https://wiki.jcihosting.com/api.php?action=feedcontributions&feedformat=atom&user=99.139.51.90
JCWiki - User contributions [en]
2026-04-21T04:34:29Z
User contributions
MediaWiki 1.42.3
https://wiki.jcihosting.com/index.php?title=Clear_space_on_boxes&diff=309
Clear space on boxes
2012-11-19T03:03:28Z
<p>99.139.51.90: </p>
<hr />
<div>'''bwdb: we move old traffic flow files to backup2'''<br />
<br /><br />
<ol start="1"><br />
<li>go to bwdb (10.1.4.203 - a7p1o4) /usr/home/archive#</li><br />
<li>scp the oldest month to any available disk with space on backup2:</li><br />
<ol style="list-style-type: upper-alpha"><br />
<li>since there are many files, you can't do a whole month at a time like this:</li><br />
*scp ft-v05.2012-06-* 10.1.4.3:/d2/bwdb/archive/ && rm -f ft-v05.2012-06-*<br />
<li>you have to start with the single digit days first:</li><br />
*scp ft-v05.2012-07-0* 10.1.4.3:/d2/bwdb/archive/ && rm -f ft-v05.2012-07-0*<br />
<li>then you can proceed with the full month:</li><br />
*scp ft-v05.2012-06-* 10.1.4.3:/d2/bwdb/archive/ && rm -f ft-v05.2012-06-*<br />
</ol><br />
<li>mostly the same on bwdb2 (a7p1o5):</li><br />
<ol style="list-style-type: upper-alpha"><br />
<li>bwdb2 /home/archive# scp ft-v05.2011-05* backup2:/mnt/data2/bwdb/archive/bwdb2/</li><br />
<li>bwdb2 /home/archive# rm ft-v05.2011-05*</li><br />
</ol><br />
</ol><br />
<br />
'''jail8'''<br />
<br /><br />
<ol start="1"><br />
<li>rm /var/mail/root</li><br />
</ol><br />
<br /><br />
'''jail9'''<br />
<ol start="1"><br />
<li>jail9 /mnt/data1# '''rm -fr old-col02106-mdfile-cxld-20120618'''</li><br />
<li>jail9 /mnt/data1#''' df .'''</li><br />
</ol><br />
Filesystem 1K-blocks Used Avail Capacity Mounted on<br />
/dev/mfid0s1g 126049816 118309094 7740722 94% /mnt/data1<br />
<ol start="3"><br />
<li>jail9 /mnt/data1#''' gzip old-col02124-mdfile-cxld-20120817'''</li><br />
</ol><br />
<br />
<br />
'''backup2'''<br />
<br /><br />
nothing yet...<br />
<br /><br />
to find candidate to move off host machines<br />
<br />
'''jails'''<br><br />
for f in `ls |grep -v DIR`; do du -sh $f; df -h $f-DIR<br><br />
<br><br />
look for bang for the buck<br><br />
<br><br />
<br />
<br />
'''virts'''<br><br />
<br><br />
vdf = df -h in container<br><br />
vdff = df everyone in cur dir (e.g. /vz or /vz1 or /vz2)</div>
99.139.51.90
https://wiki.jcihosting.com/index.php?title=Network_Time_(ntp)&diff=308
Network Time (ntp)
2012-11-19T02:22:47Z
<p>99.139.51.90: </p>
<hr />
<div># see if its connected:<br />
<br />
::[root@quar1 /vz/private]# '''ntpq -pn'''<br />
::ntpq: read: Connection refused<br />
<br />
:<big>not running</big><br />
<br />
<ol start="2"><br />
<li>start it:</li><br />
<br />
[root@quar1 /vz/private]# '''service ntpd start'''<br><br />
Starting ntpd: [ OK ]<br />
</ol><br />
<br />
<ol start="3"><br />
<li>Query the NTP Server to see if it is paired</li><br />
[root@quar1 /vz/private]#''' ntpq -pn'''<br />
remote refid st t when poll reach delay offset jitter<br>10.1.4.5 66.187.233.4 2 u 4 64 1 0.317 876558. 0.000<br />
<br><br />
</ol><br />
<ol start="4"><br />
<li>[root@quar1 /vz/private]#''' date'''</li><br />
Thu Oct 11 10:58:05 PDT 2012<br />
</ol><br />
:<big>time is 11:13</big><br />
<span style="color:red">that output from ntpq is deceiving- we're syncing connected. you want to see a * or + next to it (ex on mail):</span><br />
<br />
<br />
<ol start="5"><br />
<li>mail /usr/local/www/scripts#''' ntpq -pn'''</li><br />
</ol><br />
remote refid st t when poll reach delay offset jitter<br />
==============================================================================<br />
*66.187.233.4 .CDMA. 1 u 550 1024 377 75.159 -0.613 0.100<br />
217.204.76.170 0.0.0.0 16 u - 1024 0 0.000 0.000 4000.00<br />
64.112.189.11 0.0.0.0 16 u - 1024 0 0.000 0.000 4000.00<br />
66.69.112.130 0.0.0.0 16 u - 1024 0 0.000 0.000 4000.00<br />
+80.85.129.25 193.79.237.14 2 u 624 1024 377 147.067 -0.291 0.149<br />
<br />
<span style="color:red">(btw, if at least one is not + or * our ENTIRE network is off since all boxes sync to mail.<br />
edit /etc/ntp.conf to add servers)</span><br />
<br />
see: http://doc.ntp.org/4.1.1/ntpq.htm<br />
<br />
