Sunday, July 27, 2014

Installing FreeBSD on a Dedibox (

Created: 2014/07/27
Updated: 2014/08/12 - higher-end Dedibox
Updated: 2014/08/14 - software RAID-1

My first server was a Dedibox. I then switched to OVH's Kimsufi (for the anecdote, "Kimsufi" sounds like "enough for me" in French) which at the time was more attractive (15 EUR/month instead of 20).  My setup then evolved to make use of failover IPs (an extra IP address which you can switch from one OVH server to another).

But now my Kimsufi servers are getting old and slow or expensive, depending for which side you're looking at it and I'd like to upgrade them. OVH has very attractive prices like 5 EUR/month for the cheapest one (at least theoritically given I've never seen them available despite them constantly announcing the last server was shipped a few hours ago).  For the price I pay today overall, I could get an i5 CPU on the main server and a cheap and low-grade server for the failover...

... if only OVH was still proposing failover IPs on Kimsufi grade servers. The Kimsufi offer has spun off to really focus on home-servers where -- I guess -- people don't need such fancy services. If you want to have a failover IP at OVH now, you need to get an enterprise grade server which costs at least 80 EUR/month.  I guess this move has been motivated by the IPv4 addresses crunch.

Anyway.  I'm now going back to Dedibox which still offers failover IPs. Also they offer access to the server's console through a Java applet, which can be super useful. Something OVH did back in the time but then removed. However Dedibox don't offer FreeBSD by default (which Kumsufi did at the time, and maybe still do) so you have to install it yourself. Here is how:

  • Boot an Ubuntu rescue system, login and run sudo to be root.
  • Download a FreeBSD release or snapshot ISO; 10-STABLE can be found here:
  • Install QEMU:
    apt-get update && apt-get install qemu-kvm
  • Start QEMU with a VNS server, attached to the raw disk, booting on the ISO:
    qemu-system-x86_64 -no-kvm -hda /dev/sda -cdrom FreeBSD-*.iso -net nic,model=e1000 -vnc :1 -boot d
    or, if you have two disks:
    qemu-system-x86_64 -no-kvm -hda /dev/sda -hdb /dev/sdb -cdrom FreeBSD-*.iso -net nic,model=e1000 -vnc :1 -boot d
  • Connect in using VNC:
    xvncviewer ${server_ip}:1
Now you can install FreeBSD. The only thing is that the bootloader won't be installed (correctly?) for some unknown reason. So you need to do it yourself.
I couldn't come up with the a way to partition the server the way I want with the bsdinstaller, so I typically switch to the console (Alt-F4) right after choosing the keymap to make it using gpart. I'll describe it here for the record, so it will save me from research the next time I'll do it.

Here is the partitioning scheme:
  • We're in 2014, so we're using GPT boot, which requires a small partition for the bootloader.
  • I want the base system in UFS, mainly because it's less brittle to deal with remotely and you can use nextboot(8) fully (the new kernel will be booted only once and they the previous one will be reinstated, so you can try kernels); although all this is less mandatory if you have a working console as with Dedibox.
  • A small swap partition.
  • The remaining in ZFS.

You have a single disk or a hardware RAID controller

Here is how to do it from scratch:

### Setup partitions
# dd if=/dev/zero of=/dev/ada0 bs=64k count=128
128+0 records in
128+0 records out
8388608 bytes transferred in 0.042453 secs (197599244 bytes/sec)
# gpart show
# gpart create -s GPT ada0
ada0 created
# gpart add -t freebsd-boot -s 64k -i 1 ada0
ada0p1 added
# gpart add -t freebsd-ufs -s 20G -i 2 ada0
ada0p2 added
# gpart add -t freebsd-swap -s 2G -i 3 ada0
ada0p3 added
# gpart add -t freebsd-zfs -i 4 ada0
ada0p4 added
### Create the filesystems
# newfs -j /dev/ada0p2
# zpool create tank /dev/ada0p4
cannot mount '/tank': failed to create mountpoint (this is expected and harmless)
### Install the bootcode manually as it will fail for some reason
# gpart bootcode -b /boot/pbmr -p /boot/gptboot -i 1 ada0
bootcode written to ada0

Now go ahead and install FreeBSD.

You want to software RAID-1

Note that we use geom_mirror for the first three partition, and ZFS mirroring for the pool as I think it has better performances.

