Yes, I know, FreeBSD 10 is out; I am even one of the authors of the announcement on LinuxFr. But when I started migrating my server, 9.2 was still the stable release, and with jails and ports I prefer to stay away from non-stable versions…
Since my personal server is not critical (I can afford a day of downtime), I change its operating system fairly often, looking for the rare gem or simply to learn new things. Currently my server is used only for Jabber and e-mail, but in the long term I would like to bring my blog (web) hosting back onto it. However, I want the mail part and the web part isolated from each other for security. There are several ways to do this:
Use 2 servers: energy-hungry and takes more space.
Use Linux + KVM (virtualization): incompatible with my server (32-bit Atom).
Use Linux + LXC or OpenVZ: I have already explored LXC; I want something else.
Use FreeBSD + jails: yes!
Compilation vs binary packages
Although my server is underpowered, I chose to compile the ports myself. Why? Simply because the binary packages are too basic and do not include the options I need. Example: for the web server, I needed FPM support for PHP. The only way to get it is to compile the php55 port yourself with FPM enabled; the official binary package has no FPM.
The host is FreeBSD 9.2 i386 installed directly on the hardware, with two roles: host for the jails and DNS server (named). For now it is only a cache; we will see later whether zones need to be declared. named ships with the base system, so nothing special is needed: enable it in rc.conf and comment out the small line in /var/named/etc/namedb/named.conf that tells it to listen on 127.0.0.1 only. To manage my jails I use ezjail, a tool by Slacker that not only makes everything easy to manage but also generates a template with dynamic mounts.
root@TARDIS:~ # jls
   JID  IP Address      Hostname                      Path
     1  192.168.0.4     xmpp                          /usr/jails/xmpp
     2  192.168.0.3     www                           /usr/jails/www
     3  192.168.0.2     mail                          /usr/jails/mail
So that every new jail uses the right DNS server, edit /usr/jails/newjail/etc/resolv.conf and add the appropriate IP.
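A quick way to confirm the resolv.conf step actually took effect in every jail, as an added example that is not part of the original post: walk the ezjail root and report any jail whose /etc/resolv.conf does not list the host's nameserver. The host address 192.168.0.1 is an assumption (the post only shows the jails' addresses), as is the /usr/jails layout.

```shell
#!/bin/sh
# Added example, not from the post: verify that every jail under an ezjail
# root resolves through the host's named instance, i.e. that each
# <jail>/etc/resolv.conf contains exactly the expected "nameserver" line.
# Assumed: the host's jail-facing address is 192.168.0.1 and the jails live
# under /usr/jails as ezjail lays them out.

# check_jail_resolv <jail_root> <dns_ip>
# Prints one line per jail and returns the number of jails that are not
# pointed at <dns_ip> (0 means all good, so it can gate a cron job).
check_jail_resolv() {
    jail_root=$1
    dns_ip=$2
    bad=0
    for jail_dir in "$jail_root"/*/; do
        name=$(basename "$jail_dir")
        # basejail is the shared read-only tree and flavours holds snippets;
        # neither has a resolv.conf of its own. newjail (the template) is
        # checked like a real jail, since new jails are copied from it.
        case "$name" in basejail|flavours) continue ;; esac
        resolv="$jail_dir/etc/resolv.conf"
        if [ ! -f "$resolv" ]; then
            echo "MISSING $name: no etc/resolv.conf"
            bad=$((bad + 1))
        elif grep -qxF "nameserver $dns_ip" "$resolv"; then
            echo "OK      $name -> $dns_ip"
        else
            echo "WRONG   $name: $(grep '^nameserver' "$resolv" | tr '\n' ' ')"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# usage: sh check-resolv.sh /usr/jails 192.168.0.1
if [ -n "${2:-}" ]; then
    check_jail_resolv "$1" "$2"
fi
```

The return code is the count of misconfigured jails, so `check_jail_resolv /usr/jails 192.168.0.1 || mail -s "jail DNS drift" root` from cron is enough to get told when a jail has silently drifted to another resolver.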
The mail jail is meant to receive, store and send e-mail. I use a sqlite backend, set up by following this very thorough tutorial (slightly adapted to use sqlite instead of mysql). Start by installing dovecot2 with sqlite support enabled. Then install Postfix, also with sqlite support, plus Dovecot SASL authentication. I wanted my mail server to handle several domains, hence my choice of a more complex structure with an SQL backend.
When an e-mail is received, Postfix handles it and checks in the sqlite database whether the domain exists. If so, it hands the message to Dovecot, which stores it in the appropriate location. When a user wants to send mail, they submit it to Postfix (submission, port 587), which asks Dovecot whether the user is authenticated. All exchanges are secured with STARTTLS.
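The configuration that implements this flow, written as an added example rather than the post's own files: Postfix looks the recipient domain and mailbox up in sqlite, hands accepted mail to Dovecot, delegates SASL to Dovecot's auth socket, and only accepts authenticated, TLS-protected clients on port 587. The sqlite schema (tables "domains" and "users"), the database path, the certificate paths and the LMTP hand-off to Dovecot are assumptions; the script writes under a directory you pass so it can be dry-run outside the jail.

```shell
#!/bin/sh
# Added example, not the post's configuration: the Postfix and Dovecot
# settings that implement the receive/store/submit flow described above.
# Files are written under "$1" (use /usr/local/etc on the FreeBSD jail; a
# scratch directory works for a dry run). Assumed, not from the post: the
# sqlite schema (tables "domains" and "users"), /var/db/mail/mail.db, the
# certificate paths, and delivery to Dovecot over LMTP.

write_mail_config() {
    prefix=$1
    mkdir -p "$prefix/postfix" "$prefix/dovecot"

    # Receipt, step 1: is the recipient domain one we host? (sqlite_table(5))
    cat > "$prefix/postfix/sqlite-virtual-domains.cf" <<'EOF'
dbpath = /var/db/mail/mail.db
query = SELECT 1 FROM domains WHERE name = '%s'
EOF
    # Receipt, step 2: does the mailbox exist?
    cat > "$prefix/postfix/sqlite-virtual-mailboxes.cf" <<'EOF'
dbpath = /var/db/mail/mail.db
query = SELECT 1 FROM users WHERE email = '%s'
EOF
    cat > "$prefix/postfix/main.cf" <<'EOF'
# domains and mailboxes come from sqlite, not from local unix accounts
virtual_mailbox_domains = sqlite:/usr/local/etc/postfix/sqlite-virtual-domains.cf
virtual_mailbox_maps = sqlite:/usr/local/etc/postfix/sqlite-virtual-mailboxes.cf
# accepted mail is handed to Dovecot, which stores it
virtual_transport = lmtp:unix:private/dovecot-lmtp
# sender authentication is delegated to Dovecot's auth socket
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# STARTTLS offered on port 25; submission requires it (see master.cf)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /usr/local/etc/ssl/mail.crt
smtpd_tls_key_file = /usr/local/etc/ssl/mail.key
# only local networks and authenticated users may relay outbound
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
EOF
    # port 587: TLS mandatory, SASL mandatory, nothing else accepted
    cat > "$prefix/postfix/master.cf" <<'EOF'
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
    # Dovecot: the same sqlite file answers password and mailbox lookups
    cat > "$prefix/dovecot/dovecot-sql.conf.ext" <<'EOF'
driver = sqlite
connect = /var/db/mail/mail.db
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email AS user, password FROM users WHERE email = '%u'
user_query = SELECT '/var/mail/vhosts/%d/%n' AS home, 'vmail' AS uid, 'vmail' AS gid FROM users WHERE email = '%u'
EOF
    # Dovecot: TLS-only logins, SQL passdb/userdb, and the two sockets
    # Postfix connects to (auth for SASL, LMTP for delivery)
    cat > "$prefix/dovecot/local.conf" <<'EOF'
ssl = required
auth_mechanisms = plain login
passdb {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
EOF
}

# usage: sh mailcfg.sh /usr/local/etc
if [ -n "${1:-}" ]; then
    write_mail_config "$1"
fi
```

The two restriction lines are the ones that matter for an Internet-facing box: reject_unauth_destination on port 25 stops the server from becoming an open relay, and the submission service refuses any client that has not authenticated over TLS, so credentials never cross the wire in clear.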
The www jail is meant to act as a web server. For the PHP install, compile php55 with FPM support, plus php55-extensions, which provides session support, gd (required by PluXml), and others if needed.
It is to this jail that my blog (maniatux.fr) will soon be moved back. The contact e-mail address will be routed to the previous jail (mail) since, as I said, it can handle multiple domains. PluXml being very lightweight and database-free, the server should cope.
The xmpp jail is meant to be the Jabber server. Once again I use Prosody, which I paired with sqlite for account storage (I do not like the flat-file storage in /var/lib/prosody that is used by default). Setting it up was rather painful because, on error, Prosody refuses to start but does not say why. I had to specify a location for the logs and set proper permissions on it (chown -R prosody:wheel) to get debug output. It turned out it could not write its pid file. To use sqlite you must install the luadbi port with sqlite enabled. After a bit of a fight, it works.
root@TARDIS:~ # df -h
Filesystem            Size    Used   Avail Capacity  Mounted on
/dev/ada0p2           140G    2.5G    126G     2%    /
devfs                 1.0k    1.0k      0B   100%    /dev
devfs                 1.0k    1.0k      0B   100%    /var/named/dev
/usr/jails/basejail   140G    2.5G    126G     2%    /usr/jails/xmpp/basejail
devfs                 1.0k    1.0k      0B   100%    /usr/jails/xmpp/dev
fdescfs               1.0k    1.0k      0B   100%    /usr/jails/xmpp/dev/fd
procfs                4.0k    4.0k      0B   100%    /usr/jails/xmpp/proc
/usr/jails/basejail   140G    2.5G    126G     2%    /usr/jails/www/basejail
devfs                 1.0k    1.0k      0B   100%    /usr/jails/www/dev
fdescfs               1.0k    1.0k      0B   100%    /usr/jails/www/dev/fd
procfs                4.0k    4.0k      0B   100%    /usr/jails/www/proc
/usr/jails/basejail   140G    2.5G    126G     2%    /usr/jails/mail/basejail
devfs                 1.0k    1.0k      0B   100%    /usr/jails/mail/dev
fdescfs               1.0k    1.0k      0B   100%    /usr/jails/mail/dev/fd
procfs                4.0k    4.0k      0B   100%    /usr/jails/mail/proc
Disk space used is 2.5 GB, and that includes the base system, the template and the ports tree. Quite reasonable. Now the CPU and memory load:
last pid: 12938;  load averages:  0.00,  0.00,  0.00    up 0+22:54:08  13:14:23
48 processes:  1 running, 47 sleeping
CPU:  1.1% user,  0.0% nice,  1.5% system,  0.2% interrupt, 97.2% idle
Mem: 55M Active, 216M Inact, 113M Wired, 69M Buf, 589M Free
Swap: 4096M Total, 4096M Free
In short, even with 3 "VPS" the system is barely loaded: 55 MB of active memory and about 3% CPU.
For monitoring I simply use logwatch. It is a script that generates a report and e-mails it regularly: disk space, SSH logins, and failed attempts to access certain services. Logwatch can be installed from /usr/ports/sysutils/logwatch. Then set Output = mail in logwatch.conf and add a cron entry (@daily /usr/local/sbin/logwatch.pl).
You can install logwatch either on the host only, or on each jail. I chose the second option for more detail.
On the mail server, Postfix is used to send the report. On the other jails, however, I left sendmail in place. Edit /etc/mail/freebsd.mc and add:
define(`SMART_HOST', `192.168.0.2')
Save, then run:
m4 /etc/mail/freebsd.mc > /etc/mail/freebsd.cf
Sendmail will then use our relay. No need to enable it in rc.conf, because in this case it does not run as a daemon.
For backups people talk a lot about bacula or rsync. In my case I chose something simpler, because 1) bacula is suited to large infrastructures with multiple servers and dedicated storage, and 2) rsync requires a remote storage target, which I do not have (my NAS does not run 24/7). So I just wrote a simple sh script 🙂
#!/bin/sh
# Run by cron on the 1st of each month at midnight. "date -v-1d" is
# yesterday, i.e. the last day of the previous month, so %B-%Y names
# the archive after the month being backed up.
# /etc (configuration) and /home (data) are the two trees kept, as
# described below.
tar -zcvf "/root/backup-$(date -v-1d +%B-%Y).tar.gz" \
    /etc /home
The script runs on the 1st of the month at midnight, and its file name shows the (preceding) month. So a backup run on February 1, 2014 will be named January-2014.tar.gz if all goes well.
I have no databases, so there is no need to stop the jail before the backup. I back up /etc, which holds the configuration, and /home, which holds the data. Nothing else is needed.
Note: ezjail-admin can archive jails, but I do not use it because of two major drawbacks: 1) it saves everything, including the ports tree, which is slow and useless; 2) it requires stopping the jail, and I did not want downtime at every backup; this is not Windows Server.
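The same idea run from the host for all jails at once, as an added example that is not the post's script: archive only etc and home of each jail (the ports tree and base system are skipped, and no jail is stopped), name the tarball after the previous month, and verify each archive can be read back before reporting success. The month is computed from a YYYY-MM string in plain arithmetic so the function behaves identically on FreeBSD and GNU userlands (the post uses FreeBSD's date -v); the /usr/jails layout and the destination directory are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: back up /etc and /home of every
# ezjail jail from the host, live, into one tarball per jail named after
# the previous month, and verify each archive. Assumed: jails live under
# /usr/jails as ezjail lays them out; the destination is any local directory.

# prev_month YYYY-MM  ->  Month-YYYY of the preceding month
# (e.g. 2014-02 -> January-2014; January wraps to December of the year before)
prev_month() {
    year=${1%-*}
    month=${1#*-}
    month=${month#0}               # "08" would be read as octal otherwise
    if [ "$month" -eq 1 ]; then
        month=12
        year=$((year - 1))
    else
        month=$((month - 1))
    fi
    set -- January February March April May June July August September October November December
    shift $((month - 1))
    echo "$1-$year"
}

# backup_jails <jail_root> <dest_dir> <YYYY-MM of the run date>
# Writes <dest_dir>/<jail>-<Month-Year>.tar.gz per jail, skipping ezjail's
# basejail, flavours and newjail directories, and lists each archive back as
# an integrity check. Returns the number of jails that failed.
backup_jails() {
    jail_root=$1
    dest=$2
    label=$(prev_month "$3")
    failed=0
    mkdir -p "$dest"
    for jail_dir in "$jail_root"/*/; do
        jail=$(basename "$jail_dir")
        case "$jail" in basejail|flavours|newjail) continue ;; esac
        archive="$dest/$jail-$label.tar.gz"
        # -C keeps paths relative to the jail root; only etc and home are
        # taken, as in the post (no ports tree, no base system)
        if tar -czf "$archive" -C "$jail_dir" etc home 2>/dev/null \
           && tar -tzf "$archive" >/dev/null 2>&1; then
            echo "OK   $jail -> $archive"
        else
            echo "FAIL $jail"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# usage from a monthly cron entry on the host:
#   backup_jails /usr/jails /root/backups "$(date +%Y-%m)"
if [ -n "${3:-}" ]; then
    backup_jails "$1" "$2" "$3"
fi
```

Because the function returns the number of failed jails, a cron line such as `backup_jails /usr/jails /root/backups "$(date +%Y-%m)" || mail -s "jail backup failed" root` reports the problem instead of silently leaving a truncated archive behind.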
FreeBSD is a dream to work with; it is very powerful, and ezjail-admin is the tool that made me take the plunge. You manage your jails with disconcerting ease. I deliberately stayed vague in this article, because the goal was to share my experience, not to write a tutorial, which would have been far too long anyway. If you embark on the adventure and would like my configuration files or some explanations, don't hesitate!