so its not connecting to our ntpd on mail (10.1.4.5)<br />
<br />
and this is likely cause of the large time gap (offset 876558.) so we fix it:<br />
<br />
<ol start="6"><br />
<li>[root@quar1 /vz/private]# '''date -s "11:17:00"'''<br><br />
Thu Oct 11 11:17:00 PDT 2012</li><br />
</ol><br />
<br />
<ol start="7"><br />
<li>[root@quar1 /vz/private]#''' ntpq -pn'''</li><br />
</ol><br />
remote refid st t when poll reach delay offset jitter<br />
==============================================================================<br />
10.1.4.5 66.187.233.4 2 u 1029 64 0 0.000 0.000 4000.00<br />
<br />
no offset but not connected. give it some time...<br />
<br />
<ol start="8"><br />
<li>[root@quar1 /vz/private]#''' sleep 300; ntpq -pn'''</li><br />
</ol><br />
remote refid st t when poll reach delay offset jitter<br />
==============================================================================<br />
*10.1.4.5 66.187.233.4 2 u 44 64 37 0.304 19234.8 0.649<br />
<br />
<span style="color:red"><big>Yay, done.</big></span></div>
99.139.51.90
https://wiki.jcihosting.com/index.php?title=Jail_Server_Install&diff=251
Jail Server Install
2012-11-11T23:07:05Z
<p>99.139.51.90: /* 8.x */</p>
<hr />
<div>= 8.x =<br />
<br />
All time estimates below assume disks aren’t scrubbing. Setup instructions below are for LSI card:<br />
<br />
1. make sure bios is setup for bios console redirect<br />
2950:<br />
Console redirection:<br />
LCD string..<br />
Date to GMT<br />
<br />
<br />
2. assuming mirrors (or at least disks) created (if not, refer to this), boot to disk 1 of 7.2<br />
skip kernel config (enter)<br />
custom install<br />
<br />
partition -><br />
move cursor to mfid0, hit space (takes you to partition map screen)<br />
a for entire disk<br />
q to quit and save<br />
<br />
<br />
standard mbr (no boot manager)<br />
space to unselect mfid0<br />
cursor over mfid1<br />
space<br />
a for entire disk<br />
q to quit and save<br />
none (leave untouched)<br />
<br />
cursor over mfid0<br />
space<br />
(takes you into part. Screen again) q to exit<br />
none<br />
Make sure both are checked and tab to ok<br />
<br />
Label -><br />
Make sure mfid0 is highlighted<br />
<br />
/ 512M<br />
swap 2G (for 2950 make it 6G)<br />
/var 256M <br />
/tmp 256M<br />
/usr 5G<br />
/mnt/data1 remaining space <br />
<br />
Make sure to toggle S for soft updates on all (should look like UFS2+S Y under the Newfs column)<br />
<br />
move cursor to mfid1<br />
swap 8G (or 4G if there’s a 3rd drive)<br />
/mnt/data2 remaining space (no need to newfs)<br />
<br />
q to save and exit<br />
<br />
distributions -><br />
developer<br />
custom -> lib32<br />
yes to install ports<br />
exit<br />
<br />
media -><br />
cd (or ftp in case of no cd)<br />
<br />
commit -><br />
yes<br />
(2450: 14mins, supermicro: 12mins)<br />
<br />
yes to "visit general config" -><br />
Set root pwd<br />
<br />
Add user ‘user’ member group is wheel, set password<br />
<br />
Set tz<br />
<br />
Networking->interfaces->bce0 -><br />
No IPV6<br />
dhcp=no<br />
Set hostname & domain<br />
Enable sshd<br />
<br />
exit...<br />
exit install -><br />
yes<br />
<br />
take the cd out and let the machine reboot<br />
<br />
3. double check the date/time<br />
<br />
4. edit /etc/make.conf <br />
echo "WITHOUT_X11=yes \<br />
KERNCONF=jail3 \<br />
BOOT_COMCONSOLE_SPEED=115200" >> /etc/make.conf<br />
<br />
<br />
5. add settings to /boot/loader.conf and /boot.config<br />
<br />
echo "-Dh" >> /boot.config<br />
<br />
echo 'console="comconsole,vidconsole" \<br />
boot_multicons="YES" \<br />
boot_serial="YES" \<br />
mfi_linux_load="YES" \<br />
comconsole_speed="115200"' >> /boot/loader.conf<br />
<br />
<br />
6. turn off all ttyv's except 0 and 1 in /etc/ttys<br />
also turn on ttyd0, change type to vt100:<br />
vi /etc/ttys<br />
<br />
ttyv2 "/usr/libexec/getty Pc" cons25 off secure<br />
ttyv3 "/usr/libexec/getty Pc" cons25 off secure<br />
ttyv4 "/usr/libexec/getty Pc" cons25 off secure<br />
ttyv5 "/usr/libexec/getty Pc" cons25 off secure<br />
ttyv6 "/usr/libexec/getty Pc" cons25 off secure<br />
ttyv7 "/usr/libexec/getty Pc" cons25 off secure<br />
