This commit is contained in:
Sharad Ahlawat 2021-04-18 01:07:42 -07:00
parent 076c974858
commit 3d64b9b33b
47 changed files with 524 additions and 292 deletions

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
#.gitignore #.gitignore
**/secret/** **/secret/**
**/.acme.sh/** **/.acme.sh/**
current-src.bzip2

View File

@ -28,6 +28,8 @@ kern.geom.label.gptid.enable="0"
# Increase dmesg buffer to fit longer boot output. # Increase dmesg buffer to fit longer boot output.
kern.msgbufsize="524288" kern.msgbufsize="524288"
kern.ipc.maxmbufmem=150608778240
kern.racct.enable=1 kern.racct.enable=1
# ZFS root boot config # ZFS root boot config
@ -96,6 +98,7 @@ vfs.zfs.vdev.cache.size=134217728
vfs.zfs.vdev.cache.max=134217728 vfs.zfs.vdev.cache.max=134217728
# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185487 # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185487
# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210686
# https://forums.freebsd.org/threads/updating-bsd-from-10-to-11-ahci-ssd-issue.59923/ # https://forums.freebsd.org/threads/updating-bsd-from-10-to-11-ahci-ssd-issue.59923/
# https://lists.freebsd.org/pipermail/freebsd-bugs/2013-April/052301.html # https://lists.freebsd.org/pipermail/freebsd-bugs/2013-April/052301.html
# my 8TB's don't support NCQ TRIM # my 8TB's don't support NCQ TRIM

View File

@ -1,2 +0,0 @@
00 08,12,16,20 * * * /root/FreeBSD/scripts/zfs_health.sh
00 2 * * 0 /usr/local/sbin/zfSnap -d -s -S -a 2w -p weekly_ -r zroot ship data base

View File

@ -33,3 +33,23 @@ target iqn.nas.ahlawat.com:f13 {
size 128G size 128G
} }
} }
target iqn.nas.ahlawat.com:f12p {
# auth-group no-authentication
portal-group pg0
chap user secretsecret
lun 0 {
path /dev/zvol/ship/raw/FreeBSD12p
size 128G
}
}
target iqn.nas.ahlawat.com:f13p {
# auth-group no-authentication
portal-group pg0
chap user secretsecret
lun 0 {
path /dev/zvol/ship/raw/FreeBSD13p
size 128G
}
}

View File

@ -13,7 +13,7 @@
# references must include a dollar sign '$' in front of the # references must include a dollar sign '$' in front of the
# name to be expanded properly. # name to be expanded properly.
# #
# $FreeBSD: releng/12.1/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $ # $FreeBSD: releng/12.2/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
# #
# Very basic and secure ruleset: Hide everything. # Very basic and secure ruleset: Hide everything.
@ -87,12 +87,13 @@ add include $devfsrules_unhide_login
add path fuse unhide add path fuse unhide
add path zfs unhide add path zfs unhide
# members of group uucp can access all usb and tty devices
[usbrules=100] [usbrules=100]
add path 'usbctl' mode 660 group uucp add path 'usbctl' mode 660 group uucp
add path 'usb/*' mode 660 group uucp add path 'usb/*' mode 660 group uucp
add path 'ttyU*' mode 660 group uucp add path 'ttyU*' mode 660 group uucp
[serial_usb_rules=1000] [serial_usb_rules=150]
add include $devfsrules_jail add include $devfsrules_jail
add path 'cuau*' unhide add path 'cuau*' unhide
add path 'cuaU*' unhide add path 'cuaU*' unhide
@ -101,7 +102,7 @@ add path 'ttyU*' unhide
add path 'usb*' unhide add path 'usb*' unhide
add path 'usb/*' unhide add path 'usb/*' unhide
[devfs_rules_bhyve_jail=2000] [devfs_rules_bhyve_jail=200]
add include $devfsrules_jail add include $devfsrules_jail
add path vmm unhide add path vmm unhide
add path vmm/* unhide add path vmm/* unhide
@ -111,6 +112,6 @@ add path tap* unhide
add path zvol/ship/raw/* unhide add path zvol/ship/raw/* unhide
add path nmdm* unhide add path nmdm* unhide
[devfs_rules_tun_jail=3000] [devfs_rules_tun_jail=300]
add include $devfsrules_jail add include $devfsrules_jail
add path tun* unhide add path tun* unhide

View File

@ -13,7 +13,7 @@
# For a more detailed explanation of all the periodic.conf variables, please # For a more detailed explanation of all the periodic.conf variables, please
# refer to the periodic.conf(5) manual page. # refer to the periodic.conf(5) manual page.
# #
# $FreeBSD: releng/12.1/usr.sbin/periodic/periodic.conf 337648 2018-08-11 17:11:08Z brd $ # $FreeBSD: releng/12.2/usr.sbin/periodic/periodic.conf 337648 2018-08-11 17:11:08Z brd $
# #
# What files override these defaults ? # What files override these defaults ?

