Monthly archive: November 2012

On the WordPress FTP update error "Missing zlib"

Summary: on FreeBSD, just run pkg_add -r php5-zlib.

The problem:

When WordPress updates itself or installs a plugin, it fails with:

Update WordPress

Downloading update from http://wordpress.org/nightly-builds/wordpress-latest.zip…

Unpacking the update…

Abort class-pclzip.php : Missing zlib extensions

 

I searched a lot online and nothing solved it.

In the end I went to the zlib site:

 

# wget http://zlib.net/zlib-1.2.7.tar.gz
--2012-11-30 10:15:22-- http://zlib.net/zlib-1.2.7.tar.gz
Resolving zlib.net (zlib.net)... 69.73.181.135
Connecting to zlib.net (zlib.net)|69.73.181.135|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 560351 (547K) [application/x-gzip]
Saving to: `zlib-1.2.7.tar.gz'

100%[======================================>] 560,351 731K/s in 0.7s

2012-11-30 10:15:23 (731 KB/s) - `zlib-1.2.7.tar.gz' saved [560351/560351]

# tar -xzvf zlib-1.2.7.tar.gz

# cd zlib-1.2.7

# ./configure
# make

# make install

cp libz.a /usr/local/lib
chmod 644 /usr/local/lib/libz.a
cp libz.so.1.2.7 /usr/local/lib
chmod 755 /usr/local/lib/libz.so.1.2.7
cp zlib.3 /usr/local/share/man/man3
chmod 644 /usr/local/share/man/man3/zlib.3
cp zlib.pc /usr/local/lib/pkgconfig
chmod 644 /usr/local/lib/pkgconfig/zlib.pc
cp zlib.h zconf.h /usr/local/include
chmod 644 /usr/local/include/zlib.h /usr/local/include/zconf.h
#

Still not fixed.

 

Every update asked for FTP credentials. A search showed this happens when the owner of the directory differs from the user the web application runs as (that is, not www), so:

# chown -R www:www wp

and it stopped asking for FTP credentials.
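A caveat on that fix, with an added example (my code, not from the original post): chown -R www:www hands the web server write access to every PHP file in the tree, so any plugin bug that lets an attacker write a file can also modify WordPress itself and persist. The tighter layout keeps the code owned by a deploy user with group www, lets www write only under wp-content/uploads, and runs upgrades from that deploy account (or accepts the FTP prompt). The two shell functions below lock a tree down that way and audit it for anything group- or world-writable outside uploads. The root path is an argument; the standard WordPress layout (wp-config.php, wp-content/uploads) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a standard WordPress tree
# owned by a deploy user whose group is the web server's group (www).

# wp_lockdown ROOT: code read-only for the group (0755 dirs / 0644 files),
# uploads group-writable with setgid so new files inherit the www group,
# wp-config.php readable only by owner and group.
wp_lockdown() {
    root=$1
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    find "$root/wp-content/uploads" -type d -exec chmod 2775 {} +
    find "$root/wp-content/uploads" -type f -exec chmod 0664 {} +
    [ -f "$root/wp-config.php" ] && chmod 0640 "$root/wp-config.php"
    return 0
}

# wp_audit_writable ROOT: print every group- or world-writable path outside
# wp-content/uploads. A web-server-writable .php file is exactly what a
# compromised plugin needs to drop a backdoor, so the output should be empty.
wp_audit_writable() {
    root=$1
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        \( -perm -020 -o -perm -002 \) -print
}

# wp_writable_count ROOT: number of findings, handy as a check in cron.
wp_writable_count() {
    wp_audit_writable "$1" | wc -l | tr -d ' '
}
```

Usage on the page's tree would be wp_lockdown /usr/local/www/wp followed by wp_audit_writable /usr/local/www/wp (path assumed); a non-empty audit means something writable by the web server has crept in outside uploads.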

 

I reinstalled php5:

# pkg_add -r php5 php5-xml php5-xmlreader php5-xmlwriter php5-mysql
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-xml.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-xmlreader.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/All/php5-dom-5.3.8.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-xmlwriter.tbz… Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-mysql.tbz… Done.
#

Ugh. After hunting half a lifetime for zlib, here it was all along:

# whereis php5-zlib
php5-zlib: /usr/ports/archivers/php5-zlib
#

# pkg_add -r php5-zlib
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-zlib.tbz… Done.
# service spawn-fcgi restart
Stopping spawn_fcgi.
Waiting for PIDS: 74505.
Starting spawn_fcgi.
spawn-fcgi: child spawned successfully: PID: 77653
#

Hooray, solved!

A friend's blog explains it clearly:

http://laiyonghua.cn/blog-init/

A few US dedicated servers

https://www.tailormadeservers.com/order_sys.php?OFFER=WHTSPECIAL-T110&CFG=-3

$80

https://theprimehost.com/billing/cart.php?a=confproduct&i=1

http://www.theprimehost.com/bargain-dedicated-servers.html

$99

 

https://www.datashack.net/cart/?id=148

$64 with a coupon code

https://portal.securedservers.com/wap-jpost3/E5E31230;jsessionid=A3225D53D95A2AAAB4CCC2755A033C82?execution=e1s1

$98

Addendum, 2013-05-23:
theprimehost has a new $85 offer:
http://www.theprimehost.com/bargain-dedicated-servers.html

All things considered it is the better deal, and the memory is generous!

Configuring the integrated site inside a jail

Create the database in MySQL:

create database discuz;

 

Allow the myuser account to log in from 10.0.1.10.

mysql> grant all privileges on *.* to 'myuser'@'10.0.1.10' identified by '' with grant option;
Query OK, 0 rows affected (0.83 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.11 sec)
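The grant above creates an account with every privilege on every database, the right to pass those privileges on, and an empty password. For a PHP application in a jail, scope the account to one schema and one source address. Added example (shell, my code, not part of the original post): a helper that refuses over-broad requests and prints a least-privilege GRANT for the page's discuz database and the 10.0.1.10 jail. The privilege list is an assumption about what a PHP CMS installer needs; adjust it to the application.

```shell
#!/bin/sh
# Added example, not from the original post: build a least-privilege GRANT for
# one application database instead of "ALL PRIVILEGES ON *.* ... WITH GRANT OPTION".

# app_grant_sql DB USER HOST PASSWORD
# Prints the SQL on stdout; prints a reason on stderr and returns 1 if the
# request would create an over-privileged or weakly protected account.
app_grant_sql() {
    db=$1 user=$2 host=$3 pw=$4
    # one plain schema name: no "*" and nothing that could break out of the identifier
    printf '%s' "$db" | grep -Eq '^[A-Za-z0-9_]{1,64}$' \
        || { echo "refuse: database must be one plain schema name, not '$db'" >&2; return 1; }
    printf '%s' "$user" | grep -Eq '^[A-Za-z0-9_]{1,16}$' \
        || { echo "refuse: bad user name '$user'" >&2; return 1; }
    # bind the account to the jail's address, never to '%' or a wildcard
    printf '%s' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "refuse: host must be a single IPv4 address, not '$host'" >&2; return 1; }
    # no empty or short passwords, and nothing that terminates the quoted literal
    [ "${#pw}" -ge 16 ] || { echo "refuse: password shorter than 16 characters" >&2; return 1; }
    case $pw in *\'*|*\\*) echo "refuse: quote or backslash in password" >&2; return 1 ;; esac
    # What a PHP CMS needs (assumption): DML plus schema changes for installers
    # and upgrades. No GRANT OPTION, no FILE/SUPER/PROCESS, no other schemas.
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pw"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf 'FLUSH PRIVILEGES;\n'
}
```

Feed the output to the mysql client in the mysql jail, e.g. app_grant_sql discuz discuz 10.0.1.10 "$PW" | mysql -u root -p; the same call with '*' as the database, '%' as the host or an empty password is refused.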

 

Jail trouble after the VM lost power

After the power loss the virtual disk errored and could not be found. Once I had located it by hand, all the earlier jails were gone.

So: ezjail-admin install -h ftp.jp.freebsd.org

ezjail-admin create test1 10.0.0.5

But starting them failed:

fb1# ezjail-admin start
ezjailConfiguring jails:.
Starting jails:mount_nullfs: Operation not supported by device
mount: fdesc : Operation not supported by device
cannot start jail "test2":
jail: execvp: /bin/sh: No such file or directory
mount_nullfs: Operation not supported by device
mount: fdesc : Operation not supported by device
cannot start jail "test1_com":
jail: execvp: /bin/sh: No such file or directory
.

 

Errors again; it looks like a kernel problem after all:

fb1# ezjail-admin update -u
Cannot identify running kernel
fb1#

I fetched the 9.0-RELEASE src and rebuilt the kernel:

make -j4 buildkernel; make installkernel

After a reboot the jails worked normally, which confirmed the kernel was the cause.

FreeBSD jail VM practice 4: ezjail experiment 2

For some reason none of the jails created with ezjail would run:

fb1# jls
JID IP Address Hostname Path
fb1# ezjail-admin list
STA JID IP Hostname Root Directory
— —- ————— —————————— ————————
DS N/A 10.0.0.5 test7 /usr/jails/test7
DS N/A 10.0.0.7 test4.com /usr/jails/test4
DS N/A 10.0.0.6 test2 /usr/jails/test2

So I decided to set up a fresh VM and start from scratch. Reference:

https://www.freebsdchina.org/forum/viewtopic.php?t=54242&sid=eef3db0f185e9d9165dbba20255c05c4

It says make buildworld can be skipped, which saves a lot of time.

But my ezjail-admin install failed. It turned out that after 9.0 the FTP layout changed, so the install script could not find the files.

After much grief I finally had a flash of inspiration: download the latest ezjail from the official site and install it with make install.

After that, ezjail-admin install was fine.

(### Edit the config file so ezjail can be used
$ ee /etc/rc.conf
ezjail_enable="YES"
### Install world & kernel
$ ezjail-admin install -h ftp.tw.freebsd.org)

An update may be needed ($ ezjail-admin update -u)

Then create the simplest possible jail:

ezjail-admin create test1.com 10.0.0.10

And of course add to /etc/rc.conf:

ifconfig_em0_alias0="inet 10.0.0.10/32"
ezjail_enable="YES"

Then:

fb2# jls
JID IP Address Hostname Path
fb2# ezjail-admin list
STA JID IP Hostname Root Directory
— —- ————— —————————— ————————
DS N/A 10.0.0.10 test1.com /usr/jails/test1.com

 

fb2# jls
JID IP Address Hostname Path
1 10.0.0.10 test1.com /usr/jails/test1.com
fb2# ezjail-admin list
STA JID IP Hostname Root Directory
— —- ————— —————————— ————————
DR 1 10.0.0.10 test1.com /usr/jails/test1.com
Ha, it is finally up!

 

I believe the earlier failures were due to the kernel version, because:

fb1# ezjail-admin update -u
Cannot identify running kernel
fb1#

while this system is fine:

fb2# ezjail-admin update -u
Looking up update.FreeBSD.org mirrors… 3 mirrors found.
Fetching public key from update5.FreeBSD.org… done.
Fetching metadata signature for 9.0-RELEASE from update5.FreeBSD.org…

Addendum, 19 November:

Because the VPS at photon was shut down and the jails would not run after it came back up, I decided to rebuild with ezjail.

ciias# ezjail-admin install -h ftp.jp.freebsd.org

photon is optimized for Asia, and even the FreeBSD main site is slower from there than the jp mirror.

ciias# ezjail-admin update -u

WARNING: FreeBSD 9.0-RELEASE is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 2 months.
Installing updates… done.

Add the virtual IP addresses to /etc/rc.conf:

ifconfig_re0_alias0="inet 10.0.1.10/32"
ifconfig_re0_alias1="inet 10.0.1.11/32"
ifconfig_re0_alias2="inet 10.0.1.12/32"
ifconfig_re0_alias3="inet 10.0.1.13/32"
ifconfig_re0_alias4="inet 10.0.1.14/32"

Add the jail VMs:

ezjail-admin create nginx 10.0.1.10

ezjail-admin create mysql 10.0.1.11

ezjail-admin start

ciias# jls
JID IP Address Hostname Path
1 10.0.1.10 nginx /usr/jails/nginx
2 10.0.1.11 mysql /usr/jails/mysql

Only after finishing did I notice that the earlier ezjail-admin update -p to refresh ports had not gone through; the docs say it needs an uppercase P:

ezjail-admin update -P

It takes a while; let the machine work on it in the background.

Allow raw sockets inside the jails (this is only needed for ping and traceroute; ordinary TCP and UDP work in a jail without it, and it widens what root inside the jail can do with the network, so leave it off for jails that do not need it):
$ sysctl security.jail.allow_raw_sockets=1
$ ee /etc/sysctl.conf
security.jail.allow_raw_sockets=1

 

Also, some of the jails' configuration is best prepared on the host so you do not have to go into each jail to set it up: DNS resolution, IP routing, the root password, common packages and so on.

FreeBSD kernel compilation and tuning (repost)

http://blog.chinaunix.net/space.php?uid=9419692&do=blog&id=3182631

1. Kernel compilation
Trim the kernel by removing unused components and device drivers to make the system more efficient. First run uname -a for the exact kernel version and dmesg for the machine's hardware, and write both down; you will need them when editing the kernel config file.
1. Install cvsup:
------------------------------
Best installed together with the OS;
freebsd# cd /usr/ports/net/cvsup-without-gui/
freebsd# make install clean

2. Update the sources:
------------------------------
freebsd# ee /usr/share/examples/cvsup/stable-supfile
change:
default host=CHANGE_THIS.FreeBSD.org
to:
default host=cvsup.FreeBSDchina.org
src-all
freebsd# ee /usr/share/examples/cvsup/ports-supfile
change:
default host=CHANGE_THIS.FreeBSD.org
to:
default host=cvsup.FreeBSDchina.org
freebsd# cvsup -g -L 2 /usr/share/examples/cvsup/stable-supfile
or: csup -g -L 2 /usr/share/examples/cvsup/stable-supfile
freebsd# cvsup -g -L 2 /usr/share/examples/cvsup/ports-supfile
freebsd# cd /usr/obj
freebsd# chflags -R noschg *
freebsd# rm -rf *
3. Rebuild world and kernel
-----------------------------------
freebsd# cd /usr/src/sys/amd64/conf/ (or /usr/src/sys/i386/conf/ on a 32-bit system)
freebsd# mkdir /root/kernels
freebsd# cp GENERIC /root/kernels/MYKERNEL
freebsd# ln -s /root/kernels/MYKERNEL // the symlink belongs in the conf directory, not in /usr/src
freebsd# cd /usr/src
freebsd# make buildworld // build the userland
freebsd# make buildkernel KERNCONF=MYKERNEL // build the new kernel
freebsd# make installkernel KERNCONF=MYKERNEL // install the new kernel
freebsd# reboot // boot the new kernel (single-user mode is the safe choice) before installing the new userland
freebsd# mergemaster -p
freebsd# make installworld // install the userland
freebsd# mergemaster
freebsd# reboot
The order matters: build world and kernel, install and boot the new kernel, then installworld. Rebooting before installkernel, as the original post did, boots the old kernel and installs nothing.
After the reboot, check with uname -a that the running kernel is your custom one.
Things to watch when editing the kernel file
device em # Intel PRO/1000 Gigabit Ethernet // the NIC driver: be careful here, especially on a remote box; Broadcom BCM570xx cards use device bge instead
If you are not sure of the NIC model, check dmesg | less
If the new kernel misbehaves, put the old one back:
mv /boot/kernel /boot/kernel.bak
mv /boot/kernel.old /boot/kernel
4. The tuned kernel config:
----------------------------------------------------------------
cpu I686_CPU
ident MYKERNEL
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
options SC_DISABLE_REBOOT
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT # default rule is "allow": if the ipfw rule set fails to load the host is wide open; without this option a failed load locks you out of a remote box instead
options DUMMYNET
options HZ=1000
options IPSEC #IP security
device crypto
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options P1003_1B_SEMAPHORES # POSIX-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
options STOP_NMI # Stop CPUS using NMI instead of IPI
options AUDIT # Security event auditing
# To make an SMP kernel, the next two lines are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
# CPU frequency control
device cpufreq
# Bus support.
device eisa
device pci
# SCSI Controllers
device mpt # LSI-Logic MPT-Fusion
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the ‘device miibus’ line in order to use these NICs!
device miibus # MII bus support
device em # Intel PRO/1000 Gigabit Ethernet
device le # AMD Am7900 LANCE and Am79C9xx PCnet (Broadcom BCM570xx needs device bge, not this)
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory “disks”
device gif # IPv6 and IPv4 tunneling
device bpf # Berkeley packet filter
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device ukbd # Keyboard
2. Kernel parameter tuning
Once the kernel is built, adjust kernel parameters to speed up the server
/etc/sysctl.conf
----------------------------------------------------------
# With source routing an attacker can try to reach internal addresses, including RFC1918 ones,
# so refusing source-routed packets keeps the internal network from being probed
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Security: drop TCP segments with SYN and FIN both set (older kernels needed options TCP_DROP_SYNFIN for this); defeats some OS fingerprinting
net.inet.tcp.drop_synfin=1
# Default TCP send buffer
net.inet.tcp.sendspace=65536
# Default TCP receive buffer
net.inet.tcp.recvspace=65536
# UDP receive buffer
net.inet.udp.recvspace=49152
# Largest UDP datagram that can be sent
net.inet.udp.maxdgram=24576
# Send buffer for local (unix-domain) stream sockets
net.local.stream.sendspace=65535
# TCP extensions that improve performance (window scaling and timestamps, limited transmit, larger initial window)
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
# Upper bound on any socket buffer
kern.ipc.maxsockbuf=2097152
# Maximum open files system-wide
kern.maxfiles=65536
# Maximum open files per process
kern.maxfilesperproc=32768
# Whether to delay ACKs
net.inet.tcp.delayed_ack=1
# Ignore (and log) ICMP redirects, and never send them
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
# Do not answer broadcast echo or address-mask requests (smurf-style amplification)
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
# Rate-limit ICMP error responses, and log when the limit is hit
net.inet.icmp.icmplim=100
net.inet.icmp.icmplim_output=1
# Send keepalives on every TCP socket so connections to dead peers are cleaned up
net.inet.tcp.always_keepalive=1
# If net.inet.ip.intr_queue_drops keeps growing, raise intr_queue_maxlen. intr_queue_drops itself
# is a read-only counter, so the original "net.inet.ip.intr_queue_drops=0" line does nothing and is dropped here
net.inet.ip.intr_queue_maxlen=1000
# Maximum segment lifetime in ms: shorter TIME_WAIT, so a connection flood frees state sooner; default 30000
net.inet.tcp.msl=2500
# Drop segments to closed TCP ports without sending RST: 1 = SYN only, 2 = all segments
net.inet.tcp.blackhole=2
# Drop datagrams to closed UDP ports without sending ICMP unreachable
net.inet.udp.blackhole=1
# TCP bandwidth-delay product limiting (the text below is from the FreeBSD Handbook; these sysctls no longer exist in later releases and will be reported as unknown oids there)
net.inet.tcp.inflight.enable=1
# Limits the TCP bandwidth-delay product, similar to NetBSD's TCP/Vegas.
# It is enabled by setting the sysctl net.inet.tcp.inflight.enable to 1.
# The system then tries to compute the bandwidth-delay product of each connection and limits the amount of queued data to just what keeps optimal throughput.
# This matters when the server talks to modem users, gigabit Ethernet and very fast optical links (or anything else with a large bandwidth-delay product) at the same time,
# especially when window scaling or large send windows are in use.
# With this option on, also set net.inet.tcp.inflight.debug to 0 (disables debugging),
# and for production a net.inet.tcp.inflight.min of at least 6144 is beneficial.
# Note, though, that setting it too high effectively disables the limiting.
# The limiting reduces the amount of data sitting in router and switch queues, and in the local interface queue.
# With fewer queued packets, interactive connections, especially over slow modems, also see low round-trip times.
# Note that this only affects sending (upload/server side); it has no effect on receiving (download).
# Tuning net.inet.tcp.inflight.stab is not recommended.
# Its default of 20 adds 2 maximal packets to the bandwidth-delay window calculation.
# The extra window keeps the algorithm stable and improves its response to changing conditions,
# but raises ping times on slow links (still far lower than without inflight).
# In those cases you may want to lower it to 15, 10 or 5,
# and may then also have to lower net.inet.tcp.inflight.min (say to 3500) to get the desired effect.
# Lowering these values should only be a last resort.
net.inet.tcp.inflight.debug=0
net.inet.tcp.inflight.rttthresh=10
net.inet.tcp.inflight.min=6144
net.inet.tcp.inflight.max=1073725440
net.inet.tcp.inflight.stab=20
# Fast forwarding: once a packet to a destination has been forwarded, later packets skip the full
# routing path; saves route computation at the cost of kernel memory
net.inet.ip.fastforwarding=1
# By default the IP ID field is a counter; 1 randomizes it (defeats idle scans and host counting behind NAT)
net.inet.ip.random_id=1
# Maximum listen backlog, default 128; recommended 1024-4096, larger values use more memory
kern.ipc.somaxconn=8192
# Users cannot see other users' processes
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
# Kernel securelevel. 0 is the default and the level can only be raised, never lowered, on a running system; use kern_securelevel in rc.conf to raise it at boot
kern.securelevel=0
# Log connection attempts to closed TCP ports (0 = off, 1 = log)
net.inet.tcp.log_in_vain=0
# Log datagrams to closed UDP ports (0 = off, 1 = log)
net.inet.udp.log_in_vain=0
# Compute and check UDP checksums (the default; leave on)
net.inet.udp.checksum=1
# SYN cookies keep the listen queue usable under a SYN flood
net.inet.tcp.syncookies=1
# Keep SysV shared memory in physical RAM instead of letting it page out; wants 256 MB or more of RAM
kern.ipc.shm_use_phys=1
# Maximum size of a single shared memory segment, in bytes
kern.ipc.shmmax=67108864
# Maximum total shared memory, in pages
kern.ipc.shmall=32768
# Do not write core dumps when a program crashes
kern.coredump=0
# Local (unix-domain) socket receive and send buffers
net.local.stream.recvspace=65536
net.local.dgram.maxdgram=16384
net.local.dgram.recvspace=65536
# Largest raw IP datagram
net.inet.raw.maxdgram=65536
# Raw IP socket receive buffer
net.inet.raw.recvspace=65536
# Maximum number of ipfw dynamic rules, default 4096; raising it keeps a flood of TCP connections (e.g. from a worm) from exhausting the table and blocking normal connections
net.inet.ip.fw.dyn_max=65535
# Let MPSAFE network ISRs process packets directly instead of queueing them; better NIC throughput
net.isr.direct=1
# Route cache expiry timers in seconds (these have nothing to do with CLOSE_WAIT sockets, which are an application-side problem)
net.inet.ip.rtexpire=3600
net.inet.ip.rtminexpire=2
# Idle time in ms before the first TCP keepalive probe
net.inet.tcp.keepidle=600000
# Start of the ephemeral port ranges used for outgoing TCP and UDP connections
net.inet.ip.portrange.first=8888
net.inet.ip.portrange.hifirst=8888
# Kernel version reported to Linux binaries by the Linux compatibility layer
compat.linux.osrelease=2.6.16
/boot/loader.conf
—————————————————-
kern.maxdsiz=”536870912″
kern.ipc.maxsockets=”16424″
kern.ipc.nmbclusters=”32768″
kern.ipc.nmbufs=”65535″
kern.ipc.nsfbufs=”2496″
net.inet.tcp.tcbhashsize=”2048″
kern.maxusers=”256″

This article comes from the 聆听未来 blog; please keep the attribution: http://blog.chinaunix.net/space.php?uid=9419692&do=blog&id=3182631

FreeBSD jail VM practice 3: ezjail

ezjail official site (English):

http://erdgeist.org/arts/software/ezjail/

ezjail Chinese wiki

https://wiki.freebsdchina.org/software/e/ezjail

ezjail English wiki

http://www.secure-computing.net/wiki/index.php/FreeBSD_jails_with_ezjail

Using jails through ezjail, Chinese wiki

https://wiki.freebsdchina.org/software/j/jail

Creating and managing jails with ezjail

http://os.51cto.com/art/201104/254034_1.htm

 

First install ezjail. Nothing special: on FreeBSD it is either cd /usr/ports/sysutils/ezjail && make install clean

or pkg_add -r ezjail

The configuration file lives here:

cp /usr/local/etc/ezjail.conf.sample /usr/local/etc/ezjail.conf

Below is a configuration from the wiki:
# ezjail.conf - Example file, see ezjail.conf(5)
#
# Note: If you alter some of those variables AFTER creating your first
# jail, you may have to adapt /etc/fstab.* and EZJAIL_PREFIX/etc/ezjail/* by
# hand

# Location of jail root directories
#
# Note: If you have spread your jails to multiple locations, use softlinks
# to collect them in this directory
# Directory that holds the jails; the default is /usr/jails. To keep them elsewhere, change it as below.
ezjail_jaildir=/opt/jails

# Location of the tiny skeleton jail template
# Template used when building a jail's base system; normally left alone.
# ezjail_jailtemplate=${ezjail_jaildir}/newjail

# Location of the huge base jail
# Path of the shared base system; normally left alone.
# ezjail_jailbase=${ezjail_jaildir}/basejail

# Location of your copy of FreeBSD's source tree
# Source tree path; normally left alone.
# ezjail_sourcetree=/usr/src

# In case you want to provide a copy of ports tree in base jail, set this to
# a cvsroot near you
# CVS root for the ports tree; usually unnecessary, we use portsnap
# ezjail_portscvsroot=freebsdanoncvs@anoncvs.FreeBSD.org:/home/ncvs

# This is where the install sub command defaults to fetch its packages from
# The FreeBSD FTP server. Why not ftp.cn.FreeBSD.org?
# What is the longest distance in the world? You know. Fine, I admit it: I am sadly on a China Unicom line.
ezjail_ftphost=ftp.tw.freebsd.org

# This is the command that is being executed by the console subcommand
# ezjail_default_execute="/usr/bin/login -f root"

# This is the flavour used by default when setting up a new jail
# Provides a default configuration set for new jails; explained further below. (Tip: my surname is Qian; not sure whether that counts as a highlight.)
ezjail_default_flavour="chian"

# This is the default location where ezjail archives its jails to
# ezjail_archivedir="${ezjail_jaildir}/ezjail_archives"

# base jail will provide a soft link from /usr/bin/perl to /usr/local/bin/perl
# to accomodate all scripts using '#!/usr/bin/perl'...
# ezjail_uglyperlhack="YES"

# Default options for newly created jails
#
# Note: Be VERY careful about disabling ezjail_mount_enable. Mounting
# basejail via nullfs depends on this. You will have to find other
# ways to provide your jail with essential system files
# The author says to be VERY careful about disabling ezjail_mount_enable.
# This setting controls mounting the base system into the jail via nullfs; unless you supply the base system some other way, do not disable it.
# devfs should generally stay enabled too. procfs and fdescfs can usually be disabled.
# ezjail_mount_enable="YES"
# ezjail_devfs_enable="YES"
# ezjail_devfs_ruleset="devfsrules_jail"
ezjail_procfs_enable="NO"
ezjail_fdescfs_enable="NO"

# The next lines are for building jails on ZFS. If you can only run FreeBSD on antique hardware, just ignore them.
# Setting this to YES will start to manage the basejail and newjail in ZFS
# ezjail_use_zfs="YES"
# Setting this to YES will manage ALL new jails in their own zfs
# ezjail_use_zfs_for_jails="YES"
# The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir
# ezjail_jailzfs="tank/ezjail"
# ADVANCED, be very careful!
# ezjail_zfs_properties="-o compression=lzjb -o atime=off"
# ezjail_zfs_jail_properties="-o dedup=on"
In my case I plan to use the defaults throughout.

Of course, since "no swearing allowed", inside China you also need to point at a faster CVS site:

ezjail_portscvsroot=freebsdanoncvs@anoncvs.FreeBSD.org:/home/ncvs

Online it says there are two:

China

  • cvsup.cn.FreeBSD.org
  • cvsup2.cn.FreeBSD.org

and the FTP site:

ezjail_ftphost=ftp.tw.freebsd.org

The various documents all give different steps; I will feel my way across the river.

 

Having installed ezjail, before creating the template, make the two required changes first:

echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf
echo 'ezjail_enable="YES"' >> /etc/rc.conf

Now let's create the jail!
mkdir /usr/jails
cd /usr/jails
ezjail-admin update -ip
If it complains that src is missing, fetch it with:
ezjail-admin install -s
This needs a make buildworld in /usr/src first. I did that yesterday: it compiled from after 9 pm until past noon today. That is what compiling on a single core of a quad-core Atom gets you.
Ugh, I didn't expect creating the jail to be this slow as well; off to bed.
-i do not run make buildworld
-p provide a ports tree to the jail. I still have to check whether it copies the whole tree; if it does, this should be changed later to a mount, which saves space.
I looked at the handbook again; it also installs a separate copy of ports (http://www.freebsd.org/doc/zh_CN.GB2312/books/handbook/jails-application.html)

First, the English text:
  • The -i option above tells ezjail that we’ve already built-world (when we updated FreeBSD on the host system), so it simply does a make installworld to your jail home. Omitting the -i causes this process to take a considerable amount of time because ‘world’ is built.
  • The -p option above tells ezjail that we want the ports tree included in our jail. This will take additional disk space equal to that of the size of your ports tree.

When this process is complete, you should have a directory structure similar to this in your jail home (/usr/jails by default):

drwxr-xr-x   5 root  wheel   512B Sep 26 14:57 .
drwxr-xr-x  18 root  wheel   512B Sep 25 13:11 ..
drwxr-xr-x   9 root  wheel   512B Sep 26 13:42 basejail
drwxr-xr-x   4 root  wheel   512B Sep 26 14:43 flavours
drwxr-xr-x  12 root  wheel   512B Sep 26 13:58 newjail
Mine looks like this:

/usr/jails
fb1# ls -l
total 12
drwxr-xr-x 9 root wheel 512 Nov 13 12:11 basejail
drwxr-xr-x 3 root wheel 512 Nov 13 12:16 flavours
drwxr-xr-x 12 root wheel 512 Nov 13 12:16 newjail

Building Our ezjail Flavour

# cd /usr/jails/flavours
# cp -Rp ./default ./clx
I have no default here, but I do have example:

fb1# pwd
/usr/jails/flavours
fb1# ls -l
total 4
drwxr-xr-x 4 root wheel 512 Nov 11 22:51 example
So I'll copy the pattern:

fb1# cp -Rp example/ ai
fb1# ls
ai example
fb1# ls -l ai
total 12
drwxr-xr-x 2 root wheel 512 Nov 11 22:51 etc
-rwxr-xr– 1 root wheel 1547 Feb 26 2010 ezjail.flavour
drwxr-xr-x 3 root wheel 512 Nov 11 22:51 usr

Copy /usr/local

cp -Rp /usr/local/* ./clx/usr/local/
Optional: this gets everything you have already installed set up inside the jail as well
What I did:

fb1# ls ai/usr/local/
fb1# pwd
/usr/jails/flavours
fb1# cp -Rp /usr/local/* ai/usr/local/

Since a lot of software had been installed under local, this was very slow. In future, take care not to install unnecessary packages on the host. So far only things like wget seem worth it, plus perhaps a preinstalled python, even a python env directory.

Copy /var/db/pkg

# mkdir ./clx/var && mkdir ./clx/var/db
# cp -Rp /var/db/pkg ./clx/var/db/
Optional: this copies the whole package database across. It seems all of FreeBSD's records live here too, e.g. the ports ones...

What I did:

fb1# mkdir ai/var && mkdir ai/var/db
fb1# cp -R /var/db/pkg ai/var/db

 

Create /etc/<config> files

Your jails, by default, have a very limited, and very incorrect setup. Here are the specific files we had to copy from our host /etc/ to our flavour’s etc:

File Reason
/etc/localtime Puts our jail in the correct timezone.
/etc/resolv.conf Allows our system to resolve domain names and URLs.
/etc/motd Creates a login banner for ssh users.
/etc/shells Since we installed bash, we need an appropriate shells file.
/etc/syslog.conf We’ve enabled all.log and console.log in our systems. We want those changes to apply to our jails, as well.

What I did:

fb1# cp /etc/localtime ai/etc/
fb1# ls ai/etc
localtime make.conf periodic.conf rc.conf
fb1# cp /etc/resolv.conf ai/etc/
fb1# cp /etc/motd ai/etc/
fb1# cp /etc/shells ai/etc
fb1# cp /etc/syslog.conf ai/etc
fb1# ls ai/etc
localtime motd rc.conf shells
make.conf periodic.conf resolv.conf syslog.conf

In addition to the copied files, we made some extensive changes to /etc/periodic.conf and /etc/rc.conf. First, rc.conf:

# Miscellaneous Configuration
network_interfaces="lo0"                # No network interfaces aside from the loopback device
kern_securelevel_enable="YES"           # Enable 'securelevel' kernel security
kern_securelevel="1"                    # See init(8)
rpcbind_enable="NO"                     # Disable RPC daemon
cron_flags="$cron_flags -J 15"          # Prevent lots of jails running cron jobs at the same time
syslogd_flags="-ss"                     # Disable syslogd listening for incoming connections
sendmail_enable="NONE"                  # Completely disable sendmail
clear_tmp_enable="YES"                  # Clear /tmp at startup

## Mail Config
postfix_enable="YES"                    # Enable postfix at boot.
sendmail_enable="NO"                    # Disable Sendmail
sendmail_submit_enable="NO"             # Disable sendmail submit
sendmail_outbound_enable="NO"           # Disable sendmail outbound
sendmail_msp_queue_enable="NO"          # Disable sendmail msp queing

# SSHD Configuration
sshd_enable="YES"                       # Enable sshd
  • Note that our rc.conf doesn’t contain any IP address, etc. This is to be handled entirely by the host system.
What I did: edit the rc.conf file, mainly these two lines:

network_interfaces="lo0"

sshd_enable="YES"

 

Next, our periodic.conf file:

daily_status_network_enable="NO"
daily_status_security_ipfwlimit_enable="NO"
daily_status_security_ipfwdenied_enable="NO"
weekly_whatis_enable="NO"       # our jails are read-only /usr

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

daily_show_empty_output="NO"
daily_show_success="NO"
daily_show_info="NO"
daily_status_security_inline="YES"

weekly_show_success="NO"
weekly_show_info="NO"
weekly_show_empty_output="NO"

monthly_show_success="NO"
#monthly_show_info="NO" # Show login accounting
monthly_show_empty_output="NO"
  • man periodic.conf if you’re interested in what’s going on here.
Mine has this:

daily_output="/var/log/daily.log"
weekly_output="/var/log/weekly.log"
monthly_output="/var/log/monthly.log"
daily_status_security_output="/var/log/daily_status_security.log"
daily_status_network_enable="NO"
daily_status_security_ipfwlimit_enable="NO"
daily_status_security_ipfwdenied_enable="NO"
weekly_whatis_enable="NO" # our jails are read-only /usr

 

ezjail.flavour

Inside your flavour’s root directory, you should see an ezjail.flavour file. This file is essentially a script that get’s run the first time a jail that was created with the flavour is started. In our case, we are going to add some users (and their groups), add the postfix/cyrus users and groups, and perform a few other initial maintenance tasks. Here’s our file as an example:

#!/bin/sh
#
# BEFORE: DAEMON
#
# Prevent this script from being called over and over if something fails.

rm -f /etc/rc.d/ezjail-config.sh /ezjail.flavour

# Groups
#########
#
# You will probably start with some groups your users should be in

pw groupadd -q -n cyrus -g 60
pw groupadd -q -n admin -g 100
pw groupadd -q -n admin2 -g 101
pw groupadd -q -n postfix -g 125
pw groupadd -q -n maildrop -g 126

# Users
########
#
# You might want to add some users. The password is to be provided in the
# encrypted form as found in /etc/master.passwd.
# The example password here is "admin"
# Refer to crypt(3) and pw(8) for more information

### ADMIN Accounts
echo -n '<passwd_hash>' |
pw useradd -n admin -u 100 -s /bin/bash -m -d /home/admin -g admin -G wheel -c 'Admin' -H 0

echo -n '<passwd_hash>' |
pw useradd -n admin2 -u 101 -s /bin/csh -m -d /home/admin2 -g admin2 -G wheel -c 'Another Admin' -H 0

### Daemon/System Accounts
# POSTFIX
echo -n '*' |
pw useradd -n postfix -u 125 -s /usr/sbin/nologin -m -d /var/spool/postfix -g postfix -c 'Postfix Mail User' -H 0
## Postfix gripes if /var/spool/postfix isn't owned by root/wheel
chown root:wheel /var/spool/postfix
# CYRUS Mail Server
echo -n '*' |
pw useradd -n cyrus -u 60 -s /usr/sbin/nologin -m -d /nonexistent -g cyrus -c 'Cyrus Mail User' -H 0

# Packages
###########
#
# Install all packages previously put to /pkg
# Remove package files afterwards

[ -d /pkg ] && PACKAGESITE=file:// pkg_add -r /pkg/*
rm -rf /pkg

# Postinstall
##############
#
# Your own stuff here, for example set login shells that were only
# installed just before.

# Create all.log and console.log (chmod all.log, too)
touch /var/log/all.log && chmod 0600 /var/log/all.log
touch /var/log/console.log
  • Any other shell commands you need to run to setup your jail can be put in this file.
What I did:

I changed the following:

pw groupadd -q -n admin -g 100

echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |
pw useradd -n admin -u 1001 -s /bin/sh -m -d /home/admin -G wheel -c 'Admin User' -H 0
# add the admin group and the admin user; the user's password is admin

If needed, add the screen package:

cd /usr/ports/sysutils/screen && make install

It saves your working state so you can pick up quickly after an interruption; see: http://wiki.cnmc.tw/index.php/Sysutils/screen

 

Time to create the jail!

Building a Jail

Now that we’ve got all the configuration and defaults set up for our jails, building an actual jail is pretty darn easy. Let’s say we want to create a jail using our clx flavour for www.example.com with an IP of 10.0.0.5. Simply use the following command:

# ezjail-admin create -f clx www.example.com 10.0.0.5

Yeah, it’s that easy. Once the build is done, it’ll take a couple of minutes, we need to assign that new IP to our jail host, and put that IP in /etc/rc.conf to make it persistent through reboots:

# ifconfig <interface> alias 10.0.0.5/16

rc.conf:

ifconfig_interface_aliasX="inet 10.0.0.5/16"

Note: Replace interface with your actual interface and aliasX where X is the incremental IP alias.

What I did:

ezjail-admin create -f ai test1.com 10.0.0.5

So slow; too many unnecessary packages after all. At the end it showed:

find: /usr/jails/test1.com/pkg/: No such file or directory
Note: Shell scripts for flavour ai installed, flavourizing on jails first startup.
Warning: IP 10.0.0.5 not configured on a local interface.
Warning: Some services already seem to be listening on all IP, (including 10.0.0.5)
This may cause some confusion, here they are:
root sshd 940 4 tcp4 *:22 *:*
root syslogd 723 7 udp4 *:514 *:*

Lots of warnings, but none of them is a problem.

 

While creating, also add the jail address to the NIC:

ifconfig em0 alias 10.0.0.5/16

Or add to rc.conf:

ifconfig_em0_alias0="inet 10.0.0.5/32"

ifconfig_em1_alias0="inet 10.0.0.6/32"

I threw in a few more IPs; ifconfig shows:

inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
inet 10.0.0.6 netmask 0xffffffff broadcast 10.0.0.6
inet 10.0.0.5 netmask 0xffffffff broadcast 10.0.0.5
inet 10.0.0.7 netmask 0xffffffff broadcast 10.0.0.7
inet 10.0.0.8 netmask 0xffff0000 broadcast 10.0.255.255

Now take a look:

fb1# ezjail-admin list

STA JID IP Hostname Root Directory
— —- ————— —————————— ————————
DS N/A 10.0.0.5 test1.com /usr/jails/test1.com

It is a nuisance that sshd has the port taken.

Then restart the jail:

ezjail_enable="YES"
fb1# /usr/local/etc/rc.d/ezjail.sh restart
Stopping jails: cannot stop jail test1_com. No jail id in /var/run
.
Configuring jails:.
Starting jails: cannot start jail "test1_com":
It won't even come back up after a restart; plain jail is easier to debug than this.

Run the create command again:

fb1# ezjail-admin create -f ai test1.com 10.0.0.5
Error: An ezjail config already exists at /usr/local/etc/ezjail/test1_com.
This can happen because ezjail converts non alphanumeric characters in jail names to '_'.
Please rename the ezjail.
fb1# cd /usr/local/etc/ezjail
fb1# ls
test1_com
fb1# cat test1_com
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#

export jail_test1_com_hostname="test1.com"
export jail_test1_com_ip="10.0.0.5"
export jail_test1_com_rootdir="/usr/jails/test1.com"
export jail_test1_com_exec_start="/bin/sh /etc/rc"
export jail_test1_com_exec_stop=""
export jail_test1_com_mount_enable="YES"
export jail_test1_com_devfs_enable="YES"
export jail_test1_com_devfs_ruleset="devfsrules_jail"
export jail_test1_com_procfs_enable="YES"
export jail_test1_com_fdescfs_enable="YES"
export jail_test1_com_image=""
export jail_test1_com_imagetype=""
export jail_test1_com_attachparams=""
export jail_test1_com_attachblocking=""
export jail_test1_com_forceblocking=""
export jail_test1_com_zfs_datasets=""
export jail_test1_com_cpuset=""
export jail_test1_com_fib=""

Checking back, I found

security.jail.param.allow.raw_sockets: 0

so once more:

fb1# echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf
fb1# /etc/netstart
Still not up...

Too many places to slip up! Let's create a simpler one:

ezjail-admin create -f example test2.com 10.0.0.6

………………

find: /usr/jails/test2.com/pkg/: No such file or directory
Note: Shell scripts for flavour example installed, flavourizing on jails first startup.
Warning: Some services already seem to be listening on all IP, (including 10.0.0.6)
This may cause some confusion, here they are:
root syslogd 723 7 udp4 *:514 *:*

Neither of them is up:

fb1# ezjail-admin list
STA JID IP Hostname Root Directory
— —- ————— —————————— ————————
DS N/A 10.0.0.6 test2.com /usr/jails/test2.com
DS N/A 10.0.0.5 test1.com /usr/jails/test1.com
fb1# ezjail-admin start
ezjailConfiguring jails:.
Starting jails: cannot start jail “test2_com”:
cannot start jail “test1_com”:
.

 

Here is a simple set of steps:

(1) Edit the NIC configuration and add two alias addresses to the interface
(2) Build the kernel

(3) Install the ezjail tool from ports

cd /usr/ports/sysutils/ezjail
make install clean

(4) Generate the jail template

ezjail-admin update -p -i

-p: provide the ports tree to the jails

-i: don't run make world again, since we already did that in the first step.

(5) Create two child jails named apache.cn7788.com and research.cn7788.com

ezjail-admin create -r /usr/jails/apache apache.cn7788.com 192.168.1.104
ezjail-admin create -r /usr/jails/research research.cn7788.com 192.168.1.105

These commands create the jails apache.cn7788.com and research.cn7788.com under /usr/jails/apache and /usr/jails/research respectively.

(6) Have the 192.168.1.103 host start ezjail at boot

Proceed as follows:

Append the following line to the end of /etc/rc.conf:

ezjail_enable="YES"

(7) Start the two jails through ezjail

/usr/local/etc/rc.d/ezjail.sh start apache.cn7788.com
/usr/local/etc/rc.d/ezjail.sh start research.cn7788.com

A note on this: ezjail consists of two scripts, ezjail-admin and ezjail.sh; the former creates, updates and deletes jails, the latter starts, stops and restarts them.

(8) Check the state of the jails with ezjail-admin list
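The eight steps above collected into one re-runnable script. This is an added example, not part of the original post and not ezjail's own code. It assumes a FreeBSD 9 host on which steps 2 and 3 (kernel build, ezjail from ports) are already done; the interface name em0, the RC_CONF override, and the jail names and IPs are constructed placeholders. Step 1 is done by adding each jail IP as an interface alias in rc.conf; rcconf_set replaces an existing assignment instead of appending a second copy, which a bare echo >> /etc/rc.conf does on every re-run. With DRY_RUN=1 the privileged ezjail commands are only printed, so the plan can be reviewed on any POSIX system while the rc.conf edits go to whatever file RC_CONF names.

```shell
#!/bin/sh
# Added example, not code from the original post: the ezjail steps above
# collected into one re-runnable script. Assumes FreeBSD 9 with ezjail
# already installed (step 3) and a kernel that supports jails (step 2).
# Interface name, IPs and jail names are constructed placeholders.
# DRY_RUN=1 prints the privileged commands instead of running them.
set -eu

RC_CONF=${RC_CONF:-/etc/rc.conf}
IFACE=${IFACE:-em0}          # assumption: host NIC that carries the jail IPs
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute CMD, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rcconf_set FILE KEY VALUE: write KEY="VALUE" into an rc.conf-style file,
# replacing an existing assignment rather than appending a duplicate line.
rcconf_set() {
    file=$1; key=$2; value=$3; tmp="$file.$$"
    [ -f "$file" ] || : > "$file"
    grep -v "^$key=" "$file" > "$tmp" || true
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# rcconf_get FILE KEY: print the value assigned to KEY, without the quotes
rcconf_get() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# alias_value IP: rc.conf value for one ifconfig_<if>_alias<n> entry
# (step 1: every jail IP is an alias on the host interface)
alias_value() {
    printf 'inet %s netmask 255.255.255.255' "$1"
}

# setup_jails NAME=IP ...: steps 1 and 4 to 8 of the post for each NAME=IP
setup_jails() {
    n=0
    for spec in "$@"; do
        ip=${spec#*=}
        rcconf_set "$RC_CONF" "ifconfig_${IFACE}_alias$n" "$(alias_value "$ip")"
        n=$((n + 1))
    done
    run ezjail-admin update -p -i                  # step 4: basejail plus ports
    rcconf_set "$RC_CONF" ezjail_enable YES        # step 6: start jails at boot
    for spec in "$@"; do
        name=${spec%%=*}; ip=${spec#*=}
        short=${name%%.*}                          # "apache" from "apache.example.com"
        run ezjail-admin create -r "/usr/jails/$short" "$name" "$ip"   # step 5
        run /usr/local/etc/rc.d/ezjail.sh start "$name"                 # step 7
    done
    run ezjail-admin list                          # step 8
}

# Entry point when executed directly, e.g.
#   DRY_RUN=1 RC_CONF=/tmp/rc.conf sh ezjail-setup.sh apache.cn7788.com=192.168.1.104
if [ $# -gt 0 ]; then
    setup_jails "$@"
fi
```

Run it with DRY_RUN=1 and RC_CONF pointing at a scratch file first, read the printed plan and the resulting rc.conf lines, then run it as root on the jail host without DRY_RUN to apply them.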


Another very good tool:

jailaudit

http://anonsvn.h3q.com/projects/jailaudit/


 

 

Website trinity: Discuz + WordPress + Anwsion

All three are PHP + MySQL applications: Discuz is a forum, WordPress a blog and Anwsion a Q&A program; they can be tied together through UCenter.

See this article:

WordPress integrated with Discuz! X2.5 and Anwsion Q&A: unified users with synchronized login

 

I installed Discuz a few days ago; now I'm installing Anwsion. The system needs the GD library, so just pkg_add -r gd

Anwsion reports errors:

  •     × Anwsion 支持 MySQLi 与 PDO_MYSQL 两种数据库模块, 您的服务器两种都不支持
  •     ×
  •     × Anwsion 至少需要有 GD 图象处理库才能正常运行

For the database modules, I had already removed the semicolons from the following three lines in php.ini:

extension=php_mysql.dll
extension=php_mysqli.dll
extension=php_pdo_mysql.dll
Still no good. Following what some blog said:

curl support is also needed
edit php.ini
remove the semicolon from extension=php_curl.dll and restart the service.. Still no good.

Might as well just install the mysqli package:

www# pkg_add -r php5-mysqli
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-mysqli.tbz… Done.
www# /usr/local/etc/rc.d/spawn-fcgi restart
Stopping spawn_fcgi.
Starting spawn_fcgi.
spawn-fcgi: child spawned successfully: PID: 28997
Refreshed the page: OK, it passed.

 

Next, the problem that sessions weren't being carried across:

Following instructions found online, remove the semicolon from this line:

session.save_path = "/tmp"

That didn't solve it.

(Reading the PHP documentation, I found the session extension had moved to PECL, and PECL belongs to PEAR; I'm not sure the session there is the session I need.) I installed pear with pkg, got lots of errors, and since I couldn't get up to speed with pear quickly, I gave up.

After solving the problem below, it occurred to me that session might be a package too. So:

www# whereis php5-session
php5-session: /usr/ports/www/php5-session
www# pkg_add -r php5-session
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-session.tbz… Done.
www# /usr/local/etc/rc.d/spawn-fcgi restart
Stopping spawn_fcgi.
Starting spawn_fcgi.
spawn-fcgi: child spawned successfully: PID: 32534
Problem solved

 

Next, the image-processing library problem:

I had installed gd (pkg_add -r gd); still no good

Later I set this line in php.ini:

extension=php_gd2.dll

Still no good.

Searching around, I found there is a php-gd package; install it:

www# pkg_add -r php5-gd
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/php5-gd.tbz… Done.

Restart the service:

www# /usr/local/etc/rc.d/spawn-fcgi restart
Stopping spawn_fcgi.
Starting spawn_fcgi.
spawn-fcgi: child spawned successfully: PID: 32434
OK!
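The three fixes above (mysqli, session, gd) have the same shape: on FreeBSD every PHP extension is its own package, php5-<extension>, which installs the shared object and enables it for the packaged PHP, whereas the extension=php_*.dll lines are the file names of the Windows build and load nothing on FreeBSD, so editing php.ini could not change the outcome. The following is an added example, not code from the post, from Anwsion or from the FreeBSD ports: it reads php -m output, which lists the loaded modules one per line, names the packages still missing, and fix_php_extensions then runs the same pkg_add -r and spawn-fcgi restart the post used. The mapping php5-<lowercase extension name> is an assumption that holds for the extensions on this page (php5-mysqli, php5-pdo_mysql, php5-session, php5-gd, php5-curl) but not necessarily for every extension.

```shell
#!/bin/sh
# Added example, not from the original post. Works out which FreeBSD php5-*
# packages are still missing from the 'php -m' module list and installs them
# the way the post did (pkg_add -r, then restart spawn-fcgi).
# Assumption: the package for extension X is named php5-x (true for mysqli,
# pdo_mysql, session, gd and curl, the ones this page needed).
set -eu

DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute CMD, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# missing_php_pkgs EXT...: read 'php -m' output on stdin (one module per line,
# plus "[PHP Modules]"-style headers) and print php5-<ext> for every required
# extension that is not loaded. Names are compared case-insensitively because
# php -m prints some of them mixed-case (e.g. "PDO").
missing_php_pkgs() {
    loaded=$(tr '[:upper:]' '[:lower:]')
    for ext in "$@"; do
        lc=$(printf '%s' "$ext" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$loaded" | grep -qx "$lc"; then
            printf 'php5-%s\n' "$lc"
        fi
    done
}

# fix_php_extensions EXT...: install whatever missing_php_pkgs reports and
# restart the FastCGI workers so the new modules are actually loaded
# (the running spawn-fcgi children keep the module set they started with).
fix_php_extensions() {
    pkgs=$(php -m | missing_php_pkgs "$@")
    if [ -z "$pkgs" ]; then
        echo "all required extensions are loaded"
        return 0
    fi
    for p in $pkgs; do
        run pkg_add -r "$p"
    done
    run /usr/local/etc/rc.d/spawn-fcgi restart
}

# What Anwsion asked for on this page (mysqli or pdo_mysql, and gd), plus the
# session and curl modules the post also had to add:
#   fix_php_extensions mysqli pdo_mysql session gd curl
```

Running fix_php_extensions with DRY_RUN=1 first shows which packages would be pulled without touching the host; the php binary it calls must be the same PHP that spawn-fcgi serves, otherwise the module list it inspects is not the one the web application sees.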

 

With the three problems above solved, I also made two directories fully writable:

  • upload/system/
  • upload/system/config/

Finally the installation can begin!

 

Prompt:

目录: /usr/local/www/nginx-dist/aq/upload/tmp 无法创建,请将网站根目录权限设置为 777, 或者创建这个目录设置权限为 777
目录: /usr/local/www/nginx-dist/aq/upload/cache 无法创建,请将网站根目录权限设置为 777, 或者创建这个目录设置权限为 777
目录: /usr/local/www/nginx-dist/aq/upload/uploads 无法创建,请将网站根目录权限设置为 777, 或者创建这个目录设置权限为 777

Action taken:

www# cd upload/
www# pwd
/usr/local/www/nginx-dist/aq/upload
www# mkdir tmp
www# mkdir cache
www# mkdir uploads
Then the database setup screen came up.
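The installer's demand for 777 is wider than what it needs: the directories only have to be writable by the user the PHP FastCGI workers run as, which is the www user in an nginx plus spawn-fcgi setup like this one (an assumption; check the user spawn-fcgi is started with). Added example, not from the post or from Anwsion: prepare_app_dirs creates the three directories from the prompt (and the two from earlier) owned by that user with mode 0755, and audit_world_writable lists whatever under the web root is still world-writable, so a 777 applied during an install can be found and tightened afterwards. The /usr/local/www/nginx-dist/aq paths are the post's; the owner name www is the assumption just stated.

```shell
#!/bin/sh
# Added example, not from the original post. Creates the application
# directories the installer asks for with the web user as owner and mode
# 0755 instead of 777, and audits the web root for world-writable
# directories afterwards. Owner "www" is an assumption about this setup.
set -eu

# prepare_app_dirs ROOT OWNER DIR...: create ROOT/DIR for each DIR, mode 0755,
# owned by OWNER. chown is skipped when OWNER is already the current user, so
# the function also works unprivileged (e.g. when trying it out).
prepare_app_dirs() {
    root=$1; owner=$2; shift 2
    for d in "$@"; do
        mkdir -p "$root/$d"
        chmod 0755 "$root/$d"
        [ "$owner" = "$(id -un)" ] || chown "$owner" "$root/$d"
    done
}

# audit_world_writable ROOT: print every directory under ROOT with the
# other-write bit set (what 'chmod 777' leaves behind), one per line.
audit_world_writable() {
    find "$1" -type d -perm -0002 | sort
}

# Usage on the host from the post (as root, so the chown succeeds):
#   prepare_app_dirs /usr/local/www/nginx-dist/aq/upload www tmp cache uploads system system/config
#   audit_world_writable /usr/local/www/nginx-dist/aq
```

If the audit prints anything after the install has finished, those directories can be brought back to 0755 with the web user as owner; the application keeps working because the worker writing into them is that user, not "other".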

This program isn't smart: it won't create the database itself when it doesn't exist, so I had to create one by hand:

www# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2096 to server version: 4.1.25

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

create database ans;
Query OK, 1 row affected (0.00 sec)

 

Then it threw another error: my MySQL version was too low; it wants 5.x and I had 4.1. So I had no choice but to install a newer MySQL:

www# pkg_delete mysql-server-4.1.25 mysql-client-4.1.25
Stopping mysql.
Waiting for PIDS: 74752.
==> You should manually remove the "mysql" user.
www#

www# pkg_add -r mysql55-server
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/Latest/mysql55-server.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-9.0-release/All/mysql-client-5.5.17.tbz... Done.
===> Creating users and/or groups.
Using existing group 'mysql'.
Using existing user 'mysql'.

************************************************************************

Remember to run mysql_upgrade (with the optional --datadir=<dbdir> flag)
the first time you start the MySQL server after an upgrade from an
earlier version.

************************************************************************

 

Then start MySQL:

echo 'mysql_enable="YES"' >> /etc/rc.conf

www# /usr/local/etc/rc.d/mysql-server start

www# mysql_upgrade --datadir=/var/db

After that it was step by step, and the installation finished! Not easy at all!

Next I installed WordPress the same way. Because I hadn't made the directory writable, WordPress couldn't create wp-config.php, so I pasted the configuration shown on its page and the install went through.

It's late; I'll do the integration tomorrow!

CPU/memory limits for jail virtual machines on FreeBSD

http://wiki.freebsd.org/JailResourceLimits

  • Implement memory limits in kern_jail.c [done]
  • Implement CPU share limiting in sched_hier.c [done]
  • jtune program to modify CPU and memory limits on running jails [done]

cpuset can also be used to restrict CPU

NAME
     cpuset -- configure processor sets

SYNOPSIS
     cpuset [-l cpu-list] [-s setid] cmd ...
     cpuset [-l cpu-list] [-s setid] -p pid
     cpuset [-c] [-l cpu-list] -C -p pid
     cpuset [-cr] [-l cpu-list]
	    [-j jailid | -p pid | -t tid | -s setid | -x irq]
     cpuset [-cgir] [-j jailid | -p pid | -t tid | -s setid | -x irq]

Here is a related page:
http://lists.freebsd.org/pipermail/freebsd-jail/2009-May/000866.html

CPU limit for Jails(patch for ULE scheduler)

 

And another one:

http://www.tomjudge.com/index.php/FreeBSD/Jails/MemoryLimits

 

Installing Nginx+php+mysql+discuz in a jail virtual machine

I followed this document.

https://wiki.freebsdchina.org/howto/n/php_fastcgi_nginx

But I suspect the document skips the step of installing php....

I think the proper install order should be:

Install nginx (pkg install is fastest!)

Install php (the pkg-installed php5)

Install spawn-fcgi (this can also be pkg_add'ed)

 

The nginx configuration is written as:

location ~ \.php$ {
    #root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    fastcgi_param SCRIPT_FILENAME /usr/local/www/nginx$fastcgi_script_name;
    include fastcgi_params;
}

For fastcgi_param I wrote the path /usr/local/www/nginx directly. The official nginx example uses $document_root, but in my testing that path was clearly wrong: it should be the path where the documents live, not where the site is.

In my actual setup there is another nginx in front, forwarding:

server {
    listen 199.71.215.119:80;
    server_name win.airoot.org www.win.airoot.org;
    location / {
        proxy_pass http://10.0.1.100;
    }
}

Then install mysql,

www# service mysql-server start

After some fiddling, installing php5-mysql and restarting spawn-fcgi, Discuz can now be installed.

After Discuz was installed, I found some of its links still use the internal address; that remains to be solved.

 

Later I wrote it like this in the front-layer nginx:

server {
    listen 199.71.215.119:80;
    server_name win.airoot.org www.win.airoot.org;
    location / {
        proxy_pass http://win.airoot.org;
    }
}

and that fixed it.