From 1baf94c686767eea75c551e1ae12c9acfb4fb98c Mon Sep 17 00:00:00 2001 From: Ben Burwell Date: Mon, 5 Aug 2019 23:39:28 -0400 Subject: Move FreeBSD posts to blog --- _posts/2018-09-17-freebsd-prologue.md | 80 +++++++++ _posts/2018-09-20-freebsd-jails.md | 79 +++++++++ ...2018-10-13-freebsd-jail-networking-continued.md | 24 +++ freebsd.md | 178 --------------------- index.md | 18 ++- 5 files changed, 197 insertions(+), 182 deletions(-) create mode 100644 _posts/2018-09-17-freebsd-prologue.md create mode 100644 _posts/2018-09-20-freebsd-jails.md create mode 100644 _posts/2018-10-13-freebsd-jail-networking-continued.md delete mode 100644 freebsd.md diff --git a/_posts/2018-09-17-freebsd-prologue.md b/_posts/2018-09-17-freebsd-prologue.md new file mode 100644 index 0000000..d31104d --- /dev/null +++ b/_posts/2018-09-17-freebsd-prologue.md @@ -0,0 +1,80 @@ +--- +title: Notes on setting up a FreeBSD home server +redirect_from: /freebsd.html +--- + +A few months ago, I purchased a beefy second-hand tower to act as a home server. +I was looking to bring some of the services that I was previously outsourcing +into a single location, and to expand my familiarity with networking and systems +administration. Specifically, I wanted to: + +- Replace the small DigitalOcean box that I was using as a VPN/proxy when I + needed to use public WiFi +- Stop paying for a GitHub subscription to host private repositories +- Have a better home media and file sharing/backup solution +- Host a Minecraft server (nothing too serious, I occasionally play with a few + friends) +- Have a stable home for various VMs that I spin up as part of my security lab + (I've been playing around with pen testing and trying to learn more about + Windows as a part of this). + + + +My initial solution was to install a free version of VMWare ESXi as a hypervisor +and create several virtual machines. It was actually quite easy to get ESXi up +and running and start creating VMs. For the past several months, my home network +has been completely routed through the server (it has dual Ethernet, so I'm +using pfSense in a VM as my firewall/NAT/DHCP/etc), and I've spun up several VMs +(mostly Ubuntu) for things like Gitlab and Minecraft. + +However, there are a few things that I don't quite like. I did have an incident +following a power outage after my free trial of ESXi had expired but before I +inputted my free license key in the UI. This resulted in my pfSense VM not +auto-booting and due to some poor configuration on my part, I was unable to +access the ESXi web UI to enter the license key without resetting the network +settings through the ESXi console. This brings me to my second gripe: the ESXi +web UI is _very_ buggy and overall pretty awful to use. Certain pages have to be +reloaded to work properly, dialogs are randomly empty, etc. Thirdly, I've found +myself creating a "general purpose" VM that I can SSH into remotely. While +there's nothing explicitly _wrong_ with this, it just doesn't feel quite right +to me to have a general purpose server that is completely parallel to my other +server VMs. + +As a result of these shortcomings and learnings, I have decided to embark upon a +journey towards further simplification and reliability. I'll be replacing ESXi +with FreeBSD, a rock-solid operating system. Rather than running a utility VM, +I'll simply have the FreeBSD system on the server itself as a "base of +operations." + +I plan to learn more about and use several tools during this process. Currently, +I only have one 2 TB drive installed. I plan to add a second one and use zfs to +create a mirrored vdev pool for redundancy. This will make me feel a lot better +about using my server as a backup destination. Of course, this in itself is not +a complete backup solution, but it's a significant step forward from just +relying on a single disk. Rather than running pfSense in a VM, I plan to just +use the ISC DHCP server from the ports collection and use the built-in `pf` +firewall to accomplish just about everything I was using pfSense for. I'll +likely also end up running a BIND DNS server for a few local network things. + +I am still learning about jails in FreeBSD, but I think they could replace a few +of the VMs I have currently, such as the Minecraft and GitLab servers. I plan to +use bhyve to run things like Windows VMs for pen testing that jails are clearly +not suited for. + +I've used FreeBSD as my desktop OS in the past, and really love how it feels +compared with GNU/Linux. Everything just seems more straightforward, and I was +surprised to find that things like graphics drivers Just Work™ under +FreeBSD where they