pool to support additional feature flags: @@ -1178,8 +1330,9 @@ Enabled the following features on 'mypool': [WARNING] ==== - -The boot code on systems that boot from a pool must be updated to support the new pool version. Use `gpart bootcode` on the partition that contains the boot code. There are two types of bootcode available, depending on way the system boots: GPT (the most common option) and EFI (for more modern systems). +The boot code on systems that boot from a pool must be updated to support the new pool version. +Use `gpart bootcode` on the partition that contains the boot code. +There are two types of bootcode available, depending on way the system boots: GPT (the most common option) and EFI (for more modern systems). For legacy boot using GPT, use the following command: @@ -1195,13 +1348,18 @@ For systems using EFI to boot, execute the following command: # gpart bootcode -p /boot/boot1.efifat -i 1 ada1 .... -Apply the bootcode to all bootable disks in the pool. See man:gpart[8] for more information. +Apply the bootcode to all bootable disks in the pool. +See man:gpart[8] for more information. ==== [[zfs-zpool-history]] === Displaying Recorded Pool History -Commands that modify the pool are recorded. Recorded actions include the creation of datasets, changing properties, or replacement of a disk. This history is useful for reviewing how a pool was created and which user performed a specific action and when. History is not kept in a log file, but is part of the pool itself. The command to review this history is aptly named `zpool history`: +Commands that modify the pool are recorded. +Recorded actions include the creation of datasets, changing properties, or replacement of a disk. +This history is useful for reviewing how a pool was created and which user performed a specific action and when. +History is not kept in a log file, but is part of the pool itself. +The command to review this history is aptly named `zpool history`: [source,shell] .... @@ -1213,9 +1371,13 @@ History for 'tank': 2013-02-27.18:51:18 zfs create tank/backup .... -The output shows `zpool` and `zfs` commands that were executed on the pool along with a timestamp. Only commands that alter the pool in some way are recorded. Commands like `zfs list` are not included. When no pool name is specified, the history of all pools is displayed. +The output shows `zpool` and `zfs` commands that were executed on the pool along with a timestamp. +Only commands that alter the pool in some way are recorded. +Commands like `zfs list` are not included. +When no pool name is specified, the history of all pools is displayed. -`zpool history` can show even more information when the options `-i` or `-l` are provided. `-i` displays user-initiated events as well as internally logged ZFS events. +`zpool history` can show even more information when the options `-i` or `-l` are provided. +`-i` displays user-initiated events as well as internally logged ZFS events. [source,shell] .... @@ -1230,7 +1392,8 @@ History for 'tank': 2013-02-27.18:51:18 zfs create tank/backup .... -More details can be shown by adding `-l`. History records are shown in a long format, including information like the name of the user who issued the command and the hostname on which the change was made. +More details can be shown by adding `-l`. +History records are shown in a long format, including information like the name of the user who issued the command and the hostname on which the change was made. [source,shell] .... @@ -1242,14 +1405,24 @@ History for 'tank': 2013-02-27.18:51:18 zfs create tank/backup [user 0 (root) on myzfsbox:global] .... -The output shows that the `root` user created the mirrored pool with disks [.filename]#/dev/ada0# and [.filename]#/dev/ada1#. The hostname `myzfsbox` is also shown in the commands after the pool's creation. The hostname display becomes important when the pool is exported from one system and imported on another. The commands that are issued on the other system can clearly be distinguished by the hostname that is recorded for each command. +The output shows that the `root` user created the mirrored pool with disks [.filename]#/dev/ada0# and [.filename]#/dev/ada1#. +The hostname `myzfsbox` is also shown in the commands after the pool's creation. +The hostname display becomes important when the pool is exported from one system and imported on another. +The commands that are issued on the other system can clearly be distinguished by the hostname that is recorded for each command. -Both options to `zpool history` can be combined to give the most detailed information possible for any given pool. Pool history provides valuable information when tracking down the actions that were performed or when more detailed output is needed for debugging. +Both options to `zpool history` can be combined to give the most detailed information possible for any given pool. +Pool history provides valuable information when tracking down the actions that were performed or when more detailed output is needed for debugging. [[zfs-zpool-iostat]] === Performance Monitoring -A built-in monitoring system can display pool I/O statistics in real time. It shows the amount of free and used space on the pool, how many read and write operations are being performed per second, and how much I/O bandwidth is currently being utilized. By default, all pools in the system are monitored and displayed. A pool name can be provided to limit monitoring to just that pool. A basic example: +A built-in monitoring system can display pool I/O statistics in real time. +It shows the amount of free and used space on the pool, +how many read and write operations are being performed per second, +and how much I/O bandwidth is currently being utilized. +By default, all pools in the system are monitored and displayed. +A pool name can be provided to limit monitoring to just that pool. +A basic example: [source,shell] .... @@ -1260,9 +1433,17 @@ pool alloc free read write read write data 288G 1.53T 2 11 11.3K 57.1K .... -To continuously monitor I/O activity, a number can be specified as the last parameter, indicating a interval in seconds to wait between updates. The next statistic line is printed after each interval. Press kbd:[Ctrl+C] to stop this continuous monitoring. Alternatively, give a second number on the command line after the interval to specify the total number of statistics to display. +To continuously monitor I/O activity, a number can be specified as the last parameter, +indicating a interval in seconds to wait between updates. +The next statistic line is printed after each interval. +Press kbd:[Ctrl+C] to stop this continuous monitoring. +Alternatively, give a second number on the command line after the interval to specify the total number of statistics to display. -Even more detailed I/O statistics can be displayed with `-v`. Each device in the pool is shown with a statistics line. This is useful in seeing how many read and write operations are being performed on each device, and can help determine if any individual device is slowing down the pool. This example shows a mirrored pool with two devices: +Even more detailed I/O statistics can be displayed with `-v`. +Each device in the pool is shown with a statistics line. +This is useful in seeing how many read and write operations are being performed on each device, +and can help determine if any individual device is slowing down the pool. +This example shows a mirrored pool with two devices: [source,shell] .... @@ -1280,17 +1461,30 @@ data 288G 1.53T 2 12 9.23K 61.5K [[zfs-zpool-split]] === Splitting a Storage Pool -A pool consisting of one or more mirror vdevs can be split into two pools. Unless otherwise specified, the last member of each mirror is detached and used to create a new pool containing the same data. The operation should first be attempted with `-n`. The details of the proposed operation are displayed without it actually being performed. This helps confirm that the operation will do what the user intends. +A pool consisting of one or more mirror vdevs can be split into two pools. +Unless otherwise specified, the last member of each mirror is detached and used to create a new pool containing the same data. +The operation should first be attempted with `-n`. +The details of the proposed operation are displayed without it actually being performed. +This helps confirm that the operation will do what the user intends. [[zfs-zfs]] == `zfs` Administration -The `zfs` utility is responsible for creating, destroying, and managing all ZFS datasets that exist within a pool. The pool is managed using <<zfs-zpool,`zpool`>>. +The `zfs` utility is responsible for creating, destroying, and managing all ZFS datasets that exist within a pool. +The pool is managed using <<zfs-zpool,`zpool`>>. [[zfs-zfs-create]] === Creating and Destroying Datasets -Unlike traditional disks and volume managers, space in ZFS is _not_ preallocated. With traditional file systems, after all of the space is partitioned and assigned, there is no way to add an additional file system without adding a new disk. With ZFS, new file systems can be created at any time. Each <<zfs-term-dataset,_dataset_>> has properties including features like compression, deduplication, caching, and quotas, as well as other useful properties like readonly, case sensitivity, network file sharing, and a mount point. Datasets can be nested inside each other, and child datasets will inherit properties from their parents. Each dataset can be administered, <<zfs-zfs-allow,delegated>>, <<zfs-zfs-send,replicated>>, <<zfs-zfs-snapshot,snapshotted>>, <<zfs-zfs-jail,jailed>>, and destroyed as a unit. There are many advantages to creating a separate dataset for each different type or set of files. The only drawbacks to having an extremely large number of datasets is that some commands like `zfs list` will be slower, and the mounting of hundreds or even thousands of datasets can slow the FreeBSD boot process. +Unlike traditional disks and volume managers, space in ZFS is _not_ preallocated. +With traditional file systems, after all of the space is partitioned and assigned, there is no way to add an additional file system without adding a new disk. +With ZFS, new file systems can be created at any time. +Each <<zfs-term-dataset,_dataset_>> has properties including features like compression, deduplication, caching, and quotas, as well as other useful properties like readonly, case sensitivity, network file sharing, and a mount point. +Datasets can be nested inside each other, and child datasets will inherit properties from their parents. +Each dataset can be administered, <<zfs-zfs-allow,delegated>>, <<zfs-zfs-send,replicated>>, <<zfs-zfs-snapshot,snapshotted>>, <<zfs-zfs-jail,jailed>>, and destroyed as a unit. +There are many advantages to creating a separate dataset for each different type or set of files. +The only drawbacks to having an extremely large number of datasets is that some commands like `zfs list` will be slower, +and the mounting of hundreds or even thousands of datasets can slow the FreeBSD boot process. Create a new dataset and enable <<zfs-term-compression-lz4,LZ4 compression>> on it: @@ -1330,7 +1524,8 @@ mypool/var/mail 144K 93.2G 144K /var/mail mypool/var/tmp 152K 93.2G 152K /var/tmp .... -Destroying a dataset is much quicker than deleting all of the files that reside on the dataset, as it does not involve scanning all of the files and updating all of the corresponding metadata. +Destroying a dataset is much quicker than deleting all of the files that reside on the dataset, +as it