View File

@ -1,3 +1,6 @@
V4: / -network=192.168.10.0 -mask=255.255.255.0
/mnt/ship/pxe/FreeBSD11 -alldirs -maproot=root /mnt/ship/pxe/FreeBSD11 -alldirs -maproot=root
/mnt/ship/pxe/FreeBSD12 -alldirs -maproot=root /mnt/ship/pxe/FreeBSD12 -alldirs -maproot=root
/mnt/ship/pxe/FreeBSD13 -alldirs -maproot=root /mnt/ship/pxe/FreeBSD13 -alldirs -maproot=root
/mnt/ship/pxe/FreeBSD12p -alldirs -maproot=root
/mnt/ship/pxe/FreeBSD13p -alldirs -maproot=root

View File

@ -1,4 +1,4 @@
# $FreeBSD: releng/12.1/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $ # $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# Trusted keyprint. Changing this is a Bad Idea unless you've received # Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to # a PGP-signed email from <security-officer@FreeBSD.org> telling you to

View File

@ -1,11 +1,12 @@
# Device Mountpoint FStype Options Dump Pass# # Device Mountpoint FStype Options Dump Pass#
/dev/ada2p3 none swap sw 0 0 #/dev/zvol/zroot/swapvol none swap sw 0 0
/dev/ada3p3 none swap sw 0 0 #/dev/ada2p3 none swap sw 0 0
#/dev/ada3p3 none swap sw 0 0
#/dev/da0p1 none swap sw 0 0 #/dev/da0p1 none swap sw 0 0
/dev/da1p1 none swap sw 0 0 #/dev/da1p1 none swap sw 0 0
/dev/da2p1 none swap sw 0 0 #/dev/da2p1 none swap sw 0 0
/dev/da3p1 none swap sw 0 0 #/dev/da3p1 none swap sw 0 0
/dev/da4p1 none swap sw 0 0 #/dev/da4p1 none swap sw 0 0
#/dev/da5p1 none swap sw 0 0 #/dev/da5p1 none swap sw 0 0
#/dev/da6p1 none swap sw 0 0 #/dev/da6p1 none swap sw 0 0
#/dev/da7p1 none swap sw 0 0 #/dev/da7p1 none swap sw 0 0

View File

@ -7,7 +7,7 @@
# This file controls resource limits, accounting limits and # This file controls resource limits, accounting limits and
# default user environment settings. # default user environment settings.
# #
# $FreeBSD: releng/12.1/usr.bin/login/login.conf 338399 2018-08-30 15:52:03Z brd $ # $FreeBSD: releng/12.2/usr.bin/login/login.conf 357789 2020-02-12 02:04:03Z kevans $
# #
# Default settings effectively disable resource limits, see the # Default settings effectively disable resource limits, see the
@ -26,7 +26,8 @@ default:\
:passwd_format=sha512:\ :passwd_format=sha512:\
:copyright=/etc/COPYRIGHT:\ :copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\ :welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ :setenv=BLOCKSIZE=K:\
:mail=/var/mail/$:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\ :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
:nologin=/var/run/nologin:\ :nologin=/var/run/nologin:\
:cputime=unlimited:\ :cputime=unlimited:\
@ -63,6 +64,7 @@ xuser:\
staff:\ staff:\
:tc=default: :tc=default:
daemon:\ daemon:\
:mail@:\
:memorylocked=128M:\ :memorylocked=128M:\
:tc=default: :tc=default:
news:\ news:\
@ -123,7 +125,8 @@ russian|Russian Users Accounts:\
#standard:\ #standard:\
# :copyright=/etc/COPYRIGHT:\ # :copyright=/etc/COPYRIGHT:\
# :welcome=/etc/motd:\ # :welcome=/etc/motd:\
# :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ # :setenv=BLOCKSIZE=K:\
# :mail=/var/mail/$:\
# :path=~/bin /bin /usr/bin /usr/local/bin:\ # :path=~/bin /bin /usr/bin /usr/local/bin:\
# :manpath=/usr/share/man /usr/local/man:\ # :manpath=/usr/share/man /usr/local/man:\
# :nologin=/var/run/nologin:\ # :nologin=/var/run/nologin:\