require a lot of ugly finagling under Linux. I'm quite +looking forward to using FreeBSD more often frequently, and gaining more depth +in some of its great tools like jails and pf. + +To start making the transition (which might be a little painful), I've installed +a fresh copy of FreeBSD 11.2 on a currently-unused machine to start poking +around with zfs configurations, jails, and bhyve. This will give me the +foundation I need to effectively set up my top-level environment and hopefully +get it mostly right the first time. Incidentally, I'm also about half way +through reading [The Book of PF](https://nostarch.com/pf3) from No Starch Press, +which will no doubt be helpful in my transition from pfSense to pure pf. + +I intend to update this page with notes as I continue on my FreeBSD journey. +Stay tuned! diff --git a/_posts/2018-09-20-freebsd-jails.md b/_posts/2018-09-20-freebsd-jails.md new file mode 100644 index 0000000..ad860de --- /dev/null +++ b/_posts/2018-09-20-freebsd-jails.md @@ -0,0 +1,79 @@ +--- +title: "FreeBSD Experiment 1: Jails" +--- + +In my preparations for removing ESXi, I tried creating a simple jail on my test +box `helios`. As part of my purpose is to learn as much as possible, I decided +against using a tool like `ezjail` in favor of doing it "by hand." While the +FreeBSD Handbook has some information on creating jails without using additional +tools, pretty much every other document I found suggested using ezjail. There's +a chance I'll revisit ezjail in the future, as it seems to have some helpful +features like having a "base jail" so you only need one copy of the FreeBSD base +system, but for now I'd like to do as much as possible without additional tools. + + + +My goal for this experiment was to set up a simple web server (nginx) inside a +jail. To start, I edited `/etc/jail.conf` to contain the following: + +``` +www { + host.hostname = www.local; + ip4.addr = 10.0.2.202; + path = "/usr/jail/www"; + exec.start = "/bin/sh /etc/rc"; + exec.stop = "/bin/sh /etc/rc.shutdown"; +} +``` + +Next, I used `bsdinstall(8)` to install the base system instead of compiling +from source: + +``` +root@helios:~ # bsdinstall jail /usr/jail/www +``` + +I then added `jail_enable="YES"` to `/etc/rc.conf` and started the jail: + +``` +root@helios:~ # service jail start www +``` + +This took a few seconds to complete, and then the jail showed up when I ran +`jls`: + +``` +root@helios:~ # jls + JID IP Address Hostname Path + 1 10.0.2.202 www.local /usr/jail/www +``` + +I was able to enter the jail: + +``` +root@helios:~ # jexec www /bin/sh +# +``` + +But I seem not to have Internet connectivity, as attempting to use `pkg-ng` +fails: + +``` +# pkg install nginx +The package management tool is not yet installed on your system. +Do you want to fetch and install it now? [y/N]: y +Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait... +pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Non-recoverable resolver failure +A pre-built version of pkg could not be found for your system. +Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'. +``` + +Running `ifconfig` inside the jail shows that I do not seem to have an IP +address, nor can I seem to communicate with any hosts. Interestingly when I +attempt to ping my gateway, I get the message: + +``` +ping: ssend socket: Operation not permitted +``` + +Clearly there's something I've not yet figured out. diff --git a/_posts/2018-10-13-freebsd-jail-networking-continued.md b/_posts/2018-10-13-freebsd-jail-networking-continued.md new file mode 100644 index 0000000..9653410 --- /dev/null +++ b/_posts/2018-10-13-freebsd-jail-networking-continued.md @@ -0,0 +1,24 @@ +--- +title: FreeBSD Jail Networking Continued +--- + +I decided to take another crack at the jail configuration I started in +[Experiment 1]({% post_url 2018-09-20-freebsd-jails %}). After reading bits and +pieces of a few random websites (including various ServerFault posts), on an +inkling I added the line `interface = "bge0";` to my `/etc/jail.conf` file and +ran `service jail restart www` (`bge0` is my LAN interface on the host). After +`jexec`ing in, I tried `pkg install nginx` again and it worked like a charm! + + + +I also noticed that when I run `ifconfig` on my host now, both the original +10.0.2.201 and the jail's 10.0.2.202 addresses had been added to the `bge0` +interface. I wondered whether that meant that I could now SSH into the host +using the jail's IP address. So on my laptop, I ran `ssh bb@10.0.2.202` and lo +and behold, it worked. The opposite, however, is _not_ true: loading +http://10.0.2.201 in a web browser does not give me the beautiful "welcome