# Serial terminals<br />
# The 'dialup' keyword identifies dialin lines to login, fingerd etc.<br />
ttyu0 "/usr/libexec/getty std.9600" vt100 on secure<br />
<br />
kill -1 1<br />
<br />
on console server:<br />
vi /etc/remote<br />
(rename port to jail8 depending on where and which digi plugged into)<br />
test serial console<br />
<br />
<br />
7. populate hosts<br />
echo "10.1.4.3 backup2" >> /etc/hosts<br />
echo "10.1.4.8 backup1" >> /etc/hosts<br />
echo "10.1.2.3 backup3" >> /etc/hosts<br />
<br />
<br />
8. put key in authorized_keys on backup2<br />
cd<br />
ssh-keygen -t dsa -b 1024 <br />
(default location, leave password blank)<br />
<br />
cat /root/.ssh/id_dsa.pub | ssh backup2 'cat - >> /root/.ssh/authorized_keys' <br />
cat /root/.ssh/id_dsa.pub | ssh backup1 'cat - >> /root/.ssh/authorized_keys'<br />
cat /root/.ssh/id_dsa.pub | ssh backup3 'cat - >> /root/.ssh/authorized_keys'<br />
<br />
confirm that you can ssh to backup2 and backup1 without getting a login prompt<br />
<br />
ssh backup2 hostname<br />
<br />
ssh backup1 hostname<br />
<br />
ssh backup3 hostname<br />
<br />
9. create & populate binaries/scripts dirs<br />
mkdir -p /usr/local/jail/bin<br />
mkdir -p /usr/local/jail/rc.d<br />
mkdir -p /usr/local/jail/template/<br />
mkdir /mnt/data1<br />
mkdir /mnt/data2<br />
scp backup2:"/mnt/data4/bin/freebsd8.x/*" /usr/local/jail/bin<br />
cd /usr/local/jail/rc.d/<br />
touch quad1<br />
touch deprecated<br />
chmod +x *<br />
cd /usr/local/jail/bin<br />
ln -s /usr/local/jail/rc.d/quad1 quad1<br />
ln -s /usr/local/jail/bin/jailmake_md jailmake<br />
ln -s /usr/local/jail/bin/js_md js<br />
ln -s /usr/local/jail/bin/canceljail_md canceljail<br />
ln -s /usr/local/jail/bin/jailmakeempty_md jailmakeempty<br />
ln -s /usr/local/jail/bin/postboot_md postboot<br />
ln -s /usr/local/jail/bin/preboot_md preboot<br />
ln -s /usr/local/jail/bin/startjail_md startjail<br />
ln -s /usr/local/jail/bin/stopjail_md stopjail<br />
<br />
rehash<br />
<br />
10. edit root's path and login script:<br />
vi /root/.cshrc<br />
<br />
Change alias entries (add G):<br />
alias la ls -aG<br />
alias lf ls -FAG<br />
alias ll ls -lAG<br />
alias ls ls -AG<br />
alias mbm mb mount<br />
alias mbu mb umount<br />
alias cjb cd /usr/local/jail/bin<br />
alias cd1 cd /mnt/data1<br />
alias cd2 cd /mnt/data2<br />
alias cd3 cd /mnt/data3<br />
alias jtop jtop lj<br />
alias j jobs<br />
<br />
add to path: <br />
/usr/local/jail/bin <br />
(if adaptec card installed, also add /compat/linux/usr/sbin)<br />
<br />
and alter the prompt, set the following:<br />
set prompt = "`/bin/hostname -s` %/# "<br />
<br />
at the bottom of the file add:<br />
set sshtty=`who am i|awk '{print $2}'`<br />
/usr/sbin/rtprio 3 -`psj | grep $sshtty | awk '{print $2}'`<br />
<br />
set shortty=`who am i | awk '{print $2}' | sed -E 's/.*(..)$/\1/'`<br />
foreach x (`psj | grep sh | grep $shortty | awk '{print $2}'`)<br />
/usr/sbin/rtprio 2 -$x<br />
end<br />
<br />
To load the new file:<br />
source /root/.cshrc<br />
<br />
11. install cvsup<br />
cd /usr/ports/net/cvsup-without-gui <br />
make install clean; rehash; mail -s 'cvs installed' dave.boodman@vtext.com < /dev/null<br />
<br />
(stay close for gettext options, 2450: 27mins, supermicro: 17mins, 2950: 22mins)<br />
<br />
12. get latest sources for this release:<br />
cd /usr/src <br />
echo "*default host=cvsup4.freebsd.org\<br />
*default base=/usr\<br />
*default prefix=/usr\<br />
*default release=cvs tag=RELENG_8_3\<br />
*default delete use-rel-suffix\<br />
*default compress\<br />
src-all" > sup<br />
<br />
-OR-<br />
<br />
echo "*default host=cvsup4.freebsd.org\<br />
*default base=/usr\<br />
*default prefix=/usr\<br />
*default release=cvs tag=RELENG_8\<br />
*default delete use-rel-suffix\<br />
*default compress\<br />
src-all" > sup<br />
<br />
(stable)<br />
<br />
<br />
cvsup sup ; mail -s 'cvs sup done' dave.boodman@vtext.com < /dev/null<br />
<br />
(2450, ~12mins, supermicro, 27mins, 2950: 7mins)<br />
<br />
<br />
13. configure new kernel. <br />
<br />
cd /usr/src/sys/amd64/conf <br />
scp backup2:/mnt/data4/build/freebsd/kern_config-8.2-amd64 ./jail3<br />
