I promised to write further about my project, and here I am. First, I needed to setup the Primary Server. You can read how in this article: Setup FreeBSD Server with full HDD encryption. Then I had to insert a second Power source as you can read in the article: Use a Compaq 200 Watt Power Supply (PSU) as a second power source to power 9 hard disks in my system (5x IDE and 4x Sata).
Now I am finally ready to setup my beast!
Connect all the harddrives and a CD-ROM drive to your system, startup the system and boot from the FreeBSD 8.1 DVD.
Choose a standard installation, and the choose user from the menu.
Configure your BOOT harddrive, the name is usually: ad0, Make a slice of 12 GB. If your boot harddisk is over 40GB, you can change this value to a higher one, but don't use all the space in one slice.
Choose {Q} uit and choose OK to make the mount points. An example:
Now I am finally ready to setup my beast!
Note: The following sequence will destroy all your files on your harddisk. Take extreme care with any =thing that might destroy data. You have been warned!!
- 1
Connect all the harddrives and a CD-ROM drive
Connect all the harddrives and a CD-ROM drive to your system, startup the system and boot from the FreeBSD 8.1 DVD.
- 2
Choose standard
Choose a standard installation, and the choose user from the menu.
- 3
Configure your Boot Harddisk
Configure your BOOT harddrive, the name is usually: ad0, Make a slice of 12 GB. If your boot harddisk is over 40GB, you can change this value to a higher one, but don't use all the space in one slice.
- 4
Quit and make the mount points
Choose {Q} uit and choose OK to make the mount points. An example:
If you have a bigger hdd, use the following:
- 5
Choose BootMgr
Choose {Q}uit and choose Boot Manager (Other than this will give me errors)
Choose {OK}
- 6
Ports Collection
Say yes if FreeBSD asks to install the ports collection, choose to install from CD/DVD (The one you inserted in your cdrom-drive).
A Picture of my Monster:
- 7
Sure to write partitions?
FreeBSD will ask if you are sure you want to write all the configurated file systems. Answer {Yes}!
Please wait until the installation is finished!
- 8
Congratulations! You now have FreeBSD
Congratulations! You now have FreeBSD installed on your system, choose {OK}
- 9
Configure Ethernet...
Configure Ethernet or SLIP/PPP network devices? Answer: {Yes}
On my machine I use a separate network card, onboard Network devices seem to always give me headache. I Choose fxp1
- 10
A Few Network questions
IPv6 -> Answer: No
DHCP -> Answer: No.
Separate screen to enter the LAN credentials.
Host:BSD02
Domain: wayward.nl
IPv4 Gateway:10.30.0.100 (My Router adress)
Name Server: 10.30.0.100 (My Router adress. If you have a domain controller that provides DNS you can enter it here)
IPv4 Address: 10.30.0.3
Would you like to bring the fxp1 interface up right now?: {Yes}
Function as a network gateway?: {No}
Configure inet and the network.... {No}
Would you like to enable SSH login? {Yes}
Do you want to have anonymous FTP access to this machine? {No}
Configure NFS Server {No}
This machine NFS client {No}
Customize your system console settings? {No}
Time Zone: {Yes}
Select local or UTC... {No}
Time Zone Selector: {8} Europe
Countries in Europe: {34} Netherlands
CEST look reasonable? {Yes}
PS/2, serial or bus Mouse? {No} (FreeBSD picks it up along the way)
FreeBSD package collection, Browse the collection now? {No}
Additional accounts to the system? {No} (The user will not get a home directory when you create it in the install routine, this can be a pain)
Set Root Password: {Ok}
Enter a password twice, and keep this Password different than the password you are going to use on the encrypted part.
Chance to Set any last options? {No}
Exit the installation.
Remove the media: {Ok}
System will reboot.
- 11
Create a encrypted part of the boot HDD
Type:
Choose: Configure --> Fdisk
In my case, the boot hdd is ad0, I choose ad0 (Place an X and then {OK})
If you are confronted with Geometry, I choose {Yes}.
