FreeBSD¶
- jail
- FreeBSDのコードリポジトリ https://reviews.freebsd.org/diffusion/
- ↑で使われてるPhabricatorについて https://qiita.com/yamori813/items/009a7c1dac6fe35c84eb
Sambaの転送速度がやけに遅い¶
オフロード機能が悪い時
ifconfig igb0 -tso4 -tso6 -rxcsum -txcsum -rxcsum6 -txcsum6
ifconfig igb1 -tso4 -tso6 -rxcsum -txcsum -rxcsum6 -txcsum6
FreeBSD as Router¶
Unbound¶
最初から入っている /usr/sbin/local-unbound を使用する。
- 起動:
/etc/rc.d/local_unbound start - 設定ファイル:
/etc/unbound/ - デフォルトパス:
/var/unbound- ログファイルも
/var/unbound/var/log/にある
- ログファイルも
- キャッシュダンプ:
/usr/sbin/local-unbound-control dump_cache - インフラキャッシュダンプ:
/usr/sbin/local-unbound-control dump_infra
カーネル管理¶
freebsd-kernel でユーザーランドのバージョン確認。-k を付けるとカーネルバージョン。
% freebsd-version
11.4-RELEASE-p3
% freebsd-version -k
11.4-RELEASE-p3
パッチのみの適用¶
# freebsd-update fetch
# freebsd-update install
バージョンアップ¶
# freebsd-update -r 12.0-RELEASE
# freebsd-update install
# reboot
# freebsd-update install
ユーザー操作¶
su - してrootになるには wheel グループに所属する必要がある
adduser ${USER}
pw groupadd ${GROUP}
pw groupmod wheel -m ${USER}
pw groupshow wheel
pw userdell ${USER}
sudo¶
入ってないので入れる。
pkg install sudo
visudo を叩いてwheelグループのどちらかコメントアウトを外す。
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
CPUの温度表示¶
# kldload coretemp
# sysctl dev.cpu | grep temperature
dev.cpu.7.temperature: 34.0C
dev.cpu.5.temperature: 33.0C
dev.cpu.3.temperature: 36.0C
dev.cpu.1.temperature: 35.0C
dev.cpu.6.temperature: 34.0C
dev.cpu.4.temperature: 33.0C
dev.cpu.2.temperature: 35.0C
dev.cpu.0.temperature: 35.0C
/boot/loader.conf に coretemp_load="YES" を追記。
Network¶
route¶
route -6 del default
route -6 add default fe80::1%igb0
lagg¶
/etc/rc.conf に以下のように書いて service netif restart する。
# lagg0 (igb0 + igb1)
ifconfig_igb0="up"
ifconfig_igb1="up"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto loadbalance laggport igb0 laggport igb1 mtu 9000"
ifconfig_lagg0_alias0="inet 192.168.1.3 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
ifconfig_lagg0_ipv6="inet6 2001:db8:1:2::3/64"
ipv6_defaultrouter="fe80::1%lagg0"
パッケージ管理¶
pkg: パッケージ管理コマンド
# pkg update
# pkg upgrade
ics-dhcp-server¶
# pkg install isc-dhcp44-server
...
Message from isc-dhcp44-server-4.4.2_1:
--
**** To setup dhcpd, please edit /usr/local/etc/dhcpd.conf.
**** This port installs the dhcp daemon, but doesn't invoke dhcpd by default.
If you want to invoke dhcpd at startup, add these lines to /etc/rc.conf:
dhcpd_enable="YES" # dhcpd enabled?
dhcpd_flags="-q" # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf" # configuration file
dhcpd_ifaces="" # ethernet interface(s)
dhcpd_withumask="022" # file creation mask
**** If compiled with paranoia support (the default), the following rc.conf
options are also supported:
dhcpd_chuser_enable="YES" # runs w/o privileges?
dhcpd_withuser="dhcpd" # user name to run as
dhcpd_withgroup="dhcpd" # group name to run as
dhcpd_chroot_enable="YES" # runs chrooted?
dhcpd_devfs_enable="YES" # use devfs if available?
dhcpd_rootdir="/var/db/dhcpd" # directory to run in
dhcpd_includedir="<some_dir>" # directory with config-
files to include
**** WARNING: never edit the chrooted or jailed dhcpd.conf file but
/usr/local/etc/dhcpd.conf instead which is always copied where
needed upon startup.
openldap-server¶
# pkg install openldap-server
...
