FreeBSD System Setup

Contents

FreeBSD System Setup
Introduction
1. Tips and Tricks
  1. FreeBSD User Ports
Base Operating System Installation
Post Installation Tasks
Disk Mirroring Configuration
Software Package Management
Encrypted Filesystem Configuration
Firewall Settings
Main Applications to Install
MySQL Configuration
PHP Configuration
Apache Configuration
Additional Tools Required for DrawMGT
WebDAV Configuration
Secure (chroot-ed) access setting for external users
1. SSH login to allow SSH port forwarding
2. Allow SCP and SFTP only
Setting logrotate
Monitoring the Server

Introduction

This page explains how to setup a FreeBSD system capable of acting as a DrawMGT server. FreeBSD differs from Linux systems in that the basic installation includes very few users tools or applications by default. This means that you need to install all application support tools that DrawMGT requires, like Apache, MySQL and PHP.

This page describes the setup of the version 7.2. The procedure can be slightly different for other versions.

FreeBSD is well documented. See the FreeBSD Handbook

Installing FreeBSD applications, called ports is simple and is explained here.

The basic steps to prepare a FreeBSD server are:

Install the base operating system
Setup disk mirroring
Install support software
Install other support tools
Install and test DrawMGT

These steps are described below.

Tips and Tricks

FreeBSD User Ports

If there is network problems accessing the pre-configured master databases, try an http server accessable from the internet browser, e.g.

cd /usr/ports/devel/git
make MASTER_SITE_OVERRIDE=http://ftp7.freebsd.org/sites/ftp.freebsd.org/pub/FreeBSD/distfiles/ install

Base Operating System Installation

Donwload an ISO image of the latest production production release:
- http://www.freebsd.org/where.html
- Typically you want the ISO disk-1. E.g. for release 7.2 its:
  - 7.2-RELEASE-i386-disk1.iso
- Alternatively download:
  - 7.2-RELEASE-i386-dvd1.iso.gz
- Note that other the CDs are not required
Put the CD (or DVD) in the system and boot
Select Standard installation in sysinstall

Disk partitions - Setup one fdisk partition with the following FreeBSD partitions (assuming disk > 300 GB):

Partition	Size	Description/Contents
/	1 GB	root partition
swap	2-4 GB	swap parition
/var	10 GB	MySQL DBs and logs
/tmp	10 GB	Make big enough to store a DVD ISO
/usr	20 GB	Applications and ports
/e/vol001	200 GB	Web trees
/e/vol002	all remaining free space	Backups (perhaps encrypted)

Note: You should tune up the new large (>100GB) filesystems by hand in order to set the default freespace (normally 8%) to a smaller value (typically 1%). It can be done anytime on unounted filesystems. For example:

```
      tunefs -m 1 /dev/ad0s1g
```

Note: Later you will make a symbolic link from /home --> /e/vol001/home
Select Everything (all development tools and sources) Minimal distribution
Network configuration - You will need the following informaion:
- Hostname and domain for the machine
- IP address for the machine
- IP address of gateway
- IP address of primary and secondary DNS servers

Post Installation Tasks

NTP Setup
- Install openntpd port: Note: This port is probably not required. ntpd is included in a Everything distribution.
```
cd /usr/ports/net/openntpd
make
make install
```
- Get full domain names of at least two NTP servers (called ntp1.domain and ntp2.domain below)
- Set system time with ntpdate:
```
ntpdate -u ntp1.domain
```
- Configure NTP servers, enable and start NTP daemon
```
vi /etc/ntp.conf
server ntp1.domain
server ntp2.domain
:x

vi /etc/rc.conf
# Add:
ntpd_enable="YES"
:x

/etc/rc.d/ntpd start
```
- Check NTP is running and has connected to servers:
```
ntpq -p
```

Install and run CVSUP.

CVSUP updates the ports collections and ensures that you install the latest applications and package versions. Basically
- it updates all the make files in the directory tree /usr/ports (or other directory trees depending on the configuration).