In Fdisk, press {C} and use up the rest of the HDD, press {W},
Choose BootMgr and then press {Q} to leave.
There is an {X} in front of ad0, choose {OK}
Press {X}, and {Exit Install} to Exit sysinstall.
- 12
Shutdown the Backup server
My Backup server has a problem with the RocketRaid card that the computer will always startup, even when I tell him to Power down. Instead, I use the following command:
When the system is halted, I pull out the powercord, and then I switch off the secondary power supply.
Preparing temporary HDD
- 13
Start from the secondary HDD
In the BIOS of my Primary server, I could say from which IDE drive the system must start, unfortunately the Compaq has no option for this. We need to disconnect the primary HDD and connect a harddisk configured as slave on the IDE controller. Start the system and insert the FreeBSD DVD in the cdrom drive.
- 14
Secondary Installation Steps
Start the system from the CDrom and choose:
Standard installation.
A program to partition your harddisk will be started, select {OK}
- 15
Create a slice
You will be asked which harddisk you wish to work on, in my case the HDD is called ad1, I choose {ad1}.
Delete any existing Slices with the {D} key.
Create a New Slice and use the full HDD.
Press {Q} to leave this program.
- 16
Choose Boot Manager
Since the Compaq BIOS has no option for selected the harddrive we need the BootMgr, I choose {BootMgr}.
- 17
Make partitions
An {X} is still in front of ad1, select {OK}
Some instructions will be given, select {OK}
Choose {A} and the partitions will be filled in. For the secondary HDD, it is not very important to have a good proportioned harddrive since you are going to use it once.
Press {Q} to leave.
- 18
Choose the installation
Choose: {User} Binaries and doc only.
You will be asked in which language you want documentation. Choose the correct one and then {OK}
Install the ports collection? {No}
Choose {OK}
Install from FreeBSD CD/DVD.
A warning appears that all be overwritten, choose {Yes}
The installation is started, please wait....
- 19
Answer some questions
Configure Ethernet or SLIP/PP network devices? {NO}
Function as a network gateway? {NO}
Configure inetd and the network services that it provides? {NO}
WOuld you like to enable SSH login? {YES}
Do you want anonymous FTP access? {NO}
NFS Server? {NO}
NFS Client {NO}
Customize your system console settings? {NO}
Time Zone? {YES}
CMOS clock set to UTC… {NO}, choose: 8. Europe, Netherlands
CET reasonable? {YES}
PS/2, serial or BUS mouse? {NO}
FreeBSD package collection? {NO}
Additional accounts to the system? {YES} --> Add a user, then use {X} Exit.
- 20
Enter the root password
Keep this password different from the encrypted part of the HDD.
Visit general configuration menu for a change to set any last options? {NO}
{X} Exit Install
Are you sure? {Yes}
Be sure to remove the media from the drive {OK}
- 21
Turn off system when the BIOS screen is visible
Turn off the system when the BIOS screen is visible.
Creating the encrypted part of the HDD
- 22
Connect both harddisk drive's on the system
Connect both harddisk drives to the primary IDE cable, so there is a Master drive (The one you are going to use in the future) and a secondary HDD on the primary IDE cable (The temporary HDD).
- 23
Choose F5 (Other drive)
At bootup you will be presented to boot from the HDD:
Choose F5 to switch from Primary hdd to Secondary HDD (On the Primary IDE Cable).
Then choose F1 to actually boot (Or wait a few seconds)
- 24
Check the avaible devices
Login as root
Go to the devices directory:
and get the directory dump on your screen:
Look for a drive with s2 at the end. On my machine, the drive is called: ad0s2.
- 25
Create Encrypted Part of HDD
To make the second Slice of the Boot harddrive encrypted type:
You will be asked to enter a passphrase, enter this twice.
Note: My passphrase is the same as the head server and has 7 words in it, make it hard for another to crack and easy for you to remember. Be sure to use both uppercase and lowercase characters.