<br />
edit the kernel config and change ident to be the name of the jail:<br />
vi jail3<br />
ident jail3<br />
<br />
edit /sys/conf/newvers.sh to add –jc2 to the end of the BRANCH string (RELEASE-jc2)<br />
vi /sys/conf/newvers.sh<br />
<br />
notes: http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html<br />
<br />
14. bring over patches from backup2<br />
<br />
The various patches are in /mnt/data4/build/freebsd/patches on backup2. There are dirs for each version. Not all dirs are populated, but patches for later versions work on older ones unless there is a new patch in the older dir.<br />
<br />
cd /usr/src<br />
scp backup2:"/mnt/data4/build/freebsd/patches/8.0/*" .<br />
<br />
Apply patches:<br />
patch -l < jls-patch<br />
<br />
<br />
15. build, install kernel and world<br />
<br />
cd /boot<br />
<br />
mv kernel kernel.GENERIC<br />
cd kernel.GENERIC<br />
mkdir hold<br />
mv mfi_linux.ko hold/<br />
mv linux.ko hold/<br />
mv linprocfs.ko hold/<br />
mv linsysfs.ko hold/<br />
mv geom_vinum.ko hold/<br />
mv geom_concat.ko hold/<br />
mv zfs.* hold/<br />
mv opensolaris* hold/<br />
<br />
rm *.ko<br />
rm *.symbols<br />
mv hold/* .<br />
rmdir hold/<br />
<br />
cd /usr/src<br />
make buildkernel installkernel<br />
<br />
make buildworld ; mail -s 'buildworld done' dave.boodman@vtext.com < /dev/null<br />
(2450: 1:56min, supermicro: 59mins, 2950: 38mins)<br />
make installworld <br />
(2450: 3min, supermicro: 1min, 2950: :34)<br />
mergemaster -i<br />
<br />
cd /sys/modules/zfs<br />
make <br />
make install<br />
<br />
cd /sys/modules/opensolaris<br />
make <br />
make install<br />
<br />
<br />
16. populate devfs ruleset<br />
scp backup2:/mnt/data4/build/freebsd/devfs.rules.8x /etc/devfs.rules<br />
<br />
17. populate /etc/rc.conf with IPs and NFS settings<br />
vi /etc/rc.conf<br />
<br />
kern_securelevel_enable="NO"<br />
portmap_enable="NO"<br />
sendmail_enable="NO"<br />
usbd_enable="YES"<br />
<br />
nfs_client_enable="YES"<br />
nfs_reserved_port_only="YES"<br />
inetd_enable="YES"<br />
inetd_flags="-wW -a 10.1.2.103"<br />
devfs_system_ruleset="devfsrules_show_all"<br />
<br />
ifconfig_em1="inet 10.1.2.103 netmask 255.255.255.0"<br />
ifconfig_em0="inet 69.55.229.7 netmask 255.255.255.0"<br />
#ifconfig_fxp0_alias0="inet 69.55.2xx.xx netmask 255.255.255.0"<br />
<br />
fsck_y_enable="YES"<br />
background_fsck="NO"<br />
#rc_mfi_raid_tty_log="YES"<br />
#zfs_enable="YES"<br />
<br />
<br />
18. make sure sysctls are set and preserved after reboot<br />
echo "kern.consmute=0\<br />
kern.ipc.shm_use_phys=1\<br />
kern.ipc.shmall=131070\<br />
kern.ipc.shmmax=134217728\<br />
net.inet.tcp.syncookies=0\<br />
kern.maxfiles=32768\<br />
kern.fallback_elf_brand=3\<br />
kern.maxprocperuid=4000\<br />
security.jail.sysvipc_allowed=1\<br />
security.jail.allow_raw_sockets=1\<br />
security.jail.socket_unixiproute_only=1\<br />
security.jail.chflags_allowed=0\<br />
dev.amr.0.allow_volume_configure=1\<br />
compat.linux.osrelease=2.6.12\<br />
vm.pmap.shpgperproc=500\<br />
security.bsd.unprivileged_read_msgbuf=0\<br />
kern.maxvnodes=400000" >> /etc/sysctl.conf<br />
<br />
NOTE: watch vfs.numvnodes to see where to set maxvnodes<br />
<br />
19. mount procfs<br />
echo "proc /proc procfs rw 0 0" >> /etc/fstab<br />
<br />
For Dell 2950/2450:<br />
echo "linprocfs /usr/compat/linux/proc linprocfs rw 0 0" >> /etc/fstab<br />
<br />
For Dell 2950:<br />
echo "linsysfs /usr/compat/linux/sys linsysfs rw 0 0" >> /etc/fstab<br />
<br />
mkdir -p /usr/compat/linux/proc<br />
mkdir -p /usr/compat/linux/sys<br />
<br />
19. enable noatime option<br />
NOT APPLICABLE IF RUNNING GVINUM or zfs<br />
data1 and data2 should look something like:<br />
/dev/amrd0s1g /mnt/data1 ufs rw,noatime 2 2<br />
<br />
20. reboot. Confirm new kernel is loaded<br />
<br />
uname -a<br />
<br />
Check devfs rules:<br />
devfs rule showsets<br />
devfs rule -s 3 show<br />
<br />
21. update ports:<br />
cd /usr/ports<br />
echo "*default host=cvsup4.FreeBSD.org\<br />
*default base=/usr\<br />
*default prefix=/usr\<br />
*default release=cvs tag=RELENG_8_3\<br />
*default delete use-rel-suffix\<br />
