Archive

Archive for the ‘FreeNAS’ Category

Encrypt ZFS drives on FreeNAS 0.7.2 (FreeBSD 7)

We recently had a break-in and found out about it when we were far from home. I worried about many things, among them the unencrypted files on my home NAS. Not that I have any state secrets buried, but the thought of having private e-mails, photos and so on in the hands of criminals just felt wrong. Fortunately the thieves left my computers, so I decided to do something about it.

I have an old NAS with FreeBSD 0.7.2 (no longer available) running FreeBSD 7. It does support encryption, albeit a bit manually. First I had to create a geli encryption key on the USB boot device:


umount /cf
mount -o rw /dev/da0a /cf
mkdir /cf/boot/keys
dd if=/dev/random of=/cf/boot/keys/nas.key bs=128k count=1

Next I destroyed the partition on the first disk to go and configured it for encryption with geli:


dd if=/dev/zero of=/dev/ad10 bs=512 count=10
geli init -b -K /cf/boot/keys/nas.key -s 4096 -l 256 /dev/ad10
geli attach -k /cf/boot/keys/nas.key /dev/ad10

Repeat with other drives (ad8 in this case) and create a mirror:


zpool create -m none nas-pool1 mirror /dev/ad10.eli /dev/ad8.eli

Next edit /cf/boot/loader.conf to enter the passphrases at boot time:


geli_ad8_keyfile0_load="YES"
geli_ad8_keyfile0_type="ad8:geli_keyfile0"
geli_ad8_keyfile0_name="/boot/keys/nas.key"
geli_ad10_keyfile0_load="YES"
geli_ad10_keyfile0_type="ad10:geli_keyfile0"
geli_ad10_keyfile0_name="/boot/keys/nas.key"

Reboot and make sure it works, then add additional drives and resilver. Peace of mind restored!

Advertisements
Categories: FreeNAS

Symbolic links and CIFS/SMB with FreeNAS 0.7.2

2011-08-14 1 comment

I recently upgraded to FreeNAS 0.7.2 revision 6694 and suddenly symbolic links across zfs filesystems stopped working when accessed using Windows file sharing (CIFS/SMB). They still worked fine from the command line. Apparently the root cause is a security fix in Samba. To work around the change, add the following to “Auxiliary parameters” for CIFS/SMB in the FreeNAS web ui:

follow symlinks=yes
wide links=yes
unix extensions=off

They will then be added to the global section of smb.conf. Select “Save and Restart” and the links should work again.

Categories: FreeNAS

Subversion on FreeNAS

Like several other FreeNAS users I would like to run a Subversion server on my FreeNAS box. Sure, it is discouraged, but the alternative for me is to use an Internet-facing server or to keep a third machine running all the time. The FreeNAS box seems like the best choice.

The installation process is a bit involved as the embedded version of FreeNAS keeps the root file system in RAM. A standard installation will simply disappear after the first reboot.

Create a group and a user named svn through the web interface. Note that if you want to su to svn later on, a real shell is required, nologin will not work. Login to the Unix prompt and su to root. Create a directory on one of the mounted disks (not the root file system, which is a RAM disk!):


mkdir -p /mnt/data/apps/Subversion

Install the subversion package to the proper location:


setenv PKG_TMPDIR /mnt/data/apps/Subversion
pkg_add -r subversion -P /mnt/data/apps/Subversion

Include the dynamic libraries in the search path:


ldconfig -Rm /mnt/data/apps/Subversion/lib

Create a repository. Again the location must be on a mounted disk:


/mnt/data/apps/Subversion/bin/svnadmin create /mnt/data/apps/Subversion/svnrep

Configure the repository.


vi /mnt/data/apps/Subversion/svnrep/conf/svnserve.conf

Apart from comments this is an example:


[general]
anon-access = none
auth-access = write
password-db = passwd
realm = FreeNAS

Edit the password file (vi /mnt/data/apps/Subversion/svnrep/conf/passwd) and add users:


[users]
userid1 = password1
userid2 = password2

Create a start script for the Subversion daemon:


vi /mnt/data/apps/Subversion/bin/start_svnserve.sh

The start script needs to include the Subversion libraries before it launches svnserve:


#!/bin/bash
ldconfig -Rm /mnt/data/apps/Subversion/lib
su svn -c '/mnt/data/apps/Subversion/bin/svnserve -d 
  --listen-host=n.n.n.n -r /mnt/data/apps/Subversion/svnrep'

The svnserve command should use a single line, wrapped for readability. Without the listen-host option Subversion may use an IPv6 address. Use the option with your IPv4 address to get around that. Make the script executable:


chmod +x /mnt/data/apps/Subversion/bin/start_svnserve.sh

Change ownership of all files properly:


cd /mnt/data/apps/Subversion
chown -R svn:svn svnrep

Test the script. If it works, add it as a PostInit start script (System/Advanced/Command scripts). Voila, FreeNAS is running Subversion!

Categories: FreeNAS