- 26
Attach encrypted Slice
Type:
Message will appear:
- 27
Create Partitions on the encrypted drive
To make the necessary partitions/Labels on the encrypted part, we are going to use bsdlabel:
After the last line you will be presented with an editor, make it look like this:
I=Insert [ESC=end Insert], x remove character.
Do not change the letter c!
I use this setup, because my hdd is 100 GB:
- 28
Save the labels
Press once on {ESC}, then type :w {ENTER}, and leave :q {ENTER}
- 29
Check if the new (encrypted) devices are created
Are there any .eli devices? If Yes, Go ON!
- 30
Format the encrypted partitions/labels
Note: The parameter -i will make it possible to write a lot of small files on this partition.
We don't need to format the swap partition, so we go on to:
With the label mounted as /usr it is important to be able to write a lot of small files:
- 31
Create the directory for root mountpoint
Then mount it:
- 32
Create all other directory's needed for FreeBSD OS
- 33
Mount the encrypted slices
- 34
Copy the FreeBSD OS to the encrypted part of the drive
Prepare the destination location (encrypted part)
Mount the CD-ROM drive:
Change to the correct directory:
You are about to extract the base distribution into /fixed/ - are you SURE you want to do this over your installed system (y/n)? If /fixed/ is mentioned, press: {y}
- 35
Install the kernel
- 36
Install the help pages
- 37
Copy the boot directory to the future boot drive
First we need to mount the future boot drive:
Copy the boot directory to the boot drive:
- 38
Speed up the boot process
To Speed up the boot process we compress a few files:
- 39
Make FreeBSD startup from the encrypted part
To let FreeBSD boot from the un-encrypted part of the HDD and process the startup from the encrypted part we change the fstab file.
Make the Fstab file look like this:
Save the file and exit.
- 40
Create the necessary directories
If you have a floppydrive:
For the cdrom drive:
- 41
Copy fstab to encrypted part
We also need to copy the fstab file from the unencrypted part to the encrypted part:
- 42
Let FreeBSD ask for the passphrase at bootup
- 43
Copy Unencrypted boot to encrypted part
Since we are going to use striping of FreeBSD we need some files that the install we did on the encrypted part does not have. We need to copy the unencrypted boot back to the encrypted boot directory.
Wait for all the files to be copied.
- 44
ALL STEPS DONE!!!!???
Are you sure that you have done all the above steps??
- 45
Disconnect the slave HDD
Power down the Server, disconnect all the power to the machine and disconnect the Slave HDD from the IDE Cable.
Test the FreeBSD encrypted version
- 45
See if you can login without a password
If everything was going well, you have to enter the passphrase that you have typed in the steps before. Then if you login with root, you will not be presented with a password. If this happens, you know you are on the encrypted part of the HDD.
Since the installation is basic, you need to configure everything by hand before it will work. Also a warning about a name server will pop by -- that's because the network device is not configured yet.
- 46
(optional) Connect your Harddisk drives to your Raid Controller
When the machine says the system is halted, turn off your system and disconnect the powercables.
When you are using a HPT374 like me, take note that Seagate ST3500630A (Barracuda) does not work together with Hitachi Deskstar IDE HDDs on the Rocketraid 454. I could not make a RAID 0/JBOD or Mirror, so I have choosen to do this the software way.
Also, sometimes a LED keeps on when the machine is started in FreeBSD and then ad6 HDD is not present in the /dev directory.
I have to restart it until all the LEDs are off or a device is not detected.
(Can anyone tell me what this is? It happens after I type in my passphrase).
It seems to me, when I wait too long with typing the correct passphrase that this happens??!!
It seems to me, when I wait too long with typing the correct passphrase that this happens??!!
- 47
Enable networking
Type:
Select: Configure --> Networking --> Interfaces
In my case I select: {fxp1}
IPv6: {No}
DHCP {No}
I type in my credentials.