Message from openldap-client-2.4.57:
--
The OpenLDAP client package has been successfully installed.
Edit
/usr/local/etc/openldap/ldap.conf
to change the system-wide client defaults.
Try `man ldap.conf' and visit the OpenLDAP FAQ-O-Matic at
http://www.OpenLDAP.org/faq/index.cgi?file=3
for more information.
=====
Message from openldap-server-2.4.57:
--
The OpenLDAP server package has been successfully installed.
In order to run the LDAP server, you need to edit
/usr/local/etc/openldap/slapd.conf
to suit your needs and add the following lines to /etc/rc.conf:
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
Then start the server with
/usr/local/etc/rc.d/slapd start
or reboot.
Try `man slapd' and the online manual at
http://www.OpenLDAP.org/doc/
for more information.
slapd runs under a non-privileged user id (by default `ldap'),
see /usr/local/etc/rc.d/slapd for more information.
samba.schemaの取得
# cd /usr/local/etc/openldap
# fetch -o schema/samba.schema 'https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/LDAP/samba.schema'
samba4¶
# pkg install samba413
...
=====
Message from bash-completion-2.11,2:
--
To enable the bash completion library, add the following to
your .bashrc file:
[[ $PS1 && -f /usr/local/share/bash-completion/bash_completion.sh ]] && \
source /usr/local/share/bash-completion/bash_completion.sh
See /usr/local/share/doc/bash-completion/README.md for more information.
=====
Message from ca_root_nss-3.58:
--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
* /etc/ssl/cert.pem
* /usr/local/etc/ssl/cert.pem
* /usr/local/openssl/cert.pem
=====
Message from trousers-0.3.14_3:
--
To run tcsd automatically, add the following line to /etc/rc.conf:
tcsd_enable="YES"
You might want to edit /usr/local/etc/tcsd.conf to reflect your setup.
If you want to use tcsd with software TPM emulator, use the following
configuration in /etc/rc.conf:
tcsd_enable="YES"
tcsd_mode="emulator"
tpmd_enable="YES"
To use TPM, add your_account to '_tss' group like following:
# pw groupmod _tss -m your_account
=====
Message from libinotify-20180201_2:
--
Libinotify functionality on FreeBSD is missing support for
- detecting a file being moved into or out of a directory within the
same filesystem
- certain modifications to a symbolic link (rather than the
file it points to.)
in addition to the known limitations on all platforms using kqueue(2)
where various open and close notifications are unimplemented.
This means the following regression tests will fail:
Directory notifications:
IN_MOVED_FROM
IN_MOVED_TO
Open/close notifications:
IN_OPEN
IN_CLOSE_NOWRITE
IN_CLOSE_WRITE
Symbolic Link notifications:
IN_DONT_FOLLOW
IN_ATTRIB
IN_MOVE_SELF
IN_DELETE_SELF
Kernel patches to address the missing directory and symbolic link
notifications are available from:
https://github.com/libinotify-kqueue/libinotify-kqueue/tree/master/patches
You might want to consider increasing the kern.maxfiles tunable if you plan
to use this library for applications that need to monitor activity of a lot
of files.
=====
Message from gamin-0.1.10_10:
--
Gamin will only provide realtime notification of changes for at most n files,
where n is the minimum value between (kern.maxfiles * 0.7) and
(kern.maxfilesperproc - 200). Beyond that limit, files will be polled.