View File

@ -1,5 +1,5 @@
# #
# $FreeBSD: releng/12.1/usr.sbin/ntp/ntpd/ntp.conf 337649 2018-08-11 17:42:42Z brd $ # $FreeBSD: releng/12.2/usr.sbin/ntp/ntpd/ntp.conf 352865 2019-09-29 03:36:50Z cy $
# #
# Default NTP servers for the FreeBSD operating system. # Default NTP servers for the FreeBSD operating system.
# #
@ -103,3 +103,11 @@ restrict ::1
# Use either leapfile in /etc/ntp or periodically updated leapfile in /var/db. # Use either leapfile in /etc/ntp or periodically updated leapfile in /var/db.
#leapfile "/etc/ntp/leap-seconds" #leapfile "/etc/ntp/leap-seconds"
leapfile "/var/db/ntpd.leap-seconds.list" leapfile "/var/db/ntpd.leap-seconds.list"
# Specify the number of megabytes of memory that should be allocated and
# locked. -1 (default) means "do not lock the process into memory".
# 0 means "lock whatever memory the process wants into memory". Any other
# number means to lock up to that number of megabytes into memory.
# 0 may result in a segfault when ASLR with stack gap randomization
# is enabled.
#rlimit memlock 32

View File

@ -1,11 +1,7 @@
# $FreeBSD: releng/12.1/bin/sh/profile 337849 2018-08-15 14:41:24Z brd $ # $FreeBSD: releng/12.2/bin/sh/profile 363525 2020-07-25 11:57:39Z pstef $
# #
# System-wide .profile file for sh(1). # System-wide .profile file for sh(1).
# #
# Uncomment this to give you the default 4.2 behavior, where disk
# information is shown in K-Blocks
# BLOCKSIZE=K; export BLOCKSIZE
#
# For the setting of languages and character sets please see # For the setting of languages and character sets please see
# login.conf(5) and in particular the charset and lang options. # login.conf(5) and in particular the charset and lang options.
# For full locales list check /usr/share/locale/* # For full locales list check /usr/share/locale/*

View File

@ -32,13 +32,13 @@ firewall_logif="YES"
# interfaces # interfaces
cloned_interfaces_sticky="YES" cloned_interfaces_sticky="YES"
cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10" cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10 bridge48"
ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up" ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso" ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso" ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
vlans_lagg0="1 2 5 9 10" vlans_lagg0="1 2 5 9 10 48"
ipv6_activate_all_interfaces="YES" ipv6_activate_all_interfaces="YES"
rtsold_enable="YES" rtsold_enable="YES"
@ -53,12 +53,15 @@ ifconfig_lagg0_9="inet 192.168.200.10/24"
ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv" ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_10="inet 192.168.10.10/24" ifconfig_lagg0_10="inet 192.168.10.10/24"
ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv" ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_48="inet 192.168.48.10/24"
ifconfig_lagg0_48_ipv6="inet6 2001:470:f835::10/64 auto_linklocal accept_rtadv"
ifconfig_bridge1="addm lagg0.1 up" ifconfig_bridge1="addm lagg0.1 up"
ifconfig_bridge2="addm lagg0.2 up" ifconfig_bridge2="addm lagg0.2 up"
ifconfig_bridge5="addm lagg0.5 up" ifconfig_bridge5="addm lagg0.5 up"
ifconfig_bridge9="addm lagg0.9 up" ifconfig_bridge9="addm lagg0.9 up"
ifconfig_bridge10="addm lagg0.10 up" ifconfig_bridge10="addm lagg0.10 up"
ifconfig_bridge48="addm lagg0.48 up"
# adding IP to bridges does not work # adding IP to bridges does not work
#ifconfig_bridge1="inet 192.168.0.10/24" #ifconfig_bridge1="inet 192.168.0.10/24"

View File

@ -1,35 +0,0 @@
portal-group pg0 {
discovery-auth-group no-authentication
listen 0.0.0.0
listen [::]
}
target iqn.nas.ahlawat.com:f11 {
# auth-group no-authentication
portal-group pg0
chap user secretsecret
lun 0 {
path /dev/zvol/ship/raw/FreeBSD11
size 128G
}
}
target iqn.nas.ahlawat.com:f12 {
# auth-group no-authentication
portal-group pg0
chap user secretsecret
lun 0 {
path /dev/zvol/ship/raw/FreeBSD12
size 128G
}
}
target iqn.nas.ahlawat.com:f13 {
# auth-group no-authentication
portal-group pg0
chap user secretsecret
lun 0 {
path /dev/zvol/ship/raw/FreeBSD13
size 128G
}
}

View File

@ -119,6 +119,6 @@
# the -h option and/or read the driver's documentation. # the -h option and/or read the driver's documentation.
[ups] [ups]
driver = usbhid-ups driver = usbhid-ups
port = /dev/ugen0.6 port = /dev/ugen0.7
desc = "" desc = ""
pollonly pollonly

