Nodefactory based on FreeBSD-10
----
== Scope ==

We intend to implement a number of changes/improvements:
 - based on FreeBSD-10.1 (until release use 10-STABLE)
 - [http://unbound.net/ unbound] replaces bind: recursive DNS server on a standard node; authoritative server for the wleiden.net domain on two special servers in the network
 - implement the latest version of lvrouted (auto update default route)
 - update captive portal to increase speed: use static html pages, write in C
 - add 'welcome back' page to captive portal (activated when the connection is interrupted)
 - clean up packages that are no longer required: nrpe, vim, bash-static, pftop, nmap, python-Jinja2, sixxs-aiccu, openvpn
 - replace thttpd: light version of apache 2.4? nginx?
 - bsnmp replaces net-snmp
 - patch isc-dhcpd (#580.3) or use dnsmasq as dhcpd server (?)
 - add inet check in snmpd.conf
 - wl-web page redesign for local users / maintenance
 - add sshguard
 - no password login, only keys will be kept
 - ucspi-tcp-0.88_2 for redirect captive portal
 - python (?)
 - mtr, curl, screen, sudo
 - dnsmasq (for Soekris hardware and possibly dhcpd service)
 - pen
 - tinyproxy

As a first step we have implemented the present software configuration (9.0-RELEASE) for FreeBSD 10-STABLE with the next generation package management system (pkgng). The procedure to build a nodefactory host is described below.

== A. Setup a FreeBSD host ==
----
Warning:
 1) Make sure ''/usr'' is '''at least 5GB''' in size, as building images requires quite some space.
 2) Make sure you install the 32-bit '''i386''' release of FreeBSD, also when your system supports amd64, as cross compiling can give some nasty surprises.

Tip: use a separate hard disk, mounted on /usr/obj, to speed up the compilation process.
----
Get yourself a fresh i386 FreeBSD host with ports and subversion installed as follows:

=== A.1. Run the basic CD installer ===
The procedure below has been tested with 10.0 (a standard developer install - no ports - with default partitioning will fit our needs). Installing FreeBSD is outside the scope of this document; take a look at [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bsdinstall.html the FreeBSD handbook Chapter 2 Installing FreeBSD] if you do not know the details.

Please mind that all commands below need to be executed as root, because of the many mounts and unmounts done in various phases. It may be convenient to '''permit ssh root login''' (modify ''/etc/ssh/sshd_config'' accordingly); if you do, restrict it to key authentication (''PermitRootLogin without-password'' on the OpenSSH shipped with FreeBSD 10) rather than exposing the root account to password guessing. An Internet connection is required.

Set the correct date/time, e.g.:
{{{
build# ntpdate 0.nl.pool.ntp.org
}}}
(You may also wish to add ''ntpd_enable="YES"'' to /etc/rc.conf.)

=== A.2 Install Subversion and Ports ===
Subversion and the root certificates are installed as packages (the certificates let svn verify the https repositories used below):
{{{
build# pkg install ca_root_nss
build# pkg install subversion
}}}
Check out a copy of the ports tree (this will take a couple of minutes).
{{{
build# svn checkout https://svn0.eu.FreeBSD.org/ports/head /usr/ports
}}}
Tip: if for some reason this svn checkout doesn't work for you, consider using portsnap:
{{{
build# portsnap fetch extract
}}}

=== A.3 Set some useful variables ===
Alter the shell configuration file /root/.cshrc as follows.

Ensure ftp is set to passive mode, to avoid potential firewall issues:
{{{
build# echo 'setenv FTP_PASSIVE_MODE YES' >> /root/.cshrc
}}}
Set a default password for the images that you will produce (note that it is stored in plain text in /root/.cshrc; a per-build password can be set later, see B.3):
{{{
build# echo 'setenv CFG_ROOT_PASSWORD DefaultPassword12!' >> /root/.cshrc
}}}
Define your nanobsd (svn) working directory. NOTE: all commands at later stages refer to this, so you better get it right!
{{{
build# echo 'setenv R /root/nanobsd' >> /root/.cshrc
}}}
Next load your file (or log in again):
{{{
build# source /root/.cshrc
}}}

=== A.4. Update lvrouted port if necessary ===
Warning: skip the following steps unless you want to update the current lvrouted version (12878) and know what you are doing.

Check out the latest version of lvrouted (i.e.
beyond 12878):
{{{
build# svn checkout http://svn.wirelessleiden.nl/svn/node-config/other/lvrouted/trunk /usr/local/share/lvrouted
}}}
Run the release.sh script to produce the tar 'release' file (lvrouted-.......tar.gz):
{{{
build# cd /usr/local/share/lvrouted/
build# tools/release.sh
}}}
Upload the lvrouted-12878.tar.gz to the webfolder.wirelessleiden.nl/lvrouted/ directory and:
 - update PORTVERSION in $R/ports/net/lvrouted/Makefile
 - run 'sha256 lvrouted-......tar.gz' to determine the sha (secure hash) value
 - modify the SHA256 and SIZE in $R/ports/net/lvrouted/distinfo (the ports framework refuses to build from a distfile whose hash or size does not match, so these two lines are what pin the uploaded tarball; get them from the file you uploaded, not from a copy downloaded later)
 - commit $R/ports/net/lvrouted

=== A.5. OPTIONAL, every developer has his own preferences, e.g. ===
{{{
build# pkg install vim-lite
build# pkg install sudo
build# pkg install screen
}}}
Tip: screen can be a handy tool if you are working on a remote host. With 'screen' you can open a virtual terminal, in which you can do everything like in the normal terminal. But you can detach it if you want to do other things in the main terminal and reattach it later. It even works after you quit your main terminal. Common screen commands:
{{{
1. Start a new terminal:         # screen
2. Detach this new terminal:     type CTRL+A and then D
3. Reattach it:                  # screen -R
}}}

=== A.6. Get latest sources ===
{{{
build# svn co https://svn0.eu.FreeBSD.org/base/stable/10 /usr/src
}}}
(Use https rather than the unauthenticated svn:// protocol here as well, so the source checkout is verified against the root certificates installed in A.2.)

== B. Build environment ==
=== B.1 Download the environment from the Wireless Leiden svn repository ===
{{{
build# svn checkout https://svn.wirelessleiden.nl/svn/code/hybrid/branches/releng-10/nanobsd $R
build# cd $R
}}}
If svn is not found: svn is in /usr/local/bin; log out and in again, or use {{{rehash}}} in a {{{csh}}} shell to make it available.

=== B.2. Compile all required packages ===
{{{
build# $R/tools/package-build.sh
}}}
This will take quite some time (on a remote host use screen, see A.5), depending on your hardware of course.
Packages are created in $R/pkg/All (/root/nanobsd/pkg/All):
{{{
build# ls $R/pkg/All
bash-static-4.3.24.txz          openvpn-2.3.4.txz
ca_root_nss-3.16.3.txz          p11-kit-0.20.3_1.txz
curl-7.37.1_2.txz               pcre-8.35.txz
dnsmasq-2.71_1,1.txz            pen-0.18.0.txz
easy-rsa-2.2.0.m.txz            perl5-5.16.3_11.txz
fping-3.10.txz                  pftop-0.7_2.txz
gettext-0.18.3.1_1.txz          pkg-1.3.6.txz
gmp-5.1.3_2.txz                 py27-Babel-1.3_2.txz
gnutls-3.2.16_4.txz             py27-Jinja2-2.7.3.txz
iftop-0.17.txz                  py27-MarkupSafe-0.23.txz
indexinfo-0.2.txz               py27-pytz-2014.4,1.txz
iperf-2.0.5.txz                 py27-setuptools27-5.5.1.txz
isc-dhcp42-server-4.2.7.txz     py27-yaml-3.11.txz
libffi-3.0.13_1.txz             python-2.7_2,2.txz
libidn-1.28_1.txz               python2-2_3.txz
libtasn1-4.1.txz                python27-2.7.8_4.txz
lvrouted-12879.txz              screen-4.2.1_3.txz
lzo2-2.08.txz                   sixxs-aiccu-20070115_4.txz
mtr-nox11-0.85_1.txz            sudo-1.8.10.p3_1.txz
nagios-plugins-2.0.3_2,1.txz    thttpd-2.25b_5.txz
net-snmp-5.7.2_16.txz           tinyproxy-1.8.3_1,1.txz
nettle-2.7.1.txz                trousers-tddl-0.3.10_7.txz
nmap-6.47.txz                   ucspi-tcp-0.88_2.txz
nrpe-2.15_3.txz                 vim-lite-7.4.398.txz
}}}

=== B.3. Set your favorite root password to be used in the image ===
Note: you can skip this step if you are satisfied with the default password set in step A.3 above.
{{{
$ setenv CFG_ROOT_PASSWORD `dd if=/dev/random bs=10k count=10 | tr -cd 'a-zA-Z0-9' | cut -c -15`
$ echo $CFG_ROOT_PASSWORD
}}}
The character set is written without square brackets on purpose: tr treats the '[' and ']' in '[a-zA-Z0-9]' as ordinary characters, so they would end up in the password. Filtering uniformly random bytes this way keeps the remaining characters uniformly distributed over the 62-character alphabet, and 100 kB of input is far more than the 15 characters kept. If you prefer a simple password, substitute the backquoted dd pipeline with your password.

=== B.4 Build nanobsd (make sure to prepare some coffee ;-) ; use screen) ===
{{{
$ sh /usr/src/tools/tools/nanobsd/nanobsd.sh -c $R/cfg/nanobsd.wleiden
}}}
Note 1: Take a coffee or go for a hike, this normally takes 2 - 8 hours depending on the machine configuration. If you like to save some power use the script provided by Rick ([http://rickvanderzwet.nl/svn/personal/misc/power-saver]). This script is mainly used on a home server for building FreeBSD world and kernels.
As soon as it is done it can shut down if it is not being used anymore. The system has Wake-On-Lan support and can thus be activated again remotely.

Even this little script has flags; check the output of {{{sh /usr/src/tools/tools/nanobsd/nanobsd.sh -h}}}:
{{{
-b suppress builds (both kernel and world)
-k suppress buildkernel
-w suppress buildworld
-c specify config file
...
}}}
Tip: a '''safe alternative''' is the image script available in $R/tools/:
{{{
build# $R/tools/image build
}}}
This script checks whether a kernel and/or world are already available and skips these steps. This may prevent lengthy, unnecessary builds.

Note 2: The geometry of the CF card is defined in the nanobsd configuration file $R/cfg/nanobsd.wleiden. The 'default' values are for a Peak 1 GB card. They also work on an Alix2D3 board with a 1 GB PCEngines 'blanc' CF card and with 1 or 2 GB Transcend CF cards, although those geometries are different. There are issues with Soekris boards, depending on the BIOS version.

== C. Fetch node configuration onto image, write to CF disk or remotely update ==
=== C.1. Fetch configuration ===
{{{
build# $R/tools/image config for
}}}
The script connects to the [http://svn.wirelessleiden.nl/svn/node-config/genesis/nodes/ Wireless Leiden 'genesis' database]. First make sure that the configuration file is up to date by clicking the 'update' button on [http://sunfire.wirelessleiden.nl/wleiden/config/ http://sunfire.wirelessleiden.nl/wleiden/config/]. Pick your situation!

Note: proxy configurations are [http://sunfire.wirelessleiden.nl/wleiden/config/ here].

You can inspect the image by mounting it as a memory disk (mdconfig prints the unit it allocated; md0 is assumed below, adjust if it prints another unit):
{{{
build# mdconfig -a -t vnode -f /usr/obj/nanobsd.wleiden-hybrid/_.disk.full
build# mount /dev/md0s1a /mnt
build# ls /mnt
build# umount /mnt
build# mount /dev/md0s3 /mnt
build# ls /mnt
build# umount /mnt
build# mdconfig -d -u 0
}}}
Editing can also be done using the image script:
{{{
build# $R/tools/image edit
}}}

=== C.2. Write the correct image to CF (media based on SLC rather than MLC flash seem to perform much better) ===
----
''NOTE:'' '''''_.disk.full''''' is required for '''new CF cards''' as it contains two base systems and one configuration. [[BR]]
'''''_.disk.image''''' on the other hand can be used to update an '''existing CF card'''.
----
 a. '''New image''': put the full image on the compact flash disk (attach a card reader/writer with a CF disk of minimum 1 GB). First verify which device the card was given, e.g. with {{{camcontrol devlist}}} or the {{{dmesg}}} output when inserting it: dd overwrites whatever /dev/da0 currently is, including a hard disk of the build host. Use the script
{{{
build# $R/tools/write-image.sh
}}}
 or the command line:
{{{
build# dd bs=64k if=/usr/obj/nanobsd.wleiden-hybrid/_.disk.full of=/dev/da0
}}}
 (assuming {{{/dev/da0}}} is your compact flash entry; this takes about 15 minutes, check progress by typing Ctrl-T; you may wish to check afterwards with fdisk whether there are three partitions on the disk; you can also mount /dev/da0s1a and /dev/da0s3 and check the configuration)
 a. '''Existing image''': put the partial image on slice 2 (attach a card reader/writer with the CF disk containing the existing image)
{{{
build# dd bs=64k if=/usr/obj/nanobsd.wleiden-hybrid/_.disk.image of=/dev/da0s2
}}}
 a. '''Existing image remote update''' (slice 2; a network connection to machine 172.x.y.z is required). For remotely updating an existing configuration use the image script
{{{
build# $R/tools/image deploy on [and reboot]
}}}
 or manually:
{{{
build# dd if=/usr/obj/nanobsd.wleiden-hybrid/_.disk.image bs=10k | ssh root@172.x.y.z /tools/updatep2
}}}
You may adjust the block size to make the transfer more efficient (additionally ssh -C is possible) and you can use Ctrl-T to check progress.

'''WARNING''': in case of a remote update from 7.2 to 8.0 you must scp the new rc.conf.local to the node before reboot, because the interface configuration statements are quite different. If you do not adjust the configuration before reboot, the interfaces will not be configured after reboot and you will not be able to reach the node! (see F.4 below)

== D. Check the CF card and apply last minute changes ==
=== D.1. Check CF card ===
While the CF card is still in your flash card reader you can check whether the image has been written correctly. Check whether you can mount the partitions, e.g.
{{{
build# mount /dev/da0s1a /mnt
build# ls /mnt
build# umount /mnt
}}}
and the configuration partition:
{{{
build# mount /dev/da0s3 /mnt
build# ls /mnt
}}}
If you cannot mount the partitions, take a fresh CF card and start again with writing the image.

=== D.2 Adjust captive portal ===
(to be completed)
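Two checks that the procedure above leaves to the reader, as an added example (this is not part of the Wireless Leiden tools or of the page's own commands): for A.4, producing and verifying the SHA256/SIZE lines the ports framework expects in distinfo, so a tampered or re-uploaded tarball is caught at build time; and for C.2/D.1, reading the written CF device back and comparing it byte for byte with the image instead of only checking that the slices mount. It assumes POSIX sh and either FreeBSD's sha256(1) or GNU sha256sum(1) on the path; the file and device names in the usage comments are the page's, the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the nodefactory tooling.
# Assumes POSIX sh plus FreeBSD sha256(1) or GNU sha256sum(1).

# Portable hex SHA256 of a file (FreeBSD prints only the hash with -q).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Size in bytes; tr strips the leading blanks BSD wc prints.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Emit the two distinfo lines the ports framework expects for a distfile
# (what goes into $R/ports/net/lvrouted/distinfo in step A.4).
distinfo_lines() {
    name=$(basename "$1")
    printf 'SHA256 (%s) = %s\n' "$name" "$(sha256_of "$1")"
    printf 'SIZE (%s) = %s\n' "$name" "$(size_of "$1")"
}

# Check a distfile against a distinfo file the way 'make checksum' does:
# both hash and size must match. Returns 0 on match, 1 on mismatch,
# 2 when the file is not pinned in distinfo at all.
distinfo_check() {
    distinfo=$1; f=$2; name=$(basename "$f")
    want_sha=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    [ -n "$want_sha" ] && [ -n "$want_size" ] || return 2
    [ "$(sha256_of "$f")" = "$want_sha" ] || return 1
    [ "$(size_of "$f")" = "$want_size" ] || return 1
    return 0
}

# Read back the first <image size> bytes of the device and compare them
# with the image, so a card larger than the image still verifies.
verify_written() {
    img=$1; dev=$2
    head -c "$(size_of "$img")" "$dev" | cmp -s "$img" -
}

# dd the image onto the device, flush, then verify. conv=notrunc is a
# no-op for a block device but keeps a regular file (as used when testing
# this on files) at its original size.
write_and_verify() {
    img=$1; dev=$2
    dd bs=64k if="$img" of="$dev" conv=notrunc 2>/dev/null || return 1
    sync
    verify_written "$img" "$dev"
}

# Usage (device caveat from C.2 applies: check what /dev/da0 is first):
#   distinfo_lines lvrouted-12878.tar.gz        # paste into $R/ports/net/lvrouted/distinfo
#   distinfo_check $R/ports/net/lvrouted/distinfo /usr/ports/distfiles/lvrouted-12878.tar.gz
#   write_and_verify /usr/obj/nanobsd.wleiden-hybrid/_.disk.full /dev/da0 && echo verified
```

`distinfo_check` deliberately fails closed on an unpinned file (return 2) rather than treating "no entry" as "nothing to compare", which is the mistake that lets an unpinned distfile through; `verify_written` compares only the image's length because the card is normally larger than `_.disk.full` and the bytes beyond it are whatever was on the card before.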