*default compress\<br />
ports-all tag=." > sup<br />
<br />
cvsup sup; mail -s 'cvs sup ports done' dave.boodman@vtext.com < /dev/null<br />
<br />
(2450: 18mins, supermicro: 19mins; 2950: 24mins)<br />
<br />
22. Install raid mgmt tool<br />
<br />
(for 2850 PERC 4e/Di- no linux)<br />
cd /usr/ports/distfiles/<br />
fetch http://backup01.best-hosting.ru/pub/FreeBSD/ports/distfiles/dr_freebsd_1.51.zip<br />
cd /usr/ports/sysutils/megarc<br />
make install clean<br />
megarc -dispCfg -a0<br />
<br />
need to install perl since linux base won't grab it:<br />
cd /usr/ports/lang/perl5.8<br />
make install clean<br />
<br />
---------------<br />
<br />
(for Perc5/i, 6/i)<br />
install linux_base:<br />
cd /usr/ports/emulators/linux_base-fc4<br />
make install clean <br />
(2450: 7min, supermicro: 3mins, 2950: 14mins)<br />
Note: didnt succeed due to libtool requirement<br />
<br />
cd /usr/ports/distfiles<br />
fetch http://www.lsi.com/DistributionSystem/AssetDocument/support/downloads/megaraid/miscellaneous/linux/2.00.15_Linux_MegaCLI.zip<br />
cd /usr/ports/sysutils/linux-megacli<br />
make install clean<br />
also failed due to libtool, so did<br />
scp /usr/local/sbin/mega* root@10.1.4.110:/usr/local/sbin/<br />
scp /usr/local/libexec/MegaCli root@10.1.4.110:/usr/local/libexec/MegaCli<br />
<br />
Test:<br />
rehash; megacli ldinfo lall a0<br />
<br />
23. install rsync from ports<br />
cd /usr/ports/net/rsync<br />
make install clean<br />
<br />
choose default options<br />
<br />
24. configure inetd to respond to mrtg load queries<br />
echo "load stream tcp nowait user /usr/local/jail/bin/load.pl load.pl" >> /etc/inetd.conf<br />
<br />
echo "load 12384/tcp" >> /etc/services<br />
<br />
25. install bb client<br />
(need linux compat for this, won't install on 8.2 - libtool 2.4 need. So, instead copied over linux: rsync -aSHv --exclude=proc --exclude=sys 10.1.4.108:/usr/compat/linux/ /usr/compat/linux/)<br />
<br />
adduser<br />
Username: bb<br />
Full name: bb<br />
Uid (Leave empty for default): 1984<br />
Login group [bb]:<br />
Login group is bb. Invite bb into other groups? []:<br />
Login class [default]:<br />
Shell (sh csh tcsh nologin) [sh]: <br />
Home directory [/home/bb]:<br />
Use password-based authentication? [yes]:<br />
Use an empty password? (yes/no) [no]:<br />
Use a random password? (yes/no) [no]: yes<br />
Lock out the account after creation? [no]:<br />
Username : bb<br />
Password : <random><br />
Full Name : bb<br />
Uid : 1984<br />
Class :<br />
Groups : bb<br />
Home : /home/bb<br />
Shell : /bin/sh<br />
Locked : no<br />
OK? (yes/no): yes<br />
<br />
cd /usr/home/bb<br />
scp backup2:/mnt/data4/build/bb/bb-freebsd_linuxcompat.tgz .<br />
tar xzf bb-freebsd_linuxcompat.tgz<br />
<br />
edit /home/bb/bbc1.9e-btf/etc/bb-hosts with something like:<br />
echo "69.55.230.2 mail.johncompanies.com # BBPAGER BBNET BBDISPLAY smtp ssh \<br />
69.55.229.7 jail3.johncompanies.com # ssh" > /home/bb/bbc1.9e-btf/etc/bb-hosts<br />
or<br />
echo "10.1.4.5 mail.johncompanies.com # BBPAGER BBNET BBDISPLAY smtp ssh \<br />
10.1.4.103 jail3.johncompanies.com # ssh" > /home/bb/bbc1.9e-btf/etc/bb-hosts<br />
<br />
vi /home/bb/bbc1.9e-btf/ext/openfiles <br />
MACHINE="jail3,johncompanies,com" # HAS TO BE IN A,B,C FORM<br />
<br />
cd /usr/home/bb/bbc1.9e-btf/etc<br />
./bbchkcfg.sh <br />
(y to questions)<br />
./bbchkhosts.sh<br />
(ignore ssh errors)<br />
cd ../..<br />
chown -R bb .<br />
su bb<br />
cd<br />
cd bbc1.9e-btf<br />
./runbb.sh start<br />
more BBOUT <br />
(look for errors)<br />
exit<br />
<br />
echo 'su - bb -c "cd /home/bb/bbc1.9e-btf; ./runbb.sh start"' > /usr/local/etc/rc.d/bb.sh<br />
chmod +x /usr/local/etc/rc.d/bb.sh<br />
<br />
<br />
NOTE: to get bb working on amd, had to copy over bin dir from linux dist <br />
<br />
26. configure load mrtg, on mail<br />
vi /usr/local/www/mgmt/mrtg/mrtg1.cfg <br />
(add new entry to file following existing format)<br />
<br />
27. configure bb on mail:<br />
vi /usr/home/bb/bbsrc/bb1.9i-btf/etc/bb-hosts<br />
10.1.4.109 jail9.johncompanies.com # ssh<br />
or<br />
69.55.229.7 jail3.johncompanies.com # ssh<br />
<br />
su bb<br />
cd<br />