does not involve scanning all of the files and updating all of the corresponding metadata. Destroy the previously-created dataset: @@ -1370,14 +1565,23 @@ mypool/var/mail 144K 93.2G 144K /var/mail mypool/var/tmp 152K 93.2G 152K /var/tmp .... -In modern versions of ZFS, `zfs destroy` is asynchronous, and the free space might take several minutes to appear in the pool. Use `zpool get freeing _poolname_` to see the `freeing` property, indicating how many datasets are having their blocks freed in the background. If there are child datasets, like <<zfs-term-snapshot,snapshots>> or other datasets, then the parent cannot be destroyed. To destroy a dataset and all of its children, use `-r` to recursively destroy the dataset and all of its children. Use `-n -v` to list datasets and snapshots that would be destroyed by this operation, but do not actually destroy anything. Space that would be reclaimed by destruction of snapshots is also shown. +In modern versions of ZFS, `zfs destroy` is asynchronous, and the free space might take several minutes to appear in the pool. +Use `zpool get freeing _poolname_` to see the `freeing` property, indicating how many datasets are having their blocks freed in the background. +If there are child datasets, like <<zfs-term-snapshot,snapshots>> or other datasets, then the parent cannot be destroyed. +To destroy a dataset and all of its children, use `-r` to recursively destroy the dataset and all of its children. +Use `-n -v` to list datasets and snapshots that would be destroyed by this operation, but do not actually destroy anything. +Space that would be reclaimed by destruction of snapshots is also shown. [[zfs-zfs-volume]] === Creating and Destroying Volumes -A volume is a special type of dataset. Rather than being mounted as a file system, it is exposed as a block device under [.filename]#/dev/zvol/poolname/dataset#. This allows the volume to be used for other file systems, to back the disks of a virtual machine, or to be exported using protocols like iSCSI or HAST. +A volume is a special type of dataset. +Rather than being mounted as a file system, it is exposed as a block device under [.filename]#/dev/zvol/poolname/dataset#. +This allows the volume to be used for other file systems, to back the disks of a virtual machine, or to be exported using protocols like iSCSI or HAST. -A volume can be formatted with any file system, or used without a file system to store raw data. To the user, a volume appears to be a regular disk. Putting ordinary file systems on these _zvols_ provides features that ordinary disks or file systems do not normally have. For example, using the compression property on a 250 MB volume allows creation of a compressed FAT file system. +A volume can be formatted with any file system, or used without a file system to store raw data. +To the user, a volume appears to be a regular disk. Putting ordinary file systems on these _zvols_ provides features that ordinary disks or file systems do not normally have. +For example, using the compression property on a 250 MB volume allows creation of a compressed FAT file system. [source,shell] .... @@ -1394,12 +1598,17 @@ Filesystem Size Used Avail Capacity Mounted on /dev/zvol/tank/fat32 on /mnt (msdosfs, local) .... -Destroying a volume is much the same as destroying a regular file system dataset. The operation is nearly instantaneous, but it may take several minutes for the free space to be reclaimed in the background. +Destroying a volume is much the same as destroying a regular file system dataset. +The operation is nearly instantaneous, but it may take several minutes for the free space to be reclaimed in the background. [[zfs-zfs-rename]] === Renaming a Dataset -The name of a dataset can be changed with `zfs rename`. The parent of a dataset can also be changed with this command. Renaming a dataset to be under a different parent dataset will change the value of those properties that are inherited from the parent dataset. When a dataset is renamed, it is unmounted and then remounted in the new location (which is inherited from the new parent dataset). This behavior can be prevented with `-u`. +The name of a dataset can be changed with `zfs rename`. +The parent of a dataset can also be changed with this command. +Renaming a dataset to be under a different parent dataset will change the value of those properties that are inherited from the parent dataset. +When a dataset is renamed, it is unmounted and then remounted in the new location (which is inherited from the new parent dataset). +This behavior can be prevented with `-u`. Rename a dataset and move it to be under a different parent dataset: @@ -1440,7 +1649,9 @@ mypool/var/newname 87.5K 93.2G 87.5K /var/newname mypool/var/tmp 152K 93.2G 152K /var/tmp .... -Snapshots can also be renamed like this. Due to the nature of snapshots, they cannot be renamed into a different parent dataset. To rename a recursive snapshot, specify `-r`, and all snapshots with the same name in child datasets will also be renamed. +Snapshots can also be renamed like this. +Due to the nature of snapshots, they cannot be renamed into a different parent dataset. +To rename a recursive snapshot, specify `-r`, and all snapshots with the same name in child datasets will also be renamed. [source,shell] .... @@ -1456,9 +1667,15 @@ mypool/var/newname@new_snapshot_name 0 - 87.5K - [[zfs-zfs-set]] === Setting Dataset Properties -Each ZFS dataset has a number of properties that control its behavior. Most properties are automatically inherited from the parent dataset, but can be overridden locally. Set a property on a dataset with `zfs set _property=value dataset_`. Most properties have a limited set of valid values, `zfs get` will display each possible property and valid values. Most properties can be reverted to their inherited values using `zfs inherit`. +Each ZFS dataset has a number of properties that control its behavior. +Most properties are automatically inherited from the parent dataset, but can be overridden locally. +Set a property on a dataset with `zfs set _property=value dataset_`. +Most properties have a limited set of valid values, `zfs get` will display each possible property and valid values. +Most properties can be reverted to their inherited values using `zfs inherit`. -User-defined properties can also be set. They become part of the dataset configuration and can be used to provide additional information about the dataset or its contents. To distinguish these custom properties from the ones supplied as part of ZFS, a colon (`:`) is used to create a custom namespace for the property. +User-defined properties can also be set. +They become part of the dataset configuration and can be used to provide additional information about the dataset or its contents. +To distinguish these custom properties from the ones supplied as part of ZFS, a colon (`:`) is used to create a custom namespace for the property. [source,shell] .... @@ -1468,7 +1685,9 @@ NAME PROPERTY VALUE SOURCE tank custom:costcenter 1234 local .... -To remove a custom property, use `zfs inherit` with `-r`. If the custom property is not defined in any of the parent datasets, it will be removed completely (although the changes are still recorded in the pool's history). +To remove a custom property, use `zfs inherit` with `-r`. +If the custom property is not defined in any of the parent datasets, +it will be removed completely (although the changes are still recorded in the pool's history). [source,shell] .... @@ -1483,7 +1702,10 @@ tank custom:costcenter - - [[zfs-zfs-set-share]] ==== Getting and Setting Share Properties -Two commonly used and useful dataset properties are the NFS and SMB share options. Setting these define if and how ZFS datasets may be shared on the network. At present, only setting sharing via NFS is supported on FreeBSD. To get the current status of a share, enter: +Two commonly used and useful dataset properties are the NFS and SMB share options. +Setting these define if and how ZFS datasets may be shared on the network. +At present, only setting sharing via NFS is supported on FreeBSD. +To get the current status of a share, enter: [source,shell] .... @@ -1502,7 +1724,8 @@ To enable sharing of a dataset, enter: # zfs set sharenfs=on mypool/usr/home .... -It is also possible to set additional options for sharing datasets through NFS, such as `-alldirs`, `-maproot` and `-network`. To set additional options to a dataset shared through NFS, enter: +It is also possible to set additional options for sharing datasets through NFS, such as `-alldirs`, `-maproot` and `-network`. +To set additional options to a dataset shared through NFS, enter: [source,shell] .... @@ -1512,14 +1735,33 @@ It is also possible to set additional options for sharing datasets through NFS, [[zfs-zfs-snapshot]] === Managing Snapshots -<<zfs-term-snapshot,Snapshots>> are one of the most powerful features of ZFS. A snapshot provides a read-only, point-in-time copy of the dataset. With Copy-On-Write (COW), snapshots can be created quickly by preserving the older version of the data on disk. If no snapshots exist, space is reclaimed for future use when data is rewritten or deleted. Snapshots preserve disk space by recording only the differences between the current dataset and a previous version. Snapshots are allowed only on whole datasets, not on individual files or directories. When a snapshot is created from a dataset, everything contained in it is duplicated. This includes the file system properties, files, directories, permissions, and so on. Snapshots use no additional space when they are first created, only consuming space as the blocks they reference are changed. Recursive snapshots taken with `-r` create a snapshot with the same name on the dataset and all of its children, providing a consistent moment-in-time snapshot of all of the file systems. This can be important when an application has files on multiple datasets that are related or dependent upon each other. Without snapshots, a backup would have copies of the files from different points in time. - -Snapshots in ZFS provide a variety of features that even other file systems with snapshot functionality lack. A typical example of snapshot use is to have a quick way of backing up the current state of the file system when a risky action like a software installation or a system upgrade is performed. If the action fails, the snapshot can be rolled back and the system has the same state as when the snapshot was created. If the upgrade was successful, the snapshot can be deleted to free up space. Without snapshots, a failed upgrade often requires a restore from backup, which is tedious, time consuming, and may require downtime during which the system cannot be used. Snapshots can be rolled back quickly, even while the system is running in normal operation, with little or no downtime. The time savings are enormous with multi-terabyte storage systems and the time required to copy the data from backup. Snapshots are not a replacement for a complete backup of a pool, but can be used as a quick and easy way to store a copy of the dataset at a specific point in time. +<<zfs-term-snapshot,Snapshots>> are one of the most powerful features of ZFS. +A snapshot provides a read-only, point-in-time copy of the dataset. +With Copy-On-Write (COW), snapshots can be created quickly by preserving the older version of the data on disk. +If no snapshots exist, space is reclaimed for future use when data is rewritten or deleted. +Snapshots preserve disk space by recording only the differences between the current