View File

@ -1,30 +0,0 @@
#############################################################################
# Copyright (c) 2010-2014 Balabit
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published
# by the Free Software Foundation, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# As an additional exemption you are allowed to compile & link against the
# OpenSSL libraries as published by the OpenSSL project. See the file
# COPYING for details.
#
#############################################################################
#
# This file is placed into /etc/syslog-ng in order to make it trivial to
# include in user written syslog-ng.conf files. It sets up 'scl-root' and
# `include-path`, then includes all SCL supplied plugins.
#
@include 'scl/*/*.conf'
@define java-module-dir "`module-install-dir`/java-modules"

View File

@ -1,185 +0,0 @@
@version:3.25
@include "scl.conf"
#
# This sample configuration file is essentially equilivent to the stock
# FreeBSD /etc/syslog.conf file.
#
# $FreeBSD: head/sysutils/syslog-ng/files/syslog-ng.conf.sample 340872 2014-01-24 00:14:07Z mat $
#
#
# options
#
options { chain_hostnames(off); flush_lines(0); threaded(yes); };
#
# sources
#
source src { system();
udp(); internal(); };
#
# destinations
#
destination messages { file("/var/log/messages"); };
destination security { file("/var/log/security"); };
destination authlog { file("/var/log/auth.log"); };
destination maillog { file("/var/log/maillog"); };
destination lpd-errs { file("/var/log/lpd-errs"); };
destination xferlog { file("/var/log/xferlog"); };
destination cron { file("/var/log/cron"); };
destination debuglog { file("/var/log/debug.log"); };
destination consolelog { file("/var/log/console.log"); };
destination all { file("/var/log/all.log"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination slip { file("/var/log/slip.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination console { file("/dev/console"); };
destination allusers { usertty("*"); };
#destination loghost { udp("loghost" port(514)); };
#
# log facility filters
#
filter f_auth { facility(auth); };
filter f_authpriv { facility(authpriv); };
filter f_not_authpriv { not facility(authpriv); };
#filter f_console { facility(console); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_ftp { facility(ftp); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_security { facility(security); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
#
# log level filters
#
filter f_emerg { level(emerg); };
filter f_alert { level(alert..emerg); };
filter f_crit { level(crit..emerg); };
filter f_err { level(err..emerg); };
filter f_warning { level(warning..emerg); };
filter f_notice { level(notice..emerg); };
filter f_info { level(info..emerg); };
filter f_debug { level(debug..emerg); };
filter f_is_debug { level(debug); };
#
# program filters
#
filter f_ppp { program("ppp"); };
filter f_slip { program("startslip"); };
#
# *.err;kern.warning;auth.notice;mail.crit /dev/console
#
log { source(src); filter(f_err); destination(console); };
log { source(src); filter(f_kern); filter(f_warning); destination(console); };
log { source(src); filter(f_auth); filter(f_notice); destination(console); };
log { source(src); filter(f_mail); filter(f_crit); destination(console); };
#
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };
#
# security.* /var/log/security
#
log { source(src); filter(f_security); destination(security); };
#
# auth.info;authpriv.info /var/log/auth.log
log { source(src); filter(f_auth); filter(f_info); destination(authlog); };
log { source(src); filter(f_authpriv); filter(f_info); destination(authlog); };
#
# mail.info /var/log/maillog
#
log { source(src); filter(f_mail); filter(f_info); destination(maillog); };
#
# lpr.info /var/log/lpd-errs
#
log { source(src); filter(f_lpr); filter(f_info); destination(lpd-errs); };
#
# ftp.info /var/log/xferlog
#
log { source(src); filter(f_ftp); filter(f_info); destination(xferlog); };
#
# cron.* /var/log/cron
#
log { source(src); filter(f_cron); destination(cron); };
#
# *.=debug /var/log/debug.log
#
log { source(src); filter(f_is_debug); destination(debuglog); };
#
# *.emerg *
#
log { source(src); filter(f_emerg); destination(allusers); };
#
# uncomment this to log all writes to /dev/console to /var/log/console.log
# console.info /var/log/console.log
#
#log { source(src); filter(f_console); filter(f_info); destination(consolelog); };
#
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
# *.* /var/log/all.log
#
#log { source(src); destination(all); };
#
# uncomment this to enable logging to a remote loghost named loghost
# *.* @loghost
#
#log { source(src); destination(loghost); };
#
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
#
#log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
#log { source(src); filter(f_news); filter(f_err); destination(newserr); };
#log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
#
# !startslip
# *.* /var/log/slip.log
#
log { source(src); filter(f_slip); destination(slip); };
#
# !ppp
# *.* /var/log/ppp.log
#
log { source(src); filter(f_ppp); destination(ppp); };