bbsrc/bb/runbb.sh restart ; exit<br />
<br />
28. remove reserve space, enable softupdates (probably already set, so not necessary)<br />
cd<br />
umount /mnt/data1<br />
umount /mnt/data2<br />
tunefs -m 0 /mnt/data1<br />
tunefs -m 0 /mnt/data2<br />
mount -a<br />
<br />
29. DEPRECATED - ntpd listens on jail IPs- security risk <br />
echo "server 10.1.4.5" > /etc/ntp.conf<br />
<br />
/usr/sbin/ntpd -p /var/run/ntpd.pid<br />
sleep 2; ntpq -p<br />
(confirm it’s able to reach our time server)<br />
<br />
But there's a bug so install new ntp from ports<br />
/usr/ports/net/ntp<br />
<br />
<br />
30. fwd and reverse lookups on ns1c<br />
vr johncompanies.com<br />
vi internal.johncompanies.com<br />
rndc reload johncompanies.com IN private<br />
(edit the PTR too)<br />
<br />
<br />
31. if needed, make a g partition<br />
<br />
bsdlabel -e /dev/mfid0s1<br />
<br />
given:<br />
# /dev/aacd0s1:<br />
8 partitions:<br />
# size offset fstype [fsize bsize bps/cpg]<br />
a: 262144 0 4.2BSD 2048 16384 16392<br />
b: 4194304 262144 swap<br />
c: 143363997 0 unused 0 0 # "raw" part, don't edit<br />
d: 524288 4456448 4.2BSD 2048 16384 32776<br />
e: 524288 4980736 4.2BSD 2048 16384 32776<br />
f: 6291456 5505024 4.2BSD 2048 16384 28552<br />
<br />
new offset = 6291456 + 5505024 = 11796480<br />
new size is size for 'c' partition minus the new start from above<br />
143363997 - 11796480 = 131567517<br />
So:<br />
g: 131567517 11796480 unused 0 0<br />
<br />
<br />
Create a g partition on 2nd mirror – bsdlabel no longer works (below shows d partition made with sysinstall):<br />
<br />
jail8 /usr/home/bb# gpart show<br />
=> 63 285474735 mfid0 MBR (136G)<br />
63 285458922 1 freebsd [active] (136G)<br />
285458985 15813 - free - (7.7M)<br />
<br />
=> 0 285458922 mfid0s1 BSD (136G)<br />
0 524288 1 freebsd-ufs (256M)<br />
524288 12582912 2 freebsd-swap (6.0G)<br />
13107200 524288 4 freebsd-ufs (256M)<br />
13631488 524288 5 freebsd-ufs (256M)<br />
14155776 8388608 6 freebsd-ufs (4.0G)<br />
22544384 262914538 7 freebsd-ufs (125G)<br />
<br />
=> 63 584843175 mfid1 MBR (279G)<br />
63 584830197 1 freebsd [active] (279G)<br />
584830260 12978 - free - (6.3M)<br />
<br />
=> 0 584830197 mfid1s1 BSD (279G)<br />
0 16777216 2 freebsd-swap (8.0G)<br />
16777216 568052981 4 freebsd-ufs (271G)<br />
<br />
jail8 /usr/home/bb# gpart show mfid1s1<br />
=> 0 584830197 mfid1s1 BSD (279G)<br />
0 16777216 2 freebsd-swap (8.0G)<br />
16777216 568052981 4 freebsd-ufs (271G)<br />
<br />
# gpart list mfid1s1<br />
<br />
Geom name: mfid1s1<br />
fwheads: 255<br />
fwsectors: 63<br />
last: 584830196<br />
first: 0<br />
entries: 8<br />
scheme: BSD<br />
Providers:<br />
1. Name: mfid1s1b<br />
Mediasize: 8589934592 (8.0G)<br />
Sectorsize: 512<br />
Mode: r1w1e0<br />
rawtype: 1<br />
length: 8589934592<br />
offset: 0<br />
type: freebsd-swap<br />
index: 2<br />
end: 16777215<br />
start: 0<br />
2. Name: mfid1s1d<br />
Mediasize: 290843126272 (271G)<br />
Sectorsize: 512<br />
Mode: r0w0e0<br />
rawtype: 7<br />
length: 290843126272<br />
offset: 8589934592<br />
type: freebsd-ufs<br />
index: 4<br />
end: 584830196<br />
start: 16777216<br />
Consumers:<br />
1. Name: mfid1s1<br />
Mediasize: 299433060864 (279G)<br />
Sectorsize: 512<br />
Mode: r1w1e1<br />
<br />
# gpart delete -i 4 mfid1s1<br />
mfid1s1d deleted<br />
jail8 /usr/home/bb# gpart list mfid1s1<br />
Geom name: mfid1s1<br />
fwheads: 255<br />
fwsectors: 63<br />
last: 584830196<br />
first: 0<br />
entries: 8<br />
scheme: BSD<br />
Providers:<br />
1. Name: mfid1s1b<br />
Mediasize: 8589934592 (8.0G)<br />
Sectorsize: 512<br />
Mode: r1w1e0<br />
rawtype: 1<br />
length: 8589934592<br />
offset: 0<br />
type: freebsd-swap<br />
index: 2<br />
end: 16777215<br />
start: 0<br />
Consumers:<br />
1. Name: mfid1s1<br />
Mediasize: 299433060864 (279G)<br />
Sectorsize: 512<br />
Mode: r1w1e1<br />
<br />
# gpart show mfid1s1<br />
=> 0 584830197 mfid1s1 BSD (279G)<br />
0 16777216 2 freebsd-swap (8.0G)<br />
16777216 568052981 - free - (271G)<br />
<br />
# gpart add -t freebsd-ufs -i 7 mfid1s1<br />
mfid1s1g added<br />
<br />
# gpart show mfid1s1<br />
=> 0 584830197 mfid1s1 BSD (279G)<br />
