Jail Server Install: Difference between revisions
Revision as of 15:34, 16 November 2012
8.x
Assumptions
Setup instructions below assume this is DELL 2950 with an LSI-based SAS RAID card.
Server is at castle, connected to pub, private, serial and DRAC
Assuming load done via IPKVM with ISO mounted via USB
Assumes at least 4 drives, 2 mirrors
Configure server BIOS
setup console redirect, speed 115200
set LCD string to name of server "jail8"
set date to GMT
go into RAID bios and setup mirrors
configure DRAC: TODO
Install OS (sysinstall)
boot to bootonly disk for AMD version of FreeBSD, i.e. FreeBSD-8.3-RELEASE-amd64-bootonly.iso
when the install menu appears, choose custom install
move cursor to mfid0, hit space (takes you to partition map screen). If there is only 1 mirror, there will be no option to select a drive.
type 'a' to use entire disk
type 'q' to quit and save
choose 'freebsd standard mbr'
space to unselect mfid0
cursor down to mfid1
hit space
type 'a' to use entire disk
type 'q' to quit and save
choose 'none' for boot mgr (leave untouched)
cursor over mfid0
space
(takes you into part. Screen again) 'q' to exit
none for boot mgr
Make sure both drives (mfid0 and mfid1) are checked and tab to ok
Make sure mfid0 is highlighted at the top of the screen, then set up the following partitions
/ 512M
swap 6G
/var 256M
/tmp 256M
/usr 5G
/mnt/data1 remaining space
All partitions except / should be set up for soft updates. If not, type 's' to enable soft updates on all except / (should look like UFS2+S Y under the Newfs column)
move cursor to mfid1 at the top of the screen
swap 8G (or 4G if there’s a 3rd drive)
/mnt/data2 remaining space
'q' to save and exit
distributions
Choose the following distributions
- developer (ok to install ports)
- custom -> lib32
exit
media
if you are installing via a cd, there is no need to enter this menu or change anything. Otherwise, choose ftp to install via ftp. You will be prompted to set up networking. You will need to choose a NIC (typically bce0 or bce1). Say no to DHCP and IPv6. Hopefully the public NIC cable was installed in bce0, so start with that NIC and provide the hostname, (public) IP, netmask, gateway and DNS. When configured, it should start pinging. If it doesn't, have the NOC swap cables. Select any FTP server, usually Main or ftp4.
commit
this usually takes 12 minutes. During the process you may need to select a new ftp mirror; this is not a problem.
yes to "visit general config" ->
Set root pwd
Add user ‘user’ member group is wheel, set password
Set tz
Networking -> interfaces -> bce0 -> No IPv6, dhcp=no; set hostname & domain; enable sshd
exit... exit install -> yes
take the cd out and let the machine reboot
3. double check the date/time
4. edit /etc/make.conf:
echo "WITHOUT_X11=yes \
KERNCONF=jail3 \
BOOT_COMCONSOLE_SPEED=115200" >> /etc/make.conf
5. add settings to /boot/loader.conf and /boot.config:
echo "-Dh" >> /boot.config
echo 'console="comconsole,vidconsole" \
boot_multicons="YES" \
boot_serial="YES" \
mfi_linux_load="YES" \
comconsole_speed="115200"' >> /boot/loader.conf
6. turn off all ttyv's except 0 and 1 in /etc/ttys; also turn on ttyu0 (named ttyd0 on releases before 8.0) and change its type to vt100:
vi /etc/ttys
ttyv2 "/usr/libexec/getty Pc" cons25 off secure
ttyv3 "/usr/libexec/getty Pc" cons25 off secure
ttyv4 "/usr/libexec/getty Pc" cons25 off secure
ttyv5 "/usr/libexec/getty Pc" cons25 off secure
ttyv6 "/usr/libexec/getty Pc" cons25 off secure
ttyv7 "/usr/libexec/getty Pc" cons25 off secure
# Serial terminals
# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
ttyu0 "/usr/libexec/getty std.9600" vt100 on secure
kill -1 1
on console server: vi /etc/remote (rename the port to jail8 depending on where and which digi it is plugged into), then test the serial console
7. populate hosts
echo "10.1.4.3 backup2" >> /etc/hosts
echo "10.1.4.8 backup1" >> /etc/hosts
echo "10.1.2.3 backup3" >> /etc/hosts
8. put key in authorized_keys on backup2
cd
ssh-keygen -t dsa -b 1024
(default location, leave password blank)
cat /root/.ssh/id_dsa.pub | ssh backup2 'cat - >> /root/.ssh/authorized_keys'
cat /root/.ssh/id_dsa.pub | ssh backup1 'cat - >> /root/.ssh/authorized_keys'
cat /root/.ssh/id_dsa.pub | ssh backup3 'cat - >> /root/.ssh/authorized_keys'
confirm that you can ssh to backup2 and backup1 without getting a login prompt
ssh backup2 hostname
ssh backup1 hostname
ssh backup3 hostname
9. create & populate binaries/scripts dirs
mkdir -p /usr/local/jail/bin
mkdir -p /usr/local/jail/rc.d
mkdir -p /usr/local/jail/template/
mkdir /mnt/data1
mkdir /mnt/data2
scp backup2:"/mnt/data4/bin/freebsd8.x/*" /usr/local/jail/bin
cd /usr/local/jail/rc.d/
touch quad1
touch deprecated
chmod +x *
cd /usr/local/jail/bin
ln -s /usr/local/jail/rc.d/quad1 quad1
ln -s /usr/local/jail/bin/jailmake_md jailmake
ln -s /usr/local/jail/bin/js_md js
ln -s /usr/local/jail/bin/canceljail_md canceljail
ln -s /usr/local/jail/bin/jailmakeempty_md jailmakeempty
ln -s /usr/local/jail/bin/postboot_md postboot
ln -s /usr/local/jail/bin/preboot_md preboot
ln -s /usr/local/jail/bin/startjail_md startjail
ln -s /usr/local/jail/bin/stopjail_md stopjail
rehash
10. edit root's path and login script: vi /root/.cshrc
Change alias entries (add G):
alias la ls -aG
alias lf ls -FAG
alias ll ls -lAG
alias ls ls -AG
alias mbm mb mount
alias mbu mb umount
alias cjb cd /usr/local/jail/bin
alias cd1 cd /mnt/data1
alias cd2 cd /mnt/data2
alias cd3 cd /mnt/data3
alias jtop jtop lj
alias j jobs
add to path: /usr/local/jail/bin (if an adaptec card is installed, also add /compat/linux/usr/sbin)
and alter the prompt, set the following:
set prompt = "`/bin/hostname -s` %/# "
at the bottom of the file add:
set sshtty=`who am i|awk '{print $2}'`
/usr/sbin/rtprio 3 -`psj | grep $sshtty | awk '{print $2}'`
set shortty=`who am i | awk '{print $2}' | sed -E 's/.*(..)$/\1/'`
foreach x (`psj | grep sh | grep $shortty | awk '{print $2}'`)
    /usr/sbin/rtprio 2 -$x
end
To load the new file: source /root/.cshrc
11. install cvsup
cd /usr/ports/net/cvsup-without-gui
make install clean; rehash; mail -s 'cvs installed' dave.boodman@vtext.com < /dev/null
(stay close for the gettext options; 2450: 27mins, supermicro: 17mins, 2950: 22mins)
12. get latest sources for this release:
cd /usr/src
echo "*default host=cvsup4.freebsd.org\
*default base=/usr\
*default prefix=/usr\
*default release=cvs tag=RELENG_8_3\
*default delete use-rel-suffix\
*default compress\
src-all" > sup
-OR- (stable)
echo "*default host=cvsup4.freebsd.org\
*default base=/usr\
*default prefix=/usr\
*default release=cvs tag=RELENG_8\
*default delete use-rel-suffix\
*default compress\
src-all" > sup
cvsup sup ; mail -s 'cvs sup done' dave.boodman@vtext.com < /dev/null
(2450: ~12mins, supermicro: 27mins, 2950: 7mins)
13. configure new kernel.
cd /usr/src/sys/amd64/conf
scp backup2:/mnt/data4/build/freebsd/kern_config-8.2-amd64 ./jail3
edit the kernel config and change ident to be the name of the jail: vi jail3 and set
ident jail3
edit /sys/conf/newvers.sh to add -jc2 to the end of the BRANCH string (RELEASE-jc2): vi /sys/conf/newvers.sh
notes: http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
14. bring over patches from backup2
The various patches are in /mnt/data4/build/freebsd/patches on backup2. There are dirs for each version. Not all dirs are populated, but patches for later versions work on older ones unless there is a new patch in the older dir.
cd /usr/src
scp backup2:"/mnt/data4/build/freebsd/patches/8.0/*" .
Apply patches: patch -l < jls-patch
15. build, install kernel and world
cd /boot
mv kernel kernel.GENERIC
cd kernel.GENERIC
mkdir hold
mv mfi_linux.ko hold/
mv linux.ko hold/
mv linprocfs.ko hold/
mv linsysfs.ko hold/
mv geom_vinum.ko hold/
mv geom_concat.ko hold/
mv zfs.* hold/
mv opensolaris* hold/
rm *.ko
rm *.symbols
mv hold/* .
rmdir hold/
cd /usr/src
make buildkernel installkernel
make buildworld ; mail -s 'buildworld done' dave.boodman@vtext.com < /dev/null
(2450: 1:56min, supermicro: 59mins, 2950: 38mins)
make installworld
(2450: 3min, supermicro: 1min, 2950: :34)
mergemaster -i
cd /sys/modules/zfs
make
make install
cd /sys/modules/opensolaris
make
make install
16. populate devfs ruleset
scp backup2:/mnt/data4/build/freebsd/devfs.rules.8x /etc/devfs.rules
17. populate /etc/rc.conf with IPs and NFS settings: vi /etc/rc.conf
kern_securelevel_enable="NO"
portmap_enable="NO"
sendmail_enable="NO"
usbd_enable="YES"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
inetd_enable="YES"
inetd_flags="-wW -a 10.1.2.103"
devfs_system_ruleset="devfsrules_show_all"
ifconfig_em1="inet 10.1.2.103 netmask 255.255.255.0"
ifconfig_em0="inet 69.55.229.7 netmask 255.255.255.0"
#ifconfig_fxp0_alias0="inet 69.55.2xx.xx netmask 255.255.255.0"
fsck_y_enable="YES"
background_fsck="NO"
#rc_mfi_raid_tty_log="YES"
#zfs_enable="YES"
18. make sure sysctls are set and preserved after reboot
echo "kern.consmute=0\
kern.ipc.shm_use_phys=1\
kern.ipc.shmall=131070\
kern.ipc.shmmax=134217728\
net.inet.tcp.syncookies=0\
kern.maxfiles=32768\
kern.fallback_elf_brand=3\
kern.maxprocperuid=4000\
security.jail.sysvipc_allowed=1\
security.jail.allow_raw_sockets=1\
security.jail.socket_unixiproute_only=1\
security.jail.chflags_allowed=0\
dev.amr.0.allow_volume_configure=1\
compat.linux.osrelease=2.6.12\
vm.pmap.shpgperproc=500\
security.bsd.unprivileged_read_msgbuf=0\
kern.maxvnodes=400000" >> /etc/sysctl.conf
NOTE: watch vfs.numvnodes to see where to set maxvnodes
19. mount procfs
echo "proc /proc procfs rw 0 0" >> /etc/fstab
For Dell 2950/2450:
echo "linprocfs /usr/compat/linux/proc linprocfs rw 0 0" >> /etc/fstab
For Dell 2950:
echo "linsysfs /usr/compat/linux/sys linsysfs rw 0 0" >> /etc/fstab
mkdir -p /usr/compat/linux/proc
mkdir -p /usr/compat/linux/sys
19. enable noatime option (NOT APPLICABLE IF RUNNING GVINUM or zfs). data1 and data2 should look something like:
/dev/amrd0s1g /mnt/data1 ufs rw,noatime 2 2
20. reboot. Confirm the new kernel is loaded:
uname -a
Check devfs rules:
devfs rule showsets
devfs rule -s 3 show
21. update ports:
cd /usr/ports
echo "*default host=cvsup4.FreeBSD.org\
*default base=/usr\
*default prefix=/usr\
*default release=cvs tag=RELENG_8_3\
*default delete use-rel-suffix\
*default compress\
ports-all tag=." > sup
cvsup sup; mail -s 'cvs sup ports done' dave.boodman@vtext.com < /dev/null
(2450: 18mins, supermicro: 19mins; 2950: 24mins)
22. Install raid mgmt tool
(for 2850 PERC 4e/Di - no linux)
cd /usr/ports/distfiles/
fetch http://backup01.best-hosting.ru/pub/FreeBSD/ports/distfiles/dr_freebsd_1.51.zip
cd /usr/ports/sysutils/megarc
make install clean
megarc -dispCfg -a0
need to install perl since linux base won't grab it:
cd /usr/ports/lang/perl5.8
make install clean
(for Perc5/i, 6/i) install linux_base:
cd /usr/ports/emulators/linux_base-fc4
make install clean
(2450: 7min, supermicro: 3mins, 2950: 14mins)
Note: didn't succeed due to libtool requirement
cd /usr/ports/distfiles
fetch http://www.lsi.com/DistributionSystem/AssetDocument/support/downloads/megaraid/miscellaneous/linux/2.00.15_Linux_MegaCLI.zip
cd /usr/ports/sysutils/linux-megacli
make install clean
also failed due to libtool, so did scp instead:
scp /usr/local/sbin/mega* root@10.1.4.110:/usr/local/sbin/
scp /usr/local/libexec/MegaCli root@10.1.4.110:/usr/local/libexec/MegaCli
Test: rehash; megacli ldinfo lall a0
23. install rsync from ports
cd /usr/ports/net/rsync
make install clean
choose default options
24. configure inetd to respond to mrtg load queries
echo "load stream tcp nowait user /usr/local/jail/bin/load.pl load.pl" >> /etc/inetd.conf
echo "load 12384/tcp" >> /etc/services
25. install bb client (needs linux compat for this; it won't install on 8.2 because libtool 2.4 is needed, so instead copied the linux tree over: rsync -aSHv --exclude=proc --exclude=sys 10.1.4.108:/usr/compat/linux/ /usr/compat/linux/). NEED TO INSTALL PERL SEPARATELY!
adduser
Username: bb
Full name: bb
Uid (Leave empty for default): 1984
Login group [bb]:
Login group is bb. Invite bb into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/bb]:
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]:
Username   : bb
Password   : <random>
Full Name  : bb
Uid        : 1984
Class      :
Groups     : bb
Home       : /home/bb
Shell      : /bin/sh
Locked     : no
OK? (yes/no): yes
cd /usr/home/bb
scp backup2:/mnt/data4/build/bb/bb-freebsd_linuxcompat.tgz .
tar xzf bb-freebsd_linuxcompat.tgz
edit /home/bb/bbc1.9e-btf/etc/bb-hosts with something like:
echo "69.55.230.2 mail.johncompanies.com # BBPAGER BBNET BBDISPLAY smtp ssh \
69.55.229.7 jail3.johncompanies.com # ssh" > /home/bb/bbc1.9e-btf/etc/bb-hosts
or
echo "10.1.4.5 mail.johncompanies.com # BBPAGER BBNET BBDISPLAY smtp ssh \
10.1.4.103 jail3.johncompanies.com # ssh" > /home/bb/bbc1.9e-btf/etc/bb-hosts
vi /home/bb/bbc1.9e-btf/ext/openfiles
MACHINE="jail3,johncompanies,com" # HAS TO BE IN A,B,C FORM
cd /usr/home/bb/bbc1.9e-btf/etc
./bbchkcfg.sh (y to questions)
./bbchkhosts.sh (ignore ssh errors)
cd ../..
chown -R bb .
su bb
cd
cd bbc1.9e-btf
./runbb.sh start
more BBOUT (look for errors)
exit
echo 'su - bb -c "cd /home/bb/bbc1.9e-btf; ./runbb.sh start"' > /usr/local/etc/rc.d/bb.sh
chmod +x /usr/local/etc/rc.d/bb.sh
NOTE: to get bb working on amd, had to copy over bin dir from linux dist
26. configure load mrtg, on mail: vi /usr/local/www/mgmt/mrtg/mrtg1.cfg (add a new entry to the file following the existing format)
27. configure bb on mail: vi /usr/home/bb/bbsrc/bb1.9i-btf/etc/bb-hosts
10.1.4.109 jail9.johncompanies.com # ssh
or
69.55.229.7 jail3.johncompanies.com # ssh
su bb
cd bbsrc/bb
./runbb.sh restart ; exit
28. remove reserve space, enable softupdates (probably already set, so not necessary)
cd
umount /mnt/data1
umount /mnt/data2
tunefs -m 0 /mnt/data1
tunefs -m 0 /mnt/data2
mount -a
29. DEPRECATED - ntpd listens on jail IPs - security risk
echo "server 10.1.4.5" > /etc/ntp.conf
/usr/sbin/ntpd -p /var/run/ntpd.pid
sleep 2; ntpq -p (confirm it's able to reach our time server)
But there's a bug, so install new ntp from ports: /usr/ports/net/ntp
30. fwd and reverse lookups on ns1c
vr johncompanies.com
vi internal.johncompanies.com
rndc reload johncompanies.com IN private
(edit the PTR too)
31. if needed, make a g partition
bsdlabel -e /dev/mfid0s1
given:
# /dev/aacd0s1:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:   262144        0    4.2BSD     2048 16384 16392
  b:  4194304   262144      swap
  c: 143363997       0    unused        0     0  # "raw" part, don't edit
  d:   524288  4456448    4.2BSD     2048 16384 32776
  e:   524288  4980736    4.2BSD     2048 16384 32776
  f:  6291456  5505024    4.2BSD     2048 16384 28552
new offset = size of f + offset of f = 6291456 + 5505024 = 11796480
new size = size of the 'c' partition minus the new start from above = 143363997 - 11796480 = 131567517
So add:
  g: 131567517 11796480    unused        0     0
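As an added check that is not part of the original page, the POSIX shell function below automates the arithmetic above: it reads a bsdlabel -e listing on stdin, finds the highest-ending existing partition and sizes the new one to the rest of the raw 'c' partition, refusing to print a line if the letter is taken or no space is left. The sample listing is constructed from the numbers in step 31.

```shell
# Constructed sample of the bsdlabel -e listing from step 31 (same numbers as above).
SAMPLE_LABEL='# /dev/aacd0s1:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:   262144        0    4.2BSD     2048 16384 16392
  b:  4194304   262144      swap
  c: 143363997       0    unused        0     0  # "raw" part, do not edit
  d:   524288  4456448    4.2BSD     2048 16384 32776
  e:   524288  4980736    4.2BSD     2048 16384 32776
  f:  6291456  5505024    4.2BSD     2048 16384 28552'

# next_partition LETTER
# Reads a bsdlabel listing on stdin and prints the label line for a new
# partition LETTER placed right after the highest-ending existing partition,
# sized to the remainder of the raw 'c' partition.  Exits non-zero (with a
# message on stderr) if LETTER is already in use, 'c' is missing, or no
# space is left after the last partition.
next_partition() {
    awk -v letter="$1" '
        /^[ \t]*[a-h]:/ {
            p = $1; sub(":", "", p)
            size = $2 + 0; off = $3 + 0
            if (p == letter) { err = "partition " letter " already exists"; exit 1 }
            if (p == "c") { csize = size; next }      # raw partition: only its size matters
            if (size + off > maxend) maxend = size + off
        }
        END {
            # awk runs END even after exit, so re-check the error flag here
            if (err == "" && csize == 0) err = "no c partition in label"
            if (err == "" && maxend >= csize) err = "no free space after the last partition"
            if (err != "") { print err > "/dev/stderr"; exit 1 }
            printf "%s: %d %d unused 0 0\n", letter, csize - maxend, maxend
        }'
}

# Example run against the constructed label (prints: g: 131567517 11796480 unused 0 0)
printf '%s\n' "$SAMPLE_LABEL" | next_partition g
```

Paste the printed line into the bsdlabel -e editor as the new g entry; the size and offset are in sectors, exactly as bsdlabel expects.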
Create a g partition on the 2nd mirror - bsdlabel no longer works (below shows the d partition made with sysinstall):
jail8 /usr/home/bb# gpart show
=>        63  285474735  mfid0  MBR  (136G)
          63  285458922      1  freebsd  [active]  (136G)
   285458985      15813         - free -  (7.7M)

=>         0  285458922  mfid0s1  BSD  (136G)
           0     524288        1  freebsd-ufs  (256M)
      524288   12582912        2  freebsd-swap  (6.0G)
    13107200     524288        4  freebsd-ufs  (256M)
    13631488     524288        5  freebsd-ufs  (256M)
    14155776    8388608        6  freebsd-ufs  (4.0G)
    22544384  262914538        7  freebsd-ufs  (125G)

=>        63  584843175  mfid1  MBR  (279G)
          63  584830197      1  freebsd  [active]  (279G)
   584830260      12978         - free -  (6.3M)

=>         0  584830197  mfid1s1  BSD  (279G)
           0   16777216        2  freebsd-swap  (8.0G)
    16777216  568052981        4  freebsd-ufs  (271G)

jail8 /usr/home/bb# gpart show mfid1s1
=>         0  584830197  mfid1s1  BSD  (279G)
           0   16777216        2  freebsd-swap  (8.0G)
    16777216  568052981        4  freebsd-ufs  (271G)

# gpart list mfid1s1
Geom name: mfid1s1
fwheads: 255
fwsectors: 63
last: 584830196
first: 0
entries: 8
scheme: BSD
Providers:
1. Name: mfid1s1b
   Mediasize: 8589934592 (8.0G)
   Sectorsize: 512
   Mode: r1w1e0
   rawtype: 1
   length: 8589934592
   offset: 0
   type: freebsd-swap
   index: 2
   end: 16777215
   start: 0
2. Name: mfid1s1d
   Mediasize: 290843126272 (271G)
   Sectorsize: 512
   Mode: r0w0e0
   rawtype: 7
   length: 290843126272
   offset: 8589934592
   type: freebsd-ufs
   index: 4
   end: 584830196
   start: 16777216
Consumers:
1. Name: mfid1s1
   Mediasize: 299433060864 (279G)
   Sectorsize: 512
   Mode: r1w1e1

# gpart delete -i 4 mfid1s1
mfid1s1d deleted
jail8 /usr/home/bb# gpart list mfid1s1
Geom name: mfid1s1
fwheads: 255
fwsectors: 63
last: 584830196
first: 0
entries: 8
scheme: BSD
Providers:
1. Name: mfid1s1b
   Mediasize: 8589934592 (8.0G)
   Sectorsize: 512
   Mode: r1w1e0
   rawtype: 1
   length: 8589934592
   offset: 0
   type: freebsd-swap
   index: 2
   end: 16777215
   start: 0
Consumers:
1. Name: mfid1s1
   Mediasize: 299433060864 (279G)
   Sectorsize: 512
   Mode: r1w1e1

# gpart show mfid1s1
=>         0  584830197  mfid1s1  BSD  (279G)
           0   16777216        2  freebsd-swap  (8.0G)
    16777216  568052981        - free -  (271G)

# gpart add -t freebsd-ufs -i 7 mfid1s1
mfid1s1g added
# gpart show mfid1s1
=>         0  584830197  mfid1s1  BSD  (279G)
           0   16777216        2  freebsd-swap  (8.0G)
    16777216  568052981        7  freebsd-ufs  (271G)
32. create the jail template
touch /mnt/data1/jail-template20g
mdconfig -a -t vnode -s 20g -f /mnt/data1/jail-template20g -u 0
newfs -O 1 /dev/md0
mkdir /mnt/data1/jail-DIR
mount /dev/md0 /mnt/data1/jail-DIR
cd /usr/ports/sysutils/jailutils
make install clean
cd /usr/src
make world DESTDIR=/mnt/data1/jail-DIR; pagedave
(2450: 2:28mins, supermicro: 55mins, 2950: 1h)
cd etc
make distribution DESTDIR=/mnt/data1/jail-DIR
mount -t devfs devfs /mnt/data1/jail-DIR/dev
devfs -m /mnt/data1/jail-DIR/dev rule -s 3 applyset
cd /mnt/data1/jail-DIR
ln -sf dev/null kernel
cp /usr/local/sbin/jkill /mnt/data1/jail-DIR/sbin
jail /mnt/data1/jail-DIR testhostname 192.168.11.100 /bin/sh
csh
touch /etc/fstab
echo 'network_interfaces=""\
hostname="newsystem"\
kern_securelevel_enable="NO"\
sendmail_enable="YES"\
sshd_enable="YES"' > /etc/rc.conf
echo "nameserver 69.55.225.225\
nameserver 69.55.230.3" >> /etc/resolv.conf
vi /etc/crontab: remove the adjkerntz lines, comment out the periodic entries and put this line above them:
# IF YOU UNCOMMENT THESE, PLEASE ADJUST THEIR RUN TIME
rm -rf /etc/periodic/daily/400.status-disks
check /tmp for crap
vi /etc/periodic/security/100.chksetuid and replace:
MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
with (use single quotes):
MP='/'
mkdir -p /usr/compat/linux/dev
adduser (add an account for user, make sure it is in the wheel group)
Username: user
Full name: user
Uid (Leave empty for default):
Login group [user]:
Login group is user. Invite user into other groups? []: wheel
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/user]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]: y
Lock out the account after creation? [no]:
Username   : user
Password   : <random>
Full Name  : user
Uid        : 1001
Class      :
Groups     : user
Home       : /home/user
Home Mode  :
Shell      : /bin/sh
Locked     : no
OK? (yes/no): y
adduser: INFO: Successfully added (user) to the user database.
adduser: INFO: Password for (user) is: 901gmYjO
Add another user? (yes/no): n
Goodbye!
vi /usr/home/user/.profile (and add to the file):
TERM=vt100; export TERM
tzsetup
newaliases
rm /sbin/halt /sbin/reboot
ln /sbin/jkill /sbin/halt
ln /sbin/jkill /sbin/reboot
# cd /dev
# rm console
# ln -s null console
vi /etc/syslog.conf (comment out the console line and send those messages to /var/log/messages instead):
#*.err;kern.warning;auth.notice;mail.crit    /dev/console
*.err;kern.warning;auth.notice;mail.crit     /var/log/messages
exit
exit
cd libexec
chflags noschg ld-elf32.so.1
chflags noschg ld-elf.so.1
mv ld-elf32.so.1 ld-elf32.so.1-orig
ln ld-elf.so.1 ld-elf32.so.1
chflags schg ld-elf.so.1
chflags schg ld-elf32.so.1
mv /mnt/data1/jail-DIR/usr/sbin/traceroute /mnt/data1/jail-DIR/usr/sbin/_traceroute
echo '#\!/bin/sh\
/usr/sbin/_traceroute -i bce0 $1' >> /mnt/data1/jail-DIR/usr/sbin/traceroute
chmod +x /mnt/data1/jail-DIR/usr/sbin/traceroute
cd /usr/ports
make -DNOCLEANDEPENDS clean
(2450: 15mins , supermicro: 29mins, 2950: 18mins)
rm -fr /usr/ports/distfiles/*
cp -r /usr/ports /mnt/data1/jail-DIR/usr (2450: 2:00 mins , supermicro: 15mins, 2950: 3mins)
rm /mnt/data1/jail-DIR/root/.history
cd
umount /mnt/data1/jail-DIR/dev
dump -0a -f /usr/local/jail/template/template /dev/md0
umount /dev/md0
rmdir /mnt/data1/jail-DIR
mdconfig -d -u 0
33. setup backups
echo '#\!/bin/sh\
backupdir=/data/jail3\
server=backup1\
\
- ENTRY /etc\
- ENTRY /usr/local/etc\
- ENTRY /usr/local/jail\
- ENTRY /root/logs' > /usr/local/jail/bin/backup.config
on backup1: setup backup dirs: ssh backup1 mkdir -p /data/jail3/0
on backup1, add the system to vi /usr/local/sbin/snapshot_rotate
on mail: vi /usr/local/www/mgmt/cgi/backupgraph.pl (add hostname)
Edit /usr/local/jail/bin/backup.xxx to use the right drives and copy to /usr/local/jail/bin/backup
34. mkdir /root/logs
35. edit sshd_config for security: vi /etc/ssh/sshd_config
ListenAddress 69.55.229.7
ListenAddress 10.1.2.103
kill -1 `cat /var/run/sshd.pid`
36. add crontab entries: crontab -e
5 0 * * * /usr/local/jail/bin/backup.md
1 0 1 * * /usr/local/jail/bin/ipfwreset
0 18 * * * /usr/local/jail/bin/ipfwbackup
4,9,14,19,24,29,34,39,44,49,55,59 * * * * /usr/local/jail/bin/trafstats
0 0,6,12,18 * * * /usr/local/jail/bin/sync_jail_names
*/5 * * * * /usr/local/jail/bin/perc5iraidchk
*/5 * * * * /usr/local/jail/bin/perc4eraidchk
37. Reboot notify script ln -s /usr/local/jail/bin/notify.sh /usr/local/etc/rc.d/notify.sh
38. add to management db (on mail and devweb): jc.ref_machines and jc.ref_templates
uname -r
8.0-RELEASE-p2
insert into ref_machines values (null,'mx2','mx2.johncompanies.com',0,'m');
select machine_id from ref_machines where host='mx2';
+------------+
| machine_id |
+------------+
|         35 |
+------------+
insert into ref_templates values (,' 8.3-RELEASE-jc2',10,'FreeBSD 8.3',0);
39. add to server/cabinet map. On mail: vi /usr/local/www/mgmt/html/cabinetmap.html
40. add an outside blocking rule to the firewall, so this machine can only be reached from inside the firewall. Follow the example already in the firewall; jail17 is:
00117 allow ip from { 69.55.230.2 or 69.55.230.10 or 69.55.225.225 or 69.55.238.150 } to 69.55.228.200
00117 deny ip from any to 69.55.228.200
jail19 would be 00119...
ipfw add 00109 allow ip from { 69.55.230.2 or 69.55.230.10 or 69.55.225.225 } to 69.55.232.3
ipfw add 00109 deny ip from any to 69.55.232.3
41. select customers for probe map
42. patch jail against starting jails with rtprio
mv /usr/sbin/jail /usr/sbin/jail_
echo '#\!/bin/sh\
/usr/sbin/rtprio -t /usr/sbin/jail_ $*' > /usr/sbin/jail
chmod +x /usr/sbin/jail
43. make sure mail works If there are map errors: cd /etc/mail; make maps
44. rdate
cd /usr/ports/sysutils/rdate make install clean
crontab -e 0 0 * * * /usr/local/sbin/rdate -s utcnist.colorado.edu
/usr/local/sbin/rdate -s utcnist.colorado.edu
45. recover space on /usr (optional)
rm -fr /usr/obj
46. wrapper jps
mv /usr/local/sbin/jps /usr/local/sbin/jps_
47. wrapper jls
mv /usr/sbin/jls /usr/sbin/jls_
48. wrapper jexec
mv /usr/sbin/jexec /usr/sbin/jexec_
49. install jtop
cd /usr/ports/sysutils/jtop make install clean
50. block jails from reaching private net
echo 'ipfw add 1 deny ip from 69.55.224.0/20 to 10.1.4.0/24' > /usr/local/etc/rc.d/ipfw.sh
chmod 0700 /usr/local/etc/rc.d/ipfw.sh
xx. setup fuse
cd /usr/ports/sysutils/fusefs-kmod/
make install
vi /etc/rc.conf and add:
fusefs_enable="YES"
sysctl vfs.usermount=1
cd /usr/ports/sysutils/fusefs-sshfs
make install
sshfs 1005@usw-s009.rsync.net: /mnt/data1/69.55.234.68-col00001-DIR/mnt