
@Mausy5043
Last active June 4, 2017 11:06
Installing FreeBSD 11.0 on a VM (QEMU/KVM) running on Ubuntu 16.04 LTS
PS1=' \[\033[01;32m\]\u@\h\[\033[00m\] \[\033[01;36m\]\w \$\[\033[00m\] '
# $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 matthieu Exp $
#
# sh/ksh initialization

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

EDITOR=nano; export EDITOR
PAGER=more; export PAGER
alias la='ls -lAF'
# PATH ends with "." (the current directory)
PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM

Set-up

Downloaded the FreeBSD 11.0 .iso file and created an .xml file for the VM (ini-freya11.xml, listed below) with the .iso file in the virtual CD/DVD drive.

The VM has 1 CPU, 10 GB of disk space and 1 GB of memory. VNC is enabled. The hostname will be freya11.

Installation

  1. On the server: virsh create xml/ini-freya11.xml
  2. Open a VNC session
  3. Select all the defaults; set hostname appropriately
  4. Optional system components to install: lib32, ports, src, test
  5. Then select the network interface for IPv4/DHCP and acquire a lease; skip IPv6
  6. Pick a mirror
  7. Choose guided disk set-up entire disk, GPT partition scheme, accept all the defaults
  8. ...wait...
  9. Set a root password
  10. Set the timezone
  11. Services to be started at boot: sshd, ntpd, dumpdev
  12. System hardening options: enable all except the options that hide PIDs
  13. Add a superuser: invite into group wheel; accept all defaults and set a password
  14. Drop into the shell to check internet connectivity: ping google.com should work
  15. Exit and Reboot

On the server: stop the VM using virsh destroy freya11. Edit the XML file and remove the <disk type="file" device="cdrom"> ... </disk> section. If VNC support can be dropped, also remove the <graphics type='vnc' port='-1' autoport="yes" listen='0.0.0.0'/> line. Save the XML file as xml/freya11.xml.
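The same edit done with sed, as an added example that is not part of the gist: it deletes the whole cdrom disk element and, when asked, the VNC graphics line, and prints the result so the installation XML is left untouched. The file name, the novnc switch and the abbreviated sample XML are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the gist: derive the post-install domain XML
# from the installation XML by dropping the whole cdrom <disk> element and,
# if the second argument is "novnc", the VNC <graphics> element as well.
# Prints to stdout so the original file stays untouched.
# Usage: strip_install_devices xml/ini-freya11.xml novnc > xml/freya11.xml
strip_install_devices() {
    file=$1
    drop_vnc=${2:-}
    if [ "$drop_vnc" = "novnc" ]; then
        sed -e '/<disk type="file" device="cdrom">/,/<\/disk>/d' \
            -e "/<graphics type='vnc'/d" "$file"
    else
        sed -e '/<disk type="file" device="cdrom">/,/<\/disk>/d' "$file"
    fi
}

# Count lines matching a pattern in the stripped output (sanity-check helper).
count_matches() { strip_install_devices "$1" "$2" | grep -c "$3" || true; }

# Constructed, abbreviated copy of the page's ini-freya11.xml for a dry run.
SAMPLE_XML=$(mktemp)
cat > "$SAMPLE_XML" <<'EOF'
<domain type='kvm'>
<name>freya11</name>
<devices>
<disk type="file" device="disk">
<driver name="qemu" type="qcow2"/>
<source file="/srv/array1/homes/vmbeheer/images/freya11.qcow2"/>
<target dev="vda" bus="virtio"/>
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw"/>
<source file="/srv/array1/homes/vmbeheer/iso/FreeBSD-11.0-RELEASE-amd64-bootonly.iso"/>
<target dev="hdc" bus="ide"/>
<readonly/>
</disk>
<graphics type='vnc' port='-1' autoport="yes" listen='0.0.0.0'/>
<console type='pty'>
<target port='0'/>
</console>
</devices>
</domain>
EOF
```

Compare the output with diff against the original before saving it as xml/freya11.xml; the data disk, bridge interface and console must survive untouched.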

Start the VM

virsh create xml/freya11.xml

Stop the VM

virsh destroy freya11

Set-up remote SSH

Since this is a headless server we will be connecting to it via SSH. Use of VNC should be avoided because my VNC-app does not provide scrolling. Also the text console is terrible under VNC.

  1. Remove any stale host-key entries for the VM from your local known_hosts (ssh-keygen -R only needs the file and the host name): ssh-keygen -f "$HOME/.ssh/known_hosts" -R freya11.lan
  2. Copy your public key to the VM:
    • ssh-copy-id admin@freya11.lan (assuming you created an additional user called admin);
    • answer yes when asked whether you are sure; then enter the password for the remote user (here: admin);
    • it should then be possible to log in using ssh admin@freya11.lan

First login activities

A place to store my scripts:

$ mkdir bin

Clean the ports tree (call me paranoid):

$ su -
# cd /usr/ports
# make clean

Do some initialising stuff:

# periodic monthly; periodic weekly; periodic daily

Install a basic set of packages

To make installing things easier I use portmaster:

# cd /usr/ports/ports-mgmt/portmaster
# make install clean

To avoid having to su - (and then forgetting to exit) I install sudo:

# cd /usr/ports/security/sudo
# make install clean
  • sudo
    • options: audit, disable_root_sudo, insults, nls
    • gettext-tools options: threads

I hate vi(m) so I get nano:

# cd /usr/ports/editors/nano
# make install clean

Now, I still need sudo rights:

# nano /etc/sudoers

Uncomment this line:

%wheel ALL=(ALL) NOPASSWD: ALL

(I know this is supposed to be done using visudo, but because I only uncomment a line the additional checks by visudo won't be needed.)

Then save & exit, and exit the root shell:

# exit


bash is my preferred shell:

cd /usr/ports/shells/bash
sudo make install clean
  • bash
    • options: colonbreakswords, help, implicitcd, nls, syslog
    • bison options: nls
    • m4 options: -
chsh -s /usr/local/bin/bash

bash wants fdescfs mounted on /dev/fd (the port says so after installing). Add this line to /etc/fstab (sudo nano /etc/fstab):

fdesc /dev/fd fdescfs rw 0 0

And perform the mount now:

sudo mount -t fdescfs fdesc /dev/fd

Using my script mkbin.sh (see below) I install these:

  • lsof
    • options: -
  • bash-completion
    • options: -
  • portmaster
    • options: bash, zsh
    • next also run: portmaster -L; pkg update
  • rsync
    • options: ssh, flags
  • git
    • options: contrib, curl, cvs, iconv, nls, p4, perl
    • xmlto options: -
    • getopt options: nls
    • libxml2 options: schema, threads, valid
    • libxslt options: crypto
    • libgcrypt options: -
    • libgpg-error options: nls
    • docbook-xsl options: all
    • xmlcatmgr options: -
    • w3m options: -
    • python27 options: ipv6, libffi, nls, pymalloc, sem, threads, ucs4
    • libffi options: -
    • readline options: termcap
  • tree
    • options: -

Hardening the system

FreeBSD has two tmp locations (/tmp and /var/tmp). Combine these into one:

sudo mv /var/tmp/* /tmp/
sudo rm -rf /var/tmp
sudo ln -s /tmp /var/tmp

Disable local root access by marking the ttys in /etc/ttys insecure (BSD sed needs an argument to -i; the empty string means no backup copy is kept): sudo sed -i '' 's/ secure/ insecure/' /etc/ttys

Make some changes to the SSH configuration (sudo nano /etc/ssh/sshd_config):
  • Uncomment the line reading #Protocol 2
  • Uncomment the lines starting with #HostKey and containing rsa, dsa, ecdsa or ed25519
  • Uncomment the line #X11Forwarding yes and change it to X11Forwarding no
  • Uncomment the line #VersionAddendum and remove the OS identifier after it
  • Add a line AllowGroups wheel (your user must be a member of the group wheel; check using id)
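The same sshd_config edits applied with sed, as an added example that is not part of the gist. It assumes the stock FreeBSD layout of the commented lines (a constructed sample is embedded), and for VersionAddendum it sets the keyword none (OpenSSH's documented way to send no addendum) rather than leaving a bare line.

```shell
#!/bin/sh
# Added example, not part of the gist: apply the sshd_config edits listed
# above with sed -E (works with BSD and GNU sed) and print the result, so
# the live file is untouched until the output has been reviewed.
# Usage: harden_sshd_config /etc/ssh/sshd_config > /tmp/sshd_config.new
#        sshd -t -f /tmp/sshd_config.new && sudo cp /tmp/sshd_config.new /etc/ssh/sshd_config
harden_sshd_config() {
    f=$1
    sed -E \
        -e 's/^#(Protocol 2)$/\1/' \
        -e 's/^#(HostKey .*ssh_host_(rsa|dsa|ecdsa|ed25519)_key)$/\1/' \
        -e 's/^#X11Forwarding yes$/X11Forwarding no/' \
        -e 's/^#VersionAddendum .*$/VersionAddendum none/' \
        "$f"
    # AllowGroups is not in the stock file: append it unless it is already set.
    grep -q '^AllowGroups ' "$f" || echo 'AllowGroups wheel'
}

# Print the effective (uncommented) line for one option, for checking.
effective_line() { harden_sshd_config "$1" | grep "^$2 " || true; }

# Constructed sample holding the relevant lines of a stock sshd_config.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
#Protocol 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
#X11Forwarding yes
#VersionAddendum FreeBSD-20160310
EOF
```

Run sshd -t -f on the new file before copying it into place, and keep the current SSH session open until a second login with the new configuration works.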

xml/ini-freya11.xml:

<domain type='kvm'>
  <name>freya11</name>
  <uuid>put-UUID-here</uuid>
  <memory>1048576</memory>
  <currentMemory>1048576</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type>hvm</type>
    <boot dev='cdrom'/>
  </os>
  <features>
    <acpi/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <source file="/srv/array1/homes/vmbeheer/images/freya11.qcow2"/>
      <target dev="vda" bus="virtio"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x0"/>
    </disk>
    <disk type="file" device="cdrom">
      <driver name="qemu" type="raw"/>
      <source file="/srv/array1/homes/vmbeheer/iso/FreeBSD-11.0-RELEASE-amd64-bootonly.iso"/>
      <target dev="hdc" bus="ide"/>
      <readonly/>
      <address type="drive" controller="0" bus="1" target="0" unit="0"/>
    </disk>
    <interface type='bridge'>
      <source bridge='br0'/>
      <mac address="02:de:ad:df:a2:66"/>
    </interface>
    <controller type="ide" index="0">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x1"/>
    </controller>
    <!--ignore>
    <input type='mouse' bus='ps2'/>
    </ignore-->
    <graphics type='vnc' port='-1' autoport="yes" listen='0.0.0.0'/>
    <console type='pty'>
      <target port='0'/>
    </console>
  </devices>
</domain>
mkbin.sh:

#!/usr/bin/env bash
# mkbin.sh: configure, build and install one port from the ports tree.
# Usage: mkbin.sh <portname>   e.g. mkbin.sh lsof
package=$1
if [ -z "$package" ]; then
    echo "Usage: $0 <portname>"
    exit 1
fi
#packagedir=$(whereis $1 | cut -f 2 -d ":")
# whereis lists the port directory among its results; keep the first /usr/ports path
packagedir=$(whereis "$package" | awk '{for(i=1;i<=NF;++i) if($i ~ /usr\/ports/) {print $i; exit}}')
if [ -z "$packagedir" ]; then
    echo "Package $package not found"
    exit 1
fi
echo "Looking in: $packagedir"
cd "$packagedir" || exit 1
echo "########## MAKING ########"
sudo make rmconfig-recursive   # forget saved build options so config-recursive asks again
sudo make config-recursive     # choose options for the port and all of its dependencies
sudo make install || exit 1    # stop on a failed build and keep the work directory for inspection
sudo make clean
echo "########## FINISHED ########"