116
freebsd_vm/devfs.rules Normal file
View File

@ -0,0 +1,116 @@
#
# The following are some default rules for devfs(5) mounts.
# The format is very simple. Empty lines and lines beginning
# with a hash '#' are ignored. If the hash mark occurs anywhere
# other than the beginning of a line, it and any subsequent
# characters will be ignored. A line in between brackets '[]'
# denotes the beginning of a ruleset. In the brackets should
# be a name for the rule and its ruleset number. Any other lines
# will be considered to be the 'action' part of a rule
# passed to the devfs(8) command. These will be passed
# "as-is" to the devfs(8) command with the exception that
# any references to other rulesets will be expanded first. These
# references must include a dollar sign '$' in front of the
# name to be expanded properly.
#
# $FreeBSD: releng/12.1/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
#
# Very basic and secure ruleset: Hide everything.
# Used as a basis for other rules.
#
[devfsrules_hide_all=1]
add hide
# Basic devices typically necessary.
# Requires: devfsrules_hide_all
#
[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
add path zero unhide
add path crypto unhide
add path random unhide
add path urandom unhide
# Devices typically needed to support logged-in users.
# Requires: devfsrules_hide_all
#
[devfsrules_unhide_login=3]
add path 'ptyp*' unhide
add path 'ptyq*' unhide
add path 'ptyr*' unhide
add path 'ptys*' unhide
add path 'ptyP*' unhide
add path 'ptyQ*' unhide
add path 'ptyR*' unhide
add path 'ptyS*' unhide
add path 'ptyl*' unhide
add path 'ptym*' unhide
add path 'ptyn*' unhide
add path 'ptyo*' unhide
add path 'ptyL*' unhide
add path 'ptyM*' unhide
add path 'ptyN*' unhide
add path 'ptyO*' unhide
add path 'ttyp*' unhide
add path 'ttyq*' unhide
add path 'ttyr*' unhide
add path 'ttys*' unhide
add path 'ttyP*' unhide
add path 'ttyQ*' unhide
add path 'ttyR*' unhide
add path 'ttyS*' unhide
add path 'ttyl*' unhide
add path 'ttym*' unhide
add path 'ttyn*' unhide
add path 'ttyo*' unhide
add path 'ttyL*' unhide
add path 'ttyM*' unhide
add path 'ttyN*' unhide
add path 'ttyO*' unhide
add path ptmx unhide
add path pts unhide
add path 'pts/*' unhide
add path fd unhide
add path 'fd/*' unhide
add path stdin unhide
add path stdout unhide
add path stderr unhide
# Devices usually found in a jail.
#
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path fuse unhide
add path zfs unhide
[usbrules=100]
add path 'usbctl' mode 660 group uucp
add path 'usb/*' mode 660 group uucp
add path 'ttyU*' mode 660 group uucp
[serial_usb_rules=1000]
add include $devfsrules_jail
add path 'cuau*' unhide
add path 'cuaU*' unhide
add path 'ttyu*' unhide
add path 'ttyU*' unhide
add path 'usb*' unhide
add path 'usb/*' unhide
[devfs_rules_bhyve_jail=2000]
add include $devfsrules_jail
add path vmm unhide
add path vmm/* unhide
add path vmm.io unhide
add path vmm.io/* unhide
add path tap* unhide
add path zvol/ship/raw/* unhide
add path nmdm* unhide
[devfs_rules_tun_jail=3000]
add include $devfsrules_jail
add path tun* unhide

4
freebsd_vm/loader.conf Normal file
View File

@ -0,0 +1,4 @@
boot_serial="NO"
if_tap_load="YES"

99
freebsd_vm/rc.conf Normal file
View File

@ -0,0 +1,99 @@
hostname="freebsd.ahlawat.com"
#ifconfig_vtnet0="DHCP"
#ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
kld_list="nmdm vmm ipfw ipdivert linux64"
# Do not mark to autodetach otherwise ZFS gets very unhappy.
geli_autodetach="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdir="/var/crash"
savecore_enable="YES"
# Turbo boost
performance_cpu_freq="HIGH"
ntpd_sync_on_start="YES"
ntpd_enable="YES"
powerd_enable="YES"
powerd_flags="-a hiadaptive -n hiadaptive -m 2500 -M 3300"
smartd_enable="YES"
#nut_enable="YES"
#dbus_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_logif="YES"
# interfaces
cloned_interfaces_sticky="YES"
cloned_interfaces="bridge1"
ifconfig_vtnet0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
ifconfig_vtnet0="inet 192.168.0.83/24"
ifconfig_vtnet0_ipv6="inet6 fd01::83/64 auto_linklocal accept_rtadv"
ifconfig_bridge1="ether random addm vtnet0 up"
defaultrouter="192.168.0.5"
ipv6_defaultrouter="fd01::5"
# interfaces
syslogd_enable="YES"
syslogd_flags="-C -O rfc5424 -ss"
syslog_ng_enable="NO"
syslog_ng_config="-u daemon"
syslog_ng_pid="/var/run/syslog-ng.pid"
sendmail_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="YES"
sendmail_msp_queue_enable="YES"
sshd_enable="YES"
iocage_enable="NO"
devfs_system_ruleset="usbrules"
#node_exporter_enable="YES"
#node_exporter_args=--collector.filesystem.ignored-mount-points="/mnt/iocage*"
#gstat_exporter_enable="YES"
# modify hard disk cam queues
cam_tag_enable="YES"
# debian jail
linux_enable="YES"
nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfsuserd_enable="YES"
mountd_enable="YES"
mountd_flags="-r"
rpcbind_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
tftpd_enable="YES"
tftpd_flags="-s /mnt/ship/pxe"
ctld_enable="YES"