dataset and a previous version. +Snapshots are allowed only on whole datasets, not on individual files or directories. +When a snapshot is created from a dataset, everything contained in it is duplicated. +This includes the file system properties, files, directories, permissions, and so on. +Snapshots use no additional space when they are first created, only consuming space as the blocks they reference are changed. +Recursive snapshots taken with `-r` create a snapshot with the same name on the dataset and all of its children, providing a consistent moment-in-time snapshot of all of the file systems. +This can be important when an application has files on multiple datasets that are related or dependent upon each other. +Without snapshots, a backup would have copies of the files from different points in time. + +Snapshots in ZFS provide a variety of features that even other file systems with snapshot functionality lack. +A typical example of snapshot use is to have a quick way of backing up the current state of the file system when a risky action like a software installation or a system upgrade is performed. +If the action fails, the snapshot can be rolled back and the system has the same state as when the snapshot was created. +If the upgrade was successful, the snapshot can be deleted to free up space. +Without snapshots, a failed upgrade often requires a restore from backup, which is tedious, time consuming, and may require downtime during which the system cannot be used. +Snapshots can be rolled back quickly, even while the system is running in normal operation, with little or no downtime. +The time savings are enormous with multi-terabyte storage systems and the time required to copy the data from backup. +Snapshots are not a replacement for a complete backup of a pool, but can be used as a quick and easy way to store a copy of the dataset at a specific point in time. [[zfs-zfs-snapshot-creation]] ==== Creating Snapshots -Snapshots are created with `zfs snapshot _dataset_@_snapshotname_`. Adding `-r` creates a snapshot recursively, with the same name on all child datasets. +Snapshots are created with `zfs snapshot _dataset_@_snapshotname_`. +Adding `-r` creates a snapshot recursively, with the same name on all child datasets. Create a recursive snapshot of the entire pool: @@ -1562,9 +1804,13 @@ mypool/var/newname@my_recursive_snapshot 0 - 87.5K - mypool/var/tmp@my_recursive_snapshot 0 - 152K - .... -Snapshots are not shown by a normal `zfs list` operation. To list snapshots, `-t snapshot` is appended to `zfs list`. `-t all` displays both file systems and snapshots. +Snapshots are not shown by a normal `zfs list` operation. +To list snapshots, `-t snapshot` is appended to `zfs list`. +`-t all` displays both file systems and snapshots. -Snapshots are not mounted directly, so no path is shown in the `MOUNTPOINT` column. There is no mention of available disk space in the `AVAIL` column, as snapshots cannot be written to after they are created. Compare the snapshot to the original dataset from which it was created: +Snapshots are not mounted directly, so no path is shown in the `MOUNTPOINT` column. +There is no mention of available disk space in the `AVAIL` column, as snapshots cannot be written to after they are created. +Compare the snapshot to the original dataset from which it was created: [source,shell] .... @@ -1574,7 +1820,10 @@ mypool/usr/home 184K 93.2G 184K /usr/home mypool/usr/home@my_recursive_snapshot 0 - 184K - .... -Displaying both the dataset and the snapshot together reveals how snapshots work in <<zfs-term-cow,COW>> fashion. They save only the changes (_delta_) that were made and not the complete file system contents all over again. This means that snapshots take little space when few changes are made. Space usage can be made even more apparent by copying a file to the dataset, then making a second snapshot: +Displaying both the dataset and the snapshot together reveals how snapshots work in <<zfs-term-cow,COW>> fashion. +They save only the changes (_delta_) that were made and not the complete file system contents all over again. +This means that snapshots take little space when few changes are made. +Space usage can be made even more apparent by copying a file to the dataset, then making a second snapshot: [source,shell] .... @@ -1587,12 +1836,17 @@ mypool/var/tmp@my_recursive_snapshot 88K - 152K - mypool/var/tmp@after_cp 0 - 118K - .... -The second snapshot contains only the changes to the dataset after the copy operation. This yields enormous space savings. Notice that the size of the snapshot `_mypool/var/tmp@my_recursive_snapshot_` also changed in the `USED` column to indicate the changes between itself and the snapshot taken afterwards. +The second snapshot contains only the changes to the dataset after the copy operation. +This yields enormous space savings. +Notice that the size of the snapshot `_mypool/var/tmp@my_recursive_snapshot_` also changed in the `USED` column to indicate the changes between itself and the snapshot taken afterwards. [[zfs-zfs-snapshot-diff]] ==== Comparing Snapshots -ZFS provides a built-in command to compare the differences in content between two snapshots. This is helpful when many snapshots were taken over time and the user wants to see how the file system has changed over time. For example, `zfs diff` lets a user find the latest snapshot that still contains a file that was accidentally deleted. Doing this for the two snapshots that were created in the previous section yields this output: +ZFS provides a built-in command to compare the differences in content between two snapshots. +This is helpful when many snapshots were taken over time and the user wants to see how the file system has changed over time. +For example, `zfs diff` lets a user find the latest snapshot that still contains a file that was accidentally deleted. +Doing this for the two snapshots that were created in the previous section yields this output: [source,shell] .... @@ -1606,7 +1860,8 @@ M /var/tmp/ + /var/tmp/passwd .... -The command lists the changes between the specified snapshot (in this case `_mypool/var/tmp@my_recursive_snapshot_`) and the live file system. The first column shows the type of change: +The command lists the changes between the specified snapshot (in this case `_mypool/var/tmp@my_recursive_snapshot_`) and the live file system. +The first column shows the type of change: [.informaltable] [cols="20%,80%"] @@ -1644,12 +1899,24 @@ M /var/tmp/ + /var/tmp/passwd .... -A backup administrator can compare two snapshots received from the sending host and determine the actual changes in the dataset. See the <<zfs-zfs-send,Replication>> section for more information. +A backup administrator can compare two snapshots received from the sending host and determine the actual changes in the dataset. +See the <<zfs-zfs-send,Replication>> section for more information. [[zfs-zfs-snapshot-rollback]] ==== Snapshot Rollback -When at least one snapshot is available, it can be rolled back to at any time. Most of the time this is the case when the current state of the dataset is no longer required and an older version is preferred. Scenarios such as local development tests have gone wrong, botched system updates hampering the system's overall functionality, or the requirement to restore accidentally deleted files or directories are all too common occurrences. Luckily, rolling back a snapshot is just as easy as typing `zfs rollback _snapshotname_`. Depending on how many changes are involved, the operation will finish in a certain amount of time. During that time, the dataset always remains in a consistent state, much like a database that conforms to ACID principles is performing a rollback. This is happening while the dataset is live and accessible without requiring a downtime. Once the snapshot has been rolled back, the dataset has the same state as it had when the snapshot was originally taken. All other data in that dataset that was not part of the snapshot is discarded. Taking a snapshot of the current state of the dataset before rolling back to a previous one is a good idea when some data is required later. This way, the user can roll back and forth between snapshots without losing data that is still valuable. +When at least one snapshot is available, it can be rolled back to at any time. +Most of the time this is the case when the current state of the dataset is no longer required and an older version is preferred. +Scenarios such as local development tests have gone wrong, botched system updates hampering the system's overall functionality, +or the requirement to restore accidentally deleted files or directories are all too common occurrences. +Luckily, rolling back a snapshot is just as easy as typing `zfs rollback _snapshotname_`. +Depending on how many changes are involved, the operation will finish in a certain amount of time. +During that time, the dataset always remains in a consistent state, much like a database that conforms to ACID principles is performing a rollback. +This is happening while the dataset is live and accessible without requiring a downtime. +Once the snapshot has been rolled back, the dataset has the same state as it had when the snapshot was originally taken. +All other data in that dataset that was not part of the snapshot is discarded. +Taking a snapshot of the current state of the dataset before rolling back to a previous one is a good idea when some data is required later. +This way, the user can roll back and forth between snapshots without losing data that is still valuable. In the first example, a snapshot is rolled back because of a careless `rm` operation that removes too much data than was intended. @@ -1668,7 +1935,9 @@ passwd passwd.copy vi.recover vi.recover .... -At this point, the user realized that too many files were deleted and wants them back. ZFS provides an easy way to get them back using rollbacks, but only when snapshots of important data are performed on a regular basis. To get the files back and start over from the last snapshot, issue the command: +At this point, the user realized that too many files were deleted and wants them back. +ZFS provides an easy way to get them back using rollbacks, but only when snapshots of important data are performed on a regular basis. +To get the files back and start over from the last snapshot, issue the command: [source,shell] .... @@ -1677,7 +1946,9 @@ At this point, the user realized that too many files were deleted and wants them passwd passwd.copy vi.recover .... -The rollback operation restored the dataset to the state of the last snapshot. It is also possible to roll back to a snapshot that was taken much earlier and has other snapshots that were created after it. When trying to do this, ZFS will issue this warning: +The rollback operation restored the dataset to the state of the last snapshot. +It is also possible to roll back to a snapshot that was taken much earlier and has other snapshots that were created after it. +When trying to do this, ZFS will issue this warning: [source,shell] .... @@ -1693,7 +1964,11 @@ mypool/var/tmp@after_cp mypool/var/tmp@diff_snapshot .... -This warning means that snapshots exist between the current state of the dataset and the snapshot to which the user wants to roll back. To complete the rollback, these snapshots must be deleted. ZFS cannot track all the changes between different states of the dataset, because snapshots are read-only. ZFS will not delete the affected snapshots unless the user specifies `-r` to indicate that this is the desired action. If