Rootmanual:freenas: Skillnad mellan sidversioner

Från Lysators datorhandbok, den ultimata referensen.
Hoppa till navigering Hoppa till sök
(add ssh settings)
(Add template for data replication and sanity checks)
Rad 118: Rad 118:
SSH = on
SSH = on
SMART = on
SMART = on

= Setting up sanity checks for hard drives =

== SMART test schedules ==

=== Short test ===

=== Long test ===

== Scrub schedules ==


= Data replication =

== Snapshots ==


== Replication tasks ==

=== Receiver ===

# Create a dedicated user without any login or /home
# Add a ssh key for the user
# Give the user only rights for receiving with zfs receive

=== Sender ===

# Create a dedicated user without any login or /home
# Add a ssh key for the user
# Give the user only rights for sending with zfs send

Versionen från 27 januari 2017 kl. 21.21

Useful documentation

After installing FreeNAS the User Guide documentation for the current version is available in the "Guide" tab.

Setting up a FreeNAS box

Go through the installation process. After the install make sure that you have the correct address assigned to the box. If not you could use the console menus to set it or drop to a shell.

Using the shell:

ifconfig

Lists all the interfaces and note the interface you want to use

ifconfig <interface> inet <IPv4 address/subnetmask> add

Sets the IPv4 for the interface you want to use

ifconfig <interface> inet <IPv4 address> -alias

If you by accident set a address to the wrong interface

route add default <gateway address>

Sets the default gatway

service nginx restart

Nginx needs to be restarted since it does not serve on the correct address.

Disable the console menu

Go to System/Advanced:

Enable Console Menu = false

Certficates & syslog server

Make sure that you start by using https, for this you need to have a valid certificate. You could if there for the moment are no signed certificate for the machine, generate a self-signed certificate.

To enable https and set syslog server, go to System/General:

Certificate = your certificate
Protocol = HTTPS
WebGUI HTTP -> HTTPS redirect = yes
Syslog server = <Logserver with FQDN>

Kerberos

Before setting up kerberos, ensure that you use HTTPS!

Generate a kerberos keytab on a machine that is inside the kerberos realm for your new machine and export it.

Go to "Directory/Kerberos Keytabs" and add the exported keytab (ensure that this is done on a trusted computer).

To enable the kerberos service you need configure it in "Directory/Kerberos Realms":

  1. Click add kerberos realm
  2. Advanced
Realm = LYSATOR.LIU.SE
KDC = as-master.lysator.liu.se
Admin Server = as-master.lysator.liu.se
Password Server = as-master.lysator.liu.se

OK, and your done.

NIS

Setup NIS settings: Directory/NIS

NIS domain = lysator
NIS servers = nis.lysator.liu.se,ns-slave.lysator.liu.se
Secure mode = yes
Enable = yes

And save.

NFS

Setup the default nfs server settings: Service/nfs

Number of Servers = 6
Serve UDP = yes
Enable NFSv4 = yes
support > 16 groups = yes
Log mountd = yes
Log rpc.statd & rpc.lockd = yes

Firewall

Setup pf on the FreeNAS box:

pf is installed by default so all we need to do is create a configuration and enable it.

To enable, open /etc/rc.conf with some editor (vi) and add the following at the end:

pf_enable="YES"
pf_rules="<absolute path to your pf.conf with rules>"
gateway_enable="YES

pf.conf example:

#External interface                                                             
ext_if="<interface name of external interface>"                                                                    
table <bruteforce> persist                                                      
set skip on lo0                                                                 
set block-policy return                                                         
scrub in all                                                                    
block in all                                                                    
block out all                                                                   
block quick from <bruteforce>                                                   
#Allow from management HTTP/HTTPS only                                          
pass in on $ext_if proto tcp from <management host> to any port 80 flags S/SA keep state                                                                          
pass in on $ext_if proto tcp from <management host> to any port 443 flags S/SA keep state                                                                         
#Allow internal traffic                                                         
pass in on $ext_if from 130.236.254.0/24 to any keep state                      
pass in on $ext_if from 2001:6b0:17:f0a0::0/64 to any keep state                
#Allow ssh from management only                                                 
block in on $ext_if proto tcp from 130.236.254.0/24 to any port { ssh }         
block in on $ext_if proto tcp from 2001:6b0:17:f0a0::0/64 to any port { ssh }   
pass in on $ext_if proto tcp from <management host> to any port { ssh }           
#Allow traffic out                                                              
pass out on $ext_if from any to any keep state

End with starting the service:

service pf start

SSH

Before setting up SSH, ensure that the firewall is enabled! Setup the ssh server settings: Services/SSH

Login as Root = yes

Activate Services

Last you need to ensure that you enable the services, go to "Services":

NFS = on
SSH = on
SMART = on

Setting up sanity checks for hard drives

SMART test schedules

Short test

Long test

Scrub schedules

Data replication

Snapshots

Replication tasks

Receiver

  1. Create a dedicated user without any login or /home
  2. Add a ssh key for the user
  3. Give the user only rights for receiving with zfs receive

Sender

  1. Create a dedicated user without any login or /home
  2. Add a ssh key for the user
  3. Give the user only rights for sending with zfs send