Rootmanual:freenas: Difference between page versions

From Lysator's computer handbook, the ultimate reference.
(Add description of creating a restricted user for zfs receive)
m (Spelling)
(7 intermediate versions by the same user not shown)
Line 112: Line 112:
Login as Root = yes
== MAIL ==
Change the root mail to match the destination of mail sent:
Navigate to Account/Users/View Users
Click 'root'
Click 'change E-mail'
Set to the desired destination mail
Save

Set the sender mail and outgoing mail server:
Navigate to System/Email
Set from email: root@<hostname> <-- this is the servers hostname
Set Outgoing mail server: mail.lysator.liu.se
Set TLS/SSL: TLS
Save

== Activate Services ==
Line 120: Line 134:

= Setting up sanity checks for hard drives =

The following schedules are for all the storage drives in the data pool, excluding Solid State Drives (SSDs).

== SMART test schedules ==

=== Short test ===
Every 5th, 12th, 19, and 26th of the month at 3am.

=== Long test ===
Every 8th and 22nd at 4am.

== Scrub schedules ==
1st and 15th of the month at 4am. Threshold is set to 10 days.

= Data replication =
Line 163: Line 181:
vi <absolute path for the home of the user>/.zshenv
export PATH=<absolute path for the home of the user>/restricted_bin

Create a .ssh folder in zbackup's $HOME and set the user rights (will not be able to use authorized_keys without this):
chmod -R 700 <zbackup's home dir>/.ssh
chown -R zbackup:zbackup <zbackup's home dir>/.ssh

Setup the zfs user rights for receiving (note, all properties needs to be on one line):
Line 178: Line 200:
=== Sender ===

Running zfs send as root is a non-issue (unless someone can convince me otherwise), so I will use root.
# Create a dedicated user without any login or /home
# Add a ssh key for the user
# Give the user only rights for sending with zfs send
Add a ssh key for the user, drop to a shell as root:
ssh-keygen

Copy the public key to authorized_keys of the receiver, user zbackup. After this the root user
can send backups/snapshots to the receiver.
Current version as of 16 February 2017 at 17:52

Useful documentation

After installing FreeNAS the User Guide documentation for the current version is available in the "Guide" tab.

Setting up a FreeNAS box

Go through the installation process. After the install, make sure that the box has the correct address assigned. If not, you can use the console menus to set it, or drop to a shell.

Using the shell:

ifconfig

Lists all the interfaces; note the one you want to use.

ifconfig <interface> inet <IPv4 address/subnetmask> add

Sets the IPv4 address on the interface you want to use.

ifconfig <interface> inet <IPv4 address> -alias

Removes the address again if you by accident set it on the wrong interface.

route add default <gateway address>

Sets the default gateway.

service nginx restart

Nginx needs to be restarted since it does not yet serve on the new address.

Disable the console menu

Go to System/Advanced:

Enable Console Menu = false

Certificates & syslog server

Make sure that you start by using HTTPS; for this you need a valid certificate. If there is for the moment no signed certificate for the machine, you could generate a self-signed certificate.

To enable https and set syslog server, go to System/General:

Certificate = your certificate
Protocol = HTTPS
WebGUI HTTP -> HTTPS redirect = yes
Syslog server = <Logserver with FQDN>

Kerberos

Before setting up Kerberos, ensure that you use HTTPS!

Generate a Kerberos keytab for your new machine on a machine that is inside the Kerberos realm, and export it.

Go to "Directory/Kerberos Keytabs" and add the exported keytab (ensure that this is done on a trusted computer).

To enable the Kerberos service you need to configure it in "Directory/Kerberos Realms":

  1. Click add kerberos realm
  2. Advanced
Realm = LYSATOR.LIU.SE
KDC = as-master.lysator.liu.se
Admin Server = as-master.lysator.liu.se
Password Server = as-master.lysator.liu.se

OK, and you're done.

NIS

Set up the NIS settings: Directory/NIS

NIS domain = lysator
NIS servers = nis.lysator.liu.se,ns-slave.lysator.liu.se
Secure mode = yes
Enable = yes

And save.

NFS

Set up the default NFS server settings: Service/nfs

Number of Servers = 6
Serve UDP = yes
Enable NFSv4 = yes
support > 16 groups = yes
Log mountd = yes
Log rpc.statd & rpc.lockd = yes

Firewall

Set up pf on the FreeNAS box:

pf is installed by default, so all we need to do is create a configuration and enable it.

To enable it, open /etc/rc.conf with an editor (vi) and add the following at the end:

pf_enable="YES"
pf_rules="<absolute path to your pf.conf with rules>"
gateway_enable="YES"

pf.conf example:

#External interface
ext_if="<interface name of external interface>"
table <bruteforce> persist
set skip on lo0
set block-policy return
scrub in all
block in all
block out all
block quick from <bruteforce>
#Allow from management HTTP/HTTPS only
pass in on $ext_if proto tcp from <management host> to any port 80 flags S/SA keep state
pass in on $ext_if proto tcp from <management host> to any port 443 flags S/SA keep state
#Allow internal traffic
pass in on $ext_if from 130.236.254.0/24 to any keep state
pass in on $ext_if from 2001:6b0:17:f0a0::0/64 to any keep state
#Allow ssh from management only
block in on $ext_if proto tcp from 130.236.254.0/24 to any port { ssh }
block in on $ext_if proto tcp from 2001:6b0:17:f0a0::0/64 to any port { ssh }
pass in on $ext_if proto tcp from <management host> to any port { ssh }
#Allow traffic out
pass out on $ext_if from any to any keep state

End with starting the service:

service pf start

SSH

Before setting up SSH, ensure that the firewall is enabled! Set up the SSH server settings: Services/SSH

Login as Root = yes

MAIL

Change the root mail to match the destination of mail sent:

Navigate to Account/Users/View Users
Click 'root'
Click 'change E-mail'
Set to the desired destination mail
Save

Set the sender mail and outgoing mail server:

Navigate to System/Email
Set from email: root@<hostname> <-- this is the server's hostname
Set Outgoing mail server: mail.lysator.liu.se
Set TLS/SSL: TLS
Save

Activate Services

Last, you need to ensure that the services are enabled; go to "Services":

NFS = on
SSH = on
SMART = on

Setting up sanity checks for hard drives

The following schedules are for all the storage drives in the data pool, excluding Solid State Drives (SSDs).

SMART test schedules

Short test

Every 5th, 12th, 19th, and 26th of the month at 3am.

Long test

Every 8th and 22nd at 4am.

Scrub schedules

1st and 15th of the month at 4am. Threshold is set to 10 days.

Data replication

Snapshots

Replication tasks

Receiver

Create a dedicated user, "Account/Users/Add User":

username = zbackup
create a group = yes
create a home in = <absolute path for the home of the user>
shell = rzsh
name = zbackup
disable password login = yes

Create a dataset for the backup, Storage/Volumes: Create dataset

Dataset Name = backup
Comments = Backup dataset

Change Permissions

Owner(user) = zbackup
Owner(group) = zbackup

Get a shell and create a restricted bin directory for the user:

mkdir <absolute path for the home of the user>/restricted_bin
ln -s /sbin/zfs <absolute path for the home of the user>/restricted_bin/zfs
ln -s /usr/bin/uname <absolute path for the home of the user>/restricted_bin/uname

Add the restricted_bin to the user's PATH:

vi <absolute path for the home of the user>/.zshenv
export PATH=<absolute path for the home of the user>/restricted_bin

Create a .ssh folder in zbackup's $HOME and set the ownership and permissions (the user will not be able to use authorized_keys without this):

chmod -R 700 <zbackup's home dir>/.ssh
chown -R zbackup:zbackup <zbackup's home dir>/.ssh

Set up the zfs user rights for receiving (note: all properties need to be on one line):

zfs allow -u zbackup atime,canmount,casesensitivity,checksum,compression,copies,create,
                         dedup,destroy,exec,filesystem_count,filesystem_limit,jailed,logbias,mount,
                         normalization,quota,readonly,receive,recordsize,redundant_metadata,
                         refquota,refreservation,reservation,setuid,sharenfs,sharesmb,snapdir,
                         snapshot_count,snapshot_limit,sync,userprop,utf8only,volmode
                         <pool name>/<datasets above backup>/backup

The reason for so many properties is that the received snapshots may carry any of them.

Allow the zbackup user to mount datasets by editing /etc/sysctl.conf:

vfs.usermount=1
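
The restricted receiver above only holds if three things stay true: ~/.ssh is private and owned by zbackup, restricted_bin contains nothing but the two intended symlinks, and .zshenv pins PATH to it. Added example (not from the handbook): a Python audit of a zbackup home for exactly those three conditions, assuming the home path and owner uid are given and that /sbin/zfs and /usr/bin/uname are the only permitted targets.

```python
# Added example, not from the Lysator page: audit the zbackup home the Receiver
# section builds; /sbin/zfs and /usr/bin/uname are the assumed only allowed targets.
import os, stat, tempfile
ALLOWED_TARGETS = {"/sbin/zfs", "/usr/bin/uname"}
SAMPLE_OWNER_UID = os.getuid()  # uid that owns the constructed sample below

def audit_zbackup_home(home, owner_uid):
    """Return a list of findings; empty means the layout matches the page."""
    findings, ssh, rbin = [], os.path.join(home, ".ssh"), os.path.join(home, "restricted_bin")
    # 1. ~/.ssh and all it holds: mode 700 and owned by zbackup (chmod/chown -R)
    if not os.path.isdir(ssh):
        findings.append(f"{ssh} missing")
    for r, _dirs, files in os.walk(ssh):
        for p in [r] + [os.path.join(r, n) for n in files]:
            st = os.lstat(p)
            if stat.S_IMODE(st.st_mode) & 0o077:
                findings.append(f"{p} is group/other accessible")
            if st.st_uid != owner_uid:
                findings.append(f"{p} not owned by uid {owner_uid}")
    # 2. restricted_bin: only symlinks, and only to the allowed binaries
    for name in (sorted(os.listdir(rbin)) if os.path.isdir(rbin) else []):
        p = os.path.join(rbin, name)
        if not os.path.islink(p):
            findings.append(f"{p} is not a symlink")
        elif os.readlink(p) not in ALLOWED_TARGETS:
            findings.append(f"{p} -> {os.readlink(p)} not in allow list")
    # 3. .zshenv: exactly the PATH line the page adds and nothing else
    try:
        with open(os.path.join(home, ".zshenv")) as fh:
            lines = [ln.strip() for ln in fh if ln.strip()]
    except OSError:
        lines = []
    if lines != [f"export PATH={rbin}"]:
        findings.append(f".zshenv must contain only: export PATH={rbin}")
    return findings

def make_sample_home(tainted=False):
    """Constructed sample layout in a temp dir; tainted=True adds two defects."""
    home = tempfile.mkdtemp()
    ssh, rbin = os.path.join(home, ".ssh"), os.path.join(home, "restricted_bin")
    for d in (ssh, rbin): os.makedirs(d, 0o700)
    os.close(os.open(os.path.join(ssh, "authorized_keys"), os.O_CREAT | os.O_WRONLY, 0o700))
    os.symlink("/sbin/zfs", os.path.join(rbin, "zfs"))
    os.symlink("/usr/bin/uname", os.path.join(rbin, "uname"))
    with open(os.path.join(home, ".zshenv"), "w") as fh: fh.write(f"export PATH={rbin}\n")
    if tainted:
        os.symlink("/bin/sh", os.path.join(rbin, "sh"))  # defeats the rzsh restriction
        os.chmod(ssh, 0o755)
    return home
```

Run it as root against the real home (audit_zbackup_home("<zbackup's home dir>", <zbackup's uid>)) after the steps above; an empty list means the layout is as intended.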

Sender

Running zfs send as root is a non-issue (unless someone can convince me otherwise), so I will use root.

Add an ssh key for the user; drop to a shell as root:

ssh-keygen

Copy the public key to authorized_keys of the receiver, user zbackup. After this the root user can send backups/snapshots to the receiver.