that is the intention, and the consequences of losing all intermediate snapshots is understood, the command can be issued: +This warning means that snapshots exist between the current state of the dataset and the snapshot to which the user wants to roll back. +To complete the rollback, these snapshots must be deleted. +ZFS cannot track all the changes between different states of the dataset, because snapshots are read-only. +ZFS will not delete the affected snapshots unless the user specifies `-r` to indicate that this is the desired action. +If that is the intention, and the consequences of losing all intermediate snapshots is understood, the command can be issued: [source,shell] .... @@ -1710,7 +1985,11 @@ The output from `zfs list -t snapshot` confirms that the intermediate snapshots [[zfs-zfs-snapshot-snapdir]] ==== Restoring Individual Files from Snapshots -Snapshots are mounted in a hidden directory under the parent dataset: [.filename]#.zfs/snapshots/snapshotname#. By default, these directories will not be displayed even when a standard `ls -a` is issued. Although the directory is not displayed, it is there nevertheless and can be accessed like any normal directory. The property named `snapdir` controls whether these hidden directories show up in a directory listing. Setting the property to `visible` allows them to appear in the output of `ls` and other commands that deal with directory contents. +Snapshots are mounted in a hidden directory under the parent dataset: [.filename]#.zfs/snapshots/snapshotname#. +By default, these directories will not be displayed even when a standard `ls -a` is issued. +Although the directory is not displayed, it is there nevertheless and can be accessed like any normal directory. +The property named `snapdir` controls whether these hidden directories show up in a directory listing. +Setting the property to `visible` allows them to appear in the output of `ls` and other commands that deal with directory contents. [source,shell] .... @@ -1724,7 +2003,9 @@ mypool/var/tmp snapdir hidden default . .. .zfs passwd vi.recover .... -Individual files can easily be restored to a previous state by copying them from the snapshot back to the parent dataset. The directory structure below [.filename]#.zfs/snapshot# has a directory named exactly like the snapshots taken earlier to make it easier to identify them. In the next example, it is assumed that a file is to be restored from the hidden [.filename]#.zfs# directory by copying it from the snapshot that contained the latest version of the file: +Individual files can easily be restored to a previous state by copying them from the snapshot back to the parent dataset. +The directory structure below [.filename]#.zfs/snapshot# has a directory named exactly like the snapshots taken earlier to make it easier to identify them. +In the next example, it is assumed that a file is to be restored from the hidden [.filename]#.zfs# directory by copying it from the snapshot that contained the latest version of the file: [source,shell] .... @@ -1738,7 +2019,11 @@ passwd vi.recover # cp /var/tmp/.zfs/snapshot/after_cp/passwd /var/tmp .... -When `ls .zfs/snapshot` was issued, the `snapdir` property might have been set to hidden, but it would still be possible to list the contents of that directory. It is up to the administrator to decide whether these directories will be displayed. It is possible to display these for certain datasets and prevent it for others. Copying files or directories from this hidden [.filename]#.zfs/snapshot# is simple enough. Trying it the other way around results in this error: +When `ls .zfs/snapshot` was issued, the `snapdir` property might have been set to hidden, but it would still be possible to list the contents of that directory. +It is up to the administrator to decide whether these directories will be displayed. +It is possible to display these for certain datasets and prevent it for others. +Copying files or directories from this hidden [.filename]#.zfs/snapshot# is simple enough. +Trying it the other way around results in this error: [source,shell] .... @@ -1746,16 +2031,26 @@ When `ls .zfs/snapshot` was issued, the `snapdir` property might have been set t cp: /var/tmp/.zfs/snapshot/after_cp/rc.conf: Read-only file system .... -The error reminds the user that snapshots are read-only and cannot be changed after creation. Files cannot be copied into or removed from snapshot directories because that would change the state of the dataset they represent. +The error reminds the user that snapshots are read-only and cannot be changed after creation. +Files cannot be copied into or removed from snapshot directories because that would change the state of the dataset they represent. -Snapshots consume space based on how much the parent file system has changed since the time of the snapshot. The `written` property of a snapshot tracks how much space is being used by the snapshot. +Snapshots consume space based on how much the parent file system has changed since the time of the snapshot. +The `written` property of a snapshot tracks how much space is being used by the snapshot. -Snapshots are destroyed and the space reclaimed with `zfs destroy _dataset_@_snapshot_`. Adding `-r` recursively removes all snapshots with the same name under the parent dataset. Adding `-n -v` to the command displays a list of the snapshots that would be deleted and an estimate of how much space would be reclaimed without performing the actual destroy operation. +Snapshots are destroyed and the space reclaimed with `zfs destroy _dataset_@_snapshot_`. +Adding `-r` recursively removes all snapshots with the same name under the parent dataset. +Adding `-n -v` to the command displays a list of the snapshots that would be deleted and an estimate of how much space would be reclaimed without performing the actual destroy operation. [[zfs-zfs-clones]] === Managing Clones -A clone is a copy of a snapshot that is treated more like a regular dataset. Unlike a snapshot, a clone is not read only, is mounted, and can have its own properties. Once a clone has been created using `zfs clone`, the snapshot it was created from cannot be destroyed. The child/parent relationship between the clone and the snapshot can be reversed using `zfs promote`. After a clone has been promoted, the snapshot becomes a child of the clone, rather than of the original parent dataset. This will change how the space is accounted, but not actually change the amount of space consumed. The clone can be mounted at any point within the ZFS file system hierarchy, not just below the original location of the snapshot. +A clone is a copy of a snapshot that is treated more like a regular dataset. +Unlike a snapshot, a clone is not read only, is mounted, and can have its own properties. +Once a clone has been created using `zfs clone`, the snapshot it was created from cannot be destroyed. +The child/parent relationship between the clone and the snapshot can be reversed using `zfs promote`. +After a clone has been promoted, the snapshot becomes a child of the clone, rather than of the original parent dataset. +This will change how the space is accounted, but not actually change the amount of space consumed. +The clone can be mounted at any point within the ZFS file system hierarchy, not just below the original location of the snapshot. To demonstrate the clone feature, this example dataset is used: @@ -1768,7 +2063,10 @@ camino/home/joe@plans 21K - 85.5K - camino/home/joe@backup 0K - 87K - .... -A typical use for clones is to experiment with a specific dataset while keeping the snapshot around to fall back to in case something goes wrong. Since snapshots cannot be changed, a read/write clone of a snapshot is created. After the desired result is achieved in the clone, the clone can be promoted to a dataset and the old file system removed. This is not strictly necessary, as the clone and dataset can coexist without problems. +A typical use for clones is to experiment with a specific dataset while keeping the snapshot around to fall back to in case something goes wrong. +Since snapshots cannot be changed, a read/write clone of a snapshot is created. +After the desired result is achieved in the clone, the clone can be promoted to a dataset and the old file system removed. +This is not strictly necessary, as the clone and dataset can coexist without problems. [source,shell] .... @@ -1785,7 +2083,12 @@ usr/home/joe 1.3G 31k 1.3G 0% /usr/home/joe usr/home/joenew 1.3G 31k 1.3G 0% /usr/home/joenew .... -After a clone is created it is an exact copy of the state the dataset was in when the snapshot was taken. The clone can now be changed independently from its originating dataset. The only connection between the two is the snapshot. ZFS records this connection in the property `origin`. Once the dependency between the snapshot and the clone has been removed by promoting the clone using `zfs promote`, the `origin` of the clone is removed as it is now an independent dataset. This example demonstrates it: +After a clone is created it is an exact copy of the state the dataset was in when the snapshot was taken. +The clone can now be changed independently from its originating dataset. +The only connection between the two is the snapshot. +ZFS records this connection in the property `origin`. +Once the dependency between the snapshot and the clone has been removed by promoting the clone using `zfs promote`, the `origin` of the clone is removed as it is now an independent dataset. +This example demonstrates it: [source,shell] .... @@ -1798,7 +2101,9 @@ NAME PROPERTY VALUE SOURCE camino/home/joenew origin - - .... -After making some changes like copying [.filename]#loader.conf# to the promoted clone, for example, the old directory becomes obsolete in this case. Instead, the promoted clone can replace it. This can be achieved by two consecutive commands: `zfs destroy` on the old dataset and `zfs rename` on the clone to name it like the old dataset (it could also get an entirely different name). +After making some changes like copying [.filename]#loader.conf# to the promoted clone, for example, the old directory becomes obsolete in this case. +Instead, the promoted clone can replace it. +This can be achieved by two consecutive commands: `zfs destroy` on the old dataset and `zfs rename` on the clone to name it like the old dataset (it could also get an entirely different name). [source,shell] .... @@ -1812,12 +2117,23 @@ Filesystem Size Used Avail Capacity Mounted on usr/home/joe 1.3G 128k 1.3G 0% /usr/home/joe .... -The cloned snapshot is now handled like an ordinary dataset. It contains all the data from the original snapshot plus the files that were added to it like [.filename]#loader.conf#. Clones can be used in different scenarios to provide useful features to ZFS users. For example, jails could be provided as snapshots containing different sets of installed applications. Users can clone these snapshots and add their own applications as they see fit. Once they are satisfied with the changes, the clones can be promoted to full datasets and provided to end users to work with like they would with a real dataset. This saves time and administrative overhead when providing these jails. +The cloned snapshot is now handled like an ordinary dataset. +It contains all the data from the original snapshot plus the files that were added to it like [.filename]#loader.conf#. +Clones can be used in different scenarios to provide useful features to ZFS users. +For example, jails could be provided as snapshots containing different sets of