Date: Sun, 16 Mar 2014 13:14:23 -0400
From: Jim Ohlstein <jim@ohlste.in>
To: tyler@tysdomain.com
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: configuring base server system: lots of questions
Message-ID: <5325DBEF.7020702@ohlste.in>
In-Reply-To: <5325D011.8060807@tysdomain.com>
References: <5325D011.8060807@tysdomain.com>
On 3/16/14, 12:23 PM, Littlefield, Tyler wrote:
> hello:
> I am pressed on cash, but wanted to switch from Linode (Linux) to BSD. I
> had a few reasons, mainly that I like BSD quite a lot. I found the
> soyoustart servers and at least right now for my needs, it's working
> good. I am in the process of switching everything over--I'll do an
> install and will end up just wiping everything out and rebuilding this
> all later when I know exactly what I want to do, so I have a few questions:
> 1) I've seen a lot of discussion on ZFS. This server comes with 2 2tb
> drives on raid, so I assume it's a mirror. Would ZFS be useful in this
> case, or should I stick to UFS? I want to do a lot of work with jails:
> jail each individual service. Is this viable? I've also tightened up the
> kernel a bit and installed a pretty basic firewall. Are there other
> security concerns I need to worry about? What is the general checklist?

First, don't assume. Find out. Using ZFS may depend more on how much RAM you have than the drives. More RAM usually = better ZFS performance. You should also be able to separate the drives into JBOD mode. If they're in a "software RAID" (as most Soyoustart servers seem to be) then that's good. ZFS and a hardware controller don't always play together most efficiently, or so I have been led to believe.

UFS is still a fine file system, but if you have adequate RAM ZFS is more than just a file system. Soyoustart servers do seem to have lots of RAM, more than enough for a ZFS system with this amount of storage. However, I doubt that you can simply install FreeBSD with ZFS from a Soyoustart OS template. You'd probably need KVM/IPMI, and I don't know if that's available.

As for a security "checklist", every machine is different and everyone's needs are different. Use a firewall that you understand and learn how to write rules. Don't just copy and paste. See below as well.
> 2) When accessing jails, I have a game I am developing that I want to
> host on this server. There are a few of us that will have access to the
> running copy--should they just sudo ezjail-admin console game, or is
> there a more secure method to allow individual users access?

Yes. Use NAT/redirect. That way you can set the SSH port on the jail to something other than what your main FreeBSD install uses, and redirect it directly to the jail's SSH daemon. I use pf(4) for this, with the module built into my kernel. There are other ways.

> 3) I have 95 some odd updates with portmaster over the last two weeks.
> Is it viable somehow to just apply security patches? Is there a way to
> do that, until I have the time to sit down and apply all these updates
> individually?

Use pkg(8). Unless all 95 have custom options, this will be far more efficient.

> 4) My CFLAGS in make.conf looks like this: CFLAGS+=-O2 -march=native -s
> is this recommended? If not, what would be a better setup? Usually -O2
> is a good level since -O3 tends (from what I've heard) to create a lot
> of cache misses. I wanted it to tune to my processor and strip. I was
> also looking at using -flto and -flto=8 (Is there a LDFLAGS), but I
> again wasn't sure if this was recommended.

No. Don't use CFLAGS in your make.conf! Most ports are already optimized properly, and doing so may break some things.

> 5) Any other tips/advice would be awesome. I'll be deploying NGinx, php
> (fastcgi/other ideas), mysql and postfix to start with--possibly with
> amavis-new for spamassassin and clamav.

If you plan to use nginx with PHP via fastcgi, use php-fpm.

>
> Thanks in advance for the help,
>

-- 
Jim Ohlstein

"Never argue with a fool, onlookers may not be able to tell the difference." - Mark Twain
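The NAT/redirect approach Jim describes for reaching a jail's sshd, written out as a pf.conf fragment. This is an added example, not from the mailing-list thread, and it assumes an external interface `em0`, a jail bound to the loopback-alias address `10.0.0.2` (the jail's sshd listening on its own port 22), and an externally exposed port `2222` chosen for the jail; all of those values are placeholders to be replaced with the host's real ones. The host's own sshd keeps port 22 on the host address, so the two daemons never compete for the same port.

```pf
# /etc/pf.conf (example fragment, not the author's configuration)
# Assumed values: replace with the real interface and jail address.
ext_if   = "em0"
jail_ssh = "10.0.0.2"      # jail IP, e.g. an alias on lo1
jail_net = "10.0.0.0/24"   # private range the jails live in

# Let the jail reach the outside (package updates etc.) via the host address.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Redirect external port 2222 straight to the jail's sshd on port 22.
# "rdr pass" also creates the matching filter state, so no extra pass rule
# is needed for the redirected traffic.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 2222 -> $jail_ssh port 22

# Default deny inbound; allow only what is listed below.
block in on $ext_if
pass out on $ext_if keep state

# Host sshd stays on port 22 of the host address only.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Users of the jail then connect with `ssh -p 2222 host`, land inside the jail's sshd, and get only the accounts and authorized keys that exist in that jail; they never need a host login or `sudo ezjail-admin console`. To keep the host sshd from claiming the jail address as well, set `ListenAddress` in the host's `/etc/ssh/sshd_config` to the host IP rather than leaving the default wildcard bind.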
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5325DBEF.7020702>