We recently had a break-in and found out about it when we were far from home. I worried about many things, among them the unencrypted files on my home NAS. Not that I have any state secrets buried, but the thought of having private e-mails, photos and so on in the hands of criminals just felt wrong. Fortunately the thieves left my computers, so I decided to do something about it.
I have an old NAS with FreeBSD 0.7.2 (no longer available) running FreeBSD 7. It does support encryption, albeit a bit manually. First I had to create a geli encryption key on the USB boot device:
umount /cf
mount -o rw /dev/da0a /cf
mkdir /cf/boot/keys
dd if=/dev/random of=/cf/boot/keys/nas.key bs=128k count=1
Next I destroyed the partition on the first disk to go and configured it for encryption with geli:
dd if=/dev/zero of=/dev/ad10 bs=512 count=10
geli init -b -K /cf/boot/keys/nas.key -s 4096 -l 256 /dev/ad10
geli attach -k /cf/boot/keys/nas.key /dev/ad10
Repeat with other drives (ad8 in this case) and create a mirror:
zpool create -m none nas-pool1 mirror /dev/ad10.eli /dev/ad8.eli
Add the following to /cf/boot/loader.conf to enter the passphrases at boot time:
geli_ad8_keyfile0_load="YES"
geli_ad8_keyfile0_type="ad8:geli_keyfile0"
geli_ad8_keyfile0_name="/boot/keys/nas.key"
geli_ad10_keyfile0_load="YES"
geli_ad10_keyfile0_type="ad10:geli_keyfile0"
geli_ad10_keyfile0_name="/boot/keys/nas.key"
Reboot and make sure it works, then add additional drives and resilver. Peace of mind restored!
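Before rebooting, the loader.conf entries can be checked for consistency, since each encrypted disk needs all three keyfile lines and a type that names the same device. The script below is an added example, not part of the original post; the function name check_geli_keyfiles and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check geli keyfile entries in a loader.conf.
# Each device needs three lines (load, type, name) and the type value
# must be "<dev>:geli_keyfile0". Prints one line per problem found and
# returns non-zero if any device is misconfigured.
check_geli_keyfiles() {
    awk -F= '
    /^[ \t]*#/ { next }                       # skip comment lines
    $1 ~ /^geli_[a-z0-9]+_keyfile0_(load|type|name)$/ {
        split($1, p, "_")                     # p[2] = device, p[4] = field
        val = $2; gsub(/"/, "", val)          # strip the quotes
        dev[p[2]] = 1
        seen[p[2], p[4]] = val
    }
    END {
        bad = 0
        for (d in dev) {
            if (seen[d, "load"] != "YES") {
                print d ": keyfile0_load is not YES"; bad = 1
            }
            if (seen[d, "type"] != (d ":geli_keyfile0")) {
                print d ": keyfile0_type should be " d ":geli_keyfile0"; bad = 1
            }
            if (seen[d, "name"] == "") {
                print d ": keyfile0_name missing"; bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Constructed sample: ad8 is complete, ad10 has a copy-paste error in its
# type line and no name line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
geli_ad8_keyfile0_load="YES"
geli_ad8_keyfile0_type="ad8:geli_keyfile0"
geli_ad8_keyfile0_name="/boot/keys/nas.key"
geli_ad10_keyfile0_load="YES"
geli_ad10_keyfile0_type="ad8:geli_keyfile0"
EOF
check_geli_keyfiles "$sample" || echo "loader.conf needs fixing before reboot"
rm -f "$sample"
```

On the NAS itself, run the function against /cf/boot/loader.conf.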
I recently upgraded to FreeNAS 0.7.2 revision 6694 and suddenly symbolic links across zfs filesystems stopped working when accessed using Windows file sharing (CIFS/SMB). They still worked fine from the command line. Apparently the root cause is a security fix in Samba. To work around the change, add the following to “Auxiliary parameters” for CIFS/SMB in the FreeNAS web ui:
They will then be added to the global section of smb.conf. Select “Save and Restart” and the links should work again.
Like several other FreeNAS users I would like to run a Subversion server on my FreeNAS box. Sure, it is discouraged, but the alternative for me is to use an Internet-facing server or to keep a third machine running all the time. The FreeNAS box seems like the best choice.
The installation process is a bit involved as the embedded version of FreeNAS keeps the root file system in RAM. A standard installation will simply disappear after the first reboot.
Create a group and a user named svn through the web interface. Note that if you want to su to svn later on, a real shell is required; nologin will not work. Log in to the Unix prompt and su to root. Create a directory on one of the mounted disks (not the root file system, which is a RAM disk!):
mkdir -p /mnt/data/apps/Subversion
Install the subversion package to the proper location:
setenv PKG_TMPDIR /mnt/data/apps/Subversion
pkg_add -r subversion -P /mnt/data/apps/Subversion
Include the dynamic libraries in the search path:
ldconfig -Rm /mnt/data/apps/Subversion/lib
Create a repository. Again the location must be on a mounted disk:
/mnt/data/apps/Subversion/bin/svnadmin create /mnt/data/apps/Subversion/svnrep
Configure the repository.
Apart from comments this is an example:
[general]
anon-access = none
auth-access = write
password-db = passwd
realm = FreeNAS
Edit the password file (vi /mnt/data/apps/Subversion/svnrep/conf/passwd) and add users:
[users]
userid1 = password1
userid2 = password2
Create a start script for the Subversion daemon:
The start script needs to include the Subversion libraries before it launches svnserve:
#!/bin/bash
ldconfig -Rm /mnt/data/apps/Subversion/lib
su svn -c '/mnt/data/apps/Subversion/bin/svnserve -d --listen-host=n.n.n.n -r /mnt/data/apps/Subversion/svnrep'
The svnserve command must be entered on a single line, even if it appears wrapped here for readability. Without the --listen-host option Subversion may use an IPv6 address. Use the option with your IPv4 address to get around that. Make the script executable:
chmod +x /mnt/data/apps/Subversion/bin/start_svnserve.sh
Change ownership of all files properly:
cd /mnt/data/apps/Subversion
chown -R svn:svn svnrep
Test the script. If it works, add it as a PostInit start script (System/Advanced/Command scripts). Voila, FreeNAS is running Subversion!