installed applications. +Users can clone these snapshots and add their own applications as they see fit. +Once they are satisfied with the changes, the clones can be promoted to full datasets and provided to end users to work with like they would with a real dataset. +This saves time and administrative overhead when providing these jails. [[zfs-zfs-send]] === Replication -Keeping data on a single pool in one location exposes it to risks like theft and natural or human disasters. Making regular backups of the entire pool is vital. ZFS provides a built-in serialization feature that can send a stream representation of the data to standard output. Using this technique, it is possible to not only store the data on another pool connected to the local system, but also to send it over a network to another system. Snapshots are the basis for this replication (see the section on <<zfs-zfs-snapshot,ZFS snapshots>>). The commands used for replicating data are `zfs send` and `zfs receive`. +Keeping data on a single pool in one location exposes it to risks like theft and natural or human disasters. +Making regular backups of the entire pool is vital. +ZFS provides a built-in serialization feature that can send a stream representation of the data to standard output. +Using this technique, it is possible to not only store the data on another pool connected to the local system, but also to send it over a network to another system. +Snapshots are the basis for this replication (see the section on <<zfs-zfs-snapshot,ZFS snapshots>>). +The commands used for replicating data are `zfs send` and `zfs receive`. These examples demonstrate ZFS replication with these two pools: @@ -1829,7 +2145,13 @@ backup 960M 77K 896M - - 0% 0% 1.00x ONLINE - mypool 984M 43.7M 940M - - 0% 4% 1.00x ONLINE - .... -The pool named _mypool_ is the primary pool where data is written to and read from on a regular basis. A second pool, _backup_ is used as a standby in case the primary pool becomes unavailable. Note that this fail-over is not done automatically by ZFS, but must be manually done by a system administrator when needed. A snapshot is used to provide a consistent version of the file system to be replicated. Once a snapshot of _mypool_ has been created, it can be copied to the _backup_ pool. Only snapshots can be replicated. Changes made since the most recent snapshot will not be included. +The pool named _mypool_ is the primary pool where data is written to and read from on a regular basis. +A second pool, _backup_ is used as a standby in case the primary pool becomes unavailable. +Note that this fail-over is not done automatically by ZFS, but must be manually done by a system administrator when needed. +A snapshot is used to provide a consistent version of the file system to be replicated. +Once a snapshot of _mypool_ has been created, it can be copied to the _backup_ pool. +Only snapshots can be replicated. +Changes made since the most recent snapshot will not be included. [source,shell] .... @@ -1839,7 +2161,9 @@ NAME USED AVAIL REFER MOUNTPOINT mypool@backup1 0 - 43.6M - .... -Now that a snapshot exists, `zfs send` can be used to create a stream representing the contents of the snapshot. This stream can be stored as a file or received by another pool. The stream is written to standard output, but must be redirected to a file or pipe or an error is produced: +Now that a snapshot exists, `zfs send` can be used to create a stream representing the contents of the snapshot. +This stream can be stored as a file or received by another pool. +The stream is written to standard output, but must be redirected to a file or pipe or an error is produced: [source,shell] .... @@ -1848,7 +2172,8 @@ Error: Stream can not be written to a terminal. You must redirect standard output. .... -To back up a dataset with `zfs send`, redirect to a file located on the mounted backup pool. Ensure that the pool has enough free space to accommodate the size of the snapshot being sent, which means all of the data contained in the snapshot, not just the changes from the previous snapshot. +To back up a dataset with `zfs send`, redirect to a file located on the mounted backup pool. +Ensure that the pool has enough free space to accommodate the size of the snapshot being sent, which means all of the data contained in the snapshot, not just the changes from the previous snapshot. [source,shell] .... @@ -1859,9 +2184,14 @@ backup 960M 63.7M 896M - - 0% 6% 1.00x ONLINE - mypool 984M 43.7M 940M - - 0% 4% 1.00x ONLINE - .... -The `zfs send` transferred all the data in the snapshot called _backup1_ to the pool named _backup_. Creating and sending these snapshots can be done automatically with a man:cron[8] job. +The `zfs send` transferred all the data in the snapshot called _backup1_ to the pool named _backup_. +Creating and sending these snapshots can be done automatically with a man:cron[8] job. -Instead of storing the backups as archive files, ZFS can receive them as a live file system, allowing the backed up data to be accessed directly. To get to the actual data contained in those streams, `zfs receive` is used to transform the streams back into files and directories. The example below combines `zfs send` and `zfs receive` using a pipe to copy the data from one pool to another. The data can be used directly on the receiving pool after the transfer is complete. A dataset can only be replicated to an empty dataset. +Instead of storing the backups as archive files, ZFS can receive them as a live file system, allowing the backed up data to be accessed directly. +To get to the actual data contained in those streams, `zfs receive` is used to transform the streams back into files and directories. +The example below combines `zfs send` and `zfs receive` using a pipe to copy the data from one pool to another. +The data can be used directly on the receiving pool after the transfer is complete. +A dataset can only be replicated to an empty dataset. [source,shell] .... @@ -1880,7 +2210,9 @@ mypool 984M 43.7M 940M - - 0% 4% 1.00x ONLINE - [[zfs-send-incremental]] ==== Incremental Backups -`zfs send` can also determine the difference between two snapshots and send only the differences between the two. This saves disk space and transfer time. For example: +`zfs send` can also determine the difference between two snapshots and send only the differences between the two. +This saves disk space and transfer time. +For example: [source,shell] .... @@ -1895,7 +2227,10 @@ backup 960M 61.7M 898M - - 0% 6% 1.00x ONLINE - mypool 960M 50.2M 910M - - 0% 5% 1.00x ONLINE - .... -A second snapshot called _replica2_ was created. This second snapshot contains only the changes that were made to the file system between now and the previous snapshot, _replica1_. Using `zfs send -i` and indicating the pair of snapshots generates an incremental replica stream containing only the data that has changed. This can only succeed if the initial snapshot already exists on the receiving side. +A second snapshot called _replica2_ was created. +This second snapshot contains only the changes that were made to the file system between now and the previous snapshot, _replica1_. +Using `zfs send -i` and indicating the pair of snapshots generates an incremental replica stream containing only the data that has changed. +This can only succeed if the initial snapshot already exists on the receiving side. [source,shell] .... @@ -1923,16 +2258,29 @@ mypool@replica1 29.9K - 50.0M - mypool@replica2 0 - 55.0M - .... -The incremental stream was successfully transferred. Only the data that had changed was replicated, rather than the entirety of _replica1_. Only the differences were sent, which took much less time to transfer and saved disk space by not copying the complete pool each time. This is useful when having to rely on slow networks or when costs per transferred byte must be considered. +The incremental stream was successfully transferred. +Only the data that had changed was replicated, rather than the entirety of _replica1_. +Only the differences were sent, which took much less time to transfer and saved disk space by not copying the complete pool each time. +This is useful when having to rely on slow networks or when costs per transferred byte must be considered. -A new file system, _backup/mypool_, is available with all of the files and data from the pool _mypool_. If `-P` is specified, the properties of the dataset will be copied, including compression settings, quotas, and mount points. When `-R` is specified, all child datasets of the indicated dataset will be copied, along with all of their properties. Sending and receiving can be automated so that regular backups are created on the second pool. +A new file system, _backup/mypool_, is available with all of the files and data from the pool _mypool_. +If `-P` is specified, the properties of the dataset will be copied, including compression settings, quotas, and mount points. +When `-R` is specified, all child datasets of the indicated dataset will be copied, along with all of their properties. +Sending and receiving can be automated so that regular backups are created on the second pool. [[zfs-send-ssh]] ==== Sending Encrypted Backups over SSH -Sending streams over the network is a good way to keep a remote backup, but it does come with a drawback. Data sent over the network link is not encrypted, allowing anyone to intercept and transform the streams back into data without the knowledge of the sending user. This is undesirable, especially when sending the streams over the internet to a remote host. SSH can be used to securely encrypt data send over a network connection. Since ZFS only requires the stream to be redirected from standard output, it is relatively easy to pipe it through SSH. To keep the contents of the file system encrypted in transit and on the remote system, consider using https://wiki.freebsd.org/PEFS[PEFS]. +Sending streams over the network is a good way to keep a remote backup, but it does come with a drawback. +Data sent over the network link is not encrypted, allowing anyone to intercept and transform the streams back into data without the knowledge of the sending user. +This is undesirable, especially when sending the streams over the internet to a remote host. +SSH can be used to securely encrypt data send over a network connection. +Since ZFS only requires the stream to be redirected from standard output, it is relatively easy to pipe it through SSH. +To keep the contents of the file system encrypted in transit and on the remote system, consider using https://wiki.freebsd.org/PEFS[PEFS]. -A few settings and security precautions must be completed first. Only the necessary steps required for the `zfs send` operation are shown here. For more information on SSH, see crossref:security[openssh,"OpenSSH"]. +A few settings and security precautions must be completed first. +Only the necessary steps required for the `zfs send` operation are shown here. +For more information on SSH, see crossref:security[openssh,"OpenSSH"]. This configuration is required: @@ -1965,14 +2313,26 @@ The unprivileged user now has the ability to receive and mount datasets, and the % zfs send -R mypool/home@monday | ssh someuser@backuphost zfs recv -dvu recvpool/backup .... -A recursive snapshot called _monday_ is made of the file system dataset _home_ that resides on the pool _mypool_. Then it is sent with `zfs send -R` to include the dataset, all child datasets, snapshots, clones, and settings in the stream. The output is piped to the waiting `zfs receive` on the remote host _backuphost_ through SSH. Using a fully qualified domain name or IP address is recommended. The receiving machine writes the data to the _backup_ dataset on the _recvpool_ pool. Adding `-d` to `zfs recv` overwrites the name of the pool on the receiving side with the name of the snapshot. `-u` causes the file systems to not be mounted on the receiving side. When `-v` is included, more detail about the transfer is shown, including elapsed time and the amount of data transferred. +A recursive snapshot called _monday_ is made of the file system dataset _home_ that resides on the pool _mypool_. +Then it is sent with `zfs send -R` to include the dataset, all child datasets, snapshots, clones, and settings in the stream. +The output is piped to the waiting `zfs receive` on the remote host _backuphost_ through SSH. +Using a fully qualified domain name or IP address is recommended. +The receiving machine writes the data to the _backup_ dataset on the _recvpool_ pool. +Adding `-d` to `zfs recv` overwrites the name of the pool on the receiving side with the name of the snapshot. +`-u` causes the file systems to not be mounted on the receiving side. +When `-v` is included, more detail about the transfer is shown, including elapsed time and the amount of data transferred. [[zfs-zfs-quota]] === Dataset, User, and Group Quotas -<<zfs-term-quota,Dataset quotas>> are used to restrict the amount of space that can be consumed by a particular dataset. <<zfs-term-refquota,Reference Quotas>> work in very much the same way, but only count the space used by the dataset itself, excluding snapshots and child datasets. Similarly, <<zfs-term-userquota,user>> and <<zfs-term-groupquota,group>> quotas can be used to prevent users or groups from using all of the space in the pool or dataset. +<<zfs-term-quota,Dataset quotas>> are used to restrict the amount of space that can be consumed by a particular dataset. +<<zfs-term-refquota,Reference Quotas>> work in very much the same way, but only count the space used by the dataset itself, excluding snapshots and child datasets. +Similarly, <<zfs-term-userquota,user>> and <<zfs-term-groupquota,group>> quotas can be used to prevent users or groups from using all of the space in the pool or dataset. -The following examples assume that the users already exist in the system. Before adding a user to the system, make sure to create their home dataset first and set the `mountpoint` to `/home/_bob_`. Then, create the user and make the home directory point to the dataset's `mountpoint` location. This will properly set owner and group permissions without shadowing any pre-existing home directory paths that might exist. +The following examples assume that the users already exist in the system. +Before adding a user to the system, make sure to create their home dataset first and set the `mountpoint` to `/home/_bob_`. +Then, create the user and make the home directory point to the dataset's `mountpoint` location. +This will properly set owner and group permissions without shadowing any pre-existing home directory paths that might exist. To enforce a dataset quota of 10 GB for [.filename]#storage/home/bob#: @@ -2018,7 +2378,9 @@ To remove any quota: [NOTE] ==== -User quota properties are not displayed by `zfs get all`. Non-`root` users can only see their own quotas unless they have been granted the `userquota` privilege. Users with this privilege are able to view and set everyone's quota. +User quota properties are not displayed by `zfs get all`. +Non-`root` users can only see their own quotas unless they have been granted the `userquota` privilege. +Users with this privilege are able to view and set everyone's quota. ==== The general format for setting a group quota is: `groupquota@_group_=_size_`. @@ -2037,9 +2399,12 @@ To remove the quota for the group _firstgroup_, or to make sure that one is not # zfs set groupquota@firstgroup=none .... -As with the user quota property, non-`root` users can only see the quotas associated with the groups to which they belong. However, `root` or a user with the `groupquota` privilege can view and set all quotas for all groups. +As with the user quota property, non-`root` users can only see the quotas associated with the groups to which they belong. +However, `root` or a user with the `groupquota` privilege can view and set all quotas for all groups. -To display the amount of space used by each user on a file system or snapshot along with any quotas, use `zfs userspace`. For group information, use `zfs groupspace`. For more information about supported options or how to display only specific options, refer to man:zfs[1]. +To display the amount of space used by each user on a file system or snapshot along with any quotas, use `zfs userspace`. +For group information, use `zfs groupspace`. +For more information about supported options or how to display only specific options, refer to man:zfs[1]. Users with sufficient privileges, and `root`, can list the quota for [.filename]#storage/home/bob# using: @@ -2051,7 +2416,9 @@ Users with sufficient privileges, and `root`, can list the quota for [.filename] [[zfs-zfs-reservation]] === Reservations -<<zfs-term-reservation,Reservations>> guarantee a minimum amount of space will always be available on a dataset. The reserved space will not be available to any other dataset. This feature can be especially useful to ensure that free space is available for an important dataset or log files. +<<zfs-term-reservation,Reservations>> guarantee a minimum amount of space will always be available on a dataset. +The reserved space will not be available to any other dataset. +This feature can be especially useful to ensure that free space is available for an important dataset or log files. The general format of the `reservation` property is `reservation=_size_`, so to set a reservation of 10 GB on [.filename]#storage/home/bob#, use: @@ -2080,9 +2447,16 @@ This command shows any reservations or refreservations that exist on [.filename] [[zfs-zfs-compression]] === Compression -ZFS provides transparent compression. Compressing data at the block level as it is written not only saves space, but can also increase disk throughput. If data is compressed by 25%, but the compressed data is written to the disk at the same rate as the uncompressed version, resulting in an effective write speed of 125%. Compression can also be a great alternative to <<zfs-zfs-deduplication,Deduplication>> because it does not require additional memory. +ZFS provides transparent compression. +Compressing data at the block level as it is written not only saves space, but can also increase disk throughput. +If data is compressed by 25%, but the compressed data is written to the disk at the same rate as the uncompressed version, resulting in an effective write speed of 125%. +Compression can also be a great alternative to <<zfs-zfs-deduplication,Deduplication>> because it does not require additional memory. -ZFS offers several different compression algorithms, each with different trade-offs. With the introduction of LZ4 compression in ZFS v5000, it is possible to enable compression for the entire pool without the large performance trade-off of other algorithms. The biggest advantage to LZ4 is the _early abort_ feature. If LZ4 does not achieve at least 12.5% compression in the first part of the data, the block is written uncompressed to avoid wasting CPU cycles trying to compress data that is either already compressed or uncompressible. For details about the different compression algorithms available in ZFS, see the <<zfs-term-compression,Compression>> entry in the terminology section. +ZFS offers several different compression algorithms, each with different trade-offs. +With the introduction of LZ4 compression in ZFS v5000, it is possible to enable compression for the entire pool without the large performance trade-off of other algorithms. +The biggest advantage to LZ4 is the _early abort_ feature. +If LZ4 does not achieve at least 12.5% compression in the first part of the data, the block is written uncompressed to avoid wasting CPU cycles trying to compress data that is either already compressed or uncompressible. +For details about the different compression algorithms available in ZFS, see the <<zfs-term-compression,Compression>> entry in the terminology section. The administrator can monitor the effectiveness of compression using a number of dataset properties. @@ -2096,29 +2470,52 @@ mypool/compressed_dataset compression lz4 local mypool/compressed_dataset logicalused 496G - .... -The dataset is currently using 449 GB of space (the used property). Without compression, it would have taken 496 GB of space (the `logicalused` property). This results in the 1.11:1 compression ratio. +The dataset is currently using 449 GB of space (the used property). +Without compression, it would have taken 496 GB of space (the `logicalused` property). +This results in the 1.11:1 compression ratio. -Compression can have an unexpected side effect when combined with <<zfs-term-userquota,User Quotas>>. User quotas restrict how much space a user can consume on a dataset, but the measurements are based on how much space is used _after compression_. So if a user has a quota of 10 GB, and writes 10 GB of compressible data, they will still be able to store additional data. If they later update a file, say a database, with more or less compressible data, the amount of space available to them will change. This can result in the odd situation where a user did not increase the actual amount of data (the `logicalused` property), but the change in compression caused them to reach their quota limit. +Compression can have an unexpected side effect when combined with <<zfs-term-userquota,User Quotas>>. +User quotas restrict how much space a user can consume on a dataset, but the measurements are based on how much space is used _after compression_. +So if a user has a quota of 10 GB, and writes 10 GB of compressible data, they will still be able to store additional data. +If they later update a file, say a database, with more or less compressible data, the amount of space available to them will change. +This can result in the odd situation where a user did not increase the actual amount of data (the `logicalused` property), but the change in compression caused them to reach their quota limit. -Compression can have a similar unexpected interaction with backups. Quotas are often used to limit how much data can be stored to ensure there is sufficient backup space available. However since quotas do not consider compression, more data may be written than would fit with uncompressed backups. +Compression can have a similar unexpected interaction with backups. +Quotas are often used to limit how much data can be stored to ensure there is sufficient backup space available. +However since quotas do not consider compression, more data may be written than would fit with uncompressed backups. [[zfs-zfs-compression-zstd]] === Zstandard Compression -In OpenZFS 2.0, a new compression algorithm was added. Zstandard (Zstd) offers higher compression ratios than the default LZ4 while offering much greater speeds than the alternative, gzip. OpenZFS 2.0 is available starting with FreeBSD 12.1-RELEASE via package:sysutils/openzfs[] and has been the default in FreeBSD 13-CURRENT since September 2020, and will by in FreeBSD 13.0-RELEASE. +In OpenZFS 2.0, a new compression algorithm was added. +Zstandard (Zstd) offers higher compression ratios than the default LZ4 while offering much greater speeds than the alternative, gzip. OpenZFS 2.0 is available