Install cvsup (this can take 10-20 minutes)

cd /usr/ports/net/cvsup-without-gui
make install

Configure a ports supfile

cd /root
mkdir cvsup
cd cvsup

vi ports-supfile
# Add the following
*default host=cvsup.ch.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix

*default compress

#src-all
#doc-all
ports-all
:x

Create script to run the runs the ports file: Put the following code

into the file /root/cvsup/run-cvsup.sh, then set execute permissions on the file.

#
# cvsup options:
#
#  -g         Disables GUI
#  -L 2       Log verbosity=2
#

PROD=$0
TS=`/bin/date +'%Y%m%d-%H%M'`

CVSUP=/usr/local/bin/cvsup

CVSUP_OPTS='-g -L 2'
CVSUP_SUPFILE='ports-supfile'
LOG_FILE=${CVSUP_SUPFILE}-${TS}.log

if [ ! -f ${CVSUP_SUPFILE} ]
then
  echo "${PROD}: No such file: ${CVSUP_SUPFILE}"
  exit 1
fi

echo "${PROD}: Log file: ${LOG_FILE}"
echo "${PROD}: SUP file: ${CVSUP_SUPFILE}"
echo "${PROD}: Start: `date`"

${CVSUP} ${CVSUP_OPTS} ${CVSUP_SUPFILE} > ${LOG_FILE}

echo "${PROD}: Done:  `date`"

Run cvsup: This could take 10-15 minutes (depending on the network connection)
```
chmod +x run-cvsup.sh
./run-cvsup.sh ports-supfile
```

Install manpages

mount /cdrom
cd /cdrom/7.2-RELEASE/manpages/
./install.sh

Install vim

cd /usr/ports/editors/vim
make install # Note: it installs python26 also

Install bash
- ```
cd /usr/ports/shells/bash
make install
```

Disk Mirroring Configuration

See: FreeBSD Handbook Chapter 19 GEOM: Modular Disk Transformation Framework Note that the device files /dev/ad1 and /dev/ad2 can be different depending on the hardvare, e.g. /dev/ad4 and /dev/ad5 on the bp.softxs.ch server.

Boot in single user mode.
Mount all file systems in read/write mode:
- ```
mount -u /
mount -a -t ufs
```

Start entering gnome command:

sysctl kern.geom.debugflags=16

gmirror label -v -b round-robin gm0 /dev/ad0
Metadata value stored on /dev/ad0
Done.

echo 'geom_mirror_load="YES"' > /boot/loader.conf

Update /etc/fstab

cp /etc/fstab /etc/fstab.orig
vi /etc/fstab
# Change each adN to gm0, and insert a mirror after /dev. For example:
#  /dev/ad0s1a --> /dev/mirror/gm0s1a.
:x

Reboot, and look for messages like the following:

ad0: 238475MB <HDT722525DLAT80 V44OA40A> at ata0-master UDMA133
acd0: DVDR <NEC DVD RW ND-3540A/1.01> at ata0-slave UDMA33
ad2: 238475MB <HDT722525DLAT80 V44OA40A> at ata1-master UDMA133
GEOM_MIRROR: Device gm0 created (id=577175128).
GEOM_MIRROR: Device gm0: provider ad0 detected.
GEOM_MIRROR: Device gm0: provider ad0 activated.
GEOM_MIRROR: Device gm0: provider mirror/gm0 launched.
Trying to mount root from ufs:/dev/mirror/gm0s1a

Add the second disk to the mirror
- ```
gmirror insert gm0 /dev/ad2
```

Check in /var/log/messages

Dec 29 13:46:11 thor kernel: GEOM_MIRROR: Device gm0: provider ad2 detected.
Dec 29 13:46:11 thor kernel: GEOM_MIRROR: Device gm0: rebuilding provider ad2.
..

Check status on command line

gmirror status
      Name    Status  Components
mirror/gm0  COMPLETE  ad0
                      ad2

Should show two components.