to +nginx" page that http://10.0.2.202 has. + +I'm sure some trickier stuff will arise when dealing with NAT and multiple +interfaces, but for now I'm satisfied that I have a basic understanding of how +to set up a service in a jail and expose it to the network. diff --git a/freebsd.md b/freebsd.md deleted file mode 100644 index 7ba8995..0000000 --- a/freebsd.md +++ /dev/null @@ -1,178 +0,0 @@ ---- -title: Notes on setting up a FreeBSD home server ---- - -# Notes on setting up a FreeBSD home server - -## 2018-09-17: Prologue - -A few months ago, I purchased a beefy second-hand tower to act as a home server. -I was looking to bring some of the services that I was previously outsourcing -into a single location, and to expand my familiarity with networking and systems -administration. Specifically, I wanted to: - -- Replace the small DigitalOcean box that I was using as a VPN/proxy when I - needed to use public WiFi -- Stop paying for a GitHub subscription to host private repositories -- Have a better home media and file sharing/backup solution -- Host a Minecraft server (nothing too serious, I occasionally play with a few - friends) -- Have a stable home for various VMs that I spin up as part of my security lab - (I've been playing around with pen testing and trying to learn more about - Windows as a part of this). - -My initial solution was to install a free version of VMWare ESXi as a hypervisor -and create several virtual machines. It was actually quite easy to get ESXi up -and running and start creating VMs. For the past several months, my home network -has been completely routed through the server (it has dual Ethernet, so I'm -using pfSense in a VM as my firewall/NAT/DHCP/etc), and I've spun up several VMs -(mostly Ubuntu) for things like Gitlab and Minecraft. - -However, there are a few things that I don't quite like. I did have an incident -following a power outage after my free trial of ESXi had expired but before I -inputted my free license key in the UI. This resulted in my pfSense VM not -auto-booting and due to some poor configuration on my part, I was unable to -access the ESXi web UI to enter the license key without resetting the network -settings through the ESXi console. This brings me to my second gripe: the ESXi -web UI is _very_ buggy and overall pretty awful to use. Certain pages have to be -reloaded to work properly, dialogs are randomly empty, etc. Thirdly, I've found -myself creating a "general purpose" VM that I can SSH into remotely. While -there's nothing explicitly _wrong_ with this, it just doesn't feel quite right -to me to have a general purpose server that is completely parallel to my other -server VMs. - -As a result of these shortcomings and learnings, I have decided to embark upon a -journey towards further simplification and reliability. I'll be replacing ESXi -with FreeBSD, a rock-solid operating system. Rather than running a utility VM, -I'll simply have the FreeBSD system on the server itself as a "base of -operations." - -I plan to learn more about and use several tools during this process. Currently, -I only have one 2 TB drive installed. I plan to add a second one and use zfs to -create a mirrored vdev pool for redundancy. This will make me feel a lot better -about using my server as a backup destination. Of course, this in itself is not -a complete backup solution, but it's a significant step forward from just -relying on a single disk. Rather than running pfSense in a VM, I plan to just -use the ISC DHCP server from the ports collection and use the built-in `pf` -firewall to accomplish just about everything I was using pfSense for. I'll -likely also end up running a BIND DNS server for a few local network things. - -I am still learning about jails in FreeBSD, but I think they could replace a few -of the VMs I have currently, such as the Minecraft and GitLab servers. I plan to -use bhyve to run things like Windows VMs for pen testing that jails are clearly -not suited for. - -I've used FreeBSD as my desktop OS in the past, and really love how it feels -compared with GNU/Linux. Everything just seems more straightforward, and I was -surprised to find that things like graphics drivers Just Work™ under -FreeBSD where they require a lot of ugly finagling under Linux. I'm quite -looking forward to using FreeBSD more often frequently, and gaining more depth -in some of its great tools like jails and pf. - -To start making the transition (which might be a little painful), I've installed -a fresh copy of FreeBSD 11.2 on a currently-unused machine to start poking -around with zfs configurations, jails, and bhyve. This will give me the -foundation