MOD server & FreeBSD (FreeBSD Day Taiwan)
MOD server and FreeBSD
Kevin Lo, MSI Funtoro
The FreeBSD project
The beginning ...
Why choose FreeBSD
It was chosen by accident
Apart from that, there are a couple of good reasons
Why choose FreeBSD, cont.
● The community is always willing to help out
● The ports tree contains a large collection of 3rd party software
● Service initialization is simple: rc.conf(5)
● Creating a customized memstick/iso is easy: release(7)
● The BSD license, high performance network, stable, etc.
Architecture
[Figure: MOD server bus architecture, from http://www.funtoroeurope.com/files/clankove/struktura-bus.jpg]
development(7)
Based on -CURRENT; see Benno Rice's talk on keeping current:
https://goo.gl/C5tWYa
Building a memstick/iso on bhyve(4)
Making root file system read only
● /etc/fstab:
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/gpt/rootfs   /           ufs     ro       1     1
● /etc/rc.conf:
hostid_enable="NO"
sendmail_enable="NONE"
syslogd_enable="NO"
dumpdev="NO"
root_rw_mount="NO"
update_motd="NO"
Making root file system read only, cont.
● A few things which need to be taken care of when root is read-only:
3rd party applications such as MySQL
/etc/localtime, /etc/resolv.conf
/var/db/pkg
For example, you might add a line to /etc/rc.d/var that symlinks a writable directory to /var/db/pkg
Managing services boot order
Services can be skipped at boot time because the affected services cannot access resources that have not been started yet
Control services boot order with rcorder(8)
# rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
...
/etc/rc.d/moused
rcorder: requirement `usbd' in file `/usr/local/etc/rc.d/hald' has no providers.
/usr/local/etc/rc.d/hald
...
Multicast TFTP server (atftpd)
Clients need to download an image of the kernel through TFTP
Unfortunately atftpd only built on Linux machines
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522192
Ported to FreeBSD (r262417)
Issues and solutions in our deployment
File systems
Networking
File systems
FUSE
MSDOSFS
NTFS
UFS2
EXT2FS
TMPFS
FUSE
FUSE is SLOW
MSDOSFS
Lack of Unicode support
Added Unicode support to MSDOSFS, SMBFS, and NTFS (r227650, r228023)
Cannot export a msdosfs file system bigger than 128GB with NFS
Doesn't change ctime and mtime
NTFS
Lack of write support
GSoC 2012 project "NTFS for FreeBSD" was based on Apple's implementation
Removed NTFS kernel support (r241636, r247665)
Possible solution: Tuxera NTFS kernel driver
UFS2
In rw mode, softupdates + journaling = corruption?!
We disable journaling on all our UFS2 devices and in addition use this:
background_fsck="NO"
fsck_y_enable="YES"
There's no open source utility that can read and write to UFS(2) partitions in Windows
EXT2FS
Lack of journaling and EXT4 write support
Open source utilities (Ext2Fsd, Ext2IFS) are available for Windows that
allow both reading and writing EXT2/3/4 partitions
TMPFS
Could not be exported over NFS
Quick fix for adding NFS export support to TMPFS (r230208);
plus a bug fixed by jh:
allow update mounts only for certain options (r234346)
Networking
NICs
rpcbind(8)
Firewalls
NICs: em(4)
Works well without known weird behavior and has produced good performance over a gigabit wire
The datasheet is available
The client was unable to mount NFS share over UDP
Fixed by yongari (r214441)
Incorrect Rx checksum handling when testing VLC's UDP-Lite (r264212) streaming mode
Corrections to the RX checksum code (r249509)
NICs: re(4)
Fails at high traffic; stress test with ftp/axel
re0: watchdog timeout
re0: link state changed to DOWN
Use the vendor driver with minor modifications, but it has one drawback: it doesn't use miibus(4)
The datasheet is not available
rpcbind(8)
rpcbind can be abused by remote attackers for RPC amplification attacks (DDoS)
Prevent rpcbind from listening on all interfaces for UDP and TCP connections
rpcbind_flags="-h 192.168.1.1"
nfs_server_flags="-h 192.168.1.1"
mountd_flags="-h 192.168.1.1"
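As an added example (not from the talk), a small sh audit that checks an rc.conf for the three settings above, flagging any of rpcbind, nfsd or mountd that is not restricted to one address with -h. The sample rc.conf is constructed for the demonstration; nfs_server_flags deliberately lacks -h so the check has something to report.

```shell
#!/bin/sh
# Constructed sample rc.conf (not a real host's configuration).
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
hostname="modserver"
rpcbind_enable="YES"
rpcbind_flags="-h 192.168.1.1"
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"
mountd_enable="YES"
mountd_flags="-r -h 192.168.1.1"
EOF

# rc_flags_have_bind FILE VAR
# Prints VAR's value (last assignment wins, as in sh) and returns 0 when
# the value carries a "-h <address>" option, 1 otherwise.
rc_flags_have_bind() {
    file=$1; var=$2
    val=$(sed -n "s/^[[:space:]]*${var}=//p" "$file" | tail -n 1 \
          | sed 's/^"\(.*\)"$/\1/')
    printf '%s=%s\n' "$var" "$val"
    case " $val " in
        *" -h "[0-9a-fA-F:.]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_rc_conf FILE
# Warns on each rpc-related service still listening on all interfaces;
# the return value is the number of such services (0 means all bound).
audit_rc_conf() {
    missing=0
    for v in rpcbind_flags nfs_server_flags mountd_flags; do
        if ! rc_flags_have_bind "$1" "$v" >/dev/null; then
            echo "WARNING: $v does not restrict the listening address with -h" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

audit_rc_conf "$SAMPLE_RC" || echo "$? service(s) need attention"
```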
Firewalls: ipfw(4) & pf(4)
Kernel panic with pf kept happening
Locking issue; fixed in r226938
Switching to ipfw makes me/us happy
Support the FreeBSD project
https://www.freebsdfoundation.org/donate/