# Small Homeserver - What to do?



## twilight (Dec 9, 2009)

Dear Community,

thanks for taking the time! ;-) I am really glad about communities like this one and I do have a few questions related to my little home server. Maybe one day I am able to contribute something back to this one 

You can skip ahead to the bold-marked sections if you want to leave out "my history" with FreeBSD ;-)

I am living together with 6 other guys, inside a bigger community of altogether around 20 people. We want to have our own little wiki-server, filesharing and maybe print-server.

Coming from Gentoo-Linux I am quite experienced in compiling my own system. About 10 years ago a friend showed me FreeBSD and I was interested, but not "ready". Then I switched to MacOS-X and now came back to FreeBSD.

I played with FreeBSD 8.0 the last couple of days and think it is time to install my new server that arrived yesterday.

*Hardware configuration server*:

- Intel Atom 330 (dualcore with hyperthreading, looks like 4 cores)
- NVidia ION-Chipset
- NVidia 9400M GPU
- 2 GB DDR2 RAM
- 320 GB 3,5" hdd.

*Setup*:

- We have a small little router (FritzBox), which needs to be used due to VoIP :-(
- dLink AccessPoint, this one is for the Laptops and is DHCP-Server as I can configure, what DNS-IPs it distributes
- My cute little Server above ;-)

*What happened so far*:

- Registered with dyndns.org and having our router login and updating the dns-entry.
- Installed FreeBSD 8.0 on the server
- Configured inetd (only running service as of now is sshd without root-login!)
- Portforwarding on the Router of Port 22 (ssh) to the server so I have remote access from my work-place
- installed tools like nano and bash to make myself a little more comfortable
- created /etc/adduser.conf and fitted to my needs and paths

*What do I want to do?*

- I want to have a FreeBSD that is fitted to my hardware
- Have mediawiki installed and locked into a jail (as I plan on making it publicly available, too!)

*Next steps*:

- update the installed ports-tree: How do I do that? I could only find a howto about how to install not how to update ports
- configure and compile the kernel. I will do that when I am at home, not at work for obvious reasons! ;-)
- update the system according to the freshly upgraded ports-tree
- install and configure -> apache, mysql, php, mediawiki and jail it
- portforwarding the port 80 (or maybe 443 for https) to my server in order to have others outside our network (but "inside" our community) to access the wiki

*Questions*:

- ports: When I _make install clean_ a software, _top_ shows me a cpu-idle of about 75%. I guess that is because FreeBSD sees 4 cores but only uses 1 for the make. How do I make it use all 4 cores?
- jails: What should I jail? Just the apache, or the apache and the mysql?
- VPN or sshd? Should I rather set up a PPTP-VPN-server on my FreeBSD-Machine and vpn into my network, rather than portforward the sshd to the public? I mean security-wise. It would have the benefit of me having access to the router and the accesspoint from work, too!

So any comments, tips, hints, howtos, critics are welcome

Thanks and have a nice day!

Thomas


----------



## SirDice (Dec 9, 2009)

twilight said:

> Configured inetd (only running service as of now is sshd without root-login!)


inetd isn't needed for sshd.



> Have mediawiki installed and locked into a jail (as I plan on making it publicly available, too!)


The jail(8) manpage has all the info you need on how to set up a jail.



> update the installed ports-tree: How do I do that? I could only find a howto about how to install not how to update ports
> configure and compile the kernel. I will do that when I am at home, not at work for obvious reasons! ;-)
> update the system according to the freshly upgraded ports-tree
> install and configure -> apache, mysql, php, mediawiki and jail it
> portforwarding the port 80 (or maybe 443 for https) to my server in order to have others outside our network (but "inside" our community) to access the wiki


Almost everything can be found in the handbook.




> jails: What should I jail? Just the apache, or the apache and the mysql?


Whatever you want. You can even use 2 separate jails.



> VPN or sshd? Should I rather set up a PPTP-VPN-server on my FreeBSD-Machine and vpn into my network, rather than portforward the sshd to the public? I mean security-wise. It would have the benefit of me having access to the router and the accesspoint from work, too!


Both have about the same security risks. So, again, it's up to you.


----------



## aragon (Dec 9, 2009)

Have you read the FreeBSD Handbook yet?  It should answer many of your questions...


----------



## twilight (Dec 9, 2009)

aragon said:
			
		

> Have you read the FreeBSD Handbook yet?  It should answer many of your questions...



actually I did 

That is how I got up to the point where I am now! But I could not find something about upgrading the actual ports-tree. There is enough about upgrading installed ports but not the tree itself (as far as I could tell)


----------



## twilight (Dec 9, 2009)

SirDice said:
			
		

> inetd isn't needed for sshd.



I guessed I would need it for apache and mysql, no? If not how would I deactivate inetd and still keep sshd running?


----------



## SirDice (Dec 9, 2009)

twilight said:
			
		

> I guessed I would need it for apache and mysql, no? If not how would I deactivate inetd and still keep sshd running?


Inetd isn't needed at all.

Just add to /etc/rc.conf:

```
sshd_enable="YES"
```

For apache, assuming 2.2.x:

```
apache22_enable="YES"
```

Mysql:

```
mysql_enable="YES"
```


----------



## twilight (Dec 9, 2009)

After looking into the rc.conf-file I could see the entry for sshd was enabled.
I then looked into the inetd.conf and it was disabled there, so I just disabled inetd
inside the rc.conf. That did the trick, thanks!


----------
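
The rc.conf change worked out in the posts above (inetd off, with sshd, apache22 and mysql each on their own `*_enable` line), as an added example that is not part of the original thread: a POSIX sh check to run before rebooting a machine you only reach over SSH. The function names and the sample rc.conf contents are constructed for illustration, and only the file passed in is read (not /etc/defaults/rc.conf or rc.conf.local).

```sh
#!/bin/sh
# Added example, not code from the thread. Function names and the sample
# rc.conf contents below are constructed for illustration.

# True for the values rc.subr's checkyesno accepts as "on".
rc_is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, the services whose final NAME_enable setting is on.
# rc.conf is sourced as shell, so a later assignment overrides an earlier one.
rc_enabled_services() {
    enabled=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        case "$line" in *_enable=*) ;; *) continue ;; esac
        name=$(printf '%s' "${line%%_enable=*}" | tr -d ' \t')
        value=$(printf '%s' "${line#*_enable=}" | tr -d "\"' \t")
        kept=""                                       # forget earlier setting
        for svc in $enabled; do
            [ "$svc" = "$name" ] || kept="$kept $svc"
        done
        enabled=$kept
        if rc_is_yes "$value"; then enabled="$enabled $name"; fi
    done < "$1"
    for svc in $enabled; do echo "$svc"; done
}

# Return 0 only if sshd will start at boot and inetd will not.
rc_audit() {
    services=" $(rc_enabled_services "$1" | tr '\n' ' ')"
    problems=0
    case "$services" in
        *" inetd "*) echo "WARN: inetd_enable is on; sshd, apache22 and mysql do not need it"
                     problems=1 ;;
    esac
    case "$services" in
        *" sshd "*) echo "OK: sshd_enable is on, remote login survives a reboot" ;;
        *) echo "WARN: sshd_enable is not on; SSH access is lost after a reboot"
           problems=1 ;;
    esac
    echo "Enabled at boot:$services"
    return $problems
}

# Constructed sample: state at the start of the thread (inetd still enabled).
sample_before() {
    cat <<'EOF'
hostname="homeserver.example"
inetd_enable="YES"
sshd_enable="YES"
apache22_enable="YES"
mysql_enable="YES"
EOF
}

# Constructed sample: the same file after appending an override for inetd.
sample_after() {
    sample_before
    cat <<'EOF'
inetd_enable="NO"     # later assignment wins
#sshd_enable="NO"     (commented out, ignored)
EOF
}

demo=$(mktemp)
sample_before > "$demo"; rc_audit "$demo" || echo "-> fix rc.conf before rebooting"
sample_after  > "$demo"; rc_audit "$demo" && echo "-> safe to reboot"
rm -f "$demo"
```
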



## mickey (Dec 9, 2009)

twilight said:
			
		

> We have a small little router (FritzBox), which needs to be used due to VoIP :-(


Most of these devices can be switched into a bridged mode, acting like a DSL modem. So you could use your FreeBSD machine as a router, and continue using the VoIP features of the device 



			
twilight said:


> update the installed ports-tree: How do I do that? I could only find a howto about how to install not how to update ports


```
more /usr/share/examples/cvsup/ports-supfile
```
And read the fine handbook 



			
twilight said:


> When I _make install clean_ a software, _top_ shows me a cpu-idle of about 75%. I guess that is because FreeBSD sees 4 cores but only uses 1 for the make. How do I make it use all 4 cores?


As of FreeBSD 8, parallel port building is supported. As not every software builds without problems, when compiled with parallel make jobs, this feature is enabled, based on a whitelist. This means you have to do nothing, to take advantage of it, for ports known to build without problems. If you are daring to try, you may set _FORCE_MAKE_JOBS=yes_ and _MAKE_JOBS_NUMBER=XX_ in /etc/make.conf, where XX is the number of parallel make jobs to start.


----------



## chalbersma (Dec 9, 2009)

twilight said:
			
		

> *What do I want to do?*
> 
> 
> update the installed ports-tree: How do I do that? I could only find a howto about how to install not how to update ports
> ...



1)
For ports I generally use portsnap. A quick:

```
# portsnap fetch extract
```
should get you up and running with your ports.  Then anytime you wish to update them run:

```
# portsnap fetch update
```
Check out the handbook page on ports for other ways of installing/updating.

2)
Building and installing a custom kernel is something I've never actually had time to do properly (I've done them but I just haven't had time to test them thoroughly). But the handbook page on instructions is here if you are interested.

3)
For upgrading the system I always have the same method. Update the kernel then update the ports.  If you decide to stick with the generic kernel then an update is:

```
# freebsd-update fetch
# freebsd-update install
```
Followed by a reboot. Keep in mind 

```
# freebsd-update rollback
```
is available if something goes wrong.
And for upgrading the ports I always use

```
# portupgrade -ca
```
The "-c" flag loads all your configs first. I'd recommend it.
Here's the relevant page.

4) 
The jail man page and the handbook page on jails should be enough to get you started.  As for the configs of the services themselves SirDice's suggestions are top notch.

5) 
Don't quote me on this one but I believe port forwarding will be handled by your router, so poke around in those manuals (unless I'm wrong which could be entirely possible).

Q1) I believe you can make that work by compiling more than one app at once. I know I read something somewhere about trying to get the system to utilize all the cores naturally but f me if I can remember where that was.

Q2) Jails are nice but I would suggest not using them. Not because the security isn't there but just because the jails seem like it would be too much of a hassle to warrant the added security. Esp if you're just running a web server / print server.  I gen use jails to test out software that doesn't yet have a port like monkey web server. It has a port but the latest and greatest is still in devel so when I wanted to test that out I used a jail.

Q3) VPN or ssh? Your call which would you rather use?

CRH


----------



## twilight (Dec 9, 2009)

-> mickey and chalbersma:

Now that was very helpful. After re-reading the ports-passage in the handbook, I am using portsnap to fetch and update my ports-tree!

thanks for the headsup to updating the kernel and the system, too!

I just read the FreeBSD_Update-Page, ran the commands but I've got a problem:
_freebsd-update fetch_ fetches as it should (it said "fetching 6 patches" among other stuff),
and then said the new Release would be _8.0-RELEASE-p1_ but uname -a still says it is _8.0-RELEASE #0_

The handbook said that default is to run the /boot/GENERIC - kernel. That file is nowhere to be found on my system. Instead I have "kernel" and "kernel.old". While kernel.old has a new timestamp, the "kernel" still has the same timestamp as it had before.

Am I doing something wrong? I am definitely sure I have not compiled a new kernel ;-)


as for portforwarding: I already did that, otherwise I would not have any access to the FreeBSD-Box at all ;-) I am a network-admin after all, just not familiar with FreeBSD as of now :-(

Well, I guess I have to read some more about jails before I try and use them!


----------



## twilight (Dec 9, 2009)

I still can't edit. :-(

after running "freebsd-update fetch" I of course ran "freebsd-update install" and rebooted!!

But uname -a says the same, before fetching, before installing and after rebooting


----------



## dennylin93 (Dec 9, 2009)

twilight said:
			
		

> I still can't edit. :-(



You can edit after 10 days and 10 posts. I haven't used freebsd-update for a long time, so I'm not sure what the process should be like.


----------



## twilight (Dec 9, 2009)

mickey said:
			
		

> If you are daring to try, you may set _FORCE_MAKE_JOBS=yes_ and _MAKE_JOBS_NUMBER=XX_ in /etc/make.conf, where XX is the number of parallel make jobs to start.



Coming from gentoo linux (which features a portage-collection similar to ports), you bet I am daring to try ;-)

I did and what I found was: compiling took less than half the time than before. CPU load increased drastically and idle dropped drastically. And on some ports it still just uses one CPU, so I guess there are ports that are difficult in parallel making, and they don't get overridden by FORCE_MAKE_JOBS=yes, but everything else does make use of all 4 cpus now, and so far now make complained (updating the whole system right now ;-))

Thanks again!

So I guess I need to get the kernel-update running and I could actually start configuring my wiki-server ;-) sweet!!


----------



## twilight (Dec 9, 2009)

I really need to be more thorough before submitting my posts 

Meant to write: "and so far no make complained"


----------



## mickey (Dec 9, 2009)

twilight said:
			
		

> I did and what I found was: compiling took less than half the time than before. CPU load increased drastically and idle dropped drastically. And on some ports it still just uses one CPU, so I guess there are ports that are difficult in parallel making, and they don't get overridden by FORCE_MAKE_JOBS=yes, but everything else does make use of all 4 cpus now, and so far now make complained (updating the whole system right now ;-))



Yes, from what I've read, there's also the possibility to mark specific ports as not buildable in parallel. I am not sure though, how many of the ports have been marked (either as parallel build safe or unsafe) at this time.



			
twilight said:


> So I guess I need to get the kernel-update running and I could actually start configuring my wiki-server ;-) sweet!!



Guess it will find your interest, that if you are building world/kernel from source, you may as well do that in parallel, by specifying the _-j <numjobs>_ option to make


----------



## phoenix (Dec 9, 2009)

twilight said:
			
		

> actually I did
> 
> That is how I got up to the point where I am now! But I could not find something about upgrading the actual ports-tree. There is enough about upgrading installed ports but not the tree itself (as far as I could tell)



portsnap()


----------



## phoenix (Dec 9, 2009)

twilight said:
			
		

> I still can't edit. :-(
> 
> after running "freebsd-update fetch" I of course ran "freebsd-update install" and rebooted!!
> 
> But uname -a says the same, before fetching, before installing and after rebooting



uname outputs the version number embedded in the kernel itself.  If the kernel is not patched by freebsd-update (ie it's other parts of the OS that are updated), then the version will not change.


----------



## twilight (Dec 9, 2009)

thanks, that is interesting

But I still have not figured out how to update my kernel.

All my tools and stuff are upgraded, but the kernel still is not. I am still running 8.0-RELEASE while _freebsd-update fetch_ finds version 8.0-RELEASE-p1. After issuing _freebsd-update install_ and rebooting it still is running the "old" version of the kernel.

Is 8.0-RELEASE-p1 a new release?

I thought so and that is why I did _freebsd-update -r  8.0-RELEASE-p1 upgrade_.
It found the release, asked me about whether my installed and not installed packages look reasonable, which they did. Then it tried to download, but that did not work. Then it said installing, and after a reboot I still have the old kernel-release, but another _freebsd-update fetch_ says _No updates needed to update system to 8.0-RELEASE-p1_.

And under /boot/ there still is no GENERIC. loader.conf is empty, /boot/defaults/loader.conf says it is using /boot/kernel instead of /boot/GENERIC AND the folder still has the old time/date, only the /boot/kernel.old has a newer time.


----------



## twilight (Dec 9, 2009)

phoenix said:
			
		

> uname outputs the version number embedded in the kernel itself.  If the kernel is not patched by freebsd-update (ie it's other parts of the OS that are updated), then the version will not change.



so you are saying my system is up to date?


----------



## SirDice (Dec 9, 2009)

twilight said:
			
		

> And under /boot/ there still is no GENERIC. loader.conf is empty, /boot/defaults/loader.conf says it is using /boot/kernel instead of /boot/GENERIC AND the folder still has the old time/date, only the /boot/kernel.old has a newer time.


GENERIC is the name of the config used to create the kernel. There will never be a file called /boot/GENERIC.


----------



## tangram (Dec 9, 2009)

twilight said:
			
		

> But I still have not figured out how to update my kernel.



Chapter 8 Configuring the FreeBSD Kernel

Everything you need to know to customize and compile a FreeBSD kernel.


----------



## twilight (Dec 9, 2009)

tangram said:
			
		

> Chapter 8 Configuring the FreeBSD Kernel
> 
> Everything you need to know to customize and compile a FreeBSD kernel.



thank you, but I know that chapter and have read it already. But it did not answer my question about why _freebsd-update_ did not do its job (at least, that's what I thought and it turned out to be correct, read 3 or so posts above)



			
SirDice said:


> GENERIC is the name of the config used to create the kernel. There will never be a file called /boot/GENERIC.



Now that is something I find sort of confusing :-( Why is in every documentation that I find a path _/boot/GENERIC_ when it is not an actual path but tells me, that /boot/kernel is compiled using the GENERIC-Config file. I really find that confusing :\ but thanks for the hint!


----------



## twilight (Dec 9, 2009)

twilight said:
			
		

> and it turned out to be correct, read 3 or so posts above



that should read: The tool turned out to be correct, not my thought about the tool did something wrong ;-)


----------



## SirDice (Dec 9, 2009)

twilight said:
			
		

> Now that is something I find sort of confusing :-( Why is in every documentation that I find a path _/boot/GENERIC_ when it is not an actual path but tells me, that /boot/kernel is compiled using the GENERIC-Config file. I really find that confusing :\ but thanks for the hint!


I can imagine it's confusing because /boot/GENERIC is simply not correct 

Couldn't find it mentioned in the handbook either.


----------



## twilight (Dec 9, 2009)

SirDice said:
			
		

> I can imagine it's confusing because /boot/GENERIC is simply not correct
> 
> Couldn't find it mentioned in the handbook either.



Here: http://www.freebsd.org/doc/en/books/handbook/updating-upgrading-freebsdupdate.html
under 24.2.3 Major and Minor Upgrades 



> The GENERIC kernel will be installed in /boot/GENERIC by default.


----------



## twilight (Dec 9, 2009)

that was something that I read on several pages/documents and forums (yes, I do google before asking questions ;-)) and it simply confused me!

sry


----------



## SirDice (Dec 9, 2009)

Ah.. I had to read up that bit, I never use freebsd-update, I always source update :e

But it looks like you skipped reading an important bit:


> *If a custom kernel is in use*, the upgrade process is slightly more involved. A copy of the GENERIC kernel is needed, and it should be placed in /boot/GENERIC. If the GENERIC kernel is not already present in the system, it may be obtained using one of the following methods:
> 
> 
> If a custom kernel has only been built once, the kernel in /boot/kernel.old is actually the GENERIC one. Simply rename this directory to /boot/GENERIC.
> ...


----------



## twilight (Dec 9, 2009)

SirDice said:
			
		

> Ah.. I had to read up that bit, I never use freebsd-update, I always source update :e
> 
> But it looks like you skipped reading an important bit:



there it is again 





> simply rename it to /boot/GENERIC


.

;-)

and: as of now I did not build my own kernel. I did not configure anything kernelwise, I just installed the system.

And ran freebsd-update, which is supposed to do a binary update, so I really thought there should be /boot/GENERIC


----------



## twilight (Dec 9, 2009)

also, I think I did not install the sources?! Because /usr/src is in fact empty on my system.


----------



## tangram (Dec 9, 2009)

twilight said:
			
		

> there it is again .
> 
> ;-)
> 
> ...



SirDice's quoted information from the Handbook just says that to better identify your old kernel and associated modules you should rename the kernel.old directory to GENERIC.

The generic kernel configuration file is /usr/src/sys/i386/conf/GENERIC and should not be edited but copied instead.


----------



## tangram (Dec 9, 2009)

twilight said:
			
		

> also, I think I did not install the sources?! Because /usr/src is in fact empty on my system.



Upon installation there was a question regarding which distribution to install. You probably didn't install the one that mentioned kernel/system source code.

You can install it from CD or use csup(1).


----------



## chalbersma (Dec 10, 2009)

twilight said:
			
		

> Here: http://www.freebsd.org/doc/en/books/handbook/updating-upgrading-freebsdupdate.html
> under 24.2.3 Major and Minor Upgrades



That is odd

```
> ls
GENERIC		boot2		gptboot		loader.conf	pxeboot
beastie.4th	cdboot		gptzfsboot	loader.help	screen.4th
boot		defaults	kernel		loader.rc	support.4th
boot0		device.hints	kernel.old	mbr		zfs
boot0sio	firmware	loader		modules		zfsboot
boot1		frames.4th	loader.4th	pmbr
> pwd
/boot
>
```
I do have a directory called that and my kernel is installed there.  

As for the p1 in the release I believe it just stands for patchset 1.


----------



## twilight (Dec 13, 2009)

Hello and a happy 3rd advent 

As of Friday evening I have everything up and running:
- All patches are applied
- sshd is compiled, installed and running
- mySQL is compiled, installed and running
- Apache22 is compiled, installed and running
- PHP is compiled, installed and running
- Mediawiki is compiled, installed and running.

During my trial to get everything working I had the experience, that, say, sshd would not start at bootup.

I thought that might have been because I added apache to the rc.conf, but replaced the apache1.3 port (which mediawiki installs by default) with the apache22-version, but did not change the value in rc.conf from enable_apache to enable_apache22.

On Friday evening I had every service recompiled and configured and everything worked as it should. So I told my users to start registering in the wiki and using it

On Saturday morning everything worked fine and I took off to visit my family. On Saturday Noon I showed the wiki to my cousin and it worked fine.

When I tried to show the wiki to my father on Saturday Evening, nothing worked. I'd just get timeouts on both ports/pages, http:80 and https:443.

*sshd stopped working, too.*

Now, seeing that I had the problem that some services would not get started at bootup (although set correctly in the rc.conf) but the system otherwise works fine, and after a reboot every service gets started correctly, I am beginning to wonder if maybe the services just died and did not reload.

As I am using rc.conf, what happens when a service dies? Is it just dead or does some daemon watch over it and restart it? As I see it, that is, what inetd is for, right? And why do daemons die after all?

As I don't have any access to the server, I just can speculate, but maybe somebody could tell me, which logfiles to look at to maybe get an answer? I will get my hands on the server tonight as I am going back "home".


----------



## mickey (Dec 13, 2009)

twilight said:
			
		

> As I am using rc.conf, what happens when a service dies?



Services are not normally supposed to die off.



			
twilight said:


> As I see it, that is, what inetd is for, right?



Not really. inetd is conceived as a 'super-server' for a larger number of small services like ftp, telnet, daytime, chargen, etc, which historically used to run on most *nix machines. This way only one process has to listen on a number of ports and start the server processes on demand, instead of having lots of processes sitting idle, waiting for connections.

inetd is absolutely not meant to drive high-volume services like http, and will likewise deliver poor performance, when used for such services.



			
twilight said:


> As I don't have any access to the server, I just can speculate, but maybe somebody could tell me, which logfiles to look at to maybe get an answer? I will get my hands on the server tonight as I am going back "home".



/var/log/messages would be a good start to look at. And of course the specific logfiles of the services that have died.


----------



## twilight (Dec 13, 2009)

thanks man, from MacOS and Linux I thought of something like /var/log/system.log or so. But messages was my first point to look at.

Since I had the same symptoms before (i.e. sshd did not come up e.g.) I thought it died. But it did not.

Something happened, because when I came back the server was power-less. Somebody turned off the power switch OR we had a power outage. Anyhow, when it booted up, I looked into /var/log/messages, and it really seems like just somebody switched off the power or so. When pressing the power button, it shuts down properly, but the log did not say anything about a shutdown, instead saying today around the time I turned it back on: unclean unmounted volumes.

So... not FreeBSD's (or my configs) fault here ;-)

Gotta talk to all the people that could have done this ;-)

Thanks guys, you are awesome and with your help and the handbook and my knowledge from Gentoo and MacOS it seems I am finally a happy FreeBSD-User ;-)


----------



## twilight (Dec 14, 2009)

yep, power outage :-(


----------



## sixtydoses (Dec 14, 2009)

chalbersma said:
			
		

> Q2) Jails are nice but I would suggest not using them. Not because the security isn't there but just because the jails seem like it would be too much of a hassle to warrant the added security. Esp if you're just running a web server / print server.  I gen use jails to test out software that doesn't yet have a port like monkey web server. It has a port but the latest and greatest is still in devel so when I wanted to test that out I used a jail.



Our opinions vary, but IMHO running a web server is a good reason to use jail.


----------

