[[PageOutline]]

= Nodefactory based on FreeBSD 11-RELEASE =

This guide was last updated for use with FreeBSD 11.2-RELEASE.

----

== Scope ==

We intend to implement a number of changes/improvements.

Done:
- implement new package management (pkgng)
- clean up packages that are no longer required: nrpe, vim, bash-static, pftop, nmap, python-Jinja2, sixxs-aiccu, openvpn
- implement latest version of lvrouted (auto update default route)
- add [https://code.google.com/p/ladvd/ net/ladvd]
- add inet check in snmpd.conf
- update scripts to use 'drill' instead of 'dig'
- remove the "rcvar='set_rcvar'" statement from startup scripts in /etc/rc.d/ and /usr/local/etc/rc.d
- based on FreeBSD-11.2-RELEASE
- [http://unbound.net/ unbound] replaces bind: recursive DNS server on the standard node; authoritative server for the wleiden.net domain on two special servers in the network; see the [https://calomel.org/unbound_dns.html unbound tutorial]. Unbound optimizes forwarders automatically, so nameservershuffle is no longer needed. Use unbound from ports, not local_unbound.
- replaced thttpd by [http://httpd.apache.org/ apache-2.4]
- no longer soft-updates
- update captive portal to increase speed: use of a static html landing page
- merged APU specifics into the generic configuration (we do not use X64, MIPS or ARM)
- correction of dhcpd.conf for aliased interfaces (no 'shared-networks')
- use [wiki:Poudriere] for package building
- correct /tools/wl-config external fetch url (wirelessleiden.nl/config/)
- use nsd as authoritative nameserver for the wleiden.net local domain
- use monit for node-based monitoring and watchdog functionality (https://mmonit.com/monit/)


Pending:
- use ipfw instead of pf in order to make the usb-lan adapter work, see ticket #206 for the problem description. Functionality:
{{{
Requirements:
direct new users to the Captive Portal page (rdr, blocking acl) on the node.
only allow http/https traffic to the internet (gateway setup).
NAT on gateways.
Incoming RDR/NAT for (webcam) services on gateways.
Nice-to-have features:
Bandwidth limiting (FUP).
Bad traffic detection and blocking.
}}}
- add 'welcome back' page to captive portal (activated when the connection was interrupted)
- bsnmp may replace net-snmp (low priority)
- wl-web page redesign for local users / maintenance
- add sshguard or disable password login, allow keys only
- gformat should include the ssh-redirect rule in pf.hybrid.conf.local for the gateways.
{{{
# Redirect SSH on internet port 1022 to 22 because of ssh spam, block external port 22:
rdr on $ext_if inet proto tcp from any to $ext_if port 1022 tag SRV -> 172.17.87.1 port 22
}}}
- captive portal: allow some (specified) external IPs (such as the sponsor website, or to allow browsing the WirelessLeiden website, e.g. for support information online). The captive portal page could also provide node-specific information maintained through a website (CMS).
- captive portal (enhancement): for user support it might be helpful to provide technical user-related information at the bottom of the captive portal; maybe a comment field and button to allow the user to send input to support@wirelessleiden.nl.
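As an added example (not part of the original page or the gformat output), the complete set of pf rules that the ssh-redirect item above implies: the page shows only the rdr line, but "block external port 22" needs a filter rule, and the redirected connections need a pass rule matching the SRV tag. It assumes the generated pf.hybrid.conf defines the $ext_if macro for the internet-facing interface.

```pf
# Added example for pf.hybrid.conf.local on a gateway (not the project's own file).
# Assumption: the generated pf.hybrid.conf defines $ext_if (internet-facing interface).
ssh_host = "172.17.87.1"   # node address taken from the rdr rule on this page

# Translation: SSH offered on internet port 1022 lands on port 22 of the node.
# Connections that went through this rdr are tagged SRV for the filter rules below.
rdr on $ext_if inet proto tcp from any to $ext_if port 1022 tag SRV -> $ssh_host port 22

# Filter rules see the packet after translation, so a direct attempt on the public
# port 22 still has $ext_if as destination and is dropped (and logged) here.
block in log quick on $ext_if inet proto tcp from any to $ext_if port 22

# Only connections carrying the SRV tag (i.e. that arrived on port 1022) reach sshd.
pass in quick on $ext_if inet proto tcp from any to $ssh_host port 22 tagged SRV keep state
```

Check the result with `pfctl -vnf` on the file before loading it, and watch `pflog0` with tcpdump to confirm that direct port 22 attempts are logged while port 1022 sessions are passed.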

Will keep:
- ucspi-tcp-0.88_2 for redirect captive portal
- mtr, curl, screen, sudo
- dnsmasq (for Soekris hardware and possibly dhcpd service)
- pen
- tinyproxy


Gradually we are implementing the various changes, moving from the present software configuration (9.0-RELEASE) to 11.2-RELEASE with the next generation package management system (pkgng). The procedure to build this 'work-in-progress' nodefactory host is described below.

A [http://svn.wirelessleiden.nl/svn/node-config/genesis/nodes/TestTienThuis/wleiden.yaml test-node-configuration] is available in svn.
This wleiden.yaml file can be used to test the image by installing it on an Alix board connected to the local network. We are also evaluating the new APU board, see the [wiki:AlixAPU wiki-page].

== A. Setup a FreeBSD host ==

Setup is tested in a high performance [https://www.virtualbox.org/ VirtualBox] environment, running 4 x Core i7 CPU, 4096MB RAM and an SSD disk (20GB). Timing estimates are based on this system:


* Make sure ''/usr'' is '''at least 12 GB''' but better '''20 GB''' in size, as building images requires quite some space.
* Make sure you install the 32bit '''i386''' release of FreeBSD, also when your system does support amd64, as cross compiling can give some nasty surprises.
* An internet connection is required for the initial building phase. Once completed successfully no internet connection is required anymore.

Tip: Use an SSD disk to speed up the compilation process. Do NOT use a separate hard disk mounted on /usr/obj as this will cause cross-device link errors.

Get yourself a fresh i386 FreeBSD host installed as follows:

=== A.1. Run the basic CD installer ===
The procedure below has been tested with 11.2 (standard developer install without ports; the default partitioning fits our needs). Installing FreeBSD is outside the scope of this document; take a look at [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bsdinstall.html the FreeBSD handbook, Chapter 2 Installing FreeBSD] if you do not know the details.


=== A.2. After first boot ===

Warning: Because of the many mounts and unmounts done in the various phases, running as root is required. Do NOT use a production machine as WL build environment, because it will fail at some point in time!

Allow SSH root login, since all commands below need to be executed as root:
{{{PermitRootLogin yes}}} in file:/etc/ssh/sshd_config

Set the correct date/time and make sure it is kept up to date:
build# ntpdate 0.nl.pool.ntp.org
build# echo 'ntpd_enable="YES"' >> /etc/rc.conf

=== A.3 Set some useful variables ===
Alter the shell configuration file:/root/.cshrc:

Ensure ftp is set to passive mode, to avoid potential firewall issues:
build# echo 'setenv FTP_PASSIVE_MODE YES' >> /root/.cshrc

Set a default password for the images that you will produce:
build# echo 'setenv CFG_ROOT_PASSWORD DefaultPassword12!' >> /root/.cshrc

Define your nanobsd (svn) working directory:
build# echo 'setenv R /root/nanobsd' >> /root/.cshrc

Let fetch use https without verifying the peer certificate (SSL_NO_VERIFY_PEER disables certificate checking):
build# echo 'setenv SSL_NO_VERIFY_PEER 1' >> /root/.cshrc

Next load your file (or login again):
build# source /root/.cshrc

=== A.4. Development tools ===
Bootstrap development packages (the pkg variable is ASSUME_ALWAYS_YES):
build# env ASSUME_ALWAYS_YES=yes pkg install vim-console sudo screen ca_root_nss subversion p5-ack

Tip: screen can be a handy tool if you are working on a remote host.
{{{
With 'screen' you can open a virtual terminal, in which you can do everything like in the normal terminal.
But you can detach it if you want to do other things in the main terminal and reattach it later. It even works after you quit your main terminal.

Common screen commands:
1. Start a new terminal:
build# screen
2. Type CTRL+A and then D to detach this new terminal
3. Reattach it:
build# screen -R
}}}

=== A.5. Get latest sources ===
build# svn co -q https://svn.FreeBSD.org/base/releng/11.2 /usr/src

=== A.6 Set up Poudriere ===
Setting up Poudriere is taken care of by the package-build.sh script, see section B.2 below.
For details refer to the separate page [wiki:Poudriere].

== B. Build environment ==

=== B.1 Download the environment from the Wireless Leiden svn repository ===

build# svn checkout https://svn.wirelessleiden.nl/svn/code/hybrid/branches/releng-11/nanobsd $R
build# cd $R


=== B.2. Compile all required packages ===

On first use the required packages are installed, the ports tree is updated, the port trees are merged, and the Poudriere jail is set up and loaded:

Set up the Poudriere environment by running [15 min]:

build# screen $R/tools/package-build.sh initenv

Now build all packages, this will take quite some time [90 min]:
build# $R/tools/package-build.sh build

Listing of packages:

{{{
GeoIP-1.6.12 Find the country that any IP address or hostname originates from
apache24-2.4.34 Version 2.4.x of Apache web server
apr-1.6.3.1.6.1_1 Apache Portability Library
bash-static-4.4.23 GNU Project's Bourne Again SHell
ca_root_nss-3.39 Root certificate bundle from the Mozilla Project
curl-7.61.0_1 Command line tool and library for transferring data with URLs
daemontools-0.76_18 Service monitoring and logging utilities by djb
db5-5.3.28_7 Oracle Berkeley DB, revision 5.3
dnsmasq-2.79,1 Lightweight DNS forwarder, DHCP, and TFTP server
expat-2.2.6_1 XML 1.0 parser written in C
gdb-8.1.1 GNU GDB of newer version than comes with the system
gdbm-1.13_1 GNU database manager
gettext-runtime-0.19.8.1_1 GNU gettext runtime libraries and programs
gmp-6.1.2 Free library for arbitrary precision arithmetic
iftop-1.0.p4 Display bandwidth usage on an interface by host
indexinfo-0.3.1 Utility to regenerate the GNU info page index
iperf-2.0.12 Tool to measure maximum TCP and UDP bandwidth
isc-dhcp44-server-4.4.1_3 ISC Dynamic Host Configuration Protocol server
ladvd-1.1.1 Minimal LLDP/CDP/EDP/FDP/NDP sender daemon
ldns-1.7.0_1 Library for programs conforming to DNS RFCs and drafts
libevent-2.1.8_2 API for executing callback functions on events or timeouts
libiconv-1.14_11 Character set conversion library
libidn2-2.0.5 Implementation of IDNA2008 internationalized domain names
libnghttp2-1.33.0 HTTP/2.0 C Library
libunistring-0.9.10 Unicode string library
libxml2-2.9.7 XML parser library for GNOME
lvrouted-13830 Lvrouted is a very simple shortest-path routing daemon
monit-5.25.2 Unix system management and proactive monitoring
mpfr-4.0.1 Library for multiple-precision floating-point computations
mtr-0.92 Traceroute and ping in a single network diagnostic tool
net-snmp-5.7.3_18 Extendable SNMP implementation
nettle-3.4 Low-level cryptographic library
nsd-4.1.24 Authoritative only non-recursive name server
pcre-8.42 Perl Compatible Regular Expressions library
pen-0.34.1 Load balancer for UDP and TCP based protocols
perl5-5.26.2 Practical Extraction and Report Language
pkg-1.10.5_2 Package manager
readline-7.0.3_1 Library for editing command lines as they are typed
screen-4.6.2 Multi-screen window manager
sudo-1.8.25 Allow others to run commands as root
thttpd-2.29 Tiny/turbo/throttling HTTP server with CGI support
tinyproxy-1.8.4,1 Small, efficient HTTP proxy server
ucspi-tcp-0.88_2 Command-line tools for building TCP client-server applications
unbound-1.7.3 Validating, recursive, and caching DNS resolver
vim-console-8.1.0342 Improved version of the vi editor (console only)
wait_on-1.1.2 Enable shell scripts to monitor for changes on directories and files
}}}

(list updated Sep 2018 using {{{$R/tools/image edit => pkg info}}})

=== B.4 Build nanobsd aka make sure to prepare some coffee ;-) ===
Start the build process [2 hours]:
build# screen $R/tools/image build

Tip: Save some power and use a [http://rickvanderzwet.nl/svn/personal/misc/power-saver power-saver script] to shut down the machine once it is no longer in use.
Tip: The geometry of a default image is based on a 1GB CF card; to change it, edit file:$R/cfg/nanobsd.wleiden


== C. Fetch node configuration onto image, write to CF disk or remotely update ==

=== C.1. Fetch node-configuration ===
Apply the [//svn.wirelessleiden.nl/svn/node-config/genesis/nodes/ Wireless Leiden 'genesis' database] configuration:
build# $R/tools/image config for <Nodename>


You can inspect the image by mounting it as a memory disk:
build# $R/tools/image edit

Tip: For the time being you have to adjust the permissions of monitrc:
{{{
chmod 0700 /usr/local/etc/monitrc
chmod 0700 /conf/base/etc/local/monitrc
}}}

=== C.2. Write the correct image to CF ===
Tip: Media based on SLC and not MLC flash seem to perform much better.

Write the new image to a CF disk inserted into a USB card reader [15min]:
build# $R/tools/write-image.sh



== F. Notes ==

=== F.1 Total refresh in case of change in build configuration ===

To start from scratch:
{{{
svn up $R
$R/tools/package-build.sh distclean
$R/tools/package-build.sh initenv
$R/tools/package-build.sh build
}}}

=== F.2 Update lvrouted port (ONLY) if necessary ===

Warning: Skip the following steps unless you want to update the current lvrouted version (13830) and know what you are doing:

Check out the latest version of lvrouted (i.e. beyond 13830):
build# svn checkout http://svn.wirelessleiden.nl/svn/node-config/other/lvrouted/trunk /tmp/lvrouted

Produce the tar release archive (release.sh is a path relative to the checkout, so change into it first):
build# cd /tmp/lvrouted
build# ./tools/release.sh

Upload the file:lvrouted-uvwxyz.tar.gz to the [https://webfolder.wirelessleiden.nl/lvrouted/ webfolder] directory.

Update PORTVERSION to match the current release:
build# vim $R/ports/net/lvrouted/Makefile

Update the hash values:
build# make makesum -C $R/ports/net/lvrouted

Commit changes:
build# svn ci $R/ports/net/lvrouted

=== F.3 Existing image on node, remote update (slice 2) ===

Note: a network connection to node 172.x.y.z is required.

For remotely updating an existing node software configuration use the image script:
build# $R/tools/image deploy on <node> [and reboot]


Tip: You may adjust the block size to make the transfer more efficient (additionally ssh -C is possible) and you can use Ctrl-T to check progress.