Software Package Management

Encrypted Filesystem Configuration

The configuration can be performed exactly as decribed in FreeBSD Handbook in chapter 'Disk Encryption with gbde'. The only difference is, that no kernel compilation and manual module loading is necessary, because gbde is part of the default kernel on FreeBSD 7.x. Because the mounting of an encrypted filesystem can be done manually only, the best way to create a shell script under root's home directory in directory bin:
```
mount_crypt.sh
```
The script contains the following lines:
```
#!/bin/sh

#kldload geom_bde &&
gbde attach /dev/mirror/gm0s1h -l /etc/gbde/gm0s1h.lock &&
fsck -p -t ffs /dev/mirror/gm0s1h.bde &&
mount /dev/mirror/gm0s1h.bde /e/vol002 &&
echo "Encrypted filesystem /dev/mirror/gm0s1h.bde successfully mounted to /e/vol002."
```

Firewall Settings

IPFILTER is used as firewall. It is exactly set as described in FreeBSD Handbook - Chapter 30.5 The IPFILTER (IPF) Firewall. Short summary of required steps: To activate IPF at boot time, the following statements need to be added to /etc/rc.conf:

# IPFILTER TN 2010-02-23
ipfilter_enable="YES"             # Start ipf firewall
ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file
ipmon_enable="YES"                # Start IP monitor log
ipmon_flags="-Ds"                 # D = start as daemon
                                  # s = log to syslog
                                  # v = log tcp window, ack, seq
                                  # n = map IP & port to names

Rulesets must be defined in /etc/rc.conf. An example ruleset (ipf.rules.orig) of a very secure inclusive type of firewall can be found in FreeBSD Handbook - 30.5.13 Inclusive Ruleset Example. Only some modifications (ipf.rules) was made for the server bp.softxs.hu, additionaly the intarface name change (dc0->ale0):

[ntibor@centos1 schema]$ diff /tmp/ipf.rules /tmp/ipf.rules.orig.ale0

# Outgoing DNS enabled ---------------------------------------------------------------
26,29c26,27
< pass out quick on ale0 proto tcp from any to 94.247.88.2 port = 53 flags S keep state
< pass out quick on ale0 proto udp from any to 94.247.88.2 port = 53 keep state
< pass out quick on ale0 proto tcp from any to 195.228.155.98 port = 53 flags S keep state
< pass out quick on ale0 proto udp from any to 195.228.155.98 port = 53 keep state
---
> pass out quick on ale0 proto tcp from any to xxx port = 53 flags S keep state
> pass out quick on ale0 proto udp from any to xxx port = 53 keep state

# Outgoing DHCP enabled -------------------------------------------------------------
36c34
< #pass out log quick on ale0 proto udp from any to any port = 67 keep state                    
---
> pass out log quick on ale0 proto udp from any to any port = 67 keep state

# Outgoing NTP enabled -------------------------------------------------------------
52,53d49
< # Allow out ntp
< pass out quick on ale0 proto tcp from any to any port = 123 flags S keep state

# Outgoing FTP disabled ------------------------------------------------------------
63c59
< #pass out quick on ale0 proto tcp from any to any port = 21 flags S keep state
---
> pass out quick on ale0 proto tcp from any to any port = 21 flags S keep state

# Outgoing Telnet disabled --------------------------------------------------------
71c66
< #pass out quick on ale0 proto tcp from any to any port = 23 flags S keep state
---
> pass out quick on ale0 proto tcp from any to any port = 23 flags S keep state

# Incoming DHCP disabled ----------------------------------------------------------
145c140
< #pass in quick on ale0 proto udp from 94.247.88.1 to any port = 68 keep state
---
> pass in quick on ale0 proto udp from z.z.z.z to any port = 68 keep state

# Incoming HTTP disabled (only HTTPS used) and incoming HTTPS enabled-------------
148,151c143
< # pass in quick on ale0 proto tcp from any to any port = 80 flags S keep state
<
< # Allow in secure www function https over TLS SSL
< pass in quick on ale0 proto tcp from any to any port = 443 flags S keep state
---
> pass in quick on ale0 proto tcp from any to any port = 80 flags S keep state

Main Applications to Install

Recommended installation sequence is as listed here.

