Archive for the ‘FreeBSD’ Category

FreeBSD : nginx with php-cgi on unix socket

UPDATE: Check out the recently committed /usr/ports/www/spawn-fcgi/, which comes with a better spawn-fcgi rc.d script. Please use the script from the port. However, the spawn-fcgi.sh it provides has no option to run via a unix socket. I have submitted a patch.

A few days ago I posted a write-up, FreeBSD : php-cgi spawn-fcgi rc.d script for nginx, on running php-cgi on port 8888. But how do you run it via a unix socket? It is trivial with the spawn-fcgi rc.d script. Just add the flags to /etc/rc.conf:

spawnfcgi_flags="-s /tmp/php-fastcgi.socket -u www -g www -f /usr/local/bin/php-cgi"

Next, replace the line

fastcgi_pass 127.0.0.1:8888;

with this

fastcgi_pass unix:/tmp/php-fastcgi.socket;

Lastly restart both php-cgi and nginx:

/usr/local/etc/rc.d/spawnfcgi restart && /usr/local/etc/rc.d/nginx restart

That’s all. You have your php-cgi on unix socket.

Friday, April 17th, 2009

FreeBSD : Glusterfs with SSL (via stunnel)

I have been working on parallel round-robin web clusters (is this the right term?) using 2 x FreeBSD 7.1 AMD64 boxes, nginx (patched with the fair upstream module), apache + php (backend), glusterfs, tinydns (sitting on another box, a name server, for the round-robin A record) and mysql multi-master replication. The setup mainly makes use of the round-robin replication concept. Although I have not yet fully hammered the configuration, it has been pretty impressive and secure.

Glusterfs and mysql replicate over SSL. Nginx serves SSL. These, however, come at a slight expense of CPU and performance. I can live with that though.

The write-up of the setup is in progress, as I am quite tied up with my day job, the HeX project and the glusterfs 2.0 port for FreeBSD. Hopefully I can manage the time well to complete all these. Nevertheless, here is a partial (optional) write-up for glusterfs replication with SSL.

Note: server1 and server2 denote the FreeBSD clusters.

1) Installing required software
Most of the software, except glusterfs (not in the FreeBSD ports as of this posting), is available via the FreeBSD ports. I’m aware that TimurBakeyev is working on a glusterfs port.

# cd /usr/ports/security/stunnel && make install clean

2) Creating SSL certs (on either of the box)
Generally, it is easier to do all cert/key generation on a single box and copy the required certs to the rest of the boxes. But YMMV. Commonly, cacert.pem and the generated cert/key pair are what get copied.

2.1) For the impatient
Just create a self-signed certificate with this one-liner. Remember to modify the content of “-subj”.

# openssl req -new -outform PEM -out /etc/ssl/stunnel-cert.pem -newkey rsa:1024 \
-nodes -keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -x509 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

2.2) For the patient
Create the directories and files the CA needs with the following commands.

# mkdir /etc/ssl/newcerts
# mkdir /etc/ssl/private
# echo '01' >/etc/ssl/serial
# touch /etc/ssl/index.txt

Next, let’s generate a CA. You will be prompted for your country, state, location etc. and for a password for the CA key.

# openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/private/cakey.pem \
-out /etc/ssl/cacert.pem -days 3650 -config /etc/ssl/openssl.cnf

Generate a cert request for stunnel (the request file is the one signed in the next step):

# openssl req -outform PEM -out /etc/ssl/stunnel-req.pem -newkey rsa:1024 -nodes \
-keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

Lastly, use the CA key to sign the cert.

# openssl ca -in /etc/ssl/stunnel-req.pem -notext -out /etc/ssl/stunnel-cert.pem
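As an added example (not part of the original post), here is a shell script that builds the same file set as 2.2 (CA cert/key plus stunnel cert/key) in a scratch directory and verifies it before anything is copied to the other box. It differs from the steps above in one respect: signing uses `openssl x509 -req -CA ...` instead of `openssl ca`, so it needs no index.txt/serial CA database. The subject names, the scratch directory and the second "other" CA used for the negative check are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build a CA and a CA-signed stunnel
# cert/key in a scratch directory and verify the result. Signing is done with
# `openssl x509 -req -CA ...` (no CA database needed) rather than the post's
# `openssl ca`. Subject names are constructed placeholders.

# verify_stunnel_material CACERT CERT KEY
# 0 when CERT chains to CACERT and KEY is the private key for CERT, 1 otherwise.
verify_stunnel_material() {
    ca=$1; cert=$2; key=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$cert")
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# make_ca DIR NAME -> DIR/NAME-cacert.pem and DIR/NAME-cakey.pem (self-signed, 10 years)
make_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -keyout "$1/$2-cakey.pem" -out "$1/$2-cacert.pem" \
        -subj "/CN=$2 CA" >/dev/null 2>&1
}

# make_stunnel_cert DIR CANAME -> DIR/stunnel-key.pem and DIR/stunnel-cert.pem signed by CANAME
make_stunnel_cert() {
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1/stunnel-key.pem" \
        -out "$1/stunnel-req.pem" -subj '/CN=server2' >/dev/null 2>&1 &&
    openssl x509 -req -days 3650 -in "$1/stunnel-req.pem" \
        -CA "$1/$2-cacert.pem" -CAkey "$1/$2-cakey.pem" -CAcreateserial \
        -out "$1/stunnel-cert.pem" >/dev/null 2>&1
}

# demo_chain: 0 only if the stunnel cert verifies against the CA that signed it
# and does NOT verify against an unrelated CA (the check the client side relies on).
demo_chain() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" cluster && make_ca "$dir" other && make_stunnel_cert "$dir" cluster \
        || { rm -rf "$dir"; return 1; }
    verify_stunnel_material "$dir/cluster-cacert.pem" "$dir/stunnel-cert.pem" "$dir/stunnel-key.pem" \
        || { rm -rf "$dir"; return 1; }
    if verify_stunnel_material "$dir/other-cacert.pem" "$dir/stunnel-cert.pem" "$dir/stunnel-key.pem"; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}

if command -v openssl >/dev/null 2>&1; then
    demo_chain && echo "chain OK: stunnel-cert.pem verifies against the cluster CA only"
else
    echo "openssl not installed; nothing to verify"
fi
```

Two things are worth confirming before copying files to the other box: that stunnel-cert.pem verifies against cacert.pem (openssl verify) and that stunnel-key.pem is really the private key for that cert (the modulus comparison). Note that stunnel only checks the peer's certificate against CAfile when a verify level is set in its configuration; with no verify line, CAfile is loaded but the peer is not checked against it.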

3) Modifying stunnel rc.d for stunnel running client mode
The rc.d script for stunnel is meant for running either server or client mode, not both. I need both modes here, so I made a quick copy of the stunnel rc.d script to run a second instance of stunnel in client mode. I named it /usr/local/etc/rc.d/stunnelc.

#!/bin/sh
#
# $FreeBSD: ports/security/stunnel/files/stunnel.in,v 1.9 2008/01/26 14:18:12 roam Exp $
#

# PROVIDE: stunnelc
# REQUIRE: NETWORKING SERVERS
# BEFORE: DAEMON glusterfs
# KEYWORD: shutdown

#
# Add some of the following variables to /etc/rc.conf to configure stunnel:
# stunnelc_enable (bool):        Set to "NO" by default.
#                               Set it to "YES" to enable stunnel.
# stunnelc_config (str):         Default "/usr/local/etc/stunnel/stunnel-client.conf"
#                               Set it to the full path to the config file
#                               that stunnel will use during the automated
#                               start-up.
# stunnelc_pidfile (str):        Default "/var/tmp/stunnel/stunnel-client.pid"
#                               Set it to the value of 'pid' in
#                               the stunnel.conf file.
#

. /etc/rc.subr

name="stunnelc"
rcvar=`set_rcvar`

load_rc_config $name

: ${stunnelc_enable="NO"}
: ${stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"}
: ${stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"}
procname="/usr/local/bin/stunnel"
command="/usr/local/bin/stunnel"
command_args=${stunnelc_config}
pidfile=${stunnelc_pidfile}

required_files="${stunnelc_config}"

run_rc_command "$1"

4) glusterfs vol configuration
In this setup, glusterfsd listens on lo0 (127.0.0.1) port 6996 and the stunnel server listens on em0 (the net-facing NIC) port 8996. The stunnel client, on the other hand, listens on 127.0.0.1 port 7996 and forwards to the remote host on port 8996. The glusterfs client mounts a volume made of 127.0.0.1 port 6996 (the local brick) and 127.0.0.1 port 7996 (tunneled to port 8996 on the remote host). Refer to the configurations below:

i) stunnel-server.conf.

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

ii) stunnel-client.conf.

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996

auth.login was used because the auth.addr method only accepts connections from privileged ports (below 1024), and the tunneled connection does not arrive from one. The auth.login method does not care about the privileged-port ceiling.

Please refer to
http://www.gluster.org/docs/index.php/GlusterFS_Encrypted_network
http://www.gluster.org/docs/index.php/Translators_v2.0#auth.login

As I’m still working on the glusterfs 2.0 port, you can use the rc.d scripts that I have completed for glusterfs and glusterfsd.

APPENDIX

Configuration files on server1

I) /etc/rc.conf

fusefs_enable="YES"
glusterfsd_enable="YES"
glusterfs_enable="YES"
glusterfs_mount="/usr/home/www"
stunnel_enable="YES"
stunnel_config="/usr/local/etc/stunnel/stunnel-server.conf"
stunnel_pidfile="/var/tmp/stunnel/stunnel-server.pid"
stunnelc_enable="YES"
stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"
stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"

II) Stunnel configuration for glusterfsd (/usr/local/etc/stunnel/stunnel-server.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-server.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem

output = /var/log/stunnel.log

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

III) Stunnel configuration for glusterfs (/usr/local/etc/stunnel/stunnel-client.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-client.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem
output = /var/log/stunnelc.log
client = yes

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996

IV) Glusterfs client configuration (/usr/local/etc/glusterfs/glusterfs.vol)

volume remote1
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 6996
  option remote-subvolume brick
end-volume

volume remote2
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 7996
  option username yourusername
  option password yourpassword
  option remote-subvolume brick
end-volume

volume replicate
  type cluster/replicate
  subvolumes remote1 remote2
end-volume

volume writebehind
  type performance/write-behind
  option block-size 128KB
  option cache-size 1MB
  subvolumes replicate
end-volume

volume cache
  type performance/io-cache
  option cache-size 512MB
  subvolumes writebehind
end-volume

V) Glusterfs server configuration (/usr/local/etc/glusterfs/glusterfsd.vol)

volume posix
  type storage/posix
  option directory /usr/home/www-shared
end-volume

volume locks
  type features/locks
  subvolumes posix
end-volume

volume brick
  type performance/io-threads
  option thread-count 8
  subvolumes locks
end-volume

volume server
  type protocol/server
  option transport-type tcp
  option transport.socket.bind-address 127.0.0.1
  option auth.addr.brick.allow 127.0.0.1
  option auth.login.brick.allow yourusername
  option auth.login.yourusername.password yourpassword
  subvolumes brick
end-volume
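As an added example (not from the original post), here is a shell script with two sanity checks for the port layout in section 4 and the appendix above: the plaintext glusterfsd port (6996) and the stunnel client port (7996) must be bound to 127.0.0.1 only, and the three configuration files must agree on which port forwards where. The sockstat listings and the abbreviated config files below are constructed samples that mirror the appendix; on a real box you would feed it `sockstat -4 -l` output and the files under /usr/local/etc.

```shell
#!/bin/sh
# Added example, not from the original post: check that only the stunnel server
# port is reachable from the network and that stunnel-server.conf,
# stunnel-client.conf and glusterfs.vol agree on the port wiring.
# All files below are constructed samples.

# loopback_only SOCKSTAT_OUTPUT PORT
# 0 when every tcp4 listener on PORT is bound to 127.0.0.1; 1 when a listener on
# PORT is bound to * or to a NIC address (reachable from the network).
loopback_only() {
    awk -v port="$2" '
        $5 == "tcp4" && $6 ~ (":" port "$") && $6 !~ /^127\.0\.0\.1:/ { exposed = 1 }
        END { if (exposed) exit 1; exit 0 }' "$1"
}

# stunnel_value CONF SECTION KEY -> prints the value of "KEY = value" inside [SECTION]
stunnel_value() {
    awk -v sec="$2" -v key="$3" '
        /^\[/ { in_sec = ($0 == ("[" sec "]")); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# vol_option VOLFILE VOLUME NAME -> prints the value of "option NAME value" inside VOLUME
vol_option() {
    awk -v vol="$2" -v name="$3" '
        $1 == "volume" { in_vol = ($2 == vol); next }
        $1 == "end-volume" { in_vol = 0; next }
        in_vol && $1 == "option" && $2 == name { print $3; exit }' "$1"
}

# tunnel_consistent SERVER_CONF CLIENT_CONF VOLFILE
# 0 when remote1 uses the plaintext port the server stunnel forwards to, remote2
# uses the client stunnel's accept port, and the client stunnel connects to the
# port the server stunnel accepts on.
tunnel_consistent() {
    plain_port=$(vol_option "$3" remote1 remote-port)
    tunnel_port=$(vol_option "$3" remote2 remote-port)
    client_target=$(stunnel_value "$2" glusterfs connect)   # e.g. server2:8996
    [ "$(stunnel_value "$1" glusterfsd connect)" = "127.0.0.1:$plain_port" ] || return 1
    [ "$(stunnel_value "$2" glusterfs accept)" = "127.0.0.1:$tunnel_port" ] || return 1
    [ "${client_target##*:}" = "$(stunnel_value "$1" glusterfsd accept)" ]
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# constructed `sockstat -4 -l` output for the intended layout
cat >"$SAMPLES/sockstat.ok" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     glusterfsd 1201  7  tcp4   127.0.0.1:6996        *:*
stunnel  stunnel    1210  9  tcp4   *:8996                *:*
stunnel  stunnel    1220  9  tcp4   127.0.0.1:7996        *:*
EOF
# same box with glusterfsd mistakenly bound on all interfaces
cat >"$SAMPLES/sockstat.exposed" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     glusterfsd 1201  7  tcp4   *:6996                *:*
stunnel  stunnel    1210  9  tcp4   *:8996                *:*
EOF
cat >"$SAMPLES/stunnel-server.conf" <<'EOF'
cert = /etc/ssl/stunnel-cert.pem
[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996
EOF
cat >"$SAMPLES/stunnel-client.conf" <<'EOF'
client = yes
[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996
EOF
cat >"$SAMPLES/glusterfs.vol" <<'EOF'
volume remote1
  type protocol/client
  option remote-host 127.0.0.1
  option remote-port 6996
end-volume
volume remote2
  type protocol/client
  option remote-host 127.0.0.1
  option remote-port 7996
end-volume
EOF

for port in 6996 7996; do
    loopback_only "$SAMPLES/sockstat.ok" "$port" && echo "port $port: loopback only"
done
loopback_only "$SAMPLES/sockstat.exposed" 6996 || echo "port 6996: EXPOSED on the network"
tunnel_consistent "$SAMPLES/stunnel-server.conf" "$SAMPLES/stunnel-client.conf" "$SAMPLES/glusterfs.vol" \
    && echo "stunnel/glusterfs port wiring is consistent"
```

The exposure check matters because glusterfsd on 6996 carries the replication traffic in the clear; only the stunnel server port is supposed to be reachable from the NIC, which is what `transport.socket.bind-address 127.0.0.1` in glusterfsd.vol is there to enforce.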

Wednesday, April 15th, 2009

FreeBSD : php-cgi spawn-fcgi rc.d script for nginx

I was busy working on the glusterfs port for FreeBSD. Still some issues to be ironed out before it can be submitted upstream. At the same time, I set up web servers running nginx with php5 via fastcgi. FreeBSD doesn’t have an rc.d script to start the spawn-fcgi process, so I wrote a quick one. Below is the script.

#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: spawnfcgi
# REQUIRE: DAEMON
# BEFORE:  nginx
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable spawnfcgi:
# spawnfcgi_enable (bool):    Set it to "YES" to enable spawnfcgi.
#                             Default is "NO".
# spawnfcgi_flags  (str):     Default is "-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi".
#

. /etc/rc.subr

name="spawnfcgi"
rcvar=${name}_enable

load_rc_config $name

spawnfcgi_enable=${spawnfcgi_enable:-"NO"}
spawnfcgi_flags=${spawnfcgi_flags:-"-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi"}
spawnfcgi_pidfile="/var/run/${name}.pid"
procname="/usr/local/bin/php-cgi"
pidfile=${spawnfcgi_pidfile}
command=/usr/local/bin/spawn-fcgi
command_args="${spawnfcgi_flags} -P ${spawnfcgi_pidfile}"

run_rc_command "$1"

Note: spawn-fcgi is part of lighttpd.

Just add spawnfcgi_enable="YES" to /etc/rc.conf to enable it. As this is just a simple script, not all options are exposed. You can add or override options via spawnfcgi_flags. Do check the options available via /usr/local/bin/spawn-fcgi -h.

For the nginx part, just add these lines to your server directive.

location ~ \.php$ {
    fastcgi_pass   127.0.0.1:8888;
    fastcgi_index  index.php;
    fastcgi_param   SCRIPT_FILENAME /path/to/the/phpscript/$fastcgi_script_name;
    include         fastcgi_params;
}
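As an added example (not from this post or the unix-socket post above), here is a shell script that derives the fastcgi_pass target nginx must use from the spawnfcgi_flags line in /etc/rc.conf and compares it with the nginx location block. It handles both the TCP form used here (-a ADDR -p PORT) and the unix-socket form (-s PATH) from the later post, so a mismatch between the two files is caught before nginx starts returning errors. The rc.conf and nginx snippets below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original posts: check that nginx's fastcgi_pass
# points at the address or socket spawn-fcgi was told to listen on.
# Sample rc.conf and nginx files are constructed below.

# expected_fastcgi_pass RCCONF -> prints "ADDR:PORT" or "unix:PATH" from spawnfcgi_flags
expected_fastcgi_pass() {
    flags=$(sed -n 's/^spawnfcgi_flags="\(.*\)".*/\1/p' "$1")
    # fall back to the rc.d script's built-in default when rc.conf sets no flags
    [ -n "$flags" ] || flags="-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi"
    addr=127.0.0.1 port= sock=
    set -- $flags
    while [ $# -gt 0 ]; do
        case $1 in
            -a) addr=$2; shift ;;
            -p) port=$2; shift ;;
            -s) sock=$2; shift ;;
        esac
        shift
    done
    if [ -n "$sock" ]; then echo "unix:$sock"; else echo "$addr:$port"; fi
}

# nginx_fastcgi_pass NGINXCONF -> prints the first fastcgi_pass target in the file
nginx_fastcgi_pass() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^; ]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# check_fcgi_wiring RCCONF NGINXCONF -> 0 when nginx points where spawn-fcgi listens
check_fcgi_wiring() {
    want=$(expected_fastcgi_pass "$1")
    have=$(nginx_fastcgi_pass "$2")
    echo "spawn-fcgi listens on: $want"
    echo "nginx passes to:       $have"
    [ "$want" = "$have" ]
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

cat >"$SAMPLES/rc.conf.tcp" <<'EOF'
spawnfcgi_enable="YES"
spawnfcgi_flags="-a 127.0.0.1 -p 8888 -u www -g www -f /usr/local/bin/php-cgi"
EOF
cat >"$SAMPLES/rc.conf.sock" <<'EOF'
spawnfcgi_enable="YES"
spawnfcgi_flags="-s /tmp/php-fastcgi.socket -u www -g www -f /usr/local/bin/php-cgi"
EOF
cat >"$SAMPLES/nginx.tcp" <<'EOF'
location ~ \.php$ {
    fastcgi_pass   127.0.0.1:8888;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME /path/to/the/phpscript/$fastcgi_script_name;
    include        fastcgi_params;
}
EOF
cat >"$SAMPLES/nginx.sock" <<'EOF'
location ~ \.php$ {
    fastcgi_pass   unix:/tmp/php-fastcgi.socket;
    fastcgi_index  index.php;
    include        fastcgi_params;
}
EOF

check_fcgi_wiring "$SAMPLES/rc.conf.tcp"  "$SAMPLES/nginx.tcp"  && echo "TCP setup: consistent"
check_fcgi_wiring "$SAMPLES/rc.conf.sock" "$SAMPLES/nginx.sock" && echo "socket setup: consistent"
check_fcgi_wiring "$SAMPLES/rc.conf.sock" "$SAMPLES/nginx.tcp"  || echo "mixed setup: MISMATCH, nginx cannot reach php-cgi"
```

The unix-socket form has one advantage over 127.0.0.1:8888 besides speed: who may talk to php-cgi is then decided by the filesystem permissions on the socket, whereas any local process can connect to a loopback TCP port.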

Friday, April 10th, 2009

m0n0live : another m0n0wall live installer

I frequently use m0n0wall for quick and easy deployment of a firewall. However, it is kind of troublesome to dd the m0n0wall image from another computer. The idea of creating this liveCD installer originated from Chris Buechler’s m0n0wall live installer. Since 2005, there has been no updated release of that installer, so I decided to create my own.

m0n0live Installer
The m0n0live Installer CD is a FreeBSD 7.1 based liveCD built with the FreeSBIE toolkit. It includes the m0n0wall 1.235 and 1.3b15 images under /usr/m0n0 and /usr/m0n0/1.3b respectively. You can grab a copy of the m0n0live installer iso (42MB in size) from the links below:

http://my.rawpacket.org/m0n0live-i386-0.1.iso
http://my.rawpacket.org/m0n0live-i386-0.1.iso.md5
http://my.rawpacket.org/m0n0live-i386-0.1.iso.sha256

Burn the iso onto CD after you have obtained the iso file above. Do verify the iso with md5/sha256 provided to ensure that your download is completed correctly. If you are not familiar with burning an iso image, please refer to CD burning software documentation before you proceed. Never burn this iso file as a single file on a data CD. After you have successfully burned the iso image to CD, boot up the designated device with the bootable CD that you have created.

No login required, just read and follow the instructions displayed on the screen. Enjoy!

Tuesday, February 24th, 2009

FreeBSD : Compaq presario v3000 Ricoh card reader (update)

In my previous post on the Ricoh SD/MMC card reader, I had to patch the system in order to get the device working. With FreeBSD 7.1, it just works out of the box.

sdhci0: <RICOH R5C822 SD> mem 0xb8000800-0xb80008ff irq 22 at device 9.1 on pci5
sdhci0: 1 slot(s) allocated
sdhci0: [ITHREAD]
mmc0: <MMC/SD bus> on sdhci0
mmcsd0: 245MB <SD Memory Card> at mmc0 16MHz/4bit
GEOM_LABEL: Label for provider mmcsd0s1 is msdosfs/KINGSTON.

Writing speed
The write speed is about 8 seconds faster than in the previous test. :)

coeus# mount -t msdosfs /dev/mmcsd0s1 /mnt/sd
coeus# dd if=/dev/zero of=/mnt/sd/test.img bs=1k count=10k
10240+0 records in
10240+0 records out
10485760 bytes transferred in 2.203386 secs (4758930 bytes/sec)

Monday, January 19th, 2009

HeX 2.0 “Bonobo” is now!

After a long development, we have finally managed to produce release version 2 of HeX, codename “Bonobo”. What’s new in HeX 2.0? Check out https://trac.security.org.my/hex/wiki/WhatsNew. Official announcement at http://groups.google.com/group/HeX-liveCD/browse_thread/thread/9a70e96591639ff9

Thanks to all the raWPacket members who have put the effort in HeX 2.0 development, you guys are always rocking!

You can grab the latest ISO (Malaysian master)
http://my.rawpacket.org/hex-i386-2.0.iso
http://my.rawpacket.org/hex-i386-2.0.iso.md5
http://my.rawpacket.org/hex-i386-2.0.iso.sha256

Malaysian mirror at Multimedia University (Thanks to Zamri Besar)
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso.md5
http://archive.mmu.edu.my/hex/hex-i386-2.0.iso.sha256

Latest ISO (US mirror)
http://us.rawpacket.org/hex-i386-2.0.iso
http://us.rawpacket.org/hex-i386-2.0.iso.md5
http://us.rawpacket.org/hex-i386-2.0.iso.sha256

US mirror at the Georgia Institute of Technology (Thanks to Scholar01)
http://hexbit.csc.gatech.edu/hex-iso/hex-i386-2.0.iso
http://hexbit.csc.gatech.edu/hex-iso/hex-i386-2.0.iso.md5
http://hexbit.csc.gatech.edu/hex-iso/hex-i386-2.0.iso.sha256

US mirror at RedSphere Global Security, LLC. (Thanks to JJ Cummings)
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso.md5
https://secure.redsphereglobal.com/data/tools/security/live/HeX/hex-i386-2.0.iso.sha256

Monday, October 6th, 2008

HeX LiveCD 2.0RC1 for review


After a long development on 2.x branch, HeX LiveCD 2.0-RC1 is now available. It’s FreeBSD 7.0 based and stuffed with lots of NSM apps. With unionfs, HeX 2.0-RC1 loads even faster than the previous version.

However, there are a few known issues:

- Netdude is broken – passed to the author
- Autopsy is broken (sleuthkit issue) – unknown; sleuthkit 0.52 is broken in ports
- Gvim is broken (font not available) – fixed in development
- Flowtag is broken (looks for an older version of tcl while the new one is installed) – passed to the author
- NSM Console (Snort module: wrong path defined in the snort configuration file) – passed to the author
- Silktools (Flowcap and Rwflowpack) – unknown
- Ragraph is broken – unknown
- Zsh is missing – fixed in development

Here is the iso -
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso.md5
http://my.rawpacket.org/hex-i386-2.0-RC1-20080803.iso.sha256

Slow connection from Malaysia? Alternatively, you can download from US mirror -

http://us.rawpacket.org/image/hex-i386-2.0-RC1-20080803.iso

More information can be found in geek00l’s post.

http://geek00l.blogspot.com/2008/08/hex-20-rc1-is-now.html

Thursday, August 7th, 2008

FreeBSD : Inexpensive and simple swap encryption

It has been a while since I last put up a post. Here is a short note on swap space encryption with FreeBSD’s geom geli(8). This feature has been there for quite some time.

Enabling swapspace encryption with geli

Only 2 files need to be edited: /etc/fstab and /boot/loader.conf. Give your swap partition in /etc/fstab the suffix “.eli” (i.e. ad1s1b.eli) and enable the geom_eli kernel module in /boot/loader.conf with geom_eli_load="YES". Your swap space will be encrypted on the next reboot.

Alternatively, you can enable it without reboot with the steps below.

# swapoff /dev/ad0s1b

# kldload geom_eli

# geli onetime -e blowfish -l 128 -s 4096 -d ad0s1b

# swapon /dev/ad0s1b.eli

Note: refer to the geli(8) manpage for more algorithm options. I used blowfish in the example above.

Verifying if swap space encryption is enabled

# dmesg | grep GEOM_ELI

GEOM_ELI: Device ad0s1b.eli created.
GEOM_ELI: Encryption: Blowfish-CBC 128
GEOM_ELI: Crypto: software

# geli list
Geom name: ad0s1b.eli
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 128
Crypto: software
Flags: ONETIME, W-DETACH, W-OPEN
Providers:
1. Name: ad0s1b.eli
Mediasize: 2147483648 (2.0G)
Sectorsize: 4096
Mode: r1w1e0
Consumers:
1. Name: ad0s1b
Mediasize: 2147483648 (2.0G)
Sectorsize: 512
Mode: r1w1e1
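As an added example (not from the original post), here is a small audit script that checks both the persistent configuration and the running state described above: every swap entry in /etc/fstab must carry the .eli suffix (the manual swapoff / geli onetime / swapon sequence alone does not survive a reboot), and geli list must show that provider attached with the ONETIME flag, i.e. a throwaway key that is never stored. The fstab lines are constructed; the geli list text is the post's own output saved to a file.

```shell
#!/bin/sh
# Added example, not from the original post: audit a box for encrypted swap.
# Check 1: every swap line in /etc/fstab names a .eli provider.
# Check 2: `geli list` shows that provider attached with the ONETIME flag.
# fstab samples are constructed; the geli output mirrors the post.

# unencrypted_swap FSTAB -> prints swap devices lacking the .eli suffix; 0 if none
unencrypted_swap() {
    awk '/^#/ { next }
         $3 == "swap" && $1 !~ /\.eli$/ { print $1; bad = 1 }
         END { if (bad) exit 1; exit 0 }' "$1"
}

# geli_onetime GELI_LIST_OUTPUT PROVIDER -> 0 when PROVIDER is attached with ONETIME
geli_onetime() {
    awk -v prov="$2" '
        $1 == "Geom" && $2 == "name:" { cur = $3 }
        cur == prov && $1 == "Flags:" && /ONETIME/ { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# geli_algorithm GELI_LIST_OUTPUT PROVIDER -> prints "Algorithm KeyLength" for PROVIDER
geli_algorithm() {
    awk -v prov="$2" '
        $1 == "Geom" && $2 == "name:" { cur = $3 }
        cur == prov && $1 == "EncryptionAlgorithm:" { alg = $2 }
        cur == prov && $1 == "KeyLength:" { len = $2 }
        END { if (alg != "") print alg, len }' "$1"
}

# swap_encryption_audit FSTAB GELI_LIST_OUTPUT
# 0 when fstab has no plaintext swap and every .eli swap device is attached ONETIME
swap_encryption_audit() {
    fstab=$1; gelilist=$2
    unencrypted_swap "$fstab" || return 1
    for dev in $(awk '/^#/ { next } $3 == "swap" && $1 ~ /\.eli$/ { sub("^/dev/", "", $1); print $1 }' "$fstab"); do
        geli_onetime "$gelilist" "$dev" || { echo "$dev: not attached with ONETIME"; return 1; }
        echo "$dev: $(geli_algorithm "$gelilist" "$dev") ONETIME"
    done
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

cat >"$SAMPLES/fstab.ok" <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b.eli   none        swap    sw       0     0
/dev/ad0s1a       /           ufs     rw       1     1
EOF
cat >"$SAMPLES/fstab.bad" <<'EOF'
/dev/ad0s1b       none        swap    sw       0     0
/dev/ad0s1a       /           ufs     rw       1     1
EOF
# `geli list` as shown in the post, captured to a file
cat >"$SAMPLES/geli.list" <<'EOF'
Geom name: ad0s1b.eli
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 128
Crypto: software
Flags: ONETIME, W-DETACH, W-OPEN
Providers:
1. Name: ad0s1b.eli
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: ad0s1b
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 512
   Mode: r1w1e1
EOF

swap_encryption_audit "$SAMPLES/fstab.ok" "$SAMPLES/geli.list" && echo "fstab.ok: swap encryption OK"
swap_encryption_audit "$SAMPLES/fstab.bad" "$SAMPLES/geli.list" || echo "fstab.bad: unencrypted swap found"
```

On a live system run it as `swap_encryption_audit /etc/fstab <(geli list)` in a shell that supports process substitution, or save `geli list` to a file first.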

Back in 2003, I used OpenBSD’s sysctl -w vm.swapencrypt.enable=1, or vm.swapencrypt.enable=1 in /etc/sysctl.conf, for swap space encryption, and this is made the default on OpenBSD 4.3. Compared to the FreeBSD implementation, OpenBSD’s method is simpler. However, FreeBSD’s geom geli(8) and gbde(8) offer more than just swap space encryption: they can encrypt whole disk partitions.

More info can be found in the excellent FreeBSD handbook.

http://www.freebsd.org/doc/en/books/handbook/swap-encrypting.html

My usage has not reached the level that requires high confidentiality on storage. Perhaps I will do an encrypted file system on my portable harddisk for porn next time. :-P

Wednesday, July 30th, 2008

FreeBSD : SMP suspend / resume finally?

I have not verified this on my own laptop (HP Compaq Presario V3417AU). But it is really good news.

To: freebsd-acpi@freebsd.org
From: takawata@xxxxxxxxxxx
Date: Tue, 13 May 2008 20:25:56 +0900
Subject: SMP suspend/resume.

Hi, I managed to make suspend and resume work on SMP system.
The following patch is a bit crude, but it begins
to work on my ThinkPad X61 (core2duo system).

TODO:
1. Suspend/resume path itself is similar to AP boot path.
Some of the code may be integrated.
2. More context, like MTRR or npx context should be saved on
suspend.
3. Make acpi suspend resume path more ABI aware: needless
register recovery or special register context saving
(the value itself is usually constant) should be removed.
4. Make same binary module work on both UP or SMP case.
(Or is it time to give up using acpi module on also on i386?)

Click attachment for the patch.

Wednesday, May 14th, 2008

FreeBSD : mod_security2 broken?

I walked through routine maintenance of one of the FreeBSD boxes, which runs as a reverse proxy (Apache httpd + mod_security2 + mod_proxy) for OWA in my office. Everything went smoothly. But when it came to restarting the services, apache started to complain of an unresolved symbol!

Cannot load /usr/local/libexec/apache22/mod_security2.so into server: /usr/local/libexec/apache22/mod_security2.so: undefined symbol: xmlFree

I reinstalled apache22, libxml2 and mod_security2 from ports. Nothing unusual was sighted. Asking our friend Google didn’t provide much information. The latest I managed to dig out was from 2005 and 2006, when some dudes had the same issue as me.

Anyhow, I’m pretty convinced it is a bug in mod_security2-2.1.7_1 in FreeBSD’s ports. Here is a quick workaround: just add the lines below to your Apache httpd.conf and the error message will go away!

LoadFile /usr/local/lib/libxml2.so
LoadModule security2_module libexec/apache22/mod_security2.so

Tuesday, April 29th, 2008