Bring the interface up now? {Yes}
{X} Exit
{X} Exit
{X} Exit Install
Reboot:
- 48
Enable SSH
To work faster and from every PC I enable SSH login, type:
Choose: Configure --> Networking --> (Scroll down with arrow keys) sshd, choose {Ok}
{X} Exit --> {X} Exit Install
- 49
Check rc.conf for ssh
Sysinstall is nice and easy, but you should know what it does. So we are going to check /etc/rc.conf for ssh
Check if you see the tag: sshd_enable="YES". If so, ssh will be enabled at next bootup.
- 50
(optional) A little detour
Yes! I did a little detour on this one, I tried to connect four IDE harddrives to one controller and four sata drives to a sata controller. Sad thing is, it was not stable, I have left this piece in this manual so you can learn from it. I bought two Sata drives of 2 TeraByte and now I am using 4 x 2 TB Sata drives as one big volume.
Make a Stripe set (Raid0) with FreeBSD
If you are using one controller card with 4 IDE drives and another controller card with 4 Sata drive's and you want one big volume you can use FreeBSD to stripe with the GEOM software.
Enable striping driver
Search Geom_Stripe and type "YES" instead of "NO"
Save the file with ":w!" (The i is to write a read-only file, only possible as root user)
Do the same for unencrypted part
First mount the unencrypted part of the HDD
Search Geom_Stripe and type "YES" instead of "NO"
Save the file with ":w!"
Reboot to activate striping
And YES! it is native!
Create first striping set
I explained about the problem between the Seagate and the barracuda, so I solve this the software way. We are going to create a striping set from ad4,6,8 and 10. (The names may be different on your system, check the /dev directory).
This will create a striping set with the name ide0. It will give some errors that it will not use the entire drive's capacity, but that is common with RAID 0 sets -- all volumes must be the exact same size.
Check your striping set
You can check your striping set by:
and search for ide0
Stripe over stripe
Striping over striping... It's unbelievable that this is possible. In Windows, I would be afraid what will happen with the data, but on my FreeBSD box... I am confident!
My other Rocket Raid (Model 1740) has created 3 striping sets so we have 4 times 2 TB of striping sets, create a second striping set:
/dev/dax is the most common name for a hardware striping set, I have seen this in FreeBSD 8.x and in a VirtualMachine enviroment with iSCSI. Once I have seen arx in FreeBSD6.2
Make the stripe (big0) encrypted
And yes we want to encrypt this too! When I format the big0 volume it is somewhat slow, but the only thing this system has to do is duplicate data and share it when disaster strikes, so I don't care.
Type your secret passphrase twice.
Attach the big0 array
Type type the passphrase and the usual confirmation will be shown.
Label the striped encrypted drive"]
[x] to delete characters, Press {I} to edit/insert, Change unused behind a: to 4.2BSD, [ESC], :w, :q
Format the encrypted .elia drive
When I look at the drive, I see the let's making disco, so I know all drive's are being used to stripe!
When working with older stuff, it helps to connect all the LEDs, for 20,- Euro's you got 10 of them with a wire and a little connector
Mount it and check it"]
A list with the mounted drives will be presented, check if the size checks out.
Mount at startup
Add the following line at the end of the file:
Save the file and exit vi.
Copy the new fstab to the unecrypted part
Install Rsync on your FreeBSD machine
- 51
Encrypt the big volume
My Big volume that are 4 S-Ata harddisks on one Sata Controller is called /dev/da0, the name for your array could be different, check the name first:
Search for da0 (or da1, da2, etc...) or ar0 (ar1, ar2, etc..) and use this device name to encrypt the big volume
Encrypt the big volume with:
Enter the passphrase twice.
- 52
Attach and format the big volume (da0)
First we need to attach the encrypted device:
Enter the passphrase you defined in the last step.
Make a label for the attached device:
[x] to delete characters, Press {I} to edit/insert, Change unused behind a: to 4.2BSD, [ESC], :w, :q
It needs to look like this:
The offset will be different; this is the size of your volume.
Don't forget the save the file and then Exit
Check if there are new devices in your /dev directory
You should see devices like da0.elia or ar0.elia.
