my FreeBSD diary
January 27, 2002 (as amended - updated to cover FreeBSD 6.x)

with respect and in deference to The FreeBSD Diary

The aim of this project is to produce a unix server which provides SSH, FTP, SMTP, POP, IMAP, NTP, HTTP (Apache, PERL and PHP), SQL (MySQL), SMB file and print sharing (Samba and CUPS), and email filtering (SpamAssassin) service. An all-in-one drop-in replacement for Windows and Netware servers, basically, with some extra features. I know that unix is more reliable and secure, and is more powerful, than any version of Windows, and I wish to pass these benefits onto my customers.

Note, this server will be on a NATted LAN inside the corporate firewall, which is a separate device, and doubles as a router, DNS server, and ADSL uplink. DHCP is not used.

  1. research

  2. download

  3. install

    1. partitioning
    2. options
    3. SSH
    4. denyhosts
    5. CVSup
    6. portsnap

  4. building the services

    1. webmin
    2. NTP
    3. FTP
    4. SMTP
    5. HTTP (Apache and PHP)
    6. SMB (Samba)
    7. CUPS
    8. POP/IMAP (Dovecot)
    9. SQL (MySQL)

  5. notes

    1. deployment
    2. user management
    3. the packages collection
    4. the ports collection
    5. dual-booting
    6. other

research

Looking for a unix desktop instead of a server platform? Check out PC-BSD - This is FreeBSD + KDE (a popular GUI), with a sexy installer, some smart scripts and a bunch of services preinstalled and preconfigured. It doesn't try to be a server - this is a system designed to do the same job as Windows XP. It's very slick indeed.

The first step is to settle upon which unix to use. I poked around on the net, and I read some of the documentation. Factors influencing my decision included popularity, lineage, and hardware support. In the end, FreeBSD was the clear winner; not only modern and well-supported, but also with a distinguished history, and reference sites including yahoo.com, apache.org, cdrom.com and even (once upon a time) hotmail.com. Sold... Linux? Oh yes - that's the unix that uses BSD components, GNU components, Linus components... I've heard of it.

I then needed to select a distribution - there's NetBSD, OpenBSD and FreeBSD. NetBSD is optimised for portability... I don't need that. OpenBSD's main advantage seems to be security - I didn't feel the need to encrypt my swapspace... so I opted for the high-performance FreeBSD instead. See also a comparison of BSD operating systems and/or Distrowatch for more information.

Hardware-wise, BSD runs on pretty well anything, including the 333MHz AMD K6 in the test server, with 128Mb of RAM and 4Gb of disk. BSD can run with fewer resources than these - but I doubt it's recommended. A BIOS with support for LBA and bootable CD-ROMs is also suggested. While BSD can run on ancient hardware, the limitations this imposes on the flexibility of the system may be excessive. Certainly, for production servers I hope to use the latest and fastest hardware. Note that BSD, being a community-supported OS, does not immediately support new devices; nor do manufacturers usually ship BSD drivers. Ensure that drivers are available, working and stable before committing to a specific device.

Software-wise, aside from the operating system I also had to decide which servers and applications to deploy. I stuck with the tools I knew.

Note: once you've settled on a distribution, you might like to stick with the particular version of the distribution you download, at least for a while. This will allow you to compare and contrast between your builds (you will no doubt do several). If you always use the latest version of the distribution, you will be introducing inconsistencies between your builds, which will be confusing if you are still learning how the system works. So, select your download very carefully. As always, avoid ".0" releases; you want a version number x.1 or higher.

download

Next, I had to get the FreeBSD CDs. I downloaded the full distribution as an ISO from a mirror over my ADSL connection. It took around 8 hours, at 512Kbps, for the two CDs. After verifying the MD5 hash for each ISO, I then burned the ISOs onto CDs. If you're not sure how to burn an ISO from a mirror onto a CD, or, indeed, verify the MD5 hashes, this is your cue to open a new browser window and zoom over to your favourite search engine. I did try using BitTorrent to get the ISOs, but it was going to take twice as long, plus saturate my outbound, so I aborted BitTorrent and went for good old FTP.

install

My machine had bootable CD-ROM support, so I put in disk 1 and booted off it. However, if bootable CD-ROM support is not an option, the first task is to make the FreeBSD installation floppies. Previous distributions included MAKEFLP.BAT and/or FDIMAGE.EXE to make the floppies, however the 6.0-RELEASE distribution does not. To set up 6.0 on a machine without a bootable CD-ROM, I used the FDIMAGE.EXE from my old FreeBSD 4.11 CD (it's the same binary) to execute this command from the \floppies directory on the CD: fdimage -v boot.flp a: (note: in release 6.1, FDIMAGE.EXE is back in the \tools directory on the CD). I then also created the two kernel disks, I made sure I had the boot disk in the drive, and rebooted.

From the welcome screen that appeared I selected '1. Boot FreeBSD [default]'. The sysinstall Main Menu was then displayed; I then selected 'standard install' (in FreeBSD 6.1, the country and keymap selection screens appear before the Main Menu).

Then, FDISK the partition editor appeared. I pressed A (to use the entire disk), pressed S (to make the new FreeBSD partition bootable), then pressed Q to quit FDISK. I then told the installer to create a standard MBR (since I'm not doing multiboot). [Note to fellow DOS refugees: FreeBSD calls partitions 'slices'. FreeBSD has partitions too but they are different to DOS-style MBR partitions - in fact they are sub-slices, and are called labels.]

Next, the disklabel editor appeared; press A to create the default scheme. The disklabel editor can be tricky to use, especially if customising the label sizes. For reference, the following FreeBSD-style partitions are required:

/
swap
/tmp
/usr
/var

From experience thus far, 250Mb is the minimum required for /, /tmp and swap, 500Mb is the minimum for /var and 2Gb the minimum for /usr. /usr should be as big as possible. Smaller values may work, but will probably not be useful (especially over time). Think carefully before proceeding - ensure the scheme you define will suit the machine's intended usage (a mailserver, which by default puts spools in /var, will probably need an extra-large /var, for example). You may need to juggle the sizes of the various labels, particularly if you are installing on a disk 4Gb or less in size. Once the label sizes are defined, it's difficult to change them without reinstalling the system from scratch. Unfortunately, FreeBSD is not yet blessed with tools like Ghost and Partition Magic.

The partitions created, the installer prompts for an installation type - I chose Developer. The installer then asks whether to install the ports collection. If the ports collection is not installed, this can cause difficulty in some circumstances, so electing to install the ports here is recommended.

I then selected my installation media; the system files were then copied to the disk (this process takes some time). When the copy completed, a congratulations message appeared.

Next, install proceeded to the "final configuration questions". These vary depending on previous choices and the distribution being installed (docs: handbook).

...and the install was done - exiting the installer and rebooting let me login as root, and whizzo - I found I could immediately ping yahoo.com!

Note: if installing FreeBSD in a dual- or multi-boot system, a boot manager should be installed at this point (see below).

SSH: (docs: handbook; manpage - daemon; manpage - config file)

The next job was to get SSH working. During install, I said Yes, enable SSH login; while this generates keys and configures the SSH daemon to start on boot, it crucially does not automatically allow anyone to login remotely (including root). To permit a user to login:

  1. edit the daemon's configuration file: vi /etc/ssh/sshd_config
  2. uncomment the line PermitRootLogin no
  3. go to the end of the file, add a new line: DenyUsers Administrator Guest Root
  4. add a new line under that: #permitted users
  5. add a new line under that: AllowUsers username@IP.address.you.use
  6. save the changes to the config file and quit the editor
  7. restart the SSH daemon: /etc/rc.d/sshd restart

username is usually the username associated with the sysadmin's personal account (created above, member of group 'wheel'). Do not permit root to login remotely. A more secure configuration is to permit a user who can 'su' to root instead.

IP.address.you.use is the IP address of the computer you use to connect to the server. Omitting the AllowUsers line altogether permits any user to login from anywhere. Omitting the IP address from an AllowUsers entry permits the user specified to login from anywhere.

Remember to restart the daemon after you save your changes to its configuration file. It only reads the file when it starts up.

Note: this configuration permits use of password-based authentication, which is vulnerable to brute-forcing. Key-based authentication (not covered here) is more secure. However, in the configuration above an IP address is specified on the AllowUsers line, which means that a brute-force attack can only be successful if it is made from that IP address.

Note: the rest of the build can be completed remotely, if desired. If this is the case, and a firewall is in between, forward the SSH port 22/TCP to the server now. Also, check that port 22/TCP is open on the firewall. It's good security to use an alternate port, if possible (forward, for example, firewall/external port 6666 to server/internal port 22 - you then specify port 6666 in your SSH client and the firewall maps the traffic to port 22 on the server).
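An added check (example code, not from the diary or from FreeBSD) that reads an sshd_config and confirms the two properties this section depends on: PermitRootLogin is explicitly no, and every AllowUsers entry carries the @IP.address restriction. It assumes POSIX sh with awk, ignores Match blocks, and constructs its own sample configs.

```shell
#!/bin/sh
# Added example, not from the original diary: audit an sshd_config for the two
# properties the SSH section relies on, i.e. root login is refused and every
# AllowUsers entry is pinned to a source address with user@host.
# Assumptions: POSIX sh plus awk; the config path is a parameter; Match blocks
# are not interpreted (keep the checked directives in the global section).

# Print the effective value of a keyword. sshd honours the FIRST uncommented
# occurrence of a keyword, so a later duplicate does not override it.
sshd_effective() {  # usage: sshd_effective <config-file> <Keyword>
    awk -v key="$2" '
        /^[ \t]*#/ { next }                             # skip comments
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# Return 0 when the file refuses root and restricts every allowed user to a
# host; otherwise print each finding and return 1.
check_sshd_config() {  # usage: check_sshd_config <config-file>
    cfg="$1"; rc=0

    # 1. PermitRootLogin must read "no" explicitly. A commented-out line means
    #    the compiled-in default applies, which varies by OpenSSH version, so
    #    treat "unset" as a failure too.
    prl=$(sshd_effective "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${prl:-unset}', expected 'no'"; rc=1
    fi

    # 2. AllowUsers: with no line at all every account may log in; an entry
    #    without @host lets that account log in from anywhere. Several
    #    AllowUsers lines are cumulative, so gather them all.
    allow=$(awk '/^[ \t]*#/ { next }
                 tolower($1) == "allowusers" { $1 = ""; print }' "$cfg")
    if [ -z "$allow" ]; then
        echo "FAIL: no AllowUsers line, so every user may log in from anywhere"; rc=1
    else
        for entry in $allow; do
            case "$entry" in
                *@*) ;;   # user@host: pinned to a source address
                *)   echo "FAIL: AllowUsers entry '$entry' has no @host part"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Two constructed sample files (not copies of any real server's config).
good_cfg=$(mktemp); bad_cfg=$(mktemp)
trap 'rm -f "$good_cfg" "$bad_cfg"' EXIT
cat > "$good_cfg" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
DenyUsers Administrator Guest Root
#permitted users
AllowUsers alice@192.0.2.10
EOF
cat > "$bad_cfg" <<'EOF'
#PermitRootLogin no
AllowUsers alice
EOF

check_sshd_config "$good_cfg" && echo "good config: pass"
check_sshd_config "$bad_cfg"  || echo "bad config: fail (expected)"
```

On the server itself, `sshd -t` checks the file for syntax errors before you restart the daemon.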

denyhosts: (docs: FAQ)

denyhosts can be used to stop many kinds of brute-force attacks. While the SSH configuration above is quite secure, using denyhosts gives an extra layer of security, and may allow some of the other restrictions to be relaxed (eg. restricting login to certain IP addresses only). In addition, denyhosts can be used to simultaneously block attacks on protocols other than SSH. denyhosts' drawbacks include its Python dependency, and also its use of TCP wrappers. However, this use of TCP wrappers means that it does not need a firewall in order to operate.

How to install:

  1. cd /usr/ports/security/denyhosts
  2. make install clean
  3. if prompted for Python configuration, make changes as necessary and continue
  4. vi /etc/rc.conf
  5. add these lines (if the syslogd_flags setting already exists, ensure it includes the -c switch):
    denyhosts_enable="YES"
    syslogd_flags="-c"
    
  6. save the changes and exit the editor
  7. vi /etc/hosts.allow
  8. comment out this line:
    ALL : ALL : allow
    
  9. add these lines just before the sendmail settings:
    # denyhosts
    sshd : /etc/hosts.deniedssh : deny
    sshd : ALL : allow
    
  10. save the changes and exit the editor
  11. vi /usr/local/etc/denyhosts.conf
  12. uncomment this line:
    BLOCK_SERVICE  = sshd
    
  13. save the changes and exit the editor
  14. touch /etc/hosts.deniedssh
  15. /etc/rc.d/syslogd restart
  16. /usr/local/etc/rc.d/denyhosts start
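As an added illustration (not from the diary or from denyhosts), here is a small model of how TCP wrappers reads the hosts.allow lines above, to show why commenting out ALL : ALL : allow matters: the first matching line decides. It assumes a simplified client-pattern syntax (ALL, an address file, a trailing-dot prefix, or an exact address) and constructs its own sample files.

```shell
#!/bin/sh
# Added example, not from the original diary: a small model of how TCP wrappers
# walks /etc/hosts.allow, to show why the two denyhosts lines must come before
# any "ALL : ALL : allow" line. Assumptions: rules are read top to bottom and
# the FIRST line whose daemon and client fields both match decides; a client
# pattern is ALL, a /path to a file of addresses (one per line, as
# /etc/hosts.deniedssh is used), a trailing-dot prefix such as 192.168.0., or
# an exact address. Real libwrap also matches hostnames, netmasks and more.

# usage: match_client <pattern> <client-ip>; exits 0 when the pattern matches
match_client() {
    pat="$1"; ip="$2"
    case "$pat" in
        ALL) return 0 ;;
        /*)  [ -f "$pat" ] && grep -qx "$ip" "$pat" ;;             # address list file
        *.)  case "$ip" in "$pat"*) return 0 ;; esac; return 1 ;;  # prefix
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

# usage: wrap_decide <hosts.allow-file> <daemon> <client-ip>; prints allow|deny
wrap_decide() {
    file="$1"; daemon="$2"; ip="$3"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        [ -z "$(printf %s "$line" | tr -d '[:space:]')" ] && continue
        d=$(printf %s "$line" | cut -d: -f1 | tr -d '[:space:]')
        c=$(printf %s "$line" | cut -d: -f2)
        a=$(printf %s "$line" | cut -d: -f3 | tr -d '[:space:]')
        [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
        for pat in $c; do
            if match_client "$pat" "$ip"; then
                echo "${a:-allow}"; return 0             # first match decides
            fi
        done
    done < "$file"
    echo allow    # no rule matched: hosts_access(5) grants access by default
}

# Constructed files: a blocklist with one address, the page's two rules, and
# a second hosts.allow that wrongly keeps "ALL : ALL : allow" in front.
denied=$(mktemp); ha=$(mktemp); ha_bad=$(mktemp)
trap 'rm -f "$denied" "$ha" "$ha_bad"' EXIT
echo 198.51.100.7 > "$denied"
cat > "$ha" <<EOF
# denyhosts
sshd : $denied : deny
sshd : ALL : allow
EOF
{ echo "ALL : ALL : allow"; cat "$ha"; } > "$ha_bad"

echo "blocked address, correct order:  $(wrap_decide "$ha" sshd 198.51.100.7)"     # deny
echo "other address, correct order:    $(wrap_decide "$ha" sshd 192.0.2.10)"       # allow
echo "blocked address, blanket first:  $(wrap_decide "$ha_bad" sshd 198.51.100.7)" # allow
```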


CVSup: (docs: handbook; homepage)

I installed CVSup when I installed FreeBSD itself, so next, I updated the source tree, so as to get the latest patches:

  1. cd /usr/local/etc
  2. cp /usr/share/examples/cvsup/standard-supfile .
  3. chmod 644 standard-supfile
  4. vi standard-supfile
  5. change the *default host setting (I use cvsup3.uk.FreeBSD.org or cvsup2.nl.FreeBSD.org)
  6. save the changes and exit the editor
  7. cvsup -g -L 2 standard-supfile (this requires a live internet connection, and takes a while)

The source tree updated, rebuild the system (docs: handbook):

  1. cd /usr/src
  2. make buildworld (this takes quite a while)
  3. make buildkernel (this takes a while)
  4. make installkernel
  5. reboot
  6. cd /usr/src
  7. make installworld
  8. reboot

Don't skip the reboots: without them the new kernel does not become active (not sure about world).

The step below is no longer recommended. Use portsnap instead (see the next section).

The system rebuilt, update the ports collection:

  1. cd /usr/local/etc
  2. cp /usr/share/examples/cvsup/ports-supfile .
  3. chmod 644 ports-supfile
  4. vi ports-supfile
  5. change the *default host setting (eg. cvsup3.uk.FreeBSD.org)
  6. save the changes and exit the editor
  7. cvsup -g -L 2 ports-supfile (this requires a live internet connection, and takes a while)

Notes:

Failing to update the system would not only have left me with a bunch of bugs and security issues that have already been fixed, but would also have prevented me from installing most of the ports, since portaudit, which along with cvsup was installed when I installed FreeBSD itself, aborts the installation of outdated ports.

portsnap: (docs: handbook)

portsnap is used to update the ports collection, and replaces CVSup for this task (CVSup is still needed to update FreeBSD itself, however). portsnap is installed with the base system, for FreeBSD 6 and up (earlier versions require it to be installed from the ports collection). portsnap is more efficient and secure than CVSup.

To initialise portsnap, and update to the latest ports tree, do this:

portsnap fetch extract

Note: this command is only required when portsnap is first run.

To update the ports tree at a later time (i.e. once portsnap has been initialised, as above):

portsnap fetch update


day 4: building the services

Webmin: (docs: homepage; article: OnLamp)

Webmin is possibly the first service to install - this will allow point-and-click configuration of many other services. Before installing, do this:

  1. vi /etc/make.conf
  2. add this line: X11BASE=${LOCALBASE}
  3. save the changes and exit the editor
  4. vi /etc/rc.conf
  5. add this line: webmin_enable="YES"
  6. save the changes and exit the editor

To install webmin:

  1. cd /usr/ports/sysutils/webmin
  2. make install clean

To configure or reconfigure webmin, run the following command:

/usr/local/lib/webmin/setup.sh

Notes on webmin configuration:

To start and stop webmin, use these commands:

/usr/local/etc/webmin/start
/usr/local/etc/webmin/stop

To access webmin on a machine on the LAN, use an address like this:

http://hostname:port/ or http://IP.address.in.use:port/

To access webmin on a machine at the other end of an SSH tunnel, use an address like this:

http://localhost:3001/


NTP: (docs: handbook; manpage)

An NTP daemon is installed by default; use this procedure to configure and start it:

  1. edit startup file: vi /etc/rc.conf
  2. add a line to end: ntpdate_flags="time.server.to.use"
  3. add a line to end: ntpdate_enable="YES"
  4. add a line to end: ntpd_enable="YES"
  5. save the file and close the editor
  6. create config file: vi /etc/ntp.conf
  7. add a line: server time.server.to.use
  8. add a line: driftfile /var/db/ntp.drift
  9. save the file and close the editor
  10. start the server: ntpd


FTP: (docs: handbook - ftp; handbook - inetd; manpage - inetd)

An FTP server is installed by default; use this procedure to configure and start it:

  1. get into sysinstall
  2. select Configure, then Networking
  3. go down to inetd and press Enter
  4. accept the warning
  5. open the editor
  6. uncomment the "ftp" line (tcp6 is apparently for IPv6 - I left this commented out)
  7. save the changes and exit the editor, then quit sysinstall
  8. if needed, add usernames to the banned user file: vi /etc/ftpusers
  9. if needed, add usernames to the restricted user file: vi /etc/ftpchroot
  10. if needed, edit welcome and motd files: vi /etc/ftpwelcome ... vi /etc/ftpmotd
  11. start inetd: /etc/rc.d/inetd start
  12. edit startup file: vi /etc/rc.conf
  13. ensure the inetd_enable line is set to "YES"
  14. if present, ensure tcp_extensions is set to "NO"
  15. save any changes and exit the editor


SMTP (sendmail): (docs: handbook)

Sendmail is installed and enabled by default. Use this procedure to configure it:

  1. cd /etc/mail
  2. cp access.sample access
  3. vi access
  4. comment out everything except the RELAY line
  5. change RELAY line to reflect the subnet of the local LAN
  6. save the file and quit the editor
  7. create hostnames file: vi local-host-names
  8. add new line: yourdomain.com
  9. add new line: mail.yourdomain.com
  10. save the file and quit the editor
  11. run make in /etc/mail/ to create the config files
  12. vi /etc/rc.conf
  13. add new line: sendmail_enable="YES"
  14. save the file and quit the editor
  15. cp freebsd.mc sendmail.mc
  16. vi sendmail.mc
  17. add these lines above the other FEATURE lines near the top of the file:
    MASQUERADE_AS(`yourdomain.com')dnl
    FEATURE(masquerade_envelope)
    
  18. save the file and quit the editor
  19. m4 /usr/share/sendmail/cf/m4/cf.m4 sendmail.mc > temp.cf
  20. mv temp.cf sendmail.cf
  21. vi /etc/mail/sendmail.cf
  22. comment out the line DaemonPortOptions=Port=587, Name=MSA, M=E (this stops sendmail listening on port 587)
  23. save the file and quit the editor
  24. run make in /etc/mail/ to update the databases
  25. restart sendmail: /etc/rc.d/sendmail restart

yourdomain.com is the name of the domain for which mail is being processed. You must wait for DNS changes to propagate before you can test inbound mail processing.

This setup permits the server to relay mail sent by any machine on the LAN, and also removes the machine's hostname from any mail originating from the machine itself (i.e. from cron or the mail command).

HTTP (Apache and PHP): (docs: handbook; homepage: Apache - PHP)

  1. install from the Ports collection: cd /usr/ports/www/apache13-modperl
  2. make install clean (again, this requires a live internet connection, and takes a while)

Note: there's no Apache configuration done here, and the daemon is not yet started - install PHP first:

  1. cd /usr/ports/lang/php5
  2. make install clean (again, this requires a live internet connection, and takes a while)
  3. PHP options: select CLI, CGI, Apache, Suhosin, FastCGI and pathinfo
  4. cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini
  5. open the PHP config file: vi /usr/local/etc/php.ini
  6. change the display_errors line if appropriate
  7. cd /usr/ports/lang/php5-extensions
  8. make install clean

Now to complete the Apache configuration:

  1. open the Apache config file: vi /usr/local/etc/apache/httpd.conf
  2. change the ServerAdmin line
  3. change the DocumentRoot line to /usr/local/www/public_html
  4. change the second <Directory> line to /usr/local/www/public_html
  5. in the Aliases section, comment out the /manuals/ alias
  6. add the following to the end of the file:
    ## BEGIN PHP config ##
       AddType application/x-httpd-php .php
       AddType application/x-httpd-php .phtml
       AddType application/x-httpd-php .php3
       AddType application/x-httpd-php .php4
       AddType application/x-httpd-php .php5
       AddType application/x-httpd-php-source .phps
    ## END PHP config ##
    
  7. save the changes and exit the editor
  8. mkdir /usr/local/www/public_html
  9. chmod 775 /usr/local/www/public_html
  10. rm /usr/local/www/cgi-bin
  11. mkdir /usr/local/www/cgi-bin
  12. chmod 775 /usr/local/www/cgi-bin
  13. vi /etc/rc.conf
  14. add new line: apache_enable="YES"
  15. start Apache: /usr/local/sbin/apachectl start


SMB (Samba): (docs: handbook; HOW-TO)

There are many ways to use Samba. The configuration defined below emulates a shared drive on a Windows PC with minimal security. It can also be used to emulate shared printers (in conjunction with CUPS). It does not require users to enter a password - it assumes that any user on the local network is valid. This is done as follows:

  1. cd /usr/ports/net/samba3
  2. make install clean (again, this requires a live internet connection, and takes a while)
  3. select at least syslog (and CUPS if you want to use the FreeBSD box as a printserver)
  4. cd /usr/local/etc
  5. cp smb.conf.default smb.conf
  6. chmod 644 smb.conf
  7. vi smb.conf
  8. in the [global] section, change workgroup name to correct name, example: MY_GROUP
  9. in the [global] section, set the security mode to user
  10. in the [global] section, uncomment the hosts allow line and change it to permit access only from the local LAN and localhost, example: 192.168.0. 127.
  11. in the [global] section, set domain master and preferred master as appropriate (this is not required, but I suspect it makes browsing the network faster)
  12. in the [global] section, adjust log size if necessary (remember this is per machine)
  13. create a section in the config file for the share (do this in the "share definitions" section):
    [public]
       path = /usr/data/smbspace
       read only = no
       public = yes
       oplocks = false
       level2oplocks = false
    
  14. save the changes and exit the editor
  15. create share directory: mkdir /usr/data/smbspace
  16. set permissions on share directory: chmod 775 /usr/data/smbspace
  17. vi /etc/rc.conf
  18. add a new line to the end of the file to enable Samba on boot: samba_enable="YES"
  19. save the changes and exit the editor
  20. start the daemon: /usr/local/etc/rc.d/samba start

Samba has a web-based administration tool called SWAT. To install it:

  1. vi /etc/inetd.conf
  2. uncomment the line starting with swat stream tcp nowait/400
  3. save the changes and exit the editor
  4. reload inetd's configuration: /etc/rc.d/inetd reload

SWAT will then be accessible at http://localhost:901/ (the root username and password are required).

Note that SWAT uses inetd. Enable it if necessary with the following:

  1. vi /etc/rc.conf
  2. add line to end: inetd_enable="YES"


CUPS (and printserving with Samba): (docs: samba CUPS)

CUPS is not installed by default. Install it as follows:

  1. cd /usr/ports/print/cups
  2. make install clean (again, this requires a live internet connection, and takes a while)
  3. from the Ghostscript installer that appears, deselect every printer, then continue (we're using raw mode)
  4. vi /usr/local/etc/cups/mime.types
  5. uncomment line near end starting with application/octet-stream (in FreeBSD 6.1 this is uncommented by default)
  6. save the file and quit the editor
  7. vi /usr/local/etc/cups/mime.convs
  8. uncomment line near end starting with application/octet-stream
  9. save the file and quit the editor
  10. vi /usr/local/etc/cups/cupsd.conf
  11. comment out the line Listen localhost:631
  12. add a line below: Port 631
  13. change the Allow line in the <Location /> section to suit the LAN, eg. Allow 192.168.0.*
  14. change the Allow line in the <Location /admin> section to suit your system, eg. IP.address.you.use
  15. save the file and quit the editor

IP.address.you.use is the IP address of the computer you use to connect to the server.

The Samba/CUPS interface must then be configured:

  1. vi /usr/local/etc/smb.conf
  2. in the [global] section, uncomment printing=cups
  3. in the [global] section, add a line immediately underneath the one previously edited: printcap name=cups
  4. in the [printers] section, add public=yes
  5. in the [printers] section, add use client driver=yes
  6. in the [printers] section, add printer admin=root
  7. in the [printers] section, set guest ok = yes
  8. in the [printers] section, ensure browseable = yes
  9. in the [printers] section, ensure writeable = yes
  10. save the file and quit the editor

Enable and run CUPS:

  1. vi /etc/rc.conf
  2. add a new line to the end: cupsd_enable="YES"
  3. save the file and quit the editor
  4. start the server: /usr/local/etc/rc.d/cupsd start

Then configure a printer:

  1. access the web interface: https://yourserver:631/admin/ (this does not require Apache to be installed)
  2. click Administration
  3. log in (as either root or some other user)
  4. click Add Printer
  5. enter a printer name (descriptive only - appears as sharename when browsing for a printer)
  6. click Continue
  7. select Parallel Port #1 (interrupt driven)
  8. click Continue
  9. enter the device name: parallel:/dev/lpt0
  10. select raw
  11. click Continue
  12. select raw queue
  13. click Continue

This done, Windows users will be able to browse for the printer and add it as usual to their systems. They will be prompted for drivers which they must install locally.

Note: the above notes assume the printer is connected directly to the server's parallel port. If the printer is connected via a printserver, substitute the protocol and device path above as appropriate, examples: lpd://192.168.0.90/p1 or lpd://yourprintserver/p2

Note: it may take a few minutes for the printer you have shared ("published") to become visible to client computers.

Note: if the server is being configured remotely with SSH, it's possible to create a tunnel to port 631, and then use a local web browser to connect, through the tunnel, to the CUPS control panel, using an address such as http://localhost:3000/ (where 3000 is the local port where the SSH tunnel terminates).

Note: the CUPS logfile, very useful for troubleshooting, can be found in /var/log/cups/

Note: the CUPS admin panel may autodetect network printers; if so, it provides a wizard to add them to the CUPS configuration. However, this wizard creates sharenames that are incompatible with/invisible to Windows 9x clients. Be sure to use short sharenames (11 characters or less) if Windows 9x clients are in use. The printer will need to be added manually in order to define a sharename.

Note: printing under unix is not straightforward, and I'm not an expert. While this section works, in that Windows clients can print to the unix printer, it leaves out certain things (i.e. the ability to print from the server to the printer, and loading Windows drivers onto the server).

POP/IMAP (Dovecot): (docs: Dovecot)

A POP server is not installed by default. I installed Dovecot from the ports collection (it does IMAP as well):

  1. cd /usr/ports/mail/dovecot
  2. make install clean (again, this requires a live internet connection, and takes a while)
  3. cd /usr/local/etc
  4. cp dovecot-example.conf dovecot.conf
  5. chmod 644 dovecot.conf
  6. vi dovecot.conf
  7. change the default_mail_env line to read mbox:~/mail:INBOX=/var/mail/%u
  8. uncomment the ssl_disable line and change the value to yes
  9. uncomment the disable_plaintext_auth line and change the value to no
  10. save the file and quit the editor
  11. start the server: dovecot

Note to self: this procedure doesn't seem to cause dovecot to start on boot ...

SQL (MySQL): (docs: MySQL)

MySQL is not installed by default. How to install and configure it from the ports collection:

  1. install MySQL (this requires a live internet connection, and takes a while)

    cd /usr/ports/databases/mysql50-server
    make install clean

  2. configure the data directory

    mkdir /data
    mkdir /data/db
    mkdir /data/db/mysql
    chown -R mysql /data/db/mysql/
    chgrp -R mysql /data/db/mysql/

    Note: the default directory MySQL uses is /var/db/mysql/; however, it has been changed to /data/db/mysql/ in this example.
    Note: a MySQL user and group are required, however these are created automatically by the installer.

  3. initialise the database server

    /usr/local/bin/mysql_install_db -u mysql --datadir=/data/db

    Note: If a bunch of 'cannot find file' messages appear here, check the permissions on the data directory.

  4. configure the environment

    To enable MySQL to start on boot, add to /etc/rc.conf the following:

    mysql_enable="YES"
    mysql_dbdir="/data/db/mysql"

  5. reboot and test

    If there are problems, check the file server.err in the MySQL data directory for error messages (the actual name of the file will not be server.err: your machine's hostname takes the place of "server"). Don't skip the reboot - it can fix at least one transient post-install issue.

  6. set root password

    mysqladmin -u root password 'secret_password'

  7. grant administrative permissions

    mysql -uroot -psecret_password -e"GRANT ALL PRIVILEGES ON *.* TO 'root'@'IP.address.you.use' IDENTIFIED BY 'secret_password'"
    mysql -uroot -psecret_password -e"GRANT SHUTDOWN ON *.* TO 'root'@'IP.address.you.use' IDENTIFIED BY 'secret_password'"

    IP.address.you.use is the IP address of the computer you use to connect to the server.


deployment

When the server is fully built and as tested as possible, it can be launched, ready for use in a production (live) environment. If the server is to accept mail from the internet, the following additional items should be done before launch:

  1. if your router has a dynamic public IP address, get a dynamic DNS account, and install a dynamic DNS client on the server (you can also roll your own DDNS client using cron and curl)
  2. at your DNS provider, change the domain's MX record to point at your router's public IP address (or dynamic DNS hostname). This will cause all email for the domain you specify to be forwarded to the address you specify, so ensure the server is ready to accept it. This change will take 24-48 hours to take effect. Check MX records with this command: host -t mx domain.name
  3. on your router, forward port TCP/25 (SMTP) to the server's private IP address (additionally ensure this port is open on the firewall)
  4. save the router configuration

User management

The packages collection

Installing software from the packages collection is done as follows:

  1. go into sysinstall
  2. select 'Configure' from the main menu
  3. select Packages
  4. insert disc 1 of the FreeBSD distribution set
  5. select CD/DVD (or use FTP, if a CD is inconvenient, but an internet connection is available)
  6. browse the collection
  7. select the desired package(s)
  8. choose Install
  9. exit sysinstall

The ports collection

If the ports collection is not installed, software from it cannot be installed, including Apache, PHP, Samba and Dovecot. Currently I'm stuck on this problem, and so I install the full ports collection during installation.

dual-booting

I've only played with this a bit, so nothing in-depth here; however, I did try installing FreeBSD on an empty second hard disk in a machine running Windows 2000 Server. During FreeBSD's install I elected to install the Boot Manager, as suggested by the installer, so I could select which operating system to boot.

However, the Boot Manager seemed to corrupt my MBR. I got a nasty message from W2KS when I tried to log in - "your paging file is too small", a known fault - but after running the fix and rebooting I got an even nastier message from W2KS asking me to reboot in Directory Services Restore Mode. At this point I broke out my Ghost image and restored my W2KS installation from a backup.

I found a third-party boot manager called GAG which did the trick. I reinstalled FreeBSD, this time telling it to leave the MBR alone, then installed GAG. Sorted.

other notes