Sockets and nullfs: works now in -current

I just updated to a recent -current and tried the new nullfs. Sockets (e.g. the MySQL one) work now with nullfs. No need to have e.g. jails on the same FS and hardlink the socket to avoid using TCP in MySQL (or an IP at all for the jail).

Great work!


X11 in a jail with NVidia hardware

Just before Christmas I decided I would spend the “immense” amount of 40 EUR on a graphics card for a system which was without one. The system is supposed to replace my dying home server. I already moved everything, except my Desktop-in-a-Jail (actually it is my home-cinema jail).

The old system had a Radeon 9200SE, and it was enough for what I used it for. Now… for a few bucks you can get a lot more horsepower today. After looking around a little bit I decided to buy an NVidia card. I made this decision because it looks like I can get better driver support for it. So I got a GeForce GT 520 with 1 GB of RAM (I doubt I will be able to use that much RAM) and without a fan.

With the Radeon 9200SE I was not able to get the 3D stuff activated (at least in the jail, I did not try without): Xorg complains about a missing agpgart module, but I have AGP in the kernel (there is no /dev/agpgart outside the jail). I did not spend time investigating this, as the main purpose – playing movies – worked. Now with the NVidia card I decided to give the 3D part a try again.

After adding the NVidia device entries to the jail, and a little bit of fighting with the Xorg-HAL interaction, I got a working desktop. The biggest problem in verifying that 3D is working was that I did not have xdriinfo installed. After installing it, I noticed that it does not work with the NVidia driver. :-( Next stop nvidia-settings: runs great, displays a nice FreeBSD+NVidia logo, and … tells me that OpenGL is configured. Hmmm… OK, but I want to see it!

As I decided to switch from Gnome to KDE 4 at the same time (I was using KDE when it was at v0.x, switched to Gnome as it looked nicer to me, and now I switch back after reading all the stuff on the net that KDE 4 is “better” than Gnome 3), I did not really know how to see the 3D stuff in action. So I quickly went to the settings and searched for something which looks like it may use 3D. To my surprise, it was already using 3D stuff. Nice. I fully realized how nice when playing a video and using Alt-Tab to switch windows: the video was playing at full speed, scaled down in the window-switcher thumbnail view.

That was too easy. I am happy about it.

Now that I have a working setup of X11-in-a-jail for Radeon and GeForce cards, I want to clean up my changes to the kernel and the config files (devfs.rules) and have a look at getting this committed. A big part of this work is probably writing documentation (most probably in the wiki).

I still want to see some fancy 3D stuff now. I tried to install x11-clocks/glclock, but the build fails with an undefined reference to 'glPolygonOffsetEXT'. :-( Any recommendation for a fancy 3D display? My priority is on “fancy/nice” with as little violence as possible. Most probably I will look at it once and then deinstall it again, so it should be available in the Ports Collection (or included in KDE 4).

How I set up a Jail-Host

Everyone has his own way of setting up a machine to serve as a host of multiple jails. Here is my way, YMMV.

Initial FreeBSD install

I use several harddisks in a software-RAID setup. It does not matter much if you set them up with one big partition or with several partitions, feel free to follow your preferences here. My way of partitioning the harddisks is described in a previous post. That post only shows the commands to split the harddisks into two partitions and use ZFS for the rootfs. The commands to initialize the ZFS data partition are not described, but you should be able to figure it out yourself (and you can decide on your own what kind of RAID level you want to use). For this FS I set atime, exec and setuid to off in the ZFS options.

On the ZFS data partition I create a new dataset for the system. For this dataset I set atime, exec and setuid to off in the ZFS options. Inside this dataset I create datasets for /home, /usr/compat, /usr/local, /usr/obj, /usr/ports, /usr/src, /usr/sup and /var/ports. There are two ways of doing this. One way is to set the ZFS mountpoint. The way I prefer is to set relative symlinks to it, e.g. “cd /usr; ln -s ../data/system/usr_obj obj”. I do this because this way I can temporarily import the pool on another machine (e.g. my desktop, if the need arises) without fear of interfering with the system. The ZFS options are set as follows:

ZFS options for data/system/*

data/system/home exec on
data/system/usr_compat exec on
data/system/usr_compat setuid on
data/system/usr_local exec on
data/system/usr_local setuid on
data/system/usr_obj exec on
data/system/usr_ports exec on
data/system/usr_ports setuid on
data/system/usr_src exec on
data/system/usr_sup secondarycache none
data/system/var_ports exec on

The exec option for home is not necessary if you keep separate datasets for each user. Normally I keep separate datasets for home directories, but Jail-Hosts should not have users (except the admins, but they should not keep data in their homes), so I just create a single home dataset. The setuid option for usr_ports should not be necessary if you redirect the build directory of the ports to a different place (WRKDIRPREFIX in /etc/make.conf).
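To make the dataset layout above reproducible, here is an added example (my own script, not from the original post) that prints the zfs(8) and ln(1) commands for the data/system tree as a dry run you can review before piping into sh. The pool name, the dataset names and the per-dataset property overrides are taken from the table above; the assumption is that the data pool is mounted at /data and that the script runs on the host as root when applied.

```shell
#!/bin/sh
# Added example, not from the original post: print the zfs(8) and ln(1)
# commands that build the data/system layout described above, as a reviewable
# dry run. Pool and dataset names follow the post; per-dataset property
# overrides mirror the post's table of ZFS options. Assumes /data is the
# mountpoint of the data pool.

SYSTEM_DS="data/system"   # parent dataset: atime, exec and setuid off

# One entry per child dataset: <name> <mount target> <property overrides>.
# Constructed from the table in the post.
DATASETS='
home /home exec=on
usr_compat /usr/compat exec=on,setuid=on
usr_local /usr/local exec=on,setuid=on
usr_obj /usr/obj exec=on
usr_ports /usr/ports exec=on,setuid=on
usr_src /usr/src exec=on
usr_sup /usr/sup secondarycache=none
var_ports /var/ports exec=on
'

# Turn "a=b,c=d" into " -o a=b -o c=d"; everything not listed is inherited
# from the parent, so only the overrides are passed explicitly.
props_to_opts() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r kv; do
        if [ -n "$kv" ]; then printf ' -o %s' "$kv"; fi
    done
}

# Command creating one child dataset with its overrides.
create_cmd() {
    printf 'zfs create%s %s/%s\n' "$(props_to_opts "$2")" "$SYSTEM_DS" "$1"
}

# Command creating the relative symlink for one mount target, e.g.
#   cd /usr && ln -s ../data/system/usr_obj obj
# No ZFS mountpoint is set on the children, so importing the pool on another
# machine only mounts them below /data/system and never over that machine's
# /usr/* directories. One "../" is added per directory level below /.
symlink_cmd() {
    dir=$(dirname "$2"); base=$(basename "$2"); up=""; d="$dir"
    while [ "$d" != "/" ]; do up="../$up"; d=$(dirname "$d"); done
    printf 'cd %s && ln -s %s%s/%s %s\n' "$dir" "$up" "$SYSTEM_DS" "$1" "$base"
}

# Whole plan: parent first, then every child plus its symlink.
plan() {
    printf 'zfs create -o atime=off -o exec=off -o setuid=off %s\n' "$SYSTEM_DS"
    printf '%s\n' "$DATASETS" | while read -r name target overrides; do
        if [ -n "$name" ]; then
            create_cmd "$name" "$overrides"
            symlink_cmd "$name" "$target"
        fi
    done
}

# Review with "sh layout.sh", apply with "sh layout.sh | sh" on the host.
plan
```

The parent gets atime/exec/setuid off and the children only override what the table lists, so a dataset you add later (say for another build area) starts out non-executable unless you say otherwise, which is the safer default for a jail host.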

Installing ports

The ports I install by default are net/rsync, ports-mgmt/portaudit, ports-mgmt/portmaster, shells/zsh, sysutils/bsdstats, sysutils/ezjail, sysutils/smartmontools and sysutils/tmux.

Basic setup

In the crontab of root I set up a job to do a portsnap update once a day (I pick a random number between 0 and 59 for the minute, but keep a fixed hour). I also have http_proxy specified in /etc/profile, so that all machines in this network do not download everything from far away again and again, but can get the data from the local caching proxy. As a little watchdog I have a little @reboot rule in the crontab, which notifies me when a machine reboots:

@reboot grep "kernel boot file is" /var/log/messages | mail -s "`hostname` rebooted" root >/dev/null 2>&1

This does not replace a real monitoring solution, but in cases where real monitoring is overkill it provides a nice HEADS-UP (and shows you directly which kernel is loaded in case a non-default one is used).

Some default aliases I use everywhere are:

alias portmlist="portmaster -L | egrep -B1 '(ew|ort) version|Aborting|installed|dependencies|IGNORE|marked|Reason:|MOVED|deleted|exist|update' | grep -v '^ - '"
alias portmclean="portmaster -t --clean-distfiles --clean-packages"
alias portmcheck="portmaster -y --check-depends"

Additional devfs rules for Jails

I need to give access to some specific devices in some jails. For this I need to set up a custom /etc/devfs.rules file. The file contains some ID numbers which need to be unique in the system. On a 9-current system the numbers one to four are already used (see /etc/defaults/devfs.rules). The next available number is obviously five then. First I present my devfs.rules entries, then I explain them:

add path 'audio*' unhide
add path 'dsp*' unhide
add path midistat unhide
add path 'mixer*' unhide
add path 'music*' unhide
add path 'sequencer*' unhide
add path sndstat unhide
add path speaker unhide

add path 'lpt*' unhide
add path 'ulpt*' unhide user 193 group 193
add path 'unlpt*' unhide user 193 group 193

add path zfs unhide

add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_printers
add include $devfsrules_unhide_zfs

add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zfs

The devfsrules_unhide_XXX ones give access to specific devices, e.g. all the sound related devices or to local printers. The devfsrules_jail_XXX ones combine all the unhide rules for specific jail setups. Unfortunately the include directive is not recursive, so we can not include the default devfsrules_jail profile and need to replicate its contents. The first three includes of each devfsrules_jail_XXX accomplish this. The unhide_zfs rule gives access to /dev/zfs, which is needed if you attach one or more ZFS datasets to a jail. I will explain how to use those profiles with ezjail in a follow-up post.
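Two of the pitfalls just mentioned (ruleset IDs must be unique and must not reuse the defaults' one to four, and include is not recursive) are silent: nothing complains when you get them wrong, the jail simply ends up with more or fewer devices than intended. Here is an added example (my own script, not part of the post) that checks a devfs.rules text for exactly these mistakes. The ruleset names and numbers in the sample are assumptions constructed for the example; only the four default names from /etc/defaults/devfs.rules are real.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a devfs.rules file
# before using it. The kernel does not warn about two rulesets sharing an ID,
# about reusing the default IDs 1-4, or about including a ruleset name that is
# never defined. Ruleset names/numbers below are assumptions for this example.

# Constructed sample in the post's style: unhide_* rulesets and jail_*
# rulesets composed from them. It deliberately contains four mistakes.
SAMPLE_RULES=$(cat <<'EOF'
[devfsrules_unhide_audio=5]
add path 'audio*' unhide
add path 'dsp*' unhide
add path sndstat unhide

[devfsrules_unhide_printers=6]
add path 'lpt*' unhide
add path 'ulpt*' unhide user 193 group 193

[devfsrules_unhide_zfs=7]
add path zfs unhide

[devfsrules_jail_audio=8]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_audio
add include $devfsrules_unhide_zfs

[devfsrules_jail_zfs=8]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zfs

[devfsrules_jail_printer=4]
add include $devfsrules_jail
add include $devfsrules_unhide_printers
add include $devfsrules_unhide_usb
EOF
)

# A clean variant of the same idea, used to show the "no findings" case.
CLEAN_RULES=$(cat <<'EOF'
[devfsrules_unhide_zfs=5]
add path zfs unhide

[devfsrules_jail_zfs=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zfs
EOF
)

# Print one line per problem found in the rules text given as $1.
# The four rulesets of /etc/defaults/devfs.rules (IDs 1-4 on 9-current) are
# known names and their ID range is reserved; devfsrules_jail itself
# consists of includes, so including it loses those (include is not recursive).
check_devfs_rules() {
    printf '%s\n' "$1" | awk -v reserved_max=4 '
    BEGIN {
        known["devfsrules_hide_all"] = 1; known["devfsrules_unhide_basic"] = 1
        known["devfsrules_unhide_login"] = 1; known["devfsrules_jail"] = 1
        has_includes["devfsrules_jail"] = 1
    }
    /^\[[A-Za-z0-9_]+=[0-9]+\]$/ {
        s = substr($0, 2, length($0) - 2); split(s, kv, "=")
        name = kv[1]; id = kv[2] + 0; defined[name] = 1
        if (id <= reserved_max)
            printf "%s: id %d collides with the defaults (1-%d)\n", name, id, reserved_max
        else if (id in seen)
            printf "%s: id %d already used by %s\n", name, id, seen[id]
        else
            seen[id] = name
        next
    }
    /^add include \$/ {
        n++; inc[n] = substr($3, 2); where[n] = name; has_includes[name] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            t = inc[i]
            if (!(t in defined) && !(t in known))
                printf "%s: includes undefined ruleset %s\n", where[i], t
            else if (t in has_includes)
                printf "%s: include is not recursive, so $%s contributes none of its own includes\n", where[i], t
        }
    }'
}

# Exit-status form for scripts: 0 if the file is clean, 1 otherwise.
devfs_rules_ok() {
    [ -z "$(check_devfs_rules "$1")" ]
}

# Usage on a real host: check_devfs_rules "$(cat /etc/devfs.rules)"
check_devfs_rules "$SAMPLE_RULES"
```

Run against the sample it reports the reused ID 8, the collision with default ID 4, the undefined devfsrules_unhide_usb and the pointless include of devfsrules_jail; run against the clean variant it prints nothing. Forward references are fine, since undefined names are only reported after the whole file has been read.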

Jails setup

I use ezjail to manage jails; it is more comfortable than doing it by hand while at the same time allowing me to do some things by hand. My jails normally reside inside ZFS datasets, for this reason I have set up a special area (ZFS dataset data/jails) which is handled by ezjail. The corresponding ezjail.conf settings are:


I also disabled procfs and fdescfs in jails (but they can be enabled later for specific jails if necessary).

Unfortunately ezjail (as of v3.1) sets the mountpoint of a newly created dataset even if it is not necessary. For this reason I always issue a “zfs inherit mountpoint” on the dataset after creating a jail. This simplifies the case where you want to move/rename a dataset and want the mountpoint to automatically follow the change.

The access flags of the /data/jails directory are 700; this prevents local users (there should be none, but better safe than sorry) from getting access to files of users in jails with the same UID.

After the first create/update of the ezjail basejail, the ZFS options of basejail (data/jails/basejail) and newjail (data/jails/newjail) need to be changed. For both, exec and setuid should be changed to “on”. The same needs to be done for each new jail after creating it (before starting it).
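Since these two fixups (exec/setuid back to on, mountpoint inherited instead of locally set) are easy to forget for the n-th jail, here is an added example (my own script, not from the post) that audits the output of zfs get for the jail tree and prints the corrective commands instead of running them. The sample zfs get output is constructed; the jail names in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the jail datasets for the
# two things the post fixes by hand after ezjail creates them (exec/setuid
# back to "on", and a locally set mountpoint that should be inherited), and
# print the corrective zfs(8) commands instead of applying them.
#
# Input is the output of
#   zfs get -H -o name,property,value,source exec,setuid,mountpoint -r data/jails
# (tab separated, one property per line).

JAILS_DS="data/jails"

# Constructed sample of such output: basejail is fine, newjail still has the
# inherited exec/setuid=off, and the (assumed) jail "www" has the mountpoint
# that ezjail set locally.
SAMPLE_ZFS_GET=$(printf '%s\t%s\t%s\t%s\n' \
    data/jails exec off local \
    data/jails setuid off local \
    data/jails mountpoint /data/jails local \
    data/jails/basejail exec on local \
    data/jails/basejail setuid on local \
    data/jails/basejail mountpoint /data/jails/basejail 'inherited from data/jails' \
    data/jails/newjail exec off 'inherited from data/jails' \
    data/jails/newjail setuid off 'inherited from data/jails' \
    data/jails/newjail mountpoint /data/jails/newjail 'inherited from data/jails' \
    data/jails/www exec on local \
    data/jails/www setuid on local \
    data/jails/www mountpoint /data/jails/www local)

# $1 = zfs get output, $2 = parent dataset. The parent itself is skipped: its
# exec/setuid=off and its local mountpoint are intended. For every child, emit
# the zfs command that brings it to the state described in the post.
jail_dataset_fixes() {
    printf '%s\n' "$1" | awk -F '\t' -v parent="$2" '
    $1 == parent || NF < 4 { next }
    $2 == "exec"       && $3 != "on"    { printf "zfs set exec=on %s\n", $1 }
    $2 == "setuid"     && $3 != "on"    { printf "zfs set setuid=on %s\n", $1 }
    $2 == "mountpoint" && $4 == "local" { printf "zfs inherit mountpoint %s\n", $1 }'
}

# On a real host (review first, then pipe into sh as root):
#   jail_dataset_fixes "$(zfs get -H -o name,property,value,source \
#       exec,setuid,mountpoint -r data/jails)" data/jails
jail_dataset_fixes "$SAMPLE_ZFS_GET" "$JAILS_DS"
```

Only children are touched, because exec/setuid off and a local mountpoint are exactly what the data/jails parent is supposed to have; the check keys on the source column, so a mountpoint that is already inherited is left alone.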

The default ezjail flavour

In my default ezjail flavour I create some default user(s) with a base-system shell (via /data/jails/flavours/mydef/ezjail.flavour) before the package install, and change the shell to my preferred zsh afterwards (this is only valid if the jails are used only by in-house people; if you want to offer lightweight virtual machines to (unknown) customers, the default user(s) and shell(s) are obviously up for discussion). At the end I also run a “/usr/local/sbin/portmaster -y --check-depends” to make sure everything is in a sane state.

For the packages (/data/jails/flavours/mydef/pkg/) I add symlinks to the unversioned packages I want to install. I have the packages in a common directory (think about setting PACKAGES in make.conf and using PACKAGES/Latest/XYZ.tbz), so they can be shared between various flavours, and they are unversioned so that I do not have to update the version number each time there is an update. The packages I install by default are bsdstats, portaudit, portmaster, zsh, tmux and all their dependencies.

In case you use jails to virtualize services and consolidate servers (e.g. DNS, HTTP, MySQL each in a separate jail) instead of providing lightweight virtual machines to (unknown) customers, there is also a benefit in sharing the distfiles and packages between jails on the same machine. To do this I create /data/jails/flavours/mydef/shared/ports/{distfiles,packages}, which are then mounted via nullfs or NFS into all the jails from a common directory. This requires the following variables in /data/jails/flavours/mydef/etc/make.conf (I also keep the packages for different CPU types and compilers in the same subtree; if you do not care, just remove the “/${CC}/${CPUTYPE}” from the PACKAGES line):

DISTDIR=  /shared/ports/distfiles
PACKAGES= /shared/ports/packages/${CC}/${CPUTYPE}

New jails

A future post will cover how I set up new jails in such a setup and how I customize the start order of jails or use some non-default settings for the jail startup.

All internal services migrated to IPv6

In the last days I migrated all my internal services to IPv6.

All my jails have an IPv4 and an IPv6 address now. All Apaches (I have one for my picture gallery, one for webmail, and one for internal management) now listen on the internal IPv6 address too. Squid is updated from 2.x to 3.1 (the most recent version in the Ports Collection) and I added some IPv6 ACLs. The internal Postfix is configured to handle IPv6 too (it is delivering everything via an authenticated and encrypted channel to a machine with a static IPv4 address for final delivery). My MySQL does not need an IPv6 address, as it is only listening to requests via IPC (the socket is hardlinked between jails). All ssh daemons are configured to listen on IPv6 too. The IMAP and CUPS servers were picking up the new IPv6 addresses automatically. I also updated Samba to handle IPv6, but due to the lack of a Windows machine which prefers IPv6 over IPv4 for CIFS access (at least I think my Windows XP netbook only tries IPv4 connections) I cannot really test this.

Only my Wii is a little bit behind, and I have not checked if my Sony TV will DTRT (but for this I first have to get some time to have a look if I have to update my DD-WRT firmware on the little WLAN router which is “extending the cable” from the TV to the internal network, and I have to look at how to configure IPv6 with DD-WRT).

IPv6 in my LAN

After enabling IPv6 in my WLAN router, I also enabled IPv6 in my FreeBSD systems. I have to say that the IPv6 chapter in the FreeBSD handbook does not contain as much information as I would like to have about this.

Configuring the interfaces of my two 9-current systems to also carry a specific IPv6 address (an easy one from the ULA I use) was easy after reading the man page for rc.conf. After a little bit of experimenting it came down to:

ifconfig_rl0_ipv6="inet6 ::2:1 prefixlen 64 accept_rtadv"
ipv6_defaultrouter="<router address>"

Apart from this address (I chose it because the IPv4 address ends in “.2”; this way I can add some easy to remember addresses for this machine if needed), I also have two automatically configured addresses. One is with the same ULA and a not so easy to remember suffix (constructed from the MAC address), and one is from the official prefix the router constructed out of the official IPv4 address from the ISP (plus the same suffix as the other one).

Additionally I also have all my jails on this machine with an IPv6 address now (yes, they are like “…:2:100”, with the :100 because the IPv4 address ends in “.100”). Still TODO is the conversion of all the services in the jails to also listen on the IPv6 address.

I already changed the config of my internal DNS to have the IPv6 addresses for all systems and to listen on the IPv6 address (when I add an IPv6 network to allow-query/allow-query-cache/allow-recursion, bind does not want to start). And as I was there, I also enabled DNSSEC verification (but I get a lot of error messages in the logs: “unable to convert errno to isc_result: 42: Protocol not available”; one search result which talks exactly about this error says it is a “cosmetic error”…).

I noticed that an IPv6 ping between two physical machines takes a little bit more time than an IPv4 ping (no IPsec enabled). It surprised me that this is such a noticeable difference (not within the std-dev at all):

--- m87.Leidinger.net ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.168/0.193/0.220/0.017 ms

--- m87.Leidinger.net ping6 statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.207/0.325/0.370/0.047 ms

The information I miss in the IPv6 chapter of the FreeBSD handbook is what those other IPv6 related services are and when/how to configure them. I have an idea now what radvd is, but I am not sure what the interaction is with the accept_rtadv setting for ifconfig (and I do not think I need it, as my WLAN router seems to do it already). I know that I get the IPv6-friendly network neighborhood displayed with ndp(8). I did not have a look at enabling IPv6 multicast support in FreeBSD, and I do not know what those other IPv6 options for rc.conf do.