Format the new device:
This may take a while, please wait!
- 53
Mount the encrypted volume
First make a directory where you can mount the volume:
Mount the big device:
Check the size with command df:
Result:
Your figures are probably different, but this is a good way to check if all the sizes are correct.
- 54
Mount the new device at bootup
Edit fstab
Add the following line at the bottom:
- 55
Install rsync
Now we have a device where we can put all the data from the primary server we need to sync it to the backup server.
You need to have rsync installed on the primary server, read here how you can do it!
To install Rsync we start sysinstall.
Select Configure --> Packages --> CD/DVD --> net --> rsync-3.x.x
Select {OK} --> {Install}
You will be shown what you have selected, select {OK}
Installation will commence.
{X} Exit
{X} Exit Install
Take out FreeBSD CD/DVD
- 56
Setup rsyncd
Remove # before "UID" & "GID" and change "nobody" to "rsync", the file will look like this:
- 57
Create user rsync
Fill in all the credentials.
- 58
Create a batch file on the backup server
It must contain:
- 59
Make the batch file startable
- 60
Create the password file
Now create the password file for copycop
Type the password in the file and save it!
- 61
Change the rights
Change the rights of the file's so not everybody can read them.
- 62
Start Rsync to test syncing the data
You should see:
and then popping a lot of file's on your screen! (And of course the led's playing disco, as a matter a fact I feel Disco! Wheee!!!)
If you get an error like: "rsync error error starting client-server protocol code 5", check the password you have used in the password file on the primary and backup server. Also check on the primary server if host allow contains the correct IP Address.
- 63
More pointers about errors with rsync
If you get the following errors:
Scroll back and see on which directory's you don't have access. Change the rights of those directories on the primary server.
The error you should see an error in the copy files tree like this: send_files failed to open "dir/ectory/" (in encrypt_a): Permission denied (13)
- 64
Setting up NTP for time sync
Open rc.conf
Add the following to lines at the bottom:
This is the IP adress of your head server, so all systems in your network al synced together!
Installation of Samba
===================
What is the use of a backup server, when you cannot access it from Windows? I will set it up Samba so that you can only read from it!
- 65
Install Samba from the ports
Insert your FreeBSD 8.1 install CD/DVD in your cd drive and type:
Wait for FreeBSD to complete the operation.
- 66
Edit smb.conf to configure samba
Here is an example of smb.conf file:
On the backup server I have set writable = no on every share, this is a backup server not a working server!
- 67
Enable Samba at startup
Edit the /etc/rc.conf file and enable Samba:
Add the following lines at the bottom of rc.conf
If you get the following errors: "nttrans.c:2119(call_nt_tr
oplocks = false
level2 oplocks = false
oplocks = false
level2 oplocks = false
- 68
Edit welcome message
Put the following lines into the editor:
Save the message with :w and exit.
- 69
Restart Machine and check Samba
- 70
Add the user you want to access Samba
Before the Windows clients can access the Samba shares, you have to add them as a Samba user:
Enter the password twice and do this for every user you want to be able to access Samba.
- 71
Try to connect with a windows client
Start the machine, enter the passphrases to mount the encrypted partitions and wait until nmbd & smbd is loaded, then start a Windows client and enter the name of your server in Windows Explorer.
You should be able to access the shares, read it, but you cannot write it
- 72
Create a cronjob for rsync
If you are going to use rsync, do it on a regular basis! We add a cronjob.
Login as root
Type:
Add the following line:
Save the file and exit, you should see the line:
...then you know it is about to run!
- 73
Enter a password for the root account
A very important step for security, enter a password for the root account. Type:
Enter the password twice.
- 74
Done!
Your backup server is ready!
by: dmeeren on 2011-03-26 at 07:02:53ID: 25127
Select allOpen in new window
After that my system rebooted, after fiddling around with drivers, it appeared to be an IRQ problem. I Solved this problem by swapping the VGA card with the NIC card from PCI Slot.