Message-ID: <5325DBEF.7020702@ohlste.in>
Date: Sun, 16 Mar 2014 13:14:23 -0400
From: Jim Ohlstein
To: tyler@tysdomain.com
Cc: freebsd-questions@freebsd.org
Subject: Re: configuring base server system: lots of questions
References: <5325D011.8060807@tysdomain.com>
In-Reply-To: <5325D011.8060807@tysdomain.com>

On 3/16/14, 12:23 PM, Littlefield, Tyler wrote:
> hello:
> I am pressed on cash, but wanted to switch from Linode (Linux) to BSD. I
> had a few reasons, mainly that I like BSD quite a lot. I found the
> soyoustart servers and at least right now for my needs, it's working
> good. I am in the process of switching everything over--I'll do an
> install and will end up just wiping everything out and rebuilding this
> all later when I know exactly what I want to do, so I have a few questions:
> 1) I've seen a lot of discussion on ZFS. This server comes with 2 2tb
> drives on raid, so I assume it's a mirror. Would ZFS be useful in this
> case, or should I stick to UFS? I want to do a lot of work with jails:
> jail each individual service. Is this viable? I've also tightened up the
> kernel a bit and installed a pretty basic firewall. Are there other
> security concerns I need to worry about? What is the general checklist?

First, don't assume. Find out. Using ZFS may depend more on how much RAM you have than the drives.
More RAM usually = better ZFS performance. You should also be able to separate the drives into JBOD mode. If they're in a "software RAID" (as most Soyoustart servers seem to be) then that's good. ZFS and a hardware controller don't always play together most efficiently, or so I have been led to believe.

UFS is still a fine file system, but if you have adequate RAM ZFS is more than just a file system. Soyoustart servers do seem to have lots of RAM, more than enough for a ZFS system with this amount of storage. However, I doubt that you can simply install FreeBSD with ZFS from a Soyoustart OS template. You'd probably need KVM/IPMI, and I don't know if that's available.

As for a security "checklist", every machine is different and everyone's needs are different. Use a firewall that you understand and learn how to write rules. Don't just copy and paste. See below as well.

> 2) When accessing jails, I have a game I am developing that I want to
> host on this server. There are a few of us that will have access to the
> running copy--should they just sudo ezjail-admin console game, or is
> there a more secure method to allow individual users access?

Yes. Use NAT/redirect. That way you can set the SSH port on the jail to something other than what your main FreeBSD install uses, and redirect it directly to the jail's SSH daemon. I use pf(4) for this, with the module built into my kernel. There are other ways.

> 3) I have 95 some odd updates with portmaster over the last two weeks.
> Is it viable somehow to just apply security patches? Is there a way to
> do that, until I have the time to sit down and apply all these updates
> individually?

Use pkg(8). Unless all 95 have custom options, this will be far more efficient.

> 4) My CFLAGS in make.conf looks like this: CFLAGS+=-O2 -march=native -s
> is this recommended? If not, what would be a better setup? Usually -O2
> is a good level since -O3 tends (from what I've heard) to create a lot
> of cache misses.
> I wanted it to tune to my processor and strip. I was
> also looking at using -flto and -flto=8 (Is there a LDFLAGS), but I
> again wasn't sure if this was recommended.

No. Don't use CFLAGS in your make.conf! Most ports are already optimized properly, and doing so may break some things.

> 5) Any other tips/advice would be awesome. I'll be deploying NGinx, php
> (fastcgi/other ideas), mysql and postfix to start with--possibly with
> amavis-new for spamassassin and clamav.

If you plan to use nginx with PHP via fastcgi, use php-fpm.

> 
> Thanks in advance for the help,
> 

-- 
Jim Ohlstein

"Never argue with a fool, onlookers may not be able to tell the difference." - Mark Twain
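The pf(4) redirect that Jim describes for point 2 (a separate host-facing port forwarded straight to a jail's sshd) looks like this in practice. This is an added example, not code from the list post or from the FreeBSD project; the interface name `em0`, the jail address `192.168.1.10`, and the ports `2222` (host-facing) and `22` (inside the jail) are made-up values for illustration. The script reads the host's own `Port` from an `sshd_config`, refuses to generate a rule that would collide with it, and only runs `pfctl -nf` for a syntax check when pfctl is actually installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): emit pf(4) rdr/pass rules
# that forward one host port to a jail's sshd, so the jail's SSH daemon is
# reachable without giving users a console on the host.
# Hypothetical values: ext_if=em0, jail at 192.168.1.10, host port 2222 -> jail port 22.

# Print the Port directive from an sshd_config ($1); default to 22 when it is
# absent or only present as a commented-out line.
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    if [ -n "$p" ]; then echo "$p"; else echo 22; fi
}

# Emit a redirect plus the matching filter rule for one jail.
#   $1 = external interface   $2 = host-facing port   $3 = jail IP
#   $4 = port sshd listens on inside the jail   $5 = host's own sshd port
# Returns 1 (and prints nothing) if the host-facing port would shadow the
# host's sshd, which is exactly the mistake the redirect is meant to avoid.
jail_ssh_rules() {
    ext_if=$1; host_port=$2; jail_ip=$3; jail_port=$4; host_sshd_port=$5
    if [ "$host_port" = "$host_sshd_port" ]; then
        echo "error: port $host_port is already the host's sshd port" >&2
        return 1
    fi
    # rdr runs before filtering, so the pass rule matches the translated
    # destination (jail IP / jail port), not the host-facing port.
    printf 'rdr pass on %s proto tcp from any to (%s) port %s -> %s port %s\n' \
        "$ext_if" "$ext_if" "$host_port" "$jail_ip" "$jail_port"
    printf 'pass in quick on %s proto tcp to %s port %s flags S/SA keep state\n' \
        "$ext_if" "$jail_ip" "$jail_port"
}

# Syntax-check a rule file with pfctl when it exists; never loads the rules.
check_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available here; skipped syntax check" >&2
        return 0
    fi
}

# Demonstration with the constructed values above (writes nothing to /etc).
demo() {
    tmp=$(mktemp) || return 1
    printf 'Port 22\n' > "$tmp"
    host_sshd=$(sshd_port "$tmp")
    jail_ssh_rules em0 2222 192.168.1.10 22 "$host_sshd" > "$tmp.rules"
    cat "$tmp.rules"
    check_rules "$tmp.rules"
    rm -f "$tmp" "$tmp.rules"
}

demo
```

Inside the jail, pair this with `ListenAddress 192.168.1.10` in the jail's own sshd_config so its daemon binds only to the jail address; on the host, the `rdr` line belongs in the translation section of pf.conf, before the filter rules.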