0 16777216 2 freebsd-swap (8.0G)<br />
16777216 568052981 7 freebsd-ufs (271G)<br />
<br />
<br />
<br />
32. create the jail template<br />
<br />
touch /mnt/data1/jail-template20g<br />
mdconfig -a -t vnode -s 20g -f /mnt/data1/jail-template20g -u 0<br />
newfs -O 1 /dev/md0<br />
mkdir /mnt/data1/jail-DIR<br />
mount /dev/md0 /mnt/data1/jail-DIR<br />
<br />
cd /usr/ports/sysutils/jailutils<br />
make install clean<br />
<br />
cd /usr/src<br />
make world DESTDIR=/mnt/data1/jail-DIR; pagedave<br />
(2450: 2:28mins, supermicro: 55mins, 2950: 1h )<br />
cd etc<br />
make distribution DESTDIR=/mnt/data1/jail-DIR<br />
mount -t devfs devfs /mnt/data1/jail-DIR/dev<br />
devfs -m /mnt/data1/jail-DIR/dev rule -s 3 applyset <br />
cd /mnt/data1/jail-DIR<br />
ln -sf dev/null kernel<br />
cp /usr/local/sbin/jkill /mnt/data1/jail-DIR/sbin<br />
<br />
jail /mnt/data1/jail-DIR testhostname 192.168.11.100 /bin/sh<br />
csh<br />
touch /etc/fstab<br />
echo 'network_interfaces=""\<br />
hostname="newsystem"\<br />
kern_securelevel_enable="NO"\<br />
sendmail_enable="YES"\<br />
sshd_enable="YES"' > /etc/rc.conf<br />
<br />
echo "nameserver 69.55.225.225\<br />
nameserver 69.55.230.3" >> /etc/resolv.conf<br />
<br />
vi /etc/crontab<br />
remove the adjkerntz lines<br />
comment out periodic’s and put this line above them:<br />
# IF YOU UNCOMMENT THESE, PLEASE ADJUST THEIR RUN TIME<br />
<br />
rm -rf /etc/periodic/daily/400.status-disks<br />
<br />
check /tmp for crap<br />
<br />
vi /etc/periodic/security/100.chksetuid<br />
replace: MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`<br />
with: MP='/' (use single quotes)<br />
<br />
mkdir -p /usr/compat/linux/dev<br />
<br />
adduser (Add account for user, make sure in wheel group)<br />
<br />
Username: user<br />
Full name: user<br />
Uid (Leave empty for default):<br />
Login group [user]:<br />
Login group is user. Invite user into other groups? []: wheel<br />
Login class [default]:<br />
Shell (sh csh tcsh nologin) [sh]:<br />
Home directory [/home/user]:<br />
Home directory permissions (Leave empty for default):<br />
Use password-based authentication? [yes]:<br />
Use an empty password? (yes/no) [no]:<br />
Use a random password? (yes/no) [no]: y<br />
Lock out the account after creation? [no]:<br />
Username : user<br />
Password : <random><br />
Full Name : user<br />
Uid : 1001<br />
Class :<br />
Groups : user<br />
Home : /home/user<br />
Home Mode :<br />
Shell : /bin/sh<br />
Locked : no<br />
OK? (yes/no): y<br />
adduser: INFO: Successfully added (user) to the user database.<br />
adduser: INFO: Password for (user) is: 901gmYjO<br />
Add another user? (yes/no): n<br />
Goodbye!<br />
<br />
vi /usr/home/user/.profile (and add to the file):<br />
TERM=vt100; export TERM<br />
<br />
tzsetup<br />
<br />
newaliases <br />
<br />
rm /sbin/halt /sbin/reboot<br />
ln /sbin/jkill /sbin/halt<br />
ln /sbin/jkill /sbin/reboot<br />
<br />
#cd /dev<br />
#rm console<br />
#ln -s null console<br />
<br />
vi /etc/syslog.conf (comment out console and move to /var/log/messages):<br />
#*.err;kern.warning;auth.notice;mail.crit /dev/console *.err;kern.warning;auth.notice;mail.crit /var/log/messages <br />
<br />
exit<br />
exit<br />
<br />
cd libexec<br />
chflags noschg ld-elf32.so.1<br />
chflags noschg ld-elf.so.1<br />
<br />
mv ld-elf32.so.1 ld-elf32.so.1-orig<br />
ln ld-elf.so.1 ld-elf32.so.1<br />
<br />
chflags schg ld-elf.so.1<br />
chflags schg ld-elf32.so.1<br />
<br />
mv /mnt/data1/jail-DIR/usr/sbin/traceroute /mnt/data1/jail-DIR/usr/sbin/_traceroute<br />
<br />
echo '#\!/bin/sh\<br />
/usr/sbin/_traceroute -i bce0 $1' >> /mnt/data1/jail-DIR/usr/sbin/traceroute <br />
chmod +x /mnt/data1/jail-DIR/usr/sbin/traceroute <br />
<br />
<br />
cd /usr/ports<br />
make -DNOCLEANDEPENDS clean <br />
(2450: 15mins , supermicro: 29mins, 2950: 18mins)<br />
rm -fr /usr/ports/distfiles/*<br />
cp -r /usr/ports /mnt/data1/jail-DIR/usr (2450: 2:00 mins , supermicro: 15mins, 2950: 3mins)<br />
<br />
rm /mnt/data1/jail-DIR/root/.history<br />
<br />
cd <br />
umount /mnt/data1/jail-DIR/dev<br />
dump -0a -f /usr/local/jail/template/template /dev/md0<br />