MySQL Server/Client

cd /usr/ports/databases/mysql54-server
make install # Note: it installs mysql54-client also
/usr/local/bin/mysql_install_db

Apache

cd /usr/ports/www/apache22
make install # Use default options plus MYSQL

PHP5, PEAR and PECL_HTTP (use defaults is not otherwise noted)

cd /usr/ports/lang/php5
make install # Use default options plus APACHE2
cd /usr/ports/lang/php5-extensions
make install # Use default options plus MBSTRING, MYSQL, BUNDLED_PCRE, UTF8
cd /usr/ports/devel/pear
make install
cd /usr/ports/databases/pear-DB
make install
cd /usr/ports/sysutils/pear-Log
make install # Select options PEAR_DB, PEAR_Mail, PEAR_NET_SMTP
cd /usr/ports/net/pear-XML_RPC
make install
cd /usr/ports/mail/pear-Mail_Mime
make install
cd /usr/ports/www/pecl-http
make install

Perl packages

cd /usr/ports/devel/p5-Config-General
make install

mb-string
- If on any reason PHP4 is used then the multibyte string packege is needed
```
cd /usr/ports/converters/php4-mbstring
make install
```

MySQL Configuration

FreeBSD does not automatically include a default my.cnf for MySQL. Instead, a set of sample configuration files can be found under /usr/local/share/mysql. These configuration files include my-small.cnf, my-medium.cnf, my-large.cnf, my-innodb-heavy-4G, and my-huge.cnf. The appropriate file can be copied and used as a template configuration:

cp /usr/local/share/mysq/mysql-large.cnf /usr/local/etc/my.cnf
/usr/local/etc/rc.d/mysql-server restart

Setting binary log expiration, default database character set and collation in [mysqld] section of my.cnf.

vi /usr/local/etc/my.cnf
  [mysqld]
  ...
  expire_logs_days=14                          -- hold binary log for 2 weeks (more than enough)
  ...
  character_set_server=utf8
  collation_server=utf8_general_ci             -- for western languages or utf8_hungarian_ci

Use the following command in mysql to check actual and available settings

mysql ....
  SHOW CHARACTER SET;                           -- list available character sets
  SHOW COLLATION LIKE 'utf8%';                  -- list available UTF-8 collations
    -- show current database settings
  show variables like "character_set_%";        -- show current settings
  show variables like "collation_%";
  -- List all databases with locale information (mysql 5.x)
  select SCHEMA_NAME, DEFAULT_CHARACTER_SET_NAME, DEFAULT_COLLATION_NAME from information_schema.SCHEMATA;

Use the following command in mysql to create database not as default settings

create database db character set utf8 collate utf8_hungarian_ci;

Notes
- Use the following command to set the correct character set in mysql:
- ```
set names utf8;
```
- mysql allows you enter national characters if the LANG variable is correctly set
- ```
export LANG=en_US.UTF-8
```
- Note that character conversion will be made automatically if you copy data between databases of different characters sets
- Check if mysql timezone table is filled up:
- ```
mysl> select * from mysql.time_zone_name
```
- If the select above gives no records, fill up the timezone table:
- ```
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -uroot -psqladmin mysql
```

PHP Configuration

Change php.ini, take the recommended production version and change it

cd /usr/local/etc
cp php.ini-recommended php.ini
vi php.ini
diff php.ini-recommended php.ini
213c213
< allow_call_time_pass_reference = Off
---
> allow_call_time_pass_reference = On
313c313
< max_execution_time = 30     ; Maximum execution time of each script, in seconds
---
> max_execution_time = 240     ; Maximum execution time of each script, in seconds
316c316
< memory_limit = 128M      ; Maximum amount of memory a script may consume (128MB)
---
> memory_limit = 512M      ; Maximum amount of memory a script may consume (256MB)
382c382
< display_errors = Off
---
> display_errors = On
443c443
< ;error_log = filename
---
> error_log = /var/log/php_errors.log
499c499
< post_max_size = 8M
---
> post_max_size = 128M
534c534
< ;include_path = ".:/php/includes"
---
> include_path = ".:/php/includes:/usr/local/share/pear"
612c612
< upload_max_filesize = 2M
---
> upload_max_filesize = 128M
725c725
< ;date.timezone =
---
> date.timezone = "Europe/Zurich"
986c986
< ;browscap = extra/browscap.ini
---
> browscap = /usr/local/etc/browscap.ini
1055c1055
< ;session.save_path = "/tmp"
---
> ;session.save_path = "/var/lib/php/session"
1148c1148
< session.use_trans_sid = 0
---
> session.use_trans_sid = 1