Also, note that the current bsdinstaller does not seem to understand what is a geom_mirror device and wants us to create a partitioning scheme on it.  We will therefore mount the partition to /mnt manually.

### Setup partitions on the first disk, ada0
# dd if=/dev/zero of=/dev/ada0 bs=64k count=128
128+0 records in
128+0 records out
8388608 bytes transferred in 0.042453 secs (197599244 bytes/sec)
# gpart show
# gpart create -s GPT ada0
ada0 created
# gpart add -t freebsd-boot -s 64k -i 1 ada0
ada0p1 added
# gpart add -t freebsd-ufs -s 20G -i 2 ada0
ada0p2 added
# gpart add -t freebsd-swap -s 2G -i 3 ada0
ada0p3 added
# gpart add -t freebsd-zfs -i 4 ada0
ada0p4 added
### Now duplicate those steps for ada1.
### Now create the mirror
# kldload geom_mirror
# gmirror label gm-root ada0p2 ada1p2
# gmirror label gm-swap ada0p3 ada1p3
### Create the filesystems
# newfs -j /dev/ada0p2
# zpool create tank mirror /dev/ada0p4 /dev/ada1p4
cannot mount '/tank': failed to create mountpoint (this is expected and harmless)
### Install the bootcode manually as it will fail for some reason
# gpart bootcode -b /boot/pbmr -p /boot/gptboot -i 1 ada0
bootcode written to ada0
# gpart bootcode -b /boot/pbmr -p /boot/gptboot -i 1 ada1
bootcode written to ada1
### Mount the partition to install FreeBSD
# mount /dev/mirror/gm-root /mnt

Now when the installer asks you about the partitioning, select "Shell" and FreeBSD will be installed to /mnt once you exit this shell.

End of installation

A few notes (some for myself):
  • The default router in's network is .1.
  • Add the following lines to /etc/rc.conf
  • sendmail_submit_enable=NO
  • YMMV but on QEMU I have an em0 interface, but on the real server it can be igb0 or bce0; so I need to change my /etc/rc.conf accordingly. What I typically do if I'm not sure, is duplicate the ifconfig_em0 line to ifconfig_igb0 and ifconfig_bce0.
  • Add a user or enable root login on sshd.
  • If you are using software RAID, add geom_mirror_load="YES" to /boot/loader.conf.
  • If your server has a PERC h200 controller, the disk won't be /dev/ada0 but /dev/da0, even on FreeBSD10, so change /etc/fstab accordingly.
  • Add the swap to /etc/fstab.
Small example of what /etc/fstab look like (with a software mirror in that case, but you cannot boot on a mirror, the subsystem is not there yet at boot, so you need to pick one of the disk):
/dev/mirror/gm-root     /               ufs     rw      1       1
/dev/mirror/gm-swap     none            swap    sw      0       0
Now before trying to boot FreeBSD on the real server, just try it on QEMU, this will save you some time if you missed something. First umount cleanly your disks and then kill QEMU from the host. Now re-run it using:
qemu-system-x86_64 -no-kvm -hda /dev/sda -net nic,model=e1000 -vnc :1 -boot c
This should go to the boot pompt. Shut down cleanly. Then you can try to boot it on the real server. If it does not come only, you can still use the Java console to debug it (for example, the interface name may not be correct).

Tuesday, May 6, 2014

Netboot OpenBSD on a Soekris

This post is a reminder for me on how to do this. This is the second time I spend two entire evenings to achieve this, and I seem to remember both time I succeeded using different methods. This time I decided to dump what I have in mind because in 2014, this is just silly how backward and complicated it is :). By the way, I know some people more experienced than me in OpenBSD who may read this, feel free to comment and tell me what I'm doing wrong to end up with something so convoluted :).

I'm using a Debian machine as a server. There is a direct Ethernet cable from the Soekris to the server (, nothing else is on the network.