14
freebsd_vm/sysctl.conf Normal file
View File

@ -0,0 +1,14 @@
# $FreeBSD$
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
net.link.bridge.pfil_member=0 # Packet filter on the member interface

View File

@ -62,7 +62,7 @@ exit $?
# (This uses cu() so press ~+Ctrl-D to exit) # (This uses cu() so press ~+Ctrl-D to exit)
#on base system: #on base system:
#zfs create -V 32G -o refreservation=none ship/raw/freebsd #zfs create -V 16G -o refreservation=none ship/raw/freebsd
#zfs create -V 16G -o refreservation=none ship/raw/freebsd_1 #zfs create -V 16G -o refreservation=none ship/raw/freebsd_1
#zfs create -V 16G -o refreservation=none ship/raw/freebsd_2 #zfs create -V 16G -o refreservation=none ship/raw/freebsd_2
#zfs create -V 16G -o refreservation=none ship/raw/freebsd_z1 #zfs create -V 16G -o refreservation=none ship/raw/freebsd_z1

View File

@ -48,6 +48,8 @@ update_jail ()
} }
iocage fetch -U -r 12.2-RELEASE iocage fetch -U -r 12.2-RELEASE
etcupdate build current-src.bzip2
mv current-src.bzip2 /root/FreeBSD/jails/configs/common/
read -p "update pkgp packages first (y/N)? " RESP read -p "update pkgp packages first (y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then if [ ! -z $RESP ] && [ $RESP == "y" ]; then
@ -78,7 +80,6 @@ echo "freebsd-update fetch"
echo "freebsd-update install" echo "freebsd-update install"
# echo "pkg bootstrap -f ; pkg update ; pkg upgrade" # echo "pkg bootstrap -f ; pkg update ; pkg upgrade"
echo "cd /usr/src; svn update; make -j8 buildkernel KERNCONF=diyIT && make -j8 installkernel KERNCONF=diyIT" echo "cd /usr/src; svn update; make -j8 buildkernel KERNCONF=diyIT && make -j8 installkernel KERNCONF=diyIT"
echo "etcupdate build /root/FreeBSD/jails/configs/common/current-src.bzip2"
echo "reboot" echo "reboot"
echo "pkg-static upgrade -f" echo "pkg-static upgrade -f"
#echo "rm -rf /var/tmp/temproot*" #echo "rm -rf /var/tmp/temproot*"