Install a browscap.ini file. Download php_browscap.ini from http://browsers.garykeith.com/downloads.asp,
- change the name to browscap.ini, and save it in the /usr/local/etc.
Setup session directory

mkdir -p /var/lib/php/session
chmod 770 /var/lib/php/session
chgrp www /var/lib/php/session

The session timeout (timeout for automatic logout) is set also in php.ini. See Setting Session Timeout.

Apache Configuration

Basic Configuration

Enable and start HTTP daemon

vi /etc/rc.conf
# Add:
apache22_enable="YES"
:x

Apache PHP module configuration

Edit apache configuration file:

vi /usr/local/etc/apache22/httpd.conf

Comment out setting AddDefaultCharset to allow the META tags in HTML content to control the character set
```
#AddDefaultCharset UTF-8
```
You have to add index.php after index.html to the DirectoryIndex directive, so it should look like this:

# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>

Add the following lines at the end and save changes:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Start apache
```
/usr/local/etc/rc.d/apache22 start
```
Check apache php modul
- Create phpinfo
- ```
cd /usr/local/www/apache22/data
cat > phpinfo.php
<?php phpinfo( ); ?>
^D     # CTRL-D = EOF
```
- Run phpinfo in the browser (use appropriate address instead of 192.168.1.100):
- ```
http://192.168.1.100/phpinfo.php
```
- You should see a detailed table about PHP and apache settings.
Check apache, php and mysql
- Create test-db.php (native mysql connection) in /usr/local/www/apache22/data
- Run test-db.php from the browser, you should get the message "connected"
- ```
http://192.168.1.100/test-db.php
```
- Create user.php (PEAR DB connection) in /usr/local/www/apache22/data
- Run user.php from the browser
- ```
http://192.168.1.100/user.php
```
- You should get a similar table:
- Host
  
  User
  
  Password
  
  localhost
  
  root
  
  *E2DB48CF596333DCD736D6DDFDA77AFB1068A7DF
Check apache logfile for any error:
```
  view /var/log/httpd-error.log
```

Virtual Host Configuration

Additional Tools Required for DrawMGT

PERL modules, wget, zip

cd /usr/ports/www/p5-HTML-Parser
make install
cd /usr/ports/ftp/wget
make install
cd /usr/ports/archivers/zip
make install

htmldoc

Unfortunately the htmldoc version which supports UTF-8 is not available in FreeBSD port. Wee need 1.9.x or higher. It must be installed manually as root:

# remove htmldoc if it is installed from port
pkg_info | grep htmld
pkg_delete htmldoc-1.8.27_5
# download htmldoc source
cd /root
wget http://ftp.easysw.com/pub/htmldoc/snapshots/htmldoc-1.9.x-r1629.tar.bz2
tar xf htmldoc-1.9.x-r1629.tar.bz2
cd ./htmldoc-1.9.x-r1629
./configure
make
make install

pdflatex

We need to install texlive package as root, which is not available (yet) as user port.

cd /tmp
wget http://mirror.ctan.org/systems/texlive/tlnet/install-tl-unx.tar.gz
tar xf install-tl-unx.tar.gz
cd install-tl-20120104
 O              # options
  L             # create symlinks in standard directories
  <Enter> 3x
  R             # return to main menu
 I              # start installation to hard disk

Thai language support is not build in the LaTeX babel package, we need to istall it manually if necessary (CAUTION: use gmake instead of make):

wget ftp://linux.thai.net/pub/thailinux/software/thailatex/thailatex-0.4.6.tar.gz
tar xf thailatex-0.4.6.tar.gz
cd thailatex-0.4.6
./configure --with-texmfdir=/usr/local/texlive/2011/texmf
gmake install
cd sripts
sh sync-babel
sh sync-thailatex

cd /usr/ports/print/fontforge
make install

wget ftp://linux.thai.net/pub/thailinux/software/thaifonts-scalable/thaifonts-scalable-0.4.17.tar.gz
tar xf thaifonts-scalable-0.4.17.tar.gz
cd thaifonts-scalable-0.4.17
./configure --enable-latex --with-texmfdir=/usr/local/texlive/2011/texmf
gmake install

WebDAV Configuration

See here.