If you often open several large folders with Nautilus, you might want to
increase the kern.maxfiles tunable (you do not need to set
kern.maxfilesperproc, since it is computed at boot time from kern.maxfiles).
The behavior of gamin can be controlled via the various gaminrc files.
See http://www.gnome.org/~veillard/gamin/config.html on how to create
these files. In particular, if you find gam_server is taking up too much
CPU time polling for changes, something like the following may help
in one of the gaminrc files:
# reduce polling frequency to once per 10 seconds
# for UFS file systems in order to lower CPU load
fsset ufs poll 10
--
===> NOTICE:
The gamin port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:
https://bugs.freebsd.org/bugzilla
More information about port maintainership is available at:
https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
=====
Message from samba413-4.13.1_1:
--
How to start: http://wiki.samba.org/index.php/Samba4/HOWTO
* Your configuration is: /usr/local/etc/smb4.conf
* All the relevant databases are under: /var/db/samba4
* All the logs are under: /var/log/samba4
* Provisioning script is: /usr/local/bin/samba-tool
For additional documentation check: http://wiki.samba.org/index.php/Samba4
Bug reports should go to the: https://bugzilla.samba.org/
pam_ldap & nss_ldap¶
# pkg install pam_ldap nss_ldap
...
=====
Message from pam_ldap-186:
--
Edit /usr/local/etc/ldap.conf in order to use this module. Then
create a /usr/local/etc/pam.d/ldap with a line similar to the following:
login auth sufficient /usr/local/lib/pam_ldap.so
=====
Message from nss_ldap-1.265_13:
--
The nss_ldap module expects to find its configuration files at the
following paths:
LDAP configuration: /usr/local/etc/nss_ldap.conf
LDAP secret (optional): /usr/local/etc/nss_ldap.secret
zfs¶
壊れた時にUSBスティックから起動して zpool import -f したい時というのはたまにある。
# -f: 強制
# -R: マウントポイント
zpool import -fR /mnt ${pool_name}
同名のpool名がある場合はimport出来ないので -t で別名を与える。
# zpool import -fR /mnt zroot
cannot import 'zroot': a pool with that name already exists
use the form 'zpool import [-t] <pool | id> <newpool>' to give it a new temporary or permanent name
# zpool import -fR /mnt -t zroot zroot_11R4
zpoolのバックアップを別のマウントポイントにとりあえず展開したい場合。
# -r: 再帰的にバックアップを取る
zfs snapshot -r zroot_bk@snapYYYYMMDD
# -R: 子孫も含めてファイルに書き出す
zfs send -vR zroot_bk@snapYYYYMMDD > YYYYMMDD_zroot_backup
# バックアップ受信用のマウントポイントを作る
zfs create -o mountpoint=/backup zroot/backup
# バックアップファイルを展開する
# -u: receive後にマウントしない
zfs receive -uvdF zroot/backup < YYYYMMDD_zroot_backup
# この時点ではマウントされていないことを確認
zfs mount
# マウント先の変更
zfs list | grep backup
zfs set mountpoint=/backup/ zroot/backup/ROOT/default
zfs set mountpoint=/backup/tmp zroot/backup/tmp
zfs set mountpoint=/backup/usr zroot/backup/usr
zfs set mountpoint=/backup/usr/home zroot/backup/usr/home
zfs set mountpoint=/backup/usr/ports zroot/backup/usr/ports
zfs set mountpoint=/backup/usr/src zroot/backup/usr/src
zfs set mountpoint=/backup/var zroot/backup/var
zfs set mountpoint=/backup/var/crash zroot/backup/var/crash
zfs set mountpoint=/backup/var/log zroot/backup/var/log
zfs set mountpoint=/backup/var/mail zroot/backup/var/mail
zfs set mountpoint=/backup/var/tmp zroot/backup/var/tmp
# マウント
zfs mount -a
zpool upgrade 2020/10/20¶
# freebsd-version
11.4-RELEASE-p3
# freebsd-version -k
11.4-RELEASE-p3
# zpool status
pool: lib_02
state: ONLINE
status: Some supported features are not enabled on the pool. The pool can
still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
the pool may no longer be accessible by software that does not support
the features. See zpool-features(7) for details.
