Category archive: FreeBSD

Notes on upgrading FreeBSD 10.1 to 11.0-RELEASE-p8 on Aliyun

Overall, a smooth upgrade experience!

The main commands used, from the shell history:

Check the version:

945  22:20   freebsd-version -k -u

Set an environment variable (this was for 10.3, and it turned out not to be needed):

946  22:20   setenv UNAME_r "10.3-RELEASE"

Fetch the updates; from inside China this takes an extremely long time unless you have a mirror:

 

To install Jupyter I also used the following commands:

947  22:20   freebsd-update fetch

 

920  20:59   whereis jupyterhub

921  21:00   whereis jupyter

926  21:00   locate notejs

927  21:21   df

928  21:25   whereis nodejs

929  21:25   locate node

930  21:27   pkg install node

931  21:27   pkg-static install node

932  21:55   pkg_stick install python36

933  21:56   pkg-static install python36

934  22:02   whereis py-pyzmq

935  22:03   make PYTHON_VERSION=python3.6 install clean

936  22:03   cd /usr/ports/net/py-pyzmq

937  22:03   make PYTHON_VERSION=python3.6 install clean

938  22:07   pkg-static install py-setuptools36

939  22:07   pkg-static install devel/py-setuptools36

940  22:08   cd /usr/ports/net/py-pyzmq

943  22:09   make -V PYTHON_VERSION=python3.6 install clean

944  22:19   freebsd-version

945  22:20   freebsd-version -k -u

946  22:20   setenv UNAME_r "10.3-RELEASE"

I later learned that this environment variable isn't needed here.

 

956  22:29   /usr/local/bin/python3.6

957  22:31   ps -aux

958  22:31   nameserver

959  22:32   nslookup

960  22:32   vi /etc/resolv.conf

 

983  22:36   freebsd-update fetch

984  22:36   freebsd-update fetch &

 

1000  22:43   freebsd-update -s 'freebsd-updates.mirrors.163.com' fetch

Unfortunately the 163 mirror no longer exists.

The article I followed:

Upgrading FreeBSD 10.2-STABLE to 11.0-RELEASE

https://bbs.aliyun.com/read/297189.html?spm=5176.bbsr296915.0.0.z411Uy

I found a mistake in that article, but it doesn't affect the outcome, because the tool prompts for the right thing later on.

After freebsd-update fetch, the first step is to go to 10.3:

freebsd-update upgrade -r 10.3-RELEASE

 

root@iZ25alqsdzzZ:~ # freebsd-update upgrade -r 10.3-RELEASE

Looking up update.FreeBSD.org mirrors… 4 mirrors found.

Fetching metadata signature for 10.1-RELEASE from update5.freebsd.org… done.

Fetching metadata index… done.

Fetching 2 metadata files… done.

Inspecting system… done.

 

The following components of FreeBSD seem to be installed:

kernel/generic world/base world/lib32

 

The following components of FreeBSD do not seem to be installed:

src/src world/doc world/games

 

Does this look reasonable (y/n)? y

 

Fetching metadata signature for 10.3-RELEASE from update5.freebsd.org… done.

Fetching metadata index… done.

Fetching 1 metadata patches. done.

Applying metadata patches… done.

Fetching 1 metadata files…

done.

Inspecting system…

 

done.

Fetching files from 10.1-RELEASE for merging… done.

Preparing to download files… done.

Fetching 11045 patches…..10….20….30….40….50….60….70….80….90….100….110….120….130….140….150….160….170….180….190….200….210….220….230….240….250….260….270..

 

I expected this to take three hours; it turned out to be quick:

….10010….10020….10030….10040….10050……..11030….11040.. done.

Applying patches… done.

Fetching 393 files… done.

Attempting to automatically merge changes in files… done.

 

The following file could not be merged automatically: /etc/ntp.conf

Press Enter to edit this file in vi and resolve the conflicts

manually…

 

/etc/ntp.conf couldn't be merged automatically, so that one had to be resolved by hand.

Answered a long string of yes prompts.

Then run the install:

/usr/sbin/freebsd-update install

 

root@iZ25alqsdzzZ:~ #/usr/sbin/freebsd-update install

Installing updates…

Kernel updates have been installed.  Please reboot and run

"/usr/sbin/freebsd-update install" again to finish installing updates.

 

The machine hadn't been rebooted in over a year; reboot.

After it came back up, check:

root@rich:~ # freebsd-version -k -u

10.3-RELEASE-p11

10.1-RELEASE

 

OK, 10.1 to 10.3 done. Now the major-version upgrade from 10 to 11, using the following sequence (the first line truncates /usr/bin/bspatch to an empty file):

# : > /usr/bin/bspatch

# freebsd-update upgrade -r 11.0-RELEASE

# freebsd-update install

<reboot the system>

# freebsd-update install

<rebuild third-party software>

# freebsd-update install

 

root@rich:~ # freebsd-update upgrade -r 11.0-RELEASE

src component not installed, skipped

Looking up update.FreeBSD.org mirrors… 4 mirrors found.

Fetching metadata signature for 10.3-RELEASE from update5.freebsd.org… done.

Fetching metadata index… done.

Fetching 1 metadata patches. done.

Applying metadata patches… done.

Fetching 1 metadata files… done.

Inspecting system… done.

 

The following components of FreeBSD seem to be installed:

kernel/generic world/base world/lib32

 

The following components of FreeBSD do not seem to be installed:

world/doc world/games

 

Does this look reasonable (y/n)? y

 

Fetching metadata signature for 11.0-RELEASE from update5.freebsd.org… done.

Fetching metadata index… done.

Fetching 1 metadata patches. done.

Applying metadata patches… done.

Fetching 1 metadata files… done.

Inspecting system… done.

Fetching files from 10.3-RELEASE for merging… done.

Preparing to download files… done.

Fetching 11218 patches…..10….20….30….40….50….60….70….80….90….100….110….120….130….140….150….160….170….180….190….200….210….220….230….240….250….260….270….280….290….300….310….320….330….340….350….360….370….380….390….400….410….420….430….440….450….460….470….480….490….500……….11200….11210…. done.

Applying patches… done.

Fetching 1645 files… done.

Attempting to automatically merge changes in files… done.

 

The following file could not be merged automatically: /etc/ntp.conf

Press Enter to edit this file in vi and resolve the conflicts

 

During the upgrade ntp.conf came up again; I just confirmed and quit, after which this appeared:

The following changes, which occurred between FreeBSD 10.3-RELEASE and

FreeBSD 11.0-RELEASE have been merged into /etc/group:

--- current version

+++ new version

@@ -1,6 +1,6 @@

-# $FreeBSD: releng/10.3/etc/group 256366 2013-10-12 06:08:18Z rpaulo $

+# $FreeBSD: releng/11.0/etc/group 294896 2016-01-27 06:28:56Z araujo $

#

wheel:*:0:root,sky

daemon:*:1:

kmem:*:2:

sys:*:3:
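Review bot: the unchanged context line `wheel:*:0:root,sky` shows this merge keeps the local user sky in wheel; since wheel membership is what lets a user su to root, confirm that is still intended before answering y rather than accepting the hunk on the strength of the $FreeBSD$ tag change alone.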

@@ -15,10 +15,11 @@

staff:*:20:

sshd:*:22:

smmsp:*:25:

mailnull:*:26:

guest:*:31:

+video:*:44:

bind:*:53:

unbound:*:59:

proxy:*:62:

authpf:*:63:

_pflogd:*:64:
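Review bot: `+video:*:44:` adds a base-system group with a fixed GID; before accepting, check that no locally created group already uses 44 (grep ':44:' /etc/group), because the merge does not detect duplicate GIDs and two groups sharing one GID are indistinguishable to the kernel.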

@@ -26,10 +27,11 @@

uucp:*:66:

dialer:*:68:

network:*:69:

audit:*:77:

www:*:80:

+_ypldap:*:160:

hast:*:845:

nogroup:*:65533:

nobody:*:65534:

mysql:*:88:

sky:*:1001:
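Review bot: `+_ypldap:*:160:` needs the same duplicate-GID check as video above; the context lines also confirm the local additions `mysql:*:88:` and `sky:*:1001:` survive the merge, which is the main thing to verify in a group-file merge.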

Does this look reasonable (y/n)?

 

A whole pile of things got updated. pkg was my real goal, because pkg on Aliyun's FreeBSD 10.1 was broken:

/usr/sbin/periodic

/usr/sbin/pkg

/usr/sbin/pmcannotate

 

At the end:

/var/yp/Makefile.dist

To install the downloaded upgrades, run "/usr/sbin/freebsd-update install".

 

As instructed, run:

/usr/sbin/freebsd-update install

 

root@rich:~ #/usr/sbin/freebsd-update install

src component not installed, skipped

Installing updates…

Kernel updates have been installed.  Please reboot and run

"/usr/sbin/freebsd-update install" again to finish installing updates.

 

After the reboot, check:

root@rich:~ # uname -a

FreeBSD rich 11.0-RELEASE-p8 FreeBSD 11.0-RELEASE-p8 #0: Wed Feb 22 06:12:04 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

root@rich:~ # freebsd-version -k -u

11.0-RELEASE-p8

10.3-RELEASE-p17

 

Heh, it's already 11!

Run /usr/sbin/freebsd-update install once more:

root@rich:~ # /usr/sbin/freebsd-update install

src component not installed, skipped

Installing updates…

Completing this upgrade requires removing old shared object files.

Please rebuild all installed 3rd party software (e.g., programs

installed from the ports tree) and then run "/usr/sbin/freebsd-update install"

again to finish installing updates.

root@rich:~ #

 

This step wants all third-party software rebuilt. Good grief!

I'm leaving that for now. Note what that means: until this final freebsd-update install runs, the old 10.x shared objects stay on disk and every package built against them keeps using them, and those libraries will no longer receive security updates. The Handbook's recipe after a major-version jump is to reinstall all packages from the new repository (pkg-static upgrade -f) and then run freebsd-update install one last time to remove the old libraries.

Check the version first:

root@rich:~ # freebsd-version -k -u

11.0-RELEASE-p8

11.0-RELEASE-p8

 

Yes, that's right!

 

All in all it went smoothly: no kernel that won't boot, no sshd that won't start, no website down, none of that nonsense!
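The upgrade above is driven by the same check at every stage: compare what freebsd-version -k -u prints against the target release and decide whether to install, reboot, or install again. The script below is an added example, not part of the original post, that makes that decision explicit. It assumes release strings of the form 11.0-RELEASE-p8 and, for the live wrapper only, that uname and freebsd-version are available; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): work out which step of a
# freebsd-update upgrade is still pending from three version strings:
# the running kernel (uname -r), the installed kernel and the installed
# userland (the two lines "freebsd-version -k -u" prints, kernel first).
# freebsd-version -k reads the kernel file on disk, so right after the first
# "freebsd-update install" it already reports the new release while uname -r
# still shows the old one; that difference is the "reboot now" signal.

# matches_release VERSION RELEASE: true if VERSION is RELEASE or RELEASE-pN
matches_release() {
    case "$1" in
        "$2"|"$2"-p*) return 0 ;;
        *)            return 1 ;;
    esac
}

# upgrade_phase RUNNING_KERNEL INSTALLED_KERNEL USERLAND TARGET
# prints one of: install-kernel | reboot | install-userland | complete
upgrade_phase() {
    running=$1; installed=$2; userland=$3; target=$4
    if ! matches_release "$installed" "$target"; then
        echo install-kernel      # run: freebsd-update install
    elif [ "$running" != "$installed" ]; then
        echo reboot              # new kernel on disk, old kernel still running
    elif ! matches_release "$userland" "$target"; then
        echo install-userland    # run: freebsd-update install (again)
    else
        echo complete            # only the post-rebuild final install remains
    fi
}

# Live wrapper for a real FreeBSD host (assumed tools: uname, freebsd-version):
#   check_live 11.0-RELEASE
check_live() {
    target=$1
    set -- $(freebsd-version -k -u)   # two words: installed kernel, userland
    upgrade_phase "$(uname -r)" "$1" "$2" "$target"
}
```

The "complete" state only says the base system matches; whether the third-party rebuild and the final freebsd-update install have been done is not visible in version strings, which is exactly the step this post postpones.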

How to type Chinese in a FreeBSD terminal

csh:
setenv LANG en_US.UTF-8

bash:
To type Chinese in a terminal such as SecureCRT:
LANG=zh;export LANG

(A full locale name such as zh_CN.UTF-8, as listed by locale -a, is what the libc locale code actually understands; the value must also match the character encoding the terminal program is set to.)

Add to $HOME/.profile or /etc/profile:
stty cs8 -istrip

At this point, if the shell is sh, Chinese input works. If the shell is bash, also add the following to $HOME/.inputrc:
set meta-flag on
set output-meta on
set convert-meta off

This site's VPS outage

The provider emailed to say they were migrating data centres and expected it to take two hours. By yesterday afternoon my system had been out of service for more than seven hours, so I opened a ticket, went back and forth with them, and finally tonight the problem was resolved.

P.S. My FreeBSD system had been running uninterrupted for over 400 days!

MinGW (Minimalist GNU for Windows) is a lightweight C/C++, Ada and Fortran compiler suite for Windows. Compared with Cygwin it is much smaller and easier to use. MinGW provides a complete open-source toolchain for Windows application development and depends on no third-party C runtime library.

MinGW includes:

  • An integrated set of compilers for C, C++, Ada and Fortran
  • GNU tools for producing Windows binaries (compiler, linker and archiver)
  • A command-line installer (mingw-get) for installing and deploying MinGW and MSYS on Windows
  • A GUI front end (mingw-get-inst) for the command-line installer

MinGW was developed to give people who would rather stay on Windows than work on Linux (or FreeBSD) a GNU-compliant working environment. MinGW means a build environment that uses only free software to produce native Win32 executables.

Website: http://www.mingw.org/

The download link is in the top-right corner.

 

A brief encounter with FreeBSD 10

Over the last two days I briefly installed FreeBSD 10, but after installation there were no ports and no packages (pkg_add); only fetch... (FreeBSD 10 replaced pkg_add with pkg(8): running pkg on a fresh system offers to bootstrap it.)

Using the method at http://www.airoot.org/wp/?p=154, #portsnap fetch extract, got the ports tree installed, but with no pkg_add, building everything from source is too slow for testing and learning, so I scrapped 10 and went back to 9.2.

Both versions were installed from a USB stick; see my earlier post for the method: http://www.airoot.org/wp/?p=212

P.S. Downloading the memstick.img was a hassle this time: first via 360 cloud offline download, then to the local machine, both very slow. In the end freebsdchina was the fast download.

Booting from USB was also a detour: the machine wouldn't boot from USB. I almost updated the BIOS; in the end, in the BIOS menu, enabling Integrated Peripherals -> On-Chip USB Controller -> USB Mass Storage Support made the USB device appear under Hard Disk Boot Priority, and putting it first in the order finally did it.

Under 10 I couldn't get the Ralink USB wireless card working; it only shows up as ugen2.3 TPlink, and adding if_ral_load="YES", if_ural_load="YES" and so on as the instructions say made no difference. (Ralink USB chipsets are handled by ural(4), rum(4) or run(4) depending on the chip; usbconfig shows the vendor/product ID, and the driver man pages list the devices they support, which is how to pick the right module.)

Original: https://www.freebsdchina.org/forum/viewtopic.php?t=58346

alphachi's question:

Our organisation needs to build its own data centre, initially planned for about 1000TB of data, and wants to use FreeBSD.
I've searched around and there is very little to go on, so I'm posting to ask for advice.

1. Should the file system be ZFS?

2. Should we use HAST? If so, the handbook says HAST only supports two nodes; does that mean we must buy two servers, each with its own 1000TB of disk storage attached?

3. If not HAST, does that mean buying many servers as a storage cluster? If each fully loaded server holds 32T, that's 30-odd servers; how do we join their storage into one 1000T pool? I couldn't find any reference on FreeBSD clustering either.

4. Any recommended server or storage models?

No experience at all, self-study failed, please advise, thank you!

delphij's answer:

1000TB in a single machine needs at least four disk shelves and at least five HBAs (assuming 1:4 redundancy and one hot spare per four groups).

We have actually built systems with this many disks, though not this much capacity. In short: RAM must be huge; forget about dedup (my personal advice is to simply kill anyone who wants to do that on a system of this scale); such a system can achieve very good throughput, but response times will not be good.

Storing 1000TB without redundancy is a very bad idea; in fact, in most applications you won't have time to recover from a failure at all, and importing a pool of 300+ disks is a very time-consuming process.

On HAST: HAST's latency is not ideal (the new memsync mode improves this greatly), and it probably doesn't meet your needs anyway. If the requirement is that when one machine dies the other takes over immediately, the application has to know how to do that; it cannot just rely on NFS or iSCSI, because with 300 disks the pool import takes a long time, so hot standby done that way won't meet the need.

========

A reasonably normal and fairly cheap design, for reference only:

In reality, the vast majority of applications need only a single namespace, not a single file system. The right approach is divide and conquer, never one enormous file system, and certainly not a 1PB storage pool. A pool of that size can be built, but it probably won't behave the way you want, and when disaster strikes it cannot be recovered quickly and effectively.

With NFS, you can use amd (automount) to present a single namespace (just a symbolic link into the amd-controlled directory; amd exists on most OSes and mounts file systems on demand), but operations staff must rebalance (move data from one node to another) according to how the system is running. The namespace is what the client sees; the storage servers only do hot redundancy between themselves and need not be a cluster. Such a system can be expanded by adding machines when needed (not infinitely, of course).

Newer distributed file systems layered on top of ordinary file systems are somewhat simpler to operate than amd+NFS, but the client OS must support them, and configuration is more complex.

With today's disk sizes, around 100TB per node (after redundancy; no more than one JBOD) is fine; larger than that and hot recovery may get slow. Each node should have an HA partner of the same capacity and configuration; depending on how much data loss and how long a recovery time your application tolerates, use snapshot replication or HAST.

At all times, no node's free space should drop below 15%, so your post-redundancy capacity must be at least 1176TB (1000 / 85% = 1176.47TB).

Assume 44 disks per system (four 8+2 RAID-Z2 groups or eight 4+1 RAID-Z groups, plus four hot spares) at 4TB each; the usable capacity per system is 32*4=128TB. Provision 20 such systems in total, for a total usable capacity of 1280TB (half of them being the hot-standby systems).

Note: with 44 disks, the HBA ports must be planned properly, and the assembly staff must be told how to cable them correctly.

Two things you absolutely must watch:

1. LSI HBA and disk firmware must be flashed to the latest; skip this and you will die horribly.
2. Don't mix SATA and SAS disks; mixing them will kill you (in fact the current generation of LSI HBAs still has some problems with SATA error handling); I personally recommend SAS disks.

(There are other details, which any server vendor with experience will tell you, but one in particular: don't ship the server to the data centre with the disks installed; box the disks separately and install them on site, and so on.)

A storage system of this scale is much harder to build than it looks at first glance. Also, many potential problems can't be learned from self-study without real experience; the details are numerous and scattered, enough to fill a book that basically nobody would buy, half of which would quickly go out of date.

Finally, unless you have at least two years of hands-on experience maintaining a single production system with 24 or more disks, ignore all of the above and go find someone who knows what they're doing.

The original document is here:
http://www.freebsd.org/doc/zh_CN.GB2312/articles/remote-install/article.html

It doesn't look too complicated (at first glance it looked complicated enough to me). I figured I wouldn't find the problems without trying it (I find that following foreign write-ups step by step from China often throws up surprises; maybe the documents don't travel well).

So I ran the experiment, and sure enough there were problems:

Mainly I got stuck at this step:

Next, build the bootable mfsBSD image:

# make BASE=/cdrom/7.0-RELEASE
No matter what I tried, I got errors like:

ciias# make BASE=/cdrom
Cannot find directory "/cdrom/base"
*** Error code 1

Stop in /root/tmp/mfsbsd-2.0.
ciias# make BASE=/cdrom/
Cannot find directory "/cdrom//base"
*** Error code 1

Stop in /root/tmp/mfsbsd-2.0.
ciias# make BASE=/cdrom/base
Please set the environment variable BASE to a path
with FreeBSD distribution files (e.g. /cdrom/8.3-RELEASE)
Examples:
make BASE=/cdrom/8.3-RELEASE
make BASE=/cdrom/usr/freebsd-dist
*** Error code 1

Stop in /root/tmp/mfsbsd-2.0.
ciias# make BASE=/cdrom/usr
Cannot find directory "/cdrom/usr/base"
*** Error code 1

I looked in /cdrom directly, and there simply is no base...

The problem was solved later and the img file finally came out:

ciias# make BASE=/cdrom/usr/freebsd-dist
Extracting base and kernel … done
Removing selected files from distribution … done
Installing configuration scripts and files … done
Generating SSH host keys … done
Configuring boot environment … done
100 % 11.2 MiB / 51.5 MiB = 0.218 1.2 MiB/s 0:43
done
Creating and compressing mfsroot … done
Creating image file … done
-rw-r--r-- 1 root skywalk 32505856 May 24 15:13 mfsbsd-9.0-RELEASE-amd64.img
But I'm on i386; how did this come out as an amd64 image? I'll have to test whether it works. (The file name appears to come from mfsBSD's own build variables rather than from the sets it extracted, so the image is worth checking before relying on it.)

The fixes that made this experiment work:

1. Use a full FreeBSD install disc, e.g. FreeBSD-9.1-RELEASE-i386-disc1.iso, not the boot-only disc.

2. The latest mfsbsd is version 2.0, not the 1.0 in the document.

3. The make line differs depending on the directory layout of the ISO. For my 9.1 disc it was:

make BASE=/cdrom/usr/freebsd-dist
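The whole detour above was about finding the directory that holds the distribution sets. As an added example that is neither from the original post nor from the mfsBSD project, the script below locates that directory on a mounted install ISO (the one containing both base.txz and kernel.txz) and prints the make argument to use. It assumes the ISO is mounted at the given path (default /cdrom) and uses the 9.x-style .txz set layout; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post or the mfsBSD project): find the
# directory on a mounted FreeBSD install ISO that holds the distribution sets
# mfsBSD's Makefile wants (base.txz next to kernel.txz) and print the matching
# "make BASE=..." line.  Assumes a 9.x-style .txz layout under the mount point.

# dist_dir [MOUNTPOINT]: print the first directory holding base.txz AND kernel.txz
dist_dir() {
    mnt=${1:-/cdrom}
    [ -d "$mnt" ] || return 1
    # A base.txz without kernel.txz beside it is skipped, so a stray or
    # partial copy elsewhere on the disc cannot be picked by mistake.
    find "$mnt" -type f -name base.txz 2>/dev/null | while read -r f; do
        d=$(dirname "$f")
        if [ -f "$d/kernel.txz" ]; then
            printf '%s\n' "$d"
            break
        fi
    done
}

# mfsbsd_base_arg [MOUNTPOINT]: print "make BASE=<dir>", fail if no sets found
mfsbsd_base_arg() {
    d=$(dist_dir "$1") || return 1
    [ -n "$d" ] || return 1
    printf 'make BASE=%s\n' "$d"
}
```

On the disc used in this post, mfsbsd_base_arg /cdrom prints make BASE=/cdrom/usr/freebsd-dist; on an older disc laid out as /cdrom/8.3-RELEASE it would print that path instead, which is the difference the Makefile's error message was hinting at.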

Why go to the trouble of a remote install? Because:

There are many hosting providers in the world, but only a few of them officially support FreeBSD; they typically provide support for installing a Linux® distribution on the servers they offer.

In some cases, if you ask, these companies will install a Linux® distribution of your choice. Given that option, we will attempt to install FreeBSD.

In plain terms: as long as the hosted server comes with Linux, we can find a way to install FreeBSD on it (regardless of whether there's a boot CD or boot USB).

Addendum, May 27:

Testing in VirtualBox: after dd'ing the image, the system boots and then ends with a BTX halted error. Searching turned up few pages reporting this; some people fixed it by updating the BIOS.

I also built an mfsbsd ISO, which tested fine in VirtualBox. So it may be a virtual-machine issue; I'll test on real hardware when I get the chance.

WordPress FTP update error: Missing zlib

Summary: on FreeBSD, pkg_add -r php5-zlib is all it takes.

Problem:

When updating WordPress or installing a plugin, it errors out with:

Update WordPress

Downloading update from http://wordpress.org/nightly-builds/wordpress-latest.zip...

Unpacking the update...

Abort class-pclzip.php : Missing zlib extensions

 

I searched a lot online and nothing solved it.

Finally I went to the zlib website:

 

# wget http://zlib.net/zlib-1.2.7.tar.gz
--2012-11-30 10:15:22-- http://zlib.net/zlib-1.2.7.tar.gz
Resolving zlib.net (zlib.net)… 69.73.181.135
Connecting to zlib.net (zlib.net)|69.73.181.135|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 560351 (547K) [application/x-gzip]
Saving to: `zlib-1.2.7.tar.gz'

100%[======================================>] 560,351 731K/s in 0.7s

2012-11-30 10:15:23 (731 KB/s) - `zlib-1.2.7.tar.gz' saved [560351/560351]

# tar -xzvf zlib-1.2.7.tar.gz

# cd zlib-1.2.7

# ./configure
# make

# make install

cp libz.a /usr/local/lib
chmod 644 /usr/local/lib/libz.a
cp libz.so.1.2.7 /usr/local/lib
chmod 755 /usr/local/lib/libz.so.1.2.7
cp zlib.3 /usr/local/share/man/man3
chmod 644 /usr/local/share/man/man3/zlib.3
cp zlib.pc /usr/local/lib/pkgconfig
chmod 644 /usr/local/lib/pkgconfig/zlib.pc
cp zlib.h zconf.h /usr/local/include
chmod 644 /usr/local/include/zlib.h /usr/local/include/zconf.h
#

Still not solved. (That also left an unmanaged copy of zlib under /usr/local, outside the package database; the base system already ships zlib, and what WordPress was missing was PHP's zlib extension, not the library.)

 

Every update also asked for FTP credentials. Searching online, that happens when the directory owner doesn't match the user the web server runs as (not www), so:

# chown -R www:www wp

and it stopped asking. Be aware of the trade-off: the whole WordPress tree is now writable by the web-server user, so any compromise of PHP code running as www can rewrite the site's own files; tightening ownership back after the update, or at least keeping wp-config.php read-only, limits that.

 

Reinstalled php5:

# pkg_add -r php5 php5-xml php5-xmlreader php5-xmlwriter php5-mysql
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-xml.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-xmlreader.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/All/php5-dom-5.3.8.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-xmlwriter.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-mysql.tbz… Done.
#

Ugh, after hunting for zlib half my life, here it was all along:

# whereis php5-zlib
php5-zlib: /usr/ports/archivers/php5-zlib
#

# pkg_add -r php5-zlib
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-zlib.tbz… Done.
# service spawn-fcgi restart
Stopping spawn_fcgi.
Waiting for PIDS: 74505.
Starting spawn_fcgi.
spawn-fcgi: child spawned successfully: PID: 77653
#

Hooray! Solved!

A friend's blog explains this clearly:

http://laiyonghua.cn/blog-init/

Controlling CPU/memory of FreeBSD jails

http://wiki.freebsd.org/JailResourceLimits

  • Implement memory limits in kern_jail.c [done]
  • Implement CPU share limiting in sched_hier.c [done]
  • jtune program to modify CPU and memory limits on running jails [done]

(Those were patches from an experimental project that never landed in that form; since 9.0 the supported way is rctl(8), on a kernel built with options RACCT and RCTL, which can cap a jail's memory use and, in newer releases, its CPU share.)

CPUs can also be restricted with cpuset:

NAME
     cpuset -- configure processor sets

SYNOPSIS
     cpuset [-l cpu-list] [-s setid] cmd ...
     cpuset [-l cpu-list] [-s setid] -p pid
     cpuset [-c] [-l cpu-list] -C -p pid
     cpuset [-cr] [-l cpu-list]
	    [-j jailid | -p pid | -t tid | -s setid | -x irq]
     cpuset [-cgir] [-j jailid | -p pid | -t tid | -s setid | -x irq]

A related page:
http://lists.freebsd.org/pipermail/freebsd-jail/2009-May/000866.html

CPU limit for Jails (patch for ULE scheduler)

 

And another:

http://www.tomjudge.com/index.php/FreeBSD/Jails/MemoryLimits

 

FreeBSD jail setup in practice

See: http://www.freebsd.org/doc/zh_CN/books/handbook/jails-application.html
D=/home/jail/zqfx
cd /usr/src
mkdir -p $D
make world DESTDIR=$D
make distribution DESTDIR=$D
mount -t devfs devfs $D/dev

ifconfig ed0 inet alias 192.0.2.100/32
mount -t procfs proc /data/jail/192.0.2.100/proc
jail -c path=/data/jail/192.0.2.100 host.hostname=testhostname \
    ip4.addr=192.0.2.100 command=/bin/sh /etc/rc

/etc/rc.d/jail start
/etc/rc.d/jail stop
/etc/rc.d/jail start myjail
/etc/rc.d/jail stop myjail

It turned out /usr/src had no source in it; downloading it now.
Nov 6 addendum: yesterday sysinstall failed to fetch the source.
Today I fetched it straight from http://mirrors.163.com; it unpacked into /usr/usr/src instead. Not a problem, just cd into that directory.
make world DESTDIR=$D in progress...

install -s -o root -g wheel -m 555 ldd32 /home/jail/zqfx/usr/bin

--------------------------------------------------------------
>>> make world completed on Tue Nov 6 07:26:45 CST 2012
(started Tue Nov 6 04:45:28 CST 2012)
--------------------------------------------------------------

Once that finished, run:
make distribution DESTDIR=$D
.....
cd /usr/usr/src/etc/..; install -o root -g wheel -m 444 COPYRIGHT /home/jail/zqfx/
install -o root -g wheel -m 444 /usr/usr/src/etc/../sys/amd64/conf/GENERIC.hints /home/jail/zqfx/boot/device.hints

Once that finished, execute:

ifconfig re0 inet alias 10.0.1.100/32
mount -t procfs proc /home/jail/zqfx/10.0.1.100/proc
jail -c path=/home/jail/zqfx host.hostname=zqfx.network \
    ip4.addr=10.0.1.100 command=/bin/sh /etc/rc

The mount failed, because I have no data directory (that path was copied from the handbook)...
Then I realised it needs to be:
mount -t procfs proc /home/jail/zqfx/proc
jail -c path=/home/jail/zqfx host.hostname=zqfx.network \
    ip4.addr=10.0.1.100 command=/bin/sh /etc/rc
That worked.

Then add to rc.conf:
jail_enable="YES" # set to NO to not start jails automatically
jail_list="www" # space-separated list of jail names

jail_www_rootdir="/home/jail/zqfx" # the jail's root directory
jail_www_hostname="www.zqfx.NET" # the jail's hostname
jail_www_ip="10.0.1.100" # the jail's IP address
jail_www_devfs_enable="YES" # mount devfs in the jail
jail_www_devfs_ruleset="www_ruleset" # the devfs ruleset to apply in the jail

Mine, of course, is:
jail_enable="YES"
jail_list="zqfx"
jail_zqfx_rootdir="/home/jail/zqfx" # the jail's root directory
jail_zqfx_hostname="www.zqfx.net" # the jail's hostname
jail_zqfx_ip="10.0.1.100" # the jail's IP address
jail_zqfx_devfs_enable="YES" # mount devfs in the jail (my original had the jail_www_ prefix here, which rc.d/jail ignores for a jail named zqfx)
jail_zqfx_devfs_ruleset="devfsrules_jail" # the devfs ruleset to apply; this takes a ruleset name from /etc/defaults/devfs.rules, not YES as I originally wrote

OK, it's up:

# /etc/rc.d/jail start zqfx
Configuring jails:.
Starting jails: www.zqfx.NET.

Easier than I imagined. A pity I didn't get into jails years ago!

Changed the name to www.zqfx.net; I'd accidentally typed it in uppercase before.

Two everyday commands control jails: jexec and jls.
First look with jls:
ciias# jls
JID IP Address Hostname Path
2 10.0.1.100 www.zqfx.net /home/jail/zqfx

Then enter the jail with jexec:

ciias# jexec 2 tcsh
www# top
last pid: 71324; load averages: 0.07, 0.02, 0.00 up 2+04:26:14 04:55:29
6 processes: 1 running, 5 sleeping
CPU: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Mem: 101M Active, 217M Inact, 88M Wired, 19M Cache, 59M Buf, 53M Free
Swap: 1792M Total, 82M Used, 1709M Free, 4% Inuse

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
71156 root 1 20 0 20384K 4208K select 0:00 0.00% sendmail
71319 root 1 21 0 14612K 2668K pause 0:00 0.00% tcsh
71324 root 1 20 0 16700K 2152K RUN 0:00 0.00% top
71043 root 1 20 0 12184K 1616K select 0:00 0.00% syslogd
71166 root 1 45 0 14260K 1720K nanslp 0:00 0.00% cron
71160 smmsp 1 52 0 20384K 4148K pause 0:00 0.00% sendmail

There's no resolv.conf, so create one (my original had "serach", a typo for search):
ciias# vi resolv.conf
search zqfx.net
nameserver 208.87.241.170
Not successful yet...
/etc/netstart
then lots of errors
# ping 10.0.1.100
ping: socket: Operation not permitted

ezjail can simplify management:
http://erdgeist.org/arts/software/ezjail/
After installing it, the configuration file is /usr/local/etc/ezjail.conf

ciias# /usr/local/bin/ezjail-admin
ezjail-admin v3.2
Usage: ezjail-admin [archive|config|console|create|delete|install|list|restore|update] {params}
ciias# /usr/local/bin/ezjail-admin list
STA JID IP Hostname Root Directory
--- ---- --------------- ------------------------------ ------------------------
ciias#

Oops, I've accidentally ended up with several:

ciias# jls
JID IP Address Hostname Path
3 10.0.1.100 zqfx.network /home/jail/zqfx
4 10.0.1.100 zqfx.network /home/jail/zqfx
6 10.0.1.100 www.zqfx.net /home/jail/zqfx

Nov 7 addendum:
The jail as set up above can't be reached by ssh and doesn't answer ping.

To get ping working, edit the host's sysctl.conf:
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# "sysctl" to adjust kernel values. "man 5 sysctl.conf" for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.jail.allow_raw_sockets=1
After restarting the jail, ping works (note that 10.0.1.100 is an alias on the host's own re0, so the host can reach it whether or not the jail is running; the real test is from inside the jail, below):
ciias# ping 10.0.1.100
PING 10.0.1.100 (10.0.1.100): 56 data bytes
64 bytes from 10.0.1.100: icmp_seq=0 ttl=64 time=0.018 ms
64 bytes from 10.0.1.100: icmp_seq=1 ttl=64 time=0.020 ms

Then edit rc.conf inside the jail:
ciias# jexec 8 vi /etc/rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf.
# Please make all changes to this file, not to /etc/defaults/rc.conf.

# Enable network daemons for user convenience.
# Created: Tue Nov 6 05:12:05 2012
rpc_bind_enable="NO"
sshd_enable="YES"
hostname="www.zqfx.net"

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

ntpd_enable="YES"
ntpd_sync_on_start="YES"
named_enable="YES"

Then re-run rc so the new rc.conf takes effect (this re-runs every rc script inside the already running jail, which is where the warnings below come from, including named refusing to run chrooted inside a jail; starting only what changed, e.g. jexec 8 service sshd start, is cleaner):
ciias# jexec 8 sh /etc/rc
Setting hostname: www.zqfx.net.
Creating and/or trimming log files.
ln: /dev/log: Operation not permitted
Starting syslogd.
syslogd: child pid 94232 exited with return code 1
/etc/rc: WARNING: failed to start syslogd
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
/etc/rc: ERROR: named chroot: devfs cannot be mounted from within a jail. Thus a chrooted named cannot be run from within a jail. To run named without chrooting it, set named_chrootdir=”” in /etc/rc.conf.
Clearing /tmp (X related).
Updating motd:.
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
44:6f:02:3c:50:7e:6e:d2:3f:2b:7d:7a:e9:8b:27:52 root@www.zqfx.net
The key's randomart image is:
……
Lots of output; ignore it.
Then ssh from the host:
ciias# ssh XXX@10.0.1.100
The authenticity of host '10.0.1.100 (10.0.1.100)' can't be established.
ECDSA key fingerprint is 10:d8:77:a3:7c:c8:d7:5a:a5:48:b0:7c:79:66:a8:38.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.100' (ECDSA) to the list of known hosts.

Password:
FreeBSD 9.0-RELEASE (GENERIC) #0: Tue Jan 3 07:46:30 UTC 2012

Welcome to FreeBSD!

Hooray! Finally ssh'd in!

Inside the jail, though, ping still doesn't work:
$ ping 10.0.1.100
ping: socket: Operation not permitted
Supposedly adding security.allow_raw_sockets=1 inside the jail fixes it, but after adding it and restarting the jail, I still couldn't ping out.
Inside the jail, security.jail.allow_raw_sockets stays at 0:
ciias# jexec 10 sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0
sysctl: security.jail.allow_raw_sockets: Operation not permitted

This article explains what to do, but following it didn't solve it for me either.

http://www.elfnet.org/2010/12/01/freebsd-jail-ping-socket-operation-permitted/

Then on a whim I put these in the host's /etc/sysctl.conf:

security.param.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets=1

and restarted the jail.

Hooray, ping works!

What actually did the work: the first line names a sysctl that doesn't exist (the rc output further down warns "sysctl security.param.jail.allow_raw_sockets does not exist"), so only the second had any effect. security.jail.allow_raw_sockets is a host-level setting that new jails take as the default for their allow.raw_sockets parameter, which is why it cannot be changed from inside the jail ("Operation not permitted" above) and why the jail had to be restarted after setting it on the host. Be aware of what it grants: root in the jail can now open raw sockets, i.e. craft arbitrary IP packets from the jail's address, which weakens the isolation; it's a convenience for ping, not something to leave enabled for a jail you don't trust.

$ ping 10.0.1.100
PING 10.0.1.100 (10.0.1.100): 56 data bytes
64 bytes from 10.0.1.100: icmp_seq=0 ttl=64 time=0.016 ms

The next thing to solve is getting out to the internet via NAT, since I only have one public IP, so NAT it is.

 

Two documents:
The Quick-N-Dirty Guide to ezjail in FreeBSD

jail nat http://forums.freebsd.org/showthread.php?t=5693

Following those, I wrote a NAT configuration:

lan_if="re0"
lan_if_subnet="199.71.215.0/24"
lan_if_ip="199.71.215.119"
jail_vps_server_ip="10.0.1.100"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip

 

The second article mentions pf; I found an introduction:

http://hi.baidu.com/zone_cisco/item/1bda170799e986d51ff046ae

Configuring from that:

 

#pf config file
pf_enable="YES"
pf_rules="/etc/pf.conf"
inetd_enable="YES"
pflog_enable="NO"
pflog_logfile="/var/log/pflog"

sysctl -w net.inet.ip.forwarding=1

(inetd_enable has nothing to do with pf and needn't be here. The sysctl line is a one-off; the persistent equivalent in rc.conf is gateway_enable="YES", which the rc output below shows was already in effect.)

 

ciias# vi /etc/pf.conf
lan_if="re0"
lan_if_subnet="199.71.215.0/24"
lan_if_ip="199.71.215.119"
jail_vps_server_ip="10.0.1.100"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip

Run:

pfctl -e;pfctl -f /etc/pf.conf

pfctl: /dev/pf: No such file or directory

 

(That error means the pf kernel module isn't loaded; kldload pf, or service pf start with pf_enable set, is the targeted fix.)

So I'll just re-run rc.conf! (What follows is the result of running the whole of /etc/rc on a live multi-user host: daemons that are already running, such as nginx, apache and webmin, are started a second time and fail with "Address already in use", and another copy of the jail is started, which is where the extra entries in jls later on come from.)

ciias# sh /etc/rc
Setting hostuuid: 0c1c5265-ed08-82ac-29b3-44fdd4d4bb24.
Setting hostid: 0xdd72886c.
Entropy harvesting: interrupts ethernet point_to_point kickstart.
Fast boot: skipping disk checks.
Mounting local file systems:.
Starting Network: lo0 re0 plip0.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xffffffff
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:16:3e:ab:ac:12
inet6 fe80::216:3eff:feab:ac12%re0 prefixlen 64 scopeid 0x2
inet 199.71.215.119 netmask 0xffffffc0 broadcast 199.71.215.127
inet 10.0.1.100 netmask 0xffffffff broadcast 10.0.1.100
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
devd already running? (pid=723).
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
.
route: writing to routing socket: File exists
add net default: gateway 199.71.215.65: route already in table
Additional inet routing options: gateway=YES.
route: writing to routing socket: File exists
add net ::ffff:0.0.0.0: gateway ::1: route already in table
route: writing to routing socket: File exists
add net ::0.0.0.0: gateway ::1: route already in table
route: writing to routing socket: File exists
add net fe80::: gateway ::1: route already in table
route: writing to routing socket: File exists
add net ff02::: gateway ::1: route already in table
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/mysql
32-bit compatibility ldconfig path: /usr/lib32
Creating and/or trimming log files.
Starting syslogd.
syslogd: child pid 98886 exited with return code 1
/etc/rc: WARNING: failed to start syslogd
No core dumps found.
Clearing /tmp (X related).
Recovering vi editor sessions:.
Updating motd:.
Starting webmin.
Starting Webmin server in /usr/local/lib/webmin
Pre-loaded virtual-server/virtual-server-lib-funcs.pl in virtual_server
Pre-loaded virtual-server/feature-unix.pl in virtual_server
Pre-loaded virtual-server/feature-dir.pl in virtual_server
Pre-loaded virtual-server/feature-dns.pl in virtual_server
Pre-loaded virtual-server/feature-mail.pl in virtual_server
Pre-loaded virtual-server/feature-web.pl in virtual_server
Pre-loaded virtual-server/feature-webalizer.pl in virtual_server
Pre-loaded virtual-server/feature-ssl.pl in virtual_server
Pre-loaded virtual-server/feature-logrotate.pl in virtual_server
Pre-loaded virtual-server/feature-mysql.pl in virtual_server
Pre-loaded virtual-server/feature-postgres.pl in virtual_server
Pre-loaded virtual-server/feature-ftp.pl in virtual_server
Pre-loaded virtual-server/feature-spam.pl in virtual_server
Pre-loaded virtual-server/feature-virus.pl in virtual_server
Pre-loaded virtual-server/feature-webmin.pl in virtual_server
Pre-loaded virtual-server/feature-virt.pl in virtual_server
Pre-loaded virtual-server/feature-virt6.pl in virtual_server
Pre-loaded WebminCore
Failed to bind to port 10000 : Address already in use
Could not listen on any ports/etc/rc: WARNING: failed to start webmin
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
nginx: [emerg] bind() to 0.0.0.0:80 failed (48: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (48: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (48: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (48: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (48: Address already in use)
nginx: [emerg] still could not bind()
/etc/rc: WARNING: failed to start nginx
mysql already running? (pid=26581).
Starting sshd.
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
(48)Address already in use: make_sock: could not bind to address [::]:8080
(48)Address already in use: make_sock: could not bind to address 0.0.0.0:8080
no listening sockets available, shutting down
Unable to open logs
/etc/rc: WARNING: failed to start apache22
Configuring syscons: keymap blanktime.
Starting cron.
Configuring jails:.
Starting jails: www.zqfx.net.
/etc/rc.d/sysctl: WARNING: sysctl security.param.jail.allow_raw_sockets does not exist.
Starting inetd.
Starting background file system checks in 60 seconds.

Wed Nov 7 13:31:40 CST 2012
ciias#

Then test NAT:

ciias# pfctl -e ; pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
No ALTQ support in kernel
ALTQ related functions disabled
ciias# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled

Now the issue is ALTQ.

After searching online: if you aren't using ALTQ, that message can simply be ignored!

Then I found the jail could ping the gateway but nothing beyond it.

From what I already knew about NAT, I suspected the rule above was wrong: "to $lan_if_subnet" only translates packets whose destination is the local subnet, so anything bound for the internet left with the jail's private source address and never got a reply. So I changed it to:

ciias# vi /etc/pf.conf
lan_if=”re0″
lan_if_subnet=”199.71.215.64/26″
lan_if_ip=”199.71.215.119″
jail_vps_server_ip=”10.0.1.100″
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to any -> $lan_if_ip

Reload pf's NAT rules (-N loads only the NAT rules):

ciias# pfctl -f /etc/pf.conf -N
No ALTQ support in kernel
ALTQ related functions disabled

Check that NAT took effect:
ciias# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
nat on re0 inet proto tcp from 10.0.1.100 to any -> 199.71.215.119
nat on re0 inet proto udp from 10.0.1.100 to any -> 199.71.215.119
nat on re0 inet proto icmp from 10.0.1.100 to any -> 199.71.215.119

Test the jail's connectivity from the host:

ciias# jexec 10 ping 8.8.8.8
jexec: jail_attach(10): Invalid argument
ciias# jls
JID IP Address Hostname Path
3 10.0.1.100 zqfx.network /home/jail/zqfx
4 10.0.1.100 zqfx.network /home/jail/zqfx
11 10.0.1.100 www.zqfx.net /home/jail/zqfx
12 10.0.1.100 www.zqfx.net /home/jail/zqfx
ciias# jexec 12 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=49 time=30.648 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=30.698 ms

Hooray! The jail finally has network access!

The problem now is that ssh from the host to the jail has dropped...

 

First shut down all the jails:

ciias# jls
JID IP Address Hostname Path
3 10.0.1.100 zqfx.network /home/jail/zqfx
4 10.0.1.100 zqfx.network /home/jail/zqfx
11 10.0.1.100 www.zqfx.net /home/jail/zqfx
You have new mail.
ciias# jexec 3 sh /etc/rc.shutdown
Terminated
.
ciias# jexec 4 sh /etc/rc.shutdown
Terminated
.
ciias# jexec 11 sh /etc/rc.shutdown
Terminated
.

I shut them down this way because /etc/rc.d/jail stop xxx had no effect on the first three (rc.d/jail only knows the jails it started from rc.conf; a jail created by hand has to be removed with jail -r JID).

Ugh, rc.shutdown didn't do it either (it only runs the shutdown scripts inside the jail; the jail itself stays until jail -r removes it). I don't understand how I configured one jail and ended up with four! (Each jail -c I ran by hand earlier, plus each time rc.d/jail ran, created a fresh jail on the same path and address.)

And the first two look identical, as do the last two.

ciias# jls
JID IP Address Hostname Path
3 10.0.1.100 zqfx.network /home/jail/zqfx
4 10.0.1.100 zqfx.network /home/jail/zqfx
11 10.0.1.100 www.zqfx.net /home/jail/zqfx
13 10.0.1.100 www.zqfx.net /home/jail/zqfx

The first two can't ping outside; the last two can.
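Cleaning up the stale copies, as an added example that is not from the original post: the script below reads jls output (assumed to be the four-column "JID IP Address Hostname Path" form shown above), finds jails that share a root path, and prints the jail -r commands that remove every copy except the newest. The function names and the embedded sample listing are my own; on the host itself, pipe the real listing through it with jls | removal_commands and run the printed commands once they look right.

```sh
#!/bin/sh
# Added example (not from the original post): given "jls" output, list jails
# that share a root path and print the "jail -r JID" commands that remove all
# but the newest.  /etc/rc.d/jail stop only knows the jails it started itself;
# jails created by hand with "jail -c" must be removed with jail -r.
# Assumption: jls prints "JID IP Address Hostname Path" with the path last.

# duplicate_jails < jls-output  -> lines "JID PATH" for the stale copies
duplicate_jails() {
    awk 'NR > 1 {                       # skip the header line
             jid = $1 + 0; path = $NF
             if (path in newest) {
                 # keep the higher JID for this path, mark the other stale
                 if (jid > newest[path]) { stale[newest[path]] = path; newest[path] = jid }
                 else                   { stale[jid] = path }
             } else {
                 newest[path] = jid
             }
         }
         END { for (j in stale) print j, stale[j] }' | sort -n
}

# removal_commands < jls-output -> one "jail -r JID" line per stale jail
removal_commands() {
    duplicate_jails | awk '{ print "jail -r " $1 }'
}

# Constructed sample matching the jls listing at the end of the post.
SAMPLE_JLS='JID IP Address Hostname Path
3 10.0.1.100 zqfx.network /home/jail/zqfx
4 10.0.1.100 zqfx.network /home/jail/zqfx
11 10.0.1.100 www.zqfx.net /home/jail/zqfx
13 10.0.1.100 www.zqfx.net /home/jail/zqfx'
```

Keeping the newest copy matches what the post observed (the last jail is the one that was started after the sysctl and NAT changes), but it is only a heuristic: check the JID you intend to keep before running the output.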