umount /dev/md0<br />
rmdir /mnt/data1/jail-DIR<br />
mdconfig -d -u 0<br />
<br />
<br />
33. setup backups<br />
echo '#\!/bin/sh\<br />
backupdir=/data/jail3\<br />
server=backup1\<br />
\<br />
## ENTRY /etc\<br />
## ENTRY /usr/local/etc\<br />
## ENTRY /usr/local/jail\<br />
## ENTRY /root/logs' > /usr/local/jail/bin/backup.config<br />
<br />
on backup1:<br />
setup backup dirs:<br />
ssh backup1 mkdir -p /data/jail3/0<br />
<br />
on backup1, add the system to <br />
vi /usr/local/sbin/snapshot_rotate<br />
<br />
on mail:<br />
vi /usr/local/www/mgmt/cgi/backupgraph.pl<br />
(add hostname)<br />
<br />
Edit /usr/local/jail/bin/backup.xxx to use the right drives and copy to /usr/local/jail/bin/backup <br />
<br />
34. mkdir /root/logs<br />
<br />
35. edit sshd_config for security<br />
vi /etc/ssh/sshd_config<br />
ListenAddress 69.55.229.7<br />
ListenAddress 10.1.2.103<br />
<br />
kill -1 `cat /var/run/sshd.pid`<br />
<br />
36. add crontab entries<br />
crontab -e<br />
5 0 * * * /usr/local/jail/bin/backup.md<br />
1 0 1 * * /usr/local/jail/bin/ipfwreset<br />
0 18 * * * /usr/local/jail/bin/ipfwbackup<br />
4,9,14,19,24,29,34,39,44,49,55,59 * * * * /usr/local/jail/bin/trafstats<br />
0 0,6,12,18 * * * /usr/local/jail/bin/sync_jail_names<br />
*/5 * * * * /usr/local/jail/bin/perc5iraidchk<br />
*/5 * * * * /usr/local/jail/bin/perc4eraidchk<br />
<br />
37. Reboot notify script<br />
ln -s /usr/local/jail/bin/notify.sh /usr/local/etc/rc.d/notify.sh <br />
<br />
38. add to management db (on mail and devweb) jc.ref_machines and jc.ref_templates<br />
<br />
uname -r<br />
8.0-RELEASE-p2<br />
<br />
insert into ref_machines values (null,'mx2','mx2.johncompanies.com',0,'m');<br />
select machine_id from ref_machines where host='mx2';<br />
+------------+<br />
| machine_id |<br />
+------------+<br />
| 35 |<br />
+------------+<br />
insert into ref_templates values ('',' 8.3-RELEASE-jc2',10,'FreeBSD 8.3',0);<br />
<br />
39. add to server/cabinet map. On mail:<br />
vi /usr/local/www/mgmt/html/cabinetmap.html<br />
<br />
40. add an outside blocking rule to the firewall, so this machine can only be reached from inside the firewall. Follow example already in firewall jail17 is:<br />
<br />
00117 allow ip from { 69.55.230.2 or 69.55.230.10 or 69.55.225.225 or 69.55.238.150 } to 69.55.228.200<br />
00117 deny ip from any to 69.55.228.200<br />
<br />
jail19 would be 00119...<br />
ipfw add 00109 allow ip from { 69.55.230.2 or 69.55.230.10 or 69.55.225.225 } to 69.55.232.3<br />
ipfw add 00109 deny ip from any to 69.55.232.3<br />
<br />
41. select customers for probe map<br />
<br />
42. patch jail against starting jails with rtprio<br />
<br />
mv /usr/sbin/jail /usr/sbin/jail_<br />
echo '#\!/bin/sh\<br />
/usr/sbin/rtprio -t /usr/sbin/jail_ $*' > /usr/sbin/jail<br />
chmod +x /usr/sbin/jail<br />
<br />
43. make sure mail works<br />
If there are map errors:<br />
cd /etc/mail; make maps<br />
<br />
<br />
44. rdate<br />
<br />
cd /usr/ports/sysutils/rdate<br />
make install clean<br />
<br />
crontab -e<br />
0 0 * * * /usr/local/sbin/rdate -s utcnist.colorado.edu<br />
<br />
/usr/local/sbin/rdate -s utcnist.colorado.edu<br />
<br />
<br />
45. recover space on /usr (optional)<br />
<br />
rm -fr /usr/obj<br />
<br />
46. wrapper jps<br />
<br />
mv /usr/local/sbin/jps /usr/local/sbin/jps_<br />
<br />
47. wrapper jls<br />
<br />
mv /usr/sbin/jls /usr/sbin/jls_<br />
<br />
48. wrapper jexec<br />
<br />
mv /usr/sbin/jexec /usr/sbin/jexec_<br />
<br />
49. install jtop<br />
<br />
cd /usr/ports/sysutils/jtop<br />
make install clean<br />
<br />
50. block jails from reaching private net<br />
echo 'ipfw add 1 deny ip from 69.55.224.0/20 to 10.1.4.0/24' > /usr/local/etc/rc.d/ipfw.sh<br />
chmod 0700 /usr/local/etc/rc.d/ipfw.sh<br />
<br />
<br />
xx. setup fuse<br />
<br />
cd /usr/ports/sysutils/fusefs-kmod/<br />
make install<br />
<br />
vi /etc/rc.conf<br />
fusefs_enable="YES"<br />
<br />
sysctl vfs.usermount=1<br />
<br />
cd /usr/ports/sysutils/fusefs-sshfs<br />
make install<br />
<br />
sshfs 1005@usw-s009.rsync.net: /mnt/data1/69.55.234.68-col00001-DIR/mnt</div>
99.139.51.90