174
pxe/root/create.sh Executable file
View File

@ -0,0 +1,174 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
JAIL=$1
JAILHOSTNAME=$2
JAILDOMAIN=$3
JAILIP=$4
JAILUSER=$5
JAILUSERID=$6
JAILUSERVNC=$7
: "${JAIL:?Need to specify JAIL - first parameter}"
: "${JAILHOSTNAME:?Need to specify JAILHOSTNAME - second parameter}"
: "${JAILDOMAIN:?Need to specify JAILDOMAIN - third parameter}"
: "${JAILIP:?Need to specify JAILIP - fourth parameter}"
: "${JAILUSER:?Need to specify JAILUSER - fifth parameter - set to X if none required}"
: "${JAILUSERID:?Need to specify JAILUSERID - sixth parameter - eg. set to 1000 for p OR 2002 for r}"
: "${JAILUSERVNC:?Need to specify JAILUSERVNC - seventh parameter - set to true to add vnc for jailuser}"
# user p and r are diyit deployment specific
# there are cases where you may only want an IPv4 jail
I6CONFIG=true
I4NW="192.168.10"
I6NW="fd0a"
I4GW="192.168.10.5"
I6GW="fd0a::5"
I4NS="192.168.10.5"
I6NS="fd0a::5"
# these IP spaces are diyit deployment specific
echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"
# cant install packages during jail creation because ipfw blocks all network traffic
#echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json
#iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ...
#rm /tmp/pkg-$JAIL.json
if $I6CONFIG; then
iocage create -n "$JAIL" -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
# iocage create -n "$JAIL" -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64,vnet0|accept_rtadv" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
# iocage cannot set static IP AND enable SLAAC temporary properly
iocage exec $JAIL 'sysrc ifconfig_epair0b_ipv6="inet6 auto_linklocal accept_rtadv"'
iocage exec $JAIL "sysrc rtsold_enable=YES"
iocage exec $JAIL "echo 'net.inet6.ip6.accept_rtadv=1' >> /etc/sysctl.conf"
iocage exec $JAIL "echo 'net.inet6.ip6.use_tempaddr=1' >> /etc/sysctl.conf"
iocage exec $JAIL "echo 'net.inet6.ip6.prefer_tempaddr=1' >> /etc/sysctl.conf"
else
iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" defaultrouter=$I4GW resolver="nameserver $I4NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
fi
iocage exec $JAIL "sysrc firewall_enable=YES"
iocage exec $JAIL "sysrc firewall_type=open"
iocage exec $JAIL "sysrc firewall_logif=YES"
iocage exec $JAIL "service ipfw restart"
# jail is already up at this point so configure IPv6 manually for this run
iocage exec $JAIL "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start"
iocage exec $JAIL "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
if $I6CONFIG; then
iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
fi
iocage exec $JAIL "mkdir -p /mnt/certs"
iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0
iocage exec $JAIL "mkdir -p /mnt/config"
iocage fstab -a $JAIL /root/FreeBSD/jails/config/$JAIL /mnt/config nullfs rw 0 0
iocage exec $JAIL "mkdir -p /var/db/freebsd-update/files"
iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files nullfs rw 0 0
iocage exec $JAIL "mkdir -p /mnt/common"
iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
# create resolvconf.conf - IPv6 SLAAC/DHCP on freebsd removes all ipv4 configuraton from resolv.conf
iocage exec $JAIL "[ -f /mnt/config/resolv.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"
iocage exec $JAIL "resolvconf -u"
iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos"
iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/"
iocage exec $JAIL "[ -f /mnt/config/freebsd-update.conf ] && cp /mnt/config/freebsd-update.conf /etc/ || cp /mnt/common/freebsd-update.conf /etc/"
iocage exec $JAIL "env ASSUME_ALWAYS_YES=YES pkg bootstrap"
iocage exec $JAIL "pkg update -f"
iocage exec $JAIL "pkg upgrade -y"
iocage exec $JAIL "pkg install -y bash bash-completion nano"
iocage exec $JAIL "[ -f /mnt/config/nanorc ] && cp /mnt/config/nanorc /usr/local/etc/ || cp /mnt/common/nanorc /usr/local/etc/"
iocage exec $JAIL "cp -r /mnt/common/nano /usr/local/etc/"
#iocage exec $JAIL "passwd root"
iocage exec $JAIL "chsh -s /usr/sbin/nologin toor"
iocage exec $JAIL "pw usermod -n root -s /usr/local/bin/bash -c jail-$JAIL"
iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /root/ || cp /mnt/common/.bash_profile /root/"
iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /root/ || cp /mnt/common/.dir_colors /root/"
iocage exec $JAIL "mkdir /root/.ssh"
iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /root/.ssh/ || cp /mnt/common/authorized_keys /root/.ssh/"
iocage exec $JAIL "chmod 600 /root/.ssh/authorized_keys"
iocage exec $JAIL "[ -f /mnt/config/sshd_config ] && cp /mnt/config/sshd_config /etc/ssh/ || cp /mnt/common/sshd_config /etc/ssh/"
iocage exec $JAIL "sysrc sshd_enable=YES"
iocage exec $JAIL "/etc/rc.d/sshd start"
iocage exec $JAIL "service sshd restart"
iocage exec $JAIL "cd /etc/mail ; make"
iocage exec $JAIL "bash /mnt/common/snip-sendmail.sh"
iocage exec $JAIL "sysrc sendmail_enable=NO"
iocage exec $JAIL "sysrc sendmail_outbound_enable=NO"
iocage exec $JAIL "sysrc sendmail_submit_enable=YES"
iocage exec $JAIL "sysrc sendmail_msp_queue_enable=YES"
iocage exec $JAIL "cd /etc/mail ; make all install"
iocage exec $JAIL "echo 'root: jail-root@$JAILDOMAIN' >> /etc/mail/aliases"
iocage exec $JAIL "/usr/bin/newaliases"
iocage exec $JAIL "service sendmail start"
iocage exec $JAIL "service sendmail restart"
# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448
iocage exec $JAIL 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"'
if [ "$JAILUSER" != "X" ]; then
iocage exec $JAIL "pkg install -y sudo"
iocage exec $JAIL "pw useradd $JAILUSER -u $JAILUSERID -G wheel -m -d /home/$JAILUSER -s /usr/local/bin/bash"
iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /home/$JAILUSER/ || cp /mnt/common/.bash_profile /home/$JAILUSER/"
iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.bash_profile"
iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /home/$JAILUSER/ || cp /mnt/common/.dir_colors /home/$JAILUSER/"
iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.dir_colors"
iocage exec $JAIL "mkdir /home/$JAILUSER/.ssh"
iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /home/$JAILUSER/.ssh/ || cp /mnt/common/authorized_keys /home/$JAILUSER/.ssh/"
iocage exec $JAIL "chmod 600 /home/$JAILUSER/.ssh/authorized_keys"
iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER/.ssh"
iocage exec $JAIL "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo"
echo "set ssh password for $JAILUSER"
iocage exec $JAIL "passwd $JAILUSER"
if $JAILUSERVNC; then
iocage exec $JAIL "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus"
#firefox and other X apps require dbus
iocage exec $JAIL "sysrc dbus_enable=YES"
iocage exec $JAIL "service dbus start"
iocage exec $JAIL "mkdir -p /home/$JAILUSER/.vnc"
iocage exec $JAIL "[ -f /mnt/config/secret/passwd ] && cp /mnt/config/secret/passwd /home/$JAILUSER/.vnc/ || cp /mnt/common/secret/passwd /home/$JAILUSER/.vnc/"
iocage exec $JAIL "[ -f /mnt/config/xstartup ] && cp /mnt/config/xstartup /home/$JAILUSER/.vnc/ || cp /mnt/common/xstartup /home/$JAILUSER/.vnc/"
iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER"
iocage exec $JAIL "[ -f /mnt/config/vncserver ] && cp /mnt/config/vncserver /usr/local/etc/rc.d/vncserver || cp /mnt/common/vncserver /usr/local/etc/rc.d/vncserver"
iocage exec $JAIL "chmod 555 /usr/local/etc/rc.d/vncserver"
iocage exec $JAIL "sysrc vncserver_enable=YES"
iocage exec $JAIL "service vncserver start"
fi
fi
iocage exec $JAIL "pkg clean -y"
iocage exec $JAIL "tzsetup America/Los_Angeles"
# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
# iocage exec $JAIL "rmdir /mnt/common"
iocage exec $JAIL "echo 'Subject: created new jail: $JAIL with $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v -t jail-root@$JAILDOMAIN"
# reverse dns should already be configured for the mail server to accept this email