I need to effectively set up my top-level environment and hopefully -get it mostly right the first time. Incidentally, I'm also about half way -through reading [The Book of PF](https://nostarch.com/pf3) from No Starch Press, -which will no doubt be helpful in my transition from pfSense to pure pf. - -I intend to update this page with notes as I continue on my FreeBSD journey. -Stay tuned! - -## 2018-09-20: Experiment 1: Jails - -In my preparations for removing ESXi, I tried creating a simple jail on my test -box `helios`. As part of my purpose is to learn as much as possible, I decided -against using a tool like `ezjail` in favor of doing it "by hand." While the -FreeBSD Handbook has some information on creating jails without using additional -tools, pretty much every other document I found suggested using ezjail. There's -a chance I'll revisit ezjail in the future, as it seems to have some helpful -features like having a "base jail" so you only need one copy of the FreeBSD base -system, but for now I'd like to do as much as possible without additional tools. - -My goal for this experiment was to set up a simple web server (nginx) inside a -jail. To start, I edited `/etc/jail.conf` to contain the following: - -``` -www { - host.hostname = www.local; - ip4.addr = 10.0.2.202; - path = "/usr/jail/www"; - exec.start = "/bin/sh /etc/rc"; - exec.stop = "/bin/sh /etc/rc.shutdown"; -} -``` - -Next, I used `bsdinstall(8)` to install the base system instead of compiling -from source: - -``` -root@helios:~ # bsdinstall jail /usr/jail/www -``` - -I then added `jail_enable="YES"` to `/etc/rc.conf` and started the jail: - -``` -root@helios:~ # service jail start www -``` - -This took a few seconds to complete, and then the jail showed up when I ran -`jls`: - -``` -root@helios:~ # jls - JID IP Address Hostname Path - 1 10.0.2.202 www.local /usr/jail/www -``` - -I was able to enter the jail: - -``` -root@helios:~ # jexec www /bin/sh -# -``` - -But I seem not to have Internet connectivity, as attempting to use `pkg-ng` -fails: - -``` -# pkg install nginx -The package management tool is not yet installed on your system. -Do you want to fetch and install it now? [y/N]: y -Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait... -pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Non-recoverable resolver failure -A pre-built version of pkg could not be found for your system. -Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'. -``` - -Running `ifconfig` inside the jail shows that I do not seem to have an IP -address, nor can I seem to communicate with any hosts. Interestingly when I -attempt to ping my gateway, I get the message: - -``` -ping: ssend socket: Operation not permitted -``` - -Clearly there's something I've not yet figured out. - -## 2018-10-13: Experiment 2: Jail Networking Continued - -I decided to take another crack at the jail configuration I started in -[Experiment 1](#2018-09-20-experiment-1-jails). After reading bits and pieces of -a few random websites (including various ServerFault posts), on an inkling I -added the line `interface = "bge0";` to my `/etc/jail.conf` file and ran -`service jail restart www` (`bge0` is my LAN interface on the host). After -`jexec`ing in, I tried `pkg install nginx` again and it worked like a charm! - -I also noticed that when I run `ifconfig` on my host now, both the original -10.0.2.201 and the jail's 10.0.2.202 addresses had been added to the `bge0` -interface. I wondered whether that meant that I could now SSH into the host -using the jail's IP address. So on my laptop, I ran `ssh bb@10.0.2.202` and lo -and behold, it worked. The opposite, however, is _not_ true: loading -http://10.0.2.201 in a web browser does not give me the beautiful "welcome to -nginx" page that http://10.0.2.202 has. - -I'm sure some trickier stuff will arise when dealing with NAT and multiple -interfaces, but for now I'm satisfied that I have a basic understanding of how -to set up a service in a jail and expose it to the network. diff --git a/index.md b/index.md index 8c35fee..6c2d7e8 100644 --- a/index.md +++ b/index.md @@ -5,7 +5,17 @@ title: Ben Burwell # Ben Burwell -- [blog](/posts/) -- [theatre](/theatre.html) -- [freebsd notes](/freebsd.html) -- mail: anything you'd like @benburwell.com +- [Blog](/posts/) +- [Tech theatre](/theatre.html) +- Email: anything @benburwell.com + +**Around the net…** + +- [GitHub](https://github.com/benburwell) +- [Sourcehut](https://git.sr.ht/~benburwell) + +**Projects** + +- [HowToChooseAPassword.com](https://howtochooseapassword.com) +- [PlateZero](https://platezero.com) +- [MedicMate](https://medicmate.io) -- cgit v1.2.3