starting with FreeBSD 12.1-RELEASE via package:sysutils/openzfs[] and has been the default in FreeBSD 13-CURRENT since September 2020, and will by in FreeBSD 13.0-RELEASE. -Zstd provides a large selection of compression levels, providing fine-grained control over performance versus compression ratio. One of the main advantages of Zstd is that the decompression speed is independent of the compression level. For data that is written once but read many times, Zstd allows the use of the highest compression levels without a read performance penalty. +Zstd provides a large selection of compression levels, providing fine-grained control over performance versus compression ratio. +One of the main advantages of Zstd is that the decompression speed is independent of the compression level. +For data that is written once but read many times, Zstd allows the use of the highest compression levels without a read performance penalty. -Even when data is updated frequently, there are often performance gains that come from enabling compression. One of the biggest advantages comes from the compressed ARC feature. ZFS's Adaptive Replacement Cache (ARC) caches the compressed version of the data in RAM, decompressing it each time it is needed. This allows the same amount of RAM to store more data and metadata, increasing the cache hit ratio. +Even when data is updated frequently, there are often performance gains that come from enabling compression. +One of the biggest advantages comes from the compressed ARC feature. +ZFS's Adaptive Replacement Cache (ARC) caches the compressed version of the data in RAM, decompressing it each time it is needed. +This allows the same amount of RAM to store more data and metadata, increasing the cache hit ratio. -ZFS offers 19 levels of Zstd compression, each offering incrementally more space savings in exchange for slower compression. The default level is `zstd-3` and offers greater compression than LZ4 without being significantly slower. Levels above 10 require significant amounts of memory to compress each block, so they are discouraged on systems with less than 16 GB of RAM. ZFS also implements a selection of the Zstd_fast_ levels, which get correspondingly faster but offer lower compression ratios. ZFS supports `zstd-fast-1` through `zstd-fast-10`, `zstd-fast-20` through `zstd-fast-100` in increments of 10, and finally `zstd-fast-500` and `zstd-fast-1000` which provide minimal compression, but offer very high performance. +ZFS offers 19 levels of Zstd compression, each offering incrementally more space savings in exchange for slower compression. +The default level is `zstd-3` and offers greater compression than LZ4 without being significantly slower. +Levels above 10 require significant amounts of memory to compress each block, so they are discouraged on systems with less than 16 GB of RAM. +ZFS also implements a selection of the Zstd_fast_ levels, which get correspondingly faster but offer lower compression ratios. +ZFS supports `zstd-fast-1` through `zstd-fast-10`, `zstd-fast-20` through `zstd-fast-100` in increments of 10, and finally `zstd-fast-500` and `zstd-fast-1000` which provide minimal compression, but offer very high performance. -If ZFS is not able to allocate the required memory to compress a block with Zstd, it will fall back to storing the block uncompressed. This is unlikely to happen outside of the highest levels of Zstd on systems that are memory constrained. The sysctl `kstat.zfs.misc.zstd.compress_alloc_fail` counts how many times this has occurred since the ZFS module was loaded. +If ZFS is not able to allocate the required memory to compress a block with Zstd, it will fall back to storing the block uncompressed. +This is unlikely to happen outside of the highest levels of Zstd on systems that are memory constrained. +The sysctl `kstat.zfs.misc.zstd.compress_alloc_fail` counts how many times this has occurred since the ZFS module was loaded. [[zfs-zfs-deduplication]] === Deduplication -When enabled, <<zfs-term-deduplication,deduplication>> uses the checksum of each block to detect duplicate blocks. When a new block is a duplicate of an existing block, ZFS writes an additional reference to the existing data instead of the whole duplicate block. Tremendous space savings are possible if the data contains many duplicated files or repeated information. Be warned: deduplication requires an extremely large amount of memory, and most of the space savings can be had without the extra cost by enabling compression instead. +When enabled, <<zfs-term-deduplication,deduplication>> uses the checksum of each block to detect duplicate blocks. +When a new block is a duplicate of an existing block, ZFS writes an additional reference to the existing data instead of the whole duplicate block. +Tremendous space savings are possible if the data contains many duplicated files or repeated information. +Be warned: deduplication requires an extremely large amount of memory, and most of the space savings can be had without the extra cost by enabling compression instead. To activate deduplication, set the `dedup` property on the target pool: @@ -2127,7 +2524,9 @@ To activate deduplication, set the `dedup` property on the target pool: # zfs set dedup=on pool .... -Only new data being written to the pool will be deduplicated. Data that has already been written to the pool will not be deduplicated merely by activating this option. A pool with a freshly activated deduplication property will look like this example: +Only new data being written to the pool will be deduplicated. +Data that has already been written to the pool will not be deduplicated merely by activating this option. +A pool with a freshly activated deduplication property will look like this example: [source,shell] .... @@ -2136,7 +2535,9 @@ NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTRO pool 2.84G 2.19M 2.83G - - 0% 0% 1.00x ONLINE - .... -The `DEDUP` column shows the actual rate of deduplication for the pool. A value of `1.00x` shows that data has not been deduplicated yet. In the next example, the ports tree is copied three times into different directories on the deduplicated pool created above. +The `DEDUP` column shows the actual rate of deduplication for the pool. +A value of `1.00x` shows that data has not been deduplicated yet. +In the next example, the ports tree is copied three times into different directories on the deduplicated pool created above. [source,shell] .... @@ -2154,9 +2555,12 @@ NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROO pool 2.84G 20.9M 2.82G - - 0% 0% 3.00x ONLINE - .... -The `DEDUP` column shows a factor of `3.00x`. Multiple copies of the ports tree data was detected and deduplicated, using only a third of the space. The potential for space savings can be enormous, but comes at the cost of having enough memory to keep track of the deduplicated blocks. +The `DEDUP` column shows a factor of `3.00x`. +Multiple copies of the ports tree data was detected and deduplicated, using only a third of the space. +The potential for space savings can be enormous, but comes at the cost of having enough memory to keep track of the deduplicated blocks. -Deduplication is not always beneficial, especially when the data on a pool is not redundant. ZFS can show potential space savings by simulating deduplication on an existing pool: +Deduplication is not always beneficial, especially when the data on a pool is not redundant. +ZFS can show potential space savings by simulating deduplication on an existing pool: [source,shell] .... @@ -2182,27 +2586,45 @@ refcnt blocks LSIZE PSIZE DSIZE blocks LSIZE PSIZE DSIZE dedup = 1.05, compress = 1.11, copies = 1.00, dedup * compress / copies = 1.16 .... -After `zdb -S` finishes analyzing the pool, it shows the space reduction ratio that would be achieved by activating deduplication. In this case, `1.16` is a very poor space saving ratio that is mostly provided by compression. Activating deduplication on this pool would not save any significant amount of space, and is not worth the amount of memory required to enable deduplication. Using the formula _ratio = dedup * compress / copies_, system administrators can plan the storage allocation, deciding whether the workload will contain enough duplicate blocks to justify the memory requirements. If the data is reasonably compressible, the space savings may be very good. Enabling compression first is recommended, and compression can also provide greatly increased performance. Only enable deduplication in cases where the additional savings will be considerable and there is sufficient memory for the <<zfs-term-deduplication,DDT>>. +After `zdb -S` finishes analyzing the pool, it shows the space reduction ratio that would be achieved by activating deduplication. +In this case, `1.16` is a very poor space saving ratio that is mostly provided by compression. +Activating deduplication on this pool would not save any significant amount of space, and is not worth the amount of memory required to enable deduplication. +Using the formula _ratio = dedup * compress / copies_, system administrators can plan the storage allocation, deciding whether the workload will contain enough duplicate blocks to justify the memory requirements. +If the data is reasonably compressible, the space savings may be very good. +Enabling compression first is recommended, and compression can also provide greatly increased performance. +Only enable deduplication in cases where the additional savings will be considerable and there is sufficient memory for the <<zfs-term-deduplication,DDT>>. [[zfs-zfs-jail]] === ZFS and Jails -`zfs jail` and the corresponding `jailed` property are used to delegate a ZFS dataset to a crossref:jails[jails,Jail]. `zfs jail _jailid_` attaches a dataset to the specified jail, and `zfs unjail` detaches it. For the dataset to be controlled from within a jail, the `jailed` property must be set. Once a dataset is jailed, it can no longer be mounted on the host because it may have mount points that would compromise the security of the host. +`zfs jail` and the corresponding `jailed` property are used to delegate a ZFS dataset to a crossref:jails[jails,Jail]. +`zfs jail _jailid_` attaches a dataset to the specified jail, and `zfs unjail` detaches it. +For the dataset to be controlled from within a jail, the `jailed` property must be set. +Once a dataset is jailed, it can no longer be mounted on the host because it may have mount points that would compromise the security of the host. [[zfs-zfs-allow]] == Delegated Administration -A comprehensive permission delegation system allows unprivileged users to perform ZFS administration functions. For example, if each user's home directory is a dataset, users can be given permission to create and destroy snapshots of their home directories. A backup user can be given permission to use replication features. A usage statistics script can be allowed to run with access only to the space utilization data for all users. It is even possible to delegate the ability to delegate permissions. Permission delegation is possible for each subcommand and most properties. +A comprehensive permission delegation system allows unprivileged users to perform ZFS administration functions. +For example, if each user's home directory is a dataset, users can be given permission to create and destroy snapshots of their home directories. +A backup user can be given permission to use replication features. +A usage statistics script can be allowed to run with access only to the space utilization data for all users. +It is even