View File

@ -1,4 +1,13 @@
#!/usr/local/bin/bash #!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#shrinking the command Native Command Queue down to 1 effectively disabling queuing #shrinking the command Native Command Queue down to 1 effectively disabling queuing
for Disk in `camcontrol devlist | grep "ST8000DM" | cut -d"," -f2 | cut -d")" -f1`; for Disk in `camcontrol devlist | grep "ST8000DM" | cut -d"," -f2 | cut -d")" -f1`;
do do

View File

@ -1,14 +0,0 @@
# pkgk install py37-pysnmp
from pysnmp import hlapi
def get(target, oids, credentials, port=161, engine=hlapi.SnmpEngine(), context=hlapi.ContextData()):
handler = hlapi.getCmd(
engine,
credentials,
hlapi.UdpTransportTarget((target, port)),
context,
*construct_object_types(oids)
)
return fetch(handler, 1)[0]

21
sync-config.sh Executable file
View File

@ -0,0 +1,21 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
diff -ru / configs | grep -v "Only in /" | grep "Only in" | sed 's/Only in // ; s/: /\//' | xargs -n1 echo WILL DELETE
read -p "(y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then
diff -ru / configs | grep -v "Only in /" | grep "Only in" | sed 's/Only in // ; s/: /\//' | xargs -n1 rm
fi
diff -ru / configs | grep -v "Only in /" | grep "diff -ru" | sed 's/diff -ru//' | xargs -n2 echo WILL COPY
read -p "(y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then
diff -ru / configs | grep -v "Only in /" | grep "diff -ru" | sed 's/diff -ru//' | xargs -n2 cp
fi

21
sync-pxe.sh Executable file
View File

@ -0,0 +1,21 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
diff -ru /mnt/ship/pxe pxe | grep -v "Only in /" | grep "Only in" | sed 's/Only in // ; s/: /\//' | xargs -n1 echo WILL DELETE
read -p "(y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then
diff -ru /mnt/ship/pxe pxe | grep -v "Only in /" | grep "Only in" | sed 's/Only in // ; s/: /\//' | xargs -n1 rm
fi
diff -ru /mnt/ship/pxe pxe | grep -v "Only in /" | grep "diff -ru" | sed 's/diff -ru//' | xargs -n2 echo WILL COPY
read -p "(y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then
diff -ru /mnt/ship/pxe pxe | grep -v "Only in /" | grep "diff -ru" | sed 's/diff -ru//' | xargs -n2 cp
fi