#jailer

BIG TV Mojify (BIGTVMojify)
2025-03-11

The Kollywood star racing ahead | Rajinikanth's Jailer 2 Movie Latest Update | Nelson Dilipkumar

bigtvmojify.wordpress.com/2025

Antranig Vartanian (antranigv@antranigv.am)
2025-01-04

FreeBSD-Update and ~200 Jails

Initially, when I heard about freebsd-rustdate I was very skeptical. I have a fear of “Written in <new hip language>”. I thought, however, I’ll wait, and when the time comes, I will try and see how it works.

For the last couple of days I’ve been updating hosts and jails for my customers and my company, and one of the best resources I found was the FreeBSD Update page on FreeBSD’s Wiki, especially the “freebsd-update Reverse Proxy Cache” section. It has saved me hours when updating the hosts. For some hosts we even did an NFS mount of the /var/db/freebsd-update/files directory.

But when it came to upgrading the jails, I realized that this is going to take a very long time. Each host has at least 15 jails, up to 50. There’s a host which has 100+ jails.

Upgrading all of them was going to take a very, very long time. So I ended up doing some research. Here were my options.

  • Build FreeBSD once and run make install everywhere else using NFS and DESTDIR (I used to do this years ago)
  • Migrate to PkgBase (we’ve started doing this, but we’re not done yet, and it will take a while)
  • Nuke the Jails, start fresh, and just move the data (this could work, and I will do that in the future, but now I need to update ~200 jails in the coming 3 days)
  • Somehow, make freebsd-update run faster.

As you have guessed, I went for the last option. Uncle Dave reminded me of freebsd-rustdate again, and I decided to give it a try. Even before starting, my good friend Daniel wrote in our group chat:

@dch my guy. You just saved me several hours per year of flipping back and forth between terminals waiting for the next part of a freebsd-update upgrade to finish running on a million systems.

I arrived at my parents’ house, installed freebsd-rustdate on a host, and tested it on a single jail. Here is my initial reaction:

holy fuck freebsd-rustdate is fucking fast

Like I said, I hate “rewrite in <new hip language>”, but clearly, this time it’s a winner.

And frankly speaking, my Jail manager, jailer, does have the same problems that freebsd-update has. It’s much, much slower when you have to manage 100+ jails. I will, however, not rewrite it in another language (for now, and if I do, it will be in Oberon). Although I might end up spending some good amount of time optimizing it 🙂

Kudos to Matthew Fuller, amazing work. And I have to mention, when I was thinking about moving to FreeBSD more than a decade ago, his rant BSD for Linux Users was the deciding factor for me, and I’ve been using FreeBSD ever since.

That’s all folks…

Reply via email.

#FreeBSD #Jailer #MatthewFuller #Oberon #Rust

Niva Daily (nivadaily)
2024-10-19

⭕️ Rajinikanth’s ‘Vettaiyan’: the making video of the song ‘Manasilaayo’ has been released and is trending on social media
Read full story: nivadaily.com/rajinikanth-jail
Join our Whatsapp group
chat.whatsapp.com/CktzgxHMaoo8

Digital Gabbar (digitalgabbar)
2024-10-16

Vettaiyan's box office success has fans wondering—can Rajinikanth's latest film break the record set by 'Jailer'? 💥🎥
tinyurl.com/25j4qxzc

Antranig Vartanian (antranigv@sigin.fo)
2024-10-06

Hey #FreeBSD friends.

I'm not sure if this table makes sense, but if you have any feedback, please let me know.

I'm trying to solve a problem, and your feedback will go a long way.

Thanks in advance.

#Jails #Jailer #Containers #Unix

Antranig Vartanian (antranigv@antranigv.am)
2024-10-06

Initially, Jailer has had a single image format to download, the “FreeBSD base image”, also known as base.txz.

Now we’re trying to integrate PkgBase, OCI images, Jailer binary images, Jailer source images (jailerfile), Linux bootstrap images, and regular tarballs.

This is the point where I just want to kill myself. This is harder than expected.

Linux has a package management problem. I’m having a “too many registry types” problem.

Let’s see how it goes.

#Jailer #FreeBSD

https://antranigv.am/posts/2024/10/970/

#FreeBSD #Jailer #Jails

Michael Dexter (dexter@bsd.network)
2024-07-17

The July 16th, 2024 Jail/Zones Production User Call is up:

youtu.be/1F836MFrIfY

We did a #9pfs deep dive, discussed example #CVEs, got a #Jailer update and hacked on it, discussed #VxLAN over #WireGuard and #IPsec, and more!

"Don't forget to slam those Like and Subscribe buttons."

#FreeBSD #illumos

Antranig Vartanian (antranigv@antranigv.am)
2024-06-23

The FreeBSD-native-ish home lab and network

For many years my setup was pretty simple: a FreeBSD home server running on my old laptop. It runs everything I need to be present on the internet: an email server, a web server (like the one you’ve accessed right now to see this blog post) and a public chat server (XMPP/Jabber) so I can be in touch with friends.

For my home network, I had a basic Access Point and a basic Router.

Lately, my setup has become more… intense. I have IPv6 thanks to Hurricane Electric, which is passed on to my home network (which we’ll talk about in a bit), and the home network has multiple VLANs, since friends who come over also need WiFi.

I decided to blog about the details, hoping it would help someone in the future.

I’ll start with the simplest one.

The Home Server

I’ve been running home servers for a long time. I believe that every person/family needs a home server. Forget about buying your kids iPads and Smartphones. Their first devices should be a real computer (sorry Apple, iOS devices are still just a toy) like a desktop/laptop and a home server. The home server doesn’t need to be on the public internet, but mine is, for a variety of reasons. This blog being one of them.

I get a static IP address from my ISP, Ucom. After the management change that happened a couple of years ago, Ucom has become a very typical ISP (think shitty), but they are the only ones that provide a static IP address directly, instead of setting it on your router, where you have to do port forwarding.

My home server, hostnamed pingvinashen (meaning the town of the penguins, named after the Armenian cartoon), runs FreeBSD. Historically this machine has run Debian, Funtoo, Gentoo and finally FreeBSD.

Hardware wise, here’s what it is:

root@pingvinashen:~ # dmidecode -s system-product-name
Latitude E5470
root@pingvinashen:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
root@pingvinashen:~ # sysctl hw.physmem
hw.physmem: 17016950784
root@pingvinashen:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot   420G   178G   242G        -         -    64%    42%  1.00x    ONLINE  -

While most homelabbers use hardware virtualization, I think that resources are a tight thing, and should be managed properly. Any company that markets itself as “green/eco-friendly” and uses hardware virtualization should do calculations using a pen and paper and prove if going native would save power/resources or not. (sometimes it doesn’t, usually it does)

I use containers, the old-school ones, Jails to be more specific.

I manage jails using Jailer, my own tool, that tries to stay out of your way when working with Jails.

Here are my current jails:

root@pingvinashen:~ # jailer list
NAME        STATE    JID  HOSTNAME              IPv4               GW
antranig    Active   1    antranig.bsd.am       192.168.10.42/24   192.168.10.1
antranigv   Active   2    antranigv.bsd.am      192.168.10.52/24   192.168.10.1
git         Stopped
huginn0     Active   4    huginn0.bsd.am        192.168.10.34/24   192.168.10.1
ifconfig    Active   5    ifconfig.bsd.am       192.168.10.33/24   192.168.10.1
lucy        Active   6    lucy.vartanian.am     192.168.10.37/24   192.168.10.1
mysql       Active   7    mysql.antranigv.am    192.168.10.50/24   192.168.10.1
newsletter  Active   8    newsletter.bsd.am     192.168.10.65/24   192.168.10.1
oragir      Active   9    oragir.am             192.168.10.30/24   192.168.10.1
psql        Active   10   psql.pingvinashen.am  192.168.10.3/24    192.168.10.1
rss         Active   11   rss.bsd.am            192.168.10.5/24    192.168.10.1
sarian      Active   12   sarian.am             192.168.10.53/24   192.168.10.1
syuneci     Active   13   syuneci.am            192.168.10.60/24   192.168.10.1
znc         Active   14   znc.bsd.am            192.168.10.152/24  192.168.10.1

You already get a basic idea of how things are. Each of my blogs (Armenian and English) has its own Jail. Since I’m using WordPress, I need a database, so I have a MySQL jail (which ironically runs MariaDB) inside of it.

I also have a Git server, running gitea, which is down at the moment as I’m doing maintenance. The Git server (and many other services) requires PostgreSQL, hence the existence of a PostgreSQL jail. I run huginn for automation (RSS to Telegram, RSS to XMPP). My sister has her own blog, using WordPress, so that’s a Jail of its own. Same goes for my fiancée.

Other Jails are Newsletter using Listmonk, Sarian (the Armenian instance of lobste.rs) and a personal ZNC server.

As an avid RSS advocate, I also have an RSS Jail, which runs Miniflux. Many of my friends use this service.

Oragir is an instance of WriteFreely, as I advocate public blogging and ActivityPub. Our community uses that too.

The web server that forwards all this traffic from the public to the Jails is nginx. All it does is proxy_pass as needed. It runs on the host.

Other services that run on the host are DNS (BIND9), an email service running OpenSMTPd (which will be moved to a Jail soon), the chat service running prosody (which will be moved to a Jail soon) and finally, WireGuard, because I love VPNs.

Finally, there’s an IPv6-over-IPv4 tunnel that I use to obtain IPv6 thanks to Hurricane Electric.

Yes, I have a firewall, I use pf(4).

For the techies in the room, here’s what my rc.conf looks like.

# cat /etc/rc.conf
# Defaults
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
#local_unbound_enable="YES"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="pingvinashen.am"

# Networking
defaultrouter="37.157.221.1"
gateway_enable="YES"
ifconfig_em0="up"
vlans_em0="37 1000" # 1000 -> WAN; 37 -> Home Router
ifconfig_em0_1000="inet 37.157.221.130 netmask 255.255.255.0"
ifconfig_em0_37="inet 192.168.255.2 netmask 255.255.255.0"
static_routes="home"
route_home="-net 172.16.100.0/24 -gateway 192.168.255.1"
cloned_interfaces="bridge0 bridge6 bridge10"
ifconfig_bridge10="inet 192.168.10.1 netmask 255.255.255.0"

## IPv6
ipv6_gateway_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="37.157.221.130 216.66.84.46"
ifconfig_gif0="inet6 2001:470:1f14:ef::2 2001:470:1f14:ef::1 prefixlen 128"
ipv6_defaultrouter="2001:470:1f14:ef::1"
ifconfig_em0_37_ipv6="inet6 2001:470:7914:7065::2 prefixlen 64"
ipv6_static_routes="home guest"
ipv6_route_home="-net 2001:470:7914:6a76::/64 -gateway 2001:470:7914:7065::1"
ipv6_route_guest="-net 2001:470:7914:6969::/64 -gateway 2001:470:7914:7065::1"
ifconfig_bridge6_ipv6="inet6 2001:470:1f15:e4::1 prefixlen 64"
ifconfig_bridge6_aliases="inet6 2001:470:1f15:e4::25 prefixlen 64 \
inet6 2001:470:1f15:e4::80 prefixlen 64      \
inet6 2001:470:1f15:e4::5222 prefixlen 64    \
inet6 2001:470:1f15:e4:c0fe::53 prefixlen 64 \
"

# VPN
wireguard_enable="YES"
wireguard_interfaces="wg0"

# Firewall
pf_enable="YES"

# Jails
jail_enable="YES"
jailer_dir="zfs:zroot/jails"

# DNS
named_enable="YES"

# Mail
smtpd_enable="YES"
smtpd_config="/usr/local/etc/smtpd.conf"

# XMPP
prosody_enable="YES"
turnserver_enable="YES"

# Web
nginx_enable="YES"
tor_enable="YES"

The gif0 interface is an IPv6-over-IPv4 tunnel. I have static routes to my home network, so I don’t go to my server over the ISP every time. This also gives me the ability to get IPv6 in my home network, routed via my home server.

As you have guessed from this config file, I do have VLANs setup. So let’s get into that.

The Home Network

First of all, here’s a very cheap diagram

I have the following VLANs setup on the switch.

VLAN ID  Purpose
1        Switch Management
1000     pingvinashen (home server) WAN
1001     evn0 (home router) WAN
37       pingvinashen ↔ evn0
42       Internal Management
100      Home LAN
69       Home Guest

Here are the active ports

Port  VLANs                               Purpose
24    untagged: 1                         Switch management, connects to Port 2
22    untagged: 1000                      pingvinashen WAN, from ISP
21    untagged: 1001                      Home WAN, from ISP
20    tagged: 1000, 37                    To pingvinashen, port em0
19    untagged: 1001                      To home router, port igb1
18    tagged: 42, 100, 69, 99             To home router, port igb2
17    untagged: 37                        To home router, port igb0
16    tagged: 42, 100, 69                 To Lenovo T480s
15    untagged: 100                       To Raspberry Pi 4
2     untagged: 99                        From Port 24, for switch management
1     untagged: 42; tagged: 100, 69; PoE  To UAP AC Pro

The home router, hostnamed evn0 (named after the IATA code of Yerevan’s Zvartnots International Airport) runs FreeBSD as well, the hardware is the following

root@evn0:~ # dmidecode -s system-product-name
APU2
root@evn0:~ # sysctl hw.model
hw.model: AMD GX-412TC SOC
root@evn0:~ # sysctl hw.physmem
hw.physmem: 4234399744
root@evn0:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot  12.5G  9.47G  3.03G        -         -    67%    75%  1.00x    ONLINE  -

The home router does… well, routing. It also does DHCP, DNS, SLAAC, and can act as a syslog server.

Here’s what the rc.conf looks like

clear_tmp_enable="YES"
sendmail_enable="NONE"
syslogd_flags="-a '172.16.100.0/24:*' -H"
zfs_enable="YES"
dumpdev="AUTO"
hostname="evn0.illuriasecurity.com"
pf_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
sshd_enable="YES"

# Get an IP address from the ISP's GPON
ifconfig_igb1="DHCP"

# Internal routes with pingvinashen
ifconfig_igb0="inet 192.168.255.1 netmask 255.255.255.0"
ifconfig_igb0_ipv6="inet6 2001:470:7914:7065::1 prefixlen 64"
static_routes="pingvinashen"
route_pingvinashen="-net 37.157.221.130/32 -gateway 192.168.255.2"
ipv6_defaultrouter="2001:470:7914:7065::2"

# Home Mgmt, Switch Mgmt, Home LAN, Home Guest
ifconfig_igb2="up"
vlans_igb2="42 99 100 69"
ifconfig_igb2_42="inet 172.31.42.1 netmask 255.255.255.0"
ifconfig_igb2_99="inet 172.16.99.1 netmask 255.255.255.0"
ifconfig_igb2_100="inet 172.16.100.1 netmask 255.255.255.0"
ifconfig_igb2_100_ipv6="inet6 2001:470:7914:6a76::1 prefixlen 64"
ifconfig_igb2_69="inet 192.168.69.1 netmask 255.255.255.0"
ifconfig_igb2_69_ipv6="inet6 2001:470:7914:6969::1 prefixlen 64"

# DNS and DHCP
named_enable="YES"
dhcpd_enable="YES"
named_flags=""

# NTP
ntpd_enable="YES"

# Router Advertisement and LLDP
rtadvd_enable="YES"
lldpd_enable="YES"
lldpd_flags=""

Here’s pf.conf, because security is important.

ext_if="igb1"
bsd_if="igb0"
int_if="igb2.100"
guest_if="igb2.69"
mgmt_if="igb2.42"
sw_if="igb2.99"
ill_net="172.16.0.0/16"

nat pass on $ext_if from $int_if:network to any -> ($ext_if)
nat pass on $ext_if from $mgmt_if:network to any -> ($ext_if)
nat pass on $ext_if from $guest_if:network to any -> ($ext_if)

set skip on { lo0 }

block in all

pass on $int_if   from $int_if:network   to any
pass on $mgmt_if  from $mgmt_if:network  to any
pass on $sw_if    from $sw_if:network    to any
pass on $guest_if from $guest_if:network to any

block quick on $guest_if from any to { $int_if:network, $mgmt_if:network, $ill_net, $sw_if:network }

pass in on illuria0 from $ill_net to { $ill_net, $mgmt_if:network }

pass inet  proto icmp
pass inet6 proto icmp6

pass out   all   keep state

I’m sure there are places to improve, but it gets the job done and keeps the guest network isolated.

Here’s rtadvd.conf, for my IPv6 folks

igb2.100:\
  :addr="2001:470:7914:6a76::":prefixlen#64:\
  :rdnss="2001:470:7914:6a76::1":\
  :dnssl="evn0.loc.illuriasecurity.com,loc.illuriasecurity.com":
igb2.69:\
  :addr="2001:470:7914:6969::":prefixlen#64:\
  :rdnss="2001:470:7914:6969::1":

For DNS, I’m running BIND, here’s the important parts

listen-on     { 127.0.0.1; 172.16.100.1; 172.16.99.1; 172.31.42.1; 192.168.69.1; };
listen-on-v6  { 2001:470:7914:6a76::1; 2001:470:7914:6969::1; };
allow-query   { 127.0.0.1; 172.16.100.0/24; 172.31.42.0/24; 192.168.69.0/24; 2001:470:7914:6a76::/64; 2001:470:7914:6969::/64; };

And for DHCP, here’s what it looks like

subnet 172.16.100.0 netmask 255.255.255.0 {
        range 172.16.100.100 172.16.100.150;
        option domain-name-servers 172.16.100.1;
        option subnet-mask 255.255.255.0;
        option routers 172.16.100.1;
        option domain-name "evn0.loc.illuriasecurity.com";
        # domain-search is a domain list: separate entries with commas, not spaces
        option domain-search "loc.illuriasecurity.com", "evn0.loc.illuriasecurity.com";
}

host zvartnots {
    hardware ethernet d4:57:63:f1:5a:36;
    fixed-address 172.16.100.7;
}

host unifi0 {
    hardware ethernet 58:9c:fc:93:d1:0b;
    fixed-address 172.31.42.42;
}

[…]

subnet 172.31.42.0 netmask 255.255.255.0 {
    range 172.31.42.100 172.31.42.150;
    option domain-name-servers 172.31.42.1;
    option subnet-mask 255.255.255.0;
    option routers 172.31.42.1;
}

subnet 192.168.69.0 netmask 255.255.255.0 {
    range 192.168.69.100 192.168.69.150;
    option domain-name-servers 192.168.69.1;
    option subnet-mask 255.255.255.0;
    option routers 192.168.69.1;
}

So you’re wondering, what’s this unifi0? Well, that brings us to

T480s

This laptop was gifted to me by [REDACTED] for my contributions to the Armenian government (which means that when a server goes down and no one knows how to fix it, they call me and I show up).

Here’s the hardware

root@t480s:~ # dmidecode -s system-version
ThinkPad T480s
root@t480s:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz
root@t480s:~ # sysctl hw.physmem
hw.physmem: 25602347008
root@t480s:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot   224G   109G   115G        -         -    44%    48%  1.00x    ONLINE  -

The T480s has access to VLAN 100, 42, 69, but the host itself has access only to VLAN 100 (LAN), while the jails can exist on other VLANs.

So I have a Jail named unifi0 that runs the Unifi Management thingie.

Here’s what rc.conf of the host looks like

clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="t480s.evn0.loc.illuriasecurity.com"

ifconfig_em0="up -rxcsum -txcsum"
vlans_em0="100 42 69"
ifconfig_em0_100="up"
ifconfig_em0_42="up"
ifconfig_em0_69="up"

cloned_interfaces="bridge0 bridge100 bridge42 bridge69"
create_args_bridge100="ether 8c:16:45:82:b4:10"
ifconfig_bridge100="addm em0.100 SYNCDHCP"
ifconfig_bridge100_ipv6="inet6 auto_linklocal"
rtsold_flags="-i -F -m bridge100"
rtsold_enable="YES"

create_args_bridge42=" ether 8c:16:45:82:b4:42"
create_args_bridge69=" ether 8c:16:45:82:b4:69"
ifconfig_bridge42="addm em0.42"
ifconfig_bridge69="addm em0.69"

jail_enable="YES"
jailer_dir="zfs:zroot/jailer"

ifconfig_bridge0="inet 10.1.0.1/24 up"
ngbuddy_enable="YES"
ngbuddy_private_if="nghost0"

dhcpd_enable="YES"
lldpd_enable="YES"

I used Jailer to create the unifi0 jail, here’s what the jail.conf looks like

# vim: set syntax=sh:
exec.clean;
allow.raw_sockets;
mount.devfs;

unifi0 {
  $id             = "6";
  devfs_ruleset   = 10;
  $bridge         = "bridge42";
  $domain         = "evn0.loc.illuriasecurity.com";

  vnet;
  vnet.interface = "epair${id}b";

  exec.prestart   = "ifconfig epair${id} create up";
  exec.prestart  += "ifconfig epair${id}a up descr vnet-${name}";
  exec.prestart  += "ifconfig ${bridge} addm epair${id}a up";
  exec.start      = "/sbin/ifconfig lo0 127.0.0.1 up";
  exec.start     += "/bin/sh /etc/rc";
  exec.stop       = "/bin/sh /etc/rc.shutdown jail";
  exec.poststop   = "ifconfig ${bridge} deletem epair${id}a";
  exec.poststop  += "ifconfig epair${id}a destroy";

  host.hostname   = "${name}.${domain}";
  path            = "/usr/local/jailer/unifi0";
  exec.consolelog = "/var/log/jail/${name}.log";

  persist;
  mount.fdescfs;
  mount.procfs;
}

Here are the important parts inside the jail

root@t480s:~ # cat /usr/local/jailer/unifi0/etc/rc.conf
ifconfig_epair6b="SYNCDHCP"
sendmail_enable="NONE"
syslogd_flags="-ss"
mongod_enable="YES"
unifi_enable="YES"
root@t480s:~ # cat /usr/local/jailer/unifi0/etc/start_if.epair6b
ifconfig epair6b ether 58:9c:fc:93:d1:0b

Don’t you love it that you can see what’s inside the jail from the host? God I love FreeBSD!

Did I miss anything? I hope not.

Oh, for the homelabbers out there, the T480s is the one that runs things like Jellyfin if needed.

Finally, the tiny 

Raspberry Pi 4, Model B

I found this in a closet, so I decided to run it for TimeMachine.

I guess all you care about is rc.conf

hostname="tm0.evn0.loc.illuriasecurity.com"
ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
sshd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
rtsold_enable="YES"
samba_server_enable="YES"

And the Samba Configuration

[global]
# Network settings
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = RPi4

# Logging
log file = /var/log/samba4/log.%m
max log size = 50
log level = 0

# Authentication
security = user
encrypt passwords = yes
passdb backend = tdbsam
map to guest = Bad User
min protocol = SMB2
max protocol = SMB3

# Apple Time Machine settings
vfs objects = catia fruit streams_xattr
fruit:metadata = stream
fruit:resource = stream
fruit:encoding = native
fruit:locking = none
fruit:time machine = yes

# File System support
ea support = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
mangled names = no
smbd max xattr size = 2097152

# Performance tuning
read raw = yes
write raw = yes
getwd cache = yes
strict locking = no

# Miscellaneous
local master = no
preferred master = no
domain master = no
wins support = no

[tm]
comment = Time Machine RPi4
path = /usr/local/timemachine/%U
browseable = yes
read only = no
valid users = antranigv
vfs objects = catia fruit streams_xattr
fruit:time machine = yes
fruit:advertise_fullsync = true
# Adjust the size according to your needs (smb.conf does not allow a trailing
# comment on the same line as a value, so it lives here instead)
fruit:time machine max size = 800G
create mask = 0600
directory mask = 0700

That’s pretty much it.

Conclusion

I love running homebrew servers, home networks and home labs. I love that (almost) everything is FreeBSD. The switch itself runs Linux, and the Unifi Access Point also runs Linux, both of which I’m pretty happy with.

While most homelabbers used ESXi in the past, I’m happy to see that most people are moving to open source solutions like Proxmox and Xen, but I think that FreeBSD Jails and bhyve are much better. I still don’t have a need for bhyve at the moment, but I would use it if I needed hardware virtualization.

Most homelabbers would consider the lack of Web/GUI interfaces as a con, but I think that it’s a pro. If I need to “replicate” this network, all I need to do is to copy some text files and modify some IP addresses / Interface names.

I hope this was informative and that it would be useful for anyone in the future.

That’s all folks… 

https://antranigv.am/posts/2024/06/freebsd-server-network-homelab/

#Containers #Dell #DellLatitudeE5470 #FreeBSD #homeServer #HowTo #Jailer #Jails #macOS #Networking #pf #Samba #Unifi #Unix #VNET
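The guest-network isolation in the evn0 pf.conf above rests on how pf evaluates rules: the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation on the spot. The following is an added example, not the author's code: a small Python model of that evaluation, with the filter section of the ruleset transcribed in order and run over constructed sample packets, plus a variant that moves the guest block rule in front of the guest pass rule with and without `quick` to show what `quick` buys. The `Rule`/`evaluate` names and the sample addresses are mine; nat, state, protocols and the `pass out` rule are not modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Network macros from the evn0 pf.conf in the post above.
INT_NET   = ip_network("172.16.100.0/24")   # $int_if:network   (igb2.100, Home LAN)
GUEST_NET = ip_network("192.168.69.0/24")   # $guest_if:network (igb2.69)
MGMT_NET  = ip_network("172.31.42.0/24")    # $mgmt_if:network  (igb2.42)
SW_NET    = ip_network("172.16.99.0/24")    # $sw_if:network    (igb2.99)
ILL_NET   = ip_network("172.16.0.0/16")     # $ill_net
ANY       = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One pf filter rule: action, quick flag, interface ("*" = any), src/dst nets."""
    action: str
    quick: bool
    iface: str
    src: tuple
    dst: tuple

    def matches(self, iface, src, dst):
        return ((self.iface == "*" or self.iface == iface)
                and any(src in n for n in self.src)
                and any(dst in n for n in self.dst))


# The filtering section of the post's pf.conf, transcribed in order.
# Only inbound IPv4 packets on their ingress interface are modelled; nat,
# state, protocol matching and `pass out all keep state` are left out.
RULESET = (
    Rule("block", False, "*",        (ANY,),       (ANY,)),   # block in all
    Rule("pass",  False, "igb2.100", (INT_NET,),   (ANY,)),
    Rule("pass",  False, "igb2.42",  (MGMT_NET,),  (ANY,)),
    Rule("pass",  False, "igb2.99",  (SW_NET,),    (ANY,)),
    Rule("pass",  False, "igb2.69",  (GUEST_NET,), (ANY,)),
    # block quick on $guest_if from any to { int, mgmt, ill_net, sw }
    Rule("block", True,  "igb2.69",  (ANY,), (INT_NET, MGMT_NET, ILL_NET, SW_NET)),
)


def evaluate(ruleset, iface, src, dst):
    """Decide a packet the way pf does: the last matching rule wins, unless a
    matching rule is `quick`, which stops evaluation immediately."""
    src, dst = ip_address(src), ip_address(dst)
    decision = "block"                 # implicit default when nothing matches
    for rule in ruleset:
        if rule.matches(iface, src, dst):
            decision = rule.action
            if rule.quick:
                break
    return decision


def guest_block_first(ruleset, keep_quick):
    """Variant with the guest block rule moved in front of the guest pass rule,
    optionally stripped of `quick`, to show why `quick` matters for ordering."""
    guest_block = ruleset[-1]
    if not keep_quick:
        guest_block = replace(guest_block, quick=False)
    rest = list(ruleset[:-1])
    idx = next(i for i, r in enumerate(rest) if r.iface == "igb2.69")
    return tuple(rest[:idx] + [guest_block] + rest[idx:])


# Constructed sample traffic: a guest laptop talking to the internet (a
# TEST-NET-3 address), to the Home LAN host "zvartnots" from the DHCP
# reservations above, and to the UniFi controller on the management VLAN.
SAMPLES = {
    "guest->internet": ("igb2.69",  "192.168.69.120", "203.0.113.10"),
    "guest->lan":      ("igb2.69",  "192.168.69.120", "172.16.100.7"),
    "guest->mgmt":     ("igb2.69",  "192.168.69.120", "172.31.42.42"),
    "lan->guest":      ("igb2.100", "172.16.100.7",   "192.168.69.120"),
}


def decisions(ruleset=RULESET):
    """Evaluate every sample packet against a ruleset."""
    return {name: evaluate(ruleset, *pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in decisions().items():
        print(f"{name:16s} {d}")
    # Same rules with the block placed before the guest pass: quick keeps the
    # isolation, while without quick the later pass rule wins.
    print("block first, quick:   ", decisions(guest_block_first(RULESET, True))["guest->lan"])
    print("block first, no quick:", decisions(guest_block_first(RULESET, False))["guest->lan"])
```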

Antranig Vartanian (antranigv@sigin.fo)
2024-06-02

Is there a flag named after you? @dvl has!

jailer.dev

#FreeBSD #Jailer

Antranig Vartanian (antranigv@sigin.fo)
2024-05-24

I love it when computers Just Work™

#FreeBSD #Jailer #Jails #Networking

Antranig Vartanian (antranigv@sigin.fo)
2024-05-16

Worst website on the net? Probably not, but hey, it gets the job done!

jailer.dev

#FreeBSD #Jails #Jailer

More updates coming next week!

Antranig Vartanian (antranigv@antranigv.am)
2024-05-03

Installing DFIR-IRIS on FreeBSD using Jails

This is a live blog of the installation process of DFIR-IRIS on FreeBSD 14.0-RELEASE using Jails and Jailer.

The main requirements are:

  • Nginx
  • PostgreSQL
  • Python
  • Some random dependencies we saw in the Dockerfile

I assume you already have nginx up and running; we will just be setting up a vhost under the domain name dfir.cert.am. Don’t worry, this is INSIDE our infrastructure, you will not be able to connect to it 🙂

Initial Setup

First we create a jail named iris0, using Jailer:

jailer create iris0

Next we install the required software inside of the jail. Looks like everything is available in FreeBSD packages:

jailer console iris0
pkg install \
    nginx \
    python39 \
    py39-pip \
    gnupg \
    7-zip \
    rsync \
    postgresql12-client \
    git-tiny \
    libxslt \
    rust \
    acme.sh

Installing DFIR-IRIS

Since we’re using FreeBSD, we’ll be doing things the right way instead of the Docker way, so we will be running IRIS as a user, not as root.

pw user add iris -m

Next we set up some directories and check out the repo:

root@iris0:~ # pw user add iris -m
root@iris0:~ # su - iris
iris@iris0:~ $ git clone --branch v2.4.7 https://github.com/dfir-iris/iris-web.git iris-web

Finally, we install some python dependencies using pip.

iris@iris0:~ $ cd iris-web/source
iris@iris0:~/iris-web/source $ pip install -r requirements.txt

Now we have to configure the .env file based on our needs. I will post my version of it; I hope it helps.

# -- DATABASE
export POSTGRES_USER=postgres
export POSTGRES_PASSWORD=postgres
export POSTGRES_DB=iris_db
export POSTGRES_ADMIN_USER=iris
export POSTGRES_ADMIN_PASSWORD=longpassword
export POSTGRES_SERVER=localhost
export POSTGRES_PORT=5432

# -- IRIS
export DOCKERIZED=0
export IRIS_SECRET_KEY=verylongsecret
export IRIS_SECURITY_PASSWORD_SALT=verylongsalt
export IRIS_UPSTREAM_SERVER=app # these are for docker, you can ignore
export IRIS_UPSTREAM_PORT=8000

# -- WORKER
export CELERY_BROKER=amqp://localhost
# Set to your rabbitmq instance
# Change these as you need them.

# -- AUTH
#IRIS_AUTHENTICATION_TYPE=local
## optional
#IRIS_ADM_PASSWORD=MySuperAdminPassword!
#IRIS_ADM_API_KEY=B8BA5D730210B50F41C06941582D7965D57319D5685440587F98DFDC45A01594
#IRIS_ADM_EMAIL=admin@localhost
#IRIS_ADM_USERNAME=administrator
# requests the just-in-time creation of users with ldap authentification (see https://github.com/dfir-iris/iris-web/issues/203)
#IRIS_AUTHENTICATION_CREATE_USER_IF_NOT_EXIST=True
# the group to which newly created users are initially added, default value is Analysts
#IRIS_NEW_USERS_DEFAULT_GROUP=

# -- LISTENING PORT
#INTERFACE_HTTPS_PORT=443

Configuring HTTPS

We can use acme.sh to issue a TLS certificate from Let’s Encrypt.

root@iris0:~ # acme.sh --set-default-ca --server letsencrypt
root@iris0:~ # acme.sh --issue -d dfir.cert.am --standalone
root@iris0:~ # acme.sh -i -d dfir.cert.am --fullchain-file /usr/local/etc/ssl/dfir.cert.am/fullchain.pem --key-file /usr/local/etc/ssl/dfir.cert.am/key.pem --reloadcmd 'service nginx reload'

Setup nginx

DFIR-IRIS provides an nginx configuration template at nginx.conf; we will be using that, with a few modifications.

The final nginx.conf will look like this:

#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#
#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Things needed/recommended by DFIR-IRIS
    map $request_uri $csp_header {
        default "default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline';";
    }

    server_tokens off;
    sendfile    on;
    tcp_nopush  on;
    tcp_nodelay on;

    types_hash_max_size             2048;
    types_hash_bucket_size          128;
    proxy_headers_hash_max_size     2048;
    proxy_headers_hash_bucket_size  128;
    proxy_buffering                 on;
    proxy_buffers                   8 16k;
    proxy_buffer_size               4k;

    client_header_buffer_size   2k;
    large_client_header_buffers 8 64k;
    client_body_buffer_size     64k;
    client_max_body_size        100M;

    reset_timedout_connection   on;
    keepalive_timeout           90s;
    client_body_timeout         90s;
    send_timeout                90s;
    client_header_timeout       90s;
    fastcgi_read_timeout        90s;
    # WORKING TIMEOUT FOR PROXY CONF
    proxy_read_timeout          90s;
    uwsgi_read_timeout          90s;

    gzip off;
    gzip_disable "MSIE [1-6]\.";

    # FORWARD CLIENT IDENTITY TO SERVER
    proxy_set_header    HOST                $http_host;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;

    # FULLY DISABLE SERVER CACHE
    add_header          Last-Modified $date_gmt;
    add_header          'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
    if_modified_since   off;
    expires             off;
    etag                off;
    proxy_no_cache      1;
    proxy_cache_bypass  1;

    # SSL CONF, STRONG CIPHERS ONLY
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers   on;
    ssl_certificate             /usr/local/etc/ssl/dfir.cert.am/fullchain.pem;
    ssl_certificate_key         /usr/local/etc/ssl/dfir.cert.am/key.pem;
    ssl_ecdh_curve              secp521r1:secp384r1:prime256v1;
    ssl_buffer_size             4k;

    # DISABLE SSL SESSION CACHE
    ssl_session_tickets         off;
    ssl_session_cache           none;

    server {
        # the listen directive needs its terminating semicolon
        listen          443 ssl;
        server_name     dfir.cert.am;
        root            /www/data;
        index           index.html;
        error_page      500 502 503 504  /50x.html;

        add_header Content-Security-Policy $csp_header;

        # SECURITY HEADERS
        add_header X-XSS-Protection             "1; mode=block";
        add_header X-Frame-Options              DENY;
        add_header X-Content-Type-Options       nosniff;
        # max-age = 31536000s = 1 year; HSTS directives are separated by ';'
        add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
        add_header Front-End-Https              on;

        location / {
            proxy_pass  http://localhost:8000;

            location ~ ^/(manage/templates/add|manage/cases/upload_files) {
                keepalive_timeout           10m;
                client_body_timeout         10m;
                send_timeout                10m;
                proxy_read_timeout          10m;
                client_max_body_size        0M;
                proxy_request_buffering off;
                proxy_pass  http://localhost:8000;
            }

            location ~ ^/(datastore/file/add|datastore/file/add-interactive) {
                keepalive_timeout           10m;
                client_body_timeout         10m;
                send_timeout                10m;
                proxy_read_timeout          10m;
                client_max_body_size        0M;
                proxy_request_buffering off;
                proxy_pass  http://localhost:8000;
            }
        }

        location /socket.io {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_pass http://localhost:8000/socket.io;
        }
    }
}

Setup PostgreSQL

I assume you know how to do this 🙂 You don't need to configure a separate database user; by the looks of it, IRIS prefers to create that itself. Thanks to Jails I was able to run a separate PostgreSQL instance inside the iris0 jail.

P.S. If you are running PostgreSQL inside a jail, make sure that the following variables are set in your jail configuration:

  sysvshm         = new;
  sysvmsg         = new;

Running DFIR-IRIS

Now that everything is up and running, we just need to run DFIR-IRIS and it will create the database, needed users, an administration account, etc.

su - iris
cd ~/iris-web/source
. ../.env
~/.local/bin/gunicorn app:app --worker-class eventlet --bind 0.0.0.0:8000 --timeout 180 --worker-connections 1000 --log-level=debug

Assuming everything is fine, we can now set up an rc.d service script to make sure it runs at boot.

For that I wrote two files: the service itself and a helper start.sh script.

rc.d script at /usr/local/etc/rc.d/iris

#!/bin/sh

# PROVIDE: iris
# REQUIRE: NETWORKING
# KEYWORD:

. /etc/rc.subr

name="iris"
rcvar="iris_enable"

load_rc_config ${name}

: ${iris_enable:=no}
: ${iris_path:="/usr/local/iris"}
: ${iris_gunicorn:="/usr/local/bin/gunicorn"}
# rc.subr puts ${name}_env into the command's environment, so start.sh
# finds the gunicorn binary as $iris_gunicorn
: ${iris_env="iris_gunicorn=${iris_gunicorn}"}

logfile="${iris_path}/iris.log"
pidfile="/var/run/${name}/iris.pid"
iris_user="iris"
iris_chdir="${iris_path}/source"
iris_command="${iris_path}/start.sh"

# Supervise the helper script with daemon(8): -P writes the supervisor pid,
# -T sets the syslog tag, -o redirects stdout/stderr to the logfile
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -T ${name} -o ${logfile} ${iris_command}"

# Added here: daemon(8) runs as ${iris_user}, so the pidfile directory must
# exist and be writable by that user before the service starts
iris_precmd()
{
	install -d -o ${iris_user} -m 755 /var/run/${name}
}
start_precmd="iris_precmd"

run_rc_command "$1"

and the helper script at /home/iris/iris-web/start.sh

#!/bin/sh
# Runs from ${iris_path}/source (rc.d sets iris_chdir), so ../.env is the IRIS env file
export HOME=$(getent passwd "$(whoami)" | cut -d : -f 6)
. ../.env
# exec so gunicorn replaces this shell and receives signals from daemon(8) directly
exec ${iris_gunicorn} app:app --worker-class eventlet --bind 0.0.0.0:8000 --timeout 180 --worker-connections 128

Now we set some variables in rc.conf using sysrc, after which we can start the service.

sysrc iris_enable="YES"
sysrc iris_path="/home/iris/iris-web"
sysrc iris_gunicorn="/home/iris/.local/bin/gunicorn"

Finally, we can start DFIR-IRIS as a service.

service iris start

Aaaaand we’re done 🙂

Thank you for reading!

There are some issues that I’d like to tackle, for example, service iris stop doesn’t work, and it would be nice if we ported all of the dependencies into Ports, but for now, this seems to be working fine.

Special thanks to the DFIR-IRIS team for creating this cool platform!

That’s all folks…


https://antranigv.am/posts/2024/05/dfir-iris-freebsd-jail/

#DFIR #FreeBSD #HowTo #InfoSec #IRIS #Jailer #Jails #PostgreSQL #Python

Top Opening Weekend Grossers - Indian Movies

1 #KGFChapter2 : 555 Cr (4 Days)
2 #Pathaan : 542 Cr (5 Days)
3 #Jawan : 520.79 Cr (4 D)
4 #Baahubali2 : 506 Cr (3 D)
5 #RRRMovie : 500 Cr (3 D)
6 #2Point0 : 345 Cr (4 D)
7 #LEO : 300 Cr+ (1 more day to go)
8 #Jailer : 295.7 Cr (4 D)

2023-09-21

🎥 Jailer Movie Review: praises latest blockbuster
👉 and director shares his detailed review of
👉 shines as a jailer with a past
👉 delivers a successful suspense thriller
thecinemanews.online/premam-an

pakkafilmy
2023-09-19

Rajinikanth: Rajinikanth publicly humiliated the `Jailer` director.. nobody expected he would deliver such a shock!

pakkafilmy.com/telugu/2023/09/

pakkafilmy
2023-09-09

Rajinikanth: Was the remuneration Rajinikanth took for his first Telugu movie really that low.. but now..?

pakkafilmy.com/telugu/2023/09/

pakkafilmy
2023-09-04

Rajinikanth: A woman gave alms to Rajinikanth at a temple.. but what did Rajinikanth do..?

pakkafilmy.com/telugu/2023/09/