possible to delegate the ability to delegate permissions. +Permission delegation is possible for each subcommand and most properties. [[zfs-zfs-allow-create]] === Delegating Dataset Creation -`zfs allow _someuser_ create _mydataset_` gives the specified user permission to create child datasets under the selected parent dataset. There is a caveat: creating a new dataset involves mounting it. That requires setting the FreeBSD `vfs.usermount` man:sysctl[8] to `1` to allow non-root users to mount a file system. There is another restriction aimed at preventing abuse: non-`root` users must own the mountpoint where the file system is to be mounted. +`zfs allow _someuser_ create _mydataset_` gives the specified user permission to create child datasets under the selected parent dataset. +There is a caveat: creating a new dataset involves mounting it. +That requires setting the FreeBSD `vfs.usermount` man:sysctl[8] to `1` to allow non-root users to mount a file system. +There is another restriction aimed at preventing abuse: non-`root` users must own the mountpoint where the file system is to be mounted. [[zfs-zfs-allow-allow]] === Delegating Permission Delegation -`zfs allow _someuser_ allow _mydataset_` gives the specified user the ability to assign any permission they have on the target dataset, or its children, to other users. If a user has the `snapshot` permission and the `allow` permission, that user can then grant the `snapshot` permission to other users. +`zfs allow _someuser_ allow _mydataset_` gives the specified user the ability to assign any permission they have on the target dataset, or its children, to other users. +If a user has the `snapshot` permission and the `allow` permission, that user can then grant the `snapshot` permission to other users. [[zfs-advanced]] == Advanced Topics @@ -2218,11 +2640,18 @@ There are a number of tunables that can be adjusted to make ZFS perform best for * [[zfs-advanced-tuning-vdev-cache-size]] `_vfs.zfs.vdev.cache.size_` - A preallocated amount of memory reserved as a cache for each device in the pool. The total amount of memory used will be this value multiplied by the number of devices. This value can only be adjusted at boot time, and is set in [.filename]#/boot/loader.conf#. * [[zfs-advanced-tuning-min-auto-ashift]] `_vfs.zfs.min_auto_ashift_` - Minimum `ashift` (sector size) that will be used automatically at pool creation time. The value is a power of two. The default value of `9` represents `2^9 = 512`, a sector size of 512 bytes. To avoid _write amplification_ and get the best performance, set this value to the largest sector size used by a device in the pool. + -Many drives have 4 KB sectors. Using the default `ashift` of `9` with these drives results in write amplification on these devices. Data that could be contained in a single 4 KB write must instead be written in eight 512-byte writes. ZFS tries to read the native sector size from all devices when creating a pool, but many drives with 4 KB sectors report that their sectors are 512 bytes for compatibility. Setting `vfs.zfs.min_auto_ashift` to `12` (`2^12 = 4096`) before creating a pool forces ZFS to use 4 KB blocks for best performance on these drives. +Many drives have 4 KB sectors. +Using the default `ashift` of `9` with these drives results in write amplification on these devices. +Data that could be contained in a single 4 KB write must instead be written in eight 512-byte writes. +ZFS tries to read the native sector size from all devices when creating a pool, but many drives with 4 KB sectors report that their sectors are 512 bytes for compatibility. +Setting `vfs.zfs.min_auto_ashift` to `12` (`2^12 = 4096`) before creating a pool forces ZFS to use 4 KB blocks for best performance on these drives. + -Forcing 4 KB blocks is also useful on pools where disk upgrades are planned. Future disks are likely to use 4 KB sectors, and `ashift` values cannot be changed after a pool is created. +Forcing 4 KB blocks is also useful on pools where disk upgrades are planned. +Future disks are likely to use 4 KB sectors, and `ashift` values cannot be changed after a pool is created. + -In some specific cases, the smaller 512-byte block size might be preferable. When used with 512-byte disks for databases, or as storage for virtual machines, less data is transferred during small random reads. This can provide better performance, especially when using a smaller ZFS record size. +In some specific cases, the smaller 512-byte block size might be preferable. +When used with 512-byte disks for databases, or as storage for virtual machines, less data is transferred during small random reads. +This can provide better performance, especially when using a smaller ZFS record size. * [[zfs-advanced-tuning-prefetch_disable]] `_vfs.zfs.prefetch_disable_` - Disable prefetch. A value of `0` is enabled and `1` is disabled. The default is `0`, unless the system has less than 4 GB of RAM. Prefetch works by reading larger blocks than were requested into the <<zfs-term-arc,ARC>> in hopes that the data will be needed soon. If the workload has a large number of random reads, disabling prefetch may actually improve performance by reducing unnecessary reads. This value can be adjusted at any time with man:sysctl[8]. * [[zfs-advanced-tuning-vdev-trim_on_init]] `_vfs.zfs.vdev.trim_on_init_` - Control whether new devices added to the pool have the `TRIM` command run on them. This ensures the best performance and longevity for SSDs, but takes extra time. If the device has already been secure erased, disabling this setting will make the addition of the new device faster. This value can be adjusted at any time with man:sysctl[8]. * [[zfs-advanced-tuning-vdev-max_pending]] `_vfs.zfs.vdev.max_pending_` - Limit the number of pending I/O requests per device. A higher value will keep the device command queue full and may give higher throughput. A lower value will reduce latency. This value can be adjusted at any time with man:sysctl[8]. @@ -2241,7 +2670,12 @@ Some of the features provided by ZFS are memory intensive, and may require tunin ==== Memory -As a bare minimum, the total system memory should be at least one gigabyte. The amount of recommended RAM depends upon the size of the pool and which ZFS features are used. A general rule of thumb is 1 GB of RAM for every 1 TB of storage. If the deduplication feature is used, a general rule of thumb is 5 GB of RAM per TB of storage to be deduplicated. While some users successfully use ZFS with less RAM, systems under heavy load may panic due to memory exhaustion. Further tuning may be required for systems with less than the recommended RAM requirements. +As a bare minimum, the total system memory should be at least one gigabyte. +The amount of recommended RAM depends upon the size of the pool and which ZFS features are used. +A general rule of thumb is 1 GB of RAM for every 1 TB of storage. +If the deduplication feature is used, a general rule of thumb is 5 GB of RAM per TB of storage to be deduplicated. +While some users successfully use ZFS with less RAM, systems under heavy load may panic due to memory exhaustion. +Further tuning may be required for systems with less than the recommended RAM requirements. ==== Kernel Configuration @@ -2252,11 +2686,14 @@ Due to the address space limitations of the i386(TM) platform, ZFS users on the options KVA_PAGES=512 .... -This expands the kernel address space, allowing the `vm.kvm_size` tunable to be pushed beyond the currently imposed limit of 1 GB, or the limit of 2 GB for PAE. To find the most suitable value for this option, divide the desired address space in megabytes by four. In this example, it is `512` for 2 GB. +This expands the kernel address space, allowing the `vm.kvm_size` tunable to be pushed beyond the currently imposed limit of 1 GB, or the limit of 2 GB for PAE. +To find the most suitable value for this option, divide the desired address space in megabytes by four. +In this example, it is `512` for 2 GB. ==== Loader Tunables -The [.filename]#kmem# address space can be increased on all FreeBSD architectures. On a test system with 1 GB of physical memory, success was achieved with these options added to [.filename]#/boot/loader.conf#, and the system restarted: +The [.filename]#kmem# address space can be increased on all FreeBSD architectures. +On a test system with 1 GB of physical memory, success was achieved with these options added to [.filename]#/boot/loader.conf#, and the system restarted: [.programlisting] .... @@ -2279,7 +2716,13 @@ For a more detailed list of recommendations for ZFS-related tuning, see https:// [[zfs-term]] == ZFS Features and Terminology -ZFS is a fundamentally different file system because it is more than just a file system. ZFS combines the roles of file system and volume manager, enabling additional storage devices to be added to a live system and having the new space available on all of the existing file systems in that pool immediately. By combining the traditionally separate roles, ZFS is able to overcome previous limitations that prevented RAID groups being able to grow. Each top level device in a pool is called a _vdev_, which can be a simple disk or a RAID transformation such as a mirror or RAID-Z array. ZFS file systems (called _datasets_) each have access to the combined free space of the entire pool. As blocks are allocated from the pool, the space available to each file system decreases. This approach avoids the common pitfall with extensive partitioning where free space becomes fragmented across the partitions. +ZFS is a fundamentally different file system because it is more than just a file system. +ZFS combines the roles of file system and volume manager, enabling additional storage devices to be added to a live system and having the new space available on all of the existing file systems in that pool immediately. +By combining the traditionally separate roles, ZFS is able to overcome previous limitations that prevented RAID groups being able to grow. +Each top level device in a pool is called a _vdev_, which can be a simple disk or a RAID transformation such as a mirror or RAID-Z array. +ZFS file systems (called _datasets_) each have access to the combined free space of the entire pool. +As blocks are allocated from the pool, the space available to each file system decreases. +This approach avoids the common pitfall with extensive partitioning where free space becomes fragmented across the partitions. [.informaltable] [cols="10%,90%"] @@ -2295,8 +2738,9 @@ a|A pool is made up of one or more vdevs, which themselves can be a single disk + [CAUTION] ==== - -Using an entire disk as part of a bootable pool is strongly discouraged, as this may render the pool unbootable. Likewise, you should not use an entire disk as part of a mirror or RAID-Z vdev. These are because it is impossible to reliably determine the size of an unpartitioned disk at boot time and because there's no place to put in boot code. +Using an entire disk as part of a bootable pool is strongly discouraged, as this may render the pool unbootable. +Likewise, you should not use an entire disk as part of a mirror or RAID-Z vdev. +These are because it is impossible to reliably determine the size of an unpartitioned disk at boot time and because there's no place to put in boot code. ==== * [[zfs-term-vdev-file]] _File_ - In addition to disks, ZFS pools can be backed by regular files, this is especially useful for testing and experimentation. Use the full path to the file as the device path in `zpool create`. All vdevs must be at least 128 MB in size. |