Secure (chroot-ed) access setting for external users

SSH login to allow SSH port forwarding

Create a minimal chroot environment for user who logs in the system with ssh. Only the shell will be enabled. Perform the whole procedure as root.

Create the user (e.g. limited) with own group and sh as shell (as root) and change the ownership of his home directory (needed by chroot).

adduser
cd /home/limited
chown root:wheel .

Copy the minimum environment to allow to run /bin/sh with /home/limited as root directory:

ldd /bin/sh    # determine shared libraries to be copied
        libedit.so.6 => /lib/libedit.so.6 (0x28097000)
        libncurses.so.7 => /lib/libncurses.so.7 (0x280ac000)
        libc.so.7 => /lib/libc.so.7 (0x280eb000)
mkdir lib
cp /lib/libedit.so.6 /lib/libncurses.so.7 /lib/libc.so.7 lib
# copy the ELF runner
mkdir libexec
cp /libexec/ld-elf.so.1 libexec

Change sshd settings to switch in chroot-ed environment for this user ans restart sshd:

vim /etc/ssh/sshd_config    # add the following lines
    Match User limited
    ChrootDirectory %h
    Match
/etc/rc.d/sshd restart

Allow SCP and SFTP only

Create a minimal chroot environment for user who should have the rights only to use scp and sftp limited to his home directory. A good and free SFTP and FTP client for Windows is WinSCP. Perform the whole procedure below as root.

Install rssh from the ports system, if it is not installed yet:
```
cd /usr/ports/shells/rssh
make install
```
Create the user (e.g. limited) with own group and rssh as shell (as root) and change the ownership of his home directory (needed by chroot).

adduser
cd /home/limited
chown root:wheel .

Create and edit rssh config file

cp -n /usr/local/etc/rssh.conf.dist /usr/local/etc/rssh.conf     # CAUTION only at first time setting
vi /usr/local/etc/rssh.conf 
     # uncoment the following lines to enable rcp and sftp
     allowscp
     allowsftp
     # add the following line for each user
     user=limited:022:00011:/home/limited

Copy the minimum chroot environment to allow to run rssh, sftp with /home/limited as root directory:

cd /home/limited
mkdir -p usr/bin usr/libexec usr/local/libexec usr/lib lib libexec bin dev etc
cp /usr/bin/scp usr/bin/
cp /usr/libexec/sftp-server  usr/libexec/
cp /usr/local/libexec/rssh_chroot_helper  usr/local/libexec/
cp /bin/sh bin/
cp /libexec/ld-elf.so.1 libexec
ldd /usr/bin/scp /bin/sh     # determine shared libraries to be copied
   /usr/bin/scp:
        libssh.so.4 => /usr/lib/libssh.so.4 (0x28081000)
        libcrypt.so.4 => /lib/libcrypt.so.4 (0x280be000)
        libcrypto.so.5 => /lib/libcrypto.so.5 (0x280d7000)
        libz.so.4 => /lib/libz.so.4 (0x28230000)
        libc.so.7 => /lib/libc.so.7 (0x28242000)
        libgssapi.so.9 => /usr/lib/libgssapi.so.9 (0x28344000)
        libkrb5.so.9 => /usr/lib/libkrb5.so.9 (0x2834b000)
        libasn1.so.9 => /usr/lib/libasn1.so.9 (0x28385000)
        libcom_err.so.4 => /usr/lib/libcom_err.so.4 (0x283ae000)
        libmd.so.4 => /lib/libmd.so.4 (0x283b0000)
        libroken.so.9 => /usr/lib/libroken.so.9 (0x283bf000)
   /bin/sh:
        libedit.so.6 => /lib/libedit.so.6 (0x28097000)
        libncurses.so.7 => /lib/libncurses.so.7 (0x280ac000)
        libc.so.7 => /lib/libc.so.7 (0x280eb000)
cp /usr/lib/libssh.so.4 /usr/lib/libgssapi.so.9 /usr/lib/libkrb5.so.9 /usr/lib/libasn1.so.9 /usr/lib/libcom_err.so.4  /usr/lib/libroken.so.9 usr/lib
cp /lib/libcrypt.so.4 /lib/libcrypto.so.5 /lib/libz.so.4 /lib/libc.so.7 /lib/libmd.so.4 /lib/libedit.so.6 /lib/libncurses.so.7 lib