  1. Download the OpenBSD release and extract it to /openbsd.
  2. Install the following packages on the Debian server:
    • udhcpd, because it's way simpler than ISC dhcpd
    • atftpd, do NOT use the tftpd package, which is the implementation from NetKit, this is really broken and althrough supposed to be very simple I wasted hours on this
    • rarpd
    • bootparamd
    • nfs-kernel-server
  3. Here are the relevant bits for /etc/udhcpd.conf:
    interface eth2
    sname     debian
    bootfile  /tftpboot/pxeboot
    option    dns
    option    router
    option    domain   domain.local
    option    subnet
    option    lease    864000
    option    rootpath /openbsd
  4. Start it:
    udhcpd -f /etc/udhcpd.conf
  5. atftpd probably added a similar line to /etc/inetd.conf; keep everything as-is and change the serving path (last argument):
    tftp            dgram   udp4    wait    nobody /usr/sbin/tcpd /usr/sbin/in.tftpd --tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr --mcast-ttl 1 --maxthread 100 --verbose=5 /openbsd
  6. Start or reload inetd.
  7. Now I advise to start a
    tcpdump -ev
    in one terminal t
    o see what's going on on the wire, and
    tail -f /var/log/daemon.log
    in an other. You can give a try to the Soekris: provided you have a serial cable on it (otherwise I don't even know why you're reading this), hit Ctrl-P at the boot and type:
    boot f0
    This won't work, but note the Soekris MAC address and the IP address which has been distributed to it.
  8. Now fill up /etc/ethers for rarpd (that's oldschool, isn't it? :)):
  9. Now let's configure bootparamd by first telling the Soekris name in /etc/hosts:   soekris
    and then giving NFS root in /etc/bootparams.conf (!)
    soekris root=
  10. Export /openbsd in NFS in /etc/exports:
    and reload the list of exported filesystems:
    /etc/init.d/nfs-kernel-server restart
  11. Now configure a bit OpenBSD before booting it:
    1. /openbsd/etc/boot.conf (set the console to see the kernel boot and tell pxeboot where to find the kernel):
      stty com0 19200
      set tty com0
      boot tftp:/tftpboot/bsd
    2. /openbsd/etc/ttys (enable getty on the console and set the correct speed):
      console "/usr/libexec/getty std.19200"  vt220   on  secure
  12. Verify that everything is running: inetd, udhcpd, rarpd, all RPC daemons (rpcbind should be start before all of them), including rpc.bootparamd.
  13. You should now be able to boot, with root having no password!

Thursday, February 21, 2013

Poor man's browser sandboxing

Last update: Sat Feb 23 15:14:13 CET 2013

Nowadays I use my browser most of the time, as you probably do as well. And like me, you are probably quite annoyed to run this big software blob and its unavoidable bugs against so many websites. Yes, browsers are the prime attack vector now.

So why not sandbox it as another user so as to insulate it from you sensitive data (ssh keys/agent, files, ...)? You can do this in about 15 minutes. This is more a quick reminder for me than a full-fledged blog post, so the explanations and commands are a little terse. Adapt them to fit your need.

$ sudo adduser -m browser
$ sudo mkdir ~browser/.ssh
$ sudo cp ~/.ssh/ ~browser/.ssh/authorized_keys

# You should shut down your browsers before doing this.
$ sudo mkdir ~browser/.config
$ sudo cp -Rp ~/.config/google-chrome ~browser/.config/
$ sudo cp -Rp ~/.mozilla ~browser/
$ sudo chown -R browser ~browser

$ cat > bin/ << EOF
exec ssh -Xf browser@localhost "$@"
$ chmod +x bin/

# Be sure that your ~/bin belongs to your $PATH.
$ runasbrowser Xephyr :1
$ runasbrowser google-chrome


  • You will probably need to put user "browser" in a group to allow him to play music :).
  • I've got the idea of this here; you can see that the author did much more things than me to set this up. I'm not sure why it works for me with so few steps.

Tuesday, December 11, 2012

Producers/consumers timely queue in Python

For one of my projects (Push2mob), I had to implement a multiple producers / multiple consumers timely queue, that is a priority queue where the priority is a timestamp at which the item should be delivered.  After multiple more or less successful attempts I've finally come up with an implementation that was efficient and neat.  I've posted it on StackOverflow to ask for some review, and got a good one.

Here is the final result.  I would be glad if it could help someone.

