We have Linux, why'd we care?
● Diversity
● Diversity is good
– Having competing implementations results in better performance
● This applies not only to flavors of BSD: having a completely different implementation of POSIX keeps Linux on its toes
– Monoculture increases exposure: "one exploit to rule them all"
– One more playground to develop your ideas
● Licensing
● BSD license is very easy to understand: do whatever you want, just keep our copyright strings.
– Very appealing to vendors (NetApp, Juniper, Apple)
● No obligations, but still getting contributions
History of the BSD
● 4.2BSD (1983) – TCP/IP, FFS
● 4.3BSD (1986) – portability, performance
● Net/1 (1989) – release of networking code
● Net/2 (1991) – rewrite of remaining proprietary parts
● 386BSD (1992) – port to 80386
● FreeBSD, NetBSD
● Lawsuit by AT&T, slows development for 2 years
● 4.4BSD R2 (1995) – Last release from Berkeley
● OpenBSD (1995) – security-oriented fork of NetBSD
● FreeBSD 4 (2000) – outstanding stability and performance, jails
● FreeBSD 5 (2003) – SMP, GEOM, netgraph
● DragonFly BSD (2003) – fork of FreeBSD 4.8, different take on SMP
● FreeBSD 6 (2005) – more kernel SMP work
● FreeBSD 7 (2008) – SCTP, UFS journaling, ZFS, DTrace, jemalloc, sched_ule
Slices vs partitions
● DOS partitions are called slices – s1, s2, ...
● fdisk /dev/ad0
– Painful to use; use sysinstall if you need to edit slices interactively
– Or -I to use the whole disk
● Further subdivided into (BSD) partitions – a, b, ...
● bsdlabel -e /dev/ad0s1
● c is the "raw" disk by convention. Do not use or alter.
● /dev/ad0
● /dev/ad0s1
– /dev/ad0s1a
– /dev/ad0s1d
● /dev/ad0s2
– /dev/ad0s2a
– /dev/ad0s2b
Notable differences
● /bin/sh is not bash
● root's shell is /bin/sh
– Keep it that way and do not log in as root.
● /bin/csh sucks
– pkg_add -r bash (or some other shell)
● /usr/bin/vi is not vim
– pkg_add -r vim-lite
● Not plain vim: that will pull the whole world along with it
– Stuck in vi(m)? Don't panic: <Esc>:q!
● Set your $EDITOR to "ee" – a gentler approach to editing, with on-screen help
● To su to root, the user needs to be in @wheel
● sysinstall is there
● sshd has PermitRootLogin off by default
● Keep it that way, do not log in as root over ssh
/usr vs /usr/local
● /bin, /sbin, /lib – essential system bins and libs
● /usr/{bin,sbin,lib} – other base system bins, libs
● /usr/local/{bin,sbin,lib} – ports bins, libs
● /etc
● /etc/namedb (BIND is in base)
● /usr/local/etc/postfix (Postfix is in ports)
/etc/rc.conf
● A shell script, but not to be (mis)used as such: declarations only please.
hostname="web.example.com"
ifconfig_bge0="inet 10.0.0.2/24"
defaultrouter="10.0.0.1"
sshd_enable="YES"
pf_enable="YES"
ntpd_enable="YES"
sendmail_enable="NONE" # Can be "YES", "NO" or "NONE"
postfix_enable = "YES" # Invalid – no spaces allowed around "=" (it's a shell script!)
...
● /etc/defaults/rc.conf – the system defaults that /etc/rc.conf overrides
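Added example, not from the original slides: a POSIX sh linter that enforces the "declarations only" rule on an rc.conf, flagging the postfix_enable = "YES" mistake and anything the shell would expand or execute at boot. The sample file contents and the function names are assumptions.

```shell
# Hypothetical rc.conf linter (added example). /etc/rc.conf is sourced by
# /bin/sh at boot, so anything that is not a plain NAME="value" assignment
# is either executed as root or silently misparsed.

# Constructed sample (not a real host's rc.conf); the last three lines are the
# mistakes the "declarations only" rule guards against.
SAMPLE_RCCONF='hostname="web.example.com"
ifconfig_bge0="inet 10.0.0.2/24"
defaultrouter="10.0.0.1"
sshd_enable="YES"
sendmail_enable="NONE"   # Can be "YES", "NO" or "NONE"
postfix_enable = "YES"
pf_enable="$(cat /etc/pf_wanted)"
if [ -f /etc/ntp.conf ]; then ntpd_enable="YES"; fi'

# check_rcconf reads an rc.conf on stdin, writes one diagnostic per bad line
# to stderr and prints the number of bad lines on stdout (0 means clean).
check_rcconf() {
    problems=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop full-line and trailing comments, then surrounding blanks.
        stripped=$(printf '%s\n' "$line" | sed -e 's/^#.*$//' -e 's/[[:space:]]#.*$//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        if [ -z "$stripped" ]; then continue; fi
        # Accept NAME="literal" or NAME=bareword: no quotes, $, backticks or
        # backslashes in the value, i.e. nothing the shell would expand or run.
        if printf '%s\n' "$stripped" |
            grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=("[^"$`\\]*"|[A-Za-z0-9_./:-]*)$'; then
            continue
        fi
        problems=$((problems + 1))
        if printf '%s\n' "$stripped" |
            grep -Eq '^[A-Za-z_][A-Za-z0-9_]*([[:space:]]+=|=[[:space:]]+)'; then
            # sh parses 'name = value' as running the command 'name', so the
            # setting is lost and the service never starts.
            printf 'line %d: spaces around "=": %s\n' "$lineno" "$stripped" >&2
        else
            printf 'line %d: not a plain declaration: %s\n' "$lineno" "$stripped" >&2
        fi
    done
    echo "$problems"
}

# Runs the checker over the constructed sample (expected: 3 problems).
sample_problem_count() {
    printf '%s\n' "$SAMPLE_RCCONF" | check_rcconf
}
echo "problems found in sample: $(sample_problem_count)"
```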
System startup
● /etc/rc.d/* – base system services
● /usr/local/etc/rc.d/* – services from ports
● /etc/rc.conf – enable/disable services
● foo_enable="YES"
● Order depends on the set of REQUIRE/PROVIDE declarations
● rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
Logging
● syslog
● /etc/syslog.conf, /var/log/*
● /var/log/all.log – useful to have, easy to find stuff
● newsyslog – log rotation
● Not just syslogs, any logs – /etc/newsyslog.conf
● Compression, pid files, signals; runs in parallel
● Time spec is a bit odd, but the manpage is good and there's a dry-run mode: newsyslog -n -v
/logs/www/access.log root:www 660 12 * @01T00 JC /var/run/httpd.pid 30
Ports
● /usr/ports/$category/$package
● Makefiles pushed to their limits.
● Search
– /usr/ports # make search name=foo
● Build and install:
– /usr/ports/category/package # make install – builds from sources
– pkg_add -r package – downloads and installs a pre-built package
● Port options in /var/db/ports/$package
Package management
● portupgrade
– pkg_add -r portupgrade
– portupgrade -aP
– /usr/local/etc/pkgtools.conf – per-package options
● Package database
– pkg_info
– /var/db/pkg – plain text files describing installed packages and dependencies
– Cached in a BDB file, /var/db/pkg/pkgdb.db
Versioning (uname -r)
● Stable branch, X-STABLE. Currently X=7.
● X.Y-RELEASE – official release, no patches. What you get by installing from an official CD/DVD.
– X.Y-RELEASE-pN – official release + security patch N.
● N starts with 0. Patches are provided for 2 years after release.
– Stable, only security fixes. Easy to track via binary updates.
● X.Y-STABLE – stable development branch between X.Y and X.(Y+1)
– Reasonably stable, but requires updating from source. Can be considered for production if it contains features/fixes not yet released.
● Development branch, (X+1)-CURRENT
● Bumpy ride on the bleeding edge. Latest and greatest but not necessarily stable. Requires compiling from source. Not recommended for production.
Updating the base system
● Binary updates on the RELEASE branch
– freebsd-update fetch && freebsd-update install
– This will keep you up to date on security patches to your current release
– freebsd-update -r X.Y-RELEASE upgrade – upgrade to release X.Y
● Source updates, for STABLE and CURRENT branches
– Yes, you will build and install the world.
– Do not be alarmed. Concentrate on the kittens.
Updating base system from source
● Copy and edit /usr/share/examples/cvsup/stable-supfile
– Set host= to one of the mirrors (see link in the file)
– Set tag= to the desired branch, e.g. RELENG_7
● cd /usr/src; csup /path/to/my_supfile
● make buildworld
● make buildkernel && make installkernel
● Reboot (required if performing a major upgrade, i.e. X.Y -> (X+1).0)
● mergemaster -p
– Review and apply config changes required to install binaries (e.g. addition of new users)
● make installworld
● mergemaster
– Review and apply config changes
Updating packages
● Update the ports tree in /usr/ports
– csup /usr/share/examples/cvsup/ports-supfile
● Install portupgrade
– pkg_add -r portupgrade
● See what's to be updated
– portupgrade -an
● Perform the update
– portupgrade -aP
– -P tells portupgrade to use binary packages when available.
● Packages are only provided for the several most recent RELEASE branches and are not available on STABLE and CURRENT.
● Reboot is recommended at this point to reload all binaries. Restarting individual services also works.
Packet filtering
● User sanity first
● getopt() is NOT a good rule language
– yes, I'm looking at you, iptables
● ipfw
– Abandoned for a while, development resumed recently
– pass tcp from any to me 80 in via bge0 keep-state
● ipf
– Ported from NetBSD
– Better than the original ipfw but no recent development
– pass in on bge0 proto tcp from any to bge0 port 80
● pf
– OpenBSD's rewrite of ipf, with further improvements
– tables, packet reassembly, traffic shaping, pfsync
Jails
● Para-virtualization
● Shares the running kernel
● Provides a separate userland with process isolation
● Restricted root privileges
● Appeared in FreeBSD 4.0
● "chroot() on steroids"
● Isolation is being improved
● Multiple IP addresses in 7.2
● Own networking stack with filtering expected in 8.0
Performance monitoring
● vmstat
● systat -XXX, where XXX is one of ifstat, iostat, vmstat, ip, tcp
● iostat
● gstat
● top
– "S" (or -S) to display kernel threads
– "H" (or -H) to display user-level threads
● /proc is not mounted by default
– "mount_procfs proc /proc", but usually you can do without
– sysctls are used instead: sysctl -a lists them, -d gives short descriptions
Case study: MySQL performance
● Red is Linux 2.6.20.1, green is 2.6.21. The drop at more than 8 threads is assumed to be MySQL's fault.
● Others are various snapshots of FreeBSD 7.0. Caused a lot of noise.
MySQL performance: 3 months later
● Red is FreeBSD 7.0, green is Linux 2.6.22, blue is 2.6.23
● Scaling issue has been fixed, but change of scheduler in 2.6.23 caused a regression (later resolved)
Recommended