Rootmanual:freenas: Skillnad mellan sidversioner
Knase (diskussion | bidrag) (Add template for data replication and sanity checks) |
Knase (diskussion | bidrag) (Add description of creating a restricted user for zfs receive) |
||
Rad 139: | Rad 139: | ||
=== Receiver === |
=== Receiver === |
||
Create a dedicated user, "Account/Users/Add User": |
|||
username = zbackup |
|||
# Add a ssh key for the user |
|||
create a group = yes |
|||
# Give the user only rights for receiving with zfs receive |
|||
create a home in = <absolute path for the home of the user> |
|||
shell = rzsh |
|||
name = zbackup |
|||
disable password login = yes |
|||
Create a dataset for the backup, Storage/Volumes: |
|||
'''Create dataset''' |
|||
Dataset Name = backup |
|||
Comments = Backup dataset |
|||
'''Change Permissions''' |
|||
Owner(user) = zbackup |
|||
Owner(group) = zbackup |
|||
Get a shell and create a restricted bin for the user: |
|||
mkdir <absolute path for the home of the user>/restricted_bin |
|||
ln -s /sbin/zfs <absolute path for the home of the user>/restricted_bin/zfs |
|||
ln -s /usr/bin/uname <absolute path for the home of the user>/restricted_bin/uname |
|||
Add the restricted_bin to the users PATH: |
|||
vi <absolute path for the home of the user>/.zshenv |
|||
export PATH=<absolute path for the home of the user>/restricted_bin |
|||
Setup the zfs user rights for receiving (note, all properties needs to be on one line): |
|||
zfs allow -u zbackup atime,canmount,casesensitivity,checksum,compression,copies,create, |
|||
dedup,destroy,exec,filesystem_count,filesystem_limit,jailed,logbias,mount, |
|||
normalization,quota,readonly,receive,recordsize,redundant_metadata, |
|||
refquota,refreservation,reservation,setuid,sharenfs,sharesmb,snapdir, |
|||
snapshot_count,snapshot_limit,sync,userprop,utf8only,volmode |
|||
<pool name>/<datasets above backup>/backup |
|||
The reason for so many properties is because the snapshots may include those. |
|||
Allow the zbackup user to mount datasets by editing /etc/sysctl.conf: |
|||
vfs.usermount=1 |
|||
=== Sender === |
=== Sender === |
Versionen från 28 januari 2017 kl. 17.38
Useful documentation
After installing FreeNAS the User Guide documentation for the current version is available in the "Guide" tab.
Setting up a FreeNAS box
Go through the installation process. After the install make sure that you have the correct address assigned to the box. If not you could use the console menus to set it or drop to a shell.
Using the shell:
ifconfig
Lists all the interfaces and note the interface you want to use
ifconfig <interface> inet <IPv4 address/subnetmask> add
Sets the IPv4 for the interface you want to use
ifconfig <interface> inet <IPv4 address> -alias
If you by accident set a address to the wrong interface
route add default <gateway address>
Sets the default gatway
service nginx restart
Nginx needs to be restarted since it does not serve on the correct address.
Go to System/Advanced:
Enable Console Menu = false
Certficates & syslog server
Make sure that you start by using https, for this you need to have a valid certificate. You could if there for the moment are no signed certificate for the machine, generate a self-signed certificate.
To enable https and set syslog server, go to System/General:
Certificate = your certificate Protocol = HTTPS WebGUI HTTP -> HTTPS redirect = yes Syslog server = <Logserver with FQDN>
Kerberos
Before setting up kerberos, ensure that you use HTTPS!
Generate a kerberos keytab on a machine that is inside the kerberos realm for your new machine and export it.
Go to "Directory/Kerberos Keytabs" and add the exported keytab (ensure that this is done on a trusted computer).
