up_the_irons: ping re: second vps serial console access. good morning everybody. heya cedwards :)
question for the BSD folk. how large do you normally make / when you partition? cedwards - using zfs, so it doesn't matter. :) I've yet to dabble in the magic that is zfs :( cedwards: about a 1gb but it does not even need that perhaps now is a good time to learn aem: I just reinstalled my second VPS and did 512M, which is my normal default, but it hit 100% on / when I tried rebuilding world. I have /tmp, /var, /usr, and / (1G, 2G, remaining and 512M respectively) yes I had this same issue cedwards aem: figure out why? trying to recall heh but I do remember I reformatted and made my root 1gb and was fine :) hmm. hate to lose a morning of work, but I guess that might be worth it. cedwards: i agree with randall, use zfs less hassle I suppose I need to break out the handbook and do some reading them. s/them/then/ many here have gone on the path ahead of you, and set up signposts. :) cedwards: randall gave me this link: http://wiki.freebsd.org/RootOnZFS/GPTZFSBoot i'm using it on the 768 slice i mean vps ;) old slicehost customer? :) yup I was, once upon a time as well. Went to Linode, and then here.
ok, following those zfs instructions, which option should I select at fixit? cdrom, usb, floppy, shell cdrom I think whatever gets you to a shell :) but not the holoshell I think it's "6" then "1" been a while ... http://wiki.freebsd.org/RootOnZFS/GPTZFSBoot and know that the network interface is "em0", not "re0" and you can't use DHCP, so you have to put your real info there when you get down to step 2.5 I think the rest was just as written I'm still stuck on the first gpart command(s) file exists on create. file busy on destroy. you might have booted wrongly then ad0 should be free i boot from CD. Select fixit, and cdrom.. try df or mount. see what's mounted make sure ad0 isn't mounted just md0 and acd0 ahh. might need to destroy the existing label how do i do that?
dd if=/dev/random of=/dev/ad0 bs=1m count=1 good ol' dd then you should be able to do the create gpart was trying to prevent you from hurting yourself yup but you... uh... know better. :) riggght. what can I prune from 2.2 if I normally just install minimal? just use base? trying base + lib32 ok. machine is finally back up and ready to use. going to have to get used to having so many entries in 'mount' and 'df' using zfs cedwards: gpart destroy ad0 sorry, late to the party gpart delete -i 1 ad0 lol, yeah. we got a little destructive with dd instead :) i had that same problem following that guide
Hrm, are there any security measures one can take for local users? did you do `zfs unmount -a` yet? I mean, so they don't get to root or get any sensitive information dxtr: no sudo And, yes, except for jailing them :P dxtr: plenty. fink: I'm only allowing sudo to myself make sure you have a good passwd I've actually disabled user passwords too (Except for myself so I can sudo) Are there any directories and/or files I can change permissions on to make sure they don't get any sensitive information? remind me what you're running? BSD? FBSD :) check out login.conf for additional restrictions. do you plan on having a lot of (untrusted) users on the machine? Not a lot, no :P I'd say consider what these users do/don't need. if it's a simple chroot shell consider ssh chroot config or jails. definitely check out login.conf, set a more private umask perhaps.. don't allow sudo, etc. I'll look into it :)
does anyone know why bind9 comes as part of base FreeBSD? As opposed to what? unless you're going to run / need a name server, why include it? wouldn't it be enough to make sure resolution works via /etc/resolv.conf, and then install bind from ports as needed for name servers Ah, I see. Nope, no idea. just comes to mind because I'm updating /usr/src and the only updates are for src/contrib/bind9/
hm, anyone here use their arp ipv6 with afraid.org for DNS?
I use my arp IPv6 to serve dns, why use someone else? ;-) please tell me how lol, I have been reading google links for 2 days I have an _idea_ but DNS is a slippery fish right now I have a separate dns server on a Debian machine, I am going to try to get my ipv6 reversed with it :) aem: Piece of cake :) hehe I am still struggling here I'm running nsd \o/ Thanks to up_the_irons gave up on the Debian, I was completely off track there nsd is name server daemon yeh? I've not done IPV6 with bind, but I can't imagine it would be that much different than IPV4. AAAA vs A is all as far as I know.. cedwards: We're talking reverse here. But yeah, there's no huge difference there either of course I am assuming experience maintaining DNS, which not everyone has. yeah heh i have precisely 0 getting there though :P
anyone have any suggestions on how to auto-start/re-connect to a screen session on login? screen -r :P edyou mean like when you login ? -xRR cedwards: ^ I've seen some examples of: if [ $TERM != "screen" ]; then screen -dr; fi yeah I'm not getting it to work consistently though. thought y'all might have some suggestions. just for documentation sake, I added 'screen -dRR' to .bash_profile and it seems to work as expected.
is it appropriate to run ntpd on these? I recall with xen that the time was only updated via the host. is that the same for kvm/qemu? cedwards: fwiw, I run ntpd do you have a preference between ntpd and openntpd? I don't know enough about either to have one really I just used ntpd because it was in the Handbook I think
cedwards: I use this to shell into my box: ssh -t user@server screen -rd (I've a shell alias locally, obv.) mike-burns: I do similar. i run jails at home for local services, one of which is an ssh bastion. mike-burns: that requires 'ssh -t user@host1 ssh -t user@host2 "screen -dr"' but, that alias will fail if no screen is present on the other end. Ah, I see.
In unrelated news, I just found this on the OpenBSD Journal blog thingie: http://devio.us/ yeah. I have an account with them. What do you use it for? can't have too many random shell accounts when it comes to external testing and bypassing firewalls ;) Ha true. I use distributed shell accounts to test dns propagation and firewall verification. uh huh where were you when dalnet was ddos'd? :P uhh, i don't know what you're talking about :) hah infrared: I'm afraid to ask, but how's the dvorak coming? :( anyone done zfs based jails? cedwards: you sloppy bastard it survived