Categories
FreeBSD iocage

Migrate a thick jail to another host

Migrating a jail

Thick iocage jails can be safely migrated between FreeBSD hosts using ZFS Send/Recv over SSH.

In the following example:

  • src$ is the original host
  • dst$ is the destination host
  • ‘myapp’ is the name of my jail to migrate
  • Everything is done with root privileges

Stopping processes

Stop the jail and any other ZFS replication processes.

src$ iocage stop myapp

src$ service zrepl stop

dst$ service zrepl stop

Create a snapshot

src$ zfs snapshot -r zroot/iocage/jails/myapp@migration

Send the snapshot

src$ zfs send -R zroot/iocage/jails/myapp@migration | ssh root@dst 'zfs recv -F -v zroot/iocage/jails/myapp'

Testing

Check that the jail exists and that it can be started.

dst$ iocage list

dst$ iocage start myapp
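A stronger check than listing the jail, as an added example that is not part of the original post: `zfs send` preserves each snapshot's `guid` property, so comparing name/guid pairs on both hosts shows that every dataset in the recursive snapshot arrived. The function names and the `run` argument are hypothetical; the dataset, snapshot name and `root@dst` come from the commands above.

```shell
#!/bin/sh
# Added example: confirm a `zfs send -R | zfs recv` migration by snapshot GUID.
DATASET="zroot/iocage/jails/myapp"   # jail dataset from the post
SNAP="migration"                     # snapshot name from the post

# Print "name<TAB>guid" for each @migration snapshot under the jail.
# $1 is an optional command prefix, e.g. "ssh root@dst" for the far side.
list_guids() {
    $1 zfs get -H -r -t snapshot -o name,value guid "$DATASET" |
        awk -F '\t' -v s="@$SNAP" 'index($1, s) == length($1) - length(s) + 1'
}

# Compare two listings (source first). Prints one line per problem and
# returns 0 only when every source snapshot exists on the destination
# with an identical guid. Returns 2 if the source listing is empty.
compare_guids() {
    [ -n "$1" ] || { echo "EMPTY source listing"; return 2; }
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F '\t' '
        BEGIN       { bad = 0; dst = 0 }
        $0 == "---" { dst = 1; next }
        !dst        { src[$1] = $2; next }
                    { got[$1] = $2 }
        END {
            for (n in src) {
                if (!(n in got))           { print "MISSING " n; bad = 1 }
                else if (got[n] != src[n]) { print "MISMATCH " n; bad = 1 }
            }
            exit bad
        }'
}

# Touch ZFS only when asked to: sh verify-migration.sh run (on src, as root)
if [ "${1:-}" = "run" ]; then
    compare_guids "$(list_guids)" "$(list_guids 'ssh root@dst')" &&
        echo "all @$SNAP snapshots match on both hosts"
fi
```

Run it on src before starting the jail on dst; a MISSING line usually means a child dataset such as the jail's root was not received.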

Categories
FreeBSD iocage

Convert a ‘thin’ iocage jail to ‘thick’

I have been using iocage for a number of years as the tool to manage my FreeBSD jails. There are two types of iocage jail installations that I use, thin jails (clone jails) and thick jails.

To create your first jail, you have to fetch a FreeBSD operating system release installation using ‘iocage fetch’. This is used in both types of jails and is separate from the host’s own operating system.

Thin jails share the ZFS dataset that contains the working copy of a fetched version of FreeBSD. They save a lot of space, and upgrading FreeBSD in one thin jail upgrades them all.

Thick jails have their own independent copy of the chosen fetched FreeBSD. They use more disk space and take more time to upgrade as each must be done individually.

The extra time and disk space used by thick jails are worth it. Being able to move jails between hosts and to perform backups and restores using ZFS Send and Receive is a significant advantage.

The requirement

I needed to migrate a thin jail from one host to another but at the destination I wanted it to run as a thick jail instead, as I have found that thick jails are better for me when it comes to upgrades. The migration of a thin jail cannot be done using ZFS Send/Recv as is.

How to do it

Create a new thick jail using iocage called ‘thickjail’.

$ iocage create -T -r 14.3-RELEASE -n thickjail dhcp=on

Check that the new thick jail works by starting and stopping it.

$ iocage start thickjail

$ iocage stop thickjail

$ iocage stop myapp

Copy the files from the thin jail to the thick jail using rsync. Make sure both jails have been stopped beforehand!

$ rsync -a /zroot/iocage/jails/myapp/ /zroot/iocage/jails/thickjail/

When this completes you will notice two jails with the same name when you use ‘iocage list’. However, if you look at the ZFS datasets they will be correctly named.

To correct the listing in iocage, do the following:

$ iocage rename myapp thinjail

$ iocage rename thickjail myapp

$ iocage start myapp

Test that the new thick jail ‘myapp’ is working OK before deleting the old thin jail.

$ iocage list

$ iocage destroy thinjail

Categories
FreeBSD

PF: Read the log

I often forget this command to examine what has been logged by the PF filter.

$ tcpdump -n -e -ttt -r /var/log/pflog

To look at what is being filtered in real-time use the following command instead:

$ tcpdump -n -e -ttt -i pflog0
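To turn that output into a quick list of who is being blocked, here is an added example that is not part of the original post. It assumes the usual `rule N/0(match): block in on IF: src > dst:` layout that `tcpdump -e` prints for pflog; the function names are hypothetical and the sample lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: summarise blocked packets from pflog text output.
# Reads `tcpdump -n -e -ttt` lines on stdin and prints
# "count source-address destination-port", busiest first.
summarize_blocks() {
    awk '
    # tcpdump writes endpoints as addr.port; ICMP lines carry no port.
    function has_port(a,   p) { return (a ~ /:/) ? (a ~ /\.[0-9]+$/) : (split(a, p, ".") == 5) }
    function host(a) { if (has_port(a)) sub(/\.[0-9]+$/, "", a); return a }
    function port(a,   n, p) {
        if (!has_port(a)) return "-"
        n = split(a, p, ".")
        return p[n]
    }
    {
        # Keep only lines whose link header names the "block" action.
        for (i = 1; i < NF; i++) if ($i == "block") break
        if (i >= NF) next
        # The endpoints sit either side of the ">" field.
        for (j = i; j < NF; j++) if ($j == ">") break
        if (j >= NF) next
        dst = $(j + 1); sub(/:$/, "", dst)
        hits[host($(j - 1)) " " port(dst)]++
    }
    END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2
}

# Constructed sample input (not real traffic).
sample_log() {
    cat <<'EOF'
 00:00:00.000000 rule 3/0(match): block in on em0: 203.0.113.7.40112 > 192.0.2.10.23: Flags [S], seq 1, win 1024, length 0
 00:00:01.204411 rule 3/0(match): block in on em0: 203.0.113.7.40113 > 192.0.2.10.23: Flags [S], seq 2, win 1024, length 0
 00:00:00.310002 rule 1/0(match): pass in on em0: 198.51.100.4.51515 > 192.0.2.10.22: Flags [S], seq 3, win 65535, length 0
 00:00:02.000100 rule 3/0(match): block in on em0: 198.51.100.9 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
EOF
}

# Real use: tcpdump -n -e -ttt -r /var/log/pflog | summarize_blocks
```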

Categories
FreeBSD Linux Windows

SSH: too many authentication failures

I am not entirely certain what the cause of this error is but it is particularly annoying when it happens on a headless system.

I think that the problem is caused by too many keys to choose from during key negotiation, or no key at all. I found this workaround.

ssh -o PubkeyAuthentication=no vince@host

Once a successful login with a password is possible, log out and copy the authentication key to the host…

ssh-copy-id -o PubkeyAuthentication=no vince@host

Then log in with ssh again…

ssh vince@host

And ssh should authenticate without using a password.

Categories
FreeBSD Hardware

1024×768 FreeBSD VT Console

I use a lot of old kit in my lab. Some of these machines have very poor ACPI implementations and they often complete their boot displaying an 80×25 character console on monitors that can support much higher resolutions. I have put up with staggered ZFS listings for too long and decided to fix this problem on my FreeBSD hosts.

Modern FreeBSD uses the VT console by default. If a video graphics driver has been installed, it will display a console in a higher resolution if configured.

The configuration below was tested on FreeBSD 13.4-RELEASE-p1 and FreeBSD 14.1-RELEASE-p5 with an onboard Intel graphics adapter.

Install the graphics driver:

$ sudo pkg install drm-kmod

Run the following command to load the Intel graphics driver on boot:

$ sysrc kld_list+=i915kms

Edit /boot/loader.conf adding the following lines to the file:

# VT console
hw.vga.textmode=1
hw.vga.acpi_ignore_no_vga=1
kern.vty=vt
kern.vt.fb.default_mode="1024x768"

If dmesg reports a good ACPI table, you don’t need to use hw.vga.acpi_ignore_no_vga=1.

If you are using a screen that cannot display 1024×768, use kern.vt.fb.default_mode="800x600" instead.

Reboot the host and check that the new console settings are active.

Categories
FreeBSD Hardware

USB Serial Adapter on FreeBSD

To make a USB serial adapter visible to FreeBSD, add the following to /boot/loader.conf:

# USB serial adapter
ucom_load="YES"

Categories
Alpine Linux FreeBSD Ubuntu

ZFS Trim

I noticed today that the FreeBSD ZFS pool that I created on my laptop SSD was not configured for TRIM. TRIM enables the SSD to recover space from previously written blocks whose files have since been deleted. This can help maintain performance of the SSD as it fills with data.

My pool is called zroot, so the command to check the value of the TRIM setting is:

$ zpool get autotrim zroot

The command to switch on automatic TRIM is:

$ zpool set autotrim=on zroot

Categories
FreeBSD Hardware

D-Link DFE-570TX and Broadcom BCM5821

I have just acquired a used 4-port D-Link fast ethernet PCI board from a seller on eBay. I have been looking for one of these for my ‘new’ firewall for ages and was about to give up.

The firewall is an old crate of a Dell GX240 with PCI slots but it still has plenty of grunt to do what I need without consuming too much power. It’s one of the old Dells that I bought years ago for peanuts that has been upgraded with a 2.6GHz Celeron.

I have been experimenting with a Broadcom crypto accelerator in pfSense and I was about to give up on the GX240 and move up to a newer old machine with PCI-X slots.

The BCM5821 already delivers a 24x performance improvement on 2048 bit RSA in the 33MHz PCI bus and I am intrigued to find out how fast it will go in a 64 bit, 66MHz slot. Now that I have the D-Link, I will crack on with the original plan and save the PCI-X upgrade for later.

More to follow…