To enable the kerberos service you need configure it in "Directory/Kerberos Realms":
- Click add kerberos realm
- Advanced
Realm = LYSATOR.LIU.SE KDC = as-master.lysator.liu.se Admin Server = as-master.lysator.liu.se Password Server = as-master.lysator.liu.se
OK, and your done.
NIS
Setup NIS settings: Directory/NIS
NIS domain = lysator NIS servers = nis.lysator.liu.se,ns-slave.lysator.liu.se Secure mode = yes Enable = yes
And save.
NFS
Setup the default nfs server settings: Service/nfs
Number of Servers = 6 Serve UDP = yes Enable NFSv4 = yes support > 16 groups = yes Log mountd = yes Log rpc.statd & rpc.lockd = yes
Firewall
Setup pf on the FreeNAS box:
pf is installed by default so all we need to do is create a configuration and enable it.
To enable, open /etc/rc.conf with some editor (vi) and add the following at the end:
pf_enable="YES" pf_rules="<absolute path to your pf.conf with rules>" gateway_enable="YES
pf.conf example:
#External interface ext_if="<interface name of external interface>" table <bruteforce> persist set skip on lo0 set block-policy return scrub in all block in all block out all block quick from <bruteforce> #Allow from management HTTP/HTTPS only pass in on $ext_if proto tcp from <management host> to any port 80 flags S/SA keep state pass in on $ext_if proto tcp from <management host> to any port 443 flags S/SA keep state #Allow internal traffic pass in on $ext_if from 130.236.254.0/24 to any keep state pass in on $ext_if from 2001:6b0:17:f0a0::0/64 to any keep state #Allow ssh from management only block in on $ext_if proto tcp from 130.236.254.0/24 to any port { ssh } block in on $ext_if proto tcp from 2001:6b0:17:f0a0::0/64 to any port { ssh } pass in on $ext_if proto tcp from <management host> to any port { ssh } #Allow traffic out pass out on $ext_if from any to any keep state
End with starting the service:
service pf start
SSH
Before setting up SSH, ensure that the firewall is enabled! Setup the ssh server settings: Services/SSH
Login as Root = yes
Activate Services
Last you need to ensure that you enable the services, go to "Services":
NFS = on SSH = on SMART = on
Setting up sanity checks for hard drives
SMART test schedules
Short test
Long test
Scrub schedules
Data replication
Snapshots
Replication tasks
Receiver
Create a dedicated user, "Account/Users/Add User":
username = zbackup create a group = yes create a home in = <absolute path for the home of the user> shell = rzsh name = zbackup disable password login = yes
Create a dataset for the backup, Storage/Volumes: Create dataset
Dataset Name = backup Comments = Backup dataset
Change Permissions
Owner(user) = zbackup Owner(group) = zbackup
Get a shell and create a restricted bin for the user:
mkdir <absolute path for the home of the user>/restricted_bin ln -s /sbin/zfs <absolute path for the home of the user>/restricted_bin/zfs ln -s /usr/bin/uname <absolute path for the home of the user>/restricted_bin/uname
Add the restricted_bin to the users PATH:
vi <absolute path for the home of the user>/.zshenv export PATH=<absolute path for the home of the user>/restricted_bin
Setup the zfs user rights for receiving (note, all properties needs to be on one line):
zfs allow -u zbackup atime,canmount,casesensitivity,checksum,compression,copies,create, dedup,destroy,exec,filesystem_count,filesystem_limit,jailed,logbias,mount, normalization,quota,readonly,receive,recordsize,redundant_metadata, refquota,refreservation,reservation,setuid,sharenfs,sharesmb,snapdir, snapshot_count,snapshot_limit,sync,userprop,utf8only,volmode <pool name>/<datasets above backup>/backup
The reason for so many properties is because the snapshots may include those.
Allow the zbackup user to mount datasets by editing /etc/sysctl.conf:
vfs.usermount=1
Sender
- Create a dedicated user without any login or /home
- Add a ssh key for the user
- Give the user only rights for sending with zfs send