# Copyright (c) 2012, Jeremie Le Hen 
# All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met: 
# 1. Redistributions of source code must retain the above copyright notice, this
#    list of conditions and the following disclaimer. 
# 2. Redistributions in binary form must reproduce the above copyright notice,
#    this list of conditions and the following disclaimer in the documentation
#    and/or other materials provided with the distribution. 

import collections
import heapq
import threading
import time

class TimelyQueue:
    Implements a similar but stripped down interface of Queue which
    delivers items on time only.

    def __init__(self, resolution=5):
        `resolution' is an optimization to avoid wasting CPU cycles when
        something is about to happen in less than X ms.
        self.timerthread = threading.Thread(target=self.__timer)
        self.timerthread.daemon = True
        self.resolution = float(resolution) / 1000
        self.queue = []
        self.triggered = collections.deque()
        self.putcond = threading.Condition()
        self.getcond = threading.Condition()
        # Optimization to avoid waking the thread uselessly.
        self.putwaketime = 0
        self.terminating = False

    def put(self, when, item):
        `when' is a Unix time from Epoch.
        with self.putcond:
            heapq.heappush(self.queue, (when, item))
            if when < self.putwaketime or self.putwaketime == 0:

    def get(self, timeout=None):
        Timely return the next object on the queue.
        with self.getcond:
            if len(self.triggered) > 0:
                when, item = self.triggered.popleft()
                return item
                when, item = self.triggered.popleft()
            except IndexError:
                return None
            return item

    def qsize(self):
        Self explanatory.
        with self.putcond:
            return len(self.queue)

    def terminate(self):
        Request the embedded thread to terminate.
        with self.putcond:
            self.terminating = True

    def __timer(self):
        with self.putcond:
            maxwait = None
            while True:
                curtime = time.time()
                    when, item = self.queue[0]
                    maxwait = when - curtime
                    self.putwaketime = when
                except IndexError:
                    maxwait = None
                    self.putwaketime = 0
                if self.terminating:

                curtime = time.time()
                while True:
                    # Don't dequeue now, we are not sure to use it yet.
                        when, item = self.queue[0]
                    except IndexError:
                    if when > curtime + self.resolution:

                if len(self.triggered) > 0:
                    with self.getcond:

if __name__ == "__main__":
    q = TimelyQueue()
    N = 100000
    t0 = time.time()
    for i in range(N):
        q.put(time.time() + 2, i)
    dt = time.time() - t0
    print "put done in %.3fs (%.2f put/sec)" % (dt, N / dt)
    t0 = time.time()
    i = 0
    while i < N:
        a = q.get(3)
        if i == 0:
            dt = time.time() - t0
            print "start get after %.3fs" % dt
            t0 = time.time()
        i += 1
    dt = time.time() - t0
    print "get done in %.3fs (%.2f get/sec)" % (dt, N / dt)
    # Give change to the thread to exit properly, otherwise we may get
    # a stray interpreter exception.

Friday, June 15, 2012

Using raw devices with VirtualBox run as user

Today I needed to run a virtual machine on my laptop. It is not very powerful so I wanted to avoid as much overhead as possible: skipping the host's VFS/filesystem layer is fairly easy, you just have to give access to a raw partition the your virtualization software instead of a file. After all, both are just seen as a big array of bytes. My hard drive is under LVM, so I created a dedicated logical volume that I wanted to be writable by me given I planned to run VirtualBox as a user.

I knew I could do this with udev(8) but skimming through the documentation and fumbling its rules would have been too long for my available time, so I tried Google with no luck and finally asked on IRC, where I found that someone already did this for the same reason.

The configuration line is quite easy:

root@r2d2# cat /etc/udev/rules.d/99-my.rules

This rules basically tells that for any add or change of a block device named "dm-*" and matching "*-vbox*", change its group to "jlh" (note that == and = are different, as in many programming languages). One interesting thing to note is that ENV{DM_NAME}=="*-vbox*" is an helper environment variable that is set by udev(8) standards rules. Those stand in /lib/udev/rules/ on Debian and udev(8) merges the content of this directory with the standard configuration directory /etc/udev/rules.d/. Rules are applied by filename order, so be careful to be the last one. Initially I used "90-my.rules" but there is a rule in "91-permissions.rules" that overrode mine. You can easily debug by running udevd --debug, although the output is quite verbose.

