Rootmanual:freenas: Difference between page versions
Knase (talk | contribs) (Add example firewall configuration)
Knase (talk | contribs) m (Spelling)
(13 intermediate revisions by the same user not shown)
Current revision as of 16 February 2017, 17:52
= Useful documentation =
After installing FreeNAS, the User Guide for the installed version is available in the "Guide" tab.
= Setting up a FreeNAS box =
Go through the installation process. After the install, make sure that the box has the correct address assigned. If not, you can use the console menus to set it, or drop to a shell.
Using the shell:
ifconfig
Lists all the interfaces; note the interface you want to use.
ifconfig <interface> inet <IPv4 address/subnetmask> add
Sets the IPv4 address on the interface you want to use.
ifconfig <interface> inet <IPv4 address> -alias
Removes the address again if you set it on the wrong interface by accident.
route add default <gateway address>
Sets the default gateway.
service nginx restart
Nginx needs to be restarted, since it is not yet serving on the correct address.
Go to System/Advanced:
Enable Console Menu = false
== Certificates & syslog server ==
Make sure that you start by using HTTPS; for this you need a valid certificate. If there is no signed certificate for the machine yet, you can generate a self-signed certificate.
To enable HTTPS and set the syslog server, go to System/General:
Certificate = your certificate
Protocol = HTTPS
WebGUI HTTP -> HTTPS redirect = yes
Syslog server = <Logserver with FQDN>
== Kerberos ==
'''Before setting up Kerberos, ensure that you use HTTPS!'''
Generate a Kerberos keytab for your new machine on a machine that is inside the Kerberos realm, and export it.
Go to "Directory/Kerberos Keytabs" and add the exported keytab (ensure that this is done on a trusted computer).
To enable the Kerberos service you need to configure it in "Directory/Kerberos Realms":
# Click add Kerberos realm
# Advanced
Realm = LYSATOR.LIU.SE
KDC = as-master.lysator.liu.se
Admin Server = as-master.lysator.liu.se
Password Server = as-master.lysator.liu.se
OK, and you're done.
== NIS ==
Set up the NIS settings in Directory/NIS:
NIS domain = lysator
NIS servers = nis.lysator.liu.se,ns-slave.lysator.liu.se
Secure mode = yes
Enable = yes
And save.
== NFS ==
Set up the default NFS server settings in Service/nfs:
Number of Servers = 6
Serve UDP = yes
Enable NFSv4 = yes
support > 16 groups = yes
Log mountd = yes
Log rpc.statd & rpc.lockd = yes
== Firewall ==
Set up pf on the FreeNAS box.
pf is installed by default, so all we need to do is create a configuration and enable it.
To enable it, open /etc/rc.conf with an editor (vi) and add the following at the end:
pf_enable="YES"
pf_rules="<absolute path to your pf.conf with rules>"
gateway_enable="YES"
pf.conf example:
#External interface
ext_if="<interface name of external interface>"
table <bruteforce> persist
set skip on lo0
set block-policy return
scrub in all
block in all
block out all
block quick from <bruteforce>
#Allow from management HTTP/HTTPS only
pass in on $ext_if proto tcp from <management host> to any port 80 flags S/SA keep state
pass in on $ext_if proto tcp from <management host> to any port 443 flags S/SA keep state
#Allow internal traffic
pass in on $ext_if from 130.236.254.0/24 to any keep state
pass in on $ext_if from 2001:6b0:17:f0a0::0/64 to any keep state
#Allow ssh from management only
block in on $ext_if proto tcp from 130.236.254.0/24 to any port { ssh }
block in on $ext_if proto tcp from 2001:6b0:17:f0a0::0/64 to any port { ssh }
pass in on $ext_if proto tcp from <management host> to any port { ssh }
#Allow traffic out
pass out on $ext_if from any to any keep state
End by starting the service:
service pf start
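As an added example (not from the wiki page), the following POSIX shell script generates the pf.conf above from an interface name and a management host, and runs two checks a practitioner would want before `service pf start`: that every rc.conf line is a complete `VAR="value"` assignment (an unterminated quote makes rc.conf fail to parse), and that the ssh `pass` rule for the management host comes after the ssh `block` rules, because pf applies the last matching rule unless `quick` is used. The interface `em0` and the management host `192.0.2.10` in the usage comment are placeholders; the internal networks default to the ones on the page.

```shell
#!/bin/sh
# Added example, not from the wiki page. Generates the page's pf ruleset and
# sanity-checks the rc.conf lines and the ssh rule ordering before pf is enabled.

# Emit the pf.conf template from the page. $1 = external interface, $2 = management
# host, $3/$4 = internal IPv4/IPv6 networks (defaults are the page's Lysator nets).
gen_pf_conf() {
    ext_if="$1"; mgmt="$2"
    net4="${3:-130.236.254.0/24}"; net6="${4:-2001:6b0:17:f0a0::0/64}"
    cat <<EOF
#External interface
ext_if="$ext_if"
table <bruteforce> persist
set skip on lo0
set block-policy return
scrub in all
block in all
block out all
block quick from <bruteforce>
#Allow from management HTTP/HTTPS only
pass in on \$ext_if proto tcp from $mgmt to any port 80 flags S/SA keep state
pass in on \$ext_if proto tcp from $mgmt to any port 443 flags S/SA keep state
#Allow internal traffic
pass in on \$ext_if from $net4 to any keep state
pass in on \$ext_if from $net6 to any keep state
#Allow ssh from management only: the last matching rule wins in pf, so these blocks
#override the internal pass rules above, and the management pass overrides the blocks
block in on \$ext_if proto tcp from $net4 to any port { ssh }
block in on \$ext_if proto tcp from $net6 to any port { ssh }
pass in on \$ext_if proto tcp from $mgmt to any port { ssh }
#Allow traffic out
pass out on \$ext_if from any to any keep state
EOF
}

# Every line of the rc.conf fragment must be a complete VAR="value" assignment;
# an unterminated quote such as gateway_enable="YES breaks rc.conf parsing.
# Returns 0 when all lines are well-formed, 1 otherwise.
check_rc_conf() {
    if printf '%s\n' "$1" | grep -Ev '^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$' >/dev/null; then
        return 1
    fi
    return 0
}

# pf evaluates rules top to bottom and the LAST match decides (absent "quick").
# A "pass ... port { ssh }" placed before a "block ... port { ssh }" would be
# silently overridden and lock the management host out. Reads a ruleset on stdin.
check_ssh_rule_order() {
    awk '
        /port [{] ssh [}]/ {
            if ($1 == "block") last_block = NR
            else if ($1 == "pass" && !first_pass) first_pass = NR
        }
        END { if (first_pass && first_pass < last_block) exit 1; exit 0 }'
}

# Usage (placeholders): gen_pf_conf em0 192.0.2.10 > /etc/pf.conf
#                       gen_pf_conf em0 192.0.2.10 | check_ssh_rule_order && echo "ssh rule order ok"
#                       pfctl -nf /etc/pf.conf   # pf's own syntax check before "service pf start"
```

One more thing to notice about the page's ruleset: it declares the `<bruteforce>` table, but none of the shown rules adds addresses to it, so `block quick from <bruteforce>` has no effect until something populates the table. The usual pf ways are a `max-src-conn-rate ... overload <bruteforce>` state option on the ssh pass rule, or adding entries by hand with `pfctl -t bruteforce -T add`.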
== SSH ==
'''Before setting up SSH, ensure that the firewall is enabled!'''
Set up the SSH server settings in Services/SSH:
Login as Root = yes
== MAIL ==
Change the root mail to match the destination of mail sent:
Navigate to Account/Users/View Users
Click 'root'
Click 'change E-mail'
Set to the desired destination mail
Save
Set the sender mail and outgoing mail server:
Navigate to System/Email
Set from email: root@<hostname> (this is the server's hostname)
Set Outgoing mail server: mail.lysator.liu.se
Set TLS/SSL: TLS
Save
== Activate Services ==
Lastly, ensure that you enable the services; go to "Services":
NFS = on
SSH = on
SMART = on
= Setting up sanity checks for hard drives =
The following schedules are for all the storage drives in the data pool, excluding Solid State Drives (SSDs).
== SMART test schedules ==
=== Short test ===
Every 5th, 12th, 19th, and 26th of the month at 3am.
=== Long test ===
Every 8th and 22nd of the month at 4am.
== Scrub schedules ==
1st and 15th of the month at 4am. Threshold is set to 10 days.
= Data replication =
== Snapshots ==
== Replication tasks ==
=== Receiver ===
Create a dedicated user in "Account/Users/Add User":
username = zbackup
create a group = yes
create a home in = <absolute path for the home of the user>
shell = rzsh
name = zbackup
disable password login = yes
Create a dataset for the backup in Storage/Volumes:
'''Create dataset'''
Dataset Name = backup
Comments = Backup dataset
'''Change Permissions'''
Owner(user) = zbackup
Owner(group) = zbackup
Get a shell and create a restricted bin for the user:
mkdir <absolute path for the home of the user>/restricted_bin
ln -s /sbin/zfs <absolute path for the home of the user>/restricted_bin/zfs
ln -s /usr/bin/uname <absolute path for the home of the user>/restricted_bin/uname
Add the restricted_bin to the user's PATH:
vi <absolute path for the home of the user>/.zshenv
export PATH=<absolute path for the home of the user>/restricted_bin
Create a .ssh folder in zbackup's $HOME and set the user rights (authorized_keys cannot be used without this):
chmod -R 700 <zbackup's home dir>/.ssh
chown -R zbackup:zbackup <zbackup's home dir>/.ssh
Set up the ZFS user rights for receiving (note: all properties need to be on one line):
zfs allow -u zbackup atime,canmount,casesensitivity,checksum,compression,copies,create,dedup,destroy,exec,filesystem_count,filesystem_limit,jailed,logbias,mount,normalization,quota,readonly,receive,recordsize,redundant_metadata,refquota,refreservation,reservation,setuid,sharenfs,sharesmb,snapdir,snapshot_count,snapshot_limit,sync,userprop,utf8only,volmode <pool name>/<datasets above backup>/backup
The reason for so many properties is that the received snapshots may carry those properties.
Allow the zbackup user to mount datasets by adding the following to /etc/sysctl.conf:
vfs.usermount=1
=== Sender ===
Running zfs send as root is a non-issue (unless someone can convince me otherwise), so I will use root.
Add an SSH key for the user; drop to a shell as root:
ssh-keygen
Copy the public key to the authorized_keys of the zbackup user on the receiver. After this the root user can send backups/snapshots to the receiver.
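Added example, not from the wiki page: a POSIX shell script that automates the receiver lockdown described under Receiver (restricted_bin, .zshenv, .ssh mode) and the sender-side `zfs send | zfs receive` pipeline that the page leaves implicit, choosing the incremental base as the newest snapshot both sides already have. The receiver host `nas-backup.example`, the pool name `tank` and the dataset paths are placeholders; the `chown` to zbackup from the page is left to the caller, because the script is demonstrated here on a scratch directory as an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the wiki page. Scripts the receiver-side lockdown from the
# page and the sender-side replication pipeline. Host and pool names are placeholders.

# Build the restricted environment for the zbackup user in home dir $1: a restricted_bin
# holding only the symlinks rzsh may execute, a .zshenv that makes it the whole PATH,
# and a .ssh dir with the mode sshd requires. (chown to zbackup is done by the caller.)
setup_restricted_home() {
    home="$1"
    mkdir -p "$home/restricted_bin" "$home/.ssh"
    ln -sf /sbin/zfs "$home/restricted_bin/zfs"
    ln -sf /usr/bin/uname "$home/restricted_bin/uname"
    printf 'export PATH=%s/restricted_bin\n' "$home" > "$home/.zshenv"
    chmod 700 "$home/.ssh"
}

# sshd ignores authorized_keys when ~/.ssh is group/world accessible. The mode field
# of ls -ld is parsed because stat's flags differ between FreeBSD and Linux. 0 = OK.
verify_ssh_dir() {
    mode=$(ls -ld "$1" | awk '{ print substr($1, 1, 10) }')
    [ "$mode" = "drwx------" ]
}

# Choose the incremental base: the newest snapshot (sender list $1 is oldest-first,
# one name per line) that also exists in the receiver list $2. Prints nothing when
# there is no common snapshot, in which case a full send is needed.
latest_common_snapshot() {
    printf '%s\n' "$1" | awk -v recv="$2" '
        BEGIN { n = split(recv, r, "\n"); for (i = 1; i <= n; i++) have[r[i]] = 1 }
        ($0 in have) { last = $0 }
        END { if (last != "") print last }'
}

# Send $1@$2 to dataset $5 on ssh target $4, incrementally from $1@$3 when $3 is
# non-empty. -u keeps the received dataset unmounted; -F rolls the receiver back to
# the common base. With DRY_RUN=1 the pipeline is printed instead of run.
replicate() {
    src="$1"; snap="$2"; prev="$3"; target="$4"; dst="$5"
    if [ -n "$prev" ]; then
        set -- zfs send -i "$src@$prev" "$src@$snap"
    else
        set -- zfs send "$src@$snap"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s | ssh %s zfs receive -u -F %s\n' "$*" "$target" "$dst"
        return 0
    fi
    "$@" | ssh "$target" zfs receive -u -F "$dst"
}

# Usage on the sender (as root, per the page; drop DRY_RUN=1 to run it for real):
#   local_snaps=$(zfs list -H -o name -t snapshot -s creation tank/data | sed 's/.*@//')
#   remote_snaps=$(ssh zbackup@nas-backup.example zfs list -H -o name -t snapshot -s creation tank/backup/data | sed 's/.*@//')
#   prev=$(latest_common_snapshot "$local_snaps" "$remote_snaps")
#   DRY_RUN=1 replicate tank/data "snap-$(date +%Y%m%d)" "$prev" zbackup@nas-backup.example tank/backup/data
```

On the receiver the remote `zfs receive` runs under rzsh with the PATH from .zshenv, so it resolves to the restricted_bin symlink and nothing else is reachable; the `zfs allow` delegation on the page is what lets the unprivileged zbackup user actually receive into the backup dataset.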