Date:      Sun, 16 Mar 2014 13:14:23 -0400
From:      Jim Ohlstein <jim@ohlste.in>
To:        tyler@tysdomain.com
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: configuring base server system: lots of questions
Message-ID:  <5325DBEF.7020702@ohlste.in>
In-Reply-To: <5325D011.8060807@tysdomain.com>
References:  <5325D011.8060807@tysdomain.com>



On 3/16/14, 12:23 PM, Littlefield, Tyler wrote:
> hello:
> I am pressed on cash, but wanted to switch from Linode (Linux) to BSD. I
> had a few reasons, mainly that I like BSD quite a lot. I found the
> soyoustart servers and at least right now for my needs, it's working
> well. I am in the process of switching everything over--I'll do an
> install and will end up just wiping everything out and rebuilding this
> all later when I know exactly what I want to do, so I have a few questions:
> 1) I've seen a lot of discussion on ZFS. This server comes with two 2 TB
> drives on raid, so I assume it's a mirror. Would ZFS be useful in this
> case, or should I stick to UFS? I want to do a lot of work with jails:
> jail each individual service. Is this viable? I've also tightened up the
> kernel a bit and installed a pretty basic firewall. Are there other
> security concerns I need to worry about? What is the general checklist?

First, don't assume. Find out.

Using ZFS may depend more on how much RAM you have than the drives. More 
RAM usually = better ZFS performance. You should also be able to separate 
the drives into JBOD mode. If they're in a "software RAID" (as most 
Soyoustart servers seem to be) then that's good. ZFS and a hardware 
controller don't always play together most efficiently, or so I have 
been led to believe. UFS is still a fine file system, but if you have 
adequate RAM ZFS is more than just a file system.

Soyoustart servers do seem to have lots of RAM, more than enough for a 
ZFS system with this amount of storage. However, I doubt that you can 
simply install FreeBSD with ZFS from a Soyoustart OS template. You'd 
probably need KVM/IPMI, and I don't know if that's available.

As for a security "checklist", every machine is different and everyone's 
needs are different. Use a firewall that you understand and learn how to 
write rules. Don't just copy and paste. See below as well.


> 2) When accessing jails, I have a game I am developing that I want to
> host on this server. There are a few of us that will have access to the
> running copy--should they just sudo ezjail-admin console game, or is
> there a more secure method to allow individual users access?

Yes. Use NAT/redirect. That way you can set the SSH port on the jail to 
something other than what your main FreeBSD install uses, and redirect 
it directly to the jail's SSH daemon. I use pf(4) for this, with the 
module built into my kernel. There are other ways.

> 3) I have 95 some odd updates with portmaster over the last two weeks.
> Is it viable somehow to just apply security patches? Is there a way to
> do that, until I have the time to sit down and apply all these updates
> individually?

Use pkg(8). Unless all 95 have custom options, this will be far more 
efficient.

> 4) My CFLAGS in make.conf looks like this: CFLAGS+=-O2 -march=native -s
> is this recommended? If not, what would be a better setup? Usually -O2
> is a good level since -O3 tends (from what I've heard) to create a lot
> of cache misses. I wanted it to tune to my processor and strip. I was
> also looking at using -flto and -flto=8 (Is there a LDFLAGS), but I
> again wasn't sure if this was recommended.

No. Don't use CFLAGS in your make.conf! Most ports are already optimized 
properly, and doing so may break some things.


> 5) Any other tips/advice would be awesome. I'll be deploying NGinx, php
> (fastcgi/other ideas), mysql and postfix to start with--possibly with
> amavis-new for spamassassin and clamav.

If you plan to use nginx with PHP via fastcgi, use php-fpm.

>
> Thanks in advance for the help,
>

-- 
Jim Ohlstein


"Never argue with a fool, onlookers may not be able to tell the 
difference." - Mark Twain
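A pf(4) redirect of the kind Jim describes for question 2, written out as an added example that is not from this thread: the interface names, the jail's private address, the external port 2222 and the admin addresses are all assumptions chosen for illustration.

```pf
# /etc/pf.conf (added example, not from the thread). Assumed names:
# vtnet0 is the host's public interface, lo1 is the cloned interface the
# jails' private addresses live on, 10.0.0.2 is the "game" jail, and 2222
# is the externally visible port chosen for that jail's sshd.
ext_if = "vtnet0"
jail_net = "10.0.0.0/24"
game_jail = "10.0.0.2"
game_ssh_port = "2222"

# Addresses allowed to reach the jail's sshd; keep this to the developers'
# known hosts rather than "any" (constructed placeholder addresses).
table <game_admins> { 192.0.2.10, 198.51.100.0/28 }

set skip on lo0

# Translation rules must precede filter rules in FreeBSD's pf.conf.
# Outbound: let jails reach the network through the host's address.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Inbound: host port 2222 -> the jail's own sshd on port 22. The host's
# sshd keeps port 22 on $ext_if and is untouched by this rule.
rdr on $ext_if proto tcp from <game_admins> to ($ext_if) port $game_ssh_port \
    -> $game_jail port 22

block in log on $ext_if

# Host sshd (port 22) and the redirected jail sshd. Filtering happens
# after translation, so the second rule matches the jail's address.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state
pass in on $ext_if proto tcp from <game_admins> to $game_jail port 22 \
    flags S/SA keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the developers then reach the jail with `ssh -p 2222 host` and never need a shell or sudo on the host itself.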