The next step is to create a VMDK file for VirtualBox that will point to the raw device and then attach is to your VM's storage controller. This is quite well documented in the manual (Using a raw host hard disk from a guest).


jlh@r2d2$ VBoxManage internalcommands createrawvmdk \
    -filename VirtualBox VMs/vm1/data.vmdk \
    -rawdisk /dev/mapper/vg0-vbox_vm1
jlh@r2d2$ VBoxManage showvminfo vm1 | grep 'Storage Controller Name'
Storage Controller Name (0):            IDE Controller
jlh@r2d2$ VBoxManage storageattach vm1 --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /home/jlh/VirtualBox\ VMs/FreeBSD/data.vmdtk

Your mileage may vary if, for example, you have a different storage controller name, different port or device. The full "showvminfo" output will tell you which slot is available. Another solution is to add another storage controller, although VirtualBox will not permit you to have multiple IDE controller. You can add a S-ATA controller which allows you to plug up to 30 devices:

jlh@r2d2$ VBoxManage storagectl vm1 --name "SATA Controller" --add sata --controller IntelAHCI --bootable on
jlh@r2d2$ VBoxManage storageattach vm1 --storagectl "SATA Controller" --port 0 --device 0 --type hdd --medium /home/jlh/VirtualBox\ VMs/boot.vmdk
jlh@r2d2$ VBoxManage storageattach vm1 --storagectl "IDE Controller" --port 1 --device 0 --type hdd --medium /home/jlh/VirtualBox\ VMs/root.vmdk

VitualBox and VboxManage are pretty well documented.

Wednesday, March 28, 2012

A Varnish threads story

Varnish is a (now) well-known HTTP caching reverse-proxy. It has been written primarily by Poul-Henning Kamp, a famous FreeBSD developer. Varnish is very BSDish: simple, versatile and powerful.

(Yet, configuring it may be pretty tough because HTTP is a complex protocol with regard to caching (RFC 2616 mentions client-side proxies but not server-side ones). Besides, applications living on top of it are often written without any caching consideration in mind. For instance by default Varnish doesn't cache response from requests containing cookies, not it caches responses with a Set-Cookie header, for obvious reasons. Unfortunately PHP applications make heavy use of the PHPSESSID cookie simply because the session_start() function, which is part of the PHP library, is very handy for developers.

Varnish uses a pool of threads to serve requests, with a configurable minimum and maximum values as well as a timeout value (with the -w command-line option). Much like what Apache does with processes when used with the MPM prefork module. Additionally, Varnish enforces a configurable delay between thread creation (parameter's name is thread_pool_add_delay, you can configure it with the -p command-line option).

For some reason, one Varnish instance on a preproduction server here was configured with silly values regarding thread limits: only one thread at minimum. Given the server was often unused, threads timed out and were removed down to one. The problem was that when a developer wanted to test the websites, there was only one thread available and the aforementioned delay between thread creation prevented from spawning them all at one. Albeit being a very powerful server, the website was felt very sluggish.

It took me some time to find out this problem. When I modified the configuration, the website was really, really fast.

Tuesday, March 6, 2012

Portmaster options combo to upgrade FreeBSD ports

Some years ago I was using the famous Portupgrade to maintain my ports. This software is mature, very powerful and easy to use. Unfortunately its dependency on Ruby makes it really cumbersome, especially because I have many jails.

Therefore when Doug Barton began Portmaster, which is written is shell and does more or less the same thing (well, actually less, but I can live with it), I was quite eager to use it. One thing I didn't like from the beginning with Postmaster was that it is not able to work alone: it is constantly asking things. Of course there are options to disable this, but this leads to me the second problem: they are not intuitive! (at least for me...)

After some struggle, I finally managed to find the options I always want to use and I'm writing them as a reminder and in the hope to help someone else in the same hassle:

# portmaster -dBGm BATCH=1 --no-confirm --delete-packages -a

Here are the details:

  • I'm using portconf to configure the ports' build knobs, so I don't want to run the configuration or to be asked something about it. Just use the defaults unless I told otherwise: -G -m BATCH=1;
  • Don't create a backup package, I'm not running any financial application: -B;
  • Don't ask me if the distfiles must be cleaned, just do it: -d;
  • Don't ask me if I really want to upgrade my ports, I already executed the command proving it: --no-confirm;
  • Remove packages once installed: --delete-packages;
  • Upgrade everything: -a, but you might not want to ugprade everything at once so you can replace this with one or more port name.