Create a devfs filesystem inside the /dev directory in the chroot environment

vi /etc/fstab   # add the following line
     none                    /home/limited/dev devfs   rw      0       0
mount -t devfs devfs /home/limited/dev

Copy both /etc/passwd and /etc/master.passwd to the chroot environment. It is a good idea to edit them and remove all existing accounts except the one(s) for the user(s) that will have access to the chroot. After edited the files, we have to use the pwd_mkdb tool to generate the password database inside the chroot environment:

cp /etc/passwd /etc/master.passwd etc/
pwd_mkdb -d /home/limited/etc /home/limited/etc/master.passwd

Setting logrotate

Edit /etc/newsyslog.conf and add similar lines:

#
# -- HCMC2
#
# logfilename                                                                  [owner:group]        mode count size when flags
/home/hcmc2/www/html/test/var/hcmc2/zg.softxs.ch-test/log/drawmgt.log          www:hcmc2            664  10    50000 *    J
/home/hcmc2/www/html/test/var/hcmc2/zg.softxs.ch-test/log/event.log            hcmc2:hcmc2          664  10    50000 *    J
/home/hcmc2/www/html/prod/var/hcmc2/zg.softxs.ch-prod/log/drawmgt.log          www:hcmc2            664  10    50000 *    J
/home/hcmc2/www/html/prod/var/hcmc2/zg.softxs.ch-prod/log/event.log            hcmc2:hcmc2          664  10    50000 *    J

Monitoring the Server

File system space
Backups

Mirroring ok

By hand

gmirror status -s
mirror/gm0  COMPLETE  ad0
mirror/gm0  COMPLETE  ad2

Via cron

# lofn.softxs.ch:crontab
# $Id$
#
# -- Gmirror monitoring
#
57 02 * * * /root/bin/mailcron -x -u"alan@softxs.ch" -s"lofn: Gmirror monitoring" /root/bin/checkGmirror.pl -v
#
# -- end --

Script: /root/bin/checkGmirror.pl

#
# Check that gmirror disks are present and OK.
# By default expects that two disks are present.
#
# Usage: checkGmirror.pl [-v]
#
# Typical output of 'gmirror status -s'
#
#   mirror/gm0  COMPLETE  ad0
#   mirror/gm0  COMPLETE  ad2
#
#   $component  $status   $device
#

use strict;

my $V = ( $ARGV[ 0 ] eq '-v' ) ? 1 : 0;

my $RC = 0;

my $EXPECTED_DEVICE_COUNT = 2;

my $CMD="/sbin/gmirror status -s";

open( CMD, "$CMD|" ) or die( "$0: Unable to run command: \'$CMD\'\n" );

my %components;
my $line;
while( defined( $line = <CMD> ) ) {
  chomp ( $line );
  my( $component, $status, $device ) = split( /\s+/, $line );
  $components{ $device } = $status;
  $RC = 1 if ( $status eq 'DEGRADED' );
}
close( CMD );

if ( scalar( keys( %components ) ) != $EXPECTED_DEVICE_COUNT ) {
  $RC = 1;
  $V = 1;
}

if ( $RC || $V ) {
  if ( $RC ) {
    print( "$0: ERROR: gmirror: status: BAD\n" );
  } else {
    print( "$0: gmirror: status OK\n" );
  }
  foreach my $device ( keys( %components ) ) {
    my $status = $components{ $device };
    print( "  device: $device, status: $status\n" );
  }
}

exit $RC;

# -- end --

Host	User	Password
localhost	root	*E2DB48CF596333DCD736D6DDFDA77AFB1068A7DF