Encrypt ZFS drives on FreeNAS 0.7.2 (FreeBSD 7)
We recently had a break-in and found out about it when we were far from home. I worried about many things, among them the unencrypted files on my home NAS. Not that I have any state secrets buried, but the thought of having private e-mails, photos and so on in the hands of criminals just felt wrong. Fortunately the thieves left my computers, so I decided to do something about it.
I have an old NAS with FreeNAS 0.7.2 (no longer available) running FreeBSD 7. It does support encryption, albeit a bit manually. First I had to create a geli encryption key on the USB boot device:
umount /cf
mount -o rw /dev/da0a /cf
mkdir /cf/boot/keys
dd if=/dev/random of=/cf/boot/keys/nas.key bs=128k count=1
Next I destroyed the partition on the first disk to go and configured it for encryption with geli:
dd if=/dev/zero of=/dev/ad10 bs=512 count=10
geli init -b -K /cf/boot/keys/nas.key -s 4096 -l 256 /dev/ad10
geli attach -k /cf/boot/keys/nas.key /dev/ad10
Repeat with other drives (ad8 in this case) and create a mirror:
zpool create -m none nas-pool1 mirror /dev/ad10.eli /dev/ad8.eli
Next edit /cf/boot/loader.conf so that the key file is loaded and the passphrases can be entered at boot time:
geli_ad8_keyfile0_load="YES"
geli_ad8_keyfile0_type="ad8:geli_keyfile0"
geli_ad8_keyfile0_name="/boot/keys/nas.key"
geli_ad10_keyfile0_load="YES"
geli_ad10_keyfile0_type="ad10:geli_keyfile0"
geli_ad10_keyfile0_name="/boot/keys/nas.key"
Reboot and make sure it works, then add additional drives and resilver. Peace of mind restored!
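A check to run before that reboot, as an added example that is not part of the original post: it verifies that loader.conf holds all three keyfile entries for each disk and that the key file they name exists on the boot device. The function names check_geli_loader and make_sample are hypothetical, and the sample loader.conf is constructed test data.

```sh
#!/bin/sh
# Added example: pre-reboot check of the geli keyfile entries in loader.conf.
# ROOT is where the boot device is mounted (/cf on this page); the key file
# path inside loader.conf is relative to that device.
# On the NAS: check_geli_loader /cf ad8 ad10

# check_geli_loader ROOT DEV... -> prints each problem, returns their count
check_geli_loader() {
    root=$1; shift
    conf="$root/boot/loader.conf"
    problems=0
    for dev in "$@"; do
        # These two lines must match exactly; the type ties the key to the disk.
        for want in \
            "geli_${dev}_keyfile0_load=\"YES\"" \
            "geli_${dev}_keyfile0_type=\"${dev}:geli_keyfile0\""
        do
            if ! grep -Fqx -- "$want" "$conf"; then
                echo "$dev: missing or wrong line: $want"
                problems=$((problems + 1))
            fi
        done
        # The name entry must point at a key file that exists on the boot device.
        key=$(sed -n "s|^geli_${dev}_keyfile0_name=\"\(.*\)\"\$|\1|p" "$conf" | tail -n 1)
        if [ -z "$key" ]; then
            echo "$dev: no geli_${dev}_keyfile0_name entry"
            problems=$((problems + 1))
        elif [ ! -s "$root$key" ]; then
            echo "$dev: key file $root$key is missing or empty"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# make_sample ROOT: constructed data, ad10 complete, ad8 lacking its type line
make_sample() {
    mkdir -p "$1/boot/keys"
    echo "constructed-key-material" > "$1/boot/keys/nas.key"
    cat > "$1/boot/loader.conf" <<'EOF'
geli_ad8_keyfile0_load="YES"
geli_ad8_keyfile0_name="/boot/keys/nas.key"
geli_ad10_keyfile0_load="YES"
geli_ad10_keyfile0_type="ad10:geli_keyfile0"
geli_ad10_keyfile0_name="/boot/keys/nas.key"
EOF
}
```

A return value of 0 means every listed disk has a complete set of entries; any other value is the number of problems printed.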
Symbolic links and CIFS/SMB with FreeNAS 0.7.2
I recently upgraded to FreeNAS 0.7.2 revision 6694 and suddenly symbolic links across ZFS filesystems stopped working when accessed using Windows file sharing (CIFS/SMB). They still worked fine from the command line. Apparently the root cause is a security fix in Samba. To work around the change, add the following to “Auxiliary parameters” for CIFS/SMB in the FreeNAS web UI:
follow symlinks=yes
wide links=yes
unix extensions=off
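They will then be added to the global section of smb.conf. Select “Save and Restart” and the links should work again. Note that wide links=yes lets Samba follow symbolic links that point outside the shared directory tree.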
Subversion on FreeNAS
Like several other FreeNAS users I would like to run a Subversion server on my FreeNAS box. Sure, it is discouraged, but the alternative for me is to use an Internet-facing server or to keep a third machine running all the time. The FreeNAS box seems like the best choice.
The installation process is a bit involved as the embedded version of FreeNAS keeps the root file system in RAM. A standard installation will simply disappear after the first reboot.
Create a group and a user named svn through the web interface. Note that if you want to su to svn later on, a real shell is required; nologin will not work. Log in to the Unix prompt and su to root. Create a directory on one of the mounted disks (not the root file system, which is a RAM disk!):
mkdir -p /mnt/data/apps/Subversion
Install the subversion package to the proper location:
setenv PKG_TMPDIR /mnt/data/apps/Subversion
pkg_add -r subversion -P /mnt/data/apps/Subversion
Include the dynamic libraries in the search path:
ldconfig -Rm /mnt/data/apps/Subversion/lib
Create a repository. Again the location must be on a mounted disk:
/mnt/data/apps/Subversion/bin/svnadmin create /mnt/data/apps/Subversion/svnrep
Configure the repository:
vi /mnt/data/apps/Subversion/svnrep/conf/svnserve.conf
Here is an example, with the comments left out:
[general]
anon-access = none
auth-access = write
password-db = passwd
realm = FreeNAS
Edit the password file (vi /mnt/data/apps/Subversion/svnrep/conf/passwd) and add users:
[users]
userid1 = password1
userid2 = password2
Create a start script for the Subversion daemon:
vi /mnt/data/apps/Subversion/bin/start_svnserve.sh
The start script needs to include the Subversion libraries before it launches svnserve:
#!/bin/bash
# Register the Subversion libraries with the runtime linker
ldconfig -Rm /mnt/data/apps/Subversion/lib
# Start svnserve as a daemon, running as the unprivileged svn user
su svn -c '/mnt/data/apps/Subversion/bin/svnserve -d --listen-host=n.n.n.n -r /mnt/data/apps/Subversion/svnrep'
The svnserve command must stay on a single line. Without the listen-host option Subversion may use an IPv6 address. Use the option with your IPv4 address to get around that. Make the script executable:
chmod +x /mnt/data/apps/Subversion/bin/start_svnserve.sh
Change ownership of all files properly:
cd /mnt/data/apps/Subversion
chown -R svn:svn svnrep
Test the script. If it works, add it as a PostInit start script (System/Advanced/Command scripts). Voila, FreeNAS is running Subversion!