scan: resilvered 3.84T in 0 days 16:43:11 with 0 errors on Thu Oct 19 13:01:57 2017
config:
NAME STATE READ WRITE CKSUM
lib_02 ONLINE 0 0 0
raidz2-0 ONLINE 0 0 0
da5 ONLINE 0 0 0
da0 ONLINE 0 0 0
da3 ONLINE 0 0 0
da2 ONLINE 0 0 0
da1 ONLINE 0 0 0
da4 ONLINE 0 0 0
errors: No known data errors
pool: zroot
state: ONLINE
status: Some supported features are not enabled on the pool. The pool can
still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
the pool may no longer be accessible by software that does not support
the features. See zpool-features(7) for details.
scan: scrub repaired 0 in 0 days 00:00:33 with 0 errors on Sun Mar 3 01:52:49 2019
config:
NAME STATE READ WRITE CKSUM
zroot ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
gpt/zfs0 ONLINE 0 0 0
gpt/zfs1 ONLINE 0 0 0
errors: No known data errors
# zpool upgrade lib_02
This system supports ZFS pool feature flags.
Enabled the following features on 'lib_02':
sha512
skein
device_removal
obsolete_counts
zpool_checkpoint
spacemap_v2
# zpool upgrade zroot
This system supports ZFS pool feature flags.
Enabled the following features on 'zroot':
sha512
skein
device_removal
obsolete_counts
zpool_checkpoint
spacemap_v2
If you boot from pool 'zroot', don't forget to update boot code.
Assuming you use GPT partitioning and da0 is your boot disk
the following command will do it:
gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da0
# gpart show
=> 34 125045357 ada0 GPT (60G)
34 1024 1 freebsd-boot (512K)
1058 4194304 2 freebsd-swap (2.0G)
4195362 120850029 3 freebsd-zfs (58G)
=> 34 125045357 ada1 GPT (60G)
34 1024 1 freebsd-boot (512K)
1058 4194304 2 freebsd-swap (2.0G)
4195362 120850029 3 freebsd-zfs (58G)
# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0
partcode written to ada0p1
bootcode written to ada0
# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada1
partcode written to ada1p1
bootcode written to ada1
# zpool status
pool: lib_02
state: ONLINE
scan: resilvered 3.84T in 0 days 16:43:11 with 0 errors on Thu Oct 19 13:01:57 2017
config:
NAME STATE READ WRITE CKSUM
lib_02 ONLINE 0 0 0
raidz2-0 ONLINE 0 0 0
da5 ONLINE 0 0 0
da0 ONLINE 0 0 0
da3 ONLINE 0 0 0
da2 ONLINE 0 0 0
da1 ONLINE 0 0 0
da4 ONLINE 0 0 0
errors: No known data errors
pool: zroot
state: ONLINE
scan: scrub repaired 0 in 0 days 00:00:33 with 0 errors on Sun Mar 3 01:52:49 2019
config:
NAME STATE READ WRITE CKSUM
zroot ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
gpt/zfs0 ONLINE 0 0 0
gpt/zfs1 ONLINE 0 0 0
errors: No known data errors
Memo¶
- FreeBSD でログインシェルを変更
- unboundのDNSSEC対応
- https://dnssec.vs.uni-due.de/
drill sigok.verteiltesysteme.net @127.0.0.1=>;; ->>HEADER<<- opcode: QUERY, rcode: NOERRORdrill sigfail.verteiltesysteme.net @127.0.0.1=>;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL
- unboundのKSKロールオーバー
最終更新日: 2023-02-11 03:57